Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Help with a virus removal!

  • 09-07-2002 10:57am
    #1
    Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭


    Righty. As the title says, I need help removing a virus from a machine.

    I have no idea how long the virus has been on the PC but it recently started popping error messages up when any exe file was run.

    Here's what I know:
    The virus is a version of Optix Pro trojan horse virus. (which is very like backdoor assassain but older and not listed on the NaV site, I could only find reference to it on a site called DiamondCS).

    It runs a reporting file with every application. The reporting file uses any open internet connection to allow the virus owner have access to the pc. fair enough.

    Now: the main file WMMIEXE.EXE was deleted at some stage and whenever a program was run the error message "cannot find file wmmiexe.exe" came up.

    I edited the registry and went through the system folder to remove any reference to this file. That seemed to work ok.
    also removed a file in the windows system folder called: TAPISYS.sys which contained the code:
    @if exist C:\windows\tmpcpyis.bat del C:\windows\tmpcpyis.bat
    @if exist C:\windows\winstart.bat c:\windows\winstart.bat
    

    winstart.bat is how optix lite re-populates itself if a part is deleted.

    The virus scanner has been updated with the latest ide files (NAV 2000) but it cannot find anything, probably because it keeps getting shut down every 40 to 50 seconds - another feature of the optix family.

    I've run the scanner in safe mode but nothing was found (except a change in the boot record which was repaired).

    I still can't find what is shutting down the virus scanner, not even by disabling services one at a time. If I try re-installing NAV it will get cut off during installation and setup, at least that's what happened the Norton firewall I was installing (there was pain over that one!)

    The PC is running but it is slow and the owner is not happy about not having any anti-virus. Anyone help?


Comments

  • Moderators, Arts Moderators, Recreation & Hobbies Moderators Posts: 10,885 Mod ✭✭✭✭Hellrazer


    Dont know whether this will help or not but the last time I had a virus which my virus software could not detect I used an online virus scan found at panda-online(if you can get on the net)It found the virus first time and I was sorted.It takes roughly an hour to scan all your files but its quite good.
    Richie.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Kick this into technology, will get a bit more of a response there


  • Registered Users, Registered Users 2 Posts: 1,393 ✭✭✭Inspector Gadget


    One suggestion for you to try is to use the command-line scanner if you have one with yours (McAfee's is SCAN.EXE, for example), only rename it to something harmless (like TEACUP.EXE, or something not-virus-related) and run it - this should prevent Optix from shutting down the virus scanner.

    Also, look out for a file in your system directory called spooll32.exe (Very Important - it must have TWO 'L's! The one with just one 'l' is important to the operation of your PC) and delete it in safe mode if you can. You may have to kill the process first.

    Hope this helps,
    Gadget


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    I've tried renaming and running NAV (not sure if it was the command line scanner part though, so I'll try again).

    No file called spooll32 :(


  • Registered Users, Registered Users 2 Posts: 1,393 ✭✭✭Inspector Gadget


    ...I just did a google and found a page on the subject and it said that the trojan's "server" was called spooll32.exe and was located in the system directory.

    Apparently, another file to look for (according to this - they recommend the virus scanner file rename trick too) is wmmiexe.exe in the Windows directory.

    Having looked at the list of things it can do, boy, oh boy is it nasty!

    Good luck cleaning it.
    Gadget


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    hvae u tried booting from a bootable floppy and then run your AV av software from the command line

    that way your virus should not have loaded its self and you should be able to clean it


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Gadget: that's the same reference page I used. It's the only mention of it I can find (which is a bit strange considering what it is supposed to be capable of). The Wmmiexe.exe file was the one that kept popping up whenever an application was started. I removed the "self duplicating" file and all references to wmmiexe from the registry (it was associated with all applications and the extensions LOG_ , .LOG , .TXT, EXE_ and a few others).
    It's the rest of the files I cant find. according to that diamondcs page the virus can be "customised" by the controller. I need to find what he has customised the files to.

    Amen: good idea. unfortunately already tried it. Both bootable floppy and safe mode. According to NAV, there's nothing wrong. (latest definitions by the way, which had to be manually updated as liveupdate kept getting interrupted).


  • Registered Users, Registered Users 2 Posts: 443 ✭✭bricks




  • Registered Users, Registered Users 2 Posts: 1,393 ✭✭✭Inspector Gadget


    Lolth:

    Here's another one:

    http://www.megasecurity.org/trojans/o/optix/Optixpro1.1.html

    ...it seems to suggest that this thing uses port 3410, so maybe you should try a "netstat" to see if anything's using port 3410.

    Also, check the registry key it talks about - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - to see if there's anything suspicious in there.

    Gadget


  • Closed Accounts Posts: 1,341 ✭✭✭Koopa


    hmm i know this isnt much help, but the reason its not mentioned anywhere is probably because bo2k+plugins could do pretty much everything this trojan can do, except for the auto-killing processes every 60 secs part, and it was released in 1999, long before this

    what OS are you running? if its win98/me then make sure you check in system.ini and win.ini for references to it as well as in the registry+startup folders, you shouldnt really need anything in the "load=" and "run=" lines in win.ini, and check the "shell=explorer.exe" line to make sure theres not something added to the end of it, like "shell=explorer.exe virus.exe"


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    well, finally I had a trawl through the system information. I found a file in the "currently running" section that didn't show up in the ctl-alt-del window.

    wmsis32.exe

    couldn't find any reference to it on the internet either so I had a search through the registry and sure enough it was found:

    HKEY_LOCAL_MACHINE\windows\currentversion\runservices\software :
    Key: WSISdvx32 value: "c:\windows\system\wmsis32.exe"

    Deleted the registry entry and the file and all is working nice and happily now.

    thank f**k.

    having said all that, I'll probably find out tomorrow that that file is an essential windows component that stops the PC from exploding or something.....


Advertisement