W32.Wisfc attack

[PFJ]

Hi All TS,

on the day I finished work before the holidays my workstation WIN2000Pro went down with a virus. I don't know how it got in - perhaps through webmail?? I'm not sure.
It slowed down so that the CPU was running at 100% so I did a reg fix scan and when hundres of DLLs & INKs were damaged I pressed FIX. I didn't suspect a virus until I saw the kb021119.exe & WINSFC.exe alarms from ewido - but it was too late. Ewido continued to alert but could not fix the invasion.

As far as I know this is a new virus variant found on the 21 Dec last. Now when I painfully wait for other virus scans to do their business loaded from my USB pen it too gets corrupted with the virus. I know this because Symantec on my laptop picks it up. It invades that DLLs that I try to put back into the registry of the infected workstation. The AV from the sever tried to load but stops because of missing DLLs.

Any ideas?

Regards

PFJ

 

[vhunter]

Boot in Safe Mode and run a scan. Symantec should clean it out.

Here's a page with more information and removal instructions: W32.wisfc.

 

[Tedster]

removal:

http://securityresponse.symantec.com/avcenter/venc/data/w32.wisfc.html

 

[PFJ]

Hi Guys,

I appreciate your replies with suggestions. However, the first thing I did was to do a search for this virus to be more informed. I have also tried several times to sort the problem out in the safe mode but to no avail.

Symantec NAV Corp ed will not run as the virus has infected the MSXML3r.dll file in C:\Program Files/Commom Files/Microsoft Shared/SPFC Cache.

I have a laptop with current AV definitions. Is it possible for me to connect via an USB cable, get the laptop to see the infected PC as an external HD and do a scan?

What do you think?

Regards

PFJ

 

[vhunter]

If both PCs have a network connector, you could just get a patch cable, connect the two systems, then tell the laptop to use the infected hard drive as a network drive. That should get it to scan.

 

[PFJ]

Hi Vhunter,

I agree. I went up town to look for a USB bridge cable but the local COMPU shop does not stock it - neither do Farnell.
I have both laptop and infected workstation connected to the server from where the corp NAV resides through a hub.
Our IT man was in yesterday to do something up with the NAV and when he was finished I asked him to sort out my workstation. He was not able to do so. He suggested getting another PC and remove the infected HD and put it into a good PC with current AV updates.
I went about this with a WIN98SE only to find that after much of the day spent getting it upp and running on the server that the NAV will not load on this OS!

What do you think of the USB bridge idea?

Regards

PFJ

 

[vhunter]

I think that it should work, provided that the NAV can connect through the bridge to the workstation. You can get a cheap one off of eBay for less than $20.

 

[RealBlackStuff]

You can't connect a USP port from one PC to that of another.
Never heard of such a far-fetched idea.
Either reformat/reinstall or put the HD in a working other PC with W2K or XP, and fix it from there. W98 will most likely not work because it can't read NTFS.

 

[vhunter]

That's not what I meant.
You can buy a USB bridge (meaning that you get two USB cables, one for each PC, and connect them into the bridge, thus linking the PCs) online for under $40.

 

[PFJ]

Hi Guys,

went in yesterday with another idea. I used stand alone virus removers i.e. stinger and v-cleaner from a USB pen drive and locked it so that the virus could not write to the pen drive. I also ran Ewido and used the pen drive as its default location. Now I had it on the run. I was able to use 'search' and locate the WINSFC.exe file and delete it. I also delected the complete TEMP folder.
I still can get Symantec to boot up because it tells me that MSXLM Installer is required. Neither can I remove it because all my .exe and .DLL files are damaged.

I think I need to start installing the OS first. At least now I have the ability to save my important files and work. Then I could do a format or reinstall without fear of losing data.

What is it with these hackers? I also found WIN32.Honk.A virus which attacks the .exe & .dll files also!

I see this evening that I have 4 threats on my home PC but I will view the collwebsearch removal info now.

Best Regards

PFJ

 

[PFJ]

Hi Techspotters,

thanks for the feedback so far.

Anyone tell me how I can replace all my damaged .DLL & .EXE files on my win2000Pro workstation?
Have disk and product key. I'm not admin but I have good control over the OS etc...
I have tried to do them individually and it worked but I'll be here until next Christmas at this rate!

I have tried the clean reinstall but it doesn't see the damaged files as a problem.

I cannot remove many programs because the .exe files are damaged. SO when I go into add/remove I get a message res://appwiz.cpl/listbox.htc - line:225 but efforts to resolve it using MS advice proved useless.


Would a visit to bootdisk.com help?

Re:USB to USB file sharing I think what vhunter and I had in mind was something like this item http://www.usbgear.com/PCLinq2/

Regards

PFJ

 

[vhunter]

Well, if you're talking about system files, you should be able to go into a command prompt (Start>Run "cmd" (no quotes)) and type "sfc /SCANNOW" (no quotes). This should fix all corrupt system files.

If you're talking about corrupt user EXEs, then your only hope is to reinstall the programs.

 

[PFJ]

In conclusion...I ended up having to format both C & D HDs. Even though I found the launcher kb021119.exe and deleted it, the WINSFC.exe kept coming back even after using HJT and other AV. Also W32.Honk.A. virus infected all dll files. I was able to save some files but the hackers will be delighted to hear that over two years of files were lost.

Question: not a problem (I hope) just curious why at startup I now see three instances of the OS (WIN2000Pro) and the PC asks which one do I want to use and if I don't choose it by hitting the return key it shows a countdown and automatically selects the last installation?


Regards

PFJ