Virus deletion failed

Discussion in 'Software' started by NICK ADSL UK, Jan 27, 2004.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    POSTED BY ANNE ON THE 26-1-04

    I have Norton AntiVirus and Windows XP Pro and got the w32novarg.a@mm virus (a worm) today.
    :(
    I scanned my hard drive, and there were two infected files. I was unable to delete them. I followed Norton's instructions to edit the registry, but one of the values they told me to delete ("Taskmon"="%System%\taskmon.exe") wasn't there.

    I scanned the hard drive again, and one infected file remains. How can I delete it?

    (Yes, I'm very embarrassed to have gotten my first virus ever. I scanned the attachment before I opened it---the worm is so new that I opened it a few hours before Norton put the warning on its site---and the e-mail came from a fellow editor, so I thought it was okay. Live and learn....)

    Thanks so much for any help!

    Anne
     
  2. alanc

    alanc MajorGeek

    First of all, don't be embarrassed about getting a virus - it happens to everyone at one time or another. Like you said, live and learn.


    2nd, I'm assuming that you are following Symantec's removal instructions from here:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

    Don't skip any steps, especially disabling System Restore. You don't want to be re-infected from a restore point.


    For deleting stubborn files you can use Dellater for any file that Windows is not letting you access. Directions for its use and download are here:

    http://www.diamondcs.com.au/index.php?page=dellater


    If file(s) you deleted were system files, you may need to run SFC /SCANNOW to restore them from your XP CD.
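    The registry step in those instructions comes down to checking the two Run keys for the worm's autostart value. As an added example (not from the thread, Symantec or Norton), this Python script parses the text of a Regedit export of the Run keys, lists every string value under them, and flags any entry whose program is taskmon.exe, the image named in the first post. The sample export, its other entries and the System32 path are constructed for the demo and are assumptions.

```python
"""List Windows Run-key autostart entries from a .reg export and flag taskmon.exe.

Added example, not from the thread or from Symantec's write-up. It parses the
text that Regedit's File > Export (or `reg export` on XP Pro) produces, so it
runs on any OS against a saved file. REG_SAMPLE below is constructed; only the
"Taskmon" -> taskmon.exe entry comes from the thread.
"""
import ntpath
import re
from typing import List, NamedTuple

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Image names the removal instructions quoted in the thread tie to this worm.
WATCHLIST = {"taskmon.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="string data"  (inside the quotes, quote and backslash are backslash-escaped)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


class RunEntry(NamedTuple):
    key: str
    name: str
    command: str
    suspicious: bool


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def image_name(command: str, system_dir: str = r"C:\WINDOWS\System32") -> str:
    """Lower-cased base name of the program a Run command launches.
    %System% is the placeholder Symantec's write-up uses for the System32 folder
    (system_dir is an assumed location)."""
    command = re.sub(r"%system%", lambda _m: system_dir, command, flags=re.I).strip()
    if not command:
        return ""
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]      # "C:\Program Files\x.exe" /args
    else:
        exe = command.split(None, 1)[0]         # C:\WINDOWS\x.exe /args
    return ntpath.basename(exe).lower()


def load_reg_file(path: str) -> str:
    """Regedit 5.x exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_run_entries(reg_text: str) -> List[RunEntry]:
    """Return every string value under either Run key, flagging watchlisted images."""
    entries: List[RunEntry] = []
    current, in_run = "", False
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            in_run = current.lower() in RUN_KEYS
            continue
        if not in_run:
            continue
        vm = VALUE_RE.match(line)
        if not vm:                 # @= default, hex:, dword: and blank lines
            continue
        name = _unescape(vm.group("name"))
        command = _unescape(vm.group("data"))
        entries.append(RunEntry(current, name, command, image_name(command) in WATCHLIST))
    return entries


# Constructed sample export: one benign HKLM entry, the worm's entry, one HKCU entry.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Taskmon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for e in parse_run_entries(REG_SAMPLE):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.key}\\{e.name} = {e.command}")
```

    To run it against a real machine, export each Run key from Regedit (or `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` at a command prompt), then feed `load_reg_file("run.reg")` to `parse_run_entries`. An entry that is missing, as Anne found, only means the autostart was never written or has already been removed; it says nothing about whether the file itself is still on disk.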
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    This app from Trend has been a pretty good way of automatically removing nasties...

    http://uk.trendmicro-europe.com/enterprise/support/tsc.php

    Free too. Just download the "If you are not a Trend Micro customer" sysclean package file, then the latest pattern file. Unzip the pattern, make a temp folder, drop the sysclean and the lpt$vpn.XXX into the temp folder and run.
     
  4. anwinesp

    anwinesp Private E-2

    Yup, did it all as instructed (but, as I mentioned, the taskmon value wasn't there).

    I'm having a problem. The file containing the virus has a name like this: doc.txt (bunch of spaces) .scr. When I run dellater, it tells me it can't find the file. I've tried replacing the spaces with an asterisk, but that didn't work. I tried renaming the virus file and wasn't permitted to do so.

    Any suggestions? Thanks again!

    Anne
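    One way to flag this kind of name automatically, as an added example and not code from the thread or from DelLater: a Python script that walks a folder, reports any file whose visible name ends in a document extension while its real, last extension is executable (the "doc.txt<spaces>.scr" pattern above, and the plain "readme.txt.exe" double extension), and builds the exact quoted cmd.exe line needed to delete it. The extension lists and the sample file names are assumptions.

```python
"""Spot attachment names that hide their real extension behind whitespace.

Added example, not code from the thread or from DelLater/Symantec. The worm
sample described above was named like "doc.txt<many spaces>.scr": a narrow
file-name column shows "doc.txt" while the trailing ".scr" (a screen saver,
which Windows runs like an .exe) is pushed out of sight. The extension sets
and the demo file names below are assumptions, not taken from the page.
"""
import ntpath
import os
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional

# Extensions Windows executes on double-click (".scr" is the one in the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user reads as "just a document".
DOCUMENT_EXTS = {".txt", ".doc", ".htm", ".html", ".rtf", ".pdf"}

# "<shown name>.<ext>"  + two or more whitespace characters  + ".<real ext>"
PADDED_RE = re.compile(r"^(?P<shown>.+?\.[A-Za-z0-9]+)\s{2,}(?P<real>\.[A-Za-z0-9]+)$")


class Finding(NamedTuple):
    path: str
    shown_name: str   # what a narrow Explorer column displays
    real_ext: str     # what Windows will actually execute
    reason: str


def classify(path: str) -> Optional[Finding]:
    """Return a Finding when the base name uses a padded or double extension."""
    name = ntpath.basename(path)          # ntpath splits on both '\' and '/'
    m = PADDED_RE.match(name)
    if m and m.group("real").lower() in EXECUTABLE_EXTS:
        return Finding(path, m.group("shown"), m.group("real").lower(),
                       "whitespace padding hides the executable extension")
    root, ext = ntpath.splitext(name)
    if ext.lower() in EXECUTABLE_EXTS:
        inner = ntpath.splitext(root)[1].lower()     # "readme.txt.exe" -> ".txt"
        if inner in DOCUMENT_EXTS:
            return Finding(path, root, ext.lower(),
                           "document extension followed by an executable extension")
    return None


def scan(root: str) -> List[Finding]:
    """Walk `root` and classify every file name found under it."""
    hits: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            hit = classify(os.path.join(dirpath, f))
            if hit:
                hits.append(hit)
    return hits


def cmd_delete_line(path: str) -> str:
    """cmd.exe line that removes the file. The name has to be passed byte for
    byte, inside quotes, so the embedded run of spaces survives. Swapping the
    spaces for '*' cannot work: '*' is not a legal character in a Windows file
    name, so a tool that does not expand wildcards itself will not find it."""
    return f'del /f "{path}"'


def demo() -> List[Finding]:
    """Create constructed sample files in a temp folder and scan them."""
    root = tempfile.mkdtemp(prefix="padded-ext-")
    for name in ("doc.txt" + " " * 40 + ".scr",   # the thread's pattern
                 "readme.txt.exe",                # classic double extension
                 "notes.txt", "setup.exe"):       # benign, must not be flagged
        Path(root, name).touch()
    return scan(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.reason}: shown as {hit.shown_name!r}, runs as {hit.real_ext}")
        print("   " + cmd_delete_line(hit.path))
```

    Tabs count as padding too, since the pattern uses `\s`. Point `scan()` at the folder where the mail client saved the attachment, and treat anything it reports as executable, whatever icon Explorer shows for it.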
     
  5. alanc

    alanc MajorGeek

    Try this, just noticed it on the front page:

    http://www.majorgeeks.com/download4114.html

    [edit] W32.Mydoom.A is another name for the same virus

    More info:

    http://vil.nai.com/vil/content/v_100983.htm
     
    Last edited: Jan 27, 2004
  6. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Anne,
    Sorry you're having this problem. [mini-lecture]From now on, never open an attachment without scanning it first. Your virus scanner should let you just right-click the attachment name and choose SCAN THE BUGGER! (or words to that effect). Even attachments from your mother, sister, children: SCAN 'EM FIRST.[/mini-lecture]

    Now, you said in the first post
    "one of the values they told me to delete ("Taskmon"="%System%\taskmon.exe") wasn't there.
    I scanned the hard drive again, and one infected file remains. How can I delete it?"

    Then later you said
    "The file containing the virus has a name like this: doc.txt (bunch of spaces) .scr. When I run dellater, it tells me it can't find the file."

    I take it that the Taskmon file and the "doc.txt(...).scr" are NOT the same, and that you got rid of Taskmon.exe. (We may need to help you get that back later. Let's kill the nasty first.)

    I've forgotten what OS you're using (XP Home/Pro), but my first guess would be that the thing has hidden in the System Restore system, and Dellater can't get to it there.

    This is really easy and fast, and another virus scan may tell you that you're clean once you do this:
    Right-click My Comp, Properties, System Restore tab, CHECK the box that says Turn System Restore OFF .... Click Apply. Say Yes to the pop-up information panel. Wait until you don't hear the hard drive whirring anymore.

    Now UNcheck that same OFF box, and click Apply.

    (If you have more than one drive and you're only monitoring one drive, you'll need to re-set the others to "Turned off." If this means nothing to you, ignore it.)

    Now try the virus checker again. And for cryin' out loud, let us know.
     
  7. anwinesp

    anwinesp Private E-2

    You have taught me well, O WizeWiz; I *did* scan the attachment before I opened it. Alas, the worm was too new for even my very up-to-date virus definitions. Norton didn't post the update till a few hours after I received the e-mail. :(

    I have no idea if I got rid of taskmon.exe (it wasn't in the HKEY where they said it would be) or whether that's the same file as doc.txt(...)scr. (I have XP.) Before I did all this, I turned off System Restore, as instructed by Norton in the online instrux for this worm. When I couldn't delete the file manually or with dellater, I downloaded and employed the fix posted on MajorGeeks and did another virus scan---and the virus is gone!

    So, now that my virus scan came up clean, I'm good to go, right? I can turn System Restore back on and delete the Regedit key backups?

    Anne
     
  8. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Not to step on anyone's toes, but seeing as you're here waiting:

    Yes, get your System Restore up and running.

    But I'd keep your registry backups somewhere safe for a while, just to be on the safe side ;)
     
  9. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Thanks, General. No sore toes around here, as far as I can see (or feel).

    Anne, since you turned it off and have rebooted since then, the SVI folder is cleared and there can be no threats from there, so YES, by all means, turn 'er back on and start that safety net system running again.

    It's a good system. It tracks everything it can. Unfortunately, that includes the appearance in your mail of beastie-laden attachments "yearning to be free."
     
