
VX2 virus

Anonymous
April 24, 2005 4:58:31 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

I have been sorting out my brother's laptop (running Win2000 Professional,
SP4) which seems to have been infected with VX2 (nasty as that installs itself
as a critical service - gets loaded in safe mode).

He has Mcafees but I think the various malware executables nobbled this on
installation. It seems to be missing parts.

I have run latest Stinger, Ad-Aware (found 127 items) and also HiJackThis
(as Ad-Aware in Safe Mode did not get rid of everything).

I think it is clean. Nothing strange appears in HiJackThis. All crud deleted
off laptop.
(But I will know for sure once I reinstall McAfees).

But I have 2 problems.

1. If I boot as my brother in Safe Mode I cannot run RegEdit from Start ->
Run...
I get "This operation has been cancelled due to restrictions in effect on
this computer. Please contact your system administrator".
I find this odd as he has administrator rights. So why is this happening?
If I log in as "Administrator", there is no problem running RegEdit.

2. If I fire up Control Panel, click on Add/Remove Programs, I just see no
entries except a string across the top saying

"Change or Remove ProgramsAdd New ProgramsAdd/Remove Windows ComponentsSet
Program Access and Defaults"

Note the lack of spaces or anything between column headers.

Yet in RegEdit, I can see many entries under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
They are all there.

Now I have read about
(i) Keyname longer than 63 chars
(ii) DisplayName longer than 63 chars

I don't think I have either for entries (some don't have a DisplayName just
QuietDisplayName).
I will check again if anyone thinks that is worthwhile.

- should I reinstall Control Panel applet from win2000 CD? If so - how do I
do that?
- what else should I do?

3. Are there any tools that come with Win2000 I should be running to repair
the PC?
I don't think my brother has backed up any parts of the registry for a long
time.

Cheers

Stephen Howe
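
A check for the two conditions listed in the post (key name or DisplayName longer than 63 characters), plus entries with no DisplayName, run over a regedit text export of the Uninstall key. This is an added example, not part of the original thread; the 63-character threshold is taken from the post as stated, and `parse_export`, `audit` and the sample data are hypothetical names and constructed values.

```python
import re

LIMIT = 63  # length threshold quoted in the post, taken as given
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
KEY_RE = re.compile(r"^\[(.+)\]$")
# Only quoted string (REG_SZ) values are read; dword/hex values are skipped.
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_export(text):
    """Map each subkey name directly under ROOT to its string values."""
    entries, current = {}, None
    prefix = ROOT + "\\"
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only direct children of Uninstall are program entries.
            if path.upper().startswith(prefix.upper()) and "\\" not in path[len(prefix):]:
                current = entries.setdefault(path[len(prefix):], {})
            else:
                current = None
            continue
        val = STR_RE.match(line)
        if val and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in val.groups())
            current[name] = data
    return entries

def audit(entries, limit=LIMIT):
    """Return (subkey, finding) pairs for the conditions raised in the post."""
    findings = []
    for subkey, values in sorted(entries.items()):
        if len(subkey) > limit:
            findings.append((subkey, "key name longer than %d chars" % limit))
        display = values.get("DisplayName")
        if display is None:
            extra = " (QuietDisplayName only)" if "QuietDisplayName" in values else ""
            findings.append((subkey, "no DisplayName" + extra))
        elif len(display) > limit:
            findings.append((subkey, "DisplayName longer than %d chars" % limit))
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = "\n".join([
    "REGEDIT4", "",
    "[%s\\ExampleApp]" % ROOT, '"DisplayName"="Example App 1.0"', "",
    "[%s\\%s]" % (ROOT, "K" * 70), '"DisplayName"="Long key"', "",
    "[%s\\QuietOnly]" % ROOT, '"QuietDisplayName"="Hidden helper"', "",
    "[%s\\LongName]" % ROOT, '"DisplayName"="%s"' % ("N" * 64), "",
])
```

To run it on a real export, pass the file's text to `parse_export`; Windows 2000 regedit saves exports as Unicode by default, so read the file with `encoding="utf-16"`.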


Anonymous
April 24, 2005 5:19:58 AM


If he had one malware he probably had more and the best solution would be to
reinstall the operating system to a newly formatted system partition after
backing up his needed data and configuration settings. If any files were
encrypted with EFS, they must be decrypted before reinstalling the operating
system.

Having said that if for some reason you want to avoid that option I would be
sure to first do a full malware scan on the computer with the latest virus
definitions. Trend Micro also has a free program called Sysclean that is
worth a try. Kinda like Stinger but checks for much much more malware. The
links below are to Sysclean and the pattern file for it.

http://www.trendmicro.com/download/dcs.asp -- be sure to read the read me
http://www.trendmicro.com/download/pattern.asp

Verify that his user account is still in the local administrators group. If
problems still persist see the link below on using the secedit command to
reset security settings to default defined levels as user rights and
file/registry permissions may have been modified.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 --- works
for Windows 2000 also.

Another thing to try is to use System File Checker as in sfc /scannow to see
if critical system files are present. You usually need the install disk to
run System File Checker.

http://support.microsoft.com/default.aspx?scid=kb;en-us;310747 -- same for
Windows 2000.

A last resort option to clean install is an in place upgrade install as
shown in the link below. If you do such you will need the install disk and
the product key and when done you will need to first install the service
pack and then all critical updates.

http://support.microsoft.com/kb/292175/

Make sure that measures are taken to prevent reoccurrence which at minimum
would include using a strong password for user accounts, using an antivirus
program that is kept current with virus definitions and scans ALL email,
keeping current with critical security updates at Windows Updates, and using
a firewall. There are quality firewalls that are free for personal use such
as Zone Alarm and Sygate. --- Steve

http://www.microsoft.com/athome/security/protect/defaul... -- Protect
your PC tips.


Anonymous
April 24, 2005 5:29:34 AM


http://www.cexx.org/vx2.htm
http://www.iamnotageek.com/a/391-p1.php
http://www.doxdesk.com/parasite/Transponder.html

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
