
Author Topic: Virus Scare....  (Read 6594 times)

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Virus Scare....
« on: February 15, 2009, 09:59:03 »

Hi guys,

Yesterday, I was on the official website of the British Steam Tug "Challenge", that has been preserved.

There was a section which said that many people were interested in Challenge, as regards to possibly building a remote control model of her (Like Hibernia).

The website provided a PDF file which allowed you to look at the plans to give you a better idea of the structure of the vessel. I saved the PDF File, opened it up, and it seemed fine. I printed it out and realised it was a little small, so, I copied the image and pasted it into paint and all of a sudden, my computer started to run very slowly. I eventually managed to sort it out and just thought that it's possible that there may have been "lots going on" in my computer that time.

However, I switched my computer on this morning, and all of a sudden, BullGuard (My Antivirus software) came up saying it had blocked a trojan. So I scanned my system and it picked up a virus within two minutes of the scanning, I thought this would be unusual, since it only finds the cookies later on, and sure enough, it was a Virus.

I used Bullguard to clean it off, this is the message that came up:

http://i44.tinypic.com/21k9ttt.jpg

What I wanted to know was, is everything OK now? What was that virus's purpose? And do I need to worry about anything else? or watch out for anything else?

Thanks,
Jack
p.s. I only downloaded the PDF because I considered it as safe, since the website was about the tug "Challenge".

Logged
Kind Regards,
Jack.

Shipaddict

  • Forum member
  • Posts: 3747
Re: Virus Scare....
« Reply #1 on: February 15, 2009, 10:09:43 »

If it was me, I'd do another scan just to make sure everything's been cleaned up :)

As to what its purpose is, well there may be a guide on the web but I suppose be careful looking for anything with the word virus in it on Google.

I'm sure people know lots more than me :)

Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #2 on: February 15, 2009, 10:59:52 »

Hi again guys,

A little worried...Another message came up later again saying Bullguard had blocked something else, what is going on? :'(

Jack.
Logged
Kind Regards,
Jack.

kuusuru

  • Forum member
  • Posts: 83
Re: Virus Scare....
« Reply #3 on: February 15, 2009, 11:35:47 »

Hi again guys,

A little worried...Another message came up later again saying Bullguard had blocked something else, what is going on? :'(

Jack.

wuauclt.exe is part of the process which allows your Windows operating system to receive automatic updates from Microsoft, including security updates, so it's not surprising that malware might try to interfere with this  :evil:

Can I suggest that, if you haven't already, you try running something like this:

http://www.sophos.com/products/free-tools/sophos-threat-detection-test.html

on your machine?  It will at least validate that Bullguard is doing its job.  And you could try contacting Bullguard support, they claim to offer free 24/7 support...
Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #4 on: February 15, 2009, 12:06:39 »

Thanks for the help Kuusuru, I will try that now! :)

It came up again, that Bullguard has stopped it.

http://i40.tinypic.com/71qqnp.jpg

Jack.
Logged
Kind Regards,
Jack.

kuusuru

  • Forum member
  • Posts: 83
Re: Virus Scare....
« Reply #5 on: February 15, 2009, 12:43:30 »

Thanks for the help Kuusuru, I will try that now! :)

It came up again, that Bullguard has stopped it.

http://i40.tinypic.com/71qqnp.jpg

Jack.

It could also be legitimate, and Bullguard is getting it wrong.  It happens.  Put it this way, Sophos is enterprise grade software, if it doesn't flag wuauclt.exe as suspicious, then it's probably OK.
Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #6 on: February 15, 2009, 12:49:21 »

It could also be legitimate, and Bullguard is getting it wrong.  It happens.  Put it this way, Sophos is enterprise grade software, if it doesn't flag wuauclt.exe as suspicious, then it's probably OK.

I hope that Bullguard is getting it wrong alright! It's a little odd I think, thinking about it, I think there was an update for Adobe Reader earlier, maybe Bullguard reacted to that or something.

Also, another odd thing is that, I Always Scan files after downloading from the internet, and when I scanned the PDF file after the slowness, it said it was OK. Weird.

But anyway, I may be in luck, Bullguard hasn't detected anything since I posted that last picture, If I get it again, I shall download Sophos.

Thanks VERY much for your help, it is greatly appreciated!

Jack :)
Logged
Kind Regards,
Jack.

kuusuru

  • Forum member
  • Posts: 83
Re: Virus Scare....
« Reply #7 on: February 15, 2009, 13:52:18 »


But anyway, I may be in luck, Bullguard hasn't detected anything since I posted that last picture, If I get it again, I shall download Sophos.

Thanks VERY much for your help, it is greatly appreciated!

Jack :)

Just keep in mind that because wuauclt.exe is the update client, it may be running on a schedule, so if you get another Bullguard warning, that could be because the scheduler has tried to run the client and the client has tried to connect to the update source, not necessarily because the client is infected with malware.  Unfortunately it seems that this would not be the only time that Bullguard got it wrong recently  >:(.  From http://www.bullguard.com/support/system-status.aspx, the bulletin for 13th Feb 2009:

We would like to notify you of the fact that, this morning, our Antivirus engines started flagging the Windows file "winlogon.exe" (the English version, for SP3) as infected with "Trojan.Generic.1423603".

Detection was removed shortly after that, so any inquiries regarding this issue should be solved by updating the engines, no other action on your part regarding this issue being necessary.


Hmm...  ::)

Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #8 on: February 15, 2009, 13:56:07 »

So does that mean I don't have a virus after all? :o

Thanks!
Jack.
Logged
Kind Regards,
Jack.

Thruster

  • Forum member
  • Posts: 123
Re: Virus Scare....
« Reply #9 on: February 15, 2009, 14:11:32 »

So does that mean I don't have a virus after all? :o

Thanks!
Jack.

It has happened to me too. My anti-virus software (AVG) one day saw one of the vital parts of Windows as a Trojan. But after the daily update everything was all right again. Just a mistake of one of the programmers I guess...
Logged

kuusuru

  • Forum member
  • Posts: 83
Re: Virus Scare....
« Reply #10 on: February 15, 2009, 14:23:37 »

So does that mean I don't have a virus after all? :o

Thanks!
Jack.

You don't have enough evidence to support that conclusion, because the bulletin talks about a false positive for winlogon.exe, not wuauclt.exe. 

The fact that Bullguard issued a signature which flagged winlogon.exe would tend to suggest that their release QA isn't up to scratch  ::) ??? >:(, so it's definitely possible that they've issued a signature which flags certain versions of wuauclt.exe.  It's also possible that you've got a trojan  :evil:

This is why it is important for you to scan your system with a different product.  I often use Avast when I'm testing stuff which wants to know that there's an antivirus client present, and it seems to work, but the test environments are isolated, there's no malware present, so I can't vouch for how good it actually is.  It is free, however, and so is AVG if you want yet another option  :), but again I don't use it in anger, only in simulation  8)
Logged
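
The false-positive-or-trojan question raised in the reply above can be narrowed down on the machine itself. This is an added example, not part of any post in the thread: it lists every copy of the flagged file in the genuine location and the temp folders, with its signature status and hash. It assumes Windows 10 or later with PowerShell 5.1, where catalog-signed system files are validated, and an elevated prompt; the folder list is an assumption.

```powershell
# Added example, not from the thread.
# Assumption: PowerShell 5.1+ on Windows 10 or later, elevated prompt.
$name     = 'wuauclt.exe'                           # file named in the alert
$expected = Join-Path $env:SystemRoot 'System32'    # where Windows keeps it

# The genuine location plus the temp folders (assumed list of places to look).
$roots = @($expected, $env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$report = foreach ($root in $roots) {
    # Temp folders are searched recursively; System32 only at the top level.
    $recurse = $root -ne $expected
    Get-ChildItem -LiteralPath $root -Filter $name -File -Force `
                  -Recurse:$recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path            = $_.FullName
            InSystem32      = ($_.DirectoryName -eq $expected)
            SignatureStatus = $sig.Status
            # Valid chain AND a Microsoft signer; either alone is not enough.
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                               $signer -match 'O=Microsoft Corporation')
            SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWrite       = $_.LastWriteTime
        }
    }
}

# Rows that are not a Microsoft-signed file in System32 are the ones to follow up.
$report | Sort-Object MicrosoftSigned | Format-List
```

A single row with InSystem32 and MicrosoftSigned both True fits the false-positive case; a copy in a temp folder, or a System32 copy whose signature is not Valid, fits the infection case and is what a second scanner should be pointed at.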

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #11 on: February 15, 2009, 15:20:03 »

Hi Jack.

It is likely that you have a virus on your PC. Probably W32.Rispif. It lives in the temp folder (or sometimes in other places) and infects the windows updater program each time you reboot. When the updater program is launched, it then does the real nasty work. Bullguard is catching it after it's been re-infected each time.

Removal instructions here:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-081915-2311-99&tabid=2
Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #12 on: February 15, 2009, 15:26:42 »

Hi Terry, following the instructions now, do I need to worry? Is Bullguard keeping it at bay?

Jack.
Logged
Kind Regards,
Jack.

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #13 on: February 15, 2009, 16:23:24 »

I think so.

You still have the infection, it seems. And that will keep inserting the trojan into wuauclt. But each time it runs, Bullguard will catch it, apparently.

In the meanwhile, you can't update Windows and install security patches etc. So you need to get this fixed as quickly as you can. There is also the chance that it might slip through when Bullguard is sniffing its own tail or something...
Logged

firestar12

  • Guest
Re: Virus Scare....
« Reply #14 on: February 15, 2009, 16:30:08 »

God. I hate Trojans. I got one and had to cleanse my hard drive! >:(
Logged

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #15 on: February 15, 2009, 16:46:42 »

God. I hate Trojans. I got one and had to cleanse my hard drive! >:(

You can ALWAYS beat them. I have a test machine that I use to check out my own antiviral/antieverythingnasty programs. I deliberately infect it and see what is needed to destroy the viruses. Sometimes they struggle, but they always lose.

Often, just going to the Symantec site and typing the name of the virus, trojan, whatever into their search engine will reveal exactly what you need to do. Often they have a tool for your use.

So, chin up, Jack!  :thumbs:
Logged

firestar12

  • Guest
Re: Virus Scare....
« Reply #16 on: February 15, 2009, 16:52:26 »

You can ALWAYS beat them. I have a test machine that I use to check out my own antiviral/antieverythingnasty programs. I deliberately infect it and see what is needed to destroy the viruses. Sometimes they struggle, but they always lose.

Often, just going to the Symantec site and typing the name of the virus, trojan, whatever into their search engine will reveal exactly what you need to do. Often they have a tool for your use.

So, chin up, Jack!  :thumbs:

Do you just do trojans or all types of viruses?
Logged

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #17 on: February 15, 2009, 17:02:26 »

Quote
my own antiviral/antieverythingnasty programs

Everything.
Logged

firestar12

  • Guest
Re: Virus Scare....
« Reply #18 on: February 15, 2009, 17:05:32 »

Everything.

I bet installing viruses on purpose is fun. But how do you know how to find them?
Logged

Shipaddict

  • Forum member
  • Posts: 3747
Re: Virus Scare....
« Reply #19 on: February 15, 2009, 17:15:20 »

You can ALWAYS beat them.

That's the spirit! :)
Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #20 on: February 15, 2009, 17:17:44 »

Thanks for telling me Terry! Just been out, left Bullguard scanning and it picked up two viruses, deleted them, THE WAR IS ON! :lol:

Alright, Now I'm going to look at these instructions, hopefully I'll understand them!

Thanks a million for the help Terry, I can always give you the link to that nasty PDF file if you'd like to play with it in your test Machine! :D

Jack.
Logged
Kind Regards,
Jack.

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #21 on: February 15, 2009, 17:41:54 »

Alright, Now I'm going to look at these instructions, hopefully I'll understand them!

Thanks a million for the help Terry, I can always give you the link to that nasty PDF file if you'd like to play with it in your test Machine! :D

Just take the instructions slowly, one step at a time. Read it all, then read it again. Then do it again.  ;D

I think I already have that virus in my "losers" collection.

I think there was an update to Adobe Acrobat that stops it happening again. When you've fixed the problem, traipse over to Adobe and update your pdf reader.
Logged

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #22 on: February 15, 2009, 17:47:47 »

Just take the instructions slowly, one step at a time. Read it all, then read it again. Then do it again.  ;D

I think I already have that virus in my "losers" collection.

I think there was an update to Adobe Acrobat that stops it happening again. When you've fixed the problem, traipse over to Adobe and update your pdf reader.

Yes, I am doing now, just reading them carefully, Bullguard is running in the background at the moment, just to see if anything is trying to sneak past without detection ;D

Ah right, just out of interest, has any virus actually ever/almost beaten you? What's the worst one(s)?

Jack :)
Logged
Kind Regards,
Jack.

TerryRussell

  • Guest
Re: Virus Scare....
« Reply #23 on: February 15, 2009, 18:32:46 »

Nope. I always win.

The worst one was where it made a large number of copies of itself. (13, I think). If you went into Task Manager and stopped any of them, one of the others simply recreated it.

For that I tried two approaches.

A few years ago I created a program called processkiller. It is a very fast Machine Code program. I originally wrote it for some of my servers that run Word in Mailmerge when certain web pages are called up. If the Mailmerge fails for any reason, Word is left locked in the background and no more Word documents can be called up. Every minute, the servers launch processkiller and close down any instances of Word that have taken more than their allotted time.

I simply told processkiller to look for the PID (Process ID) for the virus and kill it. Then I reprogrammed another copy to look for another instance of the virus. And so on, 14 times (in case one got missed).

That took three minutes to catch and kill them all.

I also reverse engineered the virus, to work out how it would name the next instance that it created. That way, I have processkiller ready and waiting.  :evil:

The other way was to see how it launched itself at startup and prevent that. That was quite simple. It just hijacked a windows program (rather like your infection) and started it on reboot. I simply made a program that removed the registry key before Windows got far enough to launch it. That method is now included in some of the anti virus software you may be using.
Logged
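
The startup mechanism described in the post above can be audited before anything is removed. This is an added example, not the poster's program: it lists the autostart entries and marks those whose target is unsigned, missing, or in a temp folder. It assumes the standard Run keys (the post does not say which key was used) and PowerShell 5.1 on Windows 10 or later.

```powershell
# Added example, not from the thread.
# Assumption: the autostart is in one of the standard Run keys;
# the post does not name the key.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$tempRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Where-Object { $_ }

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $reg = Get-Item -LiteralPath $key
    foreach ($valueName in $reg.GetValueNames()) {
        $command = [string]$reg.GetValue($valueName)   # %VAR% references are expanded

        # Executable = the quoted path if present, else text up to the first ".exe".
        $exe = $null
        if     ($command -match '^\s*"([^"]+)"')     { $exe = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)\b')  { $exe = $Matches[1] }

        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        $status = 'FileNotFound'
        if ($exists) { $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status }
        $inTemp = [bool]($exe -and ($tempRoots | Where-Object { $exe -like "$_\*" }))

        [pscustomobject]@{
            Key             = $key
            Name            = $valueName
            Command         = $command
            SignatureStatus = $status
            InTempFolder    = $inTemp
            # Review = worth a look, not proof of infection.
            Review          = ($inTemp -or $status -ne 'Valid')
        }
    }
}

$entries | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Entries given without a full path show as FileNotFound because the check does not search PATH, and legitimate unsigned programs will also be marked for review.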

IRI5HJ4CK

  • Forum member
  • Posts: 4256
Re: Virus Scare....
« Reply #24 on: February 15, 2009, 18:42:36 »

Interesting stuff Terry!

Still don't understand the mentality of people making viruses, what do they get out of it? ???

One thing Terry, I think I may need to PM you about these instructions, I'm a little confused to be honest with you, I don't want to mess anything up on the computer, I really could do with learning about the techy side of computing, couldn't I :D :-[ *rolls eyes*

Thanks a lot for the help!

Jack
P.S. I just scanned my computer again (It's constantly scanning-just to keep on top of it while I'm reading the instructions), and it came up with the file attached below, does it make things any clearer to you, as to what exactly is going on, Terry?
Logged
Kind Regards,
Jack.