Help removing virus/Microsoft Security Bulletin MS03-026

Robert Blackwell

I have AVG and it keeps detecting this virus
http://www.grisoft.com/doc/virbase/lng/us/tpl/tpl01?nam=Win32/Gaelicum

I'm having the hardest time removing it because every time AVG alerts me that
it detects it, I delete the file that is infected.... which is always an
exe. Additionally, the "fix" doesn't work because I have service packs
installed (seems ridiculous to me)
(here's a link to the fix)
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

I save files to my desktop now and then and that's usually when I first get
the notice. I ALWAYS delete the files it says are infected and after doing
so have scanned my computer MANY times without it finding this virus and
I've even run the vcleaner utility in safe mode without it finding
anything.... Problem is, is that even though I do all this stuff, it keeps
coming back from time to time (probably a few weeks or something) I wonder
how much of a coincidence that it comes up again after recently (2 days ago)
setting my computer on dmz... could I get this virus from someone sending it
to me without me actually downloading it???

Another frustrating thing is that when I do get the alerts from AVG, if I
click Heal or delete or move to vault, I get this error
Requested action is not available for this object. Access to the file has
been denied. OK

The only way to get rid of the error is just to hit continue... and then it
keeps alerting for every file I have on my desktop sometimes it keeps
cycling through until I've "continued" for the same file twice.

KB823980 Setup Error
(X) Setup has detected that the Service Pack version of the system installed
is newer than the update you are applying to it.

You can only install this update on a computer with no Service Packs
installed.
[OK]

I'm doing everything I can to get rid of this damn thing but that's not very
much considering the stupid solution doesn't even work for me.

Desperate for help, thanks in advance.
 
David H. Lipman

From: "Robert Blackwell" <robatNOSPAMwowcentral.com>

| I have AVG and it keeps detecting this virus
| http://www.grisoft.com/doc/virbase/lng/us/tpl/tpl01?nam=Win32/Gaelicum
|
| I'm having the hardest time removing it because every time AVG alerts me that
| it detects it, I delete the file that is infected.... which is always an
| exe. Additionally, the "fix" doesn't work because I have service packs
| installed (seems ridiculous to me)
| (here's a link to the fix)
| http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
|

< snip >

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

The W32/Gael (aka, Licum, Tenga and Gaelicum) is a "true" virus in the traditional sense in
that it will infect other EXE files and append itself to the EXE file. That's its payload
and that's one way it spreads. Another is NetBIOS shares TCP port 139.

One way to protect oneself is to use a Cable/DSL Router and specifically block both TCP and
UDP ports 135 ~ 139 and 445. This will greatly mitigate Internet worms from the SDBot to
Blaster to Sasser to the Gael.

W32/Gael.worm.a -- http://vil.nai.com/vil/content/v_134857.htm
w32.Licum -- http://securityresponse.symantec.com/avcenter/venc/data/w32.licum.html

Download the following tool. Install it then download the needed files for the; McAfee,
Sophos and Kaspersky modules but don't perform a scan yet.

Reboot the PC and then use at least the McAfee module and scan in Safe Mode.

I also suggest reading the included PDF Help File about creating a DOS Boot Disk or a DOS
Boot Disk with NTFS4DOS (if you use NTFS). Then boot the PC using the DOS Boot Disk and
scan the computer using one of the provided DOS batch files.

C:\AV-CLS\DOSCLEAN.BAT <-- McAfee
C:\AV-CLS\KAVCLEAN.BAT <-- Kaspersky
C:\AV-CLS\SOFCLEAN.BAT <-- Sophos

I also *strongly* advise you to scan any read/write removable media that may have EXE files
on it such as; ZIP disks, USB Flash Drives, Memory cards, USB hard disks, etc. If you
don't, you risk re-infection.

The below tool has the capability to scan a specified location.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Frank Saunders, MS-MVP OE

Robert Blackwell said:
I have AVG and it keeps detecting this virus
http://www.grisoft.com/doc/virbase/lng/us/tpl/tpl01?nam=Win32/Gaelicum

I'm having the hardest time removing it because every time AVG alerts
me that it detects it, I delete the file that is infected.... which
is always an exe. Additionally, the "fix" doesn't work because I have
service packs installed (seems ridiculous to me)
(here's a link to the fix)
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

I save files to my desktop now and then and that's usually when I
first get the notice. I ALWAYS delete the files it says are infected
and after doing so have scanned my computer MANY times without it
finding this virus and I've even run the vcleaner utility in safe
mode without it finding anything.... Problem is, is that even though
I do all this stuff, it keeps coming back from time to time (probably
a few weeks or something) I wonder how much of a coincidence that it
comes up again after recently (2 days ago) setting my computer on
dmz... could I get this virus from someone sending it to me without
me actually downloading it???

Another frustrating thing is that when I do get the alerts from AVG,
if I click Heal or delete or move to vault, I get this error
Requested action is not available for this object. Access to the file
has been denied. OK

The only way to get rid of the error is just to hit continue... and
then it keeps alerting for every file I have on my desktop sometimes
it keeps cycling through until I've "continued" for the same file
twice.

KB823980 Setup Error
(X) Setup has detected that the Service Pack version of the system
installed is newer than the update you are applying to it.

You can only install this update on a computer with no Service Packs
installed.
[OK]

I'm doing everything I can to get rid of this damn thing but that's
not very much considering the stupid solution doesn't even work for
me.

Desperate for help, thanks in advance.

Have you tried running AVG in Safe Mode?

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/
 
Glen

Putting your computer in the DMZ bypasses the firewall, opening you up to
all kinds of nasties from the internet.
 
Robert Blackwell

Thanks David I'll get right on that stuff. Frank, yes, I mentioned that I
scanned in safe mode.
 
