Norton has found the w32dedler.worm in my xp pro
c:\windows\system32\smvss.exe and cannot clean, quarantine or remove
it. |
Request for Question Clarification by feilong-ga on 24 Apr 2004 07:21 PDT
Since it's infected and can't be cleaned, have you tried deleting the file?
|
Clarification of Question by arvedon-ga on 24 Apr 2004 08:09 PDT
The file will not allow itself to be deleted. Also, Microsoft support
informed me that smvss.exe is not a Microsoft file even though it is in
the System32 directory.
|
Request for Question Clarification by feilong-ga on 24 Apr 2004 09:14 PDT
Hi Arvedon-ga
Yes, smvss.exe is not a Microsoft file. There are many forums on the
web saying that the file cannot be deleted but we will try to solve
this.
Right-click the file then go to properties to make sure that the file
is not hidden. Change the attribute if necessary. Restart the computer
to DOS. You can follow the instructions in these links:
Windows XP Professional Documentation: "MS-DOS overview"
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/default.mspx
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/windows_dos_overview.asp
Once in DOS mode C prompt, type this:
del C:\windows\system32\smvss.exe
OR
If you're in Windows, try renaming the file by changing ".exe" to
".abc" or ".txt" or by simply removing ".exe".
After renaming it, select the file and delete it. If it can't be done
in Windows, use the same instructions that I gave to delete in DOS
mode. Just make sure you type the correct name of the renamed file:
del C:\windows\system32\(renamed file)
Please tell us if this solved the problem. If not, please tell us if
you have Norton Utilities installed.
- Feilong
|
Request for Question Clarification by feilong-ga on 24 Apr 2004 10:10 PDT
You can also try to move the file out of the system folder and put it
in another folder that you want then delete the file from there.
|
Clarification of Question by arvedon-ga on 24 Apr 2004 11:24 PDT
I have to go out for an hour or so. Will try your suggestion upon my
return. To answer your question, I only have Norton virus and Internet
security. I do not have Utilities but will purchase it if that is needed.
Richard
|
Request for Question Clarification by feilong-ga on 24 Apr 2004 11:39 PDT
I need to know if the suggestions are effective and I have other
suggestions in case they don't work so I'll wait for your reply. Thank
you.
|
Clarification of Question by arvedon-ga on 24 Apr 2004 13:43 PDT
I was unclear whether you meant the DOS command prompt or if there is
some way to get to "real" DOS from within XP. I went to the command
prompt and issued your instruction. It said that the file could not
be located. But when I went and checked the directory it was gone. I
rebooted and ran the Norton virus scan. The W32.Dedler.worm has now
moved to
C:\System Volume Information\_restore{AD6EEC57-03F7-4D39-AF19-71F8630A460F}\RP375\.
It is now listed as being in quarantine. Should I try the same procedure
or is this data I need?
Richard
|
Request for Question Clarification by feilong-ga on 24 Apr 2004 23:47 PDT
Hi Arvedon-ga
"I was unclear whether you meant the DOS command prompt or if there is
some way to get to 'real' DOS from within XP." -- I meant the DOS
command prompt.
From what I found on the Internet, the worm is related to an
adware/spyware program although it was not clearly identified.
What is spyware?
"A technology that assists in gathering information about a person or
organization without their knowledge. On the Internet, "spyware is
programming that is put in someone's computer to secretly gather
information about the user and relay it to advertisers or other
interested parties." As such, spyware is cause for public concern
about privacy on the Internet."
http://reach.ucf.edu/~coursdev/cdrom/html/help/glossary.html
What is adware?
"while not necessarily malware, adware is considered to go beyond the
reasonable advertising that one might expect from freeware or
shareware. Typically a separate program that is installed at the same
time as a shareware or similar program, adware will usually continue
to generate advertising even when the user is not running the
originally desired program. See also cookies, spyware, and web bugs."
http://sun.soci.niu.edu/~rslade/secgloss.htm
To remove this, please follow the instructions described in the following links:
PestPatrol, Inc. How To Clear a Hijack
http://www.pestpatrol.com/Support/HowTo/How_To_Clear_a_Hijack.asp#DisablingScripting
To make it easy for you and to remove spyware or adware programs, download
and install the following programs, but don't forget to update them first
before running them one after the other:
Spybot - Search & Destroy 1.2 Application to scan for spyware, adware,
hijackers and other malicious software.
http://www.safer-networking.org/index.php?page=mirrors
To update Spybot, click on Search for updates.
Ad-Aware: http://www.lavasoft.de/support/download/
To update Ad-Aware, click on the globe icon with a magnifying glass
called Open WebUpdate.
Make sure to keep these programs updated and run them once or twice a
week. Also, make sure to have an antivirus program for further
protection.
Please tell us if this solved the problem. Thanks.
Regards,
Feilong
|
Request for Question Clarification by feilong-ga on 24 Apr 2004 23:51 PDT
By the way, if it is reported as being in quarantine, please do not
touch it. If it is in your Norton Antivirus quarantine, you can simply
delete the quarantined file and your problem is gone.
Again, please tell us if this solved your problem. Thank you.
|
Request for Question Clarification by livioflores-ga on 25 Apr 2004 05:22 PDT
Follow these steps to remove the virus:
1- Get into Windows Safe Mode:
http://www.computerhope.com/issues/chsafe.htm#02
2- Disable System Restore: VERY IMPORTANT, PLEASE DO IT!!!
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
3- Use the Task Manager to stop processes:
Press Ctrl + Alt + Del and in the Processes tab select smvss.exe (if
available) and click on the End processes button at the bottom.
"Windows XP : Task Manager"
http://www.wown.info/j_helmig/wxptskmg.htm
4- Search your HD drives with the Windows search tool for the file
smvss.exe, and if it is found, delete it and empty the recycle trash.
"HOW TO: Search for Files and Folders in Windows XP"
http://support.microsoft.com/default.aspx?scid=kb;en-us;308895&sd=tech
5- Perform a scan with Norton Antivirus; at this point the most
likely result is that the virus is not found in your computer. If
the virus is found, let Norton do its work to delete it and empty the
quarantine.
This method must clean your computer. If it does not work, let me know
what happened and I will give you further assistance. If it works, let
me know so that I can post this in the answer box.
Regards.
livioflores-ga
|
Clarification of Question by arvedon-ga on 25 Apr 2004 05:25 PDT
2 questions:
Do I need to be concerned about deleting the
Information\_restore{AD6EEC57-03F7-4D39-AF19-71F8630A460F}\RP375\
where the virus now resides, is this file information I will need?
You say I should get an antivirus program, do you mean in addition to
the Norton I already have?
Norton told me that the virus was now in quarantine so after I receive
your response I will attempt to delete the quarantined file.
Richard
|
Request for Question Clarification by feilong-ga on 25 Apr 2004 06:04 PDT
Hi Arvedon,
Like I said, if it is in your Norton Antivirus quarantine, just delete
the quarantined file and your problem is gone.
Please tell me if this solved your problem and I'll post an official
answer. Thank you.
Regards,
Feilong
|
Request for Question Clarification by livioflores-ga on 25 Apr 2004 06:34 PDT
When you disable System Restore the folder
Information\_restore{AD6EEC57-03F7-4D39-AF19-71F8630A460F}\RP375\ is
deleted.
When you see that the antivirus no longer finds the virus, just
enable System Restore again.
Thank you.
|
Request for Question Clarification by livioflores-ga on 25 Apr 2004 06:45 PDT
Please note that we are two different researchers working on your
question, so you can decide which of us deserves the prize. Please
include this in your next clarification, which I am sure will tell us
that your computer is clean.
livioflores-ga
|
Clarification of Question by arvedon-ga on 25 Apr 2004 12:21 PDT
I deleted the virus from quarantine, ran the Norton virus scan and
thought I was done since the virus did not show up. Then did a file
search and found that the smvss.exe is now showing up in
C:\windows\prefetch. Should I next follow the procedure suggested by
LIVIOFLORES? Please advise.
|
Request for Question Clarification by livioflores-ga on 25 Apr 2004 19:57 PDT
Hi!!
My suggestion is YES, delete the file found in C:\windows\prefetch
(I also suggest that you empty this folder). It is a cached version of the
original. If you think that you possibly need this file or think that
Windows will need it, make a backup by copying it to a 3 1/2" diskette.
What is Windows XP Prefetch?
"This is a unique technique for Windows XP operating system. Following
is a definition given by Microsoft on prefetching technique.
Windows XP monitors the files that are used when computer starts and
also when you start applications. By monitoring these files, Windows
XP can prefetch them. Prefetching data is the process whereby data
that is expected to be requested is read ahead into the cache.
Prefetching boot files and applications decreases the time needed to
start Windows XP and start applications.
This information is logged and stored on your hard drive taking up
space and requires a process to be kept running monitoring which
applications are being run often. This has a performance impact on
your PC...
However, it is recommended to clear your prefetch directory often at
least monthly once."
http://www.prabhums.org/weblogs/?postid=70
If you did not disable System Restore, remember to disable it and
then enable it again (if you want to use it; normally this useful tool
wastes a lot of HD space); the virus was saved to System Restore's
files (in one or several Restore Points) and it is "waiting" for a
recovery to attack again.
I guess that we are very close to a complete cleaning of your PC.
Regards.
livioflores-ga
|
Request for Question Clarification by livioflores-ga on 27 Apr 2004 03:42 PDT
Hi!!
How did the last advice work?
Do you need more help?
|
Clarification of Question by arvedon-ga on 27 Apr 2004 05:09 PDT
The only thing I have not had a chance to do yet is what you advised
on the restore. Everything else seems alright though.
I am curious, Norton normally places any virus in quarantine, why not
this one until I deleted it using the command prompt?
|
Request for Question Clarification by livioflores-ga on 27 Apr 2004 16:51 PDT
What is it that you cannot do, disable System Restore?
If the virus is in the System Restore folder, Norton cannot move it from
there, because it is a protected folder of the Windows system. After
disabling this service and scanning again you will not find the virus
anymore.
After that you are free to enable the System Restore tool again.
Please clarify this point.
Thank you.
livioflores-ga
|
Request for Question Clarification by livioflores-ga on 27 Apr 2004 20:29 PDT
Please also tell me if I can post the advice provided in the answer
box in order to claim the prize.
Regards.
livioflores-ga
|
Clarification of Question by arvedon-ga on 28 Apr 2004 01:48 PDT
I have still not had a chance to fool with the restore and I still do
not understand why Norton could not quarantine the virus when it first
appeared in the Windows directory but I have no problem paying the
money. Thank you for your assistance.
|
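Across this thread smvss.exe was reported in three places: System32, a System Restore point, and the Prefetch folder (where entries are named NAME.EXE-<hash>.pf). The Python sketch below is an added example, not part of the original thread: it sorts a list of reported paths into those locations and lists the clean-up steps from the thread that apply. The function names are hypothetical, and the sample paths are constructed (the restore-point file name and the prefetch hash are made up).

```python
import re

# Constructed sample input: paths as an antivirus log or file search might
# report them. The restore-point file name and prefetch hash are made up.
SAMPLE_HITS = [
    r"C:\WINDOWS\system32\smvss.exe",
    r"C:\System Volume Information\_restore{AD6EEC57-03F7-4D39-AF19-71F8630A460F}\RP375\A0001234.exe",
    r"c:\windows\Prefetch\SMVSS.EXE-0A1B2C3D.pf",
    r"D:\backup\smvss.exe",
]

RULES = [
    # (kind, pattern matched against the lower-cased path)
    ("restore_point", re.compile(
        r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp(?P<rp>\d+)\\")),
    ("prefetch", re.compile(
        r"^[a-z]:\\windows\\prefetch\\(?P<exe>[^\\]+\.exe)-[0-9a-f]{8}\.pf$")),
    ("system32", re.compile(r"^[a-z]:\\windows\\system32\\(?P<exe>[^\\]+)$")),
]

def classify(path):
    """Return (kind, detail) for one path; Windows paths are case-insensitive."""
    lowered = path.strip().lower()
    for kind, pattern in RULES:
        m = pattern.match(lowered)
        if m:
            detail = m.groupdict()
            return kind, detail.get("rp") or detail.get("exe")
    return "other", lowered.rsplit("\\", 1)[-1]

def triage(paths):
    """Group hits by location and list the thread's clean-up steps that apply."""
    found = {}
    for p in paths:
        kind, detail = classify(p)
        found.setdefault(kind, []).append(detail)
    steps = []
    if "system32" in found or "other" in found:
        steps.append("Safe Mode: end the process, delete the file, rescan")
    if "restore_point" in found:
        rps = ", ".join("RP" + n for n in sorted(set(found["restore_point"])))
        steps.append("Turn System Restore off, rescan, turn it back on (%s)" % rps)
    if "prefetch" in found:
        steps.append("Delete the .pf prefetch entries for: "
                     + ", ".join(sorted(set(found["prefetch"]))))
    return found, steps

if __name__ == "__main__":
    for step in triage(SAMPLE_HITS)[1]:
        print(step)
```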