Solved

PC with 4 viruses

Posted on 2004-09-08
Last Modified: 2013-12-04
Hi,

My client has the following four viruses on her Win 2000 PC:

Backdoor. OptixPro.13
Backdoor. Sdbot
W32.Spybot.Worm
W32.Randex.gen

Symantec doesn't have any quick fixes for these. The site tells me to go into the registry and make all these changes for each of the viruses. The computer can't even locate the files in the registry Symantec is asking me to look at! The viruses have infected some important files, such as server.exe and win.exe.

Can anyone give me some tips on how to get rid of the viruses?

Thanks.

Kara
Question by:kara334
26 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 1000 total points
ID: 12008263
LVL 8

Assisted Solution

by:RevelationCS
RevelationCS earned 1000 total points
ID: 12009411
Also, have you tried the following:

Adaware - http://www.lavasoftusa.com/software/adaware/
Spybot S&D - http://www.safer-networking.org/en/download/index.html
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html


Also, take a look at the following links for variants of the viruses listed above -

W32.Randex.gen - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ERandex%2Egen&alt=Randex%2Egen

W32.Spybot.Worm - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=W32%2ESpybot%2EWorm&alt=Spybot%2EWorm

Backdoor.Sdbot - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2ESdbot&alt=Sdbot

Backdoor.OptixPro.13 - http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Backdoor%2EOptixPro%2E13&alt=OptixPro%2E13

I would recommend doing the virus scan from Trend (http://housecall.trendmicro.com) and from there make a note of the specific viruses listed there and proceed with the cleanups per the links above....



Author Comment

by:kara334
ID: 12031232
Thank you for your suggestions. The links to Trendmicro were very helpful. I have gotten rid of two of the four viruses completely.

However, I have four files left infected with viruses. Unfortunately, three of them are explorer.exe files. They are all infected with the W32.Spybot worm. I don't know what to do with these files. I can't simply delete explorer.exe files!!

The fourth file, windrive.exe is infected with W32.Randex.gen. It's a stubborn infection and doesn't want to go away.

Can you help me further, particularly with those explorer.exe infections? I want to be careful and I just don't know what to do!

Thanks.

Kara
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12031257
Do this.... Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Post the contents of that log file here; let me check whether these explorer.exe files are running from a valid location or are just faked ones.
LVL 8

Expert Comment

by:RevelationCS
ID: 12031844
What is the location of the explorer.exe files? Please post the locations here.

Also, the windrive.exe file might not be a valid file. Per the information on the SDBOT worm, this file is dropped when infected with the virus. Try doing the cleaning steps listed here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.DO
This is also known by the virus name you listed above.
LVL 5

Expert Comment

by:burningmace
ID: 12033992
Kaspersky Anti-Virus will remove any infections from files in less than a second :)

http://www.kaspersky.com/

I'd recommend that as the best virus scanner ever.
Also, use ZoneAlarm (Pro if you want higher security). It'll stop viruses from accessing the internet if you tell it to.

Author Comment

by:kara334
ID: 12035425
Hi,

I ran HijackThis. I couldn't copy all the results over from the infected computer, but for explorer.exe I got three logs that said:

[Microsoft Syncronization Manager] explorer.exe

(those were the only explorer.exe logs listed)



The online Symantec virus scan gave these locations for the files:

C:\explorer.exe is infected with W32.Spybot.Worm
C:\Documents and Settings\Judy\explorer.exe is infected with W32.Spybot.Worm
C:\WINNT\system32\windrive.exe is infected with W32.Randex.gen
C:\WINNT\system32\explorer.exe is infected with W32.Spybot.Worm

Thanks.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035431
The original location of the valid Explorer.exe is C:\Windows.
All others are faked.
You can remove all these four files without even thinking!!
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035436
If you cannot post the HijackThis log here, then you can use this site >> http://www.hijackthis.de/index.php?langselect=english

Post your log there and it will automatically analyse it for you; delete everything which it asks you to delete :)

Author Comment

by:kara334
ID: 12035478
This computer doesn't have a C:\Windows folder, only C:\WINNT. Her computer is Win 2000. Are you sure?? I'm sure you're right. I just want to double check. Thanks.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035484
Oh yeah, in XP it's marked as C:\Windows,
and in Win2000 it's C:\WINNT.

I'm sure about it, and you must be having an explorer.exe in your C:\WINNT.
This is the original and valid explorer.exe,
and all other explorer.exe files in the other locations are faked and they must be kicked out as soon as possible :)

Author Comment

by:kara334
ID: 12035502
Thanks. I got rid of two of the explorer.exe files. Do you have any idea what I should do with the infected files in the WINNT folder? Thanks again. You are being VERY helpful.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035512
Look, I will tell you what you actually needed to delete.
You needed to delete:

explorer.exe file from C: drive
explorer.exe file from C:\WINNT\system32 folder
explorer.exe file from C:\Documents and Settings\Judy folder
windrive.exe file from C:\WINNT\system32 folder

So get rid of all these four files; you do not need them at all. These are all junk/harmful files and shouldn't be present on your system in any way!!!

Understand :)
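The rule the thread settles on (the genuine shell is %SystemRoot%\explorer.exe, C:\WINNT on Windows 2000, and every other explorer.exe is a look-alike) as an added worked example; this is not code from the thread or from any of the tools mentioned. The scanner lines are the ones quoted above, re-typed as constructed input with the spelling normalised; the HijackThis O4 line is the one Kara posted; the lookup function mimics the documented Win32 CreateProcess search order to show why a path-less Run entry such as "[Microsoft Syncronization Manager] explorer.exe" says nothing about which copy actually starts. Function names are my own.

```python
import re

# Constructed copy of the scanner output quoted in the thread (one typo normalised).
SCAN_OUTPUT = """\
C:\\explorer.exe is infected with W32.Spybot.Worm
C:\\Documents and Settings\\Judy\\explorer.exe is infected with W32.Spybot.Worm
C:\\WINNT\\system32\\windrive.exe is infected with W32.Randex.gen
C:\\WINNT\\system32\\explorer.exe is infected with W32.Spybot.Worm
"""

# HijackThis O4 (Run key) entry as quoted in the thread; the command carries no path.
HIJACKTHIS_O4 = "O4 - HKLM\\..\\Run: [Microsoft Syncronization Manager] explorer.exe"

SCAN_LINE = re.compile(r"^(?P<path>.+?) is infected with (?P<name>\S+)$")


def parse_scan(text):
    """Return (path, detection_name) pairs from scanner lines like those posted."""
    findings = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("name")))
    return findings


def split_path(path):
    """'C:\\WINNT\\explorer.exe' -> ('C:\\WINNT', 'explorer.exe'); 'C:\\x.exe' -> ('C:', 'x.exe')."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def classify(path, system_root="C:\\WINNT"):
    """The genuine shell is %SystemRoot%\\explorer.exe (C:\\WINNT on Windows 2000,
    C:\\Windows on XP). An explorer.exe anywhere else is a look-alike, and a
    file such as windrive.exe is not a Windows component at all."""
    directory, name = split_path(path)
    if name.lower() == "explorer.exe":
        if directory.lower() == system_root.lower():
            return "genuine shell: keep, disinfect or restore from install media"
        return "look-alike explorer.exe outside %SystemRoot%: delete"
    return "dropped file, not a Windows component: delete"


def triage(scan_text=SCAN_OUTPUT, system_root="C:\\WINNT"):
    """Map every reported path to a verdict."""
    return {path: classify(path, system_root) for path, _ in parse_scan(scan_text)}


def known_files(scan_text=SCAN_OUTPUT, system_root="C:\\WINNT"):
    """Files present on the disk for the lookup below: the scanner never lists
    the genuine shell, so it is added explicitly (assumed to exist)."""
    return [p for p, _ in parse_scan(scan_text)] + [system_root + "\\explorer.exe"]


def run_entry_command(hjt_line):
    """Extract the command that follows the bracketed entry name of an O4 line."""
    return hjt_line.split("]", 1)[1].strip()


def resolve_bare_command(command, app_dir, cwd, system_root, existing_files):
    """Which file a path-less command would start. CreateProcess searches the
    launching program's directory, the current directory, system32, system and
    the Windows directory (then PATH) and takes the first hit, so the answer
    depends entirely on who launches the entry."""
    existing = {p.lower(): p for p in existing_files}
    search_order = [app_dir, cwd, system_root + "\\system32",
                    system_root + "\\system", system_root]
    for directory in search_order:
        candidate = (directory.rstrip("\\") + "\\" + command).lower()
        if candidate in existing:
            return existing[candidate]
    return None


if __name__ == "__main__":
    for path, verdict in triage().items():
        print(f"{path:55} {verdict}")
    cmd = run_entry_command(HIJACKTHIS_O4)
    files = known_files()
    # Same Run entry, two launch contexts: the real shell versus a process living in system32.
    print(cmd, "launched by the shell ->",
          resolve_bare_command(cmd, "C:\\WINNT", "C:\\", "C:\\WINNT", files))
    print(cmd, "launched from system32 ->",
          resolve_bare_command(cmd, "C:\\WINNT\\system32", "C:\\WINNT\\system32", "C:\\WINNT", files))
```

Run on its own the script prints the four verdicts and then shows the same "explorer.exe" entry resolving to C:\WINNT\explorer.exe in one context and to the planted C:\WINNT\system32\explorer.exe in the other, which is why the full path from the scanner, not the name in the log, is what decides.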

Author Comment

by:kara334
ID: 12035519
Got it. I'll delete them and run a virus scan and then give you your well deserved points.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035528
Sure, go ahead and get rid of all those nasties, and don't worry about the points, no hurry, just take your time :)

Author Comment

by:kara334
ID: 12035575
OK, everything seems cool except I can't delete the explorer.exe file from C:\WINNT\system32 folder.

"Access is denied. The source file may be in use."

Restarted the computer. Disconnected it from the internet. Still can't delete it.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12035583
Delete it in Safe Mode; it must be running in the background in Normal Mode. And if you still get the Access Denied error, then take ownership of this file and then delete it!!

HOW TO: Take Ownership of Files
http://support.microsoft.com/?id=268019

Author Comment

by:kara334
ID: 12036230
I was able to delete the file in Safe Mode! I ran a virus scan and my client's computer is no longer infected!!!

Thank you so much for your help. I'm really glad I ran into you. :)


Kara
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12036263
Well, my pleasure, glad I could help you :)
Cheers ^_^
LVL 8

Expert Comment

by:RevelationCS
ID: 12036951
Is there a reason why you didn't split the points when an answer I gave cleaned you of two of the four viruses?

Author Comment

by:kara334
ID: 12039216
I sincerely apologize. It was an accidental oversight. I should have split the points. Is there anything I can do about it now? I was working with the other person so much yesterday I didn't realize you were the one who had given me some crucial links originally. I haven't worked with this system much, and I'm not quite used to it.

Kara
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12039335
You can go to the Support area and ask a moderator to reopen this question, and then you can reassign the points to award Revelation :)
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047153
Thanks, Lunchy, for your time on it ^_^
LVL 8

Expert Comment

by:RevelationCS
ID: 12047583
Thank you for posting the correction, Kara... it was a pleasure to assist you and work with SS...
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12047660
^_^

Author Comment

by:kara334
ID: 12048341
Good. I'm not quite sure what just happened here, but it sounds like everybody's happy now. :)

Thanks Lunchy!

Kara
