Just an update to help others being attacked. Our company network is currently being hammered by a virus that Norton doesn't seem to be able to kill. It detects some of it but under status it says "Leave Alone." Other parts it skips right over.
I found a program called Pocket Killbox.exe
http://download.broadbandmedic.com/Killbox.exewhich will stop the evil processes and can even remove them. Then I run HijackThis and get it out of the registry that way.
The virus is using port 445. Our IT folk have not been keeping up with the MS patches which is understandable I guess since we were in Chapter 11 and are now being merged with our rivals and they have been laying off people right and left.
The worm creates a hidden system folder called !Submit and drops two files called bling.exe and load.exe in the folder. Seems to mutate as you kill it. Kill off bling.exe and a little later you have msconfig32.exe and a little while after that you have winssv.exe which is followed by winfirewall.exe. You also get several files with misspellings of load or loud and also an un1oad with a 1 (one) instead of an L). By using Killbox on the System Process menu you can usually kill all of the critters off but you have to be fast. (The killbox instructions just say to type in the full path but it works better if you use the dropdown menu which says System Process then select the bad file and press the Yellow triangle. That just stops the process (which Task Manager and Process Explorer can't do) and you still have to delete. Sometimes you have to use Killbox to delete the files. There is a small Open Folder icon which you can click on and then drill down to C:\winnt\system32. Once you select the file you can press the Red button to kill it.
Then HijackThis will let you kill off the registry entries that start the mess. (The processes claim to be Microsoft Updates but don't believe them.) You have to kill the running processes off first or they put the registry entries right back after HijackThis finishes.
Before reconnecting to the network you have to install ZoneAlarm or it won't stay uninfected long enough to get any updates from MS. ZoneAlarm is really usueful in another way since its alerts tell you which PCs are infected.
Got to run. Have another 20 PCs to clean.
Ron
