Wednesday, October 11, 2006

Skills of Former Employ

Ordinarily I do not spend much time passing along my tidbits of computer information, usually because someone else out there has already figured out the same things I have, and has already posted it. But today is different.
Hopefully the search engines will pick up on this post, and this will be useful to someone.
The key items here are:

VBS/PSYME
abc123.pid
checkin[1].htm
or, for the search engines, let's call this one checkin.htm (the "[1]" is just the suffix Internet Explorer's cache adds when it already holds a file of that name)
solution, removal

McAfee was complaining that a file "checkin[1].htm" was infected with the VBS/PSYME virus, and had been deleted. This file was being created in %TEMP% along with another file named "abc123.pid".

Searching around the Internet, I found a few clues, but couldn't find anything that really nailed it, so it was down to old school detective work. Rather than give you the long route that I took to get to the answer, I'll give you only the important part that I was able to boil it all down to.

Whatever virus this is, it's actually almost kind -- it doesn't "infect" existing files at all. Instead it replaces certain executables with a copy of itself, and before doing so it moves the original into a folder named "bak". Needless to say, this makes restoring the files very easy.

First, search your computer for all folders named "bak"; you should get a results list with quite a few of them. Sort the view by name so that the folders are on top.

In some of the "victim" folders, you will find executable files that bear the same filenames as those listed in the startup portion of your computer's registry (the Run keys under HKLM\Software\Microsoft\Windows\CurrentVersion and the matching HKCU branch). If you don't know what or where this is, don't worry about it. It's good to know, but not necessary to fix the problem.

From the search results, open one of the "bak" folders and copy the file you find there (there should be only one). That is the backup of the file the virus replaced. Now do another search for that exact filename. When you find a copy that Explorer lists as exactly 21K, you have found the virus that is causing the headaches for you. Paste your "bak" file over this 21K menace, and you will have fixed part of the problem. Repeat this for every file you find in a "bak" folder. Two checks before you paste: the 21K copy should differ in size and contents from its backup (if it doesn't, you are not looking at the replaced file), and it is worth keeping a copy of the 21K file somewhere harmless so it can be submitted to your AV vendor. And please be smart about it -- this post assumes you work in IT or have enough experience to know exactly what I'm talking about without further need of explanation.
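The search-copy-paste routine above is easy to get wrong by hand when there are a dozen "bak" folders, so here is a script that does the same thing. This is an added example, not code from the original post: it assumes exactly the layout the post describes (a folder named "bak" holding the original of a same-named executable that the virus replaced with a copy Explorer lists as 21 KB), and the sample directory tree, file names and file contents it builds are all constructed for the demonstration. It does a dry run first, keeps a copy of each 21 KB file in a quarantine folder before overwriting it, and leaves any same-named file of a different size alone.

```python
"""Automate the 'bak' folder restore described in the post.

Added example, not code from the original post. It assumes the layout the post
describes: a folder named 'bak' holds the original of a same-named executable
that the dropper replaced with a copy Explorer lists as 21 KB. Every path,
file name and file body below is constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

BAK_DIRNAME = "bak"   # folder name the post tells you to search for
SUSPECT_KB = 21       # size of the dropped copy as Explorer's list view shows it


def explorer_kb(size_bytes: int) -> int:
    """Size as Explorer displays it: bytes rounded up to whole kilobytes."""
    return -(-size_bytes // 1024)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_backups(root: Path) -> List[Path]:
    """Every file that sits inside a folder named 'bak' anywhere under root."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        if Path(dirpath).name.lower() == BAK_DIRNAME:
            found.extend(Path(dirpath) / f for f in filenames)
    return found


def find_suspects(root: Path, name: str) -> List[Path]:
    """Same-named files outside any 'bak' folder whose size matches the dropper."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() != BAK_DIRNAME]  # never descend into bak
        for f in filenames:
            p = Path(dirpath) / f
            if f.lower() == name.lower() and explorer_kb(p.stat().st_size) == SUSPECT_KB:
                hits.append(p)
    return hits


def restore(root: Path, dry_run: bool = True,
            quarantine: Optional[Path] = None) -> List[Tuple[Path, Path, str]]:
    """Paste each backup over its 21 KB replacement.

    Returns (backup, replaced_file, action) per match. With dry_run nothing on
    disk changes. If a quarantine folder is given, the dropped copy is saved
    there (named by hash) before it is overwritten, so a sample survives."""
    log = []
    for backup in find_backups(root):
        for suspect in find_suspects(root, backup.name):
            if sha256(suspect) == sha256(backup):
                log.append((backup, suspect, "identical"))  # nothing to restore
                continue
            if dry_run:
                log.append((backup, suspect, "would-restore"))
                continue
            if quarantine is not None:
                quarantine.mkdir(parents=True, exist_ok=True)
                shutil.copy2(suspect, quarantine / f"{suspect.name}.{sha256(suspect)[:12]}")
            shutil.copy2(backup, suspect)  # overwrite the dropped copy with the original
            log.append((backup, suspect, "restored"))
    return log


def build_sample_tree(base: Path) -> dict:
    """Constructed sample: one hijacked program, plus an unrelated same-named
    file of a different size that must be left alone."""
    original = b"MZ original widget.exe " * 300        # about 7 KB
    dropped = b"\x00" * (SUSPECT_KB * 1024 - 7)         # lists as 21 KB in Explorer
    unrelated = b"MZ some other widget.exe " * 2000    # about 49 KB
    victim = base / "Program Files" / "Widget"
    (victim / BAK_DIRNAME).mkdir(parents=True)
    (victim / BAK_DIRNAME / "widget.exe").write_bytes(original)
    (victim / "widget.exe").write_bytes(dropped)
    (base / "Tools").mkdir()
    (base / "Tools" / "widget.exe").write_bytes(unrelated)
    return {"original": original, "dropped": dropped, "unrelated": unrelated}


def demo() -> dict:
    """Run the procedure against the constructed tree and report what happened."""
    base = Path(tempfile.mkdtemp(prefix="psyme-demo-"))
    try:
        data = build_sample_tree(base)
        target = base / "Program Files" / "Widget" / "widget.exe"
        plan = [a for _, _, a in restore(base, dry_run=True)]
        done = [a for _, _, a in restore(base, dry_run=False, quarantine=base / "quarantine")]
        again = [a for _, _, a in restore(base, dry_run=False)]  # second pass finds nothing
        return {
            "plan": plan, "done": done, "again": again,
            "restored": target.read_bytes() == data["original"],
            "untouched": (base / "Tools" / "widget.exe").read_bytes() == data["unrelated"],
            "sample_kept": any(p.name.startswith("widget.exe.")
                               for p in (base / "quarantine").iterdir()),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with dry_run=True against the drive root first and read the plan; the size test mirrors what Explorer shows (bytes rounded up to the next kilobyte), which is why the match is on 21 KB rather than an exact byte count. The script only restores files; the registry entries that point at them are left as they are, since restoring the original is what makes those entries harmless again.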

I hope this shortcut helps someone. It took me about six hours to peg it; it should take you less than 30 minutes. If you aren't sure what you're doing, ask me for help before you botch it.

EDIT: 11/11/2006
If you find that this solution works for you, then I ask that you spread the word to make it easier for the search engines to find it. If you have a blog or web page, take a few minutes out of your life to write about the problem you had, and post a link to this page (URL provided below), so others can find it too. I am constantly receiving email, via the Sysinternals forum pages, from people with this exact problem, because they are looking in the wrong place for the solution. Help me to help them.

http://ganellon.blogspot.com/2006/10/skills-of-former-employ.html

bellum in capite meum pugno