Virus Warning

Today I noticed on my desktop PC that I had a virus.

It put a file called TEL.XLS.EXE on the root drive of each partition, i.e. C:\TEL.XLS.EXE, E:\TEL.XLS.EXE.

When I went to delete the file, it kept coming back so some quick googling found these links about it.

http://forums.whirlpool.net.au/forum-replies-archive.cfm/730930.html
http://www.sophos.com/security/analyses/trojvbcwp.html
http://fileinfo.prevx.com/fileinfo.asp?PXC=669749228023

Basically it copies itself to the root directory and creates an AUTORUN.INI file, so that each time you put a USB stick into an infected PC it copies itself across, and then when that USB stick is plugged into another computer it executes itself via Autorun and copies itself to that machine.

The file has the hidden attribute set (so you have to go to Control Panel -> Folder Options and select the Show Hidden Files and Folders radio button to see it), and its icon is made to look like a Microsoft Excel file.

The thing also changes a registry value so that if you go to the Folder Options control panel, you can’t see the Show Hidden Files and Folders option that you would need to reveal it. I only noticed it because I don’t use the Do Not show hidden files and folders option.
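As an added example (not part of the original post), here is a small Python checker for the mechanism just described: given a drive root or USB stick it reports an autorun file, parses which program that file would launch, and flags a target that carries the document-looking double extension of TEL.XLS.EXE or the hidden attribute. The extension lists, the function names and the constructed sample in demo() are assumptions; the file names come from the post.

```python
import configparser
import tempfile
from pathlib import Path

AUTORUN_NAMES = ("autorun.inf", "autorun.ini")  # the post says .ini; Windows itself reads autorun.inf
DOC_LIKE = {".xls", ".doc", ".pdf", ".jpg"}      # assumed "document" extensions the worm imitates
EXEC_LIKE = {".exe", ".scr", ".com", ".bat"}     # assumed executable extensions
FILE_ATTRIBUTE_HIDDEN = 0x2                      # Windows st_file_attributes bit set by the worm

def parse_autorun(text):
    """Distinct programs an autorun file launches via open=, shellexecute= or shell\\...\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text.lower())             # case-insensitive, as Windows treats the file
    except configparser.Error:                   # malformed file: Windows would launch nothing
        return []
    targets = {}                                 # dict keeps first-seen order, drops duplicates
    for key, value in (cp.items("autorun") if cp.has_section("autorun") else []):
        if (value or "").strip() and (key in ("open", "shellexecute") or key.endswith("\\command")):
            targets[value.split()[0].strip('"')] = None
    return list(targets)

def looks_like_disguised_exe(name):
    """tel.xls.exe style: a document extension sitting in front of an executable one."""
    suffixes = Path(name.lower()).suffixes
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_LIKE and suffixes[-2] in DOC_LIKE

def is_hidden(path):
    """Windows hidden attribute; st_file_attributes does not exist elsewhere, so False there."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def scan_root(root):
    """Inspect one drive root or USB stick and return a list of findings."""
    root, findings = Path(root), []
    for autorun in [root / n for n in AUTORUN_NAMES if (root / n).is_file()]:
        findings.append(f"{autorun.name} present")
        for target in parse_autorun(autorun.read_text(errors="replace")):
            note = f"{autorun.name} launches {target}"
            if looks_like_disguised_exe(target):
                note += " (disguised executable)"
            if (root / target).is_file() and is_hidden(root / target):
                note += " [hidden]"
            findings.append(note)
    return findings

def demo():
    with tempfile.TemporaryDirectory() as usb:   # constructed sample standing in for a USB stick
        Path(usb, "autorun.inf").write_text("[autorun]\nopen=tel.xls.exe\nshell\\open\\command=tel.xls.exe\n")
        Path(usb, "tel.xls.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
        return scan_root(usb)
```

On a real machine call scan_root("C:\\") or scan_root("E:\\") for each partition and stick; the hidden flag only shows up on Windows, where the attribute actually exists.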

Ok, so the links have a rundown of how to get rid of it, here is my preferred way.

Get the program Process Explorer. It is like Task Manager but gives you a bit better info. It comes as a zip file with a single exe that you run to start the application.

Start it up and look for svchost.exe. There will be a few of them, but this one is noticeable because it has an icon that makes it look like an Excel file. Double click on it. The program’s path will be C:\WINDOWS\SVCHOST.EXE. Note that if it’s a proper Windows file and not the virus, its icon won’t be an Excel file and it will have the path C:\WINDOWS\System32\SVCHOST.EXE.

If you have trouble killing the svchost.exe process that is causing the problem, you can start in safe mode.

Restart in safe mode (go Start -> Run, type msconfig and press Enter). Select the Diagnostic Startup radio button. Press OK, and reboot when prompted. If this doesn’t work, press F8 when your computer boots up and you’ll see a menu item to start in safe mode.

After svchost.exe is stopped or you are in safe mode, open up a command prompt window (go to Start -> Run, type cmd and press Enter). In the window, delete the following files with these commands:

del C:\autorun.ini
del C:\tel.xls.exe

Repeat the last two commands for each partition you have. Also, plug in your USB sticks and delete the autorun.ini and tel.xls.exe on each of them. It’d be a safe idea to hold down the Shift key while plugging each one in so that Autorun doesn’t execute and reinfect your system all over again.

Once the main culprits are gone, delete the helper files. Note that %System% here stands for the Windows system folder (normally C:\WINDOWS\System32) and is not something cmd expands on its own, so type that path out; %WINDIR% is a real environment variable and expands by itself.

del %System%\SocksA.exe
del %System%\algsrv.exe
del %System%\FileKan.exe

del %WINDIR%\SESSION.EXE
del %WINDIR%\SVCHOST.EXE
del %WINDIR%\ufdata2000.log

Close the cmd prompt window.

Open the Registry Editor (go Start -> Run, type regedit and press Enter).
Expand the My Computer tree on the left and then
navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
When you click on Run, the right hand pane will have a list of autostarting programs.

One of those entries will have a value that matches one of the files you deleted above (e.g. SocksA.exe). Right click it and choose Delete.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

In the right hand pane, you’ll see a value named CheckedValue with data 0. Double click the name and change its data to 1. Change the DefaultValue to 0.
This will return the ability to see the option ‘Show Hidden Files And Folders’ in the Folder Options control panel. You may want to now open this control panel, select it and press OK. Make sure that this has taken effect: go back into Folder Options and check that the radio button is still set to that value.

Provided all the above is completed, you should now be virus free. To prevent re-infection in future, I suggest you disable Autoplay for USB drives.