virus problem

March 19, 2005 3:07:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Having problem with a virus that seems to run on startup and is contained I
think in system restore? Usually I am ok getting rid of any viruses but this
one has got me stumped. I have removed the registry entry and all folders
but every time I restart it comes back. Cmd line is C:\127021.exe. I don't
know much about DOS and when I type this on the C prompt access is denied.
Ad-Aware picks this up, seems to fix it but always back after restart. I run
Sophos anti-virus but IDE files have not been updated for some time as no
longer in contact with person who installed. Every hour or so Sophos prompts
me to this virus but cannot delete it.

Can anyone advise how to remove this or direct me to instructions on how to
locate and delete.

Any response will be appreciated...

March 19, 2005 3:27:00 PM

craig wrote:

> Having problem with a virus that seems to run on startup and is
> contained I think in system restore? Usually I am ok getting rid of
> any viruses but this
> one has got me stumped. I have removed the registry entry and all
> folders
> but every time I restart it comes back. Cmd line is C:\127021.exe. I
> don't know much about DOS and when I type this on the C prompt access
> is denied.
> Ad-Aware picks this up, seems to fix it but always back after restart.
> I run Sophos anti-virus but IDE files have not been updated for some
> time as no
> longer in contact with person who installed. Every hour or so Sophos
> prompts me to this virus but cannot delete it.
>
> Can anyone advise how to remove this or direct me to instructions on
> how to locate and delete.
>
> Any response will be appreciated...

I'm not sure what you mean by saying your Sophos av files haven't been
updated "as no longer in contact with person who installed". Having
outdated virus definitions is almost worse than having no av installed
at all. If you are unable to update Sophos, uninstall it and get a
full-featured av immediately. If the virus is running on startup, it is
*not* contained only in System Restore points. The virus files in the
System Restore points aren't active; something else on your hard drive
is.

Delete all Temporary and Temporary Internet Files. Then scan in Safe
Mode with TrendMicro's Sysclean:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

After you've scanned with Sysclean, get and install the full-featured av
(uninstall Sophos first), update it, and do a thorough scan in Safe
Mode. After you've done your virus scanning, remove non-viral malware
with Ad-aware and Spybot Search & Destroy. Make sure you update those
programs before you run them, and do your scans in Safe Mode.

After you know your computer is 100% clean, you can make a new System
Restore point and then delete all the previous ones by using Disk
Cleanup's More Options feature.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
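
Added example, not part of any post in this thread: a PowerShell sketch that lists the usual autostart locations (Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Startup folders) and flags any entry that launches a program file sitting directly in a drive root, as C:\127021.exe does. The function names and the "drive root" heuristic are assumptions made for this illustration.

```powershell
# Added example (not from the thread): list common autostart entries and flag
# commands that launch an executable sitting directly in a drive root.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')  # XP layout
)

# Assumption: "suspicious" = command begins with a program file placed directly
# in a drive root, the pattern the poster describes (C:\127021.exe).
$rootExe = '^\s*"?[A-Za-z]:\\[^\\"]+\.(exe|com|bat|scr|pif)\b'

function New-Entry($location, $name, $command) {
    New-Object PSObject -Property @{
        Location   = $location
        Name       = $name
        Command    = $command
        Suspicious = ($command -match $rootExe)
    }
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Entry $key $name ([string]$item.GetValue($name))
        }
    }
    # Winlogon values normally hold explorer.exe and system32\userinit.exe.
    if (Test-Path $winlogon) {
        $wl = Get-Item $winlogon
        foreach ($name in 'Shell', 'Userinit') {
            New-Entry $winlogon $name ([string]$wl.GetValue($name))
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        foreach ($file in (Get-ChildItem $dir)) {
            New-Entry $dir $file.Name $file.FullName
        }
    }
}

Get-AutostartEntry |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Location -AutoSize -Wrap
```

An entry that reappears in this list after it was deleted means something still running is rewriting it, which is why the advice above is to scan from Safe Mode.
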
March 19, 2005 3:59:01 PM

Malke,

Many thanks for your reply, I'll give this a go over the next few days...

For info, I had a lot of problems with this pc (was second hand) and had to
take the hard-drive to an 'expert' who completely wiped the memory and
rebuilt. He was the one who gave me Sophos (think he paid them an amount
each year or something) and used to send me an update disc every 3 months.
Have taken note of your comments! and will get a full featured av asap..

Kind regards

March 19, 2005 7:40:55 PM

craig wrote:

> Malke,
>
> Many thanks for your reply, I'll give this a go over the next few
> days...
>
> For info, I had a lot of problems with this pc (was second hand) and
> had to take the hard-drive to an 'expert' who completely wiped the
> memory and
> rebuilt. He was the one who gave me Sophos (think he paid them an
> amount each year or something) and used to send me an update disc
> every 3 months. Have taken note of your comments! and will get a full
> featured av asap..

Thanks for the clarification, Craig. Absolutely you need to get your own
av. Updating every 3 months is dreadful. I have my F-Prot set to update
twice a day on my Windows boxen. Let me know if you need more help.

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
Anonymous
March 19, 2005 9:02:10 PM

You may want to try downloading Symantec's Norton Anti-Virus which has a 15
day free trial. It will scan your computer after updating the virus
definitions and in the meantime (15 days) you can get this virus off your
computer. After that perhaps you may want to look into an anti-virus
software that auto updates itself.
March 30, 2005 4:13:02 PM

Malke,

Those downloads have done the trick, virus now removed...however have
another small problem!

Yesterday a spyware program appeared as my background. When clicking it
just took me to a search engine offering all sorts of free anti spyware. I
have Ad-Aware, Spybot and Microsoft anti-spyware installed so ran those and
thought problem removed.

When I logged back in my background is now just a white screen which I
cannot change. Properties show this as an HTML document with address;
file//C:\WINDOWS\web\desktop.html

When I go to this location there is nothing to delete or remove that matches
this.

The Trend Micro Sysclean package didn't fix this either.

Any ideas?


March 30, 2005 7:39:20 PM

craig wrote:

> Malke,
>
> Those downloads have done the trick, virus now removed...however have
> another small problem!
>
> Yesterday a spyware program appeared as my background. When clicking
> it
> just took me to a search engine offering all sorts of free anti
> spyware. I have Ad-Aware, Spybot and Microsoft anti-spyware installed
> so ran those and thought problem removed.
>
> When I logged back in my background is now just a white screen which I
> cannot change. Properties show this as an HTML document with address;
> file//C:\WINDOWS\web\desktop.html
>
> When I go to this location there is nothing to delete or remove that
> matches this.
>
Here's how to get rid of the desktop warning being displayed by malware.
Go to the Display applet in Control Panel and look on the Desktop tab.
Click on Customize Desktop, and then click on the Web tab. You will see
that there are checkmarks next to "My Current Home Page" and probably
"Lock Desktop Items". Uncheck these. By highlighting the "My Current
Home Page" and clicking on the Properties button, you will be able to
determine the name of the file that is the message. It might be called
something like "security.html" or the like.

Of course you want to click Apply and OK out when you've made your
changes. Then you want to find the *.html malware file and delete it.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
March 31, 2005 5:09:03 PM

Malke,

Thanks again for the reply.

When I click on the web tab all that shows in web pages is security. 'My
current home page' doesn't exist and 'lock desktop items' is unchecked.

I think I have already got rid of the malware but for some reason my
background is now just a white screen.

Any other suggestions please!

March 31, 2005 8:18:18 PM

craig wrote:

> Malke,
>
> Thanks again for the reply.
>
> When I click on the web tab all that shows in web pages is security.
> 'My current home page' doesn't exist and 'lock desktop items' is
> unchecked.
>
> I think I have already got rid of the malware but for some reason my
> background is now just a white screen.
>
The security.html file is the one you need to uncheck and then find the
file and delete it. Once you have disabled using the web as your
desktop, try applying one of the Windows backgrounds.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
April 1, 2005 3:07:01 PM

Malke, you are a genius!

Thanks very much for your help, much appreciated...

April 1, 2005 3:17:18 PM

craig wrote:

> Malke, you are a genius!
>
> Thanks very much for your help, much appreciated...
>
Thanks for the nice words. I'm glad you've got it all sorted. Thanks for
taking the time to let me know.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.