Archived Files

Discussion in 'Security and Privacy' started by ivypchase, 2003/10/08.

Thread Status:
Not open for further replies.
  1. 2003/10/08
    ivypchase

    ivypchase Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    3
    Likes Received:
    0
    I have just had my first experience with a virus (actually, several of them at once). I have gotten rid of all except one that seems to replicate itself in c:\windows. Its archive attribute is on each time.

    Does this file recreate itself from the archived file (is this even possible)? If so, where does the archived file live and how do I get rid of it?

    If not, I could use some suggestions.

    Here is how I dealt with the problem:

    1. I ran Norton AV and scanned my entire network. Only one computer was affected.

    2. I deleted as many virus files as I could.

    3. I checked and edited the Win.ini file, which had been commandeered and bastardized by the aforementioned malware.

    4. I did the same with the System.ini file. I also deleted the things from the regedit HKEY......\Run- file.

    5. As the kernel32.dll file was infected, I deleted it and restarted with the emergency disks from Norton AV.

    6. After a complete scan, Norton AV informed me that the machine was virus-free.

    7. I installed a clean copy of kernel32.dll (and hid it).

    8. I rebooted several times, first without processing the Win.ini or Startup.ini files. Each time I added one more process to the reboot.

    9. All seemed to be well.

    10. I ran a full-system scan again and found that one virus had resurrected itself.

    Thanks for any help,

    Tristan M. Chase
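
An added example, not part of the original posts: a small Python audit of the two INI files named in steps 3 and 4, listing every autostart setting that would relaunch a program after a cleanup. It assumes the standard Windows 9x locations (`load=`/`run=` under `[windows]` in Win.ini, `shell=` under `[boot]` in System.ini); the sample file contents and executable names are constructed, and the registry Run key is not covered.

```python
import re

# Autostart settings in the two INI files named in the post (Windows 9x):
#   win.ini    [windows] load= / run=   -> programs started at logon
#   system.ini [boot]    shell=         -> normally just "explorer.exe"
WATCHED = {
    "win.ini": {("windows", "load"), ("windows", "run")},
    "system.ini": {("boot", "shell")},
}
EXPECTED_SHELL = "explorer.exe"


def autostart_entries(filename, text):
    """Return [(section, key, value)] for non-empty autostart settings."""
    watched = WATCHED[filename.lower()]
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and value and (section, key) in watched:
            found.append((section, key, value))
    return found


def suspicious(filename, text):
    """Entries a reviewer should look at by hand."""
    hits = []
    for section, key, value in autostart_entries(filename, text):
        if key == "shell" and value.lower() == EXPECTED_SHELL:
            continue                      # default shell, nothing appended
        hits.append(f"{filename} [{section}] {key}={value}")
    return hits


# Constructed sample files; "svchosts.exe" and "msupd32.exe" are made-up names.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\msupd32.exe\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe svchosts.exe\nsystem.drv=system.drv\n"

if __name__ == "__main__":
    for name, body in (("win.ini", WIN_INI), ("system.ini", SYSTEM_INI)):
        for hit in suspicious(name, body):
            print(hit)
```

Running the same check again a few minutes after editing the files shows whether something still resident in memory is rewriting the entries.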
     
  2. 2003/10/08
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Tristan,

    Did you run the scan in safe mode? If not, try that.

    On NAV - look at the exclusion list.

    Smart mode or comprehensive scan?

    Here are on-line scanning/removal tools to pick from http://www.wilders.org/free_services.htm

    Regards - Charles
     
    Last edited: 2003/10/08

  4. 2003/10/09
    ivypchase

    ivypchase Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    3
    Likes Received:
    0
    Here is the puzzle:

    The virus is on my Win98 computer. The NAV is on my Win2k computer. When I boot in Safe Mode, the network connection is not present. I tried to install NAV on the Win98 box but there is an older version of NAV there and I can't uninstall it for some reason. Lots of error windows popped up when I tried this.

    When I start up from the NAV emergency disks and do a scan on the Win98 box, it tells me that the machine is not infected. The fun begins all over when I restart.

    -Tristan
     
  5. 2003/10/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Try some things and in this order: (note that this is sort of a belt & suspenders approach. Probably more cautious than is necessary but it will work)

    1. Disconnect the 98 system from any network you have.

    2. Turn off system restore on XP and run a scan from Housecall to make sure it's clean.

    3. Then reboot and turn system restore back on. Update your AV def files unless you've done so within the last day or so. Then shut XP down.

    4. Hook 98 up to the internet and run the same scan on it from housecall. Clean as needed. Then get some sort of AV program loaded on the 98 PC. The free version of AVG will be fine.

    Now power everything back on and hook it up as you normally do. You should be clean all around.
     
  6. 2003/10/10
    ivypchase

    ivypchase Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    3
    Likes Received:
    0
    Well, I tried to do some of the things you all suggested, but owing to the oddball configuration we have, I couldn't make anything work. I ran NAV at least four times yesterday. Each time it would find and delete or quarantine six or seven files. Then I would check Win.ini and the registry, but after about three minutes, the nasties would come creeping back.

    I decided that the easiest thing to do is swap out the machine and do a clean re-installation of the OS and system-specific software. All the data on the machine has already been backed up.

    I will check out some of the other programs, however. It seems that NAV kept missing something with each scan.

    Thank you for your help,

    -Tristan
     
  7. 2003/10/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Did you do #2 (from my first response above) before running the scans and then scan with housecall in case one of the critters had partly or completely disabled your onboard AV software?
     