Brool brool (n.) : a low roar; a deep murmur or humming

Yet Another Virus

 |  coding

Spent the good part of today trying to clear my laptop of a virus that wasn’t being caught by Norton or any other anti-virus program that I tried. In the hopes of saving someone some time, I put them here into the Google-mind.

Symptoms: Extra processes THEWMPCD.EXE and ROUCCONF.EXE in the task list. The processes cannot be killed; when stopped, they are automatically restarted by the Windows explorer.

The executables themselves cannot be found on casual inspection. Looking at their home directories in the process list reveals that THEWMPCD.EXE is supposed to be in /Program Files/Ipyeader, and ROUCCONF.EXE should be in /Windows/System32. Alas, neither cannot be found. There is apparently no Ipyeader directory in the Program Files directory, but trying to create said directory results in an “This directory already exists” error message.

Also: ROUCCONF.EXE repeatedly writes to a file named “p5gxa” (may be randomly generated) in the Windows directory. This file is only 24 bytes long and contains a timestamp.

Solution: Boot safe mode, log in as administrator, and you’ll be able to see the files. Remove them. (Still testing this, may offer a different solution in a day or two).

Update: Received the following message from Norton:

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: C:\fornorton\Ipyeader\thewmpcd.exe
result: See the developer notes
Developer notes:
C:\fornorton\Ipyeader\thewmpcd.exe
This sample has been analyzed by a variety of automated means and was not immediately identified as malicious. This file may be passed to an engineer for further inspection. Thank you for your submission.

… which is about what I expected. Of course, the presumption is that random Joe doesn’t know what he or she is talking about. Admittedly, I am not positive that it is a virus, but am instead simply coming to that conclusion based on the fact that the process didn’t allow itself to be killed and hides itself and keeps a cache of web pages that are visited. I mean, there could be completely innocent reasons for all of that.

If I were to find a person hiding in my bathroom, I would also assume that he had nefarious purpose. I’m just biased that way.

Discussion

Comments are moderated whenever I remember that I have a blog.

There are no comments on this article.

Add a comment