Infected files

Dave Little · Post by **Dave Little** » 21 Feb 2001 4:52 am

My McAfee detected 2 infected files in my C:/_Restore/Temp directory. However, I'm unable to delete these files, even though I've closed all running programs. Another thing- a few days ago, McAfee found that wininit.exe had been infected, then deleted wininit.exe. Now, at start-up, I get a MS-DOS window that is titled WININIT-FINISHED
and a message that WININIT.EXE cannot be run in windows. WININIT is still in my Windows directory. (Windows ME)
Any suggestions?<FONT SIZE=1 COLOR="#8e236b"><p align=CENTER>[This message was edited by Dave Little on 21 February 2001 at 05:37 AM.]</p></FONT>

Jack Stoner · Post by **Jack Stoner** » 21 Feb 2001 6:15 am

Windows ME has a recovery procedure built in that will restore your computer to an earlier date.

If you know when (or approximately when) the computer was infected you may be able to restore it back to where it was before the virus infected it.

Click on Start and the Run. Enter msconfig in the box and then click OK. This will bring up the msconfig window. At the lower left will be an option to "Launch System Restore". Click on that and then follow the instructions to restore your computer to an earlier date.

This may take care of both the virus and your deleted files. I've never tried it to remove a virus so I don't know if that part will work. If it doesn't you will be back to where you were before running McAfee. McAfee should tell you what kind of virus(es) you have. You can go to the McAfee site and they have detailed instructions on removing many of the viruses which may help in getting the winint file restored.

Mark Ardito · Post by **Mark Ardito** » 21 Feb 2001 7:43 am

Dave,

This sounds like a virus to me. I had a client a couple of weeks ago that this happened to. I ran a virus check and couldn't. So I did some research and found out they had a W32.blebla.B.worm virus a.k.a Romeo and Juliet.

check out: http://service1.symantec.com/sarc/sarc.nsf/html/W32.Blebla.B.Worm.html

Hope this helps.

Marcus

Everett Cox · Post by **Everett Cox** » 21 Feb 2001 8:06 am

Dave -- Seems like Jack has a good idea, there, about 'recovering' to an earlier condition. Depending upon the virus type and whether it is 'active' that MAY not get rid of it.

If the recovery fails (or even if it works), you might try TrendMicro's on-line antivirus procedure.

http://housecall.antivirus.com/housecall/start_corp.asp

This does a virus scan/clean with no purchase or obligation. They do ask, but don't require, you to 'register'. The first time you use HOUSECALL will take several minutes for them to temporarily download their files. If/when you get a security dialogue about 'running and installing', select 'yes'.

After they are prepared, the Trend system will display a window in which you may select the drives and/or folders to be scanned. The actual scan goes pretty quick so don't be too selective about folders.
IMO they have a good product and provide much virus info and advice on their site.

Any question, ask me. -- Everett

P.S. You should be able to restore the WININIT file(s) from your Windos CDRom or from cabinet files on your hard disk if the recovery fails.

Craig A Davidson · Post by **Craig A Davidson** » 21 Feb 2001 2:54 pm

While we are on the virus issue. I was hit by the Snow White virus. I have it in quarantine now cause norton doesn't know how to fix it. Once in awhile it comes thru on an e-mail, so someone I know is sending it. Wish I knew if system restore would fix it or not.

------------------

Jack Stoner · Post by **Jack Stoner** » 21 Feb 2001 3:18 pm

Craig, check the McAfee site. They seem to have more info on manually removing viruses than Norton.

Norton seems to be lacking in that area as I've had some e-mails from others that have files "quarantined" but didn't know how to remove them, and I currently have Norton Antivirus 2001 installed on my machine.

Dave Little · Post by **Dave Little** » 22 Feb 2001 2:53 pm

Thanks guys! All your suggestions were very helpful. My latest scan shows all OK.

Jack Stoner · Post by **Jack Stoner** » 22 Feb 2001 4:00 pm

Dave, did the Windows ME "restore my computer" fix it or did you do something else?? My suggestion about using the restore function was a spur of the moment thought. I wasn't sure if that would take care of the virus.

Dave Little · Post by **Dave Little** » 24 Feb 2001 9:11 pm

Answer to Jack:
Actually, when I tried your suggestion of system restore, there were no restore points available. Just for fun, I tried to create a new restore point and it seemed to work as I was proceeding. I then went back to see if I could restore to my "new" restore point but was informed that there were no restore points. I think there is more wrong than just the recent virus attack. Another glitch is that my Windows Help doesn't come up. All of my programs are working fine at this point so I can't justify a complete reformat just now......but some day.
Thanks again for your time and help.

Everett Cox · Post by **Everett Cox** » 25 Feb 2001 10:37 am

Dave -- some virus attacks screw up the WININIT.EXE located in the Windows folder.

Maybe you should get that file off the CDROM again. You say you're no longer getting the 'help' file??? Look in the Windows\Help folder - do you have a COMMON.HLP file ???

-- Everett

Mark Ardito · Post by **Mark Ardito** » 26 Feb 2001 7:51 am

Dave,

I thought back to when everyone in my company got this virus and remembered it was not that Romeo and Juliet like I said earlier, but it is the W32.HLLW.Bymer

Go to the Start Menu, Find, Files or folders, make sure you are aimed at the C:\ drive. Then look for WININIT.EXE You should have a couple. Delete the WININIT.EXE that is in the C:\Windows\System folder. DO NOT AND I REPEAT DO NOT DELETE THE FILE THAT IS IN THE C:\Windows FOLDER.

Also do a search on your C:\ drive for dnetc

you should have a couple of files named dnetc that were put there by the virus. Just go ahead and delete them.

email me off the forum if you would like more help removing this.

Marcus