by Michael Day

A friendly neighborhood viral cleansing

Aug 02, 2004 · 6 mins

* Removing a morphing computer virus

There once was a guy named Dave

Whose computer just wouldn’t behave…

I’ll leave the rest to you, but you get the idea. That limerick beginning was inspired by a viral cleansing I performed on an associate’s computer. It reminded me of the difficult situation we all face as PC users who connect to networks and expose our machines to the variety of malicious code that exists.

In all of my years of experience working with computers, I’ve dealt with all kinds of virus infections, Trojans and phishing scams, but none was as nasty as the one Dave got. The stakes were high because he was the financial executive responsible for making a multimillion-dollar transfer between banks in different countries.

Dave is like many other computer users whose technical proficiency lies largely in using applications to get their daily work done. He knows how to get around the Desktop, install and uninstall programs, surf the Web, and crank out the next spreadsheet. But like so many other users, he hasn’t heard of “DLL hell,” has no idea which programs are actually part of the Windows operating system, and thinks phishing is a great way to spend an afternoon on the lake.

A couple of days before my associate was to do the online funds transfer, he called and sounded desperate. 

“Mike! I need some help. My virus detection software says I have a virus and I can’t clean it. I’ve got some serious banking to do on Monday involving millions of dollars and I’m more than a little worried. Do you suppose you could come over and take a look?”

“Sure. Shut down the computer and I’ll be right there,” which meant I’d see him in the next few minutes, because Dave lived right across the street.

Dave now knows to shut down his computer immediately if he has a problem caused by the introduction of a virus or Trojan. He has a Windows 2000 system. He also has a DSL always-on connection, which can be a mixed blessing. It’s really convenient for the consumer, but it also works to the benefit of a virus writer whose virus sends back keystroke logs as soon as they are created.

And that’s exactly what was infecting his computer.

After assessing the situation and checking the anti-virus software’s log, I realized that his online banking activities were far from secure or confidential.

Having a quality anti-virus software installation can help your IT staff solve these problems even when the software doesn’t have an effective virus definition. His software directed me to a Web page that had information about the malicious activity on his machine.

It said that the virus was especially nasty and would log keystrokes whenever a window opened with “bank” or “money,” or a slew of other keywords in the window’s title. That log would then be sent to someone in a former Eastern Bloc country where the originator could wreak havoc on the victim’s finances. All this information came from that one Web page, but it did not tell me how to clear the machine of the virus.

I kept reading and found that the virus installed a DLL and a couple of small, almost insignificant programs. 

I tried to delete the executables and DLL that the Web page had flagged as the culprits, but could only delete one of the executables. I have to give credit to the virus writer’s ingenuity. The one program I was able to delete was named win—–.exe; the complete name escapes me. The name doesn’t matter. The point I’m trying to make is that unless you’ve been in the WINNT\System32 directory as many times as I have, you might have blown right past the offending program, assuming it was part of the Windows operating system because of the win prefix.

So I opened the Task Manager to see if I could recognize anything out of the ordinary. What I found really opened my eyes to the devilishly crafty methods modern virus writers were using. I saw a process called “a.exe” that I didn’t recognize, so I killed it, and closed the Task Manager.

I tried to delete the program again, and still couldn’t. Upon reopening the Task Manager, I saw a different process called “g.exe” that I didn’t recognize and killed it. Well, they say “the third time’s a charm,” so after seeing it recreate a new program with a different single letter for a name, I came up with a better strategy.
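The two things that made this infection hard to spot by eye were a lookalike name in the system directory and a dropper that kept reappearing under a different single-letter name. The defensive answer is to stop relying on eyeballing the directory and instead compare it against a known-good baseline. The script below is an added example, not code from the article or from any vendor; the file names and digests in it are constructed sample data (`winhelper32.exe` and `keylog.dll` are hypothetical names, not real Windows binaries), and `inventory()` can be pointed at a real directory to build a baseline of your own.

```python
"""Baseline comparison for a Windows system directory.

Constructed example: BASELINE and CURRENT are hand-made sample inventories,
not real listings. Each maps a file name to a hex digest, the way a
file-integrity tool would record them.
"""
import hashlib
import os
import re

# Constructed baseline of a clean WINNT\System32 (tiny subset, sample digests).
BASELINE = {
    "winlogon.exe": "aaaa1111",
    "winspool.drv": "bbbb2222",
    "kernel32.dll": "cccc3333",
    "ntdll.dll": "dddd4444",
}

# Constructed "current" inventory after an infection like the one in the
# article: a win-prefixed executable that is not part of Windows, a
# single-letter dropper, a new DLL, and one legitimate file whose content
# changed. The added names are hypothetical.
CURRENT = {
    "winlogon.exe": "aaaa1111",
    "winspool.drv": "bbbb2222",
    "kernel32.dll": "cccc3333",
    "ntdll.dll": "eeee5555",        # digest differs from the baseline
    "winhelper32.exe": "ffff6666",  # hypothetical win-prefixed lookalike
    "g.exe": "9999aaaa",            # single-letter dropper name
    "keylog.dll": "8888bbbb",       # hypothetical new DLL
}

EXEC_SUFFIXES = (".exe", ".dll", ".drv", ".sys")
SINGLE_LETTER = re.compile(r"^[a-z]\.exe$", re.IGNORECASE)


def inventory(directory):
    """Build a name -> sha256 map for the regular files in one directory."""
    result = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            digest = hashlib.sha256()
            with open(entry.path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[entry.name] = digest.hexdigest()
    return result


def diff_inventory(baseline, current):
    """Return (added, modified, removed) as sets of file names."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    common = set(baseline) & set(current)
    modified = {name for name in common if baseline[name] != current[name]}
    return added, modified, removed


def lookalike_reason(name):
    """Explain why a newly added system-directory file deserves a look, or None."""
    lower = name.lower()
    if not lower.endswith(EXEC_SUFFIXES):
        return None
    if SINGLE_LETTER.match(lower):
        return "single-letter executable name"
    if lower.startswith("win"):
        return "win-prefixed name absent from baseline (easy to mistake for Windows)"
    return "new executable in system directory"


def triage(baseline, current):
    """Map each added or modified executable to a short reason string."""
    added, modified, _removed = diff_inventory(baseline, current)
    findings = {}
    for name in sorted(added):
        reason = lookalike_reason(name)
        if reason:
            findings[name] = reason
    for name in sorted(modified):
        if name.lower().endswith(EXEC_SUFFIXES):
            findings[name] = "digest changed since baseline"
    return findings


if __name__ == "__main__":
    for name, reason in triage(BASELINE, CURRENT).items():
        print(f"{name:18} {reason}")
```

Take the baseline on a machine you trust (a fresh install plus patches), store it off the box, and rerun the comparison when something looks wrong; a process that keeps coming back under new one-letter names will show up as a stream of additions no human would have to recognize by memory.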

A major problem was going to be the DLL. Most DLLs are loaded, opened and left open until the operating system is shut down, at least in the Windows world. That means you can’t delete them, at least not while they’re open, which is whenever Windows boots up.

Thank you, Microsoft, for leaving in the “Boot to a DOS command prompt” as one of the boot up options. I noted the location of the DLL and rebooted the PC. When the opportunity to boot to DOS came up, I took it. I traversed the directory structure to where the DLL was located and promptly deleted it. While I was there, I deleted the last of the offending programs and rebooted the PC.

The elation I felt when the PC came up and passed the virus scan can only be shared by geeks like me. Dave was smiling; he was pleased as well. But then a forlorn look pushed his smile aside.

“What’s wrong, Dave?” I asked. “The virus is completely gone, so why the look of disappointment?”

“What am I going to do when you move?” he asked. He knew that my wife and I had just bought our first house and were preparing for the move.

I chuckled and said, “Don’t worry, Dave. I’m only moving four miles away. It’ll take me longer than five minutes to get here, but I’ll still get here.”

Michael Day is an emerging technology analyst for Currid & Company.  You can write to him at