Saturday 23 August 2003

A day of rest

Since joining the ranks of the employed (however temporary it may be) I actually look forward to weekends again, where you can do laundry and shopping and yard work and every thing else you couldn't get done while you were chained to a desk. What follows is kind of geeky but if you are interested read on and laugh at hubris... and if you don't read on have fun with customer support.

I'm the fix-it guy. Somethings I can fix no sweat others I am not so good at (personal relationships seem to be difficult) but it doesn't stop me from wanting to fix things or trying to fix things. I get a problem and I get obsessed. FOAF brings over a nice new laptop running XP, seems when he gets on-line (dialup lowlife...) wierd stuff happens (like the computer shuts down)... I smile and shake my head you been infested with lovsan I say.

Sure enough there it is. I find the dropper and infections with a cursory search. First thing to do is kill the process running that keeps you from deleting the file you need to. So the three fingure salute is issued to bring up the task manager.

Task manager appears and disappears WTF!!??!! Whoa this is unexpected. OK so I can't shut down the dirty bastid that is running I get rid of everything else. I know that the way this thing starts is, the registry has an entry in it that will start it up before you even get a chance to log in. So off to regedit to remove the offending entry, once I reboot everything will be OK and I can delete the persistant file. Run.... regedit, launches and shuts down just like task manager what the hell?

OK this isn't LovSan something else is going on. FOAF has Norton Anti-Virus on his computer but it isn't running, OK launch that puppy and do a scan... no virus is found. Hmmmm

The Virus definition file is a year old.

OK this laptop can't dial out but I can plug it in to my home network... Don't worry I plug it into the DMZ in front of my router/firewall. Plug it in behind and the virus will spread itself to all the machines that are not running ZoneAlarm or other firewall software.

Once on the net I get to the MS update site and download all the critical updates that can be installed (note XP Expess SP1 download is NOT express it takes for fucking ever to apply). Update the Norton anti virus and run the scan again.

This time bingo I find lovsan no problem I already know it is there. It also finds the Welchia worm.

Now the Welchia worm was some kind hearted individual's attempt to stop lovsan. This virus installs as a service using the same security hole as lovsan. It then tries to download the Microsoft patches that closes the hole and thus prevents you from getting lovsan. Cool except that it doesn't work. It just gunks up the net with useless traffic. It's a virus/worm and doesn't help the situation, as easy as lovsan to remove if you can get a handle on it (task manager and regedit) which I don't have.

As the scan continues spybot is located. So here I am with a real dirty machine. Spybot is the virus that doesn't play nice. It infests a critical system service.. actually it replaces a critical system service that needs to be loaded when the computer boots. Can't shut it down can't change the system registry can't clean or quarentine the infected files.

Shit. On to the net where I learn spybot is reported as rare and easy to remove. So easy to remove there is no tool to download to help you remove it.

Search some more and you find this bugger has caused untold grief to lotsa people. Fortunately there are instructions on how to remove this obnoxious POS.

You can download tools that do the job of regedit and taskmanager, the virus doesn't know about these (dialup users are out of luck as dialup connections are dropped by lovsan)

So I do it the hard way (I could have downloaded the tools but it isn't my computer). Disable the restore point software. Boot to safe mode delete the POS worm run the virus scan again and quarentine the other bad boys.

Reboot and all is well. Nope... turns out the system is full of spyware as well. So clean that crap out too.

Whew... I'm thinking I am glad I didn't have to do this on all my computers.

Moral of the story.... Charge FOAF beaucou bucks to clean out and update this computer, except I can't because I'm obsessed.

Don't use IRC don't use Kazaa or other P2P software unless you know what you are doing, and if you do then you deserve all the crap that will flow your way.

I charge $250 an hour plus expenses.

Posted by Philip at Saturday 23 August 2003 | TrackBack

I have the same problem, my task manager and regedit shut down. Where can I downl these tools to remove this worm/virus?


Posted by: Dries at November 9, 2003 04:49 AM