Virus/Worm question


Archived from groups: microsoft.public.windowsxp.security_admin

 

Hi all,

We have a laptop where all Shell programs (cmd, regedit, taskmgr) don't
run - unless in safe mode. Norton runs but doesn't detect anything. This
happened within the last 2-3 days. Does anybody have an idea which
Virus/Worm could have caused it? We checked RUN, RUNONCE and RUNEXE and
couldn't find anything suspicious.

Thanks,

Claus


From: "cjobes" <cjobes@nova-tech.org>

| Hi all,
|
| We have a laptop where all Shell programs (cmd, regedit, taskmgr) don't
| run - unless in safe mode. Norton runs but doesn't detect anything. This
| happened within the last 2-3 days. Does anybody have an idea which
| Virus/Worm could have caused it? We checked RUN, RUNONCE and RUNEXE and
| couldn't find anything suspicious.
|
| Thanks,
|
| Claus
|


There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

There are a few...

W32/Nopir -- http://vil.nai.com/vil/content/v_133358.htm
W32/Swen@MM -- http://vil.nai.com/vil/content/v_100662.htm
W32/Navidad@M -- http://vil.nai.com/vil/content/v_98881.htm
Conlock -- http://vil.nai.com/vil/content/v_99308.htm

There may be others as well.

The Swen is the likely culprit.

The following should remove any/all of the above...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
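
An added triage example, not part of the original thread: besides the Run and RunOnce keys already checked in the question, the open-command handlers for executable file classes and the DisableTaskMgr / DisableRegistryTools / DisableCMD policy values are worth ruling out when cmd, regedit and taskmgr refuse to start. The sketch parses text captured with `reg query` (for example from Safe Mode); the sample output, including `example123.exe`, is constructed.

```python
import re

DEFAULT_OPEN = '"%1" %*'  # stock open command for executable file classes
EXEC_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}
# Policy values that block Task Manager, regedit and cmd when non-zero.
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Yield (key, value name, type, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()

def triage(text):
    """Return findings as (kind, key, detail) tuples for manual review."""
    findings = []
    for key, name, rtype, data in parse_reg_query(text):
        parts = key.lower().split("\\")
        is_handler = (len(parts) >= 4 and parts[-3:] == ["shell", "open", "command"]
                      and parts[-4] in EXEC_CLASSES)
        # reg.exe shows the unnamed value as <NO NAME> (XP) or (Default).
        if is_handler and name in ("<NO NAME>", "(Default)"):
            if data != DEFAULT_OPEN:
                findings.append(("handler-hijack", key, data))
        elif name.lower() in LOCKOUT_VALUES and rtype == "REG_DWORD":
            if int(data, 16) != 0:
                findings.append(("tool-lockout", key, name))
    return findings

# Constructed sample of `reg query` output (not taken from the thread).
SAMPLE = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>    REG_SZ    C:\WINDOWS\example123.exe "%1" %*

HKEY_CLASSES_ROOT\batfile\shell\open\command
    <NO NAME>    REG_SZ    "%1" %*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
    DisableTaskMgr    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for kind, key, detail in triage(SAMPLE):
        print(f"{kind}: {key} -> {detail}")
```
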


Dave,

Thanks for the quick response. I will give it a try with your hunch and if
that doesn't work I will post at one of the virus groups.

Claus
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23urRXD%23XFHA.2420@TK2MSFTNGP12.phx.gbl...
> From: "cjobes" <cjobes@nova-tech.org>
>
> | Hi all,
> |
> | We have a laptop where all Shell programs (cmd, regedit, taskmgr) don't
> | run - unless in safe mode. Norton runs but doesn't detect anything. This
> | happened within the last 2-3 days. Does anybody have an idea which
> | Virus/Worm could have caused it? We checked RUN, RUNONCE and RUNEXE and
> | couldn't find anything suspicious.
> |
> | Thanks,
> |
> | Claus
> |
>
>
> There are anti virus News Groups specifically for this type of discussion.
>
> microsoft.public.scripting.virus.discussion
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
> There are a few...
>
> W32/Nopir -- http://vil.nai.com/vil/content/v_133358.htm
> W32/Swen@MM -- http://vil.nai.com/vil/content/v_100662.htm
> W32/Navidad@M -- http://vil.nai.com/vil/content/v_98881.htm
> Conlock -- http://vil.nai.com/vil/content/v_99308.htm
>
> There may be others as well.
>
> The Swen is the likely culprit.
>
> The following should remove any/all of the above...
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
>
> Download CLEAN.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/clean.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
> { http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
> (.lnk) files and a PDF instruction file.
>
> GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
> Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
> to allow the FTP utility to download the needed files.
>
> CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
> to scan again at a future date, run this batch file. It will automatically check the date
> of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
> signature files and install them before performing the scan.
>
> DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
> you have booted from an Emergency Boot Disk or DOS disk and have already executed;
> c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
> http://www.bootdisk.com/bootdisk.htm
>
> I need you to perform the following...
>
> Execute; CLEAN.EXE
> Choose; Unzip
> Choose; Close
>
> Execute; c:\mcafee\GetFiles.BAT
> { or Double-click on 'GetFiles Link' in c:\mcafee }
>
> Reboot the PC into Safe Mode [F8 key during boot]
>
> Shut down as many applications as possible!
> It would also help for you to read - "How to perform a clean boot in Windows XP"
> http://support.microsoft.com/kb/310353
>
> Execute; c:\mcafee\CLEAN.BAT
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
> It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
> report for each session.
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
