One of the blokes next door has had a Windows 2000 PC and ADSL for a couple of weeks, and gave me a knock earlier in the week as the PC won’t boot properly.
On further inspection, the machine seems to be completely virus-ridden. Putting it through the hoops of AVG, Sophos and F-Prot turned up 19 files infected with 6 different viruses, which I cleaned out. Running AdAware found a bunch more spyware too.
But it still wouldn’t boot. It’d get as far as the desktop wallpaper and just sit there. Using Alt-Ctrl-Del and Task Manager it was possible to kill the Explorer.exe process and start a new one, but something else was obviously up.
Looking through the registry with RegEdit, having cleaned out an earlier virus which stops you using RegEdit or MSconfig, I found that there were multiple entries in the “Run” and “RunOnce” sections of HKLM/Software/Microsoft/Windows/CurrentControlSet titled “winlog” which were all running something called “winregedit.exe” from the /WINNT/System32 directory. I removed the entries and rebooted but they reappeared, so they were most likely up to no good. Killing the winregedit.exe processes and removing the registry entries again seemed to sort things out.
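The check described above (walking the “Run” and “RunOnce” keys, seeing what each entry launches, and noting which of those programs is currently running before touching anything) is something worth scripting rather than doing by eye in RegEdit. The script below is an added example, not something from the original post or the machine in question: it assumes a current Windows host with PowerShell 5.1 or later (the Windows 2000 box here predates PowerShell) and the standard key names under CurrentVersion. It only reports; it never deletes registry values or kills processes.

```powershell
# Added example: list Run/RunOnce autostart entries for the machine and the
# current user, work out which executable each one launches, and flag entries
# whose target is missing, has no valid Authenticode signature, or is running
# right now. Reporting only; nothing is changed.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartImage {
    param([string]$Command)
    # Extract the executable from a command line: the quoted first token if
    # there is one, otherwise everything up to the first ".exe", otherwise the
    # first whitespace-delimited token. Environment variables are expanded.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"')   { $image = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)') { $image = $Matches[1] }
    else { $image = ($cmd -split '\s+')[0] }

    # A bare name such as "winregedit.exe" is found via PATH (System32 included),
    # which is how the loader would find it too.
    if (-not [System.IO.Path]::IsPathRooted($image)) {
        $found = Get-Command $image -ErrorAction SilentlyContinue
        if ($found -and $found.Source) { $image = $found.Source }
    }
    return $image
}

function Get-AutostartReport {
    # Set of image paths for every process we can see, compared case-insensitively.
    $running = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Path) { [void]$running.Add($_.Path) }
    }

    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
            if ($name -like 'PS*') { continue }

            $command = [string]$props.$name
            $image   = Resolve-AutostartImage $command
            $exists  = Test-Path -LiteralPath $image -PathType Leaf
            $sigStatus = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
            } else { 'FileMissing' }

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Image      = $image
                Signature  = $sigStatus
                Running    = $running.Contains($image)
                # Unsigned or missing targets are what to look at first; a
                # running one must be stopped before its registry entry will
                # stay gone, as with the winregedit.exe case in the post.
                Suspicious = (-not $exists) -or ($sigStatus -ne 'Valid')
            }
        }
    }
}

Get-AutostartReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all process paths are readable. An entry marked Suspicious and Running is the pattern seen above: the process is live and will rewrite its own Run value, so the report tells you which process to deal with before the registry entry is worth removing.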
A quick Google didn’t show up anything significant about winregedit.exe, but looking through the files with a text editor revealed that the file was a virus or worm. The text strings indicated that it was looking for CD keys for various games, connecting to an IRC channel and generally being bad.
I did a search of the anti-virus sites but none of them listed this particular virus, though the Yaha strains looked similar. I removed winregedit.exe and rebooted; everything appeared clean now.
Looking round the system, I found a file c:\winreg.exe which was identical to winregedit.exe. I removed that one too, and started to look at where to send a sample of the virus. After half an hour of looking, I gave up; none of the AV sites had obvious mechanisms for submitting new viruses…
I’ve now set up AVG for him, and installed Zone Alarm to protect him from future infections.
Having my own machines behind a firewalling router means that I don’t suffer from any network-based attacks from the Internet, though I do get the usual selection of email viruses (which AVG picks up).
So, if you do have a machine connected to the Net (especially a Windows machine), make sure you have a firewall of some description and make sure you have up-to-date anti-virus software, and also choose strong passwords for your machine as some viruses/worms gain access by guessing network passwords.