Netsky removed, but PIFs keep being generated

Delores

Having problems with NETSKY on a Windows 98SE system with Norton Anti
Virus 2000 and current virus definitions.

The owner got the NETSKY worm (variation D, I believe).

I removed it using the Removal Tool offered by Symantec.

I carefully read the info on the virus at Symantec's site and checked
the system's registry for any problems or items that should not be
there. I found no problems.

The computer owner reports that each day, upon starting the computer,
Norton AV finds and quarantines about 3 - 8 PIF type files.

I have rescanned the system with AV and rechecked the registry and
found no problems. I also looked for WINLOGON.EXE and found no such
file.

I'm guessing that some part of the worm (the part that makes the PIF
files) remains on this system, even though it looks like the rest of
the worm has been successfully removed.


I would appreciate any suggestions, theories or comments anyone has as
to how to resolve this problem.

Thanks in advance for any help you can offer,

Delores
 
Heather

Hi Delores......FWIW, I am receiving at least 10-15 Netsky viruses/day and I
have never been infected with it.......it is just rampant the past week or
two.....I am sure that is all that it is.

Cheers......Heather
 
FromTheRafters

Delores said:

> Having problems with NETSKY on a Windows 98SE system with Norton Anti
> Virus 2000 and current virus definitions.

There are arguably no such things as "current virus definitions".
Especially when it concerns NetSky. ;o)

> The owner got the NETSKY worm (variation D, I believe).
>
> I removed it using the Removal Tool offered by Symantec.
>
> I carefully read the info on the virus at Symantec's site and checked
> the system's registry for any problems or items that should not be
> there. I found no problems.

That sounds like a thorough job. I haven't looked yet, but are
there any applicable patches to be concerned with here?

> The computer owner reports that each day, upon starting the computer,
> Norton AV finds and quarantines about 3 - 8 PIF type files.

Where are they being found? Is this an e-mail attachment detection?
It could be that you are involved in a social cluster of activity just now.

> I have rescanned the system with AV and rechecked the registry and
> found no problems. I also looked for WINLOGON.EXE and found no such
> file.

The machine is probably not infested, but attempts to enter are
being thwarted because of the AV scanning e-mail or other
vectors (NetSky is up to perhaps 20 variants now, and some
are pretty tricky).

> I'm guessing that some part of the worm (the part that makes the PIF
> files) remains on this system, even though it looks like the rest of
> the worm has been successfully removed.

I don't think that this is likely, but I'm not an expert. It seems
more likely that those piffiles are coming from without.

> I would appreciate any suggestions, theories or comments anyone has as
> to how to resolve this problem.

Norton, in addition to finding and quarantining those piffiles, also
should log that activity. The log file could tell you where the piffiles
were found, and that could lead to a better understanding of what
is happening.
 
Delores

> Hi Delores......FWIW, I am receiving at least 10-15 Netsky viruses/day and I
> have never been infected with it.......it is just rampant the past week or
> two.....I am sure that is all that it is.
>
> Cheers......Heather

Hello Heather - thank you for your reply and suggestion.

You are absolutely correct.

After having removed the initial worm from this lady's machine, I
left the area and have been trying to help her via phone and E-mail.
She is not too computer savvy and it took a while to get her to tell me
EXACTLY what info Norton was providing.

Turns out, Norton was set to scan incoming mail and was intercepting
the PIFs of the various worm E-mails that are going around.

The lady was telling me that Norton was reporting the computer to be
infected by the worms when Norton was ACTUALLY telling her the files
it found CONTAINED the worms!

Norton did its job and quarantined the files, as it could not
disinfect them.

Each morning, Norton gave a report of new infected files found.

All she has to do is empty the quarantine and her system is just fine.

Delores.
 
Delores

SNIP

> The machine is probably not infested, but attempts to enter are
> being thwarted because of the AV scanning e-mail or other
> vectors (NetSky is up to perhaps 20 variants now, and some
> are pretty tricky).

SNIP

> I don't think that this is likely, but I'm not an expert. It seems
> more likely that those piffiles are coming from without.
>
> Norton, in addition to finding and quarantining those piffiles, also
> should log that activity. The log file could tell you where the piffiles
> were found, and that could lead to a better understanding of what
> is happening.

Thank you for your reply.

After removing the initial worm, which was launched in the lady's
system, I left her area. I've been trying to help her by phone and
E-mail.

Turns out, she has no more infections of the worm, Norton is just
catching PIFs attached to junk E-mails.

All the lady has to do is delete the quarantined files and her system
is fine.

Delores
 
