
Infections

Anonymous
June 1, 2005 10:58:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I received a fake e-mail message and opened the attachment.
After completing a Spyware scan I found that my computer is infected.
Indications are that a known good site may be hijacked. Adware, Spyware and
phishing sites may use the Windows hosts file to redirect my browser to a
malicious site when trying to access a valid site such as my bank account.
The infection level is HIGH.
I am on Windows XP SP2 installed with Norton Internet security and Antivirus,
also Spybot Search & Destroy, Spyware Doctor and Ad-Aware.
Naturally I am not doing any banking over the internet. Could somebody
please advise what to do to bring my computer back in safe operating mode
i.e. removing the key logger from my system.
Thank you in advance for your kind consideration.
With best regards


Anonymous
June 1, 2005 2:25:32 PM

You mentioned non-viral anti malware applications. You have not shown to use anti virus
software.

I can suggest the following with CA eTrust being the preferred AV application.

AVAST -
http://www.avast.com/i_idt_1016.html - FREE

AntiVir -
http://www.free-av.com/ - FREE

AVG -
http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5 - FREE

CA eTrust -
http://www.my-etrust.com/microsoft/index.cfm - FREE for one year.
{ Free offer ends 8/1/05 }

The *best* defense is not software, it is YOU. You have to practice Safe Hex to prevent
malicious software.

http://www.claymania.com/safe-hex.html

The following uses the McAfee Command Line Scanner and should clean your computer...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 1, 2005 8:49:32 PM

Dear David,
Thank you very much for the prompt response. I am trying to implement your
recommendations forthwith, it may take some time though as I am not very computer
savvy. Incidentally, I would have thought that my Norton security systems would
have been able to assist me in rectifying my problem. Be that as it may I do
appreciate your advice and definitely will report back to you, thanks again.

Anonymous
June 2, 2005 9:53:21 AM

Dear David:
Well, I think I was able to rectify the infection problem.
I followed your recommendations but was not able to implement the mcafee
scan. The download to the zip file went okay but I was not able to open and
scan. I tried updating my Norton Virus/Security application but this also
could not be done. Then I was trying to access the my-etrust website which
also was (and still is) unsuccessful. I was able to download the avast virus
remover but the scan did not reveal any problems, in fact only SpyWare Doctor
scan highlighted the problem but could not remove the virus. I then
downloaded successfully AntiVir and the subsequent scan not only revealed the
problem but also prompted me to remove this file. I was very delighted to say
the least. Thereafter I was able to update the Norton application and a
subsequent scan also revealed the same problem which Norton fixed (removed)
as well. (I am not quite sure how this can happen, but I don't really care
as long as the virus is out of my computer). The problem was identified as
Item: Lien Van de Kelderrr.VIR, Virus Name: W32.MytobCU@mm
This probably makes more sense to you than it does to me. I also ran a
couple of scans with SpyWare Doctor and it appears that the 'Worm' has
disappeared.
Now, could I please test your patience one more time. Based on the apparent
successful removal of the Worm/Virus, can I assume that my system is
relatively safe and secure again? Also, with respect to the System
Configuration Utility, I noticed that Lien Van de Kelderrr is still in the
Startup facility, i.e. Startup Item: Lien Van de Kelderrr, Command: Lien Van
de Kelderrr...., Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Naturally, I unchecked this item and thus the Startup selection changed from
Normal Startup to Selective Startup. Could you please advise as to how to
remove/delete the Lien Van de Kelderrr item complete with check box from the
Startup Item so I can revert to the Normal Startup mode.
Again, thanks so much for your kind support and valuable assistance.
With all good wishes
Kayman.

Anonymous
June 2, 2005 1:39:46 PM

I "still" suggest the original suggestion I provided to use the McAfee Command Line Scanner.

You'll have to explain EXACTLY what problems you had using the utility and what error
messages you may have experienced.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 3, 2005 7:54:01 AM

Dear David:
I finally was able to download mcafee, it took a very long time though
(about 5hrs) with no indication as to the expected download time or any sort
of progress report. Being a novice I wasn't quite sure what to do...but I
won't bore you with all the mistakes I made. I should have been more patient.
Anyway, I was able to run the scans as per your recommendation. The first scan
detected a Virus Qhosts.ap and has been removed from the file. (Is this virus
related to the Lien Van de Kelderrr W32 Mytob.CU@mm Worm??). No other
viruses were found. Summary report on C:\*.* as follows:
total files: 73598, clean: 73530, possibly infected: 0, cleaned: 1,
non-critical errors: 3, master boot records: 1, possibly infected: 0, boot
sectors: 1, possibly infected: 0. Time: 00:26.52
The results of the other scans were similar except no virus removal.
All this seems to be most satisfactory, the mcafee tool performs in a
magical manner! I am going to use it frequently.
The only outstanding issue I have is in relation to the Startup selection,
Lien Van de Kelderrr is still present there. Is there any way to remove this
item so I can go back to the Normal Startup.
Thanks again for your support and patience.
Anonymous
June 3, 2005 2:14:56 PM

The QHosts.apd Trojan is related to the Mytob as the different variants modify the etc/hosts
file...

".The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to
direct several security websites to the local host, so they cannot be accessed. This file
is detected and cleaned as Qhosts.apd."

QHosts.apd -- http://vil.nai.com/vil/content/v_124880.htm

The script specifically will correct the etc/hosts file such that you can get to the McAfee
FTP site. McAfee most likely found and cleaned the etc/hosts.bak backup file made by the
script.

You had stated...
"Also, with respect to the System
Configuration Utility, I noticed that Lien Van de Kelderrr is still in the
Startup facility, i.e. Startup Item: Lien Van de Kelderrr, Command: Lien Van
de Kelderrr...., Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Naturally, I unchecked this item and thus the Startup selection changed from
Normal Startup to Selective Startup. "

and

"The only outstanding issue I have is in relation to the Startup selection,
Lien Van de Kelderrr is still present there. Is there any way to remove this
item so I can go back to the Normal Startup. "

I need to understand how this is in startup. Is this a Registry Run location? Is this in
the StartUp menu?

Have you looked to see if it is listed when or if you run MSCONFIG.EXE?



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
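
The hosts-file tampering described in the post above can be checked for directly. The following Python is an added example, not part of any post in this thread and not the McAfee or Kixtart scripts it mentions; the sample file, the `*.example` names and the `watched` parameter are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file (not from the machine in this thread).
# *.example names stand in for real security-vendor and banking sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
127.0.0.1       update.av-vendor.example liveupdate.av-vendor.example
0.0.0.0         download.av-vendor.example   # trailing comment
203.0.113.10    www.bank.example
192.168.1.20    fileserver
not-an-ip       junk.example
"""

# Names a stock hosts file legitimately maps to loopback.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, names) per mapping line; skip comments, blanks, junk."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        yield line_no, ip, [name.lower().rstrip(".") for name in fields[1:]]


def audit_hosts(text, watched=()):
    """Return findings as (line_no, name, ip, kind).

    kind "blocked": a name other than localhost pinned to loopback/0.0.0.0,
        which makes the site unreachable (how security sites were cut off).
    kind "redirected": a name under one of the `watched` domains pinned to any
        other address, i.e. the browser is sent to a host chosen by the file.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if sinkhole:
                if name not in BENIGN_LOOPBACK:
                    findings.append((line_no, name, str(ip), "blocked"))
            elif any(name == d or name.endswith("." + d) for d in watched):
                findings.append((line_no, name, str(ip), "redirected"))
    return findings


if __name__ == "__main__":
    # On the affected PC, read the real file instead of the sample, e.g.
    # open(r"C:\Windows\System32\Drivers\etc\hosts", errors="replace").read()
    for finding in audit_hosts(SAMPLE_HOSTS, watched=("bank.example",)):
        print("line %d: %s -> %s (%s)" % finding)
```

A "blocked" hit is not proof of infection: blocklist-style hosts files add loopback entries on purpose, so review each name before editing the file.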
Anonymous
June 4, 2005 8:49:02 AM

Dear David:
My apologies for the confusion I created with respect to Lien Van de
Kelderrr in Startup Facility.
I will try to be more specific and explicit.
When I open msconfig and click OK the System Configuration Utility will
appear. Then clicking the Startup tab a number of Startup Items are displayed
including information with respect to Command and Location. The one item
which concerns me is in relation to Lien Van de Kelderrr.
The item appears as follows:

Startup Item: Lien Van de Kelderrr
Command: \Lien Van de Kelder...
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There is a check box in front of Lien Van de Kelderrr (referring to the
Startup Item). I have unchecked this box (referring to Lien Van de Kelderrr).
Although the Worm/Virus files had been removed according to the AntiVir and
Mcafee Scan Reports, I thought it would be prudent to uncheck the box.
Therefore the Startup (referring to the System Configuration Utility) is a
Selective Startup and not a (preferred) Normal Startup; refer (click) to the
General Tab of System Configuration Utility window.
My assumption that a Normal Startup is preferred is based on the fact that
every time I switch on my computer a note pops up suggesting to enable all
Startup Items in the System Configuration Utility in order to revert to Normal
Startup.
Before I revert to the Normal Startup I would like to remove/delete the Lien
Van de Kelder item from the Startup in the System Configuration Utility.
Would you please kindly advise what steps to take to do so.

As per your suggestion I have run MSCONFIG.EXE and opened the folder in
C:\Windows\Prefetch, I don't understand any of the files contained in this
folder. I tried to open by double clicking the files but Windows can not open
and request using a website. I accessed the website (Microsoft Windows File
Associations) to find an appropriate program. I gave up because this goes
beyond my knowledge base.

I only hope you can come up with a relatively simple solution for removing
Lien Van de Kelderrr from the Startup in the System Configuration Utility
(this guy is giving me nightmares).

Again, my sincerest thanks in advance for your kind support and patience.

Anonymous
June 4, 2005 11:58:54 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Kayman" <Kayman@discussions.microsoft.com>

| Dear David:
| My apologies for the confusion I created with respect to Lien Van de
| Kelderrr in Startup Facility.
| I try to be more specifc and explicit.
| When I open msconfig and click OK the System Configuration Utility will
| appear. Then clicking the Startup tab a number of Startup Items are displayed
| including information with respect to Command and Location. The one item
| which concerns me is in relation to Lien Van de Kelderrr.
| The item appears as follows:
|
| Startup Item Command Location
| Lien Van de Kelderrr \Lien Van de Kelder...
| SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| There is a check box in front of Lien Van de Kelderrr (referring to the
| Startup Item). I have unchecked this box (referring to Lien Van de Kelderrr).
| Although the Worm/Virus files had been removed according to the AntiVir and
| Mcafee Scan Reports, I thought it would be prudent to uncheck the box.
| Therefore the Startup (referring to the System Configuration Utility) is a
| Selective Startup and not a (preferred) Normal Startup; refer (click) to the
| General Tab of System Configuration Utility window.
| My assumption that a Normal Startup is preferred is based on the fact that
| every time I switch on my computer a note pops up suggesting to enable all
| Startup Items in the System Configuration Utility in order to revert to Normal
| Startup.
| Before I revert to the Normal Startup I would like to remove/delete the Lien
| Van de Kelder item from the Startup in the System Configuration Utility.
| Would you please kindly advise what steps to take to do so.
|
| As per your suggestion I have run MSCONFIG.EXE and opened the folder in
| C:\Windows\Preftech, I don't understand any of the files contained in this
| folder. I tried to open by double clicking the files but Windows can not open
| and request using a website. I accessed the website (Microsoft Windows File
| Associations) to find an appropriate program. I gave up because this goes
| beyond my knowledge base.
|
| I only hope you can come up with a relatively simple solution for removing
| Lien Van de Kelderrr from the Startup in the System Configuration Utility
| (this guy is giving me nightmares).
|
| Again, my sincerest thanks in advance for your kind support and patience.

No problem Kayman !

Run Regedit

go to; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the key; Lien Van de Kelderrr

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
June 4, 2005 11:58:55 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23ZIpJzPaFHA.3840@tk2msftngp13.phx.gbl...
> From: "Kayman" <Kayman@discussions.microsoft.com>
>
> | Again, my sincerest thanks in advance for your kind support and patience.
>
> No problem Kayman !
>
> Run Regedit
>
> go to; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Delete the key; Lien Van de Kelderrr
>

Not familiar with this one, but just want to mention that I have run
into a couple of these where you had to right click the key and
change the permissions before you were able to delete the key
(just another thoughtful touch by the trojan/virus writers).

mikey
Anonymous
June 5, 2005 2:43:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dear David:
I am very happy to report that the following value was successfully deleted
from the Registry Editor:
Name: http://www.lienv...
Type: REG_SZ
Data: Lien Van de Kelderrr.exe

I am glad the Parasite is gone, couldn't have done it with your assistance!!

For your information:
I conducted a search for Lien Van de Kelderrr and found in C:\Document and
Settings\All Users, a 4KB file named Lien Van de KelderrrABOO which I deleted
as well.

I also conducted a scan with Ad-Aware (freeware) which wanted to scan a
file containing the Mytob virus. The scan stopped and the AntiVir (Luke
Filewalker) message screen popped up requesting me to prompt "Deny Access",
which I did. Consequently a second message screen from AntiVir popped
up requesting me to Delete this file, which I did as well. I am glad that I
have installed AntiVir!!! The Ad-Aware scan continued without any hiccups.

All consequent scans with Norton Antivirus, M/S AntiSpyware, Spybot Search &
Destroy, AntiVir, Spyware Doctor and mcafee did not indicate any major
problems.

Re: Registry Mechanic (freeware).
I conducted a scan with this utility which found 2 high priority items to be
deleted. The items are as follows:
Item #1,
C:\mcafee\sdat4505.exe
Location: HKEY_CURRENT_USER\Software\Microsoft\WindowsShellNoRoam\MUICache

Item #2,
Files\Content.IE5\RV53EXCW\clean[1].exe

Should I delete these 2 items? I am worried about ruining the mcafee scanning tool
as it took me a long time to get the files into my computer. Also the M/S
AntiSpyware is scanning the Registry Keys as well and there seems to be no
issue with these 2 items as reported by the Registry Mechanic.

And finally, do you consider it worthwhile/essential for having a Registry
Mechanic scanning application?

With best regards................................Karl.

"David H. Lipman" wrote:

> From: "Kayman" <Kayman@discussions.microsoft.com>
>
> | Dear David:
> | My apologies for the confusion I created with respect to Lien Van de
> | Kelderrr in Startup Facility.
> | I try to be more specific and explicit.
> | When I open msconfig and click OK the System Configuration Utility will
> | appear. Then clicking the Startup tab a number of Startup Items are displayed
> | including information with respect to Command and Location. The one item
> | which concerns me is in relation to Lien Van de Kelderrr.
> | The item appears as follows:
> |
> | Startup Item: Lien Van de Kelderrr
> | Command: \Lien Van de Kelder...
> | Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> |
> | There is a check box in front of Lien Van de Kelderrr (referring to the
> | Startup Item). I have unchecked this box (referring to Lien Van de Kelderrr).
> | Although the Worm/Virus files had been removed according to the AntiVir and
> | Mcafee Scan Reports, I thought it would be prudent to uncheck the box.
> | Therefore the Startup (referring to the System Configuration Utility) is a
> | Selective Startup and not a (preferred) Normal Startup; refer (click) to the
> | General Tab of System Configuration Utility window.
> | My assumption that a Normal Startup is preferred is based on the fact that
> | every time I switch on my computer a note pops up suggesting to enable all
> | Startup Items in the System Configuration Utility in order to revert to Normal
> | Startup.
> | Before I revert to the Normal Startup I would like to remove/delete the Lien
> | Van de Kelder item from the Startup in the System Configuration Utility.
> | Would you please kindly advise what steps to take to do so.
> |
> | As per your suggestion I have run MSCONFIG.EXE and opened the folder in
> | C:\Windows\Preftech, I don't understand any of the files contained in this
> | folder. I tried to open by double clicking the files but Windows can not open
> | and request using a website. I accessed the website (Microsoft Windows File
> | Associations) to find an appropriate program. I gave up because this goes
> | beyond my knowledge base.
> |
> | I only hope you can come up with a relatively simple solution for removing
> | Lien Van de Kelderrr from the Startup in the System Configuration Utility
> | (this guy is giving me nightmares).
> |
> | Again, my sincerest thanks in advance for your kind support and patience.
>
> No problem Kayman !
>
> Run Regedit
>
> go to; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Delete the key; Lien Van de Kelderrr
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
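The value Karl reports deleting had a URL-like name and a bare executable name as its data. As an added example (not part of the original thread), the Python below parses a text export of the Run key and flags entries of that shape for manual review; the sample export, its value names and data, and the three heuristics are constructed assumptions.

```python
import re

# Constructed sample in regedit's .reg text format; names and data are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"http://www.example.invalid/"="placeholder name.exe"
"Updater"="C:\\DOCUME~1\\ALLUSE~1\\updater.exe"
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # .reg strings backslash-escape backslash and double quote
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(text):
    """Return {value_name: command} for the string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def executable_of(command):
    """Extract the program part of a Run command line, quoted or not."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command)
    return m.group(1) if m else command.split(' ', 1)[0]

def review(values):
    """Return {value_name: [reasons]} for entries that deserve a manual look."""
    findings = {}
    for name, command in values.items():
        exe, reasons = executable_of(command), []
        if re.match(r'(?i)(https?://|www\.)', name):
            reasons.append("value name looks like a URL")
        if '\\' not in exe and '/' not in exe:
            reasons.append("program has no directory path")
        if re.search(r'(?i)\\(docume~1|documents and settings|temp)\\', exe):
            reasons.append("program runs from a profile or temp directory")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(review(parse_run_values(SAMPLE_EXPORT)))
```

Regedit writes version 5.00 exports as UTF-16, so a real export file should be read with `encoding="utf-16"` before being passed to `parse_run_values`.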
Anonymous
June 5, 2005 2:51:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dear Mike:
Many thanks for your input. I was able to delete the key successfully
without right clicking. It's probably a different version. But your advice is
greatly appreciated and will keep it on file together with David's
recommendations.
Best Regards..............Karl.

"Mike Fields" wrote:

>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:%23ZIpJzPaFHA.3840@tk2msftngp13.phx.gbl...
> > From: "Kayman" <Kayman@discussions.microsoft.com>
> >
> > | Again, my sincerest thanks in advance for your kind support and patience.
> >
> > No problem Kayman !
> >
> > Run Regedit
> >
> > go to; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> >
> > Delete the key; Lien Van de Kelderrr
> >
>
> Not familiar with this one, but just want to mention that I have run
> into a couple of these where you had to right click the key and
> change the permissions before you were able to delete the key
> (just another thoughtful touch by the trojan/virus writers).
>
> mikey
>
>
>