virus on xp need help

Mack

Hello, I found a file called virscan.ini that talks about
the family of w32 trojan only... it's very detailed. I
seem to be suffering from those effects explained by the
virscan.ini but first is that a normal file????
I did a scan on my puter with systemworks and got 0 virus
but my registry has been modified and some inf files too.
I found some joy files exel exel4 winword winword2 amiprp
presenta quattro powerpnt wordpft and one was in
systemworks ...... in c:\
msdos,autoexec,config.sys.IO,are at 0kb now. I also have 4
zipped folder in different area of document and settings.
All the info on my system is wrong on inf files and
servers dial ups are created on my puter. Can you tell me
if that virscan is an example or if it could be a real
virus file from my puter??? I'll paste the 1st line here
ty :

The Norton AntiVirus Information File
Copyright Symantec Corp. 1993-98
All Rights Reserved

Version #9609
 Q~dý   &ÿw&ÿwsI+áfÄ?Vþ?
Fü<Fü FþuÄ^&ÿw&ÿw¸Ps4áf
!

`````````
õ M$ No additional
information. This virus infects the master boot record
and boot record of floppy disks. Bootup from infected
floppies often causes system hangs Lenart This virus
contains the text, "I am Li Xibin!". Bootup from
infected floppies often causes system hangs This is
dropped by the "Backdoor.Poly" or "Backdoor.SubSeven".
You must delete this file. This is a trojan horse
program and not a virus. This program can be used to
allow unauthorized access to your computer. You must
delete this file. This is a backdoor type trojan
program which can be used to allow unauthorized access to
your computer. This backdoor trojan loads by adding
to the line shell=explorer.exe in the SYSTEM.INI file.
To clean, replace that line and delete the corresponding
file from the C:\WINDOWS directory. This virus does
little but replicate. Note that Boot-437 does not infect
the MBR of the hard drive; it infects only the Boot
Sector. This is a Internet worm that uses .bat files
to search through a range of IP addresses of known ISPs
to find an accessible computer.

ty for help (it also says in the file I get the iamvirus
for opening this file) ty I will develop from here if
more info needed..........
 
Carey Frisch [MVP]

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

Visit the virus removal experts for help in this newsgroup:
news://msnews.microsoft.com/microsoft.public.security.virus

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
Lanwench [MVP - Exchange]

What version of Norton are you running? The mention of an .ini file and the
copyright date makes me a little nervous you're using very old stuff. You
may need to upgrade. Do you keep it updated with live update?

Re server dialups created on your computer - do you mean porn dialers like
lop.com ? Try AdAware or Spybot Search&Destroy to get rid of them.
 
cquirke (MVP Win9x)

> Hello, I found a file called virscan.ini that talks about
> the family of w32 trojan only... it's very detailed

Where was this file? .ini files are usually settings, so this may be
part of a malware (a non-infectious part left behind after av
scanning?) or part of an a(nti)v(irus utility).

> seem to be suffering from those effects explained by the
> virscan.ini but first is that a normal file????

Additional info would help here:
- what virus name?
- what effects?

> I did a scan on my puter with systemworks and got 0 virus

That's Windows-based. That the scan worked at all points away from
certain malware, but even so, a smart malware is in a position to
evade detection if it runs before the av.

See http://users.iafrica.com/c/cq/cquirke/virtest.htm , noting that
NTFS may get in the way of this formal approach.

> but my registry has been modified and some inf files too

When an av cleans malware, it does not always "mend fences". In some
cases, this can leave the system inoperable, when the registry is left
to reference files deleted by the cleaning process. This is why it's
important to read up any *active* malware you have cleaned.

> I found some joy files exel exel4 winword winword2 amiprp
> presenta quattro powerpnt wordpft and one was in
> systemworks ...... in c:\
> msdos,autoexec,config.sys.IO,are at 0kb now. I also have 4
> zipped folder in different area of document and settings.
> All the info on my system is wrong on inf files

Sorry, I'm lost by now. Short sentences and paragraphs please!

What are you looking at, a log file that lists those files? On .inf
files; these are used to mediate installations, so they can be
malware-relevant, but they are generally not used in an ongoing way as
.ini files are. Once processed to install whatever, they are
thenceforth ignored, unless they are positioned so that they are
processed on every startup (thus repeating the install).

> The Norton AntiVirus Information File
> Copyright Symantec Corp. 1993-98
> All Rights Reserved
> information. This virus infects the master boot record
> and boot record of floppy disks. Bootup from infected
> floppies often causes system hangs Lenart This virus
> contains the text, "I am Li Xibin!". Bootup from
> infected floppies often causes system hangs This is
> dropped by the "Backdoor.Poly" or "Backdoor.SubSeven".
> You must delete this file. This is a trojan horse
> program and not a virus. This program can be used to
> allow unauthorized access to your computer. You must
> delete this file. This is a backdoor type trojan
> program which can be used to allow unauthorized access to
> your computer. This backdoor trojan loads by adding
> to the line shell=explorer.exe in the SYSTEM.INI file.
> To clean, replace that line and delete the corresponding
> file from the C:\WINDOWS directory. This virus does
> little but replicate. Note that Boot-437 does not infect
> the MBR of the hard drive; it infects only the Boot
> Sector. This is a Internet worm that uses .bat files
> to search through a range of IP addresses of known ISPs
> to find an accessible computer.

Those strings don't really flow as if they refer to the same entity.
Perhaps you are looking at the string table from within code? If so,
you aren't looking at a report; just all the things the program could
say depending on what it found.

You really do need to do a formal virus scan.


---------- ----- ---- --- -- - - - -
Consumer Asks: "What are you?"
Market Research: ' What would you like us to be? '
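
The point made in the reply above, that the pasted text reads like a program's table of messages rather than a report about one infection, shown as an added example that is not part of the original thread. The sample bytes and their layout are constructed for illustration and are not the real format of any antivirus data file; only the message texts are taken from the post.

```python
import re

# Constructed sample: a stand-in for a binary data file holding a table of
# message strings separated by non-text bytes. Byte values and layout are
# invented for this example; the message texts come from the post.
SAMPLE = (
    b"The Norton AntiVirus Information File\x00\x01\x96\x09"
    b"\xf5\x4d\x24\x00No additional information.\x00\x02\xff"
    b"This virus infects the master boot record and boot record of floppy disks.\x00\x03\xfe"
    b"This is a trojan horse program and not a virus.\x00\x04\xc4"
    b"This virus does little but replicate.\x00"
)


def extract_strings(data, min_len=8):
    """Return (offset, text) for every run of printable ASCII >= min_len bytes.

    Each run is one record of the table; the offsets show that the messages
    are separate entries, not consecutive sentences of one description.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def flatten_like_paste(data):
    """Mimic copying the file out of a text editor.

    Non-text bytes are dropped and whatever is left runs together, which is
    how unrelated messages end up reading like one confusing paragraph.
    """
    kept = re.sub(rb"[^\x20-\x7e]+", b" ", data)
    return re.sub(rb" {2,}", b" ", kept).decode("ascii").strip()


if __name__ == "__main__":
    print("As pasted:\n ", flatten_like_paste(SAMPLE), "\n")
    print("As separate table entries:")
    for offset, text in extract_strings(SAMPLE):
        print(f"  0x{offset:04x}  {text}")
```
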
 
