virus


newme2
02-15-2002, 04:23 PM
Hi all,
I'm having a problem with viruses. I used HouseCall and it found these viruses: troj.icq revenge, bkdr sub7.22a, vbs.loveletter. Please help; I tried to get rid of them but I'm stuck. I ran eTrust antivirus and it doesn't detect them. Thanks to all.

Cricket
02-15-2002, 05:01 PM
Hi newme2,

Some trojans aren't picked up by antivirus software; you'll need a trojan scanner like TAUSCAN or ANTS.

Tauscan (http://www.agnitum.com/products/tauscan/)

ANTS (http://www.webattack.com/get/ants.shtml)

For the actual viruses, try visiting the Symantec website as they have all sorts of tools for download to help you remove the viruses from your system.

Symantec Security Response (http://securityresponse.symantec.com/)

:) Cricket

DrZaius
02-15-2002, 05:02 PM
Also check out The Cleaner (http://www.moosoft.com/).

newme2
02-15-2002, 05:19 PM
Thanks for the replies.
I tried all of the above tools and they didn't detect any trojans. Could HouseCall make a mistake, or can these trojans hide from these tools?
Thanks again.

newme
02-16-2002, 12:37 AM
Where are you, Cricket? I could use your help, or that of someone who has dealt with these viruses. It's not my computer, it's my sister's, and she wants me to try and fix it. Any help would be appreciated.

Cricket
02-16-2002, 02:11 AM
Hi newme,

Sorry, but I've never had first-hand experience with any really nasty viruses or trojans. Just been lucky I guess.

Anyway, what kind of problems is your sister experiencing with her system?

Have you tried using the Windows Find feature to see if those files are actually on that PC? I've never tried House Call and don't know how it works.

I'm pretty sure those virus and trojan tools do work, as they've been able to find trojans on the PCs of people I know.

I don't know which member has the most experience with trojans and viruses but hopefully someone will come by and offer some insight into this.

:) Cricket

glc
02-16-2002, 03:10 AM
Are you sure Housecall didn't clean them out?

newme
02-16-2002, 02:41 PM
Hi glc,
I tried to clean it with HouseCall and it said the files couldn't be removed because they were being used by the computer. I tried to delete them but it just wouldn't allow it. I don't know how these things work; it doesn't seem to affect her computer. Any ideas what to do next? Thanks again for your responses.

Statica
02-16-2002, 03:18 PM
What are the EXACT virii that you've got?
Generally speaking, you can drop down to DOS mode and delete the files, PROVIDED YOU KNOW EXACTLY WHAT IS BEING DELETED AND HOW TO REPLACE SYSTEM FILES FROM THE OPERATING SYSTEM CD.

That sounds like a heck of a lot of trojans, which generally shows poor decision making with regard to unknown files, choice of email programs, etc. It would be a good idea to have an updated antivirus program running all the time. A lot of trojans like sub7 variants are uncleanable by any antivirus; they usually require registry edits, file deletes and restores. Now would be a good time to back up data files :)

Addendum: for trojans, if they are being used, that means they are active, which generally shows that you have a problem.

newme
02-16-2002, 03:39 PM
Thanks Statica.
Would I be just as well to reformat? The ideas you were talking about, I don't really think I can do. I've never done a reformat, but from the forums I've read there seems to be a lot of help here to get me through it.
Thanks.

Statica
02-16-2002, 04:11 PM
If you have a means to backup your documents (data files), have all the driver disks and download the programs that you need effectively, then a reformat would be ideal. Try to make sure that none of your backed up files are infected either.

It's not impossible to get a virus-free drive back; you might be better off trying to remove the infected files, especially if you aren't adept at:
1) backing up clean files
2) reinitialization / reformatting the drive
3) reinstallation of the operating system
4) installation of all the drivers and requisite program files
5) installation of any service packs and/or fixes or enhancements that you previously downloaded
6) restoring the files you backed up
7) bringing your system back to the same level of customization that you had before.

All of that does seem overkill, if you can simply remove the virus, right?
Personally though, the moment I find that I've been infected, I try to do a reformat. Either way, you will find the help that you seek from the good folks lurking on here.

If you want to just remove your virus, post back with exact names and as much clarity as you can give us, like: what did HouseCall detect? Which files were infected? Which files did you try to delete, etc.
The clearer the sitrep, the better help you would get.

newme
02-16-2002, 10:50 PM
Hi Statica,
The viruses HouseCall found were: 3 files trojan icq revenge, 1 file bkdr sub7.22a, 3 files vbs.loveletter. This is my sister's computer. I was there yesterday, ran HouseCall and found these. I'll have to try and remember what I did; I think I right-clicked on the infected files, pressed delete, and a prompt came up which on all of them said the file could not be deleted because it was in use. I believe one had a .cab file extension. Sorry I can't be more specific, as I don't have the computer in front of me. I really appreciate all the responses. Thanks to all.

Statica
02-17-2002, 12:06 PM
For TROJ_ICQ_REV: check to see if you have a file called icqrevenge.exe. If you have it you need to delete it. Do a search for that file, then make a note of the location it exists in.

Start the computer in MSDOS prompt mode and delete the file. Do you know any DOS commands?

For the sub7 trojan, check out http://vil.mcafee.com/dispVirus.asp?virus_k=10566 for removal instructions.

Moosoft Cleaner (http://www.moosoft.com) only removes 2 variants of that trojan, and I doubt the 7.22.A can be removed by it. If the instructions on McAfee don't work, then try Moosoft.

Re: Loveletter: there are unfortunately way too many variants of it for me to give you the shortest removal route. You will have to take note of the infected files and then delete them from DOS mode as above. The registry scanner for loveletter is here: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER


newme
02-17-2002, 01:17 PM
Hi Statica,
Thanks again for your time. I'll give it a try. I don't know any DOS commands; I'll have a search and see if I can figure out what commands I need to know. It's a place for me to start. I'll keep in touch and let you know how it goes.

newme2
02-17-2002, 05:46 PM
Hi Statica,
Hope you're there. I'm at my sister's now; I ran HouseCall again and it said:
icq revenge c:\restore\archive\fs12.cab
bkdr sub7.22a c:\restore\archive\fs22.cab
vbs loveletter c:\restore\archive\fs211.cab
Where do I start? How do I find these files? Thanks again.

newme2
02-17-2002, 07:28 PM
Me again.
I just used a tool from Norton, the loveletter tool, and it said I don't have the loveletter virus, but HouseCall says I still have it. Need help, pleeease, going crazy.

Cricket
02-17-2002, 07:35 PM
Hi newme2,

Those virus or trojan files are in the WinME restore folder and are not active on that system. Depending on how long WinME takes to purge those specific dates, those archives will remain on the system until then. As far as I know, you aren't in any danger unless you restore that particular date that has the files. Just wait it out; the restore points will eventually be purged from the system.

:) Cricket

newme
02-17-2002, 08:09 PM
Hi Cricket,
Thanks for the reply. Sounds like I wasted a lot of my time for nothing. Oh well, live and learn; I still don't really understand what it all means.

Kento
02-23-2002, 04:01 AM
Have a look at this page:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263455

Also, why don't you download and run Startlog.com and then copy and paste the contents of the text file it creates to your reply here so we can see if you're really clean. You may be but you never know.
http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

newme
02-23-2002, 07:27 PM
Hi, here are the results of the text file. Thanks for your time.

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Ati2cwad.exe"
"Ati2cwxx"="Ati2cwxx.exe"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~2.DLL,NewDotNetStartup"
"McAfee Guardian"="\"C:\\PROGRAM FILES\\MCAFEE\\MCAFEE SHARED COMPONENTS\\GUARDIAN\\CMGRDIAN.EXE\" /SU"
"b3dUpdate"="C:\\WINDOWS\\BDE\\Update\\Zupdate.EXE -silent -p \"C:\\WINDOWS\\BDE\\Update\" -s setup.cab"
"Vet Alert"="C:\\WINDOWS\\System\\VetMsg9x.exe"
"VetTray"="C:\\PROGRA~1\\COMPUT~1\\ETRUST~1\\ETRUST~1\\VETTRAY.EXE"
"Outpost Firewall"="C:\\PROGRA~1\\AGNITUM\\OUTPOS~1.0\\outpost.exe /waitservice"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"
"Eraser"="C:\\PROGRAM FILES\\ERASER\\ERASER.EXE -hide"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"Outpost Firewall"="C:\\PROGRAM FILES\\AGNITUM\\OUTPOST FIREWALL 1.0\\outpost.exe /service"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=C:\WINDOWS\SYSTEM\cmmpu.exe

load=ptsnoop.exe

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\ATISched.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"
"Eraser"="C:\\PROGRAM FILES\\ERASER\\ERASER.EXE -hide"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@C:\WINDOWS\tmpcpyis.bat

-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
-=================-



[Rename]
NUL=C:\WINDOWS\SYSTEM\MSXML3.DLL
C:\WINDOWS\SYSTEM\MSXML3.DLL=C:\WINDOWS\SYSTEM\SET61E2.TMP
NUL=C:\WINDOWS\SYSTEM\MSXML3A.DLL
C:\WINDOWS\SYSTEM\MSXML3A.DLL=C:\WINDOWS\SYSTEM\SET61E3.TMP
C:\WINDOWS\SYSTEM\vbscript.dll=C:\WINDOWS\SYSTEM\vbscript.001



-=========================-
ICQ Inet Registry StartUp
-=========================-

Shows applications that start when connected to Inet


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"Launch Browser"="No"


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
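
The Startlog report above is a list of autostart locations, and the report states its own baselines: win.ini run= and load= should be empty, system.ini shell= should be Explorer.exe, and the shell\open\command values for executable types should be the stock ones. As an added example (not Startlog's code and not from anyone in this thread), a Python script that parses a report in this format and lists the entries a reviewer would want to look at: non-empty run/load lines, a non-standard shell line, altered open commands, and Run entries whose command is a bare filename resolved through the search path rather than a full path. The sample input is a constructed excerpt of the report posted above; the flagged entries are review prompts, not verdicts (Kento's reading of the full report was that the system is clean apart from New.net).

```python
"""Parse a Startlog-style startup report and list the entries a reviewer should
look at, using the baselines the report itself states.  Added example for this
thread; not Startlog's own code."""
import re

# Constructed sample: an excerpt of the Startlog report posted in the thread,
# trimmed to the sections this parser understands.
SAMPLE_REPORT = r'''
1. HKLM Run - Registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~2.DLL,NewDotNetStartup"

==========================================================================
2. HKCU Run - Registry

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"

==========================================================================
7. WIN.INI File - (c:\windows\win.ini)

run=C:\WINDOWS\SYSTEM\cmmpu.exe

load=ptsnoop.exe

==========================================================================
8. SYSTEM.INI File - (c:\windows\system.ini)

shell=Explorer.exe

-=======================-
Registry Shell Spawning
-=======================-

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
'''

REG_KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')          # [HKEY_...\Run]
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')         # "Name"="command"
INI_LINE = re.compile(r'^(run|load|shell)=(.*)$', re.I)
OPEN_CMD = re.compile(r'^@="(.*)"$')                  # default value of shell\open\command
OPEN_TYPE = re.compile(r'^\((\.\w+) file - RegPath = ')
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')             # command starts with a drive letter

# Stock Windows 9x open commands (the report prints them .reg-style, escaped).
EXPECTED_OPEN = {".exe": '"%1" %*', ".com": '"%1" %*', ".bat": '"%1" %*',
                 ".pif": '"%1" %*', ".scr": '"%1" /S'}


def unescape(value):
    # Undo .reg-style escaping: a doubled backslash and an escaped quote.
    return re.sub(r'\\(.)', r'\1', value)


def parse_startlog(text):
    """Return {'registry': {key: {name: cmd}}, 'ini': {...}, 'open_commands': {ext: cmd}}."""
    report = {"registry": {}, "ini": {}, "open_commands": {}}
    current_key = None   # registry key the following "Name"="..." lines belong to
    pending_cmd = None   # @="..." line waiting for its "(.ext file - ...)" caption
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("=", "-=", "_")):   # section separator: leave the key
            current_key = None
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            report["registry"].setdefault(current_key, {})
            continue
        m = OPEN_CMD.match(line)
        if m:
            pending_cmd = unescape(m.group(1))
            continue
        m = OPEN_TYPE.match(line)
        if m and pending_cmd is not None:
            report["open_commands"][m.group(1)] = pending_cmd
            pending_cmd = None
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            report["registry"][current_key][m.group(1)] = unescape(m.group(2))
            continue
        m = INI_LINE.match(line)
        if m:
            report["ini"][m.group(1).lower()] = m.group(2).strip()
    return report


def check_baseline(report):
    """Return (category, detail) pairs for entries worth a closer look."""
    findings = []
    for key in ("run", "load"):                       # baseline: run= and load= empty
        if report["ini"].get(key):
            findings.append(("ini", f"win.ini {key}={report['ini'][key]}"))
    shell = report["ini"].get("shell", "")            # baseline: shell=Explorer.exe
    if shell.lower() != "explorer.exe":
        findings.append(("shell", f"system.ini shell={shell}"))
    for ext, cmd in report["open_commands"].items():  # baseline: stock open commands
        if ext in EXPECTED_OPEN and cmd != EXPECTED_OPEN[ext]:
            findings.append(("open_command", f"{ext} -> {cmd}"))
    for key, values in report["registry"].items():    # bare names resolve via the search path
        for name, cmd in values.items():
            if not FULL_PATH.match(cmd):
                findings.append(("bare_name", f"{key}\\{name}={cmd}"))
    return findings


def audit(text):
    return check_baseline(parse_startlog(text))


if __name__ == "__main__":
    for category, detail in audit(SAMPLE_REPORT):
        print(f"[{category}] {detail}")
```

Run as a script it prints the four findings for the sample (the two win.ini lines and the two Run entries without a full path); for a real report, pass the file contents to audit(). The script says where to look, not what it found: a bare filename only means the reviewer should confirm which file on the search path actually runs.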

Kento
02-23-2002, 09:29 PM
Yeah, you're clean, but you've got New.net's garbageware installed. It's not doing you any good, so do yourself a favor and go into msconfig and uncheck it under the Startup tab so that it's not running at startup (Start, Run, msconfig). If you want to remove it, do so from Add/Remove in the Control Panel. If you do remove it, it's important that you immediately restart after uninstalling from Add/Remove to complete the uninstall. And if you remove it from Add/Remove and it's still present, then you would need to follow the directions here to get rid of it:
http://new.chat.new.net/viewtopic.php?topic=673&forum=8&4

It's up to you if you want to get rid of it but at least uncheck it in msconfig.

newme
02-24-2002, 12:52 AM
Thanks Kento, I'll get rid of it. I don't know anything about files or spyware, all that stuff, so I thank you for the time you've taken to answer my questions.