I have a Downloader Trojan Horse virus that I can't get rid of. Norton can't repair it, nor can many anti-virus and spyware programs I have tried. I tried Symantec's instructions as to running it in safe mode and trying to delete it from the registry; however, when I went to the registry, it wasn't there. It's low threat on all levels and is supposed to be easy to remove, but I can't.
It's in C:\Windows\system32\ymya2.dll. A friend suggested copying a clean copy of this file from another computer and then deleting the virus-infected one, but said it could make it impossible to reboot my computer. My other computers don't seem to have this file anyway. I am running Windows XP and am completely up to date with virus protection and Service Pack 2.
My friend also said it may not really even be a virus, but Norton might be just identifying it as such. It's a small file, 5 KB, so maybe I can just leave it there, but is there a way for Norton to quit popping up all the time?
Any help would be greatly appreciated. Thanks, Paul
Request for Question Clarification by answerguru-ga on 23 Jan 2005 10:54 PST
Hi Paul,
Have you tried the information available from Symantec's Security Response? I searched "downloader trojan horse" from this page:
http://securityresponse.symantec.com/avcenter/vinfodb.html
There appear to be several versions of this virus (just looking at the first page of results). Do you know which one specifically is being stated by Norton?
answerguru-ga
Request for Question Clarification by hummer-ga on 23 Jan 2005 11:42 PST
Hi pablocruise,
In regards to your statement, "when I went to the registry, it wasn't there", did you enable viewing of hidden files, folders, and extensions first?
Start Windows Explorer and click your main hard drive.
Select Tools / Folder Options/ View Tab.
Scroll down to Hidden Files and Folders and check "Show Hidden Files and Folders".
Next, uncheck the "Hide File Extensions for known types" (don't skip this step).
Now you are ready to try Symantec's instructions again if you want to.
Also try:
TrojanScan (online scanner):
http://www.windowsecurity.com/trojanscan/
If still no joy, try the following steps in order:
1) Disable your System Restore.
How to disable the System Restore feature:
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm
2) Run HouseCall, a very thorough online virus scan:
http://housecall.trendmicro.com/
3) Update your Ad-aware and Spybot.
4) Boot into Safe Mode.
5) In Safe Mode run Ad-aware, Spybot & scan again with TrojanScan.
6) Reboot normally and re-enable your System Restore and set a new restore point.
If that doesn't work, it's time to try HijackThis:
http://majorgeeks.com/download3155.html
Post the HijackThis log here. Do not try to fix anything yourself unless you know what you are doing.
Good luck,
hummer
Clarification of Question by pablocruise-ga on 23 Jan 2005 13:41 PST
I did try the Symantec advice... someone else said to go to Explorer and show hidden files; that is maybe the reason it was not in the registry.... The virus is also known as Trojan Downloader.Win32.Get Files, TrojanDownloader.Win32/Erom, or Downloader.w
Clarification of Question by pablocruise-ga on 23 Jan 2005 18:24 PST
When I try to run the Trojan scan, Windows stops it with an error report about halfway through, which stops the scan. I tried showing the hidden files, but it still did not show.
I tried running my Windows 98 disk to try to get a clean C:\windows\system32\ymya2.dll, but my CD-ROM would not let me, or better yet would keep prompting me to insert the CD when it was already in the drive.
Is there a place I can get a clean file off the web? Like I said, it's 5 KB. Thanks
Request for Question Clarification by livioflores-ga on 24 Jan 2005 03:53 PST
I think that the file C:\Windows\system32\ymya2.dll must be deleted; it is not part of the Windows system. I am pretty sure that it is part of the trojan.
Try to start in safe mode and then delete the file:
"Getting into Windows Safe Mode":
http://www.computerhope.com/issues/chsafe.htm
It will be useful if you can post a HijackThis log:
"HijackThis Tutorial":
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
Just post the log WITHOUT fixing anything; I will tell you which items you must remove without damaging the Windows system.
To download HijackThis:
http://www.bleepingcomputer.com/files/Merijn/HijackThis.zip
I will wait for your response.
Regards.
livioflores-ga
Clarification of Question by pablocruise-ga on 24 Jan 2005 09:35 PST
First off, I am at work, so this will have to wait until 6:00pm PST. I am a novice with computers, so I need more simple direction. I assume you want me to post it before I delete the file? How do I post it?
Next I run HijackThis; then I suppose it's going to give me multiple files; then am I supposed to post those and then you will tell me which ones to delete?
At what point am I running safe mode and deleting the file?
What if the file is important and my computer won't work when I remove it?
Sorry for all the questions, but I do know enough that if I screw something up it could take days to fix.
Do I keep running System Restore and/or go back just in case?
Thanks for all your help, Paul
Request for Question Clarification by livioflores-ga on 24 Jan 2005 19:21 PST
Hi again!!
Perform the following tasks:
Reboot your computer in safe mode. For instructions see the following page:
"Getting into Windows Safe Mode":
http://www.computerhope.com/issues/chsafe.htm
Then disable System Restore if it is enabled. See the following page for instructions:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
The next step is to delete the infected file C:\Windows\system32\ymya2.dll (if you think that you will need it later, you can copy it to a floppy disk or to another device like a CD-RW).
Remove this file (if present) with Windows Explorer:
trojandownloader.win32.getfiles.exe
If you need help on this see:
"How To Search for Files and Folders in Windows XP":
http://support.microsoft.com/default.aspx?scid=kb;en-us;308895&sd=tech
For additional reference see:
"Downloader.Trojan" at Symantec's site:
http://securityresponse.symantec.com/avcenter/venc/data/downloader.trojan.html
The above procedures must help you to get rid of this pest; if this fails, we will try with HijackThis (do not worry, I will provide you with detailed instructions if you need them).
I will wait for your feedback on this.
Regards.
livioflores-ga
Clarification of Question by pablocruise-ga on 24 Jan 2005 22:14 PST
livioflores, Hi. I tried what you suggested, but 1: I couldn't copy the file because it is "full or write protected or is now currently in use".... I tried to delete it with System Restore disabled and in safe mode, and it gave me the same reason why it couldn't be deleted. Is HijackThis still an option? Thanks, Paul
Request for Question Clarification by livioflores-ga on 25 Jan 2005 03:59 PST
At this point I will need to see a HijackThis log. First of all, download it from:
http://www.unitethecows.com/software/HijackThis.exe
Copy it into a separate folder from other files or programs, for example in:
C:\My Documents\HijackThis
Then run it and follow the instructions from this tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse
Follow the instructions to save a log and post it into a forum, adapting the procedure to Google Answers. Post the log as a clarification and do not check to fix anything; I will tell you which items you must fix without damaging the Windows system.
Regards.
livioflores-ga
Clarification of Question by pablocruise-ga on 25 Jan 2005 21:17 PST
Logfile of HijackThis v1.99.0
Scan saved at 8:17:39 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Documents and Settings\Paul\My Documents\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\oljF2F5.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://G:\content\include\XPPatchInstaller.CAB
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://G:\Content\include\msSecUcd.cab
O23 - Service: GoBack Polling Service - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
This is probably not where I was to post it, but it was the best I could do at the time... I will keep trying. Paul
Answer by livioflores-ga
Hi!!
These are the items that you must fix:
Running processes:
Try to stop this process:
C:\Program Files\safe-share\SafeShare.exe
To stop this process you must use the Task Manager; follow the instructions on the following page (they work for Windows XP):
"HOW TO: Use Windows Task Manager in Windows 2000":
http://support.microsoft.com/kb/323527/en-us
When the process is stopped, try to delete it and its folder:
C:\Program Files\safe-share\
Reboot in safe mode and run HijackThis.
Clean out these folders (it is safe):
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content, including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
Please follow the instructions below if you wish to remove the offending items.
Items to be checked for fix:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\oljF2F5.dll
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://G:\content\include\XPPatchInstaller.CAB
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://G:\Content\include\msSecUcd.cab
Click on the Fix Checked button.
Now try to delete the infected file C:\Windows\system32\ymya2.dll
Delete the folder
Reboot in normal mode and repost a new HJT log file.
In my opinion this must clean your computer; if not, I will check your new log file and I'll give further assistance to complete the trojan and pestware removal.
Best regards.
livioflores-ga
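As an added example (not code from this thread, from HijackThis or from Google Answers), the Python script below parses the entry types livioflores marks above (R0, O2, O16) from a few lines of the posted log and flags them with three explicit rules. The rules, the trusted-host list and the treatment of "No description" BHOs are assumptions chosen for this example; a flag means "inspect this file or URL", not "malicious".

```python
"""Triage of a HijackThis log (added example; not HijackThis or the thread's code).

Parses the entry types the answer above marks for fixing (R0, O2, O16) and
flags them with three explicit rules.  The rules and the trusted-host list are
assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted above, with the
# line wrapping undone so that each entry is on one line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\oljF2F5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://G:\content\include\XPPatchInstaller.CAB
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumption: hosts from which a start/search page or a downloaded ActiveX
# control (O16 "DPF") is considered expected.  Extend per environment.
TRUSTED_HOSTS = frozenset({"microsoft.com", "msn.com", "windowsupdate.com"})

# Names HijackThis prints for a BHO whose registration carries no name.
UNNAMED_BHO = frozenset({"(no name)", "no description", ""})

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(rf"^BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
DPF_RE = re.compile(rf"^DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # "R0", "O2", "O16", ...
    body: str      # text after the "Oxx - " prefix
    raw: str       # the whole log line


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    raw: str


def parse(log_text: str) -> list[Entry]:
    """Return the HijackThis entries in a log; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"], line))
    return entries


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, trusted=TRUSTED_HOSTS) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(log_text: str, trusted=TRUSTED_HOSTS) -> list[Finding]:
    """Apply the three rules and return the entries worth a closer look, in log order."""
    findings = []
    for e in parse(log_text):
        if e.section in ("R0", "R1") and " = " in e.body:
            # Rule 1: IE start/search page redirected to a host we do not expect.
            url = e.body.split(" = ", 1)[1]
            if not is_trusted(host_of(url), trusted):
                findings.append(Finding(e.section, f"browser search/start page set to {host_of(url)}", e.raw))
        elif e.section == "O2":
            # Rule 2: a Browser Helper Object that registers no name at all.
            m = BHO_RE.match(e.body)
            if m and m["name"].strip().lower() in UNNAMED_BHO:
                findings.append(Finding(e.section, f"unnamed BHO loads {m['path']}", e.raw))
        elif e.section == "O16":
            # Rule 3: a downloaded ActiveX control from a file: URL or an untrusted host.
            m = DPF_RE.match(e.body)
            if m and m["url"].lower().startswith("file:"):
                findings.append(Finding(e.section, "ActiveX control installed from a file: URL", e.raw))
            elif m and not is_trusted(host_of(m["url"]), trusted):
                findings.append(Finding(e.section, f"ActiveX control downloaded from {host_of(m['url'])}", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.raw}")
```

On the sample above the script reports the R0 search hijack, the unnamed BHO in system32 and all three O16 controls, and leaves the Norton and SafeShare entries alone; SafeShare is only caught by the answer's own knowledge of that program, which no rule here encodes.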
Clarification of Answer by livioflores-ga on 26 Jan 2005 06:51 PST
I must clarify the last part of my answer:
Click on the Fix Checked button.
Now try to delete the infected file C:\Windows\system32\ymya2.dll
*** Delete the folder (if still present):
C:\Program Files\safe-share\
Reboot in normal mode and repost a new HJT log file.
Good luck!!
livioflores-ga
Request for Answer Clarification by pablocruise-ga on 26 Jan 2005 20:08 PST
livioflores, hi. I tried all your steps and I still can't delete C:\Windows\system32\ymya2.dll, with the same explanation and virus. See the latest HijackThis log below. A local computer guy suggested removing the hard drive and then externally scanning it, or something like that. For supposedly such a benign virus that is easy to remove, it's being a bugaboo. I thank you for all your work; can you think of some other way of doing it? Thanks, Paul
Logfile of HijackThis v1.99.0
Scan saved at 7:57:58 PM, on 1/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Paul\My Documents\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: GoBack Polling Service - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Clarification of Answer by livioflores-ga on 26 Jan 2005 22:01 PST
Hi again!!
I think that we need a new tool. Please download Process Explorer:
http://www.sysinternals.com/files/procexpnt.zip
See its page for reference if you want:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Unzip it in a dedicated folder (like c:\Process Explorer) and then run the program by double-clicking on the file procexp.exe.
When the Process Explorer window opens:
- Click on the Find DLL button or Menu Find-->Find DLL, or press Ctrl+E simultaneously
- A dialog box is displayed; put in the DLL substring box: ymya2.dll
- Press the Search button
- A list of processes that use the ymya2.dll file appears in the bottom part of the dialog box; stop all of them (you can use Process Explorer to do that via the Kill Process button (the red X)).
Please post the list of processes that are using the infected file. I will give you assistance to delete them and the infected file also.
After that you must check to fix some items in the HijackThis scan; again I will tell you which items they are.
Regards.
livioflores-ga
Request for Answer Clarification by pablocruise-ga on 27 Jan 2005 20:21 PST
Livioflores, Hi. When I pressed the search button, winlogon.exe PID 568 showed up. When I went back to the original screen for kill, a list of sub-files was found, like services.exe, svchost.exe, hpgs2wnf.exe, msmsgs.exe, more svchost, and a spoolsv.exe and others. In the bottom section it had a bunch of DLLs with descriptions, except for ymya2.dll. When I tried to kill it, winlogon.exe showed up and asked me if I really wanted to kill it. I said yes; the computer rebooted, and nothing had changed... I still had the virus and winlogon.exe. I saw there was a tab to kill it and all of its sub-folders, but I was too afraid to do it. You asked me to post the list of processes, which I gave the majority of above, but there was no way to copy and paste it like I did in the past. Do you want me to type the full list of processes under winlogon.exe? I do have System Restore and GoBack, so I guess if I do something harmful I can reverse it. I know it must be frustrating working with a non-computer person such as myself, but I appreciate your persistence. Thanks, Paul
Request for Answer Clarification by pablocruise-ga on 27 Jan 2005 21:42 PST
Process PID CPU Description Company Name
System Idle Process 0 90
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 484 Windows NT Session Manager Microsoft Corporation
csrss.exe 548 Client Server Runtime Process Microsoft Corporation
winlogon.exe 572 1 Windows NT Logon Application Microsoft Corporation
services.exe 616 2 Services and Controller app Microsoft Corporation
svchost.exe 776 Generic Host Process for Win32 Services Microsoft Corporation
hpgs2wnf.exe 1500 hpgs2wnf Module
msmsgs.exe 2748 Windows Messenger Microsoft Corporation
svchost.exe 856 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 920 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1676 Windows Security Center Notification App Microsoft Corporation
svchost.exe 996 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1104 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1248 Spooler SubSystem App Microsoft Corporation
GBPoll.exe 1648 Norton GoBack Polling Service Symantec Corporation
NAVAPSVC.EXE 1668 Norton AntiVirus Auto-Protect Service Symantec Corporation
nvsvc32.exe 1696 NVIDIA Driver Helper Service, Version 45.23 NVIDIA Corporation
svchost.exe 1888 Generic Host Process for Win32 Services Microsoft Corporation
SymWSC.exe 1956 Norton Security Center Service Symantec Corporation
alg.exe 356 Application Layer Gateway Service Microsoft Corporation
iPodService.exe 1856 iPodService Module Apple Computer, Inc.
svchost.exe 1608 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 628 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 896 2 Windows Explorer Microsoft Corporation
NAVAPW32.EXE 1056 Norton AntiVirus Agent Symantec Corporation
hpgs2wnd.exe 1324 hpgs2wnd Hewlett-Packard
realplay.exe 1336 RealPlayer RealNetworks, Inc.
mm_tray.exe 1712 mm_tray MUSICMATCH, Inc.
mmtask.exe 1404 TODO: <File description> TODO: <Company name>
hpztsb04.exe 1424 HP
Hpi_monitor.exe 1480 Device Monitor Application Hewlett-Packard Company
iTunesHelper.exe 1396 iTunesHelper Module Apple Computer, Inc.
qttask.exe 1532 Apple Computer, Inc.
winampa.exe 1840
rundll32.exe 260 Run a DLL as an App Microsoft Corporation
SpySweeper.exe 340 Spy Sweeper Webroot Software, Inc.
GoogleDesktop.exe 336
GoogleDesktopIndex.exe 3076
GoogleDesktopCrawl.exe 3120
GoogleDesktopOE.exe 3208
qbdagent2002.exe 1032 QBDAgent Module
QWDLLS.EXE 1436 Quicken Load DLLs Intuit
msn6.exe 4060 msn Microsoft Corporation
procexp.exe 3568 5 Sysinternals Process Explorer Sysinternals
Process: winlogon.exe Pid: 572
Name Description Company Name Version
activeds.dll ADs Router Layer DLL Microsoft Corporation 5.01.2600.2180
adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.01.2600.2180
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
atl.dll ATL Module for Windows XP (Unicode) Microsoft Corporation 3.05.2284.0000
authz.dll Authorization Framework Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0258
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2180
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
index.dat
index.dat
index.dat
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
locale.nls
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
mprapi.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
nddeapi.dll Network DDE Share Management APIs Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntmarta.dll Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2180
oleaut32.dll Microsoft Corporation 5.01.2600.2180
profmap.dll Userenv Microsoft Corporation 5.01.2600.2180
psapi.dll Process Status Helper Microsoft Corporation 5.01.2600.2180
R000000000038.clb
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.2180
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
regapi.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2180
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2180
shsvcs.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.2180
sis.dll Webroot Software, Inc. 3.02.0000.0142
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
tapi32.dll Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
unicode.nls
urlmon.dll OLE32 Extensions for Win32 Microsoft Corporation 6.00.2900.2518
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2180
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2518
winlogon.exe
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winscard.dll Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wlnotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180
YmYa2.dll
This is what I found when I ran find winlogon.exe in search for file
from my computer, I hope it helps. Paul
|
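A small parser for the kind of Process Explorer DLL view pasted above, added here as an illustration (it is not a Sysinternals tool and not part of this thread). It flags code modules inside a system process that carry no description, company or version, as YmYa2.dll does in the winlogon.exe listing, and separately notes third-party modules loaded into that process; the sample rows are constructed from the listing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the pasted Process Explorer DLL view
# (a handful of rows only). Rows are "name [description] [company] [version]".
SAMPLE = """\
Process: winlogon.exe Pid: 572
Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
ctype.nls
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
sis.dll Webroot Software, Inc. 3.02.0000.0142
winlogon.exe
YmYa2.dll
"""

VERSION_RE = re.compile(r"\s(\d+\.\d+\.\d+\.\d+)$")   # trailing file version
CODE_EXTS = {".dll", ".drv", ".exe", ".ocx", ".sys"}  # loadable code, not data

@dataclass
class Module:
    name: str
    rest: str                 # description/company text after the name
    version: Optional[str]    # None when the row carries no version at all

def parse_dll_view(text: str) -> Tuple[Optional[str], List[Module]]:
    """Return (host process name, modules) from a pasted DLL view."""
    process, modules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name Description"):
            continue
        m = re.match(r"Process:\s+(\S+)\s+Pid:\s+\d+", line)
        if m:
            process = m.group(1).lower()
            continue
        name, _, rest = line.partition(" ")
        vm = VERSION_RE.search(line)
        modules.append(Module(name, rest, vm.group(1) if vm else None))
    return process, modules

def suspicious_modules(process: str, modules: List[Module]) -> List[Tuple[str, str]]:
    """Flag unversioned code modules and third-party code in the host process."""
    findings = []
    for mod in modules:
        ext = mod.name[mod.name.rfind("."):].lower() if "." in mod.name else ""
        if ext not in CODE_EXTS or mod.name.lower() == process:
            continue   # data files (.nls, .dat, .clb) and the host image itself
        if mod.version is None:
            findings.append((mod.name, "no description/company/version"))
        elif "Microsoft Corporation" not in mod.rest:
            findings.append((mod.name, "third-party module in a system process"))
    return findings
```

A row with no version resource is the same signal Norton and AVG reacted to here; the parser only narrows the list for a human to check against the vendor's own descriptions.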
Clarification of Answer by
livioflores-ga
on
28 Jan 2005 04:59 PST
Hi Paul!!
Do not worry about your lack of computer skills; one thing that you
will keep from all of these procedures is a big experience and
knowledge related to how to solve this kind of problem.
Another thing that I want to tell you is that you have a benign pest
in your computer, but it is persistent (fortunately, no more
persistent than us).
More tools are needed. We must unregister the file C:\Windows\system32\ymya2.dll.
To do that you must use a tool called RegCtrls, download it from:
ftp://ftp.softcircuits.com/apps/regctrls.zip
Unzip and run it. Then press the second button on its toolbar (a red
crossed file) to open the Unregister File dialog box. Search for the
file C:\Windows\system32\ymya2.dll and press the Open button.
The next step is to delete the file. We cannot do this the easy way
because it is in use, but there is another useful tool called
DrDelete:
Here you will find info related to this tool:
http://www.dslreports.com/forum/remark%252C7374516~root=sware~mode=flat
and
http://www.docsdownloads.com/Tier1/dr-delete.htm
Download it from:
http://www.dslreports.com/r0/download/386698~c40f6198204a9cc2ac6b5c403c1f697c/DrDelete.zip
Run DrDelete to schedule ymya2.dll to be deleted after reboot.
Reboot your computer and cross your fingers.
PS: Do not be frustrated if you find these tasks hard; you have removed
two pests from your computer. According to your first hijackthis log
you had installed:
Naupoint:
http://www.doxdesk.com/parasite/Naupoint.html
and
SafeShare:
http://www.pestpatrol.com/pestinfo/s/safeshare.asp
You have removed them with the hijackthis fix feature, so you cannot say
that all these tasks weren't useful.
One suggestion:
If you can, buy and install PestPatrol. In my opinion this is the best
resident antispyware; if you keep it updated and running you will be a
hard target for the pestwares:
www.pestpatrol.com
I hope that this helps you. Again, feel free to request further
assistance if you need it via the clarification feature.
Regards.
livioflores-ga
|
Clarification of Answer by
livioflores-ga
on
28 Jan 2005 05:10 PST
Hi!!
IMPORTANT:
You can use a command line to unregister the ymya2.dll file. Just
follow the instructions at this page:
http://www3.ca.com/securityadvisor/pest/content.aspx?q=64463#UnregisterDLLs
The specific instructions for your case are:
Click the Start button, and select Run
Enter this command line:
regsvr32 /u C:\Windows\system32\ymya2.dll
(you can copy the above command line and paste it in the Open box)
Press the OK or Accept button.
If you use this method you do not need to download the RegCtrl tool.
One more thing: this is not our last option, we can do more things, so
please do not give up if this does not work.
GOOD LUCK!!
livioflores-ga
|
Request for Answer Clarification by
pablocruise-ga
on
28 Jan 2005 17:54 PST
Hi, tried both of your suggestions, unfortunately access denied in
both situations. No I am not giving up... thank God this is a benign
virus. I am ready for more ideas. Thanks Paul
|
Clarification of Answer by
livioflores-ga
on
28 Jan 2005 20:14 PST
Please, can you tell me exactly what happened when you unregistered and
scheduled the file ymya2.dll for deletion?
Thank you.
livioflores-ga
|
Clarification of Answer by
livioflores-ga
on
29 Jan 2005 06:11 PST
Maybe you can try this tool to delete ymya2.dll:
-MoveOnBoot:
http://www.snapfiles.com/get/moveonboot.html
If you have troubles downloading this file see the "Information for XP
Service Pack 2 users":
http://www.snapfiles.com/xpsp2_downloadchanges.html
Hope that this helps.
|
Request for Answer Clarification by
pablocruise-ga
on
29 Jan 2005 11:51 PST
HI. The exact message was
"LoadLibrary C:\Windows\system32\ymya2.dll failed. Access denied." I also
ran AVG which also could not repair it but also described the virus as
"Trojan horse downloader Small 16x" if that helps. I will try the
other things you advised as soon as the scan is over. Thanks Paul
|
Clarification of Answer by
livioflores-ga
on
29 Jan 2005 22:36 PST
Hi!!
Maybe the file is protected.
Two things to do:
a. Enable the viewing of Hidden files:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button
labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions
for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected
operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden and system files.
See "How to make Windows show all files":
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
b. Unprotect Read-Only Files:
"If you have a file that you want to edit or delete but you can't,
chances are the file is designated as read-only.
Read-only files can't be changed or deleted. You can read these files,
but you can't touch them.
If you need to edit or delete a read-only file, you need to change
that file's attributes, such as whether it's hidden or read-only.
Follow these steps:
Select the file or folder you want to change and select File, Properties.
When the Properties dialog box appears (see Figure 3.18), select the
General tab and then check or uncheck the desired attributes. For
example, to make a read-only file editable, uncheck the Read-only
check box.
After you've made the desired changes, click OK.
Figure 3.18 You can change the attributes of a file from the Properties dialog box.
You can change the following file attributes in the Properties dialog box:
-Read-only files are files you can read but not edit or delete.
-Hidden files are files, typically sensitive system files, that you
normally can't view from My Computer.
-Archive files are files that have changed since last backed up."
From "Managing Files in Windows XP Home Edition - Essential File Management":
http://www.peachpit.com/articles/article.asp?p=24588&seqNum=6
The figure 3.18 is here:
http://www.peachpit.com/content/images/chap3_0789726513/elementLinks/03fig18.gif
After you unprotect the file ymya2.dll maybe you will be able to
delete it by scheduling it for deletion on the next boot (using
DrDelete or MoveOnBoot) (and maybe you can unregister it).
If you cannot delete it after that we must try to do it by starting
with a floppy boot disk and deleting the file using DOS commands.
I will be waiting for your feedback!!
Regards.
livioflores-ga
|
Request for Answer Clarification by
pablocruise-ga
on
29 Jan 2005 23:41 PST
Snapfiles worked!!!!! I am sure it solved the problem but being the
sceptic I am I wonder if it will create any new malfunctions... so far so
good. I appreciate all your expertise but also am sure I will need your
services again. Your ratings were high and well deserved. If there are
programs which I need to go back or system restore, will it also
cause the virus to come back?
Believe it or not I had 12 new viruses this am, mostly
undernetspry.exe. I was able to delete them so I hope it doesn't screw
up my O/S also. I was so frustrated! Right now all seems good so
thank you. I, like you, am persistent; I never quit.
|
Request for Answer Clarification by
pablocruise-ga
on
29 Jan 2005 23:43 PST
Thanks Paul. foothold@msn.com, is this against the rules?
|
Clarification of Answer by
livioflores-ga
on
30 Jan 2005 07:38 PST
Hi!!
I am really glad to know that you finally could delete the infected file!!
Regarding the file undernetspry.exe, to my knowledge it is not
associated with the Windows system and it is not part of any well
known program, so it can be deleted safely (you can also make a
backup copy on a floppy disk and also send it to Symantec to be
analysed).
You have installed and are running the program GoBack (I use it); this is
a system restore program. I do not suggest you restore the system
to a previous time point because yes, you can cause the virus to come
back. My suggestion is, when your computer is clean and running
properly (without errors), make a Safe Time point and take note of it.
Then every time you have a trouble you can restore your system to that
point. Remember to update the safe point every time you add or modify
a file and when you install a program (GoBack does this automatically).
You can download the GoBack User's Guide from Symantec:
ftp://ftp.symantec.com/public/english_us_canada/products/goback/3.0/manuals/goback_3_users_guide.pdf
You can also take a look at the following page (it is a different but
very similar version of GoBack, so the instructions almost apply):
"Restoring Files and Software":
http://support.gateway.com/support/manlib/astro/8506043/6043ch07.htm
Remember to keep the Antivirus definitions updated and run a complete
scan at least three times a week.
Regarding your e-mail, I cannot contact you due to Google Answers policies.
It was a pleasure to work with you; I also learned a lot from your
problem. I will be glad to work for you in the future if you
experience more new troubles.
And remember that I am here to bring further assistance if you have
more problems or doubts related to this question.
Best regards.
livioflores-ga
|