Solved

PC with 4 viruses

Posted on 2004-09-08
Last Modified: 2013-12-04
Hi,

My client has the following four viruses on her Win 2000 PC:

Backdoor. OptixPro.13
Backdoor. Sdbot
W32.Spybot.Worm
W32.Randex.gen

Symantec doesn't have any quick fixes for these. The site tells me to go into the registry and make all these changes for each of the viruses. The computer can't even locate the files in the registry Symantec is asking me to look at! The viruses have infected some important files, such as server.exe and win.exe.

Can anyone give me some tips on how to get rid of the viruses?

Thanks.

Kara
Question by:kara334

27 Comments
Accepted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 250 total points
ID: 12008263

Assisted Solution

by:RevelationCS
RevelationCS earned 250 total points
ID: 12009411
Also, have you tried the following:

Adaware - http://www.lavasoftusa.com/software/adaware/
Spybot S&D - http://www.safer-networking.org/en/download/index.html
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html


Also, take a look at the following links for variants of the viruses listed above -

W32.Randex.gen - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ERandex%2Egen&alt=Randex%2Egen

W32.Spybot.Worm - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ESpybot%2EWorm&alt=Spybot%2EWorm

Backdoor.Sdbot - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2ESdbot&alt=Sdbot

Backdoor.OptixPro.13 - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2EOptixPro%2E13&alt=OptixPro%2E13

I would recommend doing the virus scan from Trend (http://housecall.trendmicro.com) and from there make a note of the specific viruses listed there and proceed with the cleanups per the links above....



Author Comment

by:kara334
ID: 12031232
Thank you for your suggestions. The links to Trendmicro were very helpful. I have gotten rid of two of the four viruses completely.

However, I have four files left infected with viruses. Unfortunately, three of them are explorer.exe files. They are all infected with the W32.Spybot worm. I don't know what to do with these files. I can't simply delete explorer.exe files!!

The fourth file, windrive.exe is infected with W32.Randex.gen. It's a stubborn infection and doesn't want to go away.

Can you help me further, particularly with those explorer.exe infections? I want to be careful and I just don't know what to do!

Thanks.

Kara

Expert Comment

by:SheharyaarSaahil
ID: 12031257
Do this: download HijackThis v1.98.2 from here, run it and save the log file:
http://tools.radiosplace.com/HijackThis.exe

Post the contents of that log file here; let me check whether these explorer.exe files are running from a valid location or are just fake ones.

Expert Comment

by:RevelationCS
ID: 12031844
What is the location of the explorer.exe files? Please post the locations here.

Also, the windrive.exe file might not be a valid file. Per the information on the SDBOT worm, this file is dropped when infected with the virus. Try doing the cleaning steps listed here - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DO
This is also known by the virus name you listed above.

Expert Comment

by:burningmace
ID: 12033992
Kaspersky Anti-Virus will remove any infections from files in less than a second :)

http://www.kaspersky.com/

I'd recommend that as the best virus scanner ever.
Also, use ZoneAlarm (Pro if you want higher security). It'll stop viruses from accessing the internet if you tell it to.

Author Comment

by:kara334
ID: 12035425
Hi,

I ran HijackThis. I couldn't copy all the results over from the infected computer, but for explorer.exe I got three logs that said:

[Microsoft Syncronization Manager] explorer.exe

(those were the only explorer.exe logs listed)



The online Symantec virus scan gave these locations for the files:

C:\explorer.exe is infected with W32.Spybot.Worm
C:\Documents and Settings\Judy\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\system32\windrive.exe is infected with W32.Randex.gen
C:\WINNT\system32\explorer.exe is infected with W32.Spybot.Worm

Thanks.

Expert Comment

by:SheharyaarSaahil
ID: 12035431
The original location of the valid explorer.exe is C:\Windows.
All others are fake.
You can remove all these four files without even thinking!!

Expert Comment

by:SheharyaarSaahil
ID: 12035436
If you cannot post the HijackThis log here, then you can use this site: http://www.hijackthis.de/index.php?langselect=english

Post your log there and it will automatically analyse it for you; delete everything it asks you to delete :)

Author Comment

by:kara334
ID: 12035478
This computer doesn't have a C:\Windows folder, only C:\WINNT. Her computer is Win 2000. Are you sure?? I'm sure you're right. I just want to double-check. Thanks.

Expert Comment

by:SheharyaarSaahil
ID: 12035484
Oh yeah, in XP it's marked as C:\Windows,
and in Win2000 it's C:\WINNT.

I'm sure about it, and you must have an explorer.exe in your C:\WINNT.
This is the original and valid explorer.exe,
and all other explorer.exe files in the other locations are fake and must be kicked out as soon as possible :)

Author Comment

by:kara334
ID: 12035502
Thanks. I got rid of two of the explorer.exe files. Do you have any idea what I should do with the infected files in the WINNT folder? Thanks again. You are being VERY helpful.

Expert Comment

by:SheharyaarSaahil
ID: 12035512
Look, I will tell you what you actually needed to delete....
You needed to delete:

explorer.exe from the C: drive
explorer.exe from the C:\WINNT\system32 folder
explorer.exe from the C:\Documents and Settings\Judy folder
windrive.exe from the C:\WINNT\system32 folder

So get rid of all these four files; you do not need them at all. These are all junk/harmful files and shouldn't be present on your system in any way!!!

Understand? :)

Author Comment

by:kara334
ID: 12035519
Got it. I'll delete them and run a virus scan and then give you your well deserved points.

Expert Comment

by:SheharyaarSaahil
ID: 12035528
Sure, go ahead and get rid of all those nasties, and don't worry about the points, no hurry, just take your time :)

Author Comment

by:kara334
ID: 12035575
OK, everything seems cool except I can't delete the explorer.exe file from C:\WINNT\system32 folder.

"Access is denied. The source file may be in use."

Restarted the computer. Disconnected it from the internet. Still can't delete it.

Expert Comment

by:SheharyaarSaahil
ID: 12035583
Delete it in Safe Mode; it must be running in the background in Normal Mode. If you still get the Access Denied error, take ownership of the file and then delete it!!

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

Author Comment

by:kara334
ID: 12036230
I was able to delete the file in Safe Mode! I ran a virus scan and my client's computer is no longer infected!!!

Thank you so much for your help. I'm really glad I ran into you. :)


Kara

Expert Comment

by:SheharyaarSaahil
ID: 12036263
Well... my pleasure, glad I could help you :)
Cheers ^_^

Expert Comment

by:RevelationCS
ID: 12036951
Is there a reason why you didn't split the points when an answer I gave cleaned you of two of the four viruses?

Author Comment

by:kara334
ID: 12039216
I sincerely apologize. It was an accidental oversight. I should have split the points. Is there anything I can do about it now? I was working with the other person so much yesterday that I didn't realize you were the one who had given me some crucial links originally. I haven't worked with this system much, and I'm not quite used to it.

Kara

Expert Comment

by:SheharyaarSaahil
ID: 12039335
You can go to the Support area and ask a moderator to reopen this question, and then you can reassign the points to award Revelation :)

Expert Comment

by:SheharyaarSaahil
ID: 12047153
Thanks Lunchy for your time on it ^_^

Expert Comment

by:RevelationCS
ID: 12047583
Thank you for posting the correction Kara... it was a pleasure to assist you and work with SS...

Expert Comment

by:SheharyaarSaahil
ID: 12047660
^_^

Author Comment

by:kara334
ID: 12048341
Good. I'm not quite sure what just happened here, but it sounds like everybody's happy now. :)

Thanks Lunchy!

Kara