Another day, another completely undocumented Windows worm. Has any legitimate traffic ever happened on port 445? I doubt it. This week’s culprits are the barely-heard-of wucmdex.exe and the completely-unknown zsxtr.exe.
If your computer starts “acting funny”, McAfee won’t run and so forth, well, here you are. If you can’t even call up the Task Manager, that’s an artefact of the zsxtr.exe infection.
I’ll have more information on this soon, and I’ll put together another document on the fixes for these bastards, but for now I suggest you apply the following procedure, which might as well be called the ANSI Standard Windows Fix: log in to safe mode with a command prompt as administrator, delete the file, hand-scrub the registry, and (P.S.) hope you got everything. In this case, like so:
- Reboot the machine and hit F8 as soon as it POSTs.
- Choose “Safe Mode With Command Prompt”.
- Log in with an admin-privileged account.
- At the command prompt, do this:
    cd c:\windows\system32
    attrib -s -h -r wucmdex.exe
    attrib -s -h -r zsxtr.exe
    del wucmdex.exe
    del zsxtr.exe
- Run regedit, search for both of those filenames and delete any registry entries you find that contain them. On my machine, zsxtr.exe appears under a folder called “Krypton” which I’ve also deleted. There’s an associated file hidden in c:\windows\system32 called sys16.exe, which you should also unhide and remove.
- Reboot, hit F8, choose “safe mode with networking” and do a full Windows Update.
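The same cleanup as a batch script, added here as an example that is not part of the original post: before anything is deleted it reports which of the three files are really present, exports the SOFTWARE hives so a wrong deletion in regedit can be undone with reg import, and lists where the filenames and the “Krypton” key occur in those exports. It is meant to be run from “Safe Mode With Command Prompt” as an administrator; the backup folder C:\regbackup is an assumption.

```batch
@echo off
rem Added example, not from the original post. Assumes an admin command
rem prompt in safe mode; C:\regbackup is an assumed backup location.
setlocal
set SYSDIR=%SystemRoot%\system32
set BACKUP=C:\regbackup
if not exist "%BACKUP%" mkdir "%BACKUP%"

rem 1. Presence check. A plain "dir" skips system/hidden files; /a shows them.
for %%F in (wucmdex.exe zsxtr.exe sys16.exe) do (
    if exist "%SYSDIR%\%%F" (
        echo FOUND:  %%F
        dir /a "%SYSDIR%\%%F" | find /i "%%F"
    ) else (
        echo absent: %%F
    )
)

rem 2. Back up the hives you are about to hand-edit, so a mistaken deletion
rem    in regedit can be reversed with: reg import C:\regbackup\<file>.reg
if exist "%BACKUP%\hklm-software.reg" del "%BACKUP%\hklm-software.reg"
if exist "%BACKUP%\hkcu-software.reg" del "%BACKUP%\hkcu-software.reg"
reg export HKLM\SOFTWARE "%BACKUP%\hklm-software.reg"
reg export HKCU\Software "%BACKUP%\hkcu-software.reg"

rem 3. List every line of the exports (with line numbers) that mentions the
rem    worm's files or its "Krypton" key, so you know what regedit should
rem    turn up. "type" converts the Unicode .reg file so findstr can read it.
for %%R in ("%BACKUP%\hklm-software.reg" "%BACKUP%\hkcu-software.reg") do (
    echo === %%~nxR ===
    type %%R | findstr /n /i /c:"wucmdex.exe" /c:"zsxtr.exe" /c:"sys16.exe" /c:"Krypton"
)

rem 4. Strip the system/hidden/read-only bits, delete, and confirm. A file
rem    that survives is still open by a running process: check you really
rem    booted into safe mode before trying again.
for %%F in (wucmdex.exe zsxtr.exe sys16.exe) do (
    if exist "%SYSDIR%\%%F" (
        attrib -s -h -r "%SYSDIR%\%%F"
        del /f "%SYSDIR%\%%F"
        if exist "%SYSDIR%\%%F" (echo STILL PRESENT: %%F) else (echo deleted: %%F)
    )
)
endlocal
```

The registry search in step 3 only reports the matching lines; open the .reg file at the printed line number to see which key they belong to, and do the actual deletion in regedit as described above.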
I should add here that it’s a good idea as a general practice to turn “System Recovery” off and to have all of these security updates on a burned CD. That last step, the Windows Update part, is just a race against time.
More news as it develops. Again, I’m grateful for any information people want to add to this. Please email me or leave a comment below.
This entry was last updated 1:00 PM EST, July 21/04