VX2 virus

Archived from groups: microsoft.public.win2000.security

Hi

I have been sorting out my brother's laptop (running Win2000 Professional,
SP4) which seems to have been infected with VX2 (nasty as that installs itself
as a critical service - gets loaded in safe mode).

He has McAfee but I think the various malware executables nobbled this on
installation. It seems to be missing parts.

I have run latest Stinger, Ad-Aware (found 127 items) and also HiJackThis
(as Ad-Aware in Safe Mode did not get rid of everything).

I think it is clean. Nothing strange appears in HiJackThis. All crud deleted
off laptop.
(But I will know for sure once I reinstall McAfee.)

But I have 2 problems.

1. If I boot as my brother in Safe Mode I cannot run RegEdit from Start ->
Run...
I get "This operation has been cancelled due to restrictions in effect on
this computer. Please contact your system administrator".
I find this odd as he has administrator rights. So why is this happening?
If I log in as "Administrator", there is no problem running RegEdit.

2. If I fire up Control Panel, click on Add/Remove Programs, I just see no
entries except a string across the top saying

"Change or Remove ProgramsAdd New ProgramsAdd/Remove Windows ComponentsSet
Program Access and Defaults"

Note the lack of spaces or anything between column headers.

Yet in RegEdit, I can see many entries under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
They are all there.

Now I have read about
(i) Keyname longer than 63 chars
(ii) DisplayName longer than 63 chars

I don't think I have either for entries (some don't have a DisplayName, just
QuietDisplayName).
I will check again if anyone thinks that is worthwhile.

- should I reinstall Control Panel applet from win2000 CD? If so - how do I
do that?
- what else should I do?

3. Are there any tools that come with Win2000 I should be running to repair
the PC?
I don't think my brother has backed up any parts of the registry for a long
time.

Cheers

Stephen Howe
  1. Archived from groups: microsoft.public.win2000.security

    If he had one malware he probably had more and the best solution would be to
    reinstall the operating system to a newly formatted system partition after
    backing up his needed data and configuration settings. If any files were
    encrypted with EFS, they must be decrypted before reinstalling the operating
    system.

    Having said that, if for some reason you want to avoid that option I would be
    sure to first do a full malware scan on the computer with the latest virus
    definitions. Trend Micro also has a free program called Sysclean that is
    worth a try. Kinda like Stinger but checks for much, much more malware. The
    links below are to Sysclean and the pattern file for it.

    http://www.trendmicro.com/download/dcs.asp -- be sure to read the read me
    http://www.trendmicro.com/download/pattern.asp

    Verify that his user account is still in the local administrators group. If
    problems still persist see the link below on using the secedit command to
    reset security settings to default defined levels as user rights and
    file/registry permissions may have been modified.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 --- works
    for Windows 2000 also.

    Another thing to try is to use System File Checker, as in sfc /scannow, to see
    if critical system files are present. You usually need the install disk to
    run System File Checker.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;310747 -- same for
    Windows 2000.

    A last-resort alternative to a clean install is an in-place upgrade install, as
    shown in the link below. If you do that you will need the install disk and
    the product key, and when done you will need to first install the service
    pack and then all critical updates.

    http://support.microsoft.com/kb/292175/

    Make sure that measures are taken to prevent recurrence, which at minimum
    would include using a strong password for user accounts, using an antivirus
    program that is kept current with virus definitions and scans ALL email,
    keeping current with critical security updates at Windows Update, and using
    a firewall. There are quality firewalls that are free for personal use such
    as Zone Alarm and Sygate. --- Steve

    http://www.microsoft.com/athome/security/protect/default.mspx -- Protect
    your PC tips.


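An added example, mine rather than code from the thread or from any of the tools named in it: on a box where regedit is already being refused for one account, it is worth exporting the two registry areas in question with `regedit /e` (which Windows 2000 supports) and reading the exports offline instead of trusting the live machine's tools. The script below parses a regedit export, reports a DisableRegistryTools policy value (the per-user setting behind the "restrictions in effect" message, which is why the Administrator account is unaffected while the brother's account is locked out), and checks every direct subkey of the Uninstall key for the over-63-character key name or DisplayName the post asks about. The embedded sample exports are constructed for the demonstration; the script name and the export file names are assumptions.

```python
"""Offline triage of regedit exports for the two symptoms in the post.

On the affected machine (Windows 2000 regedit supports /e to export a key):
    regedit /e hkcu-policies.reg "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
    regedit /e uninstall.reg "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
then anywhere:  python reg_triage.py hkcu-policies.reg uninstall.reg
With no arguments the constructed samples below are analysed instead.
"""
import re
import sys

# Limit quoted in the original post for Uninstall key names and DisplayName values.
NAME_LIMIT = 63

# Constructed sample exports (assumed content, not taken from any real machine).
SAMPLE_HKCU = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

SAMPLE_UNINSTALL = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example Editor]
"DisplayName"="Example Editor 1.0"
"UninstallString"="C:\\Program Files\\Example\\unwise.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuietOnly]
"QuietDisplayName"="Quiet Only Tool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0123456789-ABCDEF-0123456789-ABCDEF-0123456789-ABCDEF-0123456789}]
"DisplayName"="Long key name test"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LongName]
"DisplayName"="Constructed display name padded out past sixty-three characters for the test"
"""


def decode_export(data):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def decode_value(raw):
    """Decode the right-hand side of a name=value line (REG_SZ and REG_DWORD only)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left undecoded


def parse_reg(text):
    """Parse an export into {key path: {value name: value}}; hex continuation
    lines (trailing backslash) are joined before parsing."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.lower().startswith(("windows registry editor", "regedit4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = decode_value(raw)
    return keys


def regedit_restrictions(keys):
    """Return {key\\DisableRegistryTools: data} for every set policy. regedit reads
    this from the current user's Policies\\System key, so one account can be
    refused while Administrator is not, exactly as the post describes."""
    found = {}
    for key, values in keys.items():
        if key.lower().endswith("\\policies\\system") and values.get("DisableRegistryTools"):
            found[key + "\\DisableRegistryTools"] = values["DisableRegistryTools"]
    return found


def uninstall_problems(keys, limit=NAME_LIMIT):
    """Flag direct subkeys of ...\\Uninstall whose key name or DisplayName exceeds
    `limit` characters: the two conditions the post asks about."""
    problems = []
    for key, values in keys.items():
        parent, _, subkey = key.rpartition("\\")
        if not parent.lower().endswith("\\currentversion\\uninstall"):
            continue
        if len(subkey) > limit:
            problems.append((subkey, "key name is %d chars" % len(subkey)))
        display = values.get("DisplayName")
        if isinstance(display, str) and len(display) > limit:
            problems.append((subkey, "DisplayName is %d chars" % len(display)))
    return problems


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            policies = parse_reg(decode_export(f.read()))
        with open(argv[2], "rb") as f:
            uninstall = parse_reg(decode_export(f.read()))
    else:
        policies, uninstall = parse_reg(SAMPLE_HKCU), parse_reg(SAMPLE_UNINSTALL)
    for path, data in regedit_restrictions(policies).items():
        print("regedit blocked by policy: %s = %s" % (path, data))
    for subkey, why in uninstall_problems(uninstall):
        print("Add/Remove Programs entry '%s': %s" % (subkey, why))


if __name__ == "__main__":
    main(sys.argv)
```

Because the Administrator account can still run the registry tools on this machine, a found DisableRegistryTools value can be deleted from that session: the locked-out account's hive appears under HKEY_USERS while that account is logged on, or its NTUSER.DAT can be opened with regedt32's Registry > Load Hive. Two caveats of my own, not from the thread: the 63-character conditions are only one cause of an empty Add/Remove Programs list, and column headers run together with nothing beneath them is also what the applet looks like when the MSHTML/script rendering it depends on fails (for example after jscript.dll, vbscript.dll or mshtml.dll have been unregistered), so re-registering those with regsvr32 is a cheaper check than reinstalling the applet from the CD.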
  2. Archived from groups: microsoft.public.win2000.security

    http://www.cexx.org/vx2.htm
    http://www.iamnotageek.com/a/391-p1.php
    http://www.doxdesk.com/parasite/Transponder.html

    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!
