"w32/ovide.A" virus

Guest

Hi, wondering if anyone can help. I run Windows XP and just installed Verizon
Security Suite on my computer. It found and removed viruses, spyware etc., but
there is one it says it cannot:
"w32/ovide.A" virus
It says it's in c:/windows/system32/taskdir.dll

How can I remove the virus when the taskdir.dll icon cannot be deleted
because "file is either full or protected"?

Any help will be greatly appreciated.
 
Larry Samuels

Since this virus uses rootkit technology, I would recommend a wipe/reload of
the system. If the system has been rooted it cannot be trusted, because you
can never be sure that it is completely clean.

--
Larry Samuels Associate Expert
MS-MVP (2001-2005)
Unofficial FAQ for Windows Server 2003 at
http://pelos.us/SERVER.htm
Expert Zone-
 
David H. Lipman

From: "dnj" <[email protected]>

| Hi, wondering if anyone can help. I run Windows XP and just installed Verizon
| Security Suite on my computer. It found and removed viruses, spyware etc., but
| there is one it says it cannot:
| "w32/ovide.A" virus
| It says it's in c:/windows/system32/taskdir.dll
|
| How can I remove the virus when the taskdir.dll icon cannot be deleted
| because "file is either full or protected"?
|
| Any help will be greatly appreciated.

There are anti-virus newsgroups specifically for this type of discussion:

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

At this time a wipe/re-install of the OS is NOT suggested.

First download the needed files for the various AV scanners, then scan your system in Normal
and Safe Mode. If it is STILL remaining, load the included PDF help file to learn how to
create a DOS boot disk using NTFS4DOS, and then scan the system after booting from DOS.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall, or allow WGET.EXE through your
firewall, so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Larry Samuels

Hi David,

Do you trust a computer that has been rooted? Can you be *absolutely* sure
you haven't missed something or that permissions haven't been changed?

I have a great deal of respect for you and your work--I am just surprised
that someone with your knowledge of security issues doesn't recommend
flattening a rooted system.

--
Larry Samuels Associate Expert
MS-MVP (2001-2005)
Unofficial FAQ for Windows Server 2003 at
http://pelos.us/SERVER.htm
Expert Zone-
 
David H. Lipman

From: "Larry Samuels" <[email protected]>

| Hi David,
|
| Do you trust a computer that has been rooted? Can you be *absolutely* sure
| you haven't missed something or that permissions haven't been changed?
|
| I have a great deal of respect for you and your work--I am just surprised
| that someone with your knowledge of security issues doesn't recommend
| flattening a rooted system.
|

Just because malware *may* use RootKit technology does NOT mean that one must restart from
the POV of scratch. I'm not sure that this Proxy Trojan even uses RootKit technology. It
doesn't create NR Services, it doesn't inject in the Winlogon Notify, doesn't chain off
Userinit and Explorer, etc. Seems to me to be a simple Registry Run loaded Proxy Trojan.

Now I must ask: what write-up are you looking at, and what specific information on
"w32/ovide.A" makes YOU come to that conclusion?

Troj/HideDl-A -- http://www.sophos.com/virusinfo/analyses/trojhidedla.html
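The triage David describes above (Registry Run entries, Winlogon Notify packages, chaining off Userinit or the Explorer shell, services) can be checked against a regedit text export of the affected machine rather than by hand. The following is an added example and is not code from this thread, from Multi_AV or from any AV vendor: it parses a constructed .reg export and reports which of those persistence locations reference the file in question. Only the file name taskdir.dll comes from the thread; the sample registry values, the assumed Windows XP Winlogon\Notify baseline set and the function names are illustrative assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "regedit /e" text export. Every value below is invented
# for illustration; nothing here was taken from the machine discussed in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VerizonSecuritySuite"="\"C:\\Program Files\\Verizon\\vss.exe\" /startup"
"taskdir"="rundll32.exe C:\\WINDOWS\\system32\\taskdir.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"=hex(2):25,00,53,00
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Winlogon\Notify subkeys assumed present on a default Windows XP install (assumption,
# lower-cased for comparison). Anything outside this set is reported for review.
XP_NOTIFY_BASELINE = {"crypt32chk", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# A .reg value line: either @=... (default value) or "name"=...; strings escape \ and ".
_VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its REG_SZ values. hex(...)/dword: values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        rhs = m.group(3)
        if len(rhs) < 2 or rhs[0] != '"' or rhs[-1] != '"':
            continue  # not a quoted string (hex(2):, dword:, ...)
        name = "@" if m.group(1) else _unescape(m.group(2))
        keys[current][name] = _unescape(rhs[1:-1])
    return keys


def _get(values: Dict[str, str], name: str) -> str:
    """Case-insensitive value lookup (registry value names are not case-sensitive)."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return ""


def audit(reg_text: str, suspect: str = "taskdir.dll") -> List[Tuple[str, str, str]]:
    """Return (kind, location, data) findings for the persistence points named in the post."""
    needle = suspect.lower()
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(reg_text).items():
        kl = key.lower()
        if re.search(r"\\currentversion\\run(once)?$", kl):
            # 1. Plain Run/RunOnce autostart referencing the suspect file.
            for name, val in values.items():
                if needle in val.lower():
                    findings.append(("run-key", f"{key}\\{name}", val))
        elif kl == WINLOGON.lower():
            # 2. Userinit should be exactly one entry ending in \userinit.exe; Shell should
            #    be Explorer.exe. Anything extra is something chained off logon/Explorer.
            userinit = _get(values, "Userinit")
            parts = [p.strip() for p in userinit.split(",") if p.strip()]
            if userinit and (len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe")):
                findings.append(("userinit-chain", f"{key}\\Userinit", userinit))
            shell = _get(values, "Shell")
            if shell and shell.strip().lower() != "explorer.exe":
                findings.append(("shell-chain", f"{key}\\Shell", shell))
        elif kl.startswith(WINLOGON.lower() + "\\notify\\"):
            # 3. Winlogon Notify packages outside the assumed XP baseline.
            if kl.rsplit("\\", 1)[1] not in XP_NOTIFY_BASELINE:
                findings.append(("winlogon-notify", key, _get(values, "DLLName")))
        elif re.search(r"\\currentcontrolset\\services\\[^\\]+(\\parameters)?$", kl):
            # 4. Services (or svchost Parameters) whose binary is the suspect file.
            for name in ("ImagePath", "ServiceDll"):
                val = _get(values, name)
                if needle in val.lower():
                    findings.append(("service", f"{key}\\{name}", val))
    return findings


if __name__ == "__main__":
    for kind, where, data in audit(SAMPLE_REG):
        print(f"{kind:16} {where}\n{'':16} -> {data}")
```

On the constructed sample the only hit is the Run entry, which matches the thread's description of a Run-loaded trojan with no Winlogon Notify or Userinit involvement; a chained Userinit value or an unknown Notify subkey would each produce an additional finding. The export is read as text, so it can be produced on the affected machine and examined elsewhere.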
 
Larry Samuels

Hi David,

Thanks. I think something got lost or overstated in the translation.
Just call me paranoid when it comes to rootkits--I've got too many corporate
clients with sensitive data to risk cleaning a machine that is no longer
trusted.

I normally don't recommend home users flattening a machine unless there is
evidence of it being rooted, but that bold warning pushed my alarm button <G>


--
Larry Samuels Associate Expert
MS-MVP (2001-2005)
Unofficial FAQ for Windows Server 2003 at
http://pelos.us/SERVER.htm
Expert Zone-
 
David H. Lipman

From: "Larry Samuels" <[email protected]>

| Hi David,
|
| Thanks. I think something got lost or overstated in the translation.
| Just call me paranoid when it comes to rootkits--I've got too many corporate
| clients with sensitive data to risk cleaning a machine that is no longer
| trusted.
|
| I normally don't recommend home users flattening a machine unless there is
| evidence of it being rooted, but that bold warning pushed my alarm button <G>
|

While I didn't recognize the "W32/Ovide.A" name (and I am curious what AV declared this
name) I am familiar with "taskdir.dll". In fact I recently distributed a sample to the AV
vendors (including Microsoft { sigh }).

I searched the Sophos library and soon found it. Sophos is good at showing modifications
made to the OS.
 