Matthew Weymar
HouseCall recently detected nimda and/or Holar/Halawi on my WinXP
box.
I have taken three actions in response:
1. Per http://www.bullguard.com/antivirus/vit_holar_h.aspx, I have
done the following:
[BEGIN QUOTE]
Removal instructions
Manual removal: Use regedit to remove the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\run\Explore; restart
Windows and delete the virus components and its copies (listed in the
sections above). To clean up, remove the HKCU\DeathTime registry entry
too; you might also want to run "regsvr32 /u smtp.ocx" and delete
smtp.ocx.
[END QUOTE]
To be more specific, I deleted explore.exe & smtp.ocx from the
c:/windows/system32 directory. I removed both reg. entries above, but
did not run "regsvr32 /u smtp.ocx."
2. I installed AVG Anti-Virus System.
3. I have installed McAfee AVERT Stinger Version 1.9.2 built on Nov 14
2003, using Virus data file v1000 created on Nov 14 2003.
Now I am experiencing the following:
1. AVG detects Nimda in the form of *many* .eml files strewn
"randomly" (?) around my system.
2. Neither Symantec's FixNimda, nor their FxNimdaE programs detect the
Nimda virus - although certainly all of those .eml files are there.
3. Stinger has found four instances of the Klez.h@MM virus. These
seem, in fact, to be "one" copy of the virus and a backup. They appear
in directories of the following structure:
- \Documents and Settings\LOGIN\Application
Data\Mozilla\Profiles\...\Mail\MAIL SERVER\Trash\00001353.EML\true.bat
- \Documents and Settings\LOGIN\Application
Data\Mozilla\Profiles\...\Mail\MAIL
SERVER\Trash\00001353.EML\00020780.EML\Log.exe
- \Program Files\Support.com\backup\Tr\Trash\ID\Trash\00001353.EML\true.bat
- \Program Files\Support.com\backup\Tr\Trash\ID\Trash\00001353.EML\00020780.EML\Log.exe
4. Symantec's FixKlez does not detect the Klez virus.
5. My Start > All Programs lists only one program - eBay toolbar,
which must have updated itself subsequent to some action I took. Also,
the "recently used programs" section of my Start menu is not being
populated with recently used programs.
The icons in my Start Menu directory appear "lighter" than usual;
ditto the icons on my desktop. All are functional. They - those in my
Start Menu - just aren't appearing in Start > All Programs.
Questions:
1. Am I, in fact, infected? and
2. What should I do about this?
Additional Notes:
1. HouseCall now detects no viruses.
2. FWIW, AVG does not find Klez, nor does Stinger find Nimda - which
is at least theoretically included in its "Virus data file v1000
created on Nov 14 2003."
Any suggestions will be greatly appreciated.
Thanks,
Matthew
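One way to answer the "am I still infected?" question with something more repeatable than a series of one-off scanners is to check, read-only, for the exact indicators the post already names: the `Explore` value under the HKLM `Run` key, the `HKCU\DeathTime` key, `explore.exe` and `smtp.ocx` in System32, any COM registration still pointing at `smtp.ocx` (the `regsvr32 /u` step was skipped), and stray `.eml` files outside the mail client's profile. The script below is an added example written for this thread, not code from the original post or from any vendor's removal tool; it assumes PowerShell 4 or later for `Get-FileHash`, and it only reports, it never deletes.

```powershell
# Read-only check for the indicators quoted in the post above.
# Assumes PowerShell 4+ (Get-FileHash). Nothing is modified or deleted.

$findings = @()

# 1. Registry Run value "Explore" under HKLM, as named in the BullGuard write-up
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$explore = Get-ItemProperty -Path $runKey -Name 'Explore' -ErrorAction SilentlyContinue
if ($explore) {
    $findings += "Run value 'Explore' still present: $($explore.Explore)"
}

# 2. The HKCU\DeathTime key mentioned in the same write-up
if (Test-Path 'HKCU:\DeathTime') {
    $findings += 'Registry key HKCU\DeathTime still present'
}

# 3. Dropped components in System32 (hash them so a later comparison is possible)
foreach ($name in 'explore.exe', 'smtp.ocx') {
    $path = Join-Path $env:SystemRoot "system32\$name"
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += "File still present: $path (SHA256 $hash)"
    }
}

# 4. Is smtp.ocx still registered as an in-process COM server?
#    The post deleted the file but skipped "regsvr32 /u smtp.ocx", so the
#    CLSID entries may still point at the (now missing) file.
$clsidHits = Get-ChildItem 'HKLM:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
    Where-Object { $_.'(default)' -like '*smtp.ocx' }
foreach ($hit in $clsidHits) {
    $findings += "COM registration still points at: $($hit.'(default)')"
}

# 5. Count .eml files outside the Mozilla mail profile. Legitimate mail
#    stores keep .eml under the profile; copies scattered elsewhere match
#    the Nimda behaviour AVG is flagging. (Full-drive scan; can be slow.)
$emlFiles = Get-ChildItem -Path "$env:SystemDrive\" -Filter *.eml -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\Mozilla\\Profiles\\' }
if ($emlFiles) {
    $findings += ".eml files outside the Mozilla profile: $($emlFiles.Count)"
    $emlFiles | Select-Object -First 10 -ExpandProperty FullName | ForEach-Object { "    $_" }
}

if ($findings.Count -eq 0) {
    'None of the indicators named in the post were found.'
} else {
    $findings
}
```

Run it from an elevated prompt so the HKLM and System32 checks are not silently skipped by access errors; a clean result from this script says only that these specific indicators are gone, which is why the full-scanner results in the post still matter for the Klez files under the mail Trash folder.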