
Nasty, Sticky Worm - "variousnames".exe

Discussion in 'Windows XP' started by burbanksteve, Sep 8, 2004.

Thread Status:
Not open for further replies.
  1. burbanksteve

    burbanksteve Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    2
    Thought I'd share this as it's been driving me nuts for a couple of days. I got a worm on my work PC which looks a lot like the old sysupd.exe with a couple of interestingly nasty twists which made it very hard to get rid of.

    The symptom is that you've got a process running in task manager that's using your spare CPU cycles (sort the tasks by CPU activity and you'll see it popping to the top every now and then). You don't recognize the process, but mine were called, variously, PCWAVE, AC, TCPCR, VBC and HOSTX. All potentially genuine-sounding names. The name changed on each reboot.

    The .EXE file associated with the process that was running was hidden, and installed in various locations under WINNT after reboot (I'm running W2K).

    Digging around in the registry revealed, under the RUN and RUNONCE branches for both HKLM and HKCU, references to both the program that was running and another unknown program (mine was called WODBC.EXE).

    Further digging revealed a couple more hidden files - one file purported to be an .INI file, but was actually a binary with the same name, but reversed, as the running program - i.e. VBC.EXE was accompanied by CBV.INI. In the Documents and Settings\myusername\Local Settings\Temp folder I also found two hidden .DAT files - one named like the INI file - i.e. CBV.DAT - and another apparently randomly-named file (ssvvrd.dat).

    Unlike the old sysupd file(s), there was no company, author etc. information in the file header. All the version information in the file(s) is blank.

    The only common thread was the file sizes - the running executable was 694,272 bytes long, the "other" executable (my WODBC.EXE) was 215,040 bytes long. The .DAT file sizes were 86,016 and 98,304 bytes respectively.

    Cleaning this little beast requires that you first delete the "non running executable" (my WODBC.EXE) and then reboot in safe mode. Search and destroy the files referenced in the registry, plus their associated .INI and .DAT partners. Check and check again that you've deleted everything, and that you've deleted the registry references in BOTH current_user and local_machine. Check both the RUN and RUNONCE branches. Miss one thing and you're back to square one again.

    Sorry it's not more specific with filenames, etc., but this thing changes its name on every reboot. The only commonality I could see was the file sizes of the executables and the .DAT and .INI files.

    Hope this helps. I have Corporate NAV and Spysweeper on my PC, Spysweeper picked up that I had "something" running which it identified as sysupd, but it's a variant, and couldn't be cleaned.

    No idea what it was doing, but I didn't want to sit around and wait to find out.
     
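The post's cleanup checklist amounts to a small triage rule: walk Run and RunOnce under both HKLM and HKCU, and for every program they reference look for a hidden file attribute, blank version information, one of the reported file sizes, and a companion .INI whose base name is the executable's name reversed (VBC.EXE next to CBV.INI). The script below is an added example written for this thread, not code posted by burbanksteve or by the forum. The four key paths are the real Windows Run/RunOnce locations; everything else (the sample paths, the ctfmon.exe entry and its size, the flag names) is constructed so the logic can be exercised offline. On Windows, `--live` reads the real keys, although version information is not checked there (it is left as "not checked" rather than "blank").

```python
"""Triage Run/RunOnce autostart entries for the traits described in the post.

Added example, not code from the thread. The live collector needs Windows;
the constructed sample at the bottom exercises the same scoring offline.
"""
import ntpath   # Windows path rules even when run on another OS
import os
import sys

KNOWN_SIZES = {694_272, 215_040, 86_016, 98_304}   # byte sizes from the post
FILE_ATTRIBUTE_HIDDEN = 0x2

AUTORUN_KEYS = [   # real key paths; both hives, both branches
    (hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion" + "\\" + sub)
    for hive in ("HKLM", "HKCU") for sub in ("Run", "RunOnce")
]


def reversed_companion(exe_path):
    """VBC.EXE in a folder -> that folder's CBV.INI."""
    folder, name = ntpath.split(exe_path)
    base, _ext = ntpath.splitext(name)
    return ntpath.join(folder, base[::-1] + ".INI")


def indicators(exe_path, files):
    """Indicator names matched by one autorun target.

    files maps upper-cased full paths to {'size', 'hidden', 'version'};
    version is '' when the resource block is blank, None when not checked."""
    hits = []
    info = files.get(exe_path.upper())
    if info is None:
        return hits                      # not on disk, nothing to score
    if info["hidden"]:
        hits.append("hidden-attribute")
    if info["version"] == "":
        hits.append("blank-version-info")
    if info["size"] in KNOWN_SIZES:
        hits.append("size-%d" % info["size"])
    if reversed_companion(exe_path).upper() in files:
        hits.append("reversed-name-ini")
    return hits


def triage(entries, files):
    """entries: (hive, key, value_name, exe_path) tuples.

    Returns {upper path: {'keys': [...], 'hits': [...]}} for targets with at
    least one hit, so a program registered in both hives (the post's
    WODBC.EXE) lists every key that has to be cleaned."""
    report = {}
    for hive, key, _name, path in entries:
        hits = indicators(path, files)
        if not hits:
            continue
        rec = report.setdefault(path.upper(), {"keys": [], "hits": set()})
        rec["keys"].append(hive + "\\" + key)
        rec["hits"].update(hits)
    for rec in report.values():
        rec["hits"] = sorted(rec["hits"])
    return report


def collect_live():
    """Windows only: read the four keys, stat each target and its companion.
    Assumes each value is a bare path (no arguments). Version left None."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries, files = [], {}
    for hive, key in AUTORUN_KEYS:
        try:
            handle = winreg.OpenKey(roots[hive], key)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(handle, index)
            except OSError:
                break                    # no more values under this key
            index += 1
            path = str(data).strip().strip('"')
            entries.append((hive, key, name, path))
            for candidate in (path, reversed_companion(path)):
                try:
                    st = os.stat(candidate)
                except OSError:
                    continue
                files[candidate.upper()] = {
                    "size": st.st_size,
                    "hidden": bool(st.st_file_attributes & FILE_ATTRIBUTE_HIDDEN),
                    "version": None}
    return entries, files


# Constructed sample mirroring the post: VBC.EXE/CBV.INI and WODBC.EXE in both
# hives, plus one ordinary entry (size and version info invented here).
SAMPLE_ENTRIES = [
    AUTORUN_KEYS[0] + ("VBC", r"C:\WINNT\system32\VBC.EXE"),
    AUTORUN_KEYS[2] + ("VBC", r"C:\WINNT\system32\VBC.EXE"),
    AUTORUN_KEYS[1] + ("WODBC", r"C:\WINNT\WODBC.EXE"),
    AUTORUN_KEYS[3] + ("WODBC", r"C:\WINNT\WODBC.EXE"),
    AUTORUN_KEYS[0] + ("ctfmon", r"C:\WINNT\system32\ctfmon.exe"),
]
SAMPLE_FILES = {
    r"C:\WINNT\SYSTEM32\VBC.EXE": {"size": 694_272, "hidden": True, "version": ""},
    r"C:\WINNT\SYSTEM32\CBV.INI": {"size": 86_016, "hidden": True, "version": ""},
    r"C:\WINNT\WODBC.EXE": {"size": 215_040, "hidden": True, "version": ""},
    r"C:\WINNT\SYSTEM32\CTFMON.EXE": {"size": 15_360, "hidden": False,
                                      "version": "Microsoft Corporation"},
}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    entries, files = collect_live() if live else (SAMPLE_ENTRIES, SAMPLE_FILES)
    for path, rec in triage(entries, files).items():
        print(path, ", ".join(rec["hits"]), *rec["keys"], sep="\n  ")
```

Run without arguments it reports the two constructed targets and leaves ctfmon.exe alone; the key list under each target is the set of registry locations the post says must all be cleared before rebooting. A miss on any one of them is exactly the "back to square one" case described above.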
  2. burbanksteve

    burbanksteve Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    2
    I'm a new user, can't read private messages yet. Please reply to the thread for now .. thanks
     


Short URL to this thread: https://techguy.org/271645
