OT-ish: Virus or not?

Although it won't necessarily get rid of it all, run AdAware


It will identify browser hijacks and trojans, but you may then need to run special tools for this particular infestation. No virus scanner finds all virii, according to a research paper (about 4 months ago, I seem to recall).

I de-infested a friend's system a month ago (although I berated him for clicking on links and attachments in emails) - took me 2 days, and a full suite of tools - some free, some not.

Cheers

PeteS


Yesterday, testing a new Ethernet based thingy, having problems. Thought the firewall might be involved, disabled it. Forgot, logged onto www. Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got alert 'netlib.exe trying to access the web'.

Searched for netlib.exe, the virus folks say it's a component of a virus. Ran virus check with latest updates, no virus found. Ran spybot with latest updates, no problems.

So is this a virus or not? I don't know if it was there before, I don't look at what's running except when one of my own programs has crashed. Can't get rid of netlib.exe, access denied.

The virus description says it installs a number of other files- I can't see these (I always display hidden files).

Any experiences/ advice much appreciated.

Paul Burke


Key thing here, is that you have to run the virus checker 'clean'. You need to be booting a separate check disk, and using this, rather than the OS. Unfortunately many worms, 'mark themselves' as friendly to the virus checker on the machine (basically add themselves to the list of files excluded).

Spybot is good, but you should try another package like AdAware as well. You should be able to rename netlib.exe, and this may get rid of this after a reboot, but many of the packages are smart enough to restore their own files on reboot. There are a couple of packages that will allow you to remove a file automatically during the boot process before the OS has fully launched, and these may get rid of the main body of the infection.

Best Wishes

Roger Hamlett

Nasty. I'm no good at hacking the register thing in Windows, but one little app that I find useful is moveonboot, which will move or delete files before Windows grabs hold of it. The other prog is regcleaner by Jouni Vuorio; google for the free version, it's not on his website anymore.

martin


Thanks everyone. I haven't got rid of it yet (if it is a virus), but at least the firewall seems to be blocking it (fingers xxxxxxxxx).

Paul Burke


formatting link

--
Regards,
  Bob Monsen

If a little knowledge is dangerous, where is the man who has
so much as to be out of danger?
                                  Thomas Henry Huxley, 1877

formatting link
has a nice little search engine that looks for file names, not just christened names for net sludge. Their search gives all the details about which virii use that name. CA also provides free virus scans, perhaps that would help root out the little scum.

Or, since it seems you are running Windows, booting into safe mode and starting up the admin account should be enough to give you the access to delete the file.

Or, if you wanted to mail it to me, with a subject line of

***VIRUS ATTACHED***

I'll turn my firepower against it and let you know what happens.

I've done volunteer virus reporting for a few people in the past and hope it helps. Just don't start blasting the stuff at me without that subject line, otherwise the automated reporting system will blast it right back at the appropriate abuse address.

56465 Swen virus received and reported. Email address IS valid, I bait SWEN virus with it. Now if I can just get Bigpond/Telstra to clean up their ongoing infection.

Don Taylor

You guys make me so glad I don't run windoze! Think about it.

Ted


Isn't somebody, by now, accumulating a list of IPs where these viri come from? Why not just blacklist them all?

Thanks, Rich

