fun.exe worm

Discussion in 'Computer Security' started by steve_p1981, Feb 6, 2012.

  1. steve_p1981

    steve_p1981 Byte Poster

    Got a bit of a problem on the network. It's a basic P2P network using Comodo Premium for AV and firewall as well as the Windows firewall. The AV software detects a file called fun.exe and quarantines it. When deleted, within a day, it has reappeared where it was deleted from. It sits in 3 different folders and I don't know what to do.

    I found a site that told me what to do in the registry and Windows folder, but the file hasn't been activated; it is not in the processes or in the registry anywhere. As it is not actually running I can't kill it this way, and I don't want to activate it to get it to this stage in case the fix doesn't work.

    I have maxed out the security as high as I can and keep it all functional. Anyone experienced this before? It seems to be common that people have activated it, but I haven't; I just want to stop it getting in at all.
     
    Certifications: A+ 220-701 and 220-702
    WIP: none at current but poss 70-680 soon
  2. Nyx

    Nyx Byte Poster

    This one is even on wiki :) Apart from the file there is a process running as well; you can try and disable it in msconfig, then delete the files. Or better, leave it to some software like MBAM or SAS. Usually running them in safe mode does the trick, otherwise that process just creates them again. Not sure about this one, but some malware uses autostart to infect PCs: someone brings in a pendrive and you'll have it again. Good luck!
     
  3. steve_p1981

    steve_p1981 Byte Poster

    It isn't in the process part of Task Manager; this is the bit that's annoying me. That's what the site I found said, but it's not been activated, it just sits there doing nothing then regenerates at startup. A roll back to an earlier restore didn't do the job either. I did find out that someone had brought in a pen drive from home and I think that's what did it. I hate worms!!!
     
    Certifications: A+ 220-701 and 220-702
    WIP: none at current but poss 70-680 soon
  4. Nyx

    Nyx Byte Poster

    Steve, run msconfig and have a look for it on the Startup tab. It is an old one; I am sure most software should get rid of it easily IF you run them in safe mode. Malwarebytes Anti-Malware usually helps. If you have your PCs up to date with updates, infected pendrives shouldn't be a problem; I think there was an update for XP some time ago that disables autorun on all removable drives. You can always do that manually in local policy settings, but get rid of the worm first! You can mess around trying to delete it, but that might take you a lot more time than doing a full scan.
     
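    As an added example, not part of the thread or any poster's own procedure: a PowerShell snippet that checks and enforces the "disable AutoRun on all drive types" Explorer policy Nyx refers to. It assumes an elevated session on a Windows machine and uses the standard policy key, value name and bitmask.

    ```powershell
    # Added example: inspect and set the AutoRun policy for all drive types.
    # NoDriveTypeAutoRun is a bitmask indexed by drive type (bit 1 << drive type);
    # 0xFF covers every type, 0x04 is the removable-drive bit. Changing the HKLM key
    # requires an elevated session; Explorer picks the change up at next logon.

    $PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ValueName = 'NoDriveTypeAutoRun'
    $AllDrives = 0xFF
    $RemovableBit = 0x04

    function Get-AutoRunPolicy {
        # Returns the current bitmask, or $null if the policy value was never set.
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$ValueName
    }

    function Disable-AutoRunAllDrives {
        # Creates the policy key if missing and sets the DWORD to 0xFF.
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    }

    $before = Get-AutoRunPolicy
    if ($null -eq $before) {
        Write-Output 'AutoRun policy not set: removable drives may still autorun.'
    } elseif (($before -band $RemovableBit) -eq 0) {
        Write-Output ('AutoRun policy is 0x{0:X2}: removable drives NOT covered.' -f $before)
    } else {
        Write-Output ('AutoRun policy is 0x{0:X2}: removable drives already covered.' -f $before)
    }

    Disable-AutoRunAllDrives
    $after = Get-AutoRunPolicy
    Write-Output ('AutoRun policy now 0x{0:X2} (all drive types disabled).' -f $after)
    ```

    Log off and back on (or restart) before trusting the result; the existing-infection cleanup the thread describes still has to happen first.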
  5. Toasty

    Toasty Byte Poster

    Given the amount of time you have spent trying to remove this, you could have done a full format/ reinstall and that way you are sure to have removed it.

    Our company policy is that for anything taking longer than 2 hours to remove, we just format/reinstall.
     
    Last edited: Feb 7, 2012
    Certifications: A+, Network+, MCDST, MCSA
    WIP: MCSE, CCNA
  6. steve_p1981

    steve_p1981 Byte Poster

    I'll boot in safe mode and try it tomorrow. I can't just wipe the system unfortunately, as it has the main database for our parts software on it, and I can't be arsed doing a wipe and setting another PC up to be the database server, then swapping back again when it's done.
    I opened msconfig and it's not a startup option on it, but there is a startup program that has no name, so I disabled that one. Here is the list of running processes, but I can't see anything that looks suspect to me.

    processes.JPG
     
    Certifications: A+ 220-701 and 220-702
    WIP: none at current but poss 70-680 soon
  7. Toasty

    Toasty Byte Poster

    As this computer holds your main database, I assume every other computer connects to it. So you are happy to let every computer connect to a machine that has a potential worm virus?
     
    Certifications: A+, Network+, MCDST, MCSA
    WIP: MCSE, CCNA
  8. Notes_Bloke

    Notes_Bloke Terabyte Poster

    What's the pacific.exe process that's using almost 64MB?

    NB
     
    Certifications: 70-210, 70-215, A+,N+, Security+
    WIP: MCSA
  9. steve_p1981

    steve_p1981 Byte Poster

    That's our parts program. Toasty, I've unplugged the PC from the network for now so that it doesn't get to any other machine and we can still use the parts software.

    I booted into safe mode and removed the worm files. Rebooted and ran Malwarebytes. That came up with one more tucked away that wasn't found before. I cleaned it and rebooted, then ran a registry cleaner, and it appears to have solved it. I'll check again tomorrow morning to see if anything turns up before reconnecting to the network.
     
    Certifications: A+ 220-701 and 220-702
    WIP: none at current but poss 70-680 soon