Bad virus problem, need help

Hi,
I ran AntiVir today and it found that I had the newlove virus/worm. At the bottom of this page is the removal technique I tried:
http://www.csus.edu/uccs/alerts/archived/newlove.htm


When I ran that scanner in dos, it said "unrecognizable command". Next I did a serch of the P.C. for .vbs files and found about 20! Should these be deleted? Has anyone else had this and gotten rid of it?
Thanks for any help.

 

The contents of all files will be deleted, leaving the affected files with a byte length of zero.

The worm also appends the .vbs extension to each of these files. For example, the calc.exe file becomes calc.exe.vbs.

Because this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups. The user may need to reinstall the operating system as well as system files may have been destroyed.

 

Thanks Kodo. Here's a little more info:

Also it's on a Win2k P.C.

"The contents of all files will be deleted, leaving the affected files with a byte length of zero. "

Do you mean if I run that dos line scan? It doesn't work anyways and says "unrecognizable command". Should I delete all the .vbs files I found on my P.C.?

 

it's ok to delete that IMSCAN.DLL

 

I just did a search for IMSCAN.dll and it came up with nothing. Hmmmm.

 

IMSCAN is for online scanning plug-in.

 

Where would it be if a search didn't find it?

 

C:\winnt\system32\activescan was the location of the file.

 

I check there and the .dll isn't there. (yes, all file types are being shown)

 

can you search

for *.vbs in files and folders? I've been googling and this virus changes LOTS of files to .vbs and deletes the contents of the folders. It's a nasty for sure...

 

Is it safe to delete the .vbs files I've found or are they possibly needed? I just installed on a clean HD less then a week ago and haven't noticed any major probs yet but should I consider re-installing Windows?

 

from what I've read

on symantec and other sites the vbs files are basically empty and what ever was in them is gone. In re-reading this thread, Kodo's initial reply is a quote from info from the Norton (Symantec) site, I think that perhaps the virus is gone and you are left with the residual damage (empty files). By reading the post, all of the vbs files need to be restored from a known clean back up source. It does go on to say that you may need to replace the OS. There again, you state that it appears to be working well and you did a clean install last week.. and I can hear my ol' man (rest his soul) shouting at me "if it ain't broke don't fix it." It appears you have a paradox...I would xheck to see if you have the same vbs files in your system that you found, only without the .vbs added to it. If you do, then I would probably remove them. AND I base that on my crazed logic, not on sound information!!

 

Hey, thanks a lot for the info you two. I'll check those files now.

 

I had an idea

when you did your clean re-install...did you save your old e-mail and re-install it?? This virus comes to your machine through e-mail that will have any subject that starts with "FW: and has an attachment that ends with ".vbs." If you restored your old e-mail, I would get busy and see if you put that particular E-mail back in.... just an idea....tryin' to think and help. If you did, delete it, and then delete it from your deleted folder. I really hope that you get to the bottom of this. When you do, please post back. I would be interested in knowing what happened. You should not have gotten reinfected with the clean install. Good luck!!

 

Thanks Boccemon,
I'm not sure what you mean by "...did you save your old e-mail and re-install it?? " I use hotmail and still use it after the new install. Yesterday I installed Office 2003 and used Outlook ffor the first time. I'm not sure if I got re-infected or if this just happened but you got me thinking. Also, when AntiVir found the virus it gave me the option and I deleted it. I also scanned every file I backed up on my other P.C. before transferring it over.

 

what I meant was

did you backup all of your e-mail folders and re-install them. Do you use hotmail in conjunction with a POP3 account? Or do you leave it on their server? At this point I'm out of ideas. I'm gonna keep looking tho...perhaps you are not infected. Several AV sites say that this virus can take out system files, which would cripple your OS. I do not know, it's surely a puzzle. If I find more I'll post back. Good luck.

 

Gotcha, I leave all my e-mail on thier server and the Office 2003 was a brand new disc also (nothing from Office was saved from previous install). I wasn't using outlook before either.

@Kodo, I deleted an infected file after the virus scan so I assume it was the imscan.dll I couldn't find. Sorry I didn't see where you saw that earlier but in my screenshot I drew a line right through that file and missed it.