April 19th, 2006 05:32 AM
I need some help in removing a virus named "WINFILE". This is in a form of a file which keeps on reappearing in my local disk drives. I tried deleting it both normally and "shift + delete", but it keeps on appearing again and again.
Strangely, I also noticed files(with icons like globe and windows logo) named wuauclt, wuauclt1, wuaucpl, wuaueng1.dll, wuaueng.dll, wuauserv.dll, wucltui.dll and wupdmgr in the system32 folder of c:/windows. I suspect them as the culprits and even tried to delete them but they too reappeared like the WINFILE case.
I'm not a comp. geek and am not aware of what thing i'm becoming victim of.
The properties of the WINFILE are as:
Type of file: Application
Size on disk: 56.0KB
Created: Wednesday, January 18, 2006, 7:15:19 PM
Modified: Sunday, November 24, 2013, 1:24:54 PM
Accessed: Today, April 06, 2006, 8:40:00 PM
File version: 188.8.131.52
Other version information:
File Version: 1.00
Internal Name: wukill
Language: Chinese (PRC)
Original file name: wukill.exe
Product Name: Xgtray
Product Version: 1.00
The configuration of my pc is as follows:
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 2 (2600.xpsp_sp2_rtm.040803-2158)
Language: English (Regional Setting: English)
System Manufacturer: MICRO-STAR INTERNATIONAL CO., LTD
System Model: MS-7142
BIOS: Phoenix - AwardBIOS v6.00PG
Processor: AMD Sempron(tm) Processor 2500+, MMX, 3DNow, ~1.4GHz
Memory: 192MB RAM
Page File: 80MB used, 384MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
Please tell me what to do.
April 19th, 2006 05:59 AM
Boot into safemode by pressing F8 while windows is booting.
Make sure your AV is updated and run a full system scan.
Once its removed WINFILE, reboot do not boot into safemode this time.
Run another full systemscan with your AV to make sure its removed all traces of WINFILE.
April 19th, 2006 06:19 AM
There is a possibility that there are spy-ware and other things running in the background so
try scanning your system for any spyware and other malicious programs. You can use (Ad-ware) for this purpose..... Before scaning better update it first....
One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
April 19th, 2006 07:28 AM
Maybe off-topic but I just want to share this one bit:
I've encountered a similar situation with a virus file with an associated file desktop.ini. It replicates itself into all of the folders of the harddisk and is not easy to control. Running Norton Anti-Virus puts you into a loop (reminds of me the DOS version of Dark Avenger virus). When the virus is scanned, it automatically latches on into the system memory such that when NAV cleans the file (apparently by deleting it), it immediately rewrites itself into the disk folder then NAV detects it and cleans it then it rewrites itself again... so on the NAV continues to work ad infinitum.
The desktop.ini file attribute is hidden. I manually removed the files in all of the folders by first removing the hidden attribute (in DOS mode, it's ATTRIB -H DESKTOP.INI /S [lower or upper case doesn't matter]) the proceeded to delete (DEL DESKTOP.INI /S) while still in that mode. After that, I rebooted the system by pressing the RESET button (not by going back to Windows and ordering a system restart). Went into safe mode, repeated the DOS mode procedure then ran the anti-virus just to make none of the virus signature was further found.
When I restarted the system in normal mode and ran anti-virus again, no further infection was further found. Note that even when I did set the Windows Explorer folder options into "show hidden files and folders" prior to the DOS mode activities, I couldn't see that hidden desktop.ini file in the folders (subdirectories) which made me wonder how insidious that one was.
The infected system is not mine (the unit is an officially-issued laptop used by a friend) and I'm not really sure how often that unit gets upgraded virus definitions.
At ay rate, I just want to share what I did with that one... and I hope I can get the experts around to tell me if I did right (or if wrong... at which point).
Si vis pacem, para bellum!
April 19th, 2006 07:32 AM
Install them, update them, boot into SAFE MODE and run them. Do the same with your antivirus.
REMEMBER TO TURN OFF YOUR SYSTEM RESTORE POINTS FIRST
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
April 19th, 2006 07:36 AM
You can find some more information on this file here. Looking at what they say about it, you might want to check your backups to make sure they haven't been infected.
If everything looks perfect, then there is something you don\'t know
April 19th, 2006 12:23 PM
First, disable system restore...How to System Restore then download.... Killbox and follow the instructions, after you reboot into normal, enable your System restore and set a manual restore point...
Some info:: wuauclt - wuauclt.exe - Process Information
Process File: wuauclt or wuauclt.exe
Process Name: AutoUpdate for WindowsME
Wuauclt.exe is a process managing automatic updates for Windows. This process continuously checks for the latest updates by going online. This process should not be removed if you want to get informed about new updates.
File Name: wuauclt1.exe
wuauclt1.exe is the Windows Update AutoUpdate Client which runs in background to checks with Microsoft website for updates to the operating system. This file is located at "%WinDir%\System32" directory. If you find this file in directory other than System32, you should beware that it is virus or spyware.
Most of these are related to your Windows Update process (auto), try Googling them to see what they tell you, or go to More Info
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
April 20th, 2006 01:00 PM
Tthanks guys killbox worked well.
TYhank You Very Much.
April 20th, 2006 06:02 PM
rofl, the mighty dalek reveals the truth once again....listen to him, he definitely knows his stuff...
good job dalek!
However, I do praise you, princesheril, for giving so much information. Keep that up, as it is very helpful in tech support situations such as this. And don't be discouraged by this encounter either, as everyone will probably have an experience like this at some point or another. Just keep seeking the knowledge, you will become better with time.
(this is in reguard to the windows update files, I do agree with the antivirus options though)
there's always a way in...