Solved

PC with 4 viruses

Posted on 2004-09-08
27
217 Views
Last Modified: 2013-12-04
Hi,

My client has the following four viruses on her Win 2000 PC:

Backdoor. OptixPro.13
Backdoor. Sdbot
W32.Spybot.Worm
W32.Randex.gen

Symantec doesn't have any quick fixes for these. The site tells me to go into the registry and make all these changes for each of the viruses. The computer can't even locate the files in the registry Symantec is asking me to look at! The viruses have infected some important files, such as server.exe and win.exe.

Can anyone give me some tips on how to get rid of the viruses?

Thanks.

Kara
Question by:kara334
27 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 250 total points
ID: 12008263
 
LVL 8

Assisted Solution

by:RevelationCS
RevelationCS earned 250 total points
ID: 12009411
Also, have you tried the following:

Adaware - http://www.lavasoftusa.com/software/adaware/
Spybot S&D - http://www.safer-networking.org/en/download/index.html
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html


Also, take a look at the following links for variants of the viruses listed above -

W32.Randex.gen - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ERandex%2Egen&alt=Randex%2Egen

W32.Spybot.Worm - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ESpybot%2EWorm&alt=Spybot%2EWorm

Backdoor.Sdbot - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2ESdbot&alt=Sdbot

Backdoor.OptixPro.13 - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2EOptixPro%2E13&alt=OptixPro%2E13

I would recommend doing the virus scan from Trend (http://housecall.trendmicro.com) and from there make a note of the specific viruses listed there and proceed with the cleanups per the links above....


 

Author Comment

by:kara334
ID: 12031232
Thank you for your suggestions. The links to Trendmicro were very helpful. I have gotten rid of two of the four viruses completely.

However, I have four files left infected with viruses. Unfortunately, three of them are explorer.exe files. They are all infected with the W32.Spybot worm. I don't know what to do with these files. I can't simply delete explorer.exe files!!

The fourth file, windrive.exe is infected with W32.Randex.gen. It's a stubborn infection and doesn't want to go away.

Can you help me further, particularly with those explorer.exe infections? I want to be careful and I just don't know what to do!

Thanks.

Kara
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12031257
Do this.... Download HijackThis v1.98.2 from here, run it and save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Post the contents of that log file here, and let me check whether these explorer.exe files are running from a valid location or are just faked ones.
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12031844
What is the location of the explorer.exe files? Please post the locations here....

Also, the windrive.exe file might not be a valid file. Per the information on the SDBOT worm, this file is dropped when infected with the virus... try doing the cleaning steps listed here - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DO
This is also known as the virus name you listed above...
 
LVL 5

Expert Comment

by:burningmace
ID: 12033992
Kaspersky Anti-Virus will remove any infections from files in less than a second :)

http://www.kaspersky.com/

I'd recommend that as the best virus scanner ever.
Also, use ZoneAlarm (Pro if you want higher security). It'll stop viruses from accessing the internet if you tell it to.
 

Author Comment

by:kara334
ID: 12035425
Hi,

I ran HijackThis. I couldn't copy all the results over from the infected computer, but for explorer.exe I got three logs that said:

[Microsoft Syncronization Manager] explorer.exe

(those were the only explorer.exe logs listed)



The online Symantec virus scan gave these locations for the files:

C:\explorer.exe is infected with W32.Spbot.Worm
C:\Documents and Settings\Judy\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\system32\windrive.exe is infected with W32.Randex.gen
C:\WINNT\system32\explorer.exe is infected with W32.Spybot.Worm

Thanks.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035431
The original location of the valid explorer.exe is C:\Windows.
All the others are faked.
You can remove all four of these files without even thinking!!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035436
If you cannot post the HijackThis log here, then you can use this site >> http://www.hijackthis.de/index.php?langselect=english

Post your log there and it will automatically analyse it for you; delete everything which it asks you to delete :)
 

Author Comment

by:kara334
ID: 12035478
This computer doesn't have a C:\Windows folder, only C:\WINNT. Her computer is Win 2000. Are you sure?? I'm sure you're right. I just want to double check. Thanks.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035484
Oh yeah, in XP it's marked as C:\Windows,
and in Win2000 it's C:\WINNT.

I'm sure about it, and you must have an explorer.exe in your C:\WINNT.
This is the original and valid explorer.exe,
and all other explorer.exe files in the other locations are faked and they must be kicked out as soon as possible :)
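The location check the comments above describe (the one legitimate explorer.exe lives directly under the system root, C:\WINNT on Windows 2000 and C:\Windows on XP), written out as an added example that is not from this thread or from any of the tools mentioned in it. It parses scan report lines in the "X is infected with Y" format quoted earlier and flags every copy of explorer.exe found outside the system root; the parser, the function names and the handling of files other than explorer.exe are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Scan report lines as quoted in the thread (constructed sample input).
SCAN_OUTPUT = """\
C:\\explorer.exe is infected with W32.Spbot.Worm
C:\\Documents and Settings\\Judy\\explorer.exe is infected with W32.Spybot.Worm
C:\\WINNT\\system32\\windrive.exe is infected with W32.Randex.gen
C:\\WINNT\\system32\\explorer.exe is infected with W32.Spybot.Worm
"""
# Binaries with exactly one legitimate home, given relative to the system
# root (C:\WINNT on Windows 2000, C:\Windows on XP). Assumption of this
# example: only explorer.exe, the file the thread is about, is modelled.
LEGIT_LOCATIONS = {"explorer.exe": PureWindowsPath("explorer.exe")}

LINE_RE = re.compile(r"^(?P<path>.+?) is infected with (?P<name>\S+)$")


def parse_scan(text):
    """Return (path, detection name) pairs from 'X is infected with Y' lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((PureWindowsPath(m["path"]), m["name"]))
    return hits


def is_masquerade(path, system_root):
    """True when a file named like a protected system binary sits outside
    its single legitimate location. Windows paths compare case-insensitively."""
    path = PureWindowsPath(path)
    name = path.name.lower()
    if name not in LEGIT_LOCATIONS:
        return False
    expected = PureWindowsPath(system_root) / LEGIT_LOCATIONS[name]
    return str(path).lower() != str(expected).lower()


def triage(text, system_root):
    """Map each reported path to (detection, verdict): a 'masquerade' copy can be
    deleted; a hit at the 'legit-location' is the real binary and needs repair."""
    result = {}
    for path, name in parse_scan(text):
        if path.name.lower() not in LEGIT_LOCATIONS:
            verdict = "other"
        elif is_masquerade(path, system_root):
            verdict = "masquerade"
        else:
            verdict = "legit-location"
        result[str(path)] = (name, verdict)
    return result
```

Run `triage(SCAN_OUTPUT, "C:\\WINNT")` to reproduce the thread's verdict: all three explorer.exe hits are masquerades, while windrive.exe is left for the per-family cleanup instructions.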
 

Author Comment

by:kara334
ID: 12035502
Thanks. I got rid of two of the explorer.exe files. Do you have any idea what I should do with the infected files in the WINNT folder? Thanks again. You are being VERY helpful.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035512
Look, I will tell you what you actually needed to delete....
You needed to delete.....

explorer.exe file from C: drive
explorer.exe file from C:\WINNT\system32 folder
explorer.exe file from C:\Documents and Settings\Judy folder
windrive.exe file from C:\WINNT\system32 folder

So get rid of all these four files, you do not need them at all..... these are all junk\harmful files and shouldn't be present on your system in any way !!!

Understand :)
 

Author Comment

by:kara334
ID: 12035519
Got it. I'll delete them and run a virus scan and then give you your well deserved points.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035528
Sure, go ahead and get rid of all those nasties, and don't worry about the points, no hurry, just take your time :)
 

Author Comment

by:kara334
ID: 12035575
OK, everything seems cool except I can't delete the explorer.exe file from C:\WINNT\system32 folder.

"Access is denied. The source file may be in use."

Restarted the computer. Disconnected it from the internet. Still can't delete it.
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035583
Delete it in Safe Mode, it must be running in the background in Normal Mode, and if you still get the Access Denied error, then take ownership of this file and then delete it !!

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019
 

Author Comment

by:kara334
ID: 12036230
I was able to delete the file in Safe Mode! I ran a virus scan and my client's computer is no longer infected!!!

Thank you so much for your help. I'm really glad I ran into you. :)


Kara
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12036263
Well..... my pleasure, glad I could help you :)
Cheers ^_^
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12036951
Is there a reason why you didn't split the points when an answer I gave cleaned you of two of the four viruses?
 

Author Comment

by:kara334
ID: 12039216
I sincerely apologize. It was an accidental oversight. I should have split the points. Is there anything I can do about it now? I was working with the other person so much yesterday I didn't realize you were the one who had given me some crucial links originally. I haven't worked with this system much, and I'm not quite used to it.

Kara
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12039335
You can go to the Support area and ask a moderator to reopen this question, and then you can reassign the points to award Revelation :)
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047153
Thanks Lunchy for your time on it ^_^
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12047583
Thank you for posting the correction Kara... it was a pleasure to assist you and work with SS...
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047660
^_^
 

Author Comment

by:kara334
ID: 12048341
Good. I'm not quite sure what just happened here, but it sounds like everybody's happy now. :)

Thanks Lunchy!

Kara