trojan virus in my computer

Discussion in 'Malware and Virus Removal Archive' started by mary651, 2002/12/03.

Thread Status:
Not open for further replies.
  1. 2002/12/21
    mary651

    mary651 Well-Known Member Thread Starter

    Joined:
    2002/11/28
    Messages:
    74
    Likes Received:
    2
    Mike, I think you are right, I don't think it is in safe mode as it doesn't have that written in the corners. It starts out with the grey and white cloud like screen like you get in safe mode, then it goes to the desktop with the large icons and they are weird colors and tells me it cannot use my "callwave" internet answering machine because it needs 256 colors and needs to be set to that. When I go in to set it, it has a choice only of 16 colors at the most. It does have my normal windows98 blue background that I am using. There is also a window that pops up and at the top says c:\windows\start menu\programs\startup\kak.hta and there is nothing in the window. When using the computer the typing is rather distorted because of the background. Not clear and sharp like the regular windows screen.

    I did have some problems with the installing. It got to a point where it said it couldn't find some files. I ended up starting the whole process over thinking that it would fix it.

    I went in to the device manager and clicked on the dial up adapter and properties for it and told the computer to find new device drivers for it and it fixed it. It now has no red X and nothing else has any problems in the device manager, and also there are no dupes of anything in device manager and no "other" entry. Need help! Sorry I was gone all day today. Had shopping to do and a party I had to attend. Glad that you are back. Hope you can help. Is it salvageable or do I need to save everything to CDs (if I still can) and delete the whole thing and start over?
     
  2. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mary!!!!!


    KAK.HTA is a worm!

    You are infested after all! Thought we covered this, I will need to review entire thread.

    Late 1:20, just came in from Christmas party myself!

    Will get back to you in morning with coffee!

    Mike
     
    Last edited: 2002/12/22

  4. 2002/12/22
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    This page has a repair tool for that. Scroll down to where it says Removal Instructions.
    I had thought we were fighting something random. It seems that M$ has a patch for it, or a visit to Windows Update when running good is a good recommendation.
     
  5. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Good morning Mary and Mark

    Coffee Ahhhhhhhhhhh!

    There is something funny here! I reread this entire long thread and all the proper steps to have found this worm were taken.

    We ran the Local virus scanner, we ran an online virus scanner and an online trojan scan.

    This is not a new worm, all those scanners should have found it!

    ALSO! Right now it is apparently disabled because the startup can not find it! There is an entry in startup for it but it can not start hence the startup error. But we still need to do the cleanup to be sure.

    Run the cleanup from the page that Mark sent!

    Fix the above first!

    Then go to control panel-system-device manager-Display adapters.

    Click the "+" see if there is more than one entry here. If so post me back what they are!

    Mike
     
    Last edited: 2002/12/22
  6. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Last edited: 2002/12/22
  7. 2002/12/22
    mary651

    mary651 Well-Known Member Thread Starter

    Joined:
    2002/11/28
    Messages:
    74
    Likes Received:
    2
    I tried to use the short version of the fix but it told me an error had been encountered and I had to do it manually. Followed the whole procedure and all of the short downloads. I put the first short downloads on my desktop to reach them and ran them all. Do I need to save them somewhere or can I delete some of them? I downloaded the last one that you said to run and enable and saved it on the hard drive C. I thought it was going to actually run a scan of some sort, but all it did was show me the enable and disable window, was that right? It is enabled. I went into the "my computer" and in the display adapters, there is only one listing.

    My computer no longer shows me the error window so I hope with all I have done that the worm is gone. I still have the problem with the operating system showing only the 8 bit color. I am still getting the warning that it can not run my "Callwave Answering Machine" as it has to have the 256 color. Can you tell me how to fix this problem? Talked to my son on the phone last night and he said I needed to reset the resolution but couldn't figure out how to get there to do so. Also have the Symantec/Norton screens that come up at start and tell me the System.ini is searching for the files that are missing. Don't see anything listed in the sysedit that directly points to it. Could I safely go in and unselect each one at a time and restart to see if it eliminated it? Thanks for the help. You guys are greatly appreciated!!!!!!!:D
     
  8. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hello Mary

    Good job! You catch on quick!

    As for the fixes I would move not copy to a folder in C:\Program files. Make a folder there and call it Security fixes or whatever!

    Yes I now believe we are clean. Also that the original problem is fixed.

    Now to deal with the video.

    1. What is the brand of the video controller listed in device Manager?

    2. Copy and paste the errors you speak of on startup before you do anything. I can advise you if I know what the problem is.

    Mike
     
  9. 2002/12/22
    mary651

    mary651 Well-Known Member Thread Starter

    Joined:
    2002/11/28
    Messages:
    74
    Likes Received:
    2
    In device manager under sound, video, and game controllers there are: Creative Sound Blaster Audio PCI 64D, Gameport Joystick, SB Audio PCI 64D Legacy Device, and Wave Device for Voice Modem.

    As for the messages I receive on start up for the "Callwave" it says: We're sorry, your CallWave software won't run because your video display is not set to at least 256 colors(8--bit mode). Please click the Help button for more information. When I click help button it brings me to the callwave website where it tells me the same thing. I checked it in the display settings and it says there are 16 colors and the only other choice is 2 colors.

    I tried to copy and paste the information on the problem at startup for the Symantec/Norton stuff, but it is a black screen when it shows up and there is no way it will let me copy it. I wrote down everything in long hand and here it is:

    Cannot find a device file that may be needed to run Windows or a Windows application.

    The windows registry or SYSTEM.INI file refers to this device file, but the device file no longer exists.

    If you deleted this file on purpose, try uninstalling the associated application using its uninstall or setup program.

    If you still want to use the application associated with this device file, try reinstalling that application to replace the missing file.

    C:\progra~1\symantec\symevnt.386

    Then it says to hit any key to continue and when you do you get the same instructions for each of the files it is searching for. Here is the list of additional files.
    C:\progra~1\norton~1\savrt.vxd
    C:\progra~1\norton~1\savrtpel.vxd
    symtdi.vxd

    I hope you can help with these problems, too. Seems a lot to ask of you, but greatly appreciated. Thanks again.
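
Added example, not part of the original thread: one way to find the dangling references behind the startup message quoted above, by collecting `device=` lines from the `[386Enh]` section of SYSTEM.INI and `StaticVxD` values from a REGEDIT4 export, then listing those whose file is absent. The function names, the sample SYSTEM.INI and registry text, and the list of files present are constructed for illustration, and bare file names are assumed to resolve to `C:\WINDOWS\SYSTEM`.

```python
import re
from pathlib import PureWindowsPath
STATIC_VXD = re.compile(r'^"StaticVxD"="(.*)"$', re.IGNORECASE)

def device_refs_from_system_ini(text):
    """File names from device= lines in the [386Enh] section of SYSTEM.INI."""
    refs, section = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "386enh" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # '*name' devices are built into VMM32.VXD, not separate files
            if key.lower() == "device" and not value.startswith("*"):
                refs.append(value)
    return refs

def device_refs_from_reg_export(text):
    """File names from StaticVxD values in a REGEDIT4 export of the VxD key."""
    refs = []
    for line in text.splitlines():
        match = STATIC_VXD.match(line.strip())
        if match and not match.group(1).startswith("*"):
            refs.append(match.group(1).replace("\\\\", "\\"))  # undo .reg escaping
    return refs

def missing_device_files(refs, present, system_dir=r"C:\WINDOWS\SYSTEM"):
    """Refs whose file is absent; bare names are assumed to live in system_dir."""
    have = {p.lower() for p in present}
    missing = []
    for ref in refs:
        path = PureWindowsPath(ref)
        full = path if path.is_absolute() else PureWindowsPath(system_dir) / path
        if str(full).lower() not in have:
            missing.append(ref)
    return missing

# Constructed sample data, not taken from the poster's machine.
SAMPLE_SYSTEM_INI = "[386Enh]\ndevice=*vshare\ndevice=vnetsup.vxd\ndevice=symtdi.vxd\nmouse=*vmouse\n[boot]\nshell=Explorer.exe\n"
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\SymEvnt]
"StaticVxD"="C:\\progra~1\\symantec\\symevnt.386"
'''
SAMPLE_PRESENT = [r"C:\WINDOWS\SYSTEM\vnetsup.vxd"]
if __name__ == "__main__":
    refs = device_refs_from_system_ini(SAMPLE_SYSTEM_INI) + device_refs_from_reg_export(SAMPLE_REG_EXPORT)
    print(missing_device_files(refs, SAMPLE_PRESENT))
```

Each name it reports is a reference to remove or a file to restore; deleting the files alone, without clearing the reference, leaves the startup message in place.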
     
  10. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Mary

    This is slow going isn't it!

    I am going and coming, chores errands and last minute shopping. I expect you are also!

    Mary I need to know the name of the Video device in device manager before we proceed to fix that. I think we are close now.

    I think the best solution for the Norton thing is to go to add/remove and uninstall it. I think you should reboot hit F8 and go to safe mode to do this.

    After you uninstall, if it wants to reboot say NO! Then search for norton*.* and delete all it finds. The same for symant*.*!

    While in safe mode go to device manager again, open Video controllers and get me the name or names.

    After you do the above still in safe mode run RegCleaner and scroll down and find any references to norton or symantec and tag and delete them.

    Also while in RegCleaner go to the StartUp List and look for any entries for norton or symantec and remove those also.

    Then boot back to full mode see if you boot up clean with no errors except the callwave device.

    Do not reinstall Norton until we correct the video! Norton should reinstall and work properly then.

    The ScriptTrap program I sent! Yes that was all you need to do now is enable it! But if it ever pops up a warning listen to it. It will warn if any script or macro (good or bad) that you do not see is going to execute without your knowledge.

    If you get this warning on say an Excel spreadsheet that has macros then you would allow it to execute. If it warns you on something else better think about it. Virus writers love to use scripts.

    Your move!

    Mike
     
  11. 2002/12/22
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You need to install the video drivers for your video adaptor. If you do not know what it is, get Belarc Advisor for free. It should tell you what your video adaptor is.
     
    Last edited: 2002/12/22
  12. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Mark

    Yes she may, but if she has a duplicate entry in safe mode and removes the bad one the original one will most likely come in. At least it should tell us the name of the video adapter.

    Or just removing it and rebooting may cause it to be reinstalled.

    If this doesn't work then she should use belarc.

    Merry Christmas.

    Mike
     
  13. 2002/12/22
    mary651

    mary651 Well-Known Member Thread Starter

    Joined:
    2002/11/28
    Messages:
    74
    Likes Received:
    2
    Mike and Mark,
    I tried to find out what the name of the video adapter/video controller is but there is nothing that identifies it in device manager. Do you think when I reinstalled the operating system it didn't get reinstalled and just isn't there? Mark I installed the Belarc and printed out what it showed me. If you can tell me where to look I would be able to find it and tell you what it is. Is it the display adapter? If so it is Standard PCI Graphics Adapter (VGA). If this isn't it tell me under what heading it would be.

    I think the Symantec/Norton problem is going to be virtually impossible to solve. I don't have the software to uninstall with. It was just a trial version I downloaded to check my system for the trojan to begin with. I have a free Anti-Virus software called AVG from Grisoft. It was my own mistake because, if you recall, I told you I had used a program called "BackTrack" which came with my computer from Gateway that takes a picture of your harddrive on a certain date and you can tell the computer to go back to that picture of the harddrive to solve some problems, but it created a massive one I don't know how to resolve. If I had the software I would have uninstalled it already. I have already done the searching for any files with the Symantec and Norton names on them and deleted them all and I am still getting the same message at start up. I even sent an email to Symantec looking for help and explained what I had done and no one has responded. Would it help to download another trial version and would they let me do it? Hoping to hear from you soon.
     
  14. 2002/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mary

    Ok!

    Mary give me the exact name of your computer and I will find the driver for you from Gateway.

    No the Norton thing is not impossible. But do I understand there is no entry for norton in Control Panel Add/Remove?

    Go here: http://service1.symantec.com/SUPPOR...om/techsupp/nav/&next=&src=csm&pcode=nav&svy=

    This is the Norton removal tool. It has a selection for several versions of Norton. Run it for all versions; don’t let it reboot until all versions have been removed!

    AVG is a very good virus scanner. Use that one.

    Mike
     
  15. 2002/12/24
    mary651

    mary651 Well-Known Member Thread Starter

    Joined:
    2002/11/28
    Messages:
    74
    Likes Received:
    2
    Mike and Mark,
    I downloaded the symantec/norton fix and it worked to clean out the files that were left. Hurray!!! I went to Gateway and entered my identification number for the computer and they told me what video driver I needed. Went into the display after installing it, changed the resolution, and it worked. I now can use the Word 2000 program. The only thing left is the problem with the WinMX program. I installed the newest version after seeing that the Word 2000 worked, but am still getting an error message. This program has performed an illegal operation and will be shutdown. If the problem persists, contact the program vendor. WINMX caused a divide error in module winmx.exe at 015f.004952b8. Can you help with this?
     
  16. 2002/12/24
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Merry Christmas Mary

    This seems to be a never ending story! Smile!

    Fantastic that the rest is fixed!

    OK Mary handle this the same as the other things we have fixed!

    1 safe mode use add/remove on this program.
    2 search HD for anything left of winmx and delete these
    3 run regcleaner "not regclean" look thru its list for winmx tag and remove.

    Reboot to full mode reinstall winmx again. Do confirm you have the latest ver of this program if not get newest.

    Get back and tell me all is now fixed, then I don't want to hear from you for the rest of the year. Smile!

    After that you can drop in to say hello! Smile!!!!!!!!!!!!!!!!

    Mike
     