This worm is called W32.spybot.worm (Symantec) or Win32:wmit-c (Avast). It attacked our DNS server on 22 February 2010, changing the hosts file so that it grew to almost 5MB (normally it is only 1KB), so no client could access our file sharing on the server.
Besides changing the hosts file's size, this worm also runs and copies processes on the system, which makes your CPU really busy and the machine really slow.
Symptoms :
- You can find wmiptsd.exe (hidden file), wmiptsn.exe (hidden file), wmiptqxzv0.exe-qxzv8.exe in WINDOWS/system32 or in your registry
- A lot of qxzv.exe processes running on your CPU
- The hosts file grows to 5 MB and is filled with some random data
- You can't boot into safe mode because the worm has corrupted some files of your OS
Cleaning :
- You have to clean the computers one by one, so don't connect to your network at first. But before that, download the Avast AV installer and the update
- Install Avast AV, then update it
- Do a boot-time scan
- After that, check your computer manually. Look in WINDOWS/system32 and the registry: is there any wmiptsd.exe, qxzv.exe or wmiptsn.exe? If they are still there, delete them manually
- Look at your hosts file and correct it manually
- After you're sure your computer is clean, try to start it in safe mode; if you can't, then repair your OS
- Make sure that all of the computers are cleaned before you connect to the network
- Finish...
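
The manual checks in the steps above (looking in WINDOWS/system32 for the listed files and inspecting the hosts file) can be scripted. This is an added example, not part of the original post: the function names, the 64 KB size ceiling and the file-name pattern are assumptions, and the sample data is constructed.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Names from the symptom list; treating the numbered copies as
# "optional wmipt prefix + qxzv + optional digits" is an assumption.
WORM_NAME = re.compile(r"^(wmipts[dn]|(wmipt)?qxzv\d*)\.exe$", re.IGNORECASE)
MAX_HOSTS_BYTES = 64 * 1024  # assumed ceiling; the post's clean file was about 1KB

# Constructed sample: two valid entries, one junk line, one entry with no name.
SAMPLE_HOSTS = (b"# constructed sample\r\n127.0.0.1 localhost\r\n"
                b"192.168.1.10 fileserver # share\r\n"
                b"\xde\xc0\xfe Qz81 \xbb\xbb\r\n10.0.0.5\r\n")

def audit_hosts(data: bytes) -> dict:
    """Flag an oversized hosts file and list line numbers that are not 'IP name' entries."""
    bad_lines = []
    for number, raw in enumerate(data.decode("latin-1").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
            valid = len(fields) >= 2
        except ValueError:
            valid = False
        if not valid:
            bad_lines.append(number)
    return {"oversized": len(data) > MAX_HOSTS_BYTES, "bad_lines": bad_lines}

def find_worm_files(directory) -> list:
    """Return lower-cased names in `directory` that match the worm's file names."""
    return sorted(p.name.lower() for p in Path(directory).iterdir()
                  if p.is_file() and WORM_NAME.match(p.name))

def demo_scan() -> list:
    """Run find_worm_files over a temporary directory of constructed, empty files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("wmiptsd.exe", "WMIPTSN.EXE", "qxzv3.exe", "wmiptqxzv0.exe", "notepad.exe"):
            (Path(tmp) / name).touch()
        return find_worm_files(tmp)

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(demo_scan())
```

On a real machine, pass the bytes of the hosts file to `audit_hosts` and the system32 directory to `find_worm_files`; the registry still has to be checked separately.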