Help please - unknown virus


ädämski

I had a virus last month that was so bad I had to reformat my hard drive.

Anyway, I've been very careful since and have Norton installed and last
updated about 10 days ago.

Over the last week I've been getting a lot of the Microsoft critical update
viruses and have been deleting them all.

My problem is that I'm getting a lot of emails saying messages sent from
me are undeliverable (when I haven't been sending them to any such address)

I can't update my antivirus as it's saying I'm not connected to any host.

And most annoying of all Outlook Express keeps opening of its own accord
every few minutes. Even if I'm reading the NG, it's as if I've clicked on
the inbox to get out as that opens.

I've run two separate online scans and both of them said I don't have a
virus. I've also run adaware and that hasn't stopped it either.

It's pretty much stopping me from doing anything with Outlook Express
opening up all the time.

Anyone know the name of this virus and how I can get rid of it?

TIA
 
sven..

read the ng... everyone having this prob.


run msconfig..

if it opens you're clean.
 
> I had a virus last month that was so bad I had to reformat my hard drive.
>
> Anyway, I've been very careful since and have Norton installed and last
> updated about 10 days ago.
>
> Over the last week I've been getting a lot of the Microsoft critical update
> viruses and have been deleting them all.
>
> My problem is that I'm getting a lot of emails saying messages sent from
> me are undeliverable (when I haven't been sending them to any such address)

Other people's computers that are infected are forging your e-mail
address as the "sender" of what they shoot out, so when it bounces it
comes back to you.

It's happening to all of us. It doesn't mean your computer is
infected.

> I can't update my antivirus as it's saying I'm not connected to any host.
>
> And most annoying of all Outlook Express keeps opening of its own accord
> every few minutes. Even if I'm reading the NG, it's as if I've clicked on
> the inbox to get out as that opens.

So set it not to do that. Set it to check mail only when you tell it
to. That's what I do. What's difficult about that?

> I've run two separate online scans and both of them said I don't have a
> virus. I've also run adaware and that hasn't stopped it either.
>
> It's pretty much stopping me from doing anything with Outlook Express
> opening up all the time.
>
> Anyone know the name of this virus and how I can get rid of it?

Have you read any of the other threads in this group?

C'mon, read first and your question will often be answered before
posting.
 
ädämski said:
> I had a virus last month that was so bad I had to reformat my hard drive.

Hardly ever necessary, but I'll take your word for it.

> Anyway, I've been very careful since and have Norton installed and last
> updated about 10 days ago.

Ten days is a long time these days, too long if you don't have
a good knowledge of safe computing practices to supplement
your AV.

> Over the last week I've been getting a lot of the Microsoft critical update
> viruses and have been deleting them all.

This is good, they should be deleted.

> My problem is that I'm getting a lot of emails saying messages sent from
> me are undeliverable (when I haven't been sending them to any such address)

Typical worm effect, means nothing. You cannot deduce whether your
own system is or is not infested by this happenstance.

> I can't update my antivirus as it's saying I'm not connected to any host.

Puzzling.

> And most annoying of all Outlook Express keeps opening of its own accord
> every few minutes. Even if I'm reading the NG,...

If you are reading newsgroups (using OE) then OE should be
open. Are you posting from the affected machine now? OE
is indicated as your newsreader in the headers.

> it's as if I've clicked on the inbox to get out as that opens.

It's beginning to sound like OE needs to be reinstalled or repaired,
but mouse and keyboard problems can do this too.

> I've run two separate online scans and both of them said I don't have a
> virus. I've also run adaware and that hasn't stopped it either.
>
> It's pretty much stopping me from doing anything with Outlook Express
> opening up all the time.

If you go to Add/Remove programs in the control panel and
find the "Internet Explorer 6 and Internet Tools" listed, you might
be able to select it and hit the "remove" button and then choose
"repair" to fix it.

This doesn't sound like a virus to me, and it might be best to
get tech support from Microsoft to help you, they were able
to help me before with an unusual OE related problem.

> Anyone know the name of this virus and how I can get rid of it?

I'm certainly no expert, but it doesn't sound like a virus problem
to me.
 
> I had a virus last month that was so bad I had to reformat my hard drive.

That's pretty screwy. Reinstall Windows, maybe.

> Anyway, I've been very careful since and have Norton installed and last
> updated about 10 days ago.

That's way too late. Most vendors release updates at least weekly and
even more quickly during outbreaks. F-prot issued its latest
definition on 18-Sept (4 days ago) and I think Norton was on the 17th,
but the first version only detected the virus and could not delete it.

I would recommend that you set the automatic update to daily. Most
days you won't get anything, but it only takes a few seconds and no
intervention on your part. That way, you'll get the new definitions
within 24 hours. A virus can go around the world in a few
days.

> Over the last week I've been getting a lot of the Microsoft critical update
> viruses and have been deleting them all.
>
> My problem is that I'm getting a lot of emails saying messages sent from
> me are undeliverable (when I haven't been sending them to any such address)
>
> I can't update my antivirus as it's saying I'm not connected to any host.

Despite your precautions, I suspect you have been infected with the
Swen virus. If your Windows hasn't been patched (and you didn't
mention this) it could have run anyway even if you didn't click on the
attachment.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

"If an attacker created an HTML e-mail containing an executable
attachment, then modified the MIME header information to specify that
the attachment was one of the unusual MIME types that IE handles
incorrectly, IE would launch the attachment automatically when it
rendered the e-mail."

Here's some more information about Swen.

http://www.f-prot.com/virusinfo/descriptions/swena.html

"When W32/Swen.A@mm is activated it goes through the following list of
applications and tries to terminate them. Some of those applications
are security and antivirus applications."

The list includes: "... nvc95, nupgrade, nupdate, ..." I think these
are the Norton Update routines.

"It also prevents the applications from being executed while it is in
memory. When the user tries to execute one of these applications under
these circumstances a dialog box is displayed with a fake error
message."

Most convincing to me:

"It also sends out a fake email message falsely reporting that a
message could not be delivered."

> And most annoying of all Outlook Express keeps opening of its own accord
> every few minutes. Even if I'm reading the NG, it's as if I've clicked on
> the inbox to get out as that opens.

I don't see that particular symptom listed for Swen, but it just might
be undocumented.

> I've run two separate online scans and both of them said I don't have a
> virus. I've also run adaware and that hasn't stopped it either.
>
> It's pretty much stopping me from doing anything with Outlook Express
> opening up all the time.
>
> Anyone know the name of this virus and how I can get rid of it?

Try one of these removal tools:

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://vil.nai.com/vil/stinger/

The F-Prot page mentioned above also has removal instructions.

Steven
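
The MS01-020 condition quoted in the post above (an executable attachment whose MIME header declares a type the mail client renders automatically) can be checked for in stored mail. The sketch below is an added example, not code from any poster in this thread; the extension list, the choice of audio/video/image as the auto-rendered types, and the sample messages are all assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumption: extensions Windows runs directly (list not taken from the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Assumption: main types a mail client renders or plays inline without prompting.
INLINE_MAIN_TYPES = {"audio", "video", "image"}


def suspicious_parts(raw_message: bytes):
    """Return (filename, declared type) for every part whose declared MIME
    type is an inline media type but whose filename is executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name)[1].lower()  # last extension only
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in INLINE_MAIN_TYPES:
            hits.append((name, part.get_content_type()))
    return hits


def sample(ctype: str, fname: str) -> bytes:
    """Build a constructed two-part message (HTML body plus one attachment)."""
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="B"\n\n'
        "--B\nContent-Type: text/html\n\n<p>constructed body</p>\n"
        f'--B\nContent-Type: {ctype}; name="{fname}"\n'
        f'Content-Disposition: attachment; filename="{fname}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--B--\n"
    ).encode()


if __name__ == "__main__":
    cases = [("audio/x-wav", "patch.exe"),               # mismatch: flagged
             ("audio/x-wav", "hello.wav"),               # honest media: clean
             ("application/octet-stream", "setup.exe"),  # honest binary: not this check
             ("image/gif", "photo.JPG.SCR")]             # double extension: flagged
    for ctype, fname in cases:
        print(f"{fname:15} {ctype:26} -> {suspicious_parts(sample(ctype, fname))}")
```

An attachment honestly labelled `application/octet-stream` is deliberately not flagged: the client prompts before opening it, so it is outside the header mismatch this check targets.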
 
It's hard for me to read the ng as outlook express keeps throwing me out of
them and putting me back into my inbox. It's taken me 15 minutes just to
read the few threads replying to my message. Thanks for your help though.
 
it's not opening when it's checking for emails, it's just opening every 90
seconds or so. Even if I've not got IE open at all and am just using Office,
for example, it opens.
 
last month it froze on me then wouldn't reboot. I reinstalled windows and
that was okay until I tried to run my AV when it froze again. I tried to
reinstall windows again but then I kept getting the message that I didn't
have enough room to reinstall it (on an 80gb machine!)

Couldn't reinstall it, couldn't get it to boot up (even in safe mode),
couldn't get it to boot from the either. What option did I have?

Thanks for the help. I'll give that a try.
 
thanks Steven. I'll give stinger a go.
Steve M (remove wax for reply) said:
> That's pretty screwy. Reinstall Windows, maybe.
>
> That's way too late. Most vendors release updates at least weekly and
> even more quickly during outbreaks. F-prot issued its latest
> definition on 18-Sept (4 days ago) and I think Norton was on the 17th,
> but the first version only detected the virus and could not delete it.
>
> I would recommend that you set the automatic update to daily. Most
> days you won't get anything, but it only takes a few seconds and no
> intervention on your part. That way, you'll get the new definitions
> within 24 hours. A virus can go around the world in a few
> days.
>
> Despite your precautions, I suspect you have been infected with the
> Swen virus. If your Windows hasn't been patched (and you didn't
> mention this) it could have run anyway even if you didn't click on the
> attachment.
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
>
> "If an attacker created an HTML e-mail containing an executable
> attachment, then modified the MIME header information to specify that
> the attachment was one of the unusual MIME types that IE handles
> incorrectly, IE would launch the attachment automatically when it
> rendered the e-mail."
>
> Here's some more information about Swen.
>
> http://www.f-prot.com/virusinfo/descriptions/swena.html
>
> "When W32/Swen.A@mm is activated it goes through the following list of
> applications and tries to terminate them. Some of those applications
> are security and antivirus applications."
>
> The list includes: "... nvc95, nupgrade, nupdate, ..." I think these
> are the Norton Update routines.
>
> "It also prevents the applications from being executed while it is in
> memory. When the user tries to execute one of these applications under
> these circumstances a dialog box is displayed with a fake error
> message."
>
> Most convincing to me:
>
> "It also sends out a fake email message falsely reporting that a
> message could not be delivered."
>
> I don't see that particular symptom listed for Swen, but it just might
> be undocumented.
>
> Try one of these removal tools:
>
> http://securityresponse.symantec.com/avcenter/venc/data/[email protected]l.tool.html
> http://vil.nai.com/vil/stinger/
>
> The F-Prot page mentioned above also has removal instructions.
>
> Steven
 
Patty said:
> It's not msconfig that swen blocks from running, it's regedit.

Both programs are on the list of programs that swen
tries to block (along with many other "security" related
application's executables).

Swen uses two methods against regedit though, a process
killer and a registry setting IIRC.
 
ädämski said:
> last month it froze on me then wouldn't reboot. I reinstalled windows and
> that was okay until I tried to run my AV when it froze again. I tried to
> reinstall windows again but then I kept getting the message that I didn't
> have enough room to reinstall it (on an 80gb machine!)

Is your drive filling up with Windows001 ,2 ,3 ,4, directories?
 
I didn't notice it, so probably not.

I think I have it under control now. After running a few online AV's (all of
which came back as clear) I downloaded RAV antivirus and that found 16
viruses on my pc. I thought they were in 'contained' areas such as my
deleted files and in temp files. Deleted all those, anyhow.

Downloaded spampal and another program called MailBox Dispatcher (which lets
you see your email headers before you download them).

Also reinstalled windows as I kept getting my inbox opening and taking
precedence over any other program I was working on.

Now everything appears to be okay. Cookies are working again (couldn't
access password sites before, either). Keeping the viruses at bay with the
triple whammy I've mentioned and the inbox opening of its own accord seems
to have stopped as well.
 
It could well be "winlodr.scr" . Put this in the search box in
Google. I believe you can find out more about this from any of the major
anti-virus mfg sites. It sounds like it could be your baby.
 