dr watson virus

Started by dedndave, February 07, 2009, 08:51:12 PM

dedndave

I know this forum is not intended to be for virus solutions, but i can't think of a better bunch of people to consult.
I picked up a nasty virus that causes crashes that invoke several instances of dr watson.
I am usually pretty good at removing crapolla like this, but this one is kinda nasty.
I wound up rebuilding C: and have another drive with all kinds of files on it - about 240GB of odds and ends.
After rebuilding, I used one of the command console mode programs from the second drive and the virus installed itself again.
After rebuilding the second time, I found that the virus had attached itself to many of the command-line mode programs on that drive.
MalwareBytes doesn't find it.
My question is, does anyone know of a scan program that will identify the infected exe's for me ?
ThanX in advance - Dave

BlackVortex

Upload a nice sample of the virus here:
http://virusscan.jotti.org/


Then download the trial of one of the products that detects it and get rid of it.

Mark Jones

Hi Dave, have you tried SpyBot SD to scan for spyware yet? That does a pretty good job of finding a lot of junk. In your case, you'll want to right-click on the affected folder in Windows Explorer and do a "Scan using SpyBot Search & Destroy" to closely examine each of the affected files. Might take hours or more depending on how many files there are, but it is very thorough.

If that doesn't do it, and you have a free "spare" machine around, stick that affected disk into it (as a SLAVE disk!), power up, then run SpyBot, a good RootKit detector, and your favorite anti-virus on it.

Of course, the best thing to do is to just manually save any clean data you need from the disk, then nuke it from a Windows 98 boot diskette -- "FDISK /MBR" followed by "FDISK", et. al.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

dedndave

Thanks guys
I am on the third rebuild, now - lol
this is a nasty bugger
this time, it got me on an html file I had written myself
in the file were these 2 urls that I have added to my HOSTS file:
  ZieF.pl
  www.tEenPassage.com
the last one sounds like a porn site - lol
but, I got the virus from a torrent site - thepiratebay.com

raymond

HouseCall from TrendMicro may be able to detect it and clean it. It's FREE. Give it a try.
When you assume something, you risk being wrong half the time
http://www.ray.masmcode.com

dedndave

thanks Ray
i think i need a scanner that is geared specifically for this virus
i may write my own - lol
i have an entire 250 gb drive that needs cleaning
so far, i have seen it infect command-line exe's and html's
lord only knows what other files are infected
240 gb is a lot to sort out - it would take forever to do it manually
btw - nice fpu site Ray - i added it to faves


BlackVortex

Why don't you upload an infected file to the site I recommended ? I'm interested to see which virus it is and which products detect it.

dedndave

well - i looked at that site - the problem is, i have 240 gb of possibly infected files - lol
i have found an infected html - exe's - and, from what i can gather by searching the web - screensavers (don't care 'bout that)
i am afraid so many different types of files are infected in different ways
i may upload an exe - i have one in mind
i have since re-downloaded the exe file
it is a simple disassembler from http://www.geocities.com/SiliconValley/Foothills/4078/
it may not be the best disassembler, but it is simple and fast and disassembles 32-bit code
anyways, that is one file i know i have an infected copy and the original, both

i would think that it would be necessary to look at more than one file to make a scanner
but - i will give it a try and let you know.....
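
Added example (editor's code, not Dave's scanner or anything posted in this thread): since Dave has a trusted original and an infected copy of the same disassembler, plus a large drive to sort out, the simplest signature-free approach is an integrity check. Hash the executables and HTML files from a trusted copy into a manifest, walk the suspect drive, and report every file whose hash has changed, every file the manifest has never seen, and every file that has gone missing. The `diff_regions` helper shows which byte ranges differ between the clean and infected copies, which is a starting point for looking at a sample without naming any virus-specific layout. All paths, file names and byte contents below are constructed for the demo; the scanner uses only the Python standard library.

```python
"""Known-good manifest scanner (constructed example, not the thread's code)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# File types the thread mentions as being hit (exe's and html's); extend as needed.
SCAN_SUFFIXES = {".exe", ".com", ".dll", ".scr", ".htm", ".html"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every interesting file under a trusted tree."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def scan(root, manifest):
    """Compare the tree under root against a manifest.

    Returns (modified, unknown, missing): relative paths whose hash changed,
    paths not in the manifest at all, and manifest entries no longer present.
    """
    root = Path(root)
    seen = set()
    modified, unknown = [], []
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in SCAN_SUFFIXES):
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            unknown.append(rel)
        elif manifest[rel] != sha256_file(p):
            modified.append(rel)
    missing = sorted(set(manifest) - seen)
    return sorted(modified), sorted(unknown), missing


def diff_regions(clean, dirty):
    """Half-open byte ranges [(start, end), ...] where two copies differ.

    A range starting at len(clean) means data was appended to the dirty copy.
    """
    regions, start = [], None
    n = max(len(clean), len(dirty))
    for i in range(n):
        a = clean[i] if i < len(clean) else None
        b = dirty[i] if i < len(dirty) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    return regions


def demo():
    """Constructed scenario: a clean tree and a 'drive' copy with one tampered exe."""
    # Fake PE-ish bytes: DOS header stub, 'PE' marker, then 200 NOPs. Not a real binary.
    clean_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    # Tampered copy: 8 bytes patched at offset 100 and 8 bytes appended at the end.
    dirty_exe = clean_exe[:100] + b"\xCC" * 8 + clean_exe[108:] + b"APPENDED"
    page = b"<html><body>hi</body></html>"

    base = Path(tempfile.mkdtemp(prefix="manifest_demo_"))
    try:
        files = {
            "clean/tools/disasm.exe": clean_exe,
            "clean/doc/readme.html": page,
            "drive/tools/disasm.exe": dirty_exe,   # modified
            "drive/doc/readme.html": page,         # unchanged
            "drive/tools/new.com": b"MZ" + b"\x00" * 16,  # not in manifest
        }
        for rel, data in files.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(base / "clean")
        modified, unknown, missing = scan(base / "drive", manifest)
        return {
            "modified": modified,
            "unknown": unknown,
            "missing": missing,
            "regions": diff_regions(clean_exe, dirty_exe),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `build_manifest` at a freshly downloaded or archived copy of the tools and `scan` at the suspect drive; a hash mismatch says only that a file changed, not what changed it, so anything reported as modified still needs to go through a scanner such as the Jotti upload suggested above before it is trusted or deleted.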

dedndave

ok - i uploaded the disassembler 3 ways
1) zipped - infected
2) raw - infected
3) raw - uninfected

on the last 2 scans, the G Data scanner took forever and found nothing - lol
anyways - that is an interesting site - it is different than what i was expecting
interesting to note that kaspersky and norman virus control both id'ed the zipped file, but not the infected raw exe
10 of the scanners found nothing at all
none of the scanners reported a problem with the uninfected exe
the ones that ID'ed the same virus in both zipped and raw form were:

AntiVir  Found W32/Virut.Gen
ArcaVir  Found Heur.W32
F-Prot Antivirus  Found W32/Virut.AI
F-Secure Anti-Virus  Found Virus.Win32.Virut.ce
Ikarus  Found AdWare.Win32.ABetterInternet.G
NOD32  Found Win32/Virut.NBK
Sophos Antivirus  Found W32/Scribble-A
VBA32  Found Virus.Win32.Virut.5

I was surprised to see f-prot in the list - lol - i think the very first anti-virus program i saw (DOS days) was from f-prot
f-secure is well known and i know they have a good trial program - i may give that a shot
they have several virus-specific scanners - i had looked on their list earlier for one - no luck
most of the others, i am not familiar with
do you have any recommendations ?
- ThanX - Dave

BlackVortex

My recommendation is to install a trial of NOD32 and clean everything with it. And I mean everything !!!!

raymond

The HouseCall I suggested is an on-line scanner. Here's the link if you haven't found it yet.

http://housecall65.trendmicro.com/
When you assume something, you risk being wrong half the time
http://www.ray.masmcode.com

GreenTea

Quote from: dedndave on February 07, 2009, 08:51:12 PM
I know this forum is not intended to be for virus solutions, but i can't think of a better bunch of people to consult.
I picked up a nasty virus that causes crashes that invoke several instances of dr watson.

My question is, does anyone know of a scan program that will identify the infected exe's for me ?
ThanX in advance - Dave


In the future, I would be more careful where I went.

"If you hang around a barbershop, eventually you'll get a haircut."


dedndave

lol - ty green - as i said, normally i can get rid of this stuff
this one is nasty and is infecting many trusted sites
Tom at Malwarebytes.org told me the only way to remove it from the boot drive is to rebuild
i found a couple other urls associated with this virus
you may want to add them to your HOSTS file, as I have done:

www.lwstats.com
www.kaeverak.com

adding those 4 sites will help protect you from receiving the payload of this nasty
ThanX again everyone
Dave

dedndave

I did try housecall - i think i would have liked it, if there was any way to make it scan a drive other than C: