Q: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton ( Answered 4 out of 5 stars,   8 Comments )
Question  
Subject: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
Category: Miscellaneous
Asked by: bbb-ga
List Price: $15.00
Posted: 16 Jun 2003 11:52 PDT
Expires: 16 Jul 2003 11:52 PDT
Question ID: 218002
Hello. (System details/versions below). 
1. About 11 am today (June 16, 03) I got a message from Norton saying
a "malicious script was detected" and identifying the script as
IEXPLORE.exe. The Norton screen also said I needed to do something,
and suggested deleting the file, so I said yes. Did not get a
confirmation that the file was deleted, though.

2. Shortly afterwards, I was unable to send email (I use Outlook),
because the program told me there was not enough memory for the
default editor -- Microsoft WORD. I then tried to open Word directly,
and had trouble -- "not enough memory available."

3. I called my computer expert, who suggested I likely had a virus,
should back up data and bring machine in for re-initialization, etc.

4. I backed up all data (from C: drive to another internal hard drive,
F:).

5. Other programs seemed to be running fine. Then WORD began running
fine.

6. My computer expert still said, safer to probably re-initialize.

7. I quickly checked with Symantec, searching "malicious script" and
wound up looking at a bulletin from Renoworks Software that "Norton
AntiVirus script detection...identifies ALL scripts as malicious by
default. This is by design."

HELP! If #7 is correct, then I may NOT have a virus. I told my
computer expert that all programs now seem to be running ok, including
WORD, but he still thinks I might have to re-initialize (of course,
that means a fee and a lot of work for me, too, re-installing all the
non-system stuff).

One final point: About 3 days ago, I noticed that Microsoft word had
acquired one strange form of behavior: In the headers and footers, I
now see the code onscreen rather than the result: i.e., I see "{
FILENAME }" in a header instead of the actual file name. The printouts
are still OK, tho. This PRECEDES the WORD problem today -- which, as
explained, seemed serious yet seemed to be temporary -- and is still
there. I'm not seeking a twofer, here, but the facts may be relevant.
Anyone who solves this should get a $5 fee, separately from the main
question.

Brad 



 
Immediately afterward, 


I am running Windows 2000 (professional, I guess) version 5, on my
home computer. I have Norton Systemworks 2003 professional edition,
and run Live Update very often and do system scans regularly. Last
scan was about 3 days ago. (First of my Drive C:, and then of 2nd
internal hard drive F:)

Request for Question Clarification by livioflores-ga on 16 Jun 2003 12:26 PDT
I need some clarifications to continue the research. Please tell me if
you can run MS Internet Explorer (iexplore.exe is the executable
file for this program). I also suggest that you do an online scan (if
you can't run Internet Explorer, please use another browser or
reinstall Internet Explorer). It is free; when it finishes, please
let me know the results.
I recommend this service to you:
http://www.bitdefender.com/scan/licence.php

Clarification of Question by bbb-ga on 16 Jun 2003 13:35 PDT
To livioflores-ga:
Thanks for your interest. Yes, I am able to run Explorer, and have had
no problem with running it all along. I assume this is a good sign...
Also, I did a file search and found 2 files with that name: 
   1. "IEXPLORE.EXE" in C:\Program Files\Internet Explorer.
   2. "iexplore.exe" in C:\WINNT\system32\dllcache
The upper/lower case are as I typed them here. 

Soon I'll be away from my computer, but just for about 1 hour.
Brad

Clarification of Question by bbb-ga on 16 Jun 2003 13:38 PDT
CONTINUED to livioflores:
 
Oops. I forgot to add this: I noticed you suggested an "online scan"
but I'm not sure what you mean. Do you mean run "scandisk"? Or
something like that?
Brad

Request for Question Clarification by livioflores-ga on 16 Jun 2003 14:01 PDT
Please visit the page that I gave you and follow the instructions in
order to do an antivirus scan online. If there is a virus in your PC,
your installed antivirus could be corrupted.

Clarification of Question by bbb-ga on 16 Jun 2003 20:58 PDT
To Livioflores: 
Continuing thanks! I did go to that site and carried out a scan. 
It helped--I think--but raises more questions. 
1. I did NOT select "autofix" (I think that was the phrase), because I
of course wanted to be notified of any viruses found.
2. I did get this message, that within my "local settings/temporary
internet" files, there was an infection:

..../local settings/temporary internet
files/content.IE5/CDE3S5IV/5[1].htm is infected with
JS.Trojan.NoClose.B

I then told it to delete this. Got no message confirming that, but the
scan continued.

3. I then was away from my computer, returned to find that scan was
completed, and "2 infected files found." No listing of the files, no
way to tell what had happened. Presumably they were NOT deleted, since
I hadn't checked autofix--and since the earlier message had asked me
what to do. So everything is completely ambiguous now:
    a. Are these two in ADDITION to the one mentioned before? Or does
the "two" include that one?
    b. Much more importantly, what happened, and what should I do?
Were they deleted? That seems impossible. Then how do I delete them
now? The program doesn't say.

Clarification of Question by bbb-ga on 16 Jun 2003 21:10 PDT
To livioflores: 
  I am going to take one step that I assume is reasonable. I'll run
that scan again and tell it to go ahead and autofix. Then I'll never
know the names of whatever infection it finds, I realize; I evidently
can't count on that scan program to do anything as simple as provide a
list of what it has deleted.
  But it seems better to fix than not to fix. (If in fact autofix IS
autofix. Whew.)
  I will not be able to answer e-mail, then, I think, for a while. 
  But please do add further comments if you can. I'll be happy to pay
more, and especially if you can explain what is going on with that
scan program. As of now, I can't tell at all, as my previous post
complains...

Request for Question Clarification by livioflores-ga on 16 Jun 2003 21:28 PDT
At least now you know what happened in your PC. This Trojan script is
not a dangerous pest, lucky man!!
See: http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=3

I think that the 2 other viruses were the same one and you caught them in
the same event, so when you told the antivirus to delete
JS.Trojan.NoClose.B once, you gave it the authorization to do this as
many times as needed.
I think that your own antivirus is not affected by this infection, so
you can update and run it and do a scan; if something new appears you
will have a log.
Please keep me informed about this.

livioflores-ga

Request for Question Clarification by livioflores-ga on 16 Jun 2003 21:57 PDT
I just found more info that explains the temporary inappropriate behavior
of your PC:
"The infection is activated by the execution of code in JavaScript
embedded in a Web page or an HTML message.  When said page is
visualized, the browser remains minimized and cannot be closed or
maximized easily in some cases.
Also a large quantity of windows are opened, aiming at different
directions of selected URLs listed in its code.  If the connection to
the Internet is active, these directions are accessed without the
authorization of the user.
The windows remain hidden to the user, but active in memory, causing
from time to time a notorious loss of resources in the system. 
Because they are hidden, the user cannot close them.
The solution consists of rebooting Windows and eliminating the code
that originated the infection, by means of a scan with one or more
updated antivirus programs.  The Trojan does not produce any other
change in the computer, nor does it include any routine of infection,
so it is not able to spread by itself.  An updated antivirus,
monitoring in real time, also stops the action of this pestware."
Translated from "Troj/JS.Noclose.B. Agota los recursos del sistema":
http://www.vsantivirus.com/js-noclose-b.htm

This explains why you cannot start other applications until you
restart your PC or do something to stop the hidden Internet
Explorer windows.

Hope this helps.

Request for Question Clarification by livioflores-ga on 16 Jun 2003 22:51 PDT
Hi bbb!!

If your PC problem is solved and you think that my help deserves the
prize, please let me know and I will post an answer.
Thank you

Regards.
livioflores-ga

Clarification of Question by bbb-ga on 17 Jun 2003 01:04 PDT
To livioflores (and others who responded with help or suggestions): I
certainly think livioflores put in enough time & effort to earn that
magnificent salary, and in fact, I'll increase it by $5, to $20 in
total, so you can just about retire at this point....

(To synarchy and funkywizard, and any others kind enough to make
suggestions, please read this:)


Thanks for the help. I'm not crystal-clear on what happened, and have
a few final questions, below. But to review the situation and what is
to be learned from it:

1. First: I gather I had a not-too-dangerous virus whose main function
was to trick me into deleting IEXPLORER.EXE. (My computer knowledge is
spotty in some ways, but I recognized that this was probably the main
Internet Explorer executable module, so I wasn't in a hurry to delete
it. Of course, I also know that viruses can infect otherwise healthy
files, so I did wonder if IEXPLORER.exe had gotten infected. However,
I was always able to open it, and it seemed to run perfectly.)

2. I've also learned that bitdefender can apparently find and delete
(evidently) some virus or virus-like attackers which even Norton can't
find or understand properly. So anyone who runs Norton should also
learn and use bitdefender, apparently (how often? Every couple of
days?). The free online version seems to work fine.

3. My computer's behavior, tho, does not closely match the
scenario. First, I did not have trouble with Internet Explorer; that
program seemed to behave normally, through all this. On the other
hand, for a short while I did have much trouble running WORD, which
would be consistent with the description here which says that this
problem ties up system resources.

Clarification of Question by bbb-ga on 17 Jun 2003 01:07 PDT
Continued! (Did not mean to post the first part of this when I did.)

So: Does it seem safe to assume that what I had was in fact only this
relatively minor problem? That seems not unlikely; but as noted, there
are many unanswered aspects to this.

Again thanks!
BBB
Answer  
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
Answered By: livioflores-ga on 17 Jun 2003 07:54 PDT
Rated:4 out of 5 stars
 
Hi bbb!!

I will post the answer with the hope that you can use it in the future
as reference.

I think that you had a minor virus infection. The solution for this is
to do an online antivirus scan. The best service that I know of is the
one offered by Bit Defender; you just visit the following page and
follow the instructions:
http://www.bitdefender.com/scan/licence.php

After you ran this scan, the downloaded scanner detected the virus
called JS.Trojan.NoClose.B
This is not a dangerous pest:
"The infection is activated by the execution of code in JavaScript
embedded in a Web page or an HTML message.  When said page is
visualized, the browser remains minimized and cannot be closed or
maximized easily in some cases.
Also a large quantity of windows are opened, aiming at different
directions of selected URLs listed in its code.  If the connection to
the Internet is active, these directions are accessed without the
authorization of the user.
The windows remain hidden to the user, but active in memory, causing
from time to time a notorious loss of resources in the system. Because
they are hidden, the user cannot close them. The solution consists of
rebooting Windows and eliminating the code that originated the
infection, by means of a scan with one or more updated antivirus
programs.  The Trojan does not produce any other change in the
computer, nor does it include any routine of infection, so it is not
able to spread by itself.  An updated antivirus, monitoring in real
time, also stops the action of this pestware."
Translated from "Troj/JS.Noclose.B. Agota los recursos del sistema": 
http://www.vsantivirus.com/js-noclose-b.htm

This explains why, when you started another program and the malicious
code was running, you received "not enough resources or memory"
messages.
Now you are wondering why you did not have problems, at the same time,
with programs other than Word. I guess that Internet Explorer, as a
previously running program, had physical memory assigned; when you tried
to start a big program like Word (which needs a lot of memory), not
enough memory was available and it did not start.

For more info about the JS.Trojan.NoClose.B pest from the Bit
Defender's site:
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=3

One more thing: your IEXPLORE.EXE file was not infected, I guess; it
was used by the pestware and you deleted it from a system cache folder
(DLLCACHE).
This is the place where Windows stores the important system files
(usually DLL and EXE) that are used during a WFP (Windows File
Protection) recovery.
See "What is the Windows File Protection (WFP) in W2K/XP computer?":
http://www.petri.co.il/what's_windows_file_protection.htm

You can do an online scan once a week, and use it as a second opinion.

Some recommendations:
-The Proxomitron:
To diminish the risk of infection and to avoid damages caused by the
use of malicious code embedded in webpages by the simple fact to
visualize them, I recommend the installation of the free utility
Proxomitron.
See "The Proxomitron An Introduction ":
http://www.sankey.ws/proxomitron.html

Download it from here:
http://www.pluto.dti.ne.jp/~tengu/proxomitron/files/ProxN45.exe


-Pest Patrol:
"PestPatrol is a powerful security and personal privacy tool that
detects and eliminates destructive pests like trojans, spyware, adware
and hacker tools. It complements your anti-virus and firewall
software, extending your protection against non-viral malicious
software that can evade your existing security and invade your
personal privacy." It costs $39.95
http://www.safersite.com/pestpatrolhe/


Additional note: Heuristic is known by Symantec as Bloodhound, you can
access it by the Options menu. The following page may be useful to
you:
"How to configure Norton AntiVirus to provide maximum virus protection
" (note the paragraph that says "Choosing the "Highest Level of
Protection" may cause NAV to incorrectly report a virus." in the
manual scan section):
http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2001031614323606


I hope this helps you in the future; I am glad that it did so
today. If you need a clarification please post a request for it.

Best regards.
livioflores-ga
bbb-ga rated this answer: 4 out of 5 stars and gave an additional tip of: $5.00
Very good, well-organized help by livioflores. 
I am still puzzled by something that just happened, though, and which
may contradict some of the earlier interchanges.
I just ran Norton's virus scan, which finished and scanned only
124,025 files. I did this twice, same result.
But the last scans prior to that, June 13th, were all in the area of
424,000. (I do have all my data backed up every few days, to a 40 Gig
internal hard drive, so if much of the originals are gone, I likely
have copies).
But earlier scans (June 7th) showed only 113,000 files, so I can't
figure things out...also, the scans only go back a few days (I don't
know why; I run Norton virus scan every few days and would never have
deleted the results).
Any suggestions about this? The virus may have destroyed 3/4 of my
data.
Any suggestions about what to check? 
Are there any ways to count the number of files in a directory, so that
I can start comparing some of my backups on the internal hard drive to
each other, and to what is on the main drive?
Help....! This still looks serious, even though I had closed out the
question, because I didn't realize the problem with the file totals
then.

Comments  
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: synarchy-ga on 16 Jun 2003 17:40 PDT
 
You might also try one of the free programs available which scans for
embedded programs within the browser (IEXPLORER.exe is Internet
Explorer) - these programs are the result of companies creating
programs that worm into the browser to monitor your typing and
surfing so that they can track what things you search for online. 
SpyBot is freely available and removed a program that was causing a
similar problem on my machine.  It's available from

www.spybot.com
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: bbb-ga on 16 Jun 2003 21:04 PDT
 
To synarchy-ga:
Thanks for that thought. In fact, I recently found out about spybot,
use it and adaware both ('ad-aware' is similar, in some ways). But I
think the problem I have is more serious. Spybot does not deal with
real viruses, just with some phenomena that SEEM like viruses.

But I think the "infection" noted by the program livioflores sent me
to (at http://www.bitdefender.com/scan/licence.php) may be a real
virus infection. As you can see from my clarification to livioflores,
I have no idea whether that program has deleted it or not. ....
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: funkywizard-ga on 17 Jun 2003 00:04 PDT
 
I've seen this happen a number of times before, though usually it
attacks a critical file needed to run all dll files, instead of
attacking internet explorer (iexplore.exe). Basically the way it works
is norton antivirus goes ahead and decides that your perfectly well
behaved system has a virus and then goes on to convince you to delete
critical system files (in this case internet explorer). Then, all
programs that use said system file no longer function and you have to
reinstall your os to fully repair the damage.

I really think it's about time this horrible utilities suite bit the
dust. It makes me shake my head to think that anybody still uses it,
given how each individual utility seems to cause the problems it
purports to solve. Where else do you get the thinking "If you don't
have internet explorer, you cant get any malicious websites attacking
your computer anymore."?

Now, onto the other information. I agree with livioflores-ga
wholeheartedly on the recommendation of using bitdefender, I've always
had it work well for me.

Also, that "noclose" trojan/virus is nothing to worry about, it's just
basically saying one of the web pages you've visited in the past had a
popup ad in it.
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: bbb-ga on 17 Jun 2003 01:15 PDT
 
To funkywizard: 

I appreciate your kind help. I hope you can scan the
comments/questions here again, and let me know if does indeed seem
that I had only the virus that's been mentioned, which would mean this
is not disastrous.

And how often do you run bitdefender? And does it often catch things
that Norton's virus scan is confused by?

Do you recommend using Norton and/or McAfee AND running bitdefender?
Is that correct? Any clarifications will help.

Many thanks!

BBB
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: funkywizard-ga on 17 Jun 2003 02:17 PDT
 
I've run all 3 programs before. I found that McAfee didn't seem to do
much good or bad, norton caused many more problems than it solved, and
bitdefender was pretty good about behaving well with my system and
still finding viruses.

I suppose the main problem with norton from my perspective is its
"heuristic" scan, which often claims there are viruses present when
there are not. Since the heuristic scan scans for viruses the program
does not have specific knowledge of how to clean, it then goes and
asks you to delete the files.

On several occasions, I have had norton "go crazy" and decide all the
programs on my computer were virused. After deleting a few of them
because it recommended this, I decided to reboot, after which point
norton didn't detect any viruses, at which point it had already
deleted many critical system files.

One of the things I like best about bitdefender is that its update
program works very well, very automatically (if desired), and is
updated on about a daily basis. For this reason there is no need to
run risky heuristic scans that often just cause software conflicts.

If you really want to keep using norton, I would definitely recommend
disabling heuristic scanning.

And to answer one concern, as long as all your programs are working
and your system appears to be behaving normally, there should be no
reason to take your computer into the shop to be reloaded, since the
types of "viruses" found by norton, even if they are real, are
actually more like nuisance programs than viruses and not a whole lot
to worry about. On the other hand, if this ordeal has deleted files
your system needs in order to run some of your more used programs, you
may indeed have to reload windows to get things working normally
again.

Best of luck,
Funkywizard
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: bbb-ga on 17 Jun 2003 05:18 PDT
 
To funkywizard: 

Thanks for that additional help. 

One point I don't understand is exactly what you mean by not doing
"heuristic" scanning. Do you mean (a) do NOT run Norton "in
background" checking on incoming and outgoing mail, etc.... or (b)
make sure Norton runs with certain parameters not selected (That is:
Are you using "heuristic" to describe a certain kind of parameter, or
a certain kind of scheduling?)

BB
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: livioflores-ga on 17 Jun 2003 07:56 PDT
 
In regard to the other WORD problem, I think that there is registry
or configuration trouble. Please post a new question about this to
let another researcher answer it.
Subject: Re: URGENT help needed re virus - "malicious script"? - in IEXPLORE.EXE, per Norton
From: livioflores-ga on 17 Jun 2003 22:11 PDT
 
Hi again bbb!!

Thank you for the good rating and the tip!!
I was thinking about your last comment and in my opinion you are worrying
about nothing. The difference between the number of files scanned
could originate in the deletion of some temporary files (Temporary
Internet and Windows files), cookies, etc.
If you want to compare directories you can see the following programs:
-FolderMatch: (You can try it for 30 days)
http://www.foldermatch.com/fmpeek.htm
Download from:
http://www.foldermatch.com/fmdownload.htm

-Drasbek Diff'n'Merge V1.3: You are allowed to try out this program,
but you must register it if you use it regularly. So you can use it
for free if you don't use it very often ;>).
http://www.drasbek.com/diffnmerge.htm
http://www.drasbek.com/dminst13.exe

I tried both and they work very well for me.

Other software:
WMatch 2.0: You must subscribe to download it (About 6 dollars)
http://www.pcmag.com/article2/0,4149,487066,00.asp

Compare and Merge: The full featured trial period ends after 50
comparisons.
http://www.allyoursoftware.com/en/compare/

Hope this helps.
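
For the file-count question in the rating comment and the folder-comparison tools suggested above, here is an added example (not from the thread or any of its participants): a Python script that inventories two directory trees and reports per-folder counts, files missing from the backup, and files whose contents differ. The sample trees and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path


def file_digest(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks; None if the file cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
    except OSError:  # locked or permission-denied files are common on Windows
        return None
    return h.hexdigest()


def inventory(root):
    """Map each file's path relative to root -> SHA-256 digest (or None)."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = file_digest(full)
    return result


def counts_by_top_dir(inv):
    """File count per top-level folder, to see where a scan total changed."""
    return Counter(p.split("/", 1)[0] if "/" in p else "." for p in inv)


def compare_trees(original, backup):
    a, b = inventory(original), inventory(backup)
    common = set(a) & set(b)
    return {
        "original_total": len(a),
        "backup_total": len(b),
        "original_by_dir": dict(counts_by_top_dir(a)),
        "missing_from_backup": sorted(set(a) - set(b)),
        "only_in_backup": sorted(set(b) - set(a)),
        "unreadable": sorted(p for p in common if a[p] is None or b[p] is None),
        "content_differs": sorted(
            p for p in common if None not in (a[p], b[p]) and a[p] != b[p]
        ),
    }


def build_sample(base):
    """Constructed sample trees standing in for the main drive and its backup."""
    files = {
        "original/docs/a.txt": b"letter",
        "original/docs/b.txt": b"report v2",
        "original/cache/page1.htm": b"<html></html>",  # browser-cache stand-in
        "original/notes.txt": b"todo",
        "backup/docs/a.txt": b"letter",
        "backup/docs/b.txt": b"report v1",
        "backup/notes.txt": b"todo",
        "backup/old/z.txt": b"archived",
    }
    for rel, data in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return Path(base) / "original", Path(base) / "backup"


def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample(base))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample both trees hold four files, yet one file is missing from the backup, one exists only there, and one differs in content, which is why a bare total says little on its own. For real use, call `compare_trees` with the two folder paths in place of the constructed sample.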
