Do I Have A Virus?

Rich Knowles

Sunday / 7NOV2004

Do I Have A Virus?

Hi.

Problem:
---------
I have Symantec AntiVirus Corporate Edition - Version 8.00.9374 (scan
engine 4.1.0.15). The file system realtime protection feature has
stopped functioning and will not enable. When I try to enable it, it
immediately flips to disabled. There are no error messages; just
notification that realtime protection is disabled.

Please advise as to what course of action(s) I should take.

Some (or All) Options I am considering:

OPTION 1:
----------
Perform full system virus scan from original installation CD; however,
how would I be able to utilize the most recent virus definition files
downloaded to my PC?

OPTION 2:
----------
Perform full system virus scan from Symantec website.
Not sure this would do much other than just ID a problem; not fix or
quarantine offending files.

OPTION 3:
----------
Uninstall and reinstall Symantec AV Corporate Edition.
Concerned that if I truly do have a virus this option will create a
bigger / more complicated problem.

OPTION 4:
----------
Utilize XP restore point.

Background:
------------
Two weeks ago I had to perform a complete hard drive reformat and OS
and application software install. So my system is fresh and clean.
:)
The only system change that I can think of that might have changed is
a download and install of a piece of software called, "Easy Recorder".
"Easy Recorder" provides ability to capture and record sounds
(www.easyrecorder.com, see blurb below).


Blurb About "Easy Recorder"
----------------------------
Easy Recorder is a small but efficient Windows sound recorder software
that can record any sound generated, or requested, by any other
computer program such as Windows Media Player, Quick Time, WinAmp,
etc. Additionally, it also will record any sounds that come from the
Internet through your sound card, either as audio files or live
streams. Your favorite recorded sounds are saved in wav format, and
then convert them into the space-saving and popular mp3 format.


What to do and in what order would be best?

Thanks for your comments and recommendations.

--Rich K.
 
David H. Lipman

1) Download the following four items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

McAfee Stinger
http://vil.nai.com/vil/stinger/

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt238.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions
3) If the PC is using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using; Stinger, Trend Sysclean and Adaware, perform a Full Scan of the
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart the PC and perform a "final" Full Scan of the platform using;
Stinger, Trend Sysclean and Adaware
7) If the PC is using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot the PC.
9) If the PC is using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *

Dave






Rich Knowles

Mr. Lipman --

Thanks for your helpful post. I have downloaded all the recommended files
and started to disable System Restore when I realized this will delete all
of my restore points. I cancelled out of disabling SR points and went ahead
and did an online Symantec scan that detected nothing.

My question is can I reboot into Safe Mode and run all of your suggested
programs without disabling System Restore?
-- or stated another way --
what is the reason for disabling System Restore except for virus removal
that is 100% certain?

Thanks.

--Rich K.
 
Rich Knowles

Monday / 8NOV2004

SOLUTIONS REPORT
--------------------------

Problem:
----------
RealTime file protection functionality of Symantec AV Corporate Edition -
v8.0 would not stay enabled. Running Windows XP Pro OS.


Steps to Problem Rectification:
-------------------------------
1. Performed online web-based AV scan @ Symantec website -- "Symantec
Security Check". Nothing Found/Detected.
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

2. Downloaded Trend Micro "Sysclean" (w/ pattern file) and McAfee "Stinger".
Trend Sysclean Package --- http://www.trendmicro.com/download/dcs.asp
(Trend Pattern File --- http://www.trendmicro.com/download/pattern.asp)
McAfee Stinger --- http://vil.nai.com/vil/stinger/

Note: Did not run Adaware SE as separate step as I have Adaware SE Plus
already installed and monitoring system in realtime all the time. (Adaware
SE (free personal version v1.05) available @ http://www.lavasoftusa.com/)

3. Because I did not believe I had a virus I did not disable System Restore
(did not want to delete and lose all restore points) prior to restarting PC
and booting into Safe Mode. Executed "Sysclean" and "Stinger". Nothing
Found/Detected.

4. As an extra step I specifically submitted the "Easy Recorder" executable
file to Virus Total; place to have suspicious files scanned by ten(!)
different AV engines. Nothing Found/Detected.
http://www.virustotal.com/flash/index_en.html

5. Next I turned to the Symantec online Knowledgebase to search for answers.
Symantec suggested updating the "SYMEVENT" files which I did. No Change/No
Effect on Problem.
http://service1.symantec.com/SUPPOR...sav_ce&dtype=corp&svy=&prev=&miniver=sav_8_ce

(Selecting Appropriate Symantec Product Knowledgebase ---
http://www.symantec.com/techsupp/enterprise/select_product_kb.html)

6. Final Solution was simply uninstall and reinstall Symantec AntiVirus
Corporate Edition.
Made sure that AV was uninstalled according to Symantec
recommendations/instructions which in this case was simply utilizing the
"Add/Remove Programs" in Control Panel. PROBLEM FIXED (and I didn't even
mess anything up in the process! whew!!)

--Rich K.




Here is what I did to get my problem solved
 
David H. Lipman

Yes you can, but if you clean the infection it may still reside in the System Restore cache
and if you were to restore, you would just get infected again.

Dave
BTW: It's Dave ;-)





BF

Only if you do a restore, right? The virus can't reinstall itself if it
is contained in a restore point and you don't do a restore, can it?
 
David H. Lipman

Right.

But, here's an analogy. If you knew someone had smallpox would you keep their bed linens or
would you get rid of them as a biohazard ? Having infectors resident in the System Restore
cache is the same.

Dave



 
