Unknown Virus



CT04
07-09-2005, 11:49 PM
My mate David - Dell Laptop running Windows XP Home SP2 - has been infected
by a virus that I am unable to identify. The virus came in a Zip file and
the message related to a subject about 'Passwords'. David thought he had
removed the virus file when he deleted the message and Zip file. How wrong
he was! He was running Norton Anti-virus 2003 but HAD NOT run Live Update for
a while - hence his virus problem. To add insult to injury, he was having
problems getting things to work and uninstalled Norton AV. Because of the way
this virus works, I can't get Norton's AV 2003, or the more recent 2005
version which he bought, to load. I talked him through running the scan from
Symantec's security site but it didn't appear to come up with anything. As I
am trying to help him over the phone, it is difficult to identify whether the
virus prevented the Symantec check from running properly. I guess it had.

What I really need advice on is: How can I identify the virus? When I know
what virus it is, how do I get rid of it? How can I get his Norton 2005 to
load? This damn virus won't let you run any of the tools in normal mode -
MSCONFIG or REGEDIT for example. Frankly I have reached the level of my
incompetence and hope somebody out there can help me help him.
Thanks.

David H. Lipman
07-09-2005, 11:49 PM

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla Firefox Cache { if you use Firefox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE and/or FTP.EXE to go
through your firewall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Catamount
07-09-2005, 11:49 PM
You know..I was gonna post...but I knew David was going to
help...and...well..David is just the right man to help..David...I will
shut up now...:)

What's in a Name?
07-09-2005, 11:49 PM
Me too, I googled the info and came up with a number of possibilities.
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.

CT04
07-09-2005, 11:49 PM
Dave

Thanks for the advice. Carried out the instructions and identified he had
W32.MYTOB.GEN@MM. We initially had problems getting McAfee, Sophos or Trend
to download anything. Both Sophos and Trend came up with the message "Bad
File Descriptor" - whatever that all means? Each time we selected the
appropriate option number, a directory was created but nothing else happened.
Eventually we were able to get the McAfee one to download and ran it. Ought
we to have downloaded from each of the vendors' sites or would just the one
suffice? What I wasn't clear about is what to do once the scan was completed
and the virus reported to have been removed. We have since been able to load
his new Norton Internet Security 2005 but can't get the damn LiveUpdate to
run. It tells us that there are lines in the Hosts file which are causing the
problem. I checked the Hosts file and there is only one entry - 127.0.0.1
localhost, yet the Norton report explaining why LiveUpdate won't run contains
a list of entries. Right now I am banjaxed as to how to resolve this. I
got him to download the Symantec Mytob fix tool and run it in the hope it may
repair or clean up any legacy problems left over from the virus. Meanwhile,
thanks for your help.

CT

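CT's observation above (the editor shows only the localhost line, yet Norton reports a list of Hosts-file entries blocking LiveUpdate) is exactly the kind of thing worth checking with a script rather than by eye. The following is an added example written for this thread, not code from the thread, from Multi_AV or from Symantec. It parses a hosts file, flags any line that overrides a security-vendor or update domain (the domain watch-list is my assumption; the thread only names Symantec/LiveUpdate, McAfee, Sophos and Trend), reports the longest run of blank lines (padding that pushes entries below the visible window in Notepad is an assumed hiding tactic, not something the thread confirms), and produces a cleaned copy. It also resolves the path Windows actually reads via the real `DataBasePath` registry value instead of assuming the default. The sample hosts content is constructed.

```python
import os
import sys
from typing import List, NamedTuple, Tuple

# Domains whose override in the hosts file breaks AV/OS updates. This watch-list is
# an assumption; the thread itself only mentions Symantec/LiveUpdate, McAfee,
# Sophos and Trend.
WATCHED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com",
    "mcafee.com", "nai.com",
    "sophos.com",
    "trendmicro.com",
    "microsoft.com", "windowsupdate.com",
)


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line number, address, hostnames), ignoring comments."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append(HostsEntry(no, fields[0], tuple(h.lower() for h in fields[1:])))
    return entries


def is_watched(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked(text: str) -> List[HostsEntry]:
    """Entries that override a watched domain, wherever they point: loopback, 0.0.0.0
    or a third-party address all count, since any override of an update host is suspect."""
    return [e for e in parse_hosts(text) if any(is_watched(h) for h in e.hostnames)]


def longest_blank_run(text: str) -> int:
    """Longest run of consecutive blank lines. A large value means the real entries sit
    far below the visible window when the file is opened in Notepad (assumed tactic)."""
    longest = run = 0
    for raw in text.splitlines():
        run = 0 if raw.strip() else run + 1
        longest = max(longest, run)
    return longest


def clean_hosts(text: str) -> str:
    """Return the hosts text with hijacking lines removed and blank-line padding collapsed."""
    bad = {e.line_no for e in find_hijacked(text)}
    out, blank_run = [], 0
    for no, raw in enumerate(text.splitlines(), start=1):
        if no in bad:
            continue
        blank_run = blank_run + 1 if not raw.strip() else 0
        if blank_run <= 1:
            out.append(raw)
    return "\n".join(out) + "\n"


def hosts_path() -> str:
    """Path Windows actually reads: the DataBasePath value under Tcpip\\Parameters
    (a real registry value), falling back to the default folder. Check it rather than
    assuming %SystemRoot%\\system32\\drivers\\etc, since the value can be repointed."""
    if sys.platform != "win32":
        return "/etc/hosts"
    base = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), r"system32\drivers\etc")
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters") as key:
            base = os.path.expandvars(winreg.QueryValueEx(key, "DataBasePath")[0])
    except OSError:
        pass
    return os.path.join(base, "hosts")


# Constructed sample, not a real capture: a stock XP hosts header, the localhost line,
# 120 blank lines of padding, then overrides of the vendor hosts the thread names.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 120
    + "127.0.0.1 liveupdate.symantecliveupdate.com\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 securityresponse.symantec.com\n"
    "127.0.0.1 update.symantec.com\n"
    "127.0.0.1 download.mcafee.com\n"
    "127.0.0.1 www.sophos.com\n"
    "127.0.0.1 www.trendmicro.com\n"
    "0.0.0.0   windowsupdate.microsoft.com\n"
)

if __name__ == "__main__":
    try:
        with open(hosts_path(), encoding="ascii", errors="replace") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_HOSTS
    print(f"longest blank-line run: {longest_blank_run(text)}")
    for e in find_hijacked(text):
        print(f"line {e.line_no}: {e.ip} -> {' '.join(e.hostnames)}")
```

Run it in Safe Mode with the machine offline, write the cleaned text back only after reviewing the flagged lines, and remember that the file is often set read-only by both Windows and malware, so clear that attribute before saving.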

David H. Lipman
07-09-2005, 11:50 PM
CT:

I don't know when you downloaded the Multi AV front end but I just updated it last night.
You might want to download the newer version, run the self-extractor and then run the Start
Menu again and see if Trend and Sophos will work correctly.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Crouchie1998
07-09-2005, 11:50 PM
The Mytob tool from Symantec will be rebuilt again soon as a new strain was
discovered over the past 24 hours, so you'll need to download the new
version in a few days and check your system again.

Crouchie1998
BA (HONS) MCP MCSE

CT04
07-09-2005, 11:50 PM
To both Dave and Crouchie1998

Good news...finally managed to resolve everything and now have Norton
Internet Security loaded and LiveUpdate is running - finally! Had a few
problems with that but cracked it. Dave, I downloaded the removal tool you
recommended on Thursday so no, wouldn't have your latest one. Crouchie1998,
I had him download the Mytob removal tool for his variant and it came up with
no infection. Looks like Dave's tool did the trick first time out the
blocks!

Anyway guys, my mate Dave is as happy as a pig in the hot smelly stuff and
my/our thanks to you for your help and advice. I hope he has learned his
lesson and won't download and open questionable attachments in future.

Cheers, CT


David H. Lipman
07-09-2005, 11:50 PM
Glad to hear it CT. Thanks for updating the thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
