a vb (visual basic) script that if run can do bad things.

i might add for those people who want to find out more about who made the virus if you open the exe file in a hex editor usually theres some kind of signature that they leave to mark where it came from - it is readable in a hex editor. then sometimes they make mistakes like revealing vital information about the site they hosted the virus from. :P

(This post was last modified: 02/07/2007 03:45 PM by Anger.)

Kill Process Tree.

If Task Manager sucks too much, try Process Explorer NT.  You can also try the command taskkill -f -im iexplore.exe

After you kill the process, search for startup entries - these will show you where the virus is stored.  Just delete both things.

the problem me and him had was that the process was restarting after being terminated. the actual parent process had to be killed first, and it was tied to explorer so...well it worked anyway.

That's why you Kill Process Tree.  A process can't do anything after it's been terminated - most apps would start two processes to try and stay alive.  A batch script usually should stop this - if not, edit your startup files.

Actually, it's possible to stop a user killing the process, via API hooking, but if the programmer bothered with API hooking, they may as well make a rootkit instead.

well i don't know the particulars of the virus but i couldnt find which process it was attached to (the parent process that kept running the main program) so the process tree wouldnt work unless i knew which one. i needed to find out which process and it turned out to be explorer itself. and that program i mentioned meant i didnt have to kill explorer to terminate the virus. i was ending process tree with what i thought was the virus but the program was somehow attached to explorer and would just keep running itself every time it was teminated.

Just kill explorer then.  If explorer spawns processes, it would fall under explorer.exe (ie a child process) - thus killing the tree would propagate to all child processes.  Unless the virus injected code into explorer.exe which caused it to spawn process via the SYSTEM account...  Should try Process Explorer NT - helps you identify stuff :P

mhm i ended up either going through all the processes or just downloading a program which finds what the problem is and i chose the easy option. :P
ill try it out next time - hopefully there won't be but you never know.