lock1.exe?

[Guest]

Recently my friend sent me a link that said something like "how's my new
pic?" After I clicked on it, I asked him about it and he said it was a virus
on his computer and it sent that link to everyone on his AIM buddy list. I
believe I already deleted some of the files associated with it, but when I
restart my computer and log in to my windows session, it keeps asking me if I
want to run lock1.exe. And of course I always click cancel. But how do I get
rid of it?

 

[David H. Lipman]

From: "al" <[email protected]>

| Recently my friend sent me a link that said something like "how's my new
| pic?" After I clicked on it, I asked him about it and he said it was a virus
| on his computer and it sent that link to everyone on his AIM buddy list. I
| believe I already deleted some of the files associated with it, but when I
| restart my computer and log in to my windows session, it keeps asking me if I
| want to run lock1.exe. And of course I always click cancel. But how do I get
| rid of it?


It could be a SDbot Internet worm variant. Please perform the following...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

 

[Shawn E. Hale]

My daughter just got nailed with this and it started sending itself out
automatically to everyone who was online instant messaging her at the time.
We shutdown IM quickly and I followed the steps for manually removing the
traces of it in the registry as detailed on this link below (look under the
'advanced' tab). In addition, in msconfig, I un-checked two entries for
lock1.exe in the startup section. There was also a file called xz.bat in my
root directory that I deleted. Ran a full anti-virus and spyware scan after
and I believe she is clean. Good luck.

http://www.sophos.com/virusinfo/analyses/w32sdbotadq.html