Computer Security & Viruses/DownloadTrojan, DownloaderTrojan & Trojan.ByteVerify

Question
Many thanks, Lorry, for the rapid response.

I realised when I read your response that I had omitted one "important" fact, and had perhaps inadvertently misled you in another.

Firstly, I forgot to include that, since being infected with the three trojans, the dialler attempts to contact my ISP whenever I start Windows (except in "safe mode").  This has continued even after Norton AntiVirus quarantined the files it had identified as being infected.  To me this suggests that there is at least one "altered" file still lurking somewhere.

Secondly, because Norton SpeedDisk was experiencing problems I uninstalled what remained of Norton SystemWorks after I had installed NAV2005 - I had already uninstalled NAV2000 as per the instructions for installing NAV2005.  I have not yet upgraded to Systemworks2005, but prefer to sort out the computer as it presently stands before making that decision.

After uninstalling Systemworks2000 I tried the windows defragmenter but again with no luck.  I, therefore, tried Scandisk but within a minute or so received the message that "Windows or another programme has been writing to this drive...".  Consequently, I ran both Scandisk and Defragmenter after starting in "safe mode" and both ran satisfactorily to completion.

On receipt of your reply I carried out your advice.  The Free Online Virus and Security Check found no viruses as was the case when I repeated it using a similar service from Panda.com.  However, Adaware SE Personal Edition (I have been using an earlier version) found on its two runs (as advised by you) 1 malware (attempting to hijack the browser) and lots of "miners".  All were quarantined.

However, Windows Defragmenter and "Scandisk" still will not work except in Safe Mode as something is continuously writing to the hard disk and something is still trying to phone-up my ISP on Windows start-up - it's not a programme in the Start Up folder as I have removed all these.

Could you advise as to what may be happening still.

Many thanks,

Tony
-------------------------
Followup To
Question -
I run Windows98, 2nd Edition and have Norton SystemWorks 2000, which include Norton Antivirus 2000 and Norton Utilities 2000.  My computer became infected with DownloadTrojan, DownLoaderTrojan and Trojan.ByteVerifier, identified when I ran a regular virus scan.  The infected files were quarantined. When I attempted to update my virus definitions (last updated in June 2005) I was unable to do so as NAV2000 was no longer supported by Symantec.  I was able to do so after upgrading to NAV2005. No viruses were identified during the installation nor in a full scan with the most up-to-date virus definitions.  However, I now find that Windows defragmenter doesn't work, nor does the Norton Utility Defragmenter - SpeedDisk.  The former appears to load but never does anything thereafter.  This occurs even after Norton Utilities has been removed and NAV2005 switched off.  Re-installing Windows98 has not solved the problem.  SpeedDisk never manages to get through the initial scan of the disc to assess degree of defragmentation, continually restarting after between 11% & 85% of the disc has been scanned.  If the initial scan is bypassed, the programme never gets beyond "Optimizing folders" which manages to get to 100%, only to restart immediately.  Interestingly, my floppy disc drive has also become inoperative although it is enabled according to "System Properties" in Control Panel.
Are all these problems "virus-related" or, if not, what may they be due to?
Your advice would be greatly welcomed.

Tony Lee
Answer -
Hi Tony,

Is Norton SystemWorks 2000 totally removed from the computer? Follow the steps given at:

http://service1.symantec.com/SUPPORT/sunset-c2002kb.nsf/9b60813077fffd2385256ee6

I'm assuming that you installed Norton SystemWorks 2005, correct? When running Speed Disk, just like when you defrag, do not have any other programs running, including the screen saver.

To verify that the viruses you mentioned are off the computer, you might want to go to: http://sarc.com/  Scroll down and click on "Free Online Virus and Security Check" and run the virus check. Write down exactly anything it finds, then return to: http://sarc.com/  and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually.

I would suggest scanning for spyware. Download Ad-Aware® SE Personal Edition, a free program that you can download at:

http://www.lavasoftusa.com/support/download/

Check for updates before running program. Then follow the directions here to do a full scan:

1. In the 'General' window make sure the following are selected with a checkmark and are green:

· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the 'Scanning' button on the left and select :

· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL's
· Scan my Hosts file
· Under 'Click here to select drives + folders', choose: All of your hard drives.

3. Click on the 'Advanced' button on the left and select:

· Include additional file information
· Include additional object details
· Include environment information

4. Click the 'Tweak' button and select:

Under the 'Scanning Engine' be sure a checkmark is beside:

· Unload recognized processes & modules during scanning
· Scan registry for all users instead of current user only
· Obtain command line of scanned processes

Under the 'Cleaning Engine' be sure a checkmark is beside:

· Automatically try to unregister objects prior to deletion
· Let Windows remove files in use at next reboot
· Always try to unload modules before deletion
· During removal, unload explorer and IE if necessary
· Delete quarantined objects after restoring

5. Click on 'Safety Settings' and select "Write-protect system files after repair (Hosts file, etc)"

6. Click on 'Proceed' to save the settings.

7. Click 'Start' and on the next screen choose 'Activate in-depth Scan' at the bottom of the page and then choose:

· Perform full system scan

8. Close all programs except Ad-Aware.

Click on "Next" in the bottom right corner to start the scan.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted.

After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

When you first open Ad-aware, click "Check for updates now", click Connect, if there are any updates available - get them, when done click Next or Finish.

Now click Start, Next and let it run.

When it is done scanning, you will see the Scanning results window, check all of the boxes, then click Next.

The next window will say "X" number of objects will be removed - click OK.

Anything that is removed is quarantined, making the computer safe.

Hope this helps!
Lorry  

Answer
Hi Tony,

Many people who use Ad-aware SE also use Spybot Search & Destroy, the following site explains how to install including Tea Timer:

http://www.bleepingcomputer.com/forums/tutorial43.html

When you say that Defrag and ScanDisk don't work in regular mode, is it because they keep restarting? If yes, make sure you disable the screen saver first.

Go to Start, Run, type in MSCONFIG, under the Startup tab, the programs that are checked are starting with the computer. To verify if they are really needed, go to one of the following sites:

http://www.pacs-portal.co.uk/startup_content.php

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Hope this helps!
Lorry
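
An added example, not part of the original answers: on Windows 98, programs that start with Windows without appearing in the Start Up folder are launched from the registry Run-type keys and from the `load=`/`run=` lines of win.ini. The sketch below parses a REGEDIT4 export and a win.ini fragment and lists every autostart entry whose program name has not yet been checked against a startup reference list; the sample data, `example_dialer.exe` and the `reviewed` set are constructed for illustration.

```python
import re
# Constructed sample data: a REGEDIT4 export and a win.ini fragment (Windows 98 style).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"example_dialer"="C:\\WINDOWS\\TEMP\\example_dialer.exe -s"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\TEMP\\example_dialer.exe\n"

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
VALUE = re.compile(r'^"(.*?)"="(.*)"$')
PROGRAM = re.compile(r'[^\\/:"]+\.(?:exe|com|bat|pif|scr)', re.I)

def reg_autostarts(reg_text):
    """Yield (source, name, command) for each value under a Run-type registry key."""
    key = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = m.group(1) if (m := RUN_KEY.search(line[1:-1])) else None
        elif key and (m := VALUE.match(line)):
            # .reg exports escape backslashes; undo that for readability
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def win_ini_autostarts(ini_text):
    """Yield (source, name, command) for non-empty load= / run= lines in [windows]."""
    section = None
    for line in map(str.strip, ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            name, command = (part.strip() for part in line.split("=", 1))
            if name.lower() in ("load", "run") and command:
                yield "win.ini", name.lower(), command

def unreviewed(entries, reviewed):
    """Return (source, name, program) for entries whose program is not in `reviewed`."""
    flagged = []
    for source, name, command in entries:
        m = PROGRAM.search(command)
        program = (m.group(0) if m else command).lower()
        if program not in reviewed:
            flagged.append((source, name, program))
    return flagged

if __name__ == "__main__":
    print(unreviewed([*reg_autostarts(SAMPLE_REG), *win_ini_autostarts(SAMPLE_WIN_INI)], {"scanregw.exe", "systray.exe"}))
```

The `reviewed` set is meant to hold only program names already looked up and confirmed as needed; anything the function returns is a candidate to check next.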


Lorry

Expertise

I can answer most questions regarding viruses/Trojans and help to remove them.

Experience

This happens to be of interest to me as it boggles my mind that people have nothing better to do than to write a virus. Wish these people, the ones who write viruses would put the knowledge to good use instead. My job as a local tech involves removing viruses and/or spyware.

©2012 About.com, a part of The New York Times Company. All rights reserved.