Shell.exe

miranda

Hello - new to Google Groups so I apologize if this is in the wrong
group.

A couple days ago I had some problems with Mozilla Firefox - every time
I opened up our office's online database it froze and shut down. Then
when I try to restart the program, it says there is already a version
of Firefox running, but there is no trace of it in my Task Manager
(processes or applications). The only way I can get Firefox to run
again is to restart the whole computer.

As I was going through my applications in the Task Manager, I noticed a
program called Shellwrd, and a process called Shell.exe. Have done
some Googling and have found that Shell.exe is the W32.Lovit worm.
Since I started playing around with it, I notice that Shell only comes
up after I have opened Firefox. Have tried a few virus programs to
remove it (Norton, AVG, Trendmicro, Ad-Aware), but none detect it.
Have also tried to manually remove it with instructions from
Trendmicro, by going into the registry and HOST, but unfortunately none
of the registries or host files exist for me to remove or edit.

I've also uninstalled Firefox and reinstalled it, but nothing seems to
work at all.

Could this be something coming from the online database? Or could this
be something coming from our network? Are the infected files hiding
somewhere else?

Any help would be greatly appreciated.
 
David H. Lipman

From: <[email protected]>

| Hello - new to Google Groups so I apologize if this is in the wrong
| group.
|
| A couple days ago I had some problems with Mozilla Firefox - every time
| I opened up our office's online database it froze and shut down. Then
| when I try to restart the program, it says there is already a version
| of Firefox running, but there is no trace of it in my Task Manager
| (processes or applications). The only way I can get Firefox to run
| again is to restart the whole computer.
|
| As I was going through my applications in the Task Manager, I noticed a
| program called Shellwrd, and a process called Shell.exe. Have done
| some Googling and have found that Shell.exe is the W32.Lovit worm.
| Since I started playing around with it, I notice that Shell only comes
| up after I have opened Firefox. Have tried a few virus programs to
| remove it (Norton, AVG, Trendmicro, Ad-Aware), but none detect it.
| Have also tried to manually remove it with instructions from
| Trendmicro, by going into the registry and HOST, but unfortunately none
| of the registries or host files exist for me to remove or edit.
|
| I've also uninstalled Firefox and reinstalled it, but nothing seems to
| work at all.
|
| Could this be something coming from the online database? Or could this
| be something coming from our network? Are the infected files hiding
| somewhere else?
|
| Any help would be greatly appreciated.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
