PC with 4 viruses

Hi,

My client has the following four viruses on her Win 2000 PC:

Backdoor. OptixPro.13
Backdoor. Sdbot
W32.Spybot.Worm
W32.Randex.gen

Symantec doesn't have any quick fixes for these. The site tells me to go into the registry and make all these changes for each of the viruses. The computer can't even locate the files in the registry Symantec is asking me to look at! The viruses have infected some important files, such as server.exe and win.exe.

Can anyone give me some tips on how to get rid of the viruses?

Thanks.

Kara
kara334 Asked:

RevelationCS Commented:
Also, have you tried the following:

Adaware - http://www.lavasoftusa.com/software/adaware/
Spybot S&D - http://www.safer-networking.org/en/download/index.html
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html


Also, take a look at the following links for variants of the viruses listed above -

W32.Randex.gen - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ERandex%2Egen&alt=Randex%2Egen

W32.Spybot.Worm - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ESpybot%2EWorm&alt=Spybot%2EWorm

Backdoor.Sdbot - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2ESdbot&alt=Sdbot

Backdoor.OptixPro.13 - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2EOptixPro%2E13&alt=OptixPro%2E13

I would recommend doing the virus scan from Trend (http://housecall.trendmicro.com) and from there make a note of the specific viruses listed there and proceed with the cleanups per the links above....


0
 
kara334Author Commented:
Thank you for your suggestions. The links to Trendmicro were very helpful. I have gotten rid of two of the four viruses completely.

However, I have four files left infected with viruses. Unfortunately, three of them are explorer.exe files. They are all infected with the W32.Spybot worm. I don't know what to do with these files. I can't simply delete explorer.exe files!!

The fourth file, windrive.exe is infected with W32.Randex.gen. It's a stubborn infection and doesn't want to go away.

Can you help me further, particularly with those explorer.exe infections? I want to be careful and I just don't know what to do!

Thanks.

Kara
0

 
SheharyaarSaahilCommented:
Do this.... Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

post here the contents of that Log file,,,, let me check if these explorer.exe are running from valid location or are just faked ones ??
0
 
RevelationCSCommented:
what is the location of the explorer.exe files? please post the locations here....

also, the windrive.exe file might not be a valid file. Per the information on the SDBOT worm, this file is dropped when infected with the virus... try doing the cleaning steps listed here - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DO
This is also known as the virus name you listed above...
0
 
burningmaceCommented:
Kaspersky Anti-Virus will remove any infections from files in less than a second :)

http://www.kaspersky.com/

I'd recommend that as the best virus scanner ever.
Also, use ZoneAlarm (Pro if you want higher security). It'll stop viruses from accessing the internet if you tell it to.
0
 
kara334Author Commented:
Hi,

I ran HijackThis. I couldn't copy all the results over from the infected computer, but for explorer.exe I got three logs that said:

[Microsoft Syncronization Manager] explorer.exe

(those were the only explorer.exe logs listed)



The online Symantec virus scan gave these locations for the files:

C:\explorer.exe is infected with W32.Spbot.Worm
C:\Documents and Settings\Judy\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\system32\windrive.exe is infected with W32.Randex.gen
C:\WINNT\system32\explorer.exe is infected with W32.Spybot.Worm

Thanks.
0
 
SheharyaarSaahilCommented:
the original location of Valid Explorer.exe is C:\Windows
all else are faked
u can remove all these four files without even thinking !!
0
 
SheharyaarSaahilCommented:
If u cannot post the log of HijackThis here,,,,, then u can use this site >> http://www.hijackthis.de/index.php?langselect=english

post there ur log and it will automatically analyse it for u,,, delete everything which it asks u to delete :)
0
 
kara334Author Commented:
This computer doesn't have a C:\Windows folder, only C:\WINNT. Her computer is Win 2000. Are you sure?? I'm sure you're right. I just want to double check. Thanks.
0
 
SheharyaarSaahilCommented:
oh yeah,,,, in XP its marked as C:\Windows
and in Win2000, its as C:\WINNT

im sure abt it,,, and u must be having an explorer.exe in ur C:\WINNT
this is the original and valid explorer.exe
and all other explorer.exe files in the other locations are faked and they must be kicked out as soon as possible :)
0
 
kara334Author Commented:
Thanks. I got rid of two of the explorer.exe files. Do you have any idea what I should do with the infected files in the WINNT folder? Thanks again. You are being VERY helpful.
0
 
SheharyaarSaahilCommented:
look i will tell u what u needed to delete actually....
u needed to delete.....

explorer.exe file from C: drive
explorer.exe file from C:\WINNT\system32 folder
explorer.exe file from C:\Documents and Settings\Judy folder
windrive.exe file from C:\WINNT\system32 folder

so get rid of all these four files,,,,, u not at all need them..... these are all junk\harmful files and shudn't be present on ur system in any way !!!

understand :)
0
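The rule behind this answer is that the file name alone proves nothing; only the location does. The following is an added example (not code from the thread or from any tool named in it) that makes that rule mechanical: it parses scan-report lines in the one-line-per-file format Kara quoted and labels each hit as a shell copy outside %SystemRoot% (delete), the shell at its real location (restore from install media rather than delete), or some other dropped file. The `SYSTEM_ROOT` table, the `win2000`/`winxp` keys and the fifth sample line (a hypothetical hit on C:\WINNT\explorer.exe, added to exercise the canonical branch) are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Canonical %SystemRoot% per OS family, as the thread states:
# Windows 2000 installs to C:\WINNT, Windows XP to C:\Windows.
# (Assumed table for this example.)
SYSTEM_ROOT = {
    "win2000": PureWindowsPath(r"C:\WINNT"),
    "winxp": PureWindowsPath(r"C:\Windows"),
}

# Binaries whose only legitimate home is %SystemRoot% itself.
SHELL_BINARIES = {"explorer.exe"}

# Matches the "<path> is infected with <threat>" lines quoted in the thread.
SCAN_LINE = re.compile(r"^(?P<path>.+?) is infected with (?P<threat>\S+)$")


def parse_scan_report(text):
    """Return (path, threat) pairs for every parseable line of the report."""
    findings = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat")))
    return findings


def classify(path_str, os_family="win2000"):
    """Decide how to treat one flagged file.

    'masquerading_shell': named like the shell but outside %SystemRoot%
                          (the copies the thread says to delete).
    'canonical_shell':    the shell at its real location; restore it from
                          install media instead of deleting it.
    'dropped_file':       anything else the scanner flagged (e.g. windrive.exe).
    """
    p = PureWindowsPath(path_str)
    root = SYSTEM_ROOT[os_family]
    if p.name.lower() not in SHELL_BINARIES:
        return "dropped_file"
    # PureWindowsPath compares case-insensitively, so C:\winnt == C:\WINNT.
    if p.parent == root:
        return "canonical_shell"
    return "masquerading_shell"


def triage(report_text, os_family="win2000"):
    """Map each finding to a verdict; returns a list of (path, threat, verdict)."""
    return [(path, threat, classify(path, os_family))
            for path, threat in parse_scan_report(report_text)]


# Constructed sample: the four lines Kara posted plus one hypothetical hit on
# the real shell, to show that location, not name, drives the verdict.
SAMPLE_REPORT = r"""
C:\explorer.exe is infected with W32.Spbot.Worm
C:\Documents and Settings\Judy\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\system32\windrive.exe is infected with W32.Randex.gen
C:\WINNT\system32\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\explorer.exe is infected with W32.Spybot.Worm
"""

if __name__ == "__main__":
    for path, threat, verdict in triage(SAMPLE_REPORT):
        print(f"{verdict:19} {threat:18} {path}")
```

Run it as-is to see the four files from the thread labelled for deletion and the hypothetical C:\WINNT copy labelled as the real shell; pass `os_family="winxp"` to `triage` to apply the C:\Windows rule instead. A flagged file at the canonical path is the one case where deleting is the wrong move, which is exactly the worry Kara raised about explorer.exe.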
 
kara334Author Commented:
Got it. I'll delete them and run a virus scan and then give you your well deserved points.
0
 
SheharyaarSaahilCommented:
sure go ahead and get rid of all those nasties,,,, and dont worry abt the points,,, no hurry, just take ur time :)
0
 
kara334Author Commented:
OK, everything seems cool except I can't delete the explorer.exe file from C:\WINNT\system32 folder.

"Access is denied. The source file may be in use."

Restarted the computer. Disconnected it from the internet. Still can't delete it.
0
 
SheharyaarSaahilCommented:
Delete it in Safemode, it must be running in background in Normal Mode,,,, and if still u get the Access Denied error, then take the ownership of this file, and then delete it !!

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019
0
 
kara334Author Commented:
I was able to delete the file in Safe Mode! I ran a virus scan and my client's computer is no longer infected!!!

Thank you so much for your help. I'm really glad I ran into you. :)


Kara
0
 
SheharyaarSaahilCommented:
well..... my pleasure, glad i cud help u :)
Cheers ^_^
0
 
RevelationCSCommented:
Is there a reason why you didn't split the points when an answer I gave cleaned you of two of the four viruses?
0
 
kara334Author Commented:
I sincerely apologize. It was an accidental oversight. I should have split the points. Is there anything I can do about it now? I was working with the other person so much yesterday I didn't realize you were the one who had given me some crucial links originally. I haven't worked with this system much, and I'm not quite used to it.

Kara
0
 
SheharyaarSaahilCommented:
U can goto Support area and can ask a moderator to reopen this question, and then u can reassign the points to award Revelation :)
0
 
SheharyaarSaahilCommented:
thanx Lunchy for ur time on it ^_^
0
 
RevelationCSCommented:
Thank you for posting the correction Kara... it was a pleasure to assist you and work with SS...
0
 
SheharyaarSaahilCommented:
^_^
0
 
kara334Author Commented:
Good. I'm not quite sure what just happened here, but it sounds like everybody's happy now. :)

Thanks Lunchy!

Kara
0