Comment

Saturday Night Music: Miles Davis at the Isle of Wight, Intro by Keith Jarrett

612
Gus 8/22/2009 11:32:55 pm PDT

re: #607 realwest

NO sweat DD - task manager found three programs running including LGF, Norton and that stupid Virus thing so I clicked the virus thing and hit cancel.
It appears to be gone!

It’ll just start up again on reboot. You have to clean it all out.

It includes doing this:

symantec.com

The Symantec tech details show that it creates this:

Installation
When the program is executed, it creates the following files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Doctor.lnk
%UserProfile%\Application Data\Virus Doctor\settings.ini
%UserProfile%\Application Data\Virus Doctor\uill.ini
%UserProfile%\Desktop\Virus Doctor.lnk
%UserProfile%\Desktop\VirusDoctor.exe
%UserProfile%\Start Menu\Programs\Virus Doctor.lnk
%UserProfile%\Start Menu\Virus Doctor.lnk
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\Languages\VDDe.lng
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\Languages\VDFr.lng
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\Languages\VDIt.lng
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\System Data Configuration\DBInfo.ver
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\System Data Configuration\vd[RANDOM CHARACTERS].bd
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\unins000.dat
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\unins000.exe
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\VDo[RANDOM CHARACTERS].exe
C:\Documents and Settings\All Users\Application Data\System Data Configuration\config.cfg
C:\Documents and Settings\All Users\Application Data\System Data Configuration\DB.ini


It also creates the following folders:
%UserProfile%\Application Data\Virus Doctor
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\Languages
C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\System Data Configuration
C:\Documents and Settings\All Users\Application Data\System Data Configuration


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Doctor" = "C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\VDo[RANDOM CHARACTERS].exe" /s /d""

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virus Doctor_is1
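
An added example (not part of the comment or of the Symantec write-up): a triage script that turns the path templates above, including the `[RANDOM CHARACTERS]` parts, into patterns and checks a saved file listing and exported Run-key values for leftovers. It assumes the Windows XP profile layout the paths use, a listing with one full path per line, and sample data that is constructed.

```python
import re

RANDOM, PROFILE = "[RANDOM CHARACTERS]", "%UserProfile%"
TOKEN = re.compile("(" + re.escape(RANDOM) + "|" + re.escape(PROFILE) + ")")
RUN_VALUE_NAME = "Virus Doctor"  # Run-key value name given in the write-up
# Templates copied from the write-up quoted above (a subset; add the rest the same way).
VDO_EXE = r"C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\VDo[RANDOM CHARACTERS].exe"
FILE_TEMPLATES = [
    r"%UserProfile%\Desktop\VirusDoctor.exe",
    r"C:\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]\System Data Configuration\vd[RANDOM CHARACTERS].bd",
    r"C:\Documents and Settings\All Users\Application Data\System Data Configuration\config.cfg",
    VDO_EXE,
]

def template_to_regex(template, anchored=True):
    """Compile a write-up path template into a case-insensitive regex."""
    parts = []
    for piece in TOKEN.split(template):
        if piece == RANDOM:
            parts.append(r"[^\\]+")  # random part never crosses a path separator
        elif piece == PROFILE:  # assumption: XP layout, any drive, any user name
            parts.append(r"[A-Za-z]:\\Documents and Settings\\[^\\]+")
        else:
            parts.append(re.escape(piece))
    body = "".join(parts)
    return re.compile(("^" + body + "$") if anchored else body, re.IGNORECASE)

def match_files(listing):
    """Return (path, template) pairs for listing lines that fit a template."""
    compiled = [(template_to_regex(t), t) for t in FILE_TEMPLATES]
    paths = [line.strip() for line in listing.splitlines() if line.strip()]
    return [(p, t) for p in paths for rx, t in compiled if rx.match(p)]

def match_run_values(run_values):
    """Return names of Run-key values that fit the write-up's autostart entry."""
    rx = template_to_regex(VDO_EXE, anchored=False)
    return [name for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower() or rx.search(cmd)]

# Constructed sample input: a saved file listing and exported HKCU Run values.
SAMPLE_LISTING = r"""
C:\Documents and Settings\user1\Desktop\VirusDoctor.exe
C:\Documents and Settings\All Users\Application Data\a1b2c3\VDox9y8.exe
C:\Documents and Settings\All Users\Application Data\a1b2c3\System Data Configuration\vdq7.bd
C:\Documents and Settings\All Users\Application Data\Adobe\Reader\VDocs.txt
"""
SAMPLE_RUN = {
    "Virus Doctor": r'"C:\Documents and Settings\All Users\Application Data\a1b2c3\VDox9y8.exe" /s /d',
    "Updater": r'"C:\Program Files\Norton\Norton.exe" /tray',
}
```

Anything `match_run_values` returns is an autostart entry that would bring the program back on reboot, which is why ending the process in Task Manager is not enough.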