Virus problems

I am working on a computer that has several issues.
1. When I was finally able to update the Norton A/V definitions and ran a
scan I found 146 viruses. 1 virus (2 files) were not deleted or quarantined.
Norton is calling them Trojan.Vundo. I re-scanned in safe mode and Norton
is still unable to delete the virus. I have attempted manually deleting the
virus, but it is even running in safe mode. This is very new to me. How do
I stop the darn thing from starting in safe mode?

2. I am unable to enable the Windows firewall. I have found a KB article
about this but would like any other information/feedback about this if
available.

3. Norton A/V autoprotect is disabled upon startup, even when I tell it to
start enabled.

I suspect that the last two issues are related to the virus problems and I
most likely can't do anything about them until the virus is gone, which is my
first priority anyway, but I could use some help with them in advance.

Thank you,
Brian
 
bdsmcse said:
I am working on a computer that has several issues.
1. When I was finally able to update the Norton A/V definitions and ran a
scan I found 146 viruses. 1 virus (2 files) were not deleted or quarantined.
Norton is calling them Trojan.Vundo. I re-scanned in safe mode and Norton
is still unable to delete the virus. I have attempted manually deleting the
virus, but it is even running in safe mode. This is very new to me. How do
I stop the darn thing from starting in safe mode?

2. I am unable to enable the Windows firewall. I have found a KB article
about this but would like any other information/feedback about this if
available.

3. Norton A/V autoprotect is disabled upon startup, even when I tell it to
start enabled.

I suspect that the last two issues are related to the virus problems and I
most likely can't do anything about them until the virus is gone, which is my
first priority anyway, but I could use some help with them in advance.

Thank you,
Brian

Hi Brian----

A quick and easy search on Yahoo! shows a removal tool at Symantec. If you
type in the name 'trojan.vundo' in your favorite search engine, I'll bet you
could get all the info you would need in helping to get rid of it. If more
'help' in removing it is needed, I suggest www.aumha.org. See ya-----
 
From: "bdsmcse" <[email protected]>

| I am working on a computer that has several issues.
| 1. When I was finally able to update the Norton A/V definitions and ran a
| scan I found 146 viruses. 1 virus (2 files) were not deleted or quarantined.
| Norton is calling them Trojan.Vundo. I re-scanned in safe mode and Norton
| is still unable to delete the virus. I have attempted manually deleting the
| virus, but it is even running in safe mode. This is very new to me. How do
| I stop the darn thing from starting in safe mode?
|
| 2. I am unable to enable the Windows firewall. I have found a KB article
| about this but would like any other information/feedback about this if
| available.
|
| 3. Norton A/V autoprotect is disabled upon startup, even when I tell it to
| start enabled.
|
| I suspect that the last two issues are related to the virus problems and I
| most likely can't do anything about them until the virus is gone, which is my
| first priority anyway, but I could use some help with them in advance.
|
| Thank you,
| Brian

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Please read the following URL on "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files


1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt486.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Update Ad-aware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC according to --
http://support.microsoft.com/kb/310353
5) Using Trend Sysclean, Stinger and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, and Ad-aware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * Please report your results ! * *
 
On Fri, 11 Mar 2005 18:24:18 -0500, David H. Lipman wrote:

Aside: David, how did you get an x-face into OE? Good trick! ;)
 
From: "Sharon F" <[email protected]>

| On Fri, 11 Mar 2005 18:24:18 -0500, David H. Lipman wrote:
|
| Aside: David, how did you get an x-face into OE? Good trick! ;)
|
| --
| Sharon F
| MS-MVP ~ Windows Shell/User
| In memory of our dear friend, MVP Alex Nichol

Oh, you are a Header Reader... :-)

Here's the scoop. I have been *attacked* for years as a Top Poster. I have always used OE
and OE has certain "quirks" about it that many UseNet posters find anti UseNet standard like
Top Posting (albeit I have read the RFC in question and it suggests Bottom Posting but in no
way mandates Bottom Posting as a UseNet standard).

As many of my peers have switched to Mozilla products (e.g., Thunderbird) some have complained
about my signature. Mozilla products interpret the signature on replying to a post. So
after grinning and bearing many abusive messages, I took a suggestion to try OE-QuoteFix
(OEQF). I tried it and I liked it but found it limiting. I have also wanted to read yEnc
(but not post using yEnc) encoded binary posts. So I heard about another application called
FidoLook.

http://www.fidolook.org/ and news://news.gmane.org/gmane.network.fidolook

And so I tried this OE add-on application. You launch FidoLook which in turn launches OE.
It works symbiotically with OE and enhances it greatly. This includes viewing yEnc binary
attachments "within" OE and views X-Faces. Through the use of Templates for News Reading,
News Posting, News replying, etc., you can modify how the program will read a post and
create or reply to a post. This includes adding the X-Face line item in the Template for
Posting and Replying. Then it was just a matter of using another utility {winface.exe --
http://www.xs4all.nl/~walterln/winface/ } to take a BitMap and convert it to a X-Face binary
string. With FidoLook templates I can add /*anything*/ to my headers when posting.

There is great versatility in FidoLook and with it I plan on continuing with OE and its use
makes OE feel like a whole new product. There are caveats. It is written by those whose
English is a second language so FidoLook screens have an occasional spelling error. The
second is a complete lack of HELP files (HLP or CHM). It is not for a novice; it is for
someone with a little more capabilities but once you overcome the shortcomings FidoLook
becomes a valuable tool.

You know I'm using FidoLook because it adds the following to the headers...
FL-Build: Fidolook 2002 (SL) 6.0.2800.94 - 3/3/2005 11:18:26

BTW: The X-Face that I am using is an interim one. It is not /*NEARLY*/ as nice looking as
yours or others but it is mine... at least for the moment.

HTH Sharon.
 
You know I'm using FidoLook because it adds the following to the headers...
FL-Build: Fidolook 2002 (SL) 6.0.2800.94 - 3/3/2005 11:18:26

BTW: The X-Face that I am using is an interim one. It is not /*NEARLY*/ as nice looking as
yours or others but it is mine... at least for the moment.

HTH Sharon.

Displaying complete headers makes my eyes grow weary. The news program that
I use can be configured to display limited header info. If enabled, can
turn x-face on/off in that info area. I enjoy the pictures when I come
across them so run with it on.

Thanks for taking the time to explain this. Will take a look at FidoLook as
it sounds interesting.
 
Dave,

Sorry for the delay in responding and thanks for the pointer to the
appropriate groups.

I have not been in a position where I could download the Trend Micro stuff
and burn it for transfer to the affected system. What I have done is this:

I had earlier created a bootable CD with Barts PE and included the McAfee
command line virus scanner with the 3/11/05 virus defs. I disabled system
restore. I booted using the CD and ran the virus scanner and had it delete
the infected files. I have deleted one file that I know is a problem while
in the CD OS. When I rebooted the problem is still there, even in safe mode.
I am ready to suggest formatting and re-installing everything. I have
attempted using MSCONFIG to not install anything unnecessary and the problem
is still there.

This problem is VERY FRUSTRATING. I have always been able to get rid of
trojans and viruses in the past by booting in safe mode, deleting the
offending files, and cleaning the registry. This problem seems to be deeper
than anything else that I have ever dealt with before. Is there a "root kit"
or something installed and how do I find and delete it?

Thanks again,
Brian
 
From: "bdsmcse" <[email protected]>

| Dave,
|
| Sorry for the delay in responding and thanks for the pointer to the
| appropriate groups.
|
| I have not been in a position where I could download the Trend Micro stuff
| and burn it for transfer to the affected system. What I have done is this:
|
| I had earlier created a bootable CD with Barts PE and included the McAfee
| command line virus scanner with the 3/11/05 virus defs. I disabled system
| restore. I booted using the CD and ran the virus scanner and had it delete
| the infected files. I have deleted one file that I know is a problem while
| in the CD OS. When I rebooted the problem is still there, even in safe mode.
| I am ready to suggest formatting and re-installing everything. I have
| attempted using MSCONFIG to not install anything unnecessary and the problem
| is still there.
|
| This problem is VERY FRUSTRATING. I have always been able to get rid of
| trojans and viruses in the past by booting in safe mode, deleting the
| offending files, and cleaning the registry. This problem seems to be deeper
| than anything else that I have ever dealt with before. Is there a "root kit"
| or something installed and how do I find and delete it?
|
| Thanks again,
| Brian
|
| "David H. Lipman" wrote:
|

Based upon the sheer number of infectors found and your ability to remove them, it shows you
know about viruses and what to do once you are infected, however you don't practice Safe Hex
to prevent infection in the first place !

After booting a BART PE disk and scanning with McAfee, did you have the McAfee Command Line
Scanner create an ASCII or HTML LOG file ?

What were the switch parameters used in the McAfee Command Line Scan ?
 
Hi again dave,

I finally got rid of it. I updated the anti-spyware solution on the
computer and did another scan and it found an executable with the name in
reverse of the trojan file (i.e. urlanti.exe, itnalru.dat). I re-booted into
Barts PE and deleted the .exe and all of the inverted .dat files. Problem
finally gone. The anti-virus was only finding the .dat and the anti-spyware
was only finding the .exe. The anti-spyware could not do anything about the
.exe, thus the reason for deleting manually while in Barts PE.

I have also discovered that the person whose computer this is recently
had their cable router at work go down so he took the one from home to
work and directly connected this computer to the internet with no firewall.
I have updated his computer to SP2 and will recommend that he get a new
router for home.

Thanks again for your help,
Brian
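
Added example, not part of the original posts: the pairing Brian describes (an executable whose base name is the reverse of a companion data file, such as urlanti.exe and itnalru.dat) can be checked for over a file listing taken from the rescue environment. The directory paths, the extension set, the minimum name length and the same-directory rule are assumptions made for this sketch.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumptions for this sketch: which extensions count as executable,
# and that names shorter than MIN_STEM are too noisy to report.
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr"}
MIN_STEM = 4

def reversed_name_pairs(paths):
    """Return (executable, companion) pairs in the same directory whose
    base names are exact reverses of each other (case-insensitive)."""
    by_key = defaultdict(list)  # (directory, stem) -> files
    for raw in paths:
        p = PureWindowsPath(raw)
        by_key[(str(p.parent).lower(), p.stem.lower())].append(p)

    hits = []
    for (parent, stem), files in by_key.items():
        mirrored = stem[::-1]
        # Palindromes match themselves; short names collide by chance.
        if len(stem) < MIN_STEM or stem == mirrored:
            continue
        companions = by_key.get((parent, mirrored), [])
        for exe in files:
            if exe.suffix.lower() not in EXECUTABLE_EXTS:
                continue
            for other in companions:
                hits.append((str(exe), str(other)))
    return sorted(hits)

# Constructed listing; only the two file names come from the thread.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\urlanti.exe",
    r"C:\WINDOWS\system32\itnalru.dat",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\level.exe",   # palindrome, ignored
    r"C:\WINDOWS\system32\level.dat",
    r"C:\WINDOWS\system32\abc.exe",     # too short, ignored
    r"C:\WINDOWS\system32\cba.dat",
    r"C:\Temp\itnalru.dat",             # other directory, not paired
]

if __name__ == "__main__":
    for exe, companion in reversed_name_pairs(SAMPLE_LISTING):
        print(f"review: {exe} <-> {companion}")
```

A hit is only a lead for manual review: it shows which files to examine together when, as here, one scanner flags only the .dat and another only the .exe.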
 
