Sunday, February 27, 2011

Taming of 'Serivces' Virus

The other day, my Windows 2000 PC showed signs of virus infection. Speed was not affected, but continuous network activity indicated something was amiss. When connected to the Internet over a slow GSM wireless modem, it was difficult to access sites, as the machine was sending out data to unknown locations. Due to this high volume of outbound packets, browsing speed slowed down effectively to nothing. A virus scan was immediately initiated with the installed software, McAfee VirusScan Enterprise 8.0, but it failed even to recognize the malware quietly running in system memory, even though the scan took the better part of half a day. When Task Manager was run, the culprit was quickly identified – with a name of serivces.exe, it was evidently misspelled to disguise it as the legitimate services.exe, an integral module of Windows. It didn't allow the process to be stopped from Task Manager, and there was no reference to it in the RUN sections of the Windows Registry. A quick search on the Net from another PC failed to obtain any encouraging result. Some sites offered a software patch which would eliminate the threat, but they were not convincingly benign. A complete formatting of the hard disk loomed on the horizon.

At this point, I checked the running services on the machine using the services.msc component. By checking each service which had started, the miscreant was identified as the Plug and Play Manager, right below the legitimate service Plug and Play. The Plug and Play Manager refused to be stopped or disabled, reaching a dead end. There was no way to delete the exe file from the system32 folder while it was residing in memory. It was then that I thought to experiment with the system running in Safe mode. The machine was restarted in safe mode with command prompt. It took a while for it to bring up the command prompt, during which it seemed to have hung. After a nail-biting wait, the familiar good old DOS prompt came, to my great relief.

A directory listing of the system32 folder showed up the suspect, serivces.exe, which was renamed to old_serivces.exe. The meekness with which it allowed itself to be rechristened in safe mode gave me an exultation of joy! Services.msc was run again and this time the service allowed disabling, as it had not yet started. The machine was restarted in the usual mode and presto, the virus was removed from the system, without running any custom software.

Use the following steps to combat this threat. You don't need to install any software.

To identify

1. Press Ctrl-Alt-Del to bring up Task manager. Go to Processes tab and see whether serivces.exe is present in the list.

To inoculate

1. Restart the machine and press F8 while it is rebooting. A menu will appear asking the user to select the startup option. Choose 'Safe mode with command prompt'.

2. After the command prompt is displayed (which may take several minutes), go to the system32 folder with the command 'cd c:\winnt\system32' or 'cd c:\windows\system32', depending on the location of the system folder. Press Enter at the end of each command.

3. Type 'dir seriv*.exe' followed by 'Enter' to see the file listed. Rename it with the command 'ren serivces.exe old_serivces.exe' followed by 'Enter'.

4. Type 'services.msc' at the prompt followed by 'Enter'. The list of services will be displayed. Locate the Plug and Play Manager service, right-click on it, and select Properties from the menu. In the 'General' tab, set the Startup type to Disabled. Click OK and restart the machine normally. The virus should no longer be present on the system.
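The identification step above relies on spotting a misspelled system name by eye. As an added example (not part of the original post), the following script automates that check: it flags process names within one edit of a known Windows binary (catching transpositions such as serivces.exe vs services.exe) and service display names that merely extend a real one (Plug and Play Manager vs Plug and Play). The process and service lists are constructed samples, and the allow-list of system binaries is an assumption to extend for your own environment.

```python
# Added example: detect look-alike process and service names of the kind
# described in this post. Inputs are constructed samples; on a real machine
# they could be fed from the Task Manager process list or services.msc.

# Assumption: a short allow-list of core Windows process names.
KNOWN_SYSTEM_PROCESSES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1, so the
    'iv' <-> 'vi' swap in serivces.exe scores 1 against services.exe."""
    a, b = a.lower(), b.lower()
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def find_lookalikes(names, known=KNOWN_SYSTEM_PROCESSES, max_distance=1):
    """Return (suspect, legitimate) pairs for names that are close to, but
    not exactly, a known system name. Exact matches are left alone here;
    they would need a path or signature check that this example omits."""
    hits = []
    for name in names:
        n = name.lower()
        if n in known:
            continue
        hits.extend((name, k) for k in known if edit_distance(n, k) <= max_distance)
    return hits


def find_shadow_services(display_names):
    """Flag a service display name that is another service's display name
    with words appended, e.g. 'Plug and Play Manager' next to 'Plug and Play'."""
    lowered = [(d, d.lower()) for d in display_names]
    return [(b, a) for a, al in lowered for b, bl in lowered
            if bl != al and bl.startswith(al + " ")]


if __name__ == "__main__":
    sample_processes = ["serivces.exe", "services.exe", "svchost.exe", "notepad.exe"]
    sample_services = ["Plug and Play", "Plug and Play Manager", "Print Spooler"]
    print(find_lookalikes(sample_processes))        # [('serivces.exe', 'services.exe')]
    print(find_shadow_services(sample_services))    # [('Plug and Play Manager', 'Plug and Play')]
```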
