virus

Discussion in 'Software' started by laurieB, Sep 1, 2004.

  1. laurieB

    laurieB MajorGeek

    i just ran trend micro housecall and it found a virus!! it's the first one it's ever found. it couldn't delete it. what do i do now? aloha
     

    Attached Files:

  2. Maxwell

    Maxwell Folgers

    Laurie,

    There doesn't appear to be any information that I can find at Trend Micro, McAfee and Symantec web sites and no Google information on dpwlay.dll or wetski. Does the Trend Micro scanner provide a link to more information about what it found?

    Do you know if you have installed anything recently?
    Do you have a backup or a restore point you could go back to?
     
  3. TheDoug

    TheDoug MajorGeek

    A Google of "troj_wetski" returns a single result: a Trend Micro page. It's listed in the lower window of the cached result.
     
  4. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    Laurie, my searches at the same time as Maxwell also turned up blanks.
    Only alternative suggestion I can offer is to email, or ring, Trend Micro for more information on your trojan.

    Same questions as Maxwell: what have you done recently, or since your last trojan check? Sorry not to be of more help. Bazza

    ===

     
  5. bigbazza

    bigbazza R.I.P. 14/12/2011 - Good Onya Geek

    Good on yer, TheDoug. Google does indeed find 1 result, now. Couldn't find one earlier.
    Hope this helps Laurie. Bazza

    ===

     
  6. Nirvana_CN

    Nirvana_CN Private First Class

    The only reference I could find to dpwlay.dll was in reference to the W32/Netsky.a Virus.

    The name is similar to the one Trend found, so it may be a spelling error on their behalf. Try downloading the Netsky.a cleaner from here, and see if it finds anything.

    http://www.nod32.com/home/home.htm (Choose the w32.netsky.a cleaner from the dropdown menu thingy.)

    If this fails, download another Virus Scanner (I recommend NOD32 from the link I just gave you) and see if that picks it up. If not, chances are you have a false alarm on your hands. Or a Virus so new you're the first to contract it! If so contact Trend.
     
  7. laurieB

    laurieB MajorGeek

    oh dear..........when i posted i expected to be directed to a thread that said all about it. search had produced nothing. flummoxed! (is that a real word?). yes i have downloaded 'type as you learn' for my son. i can't remember when i last did house call, but within the last couple of weeks. my restore point only goes back a week due to one of the cleaners (i think). my daughter also uses this computer at will. she's sensible and savvy, but there you go. i may have also downloaded a spelling program within that time. i will go back to google and then i will download netsky. i will report back. :)
     
  8. laurieB

    laurieB MajorGeek

    there is no w32.netsky on the drop down menu thingy. although there are several netsky virus removers labelled A, B, D, - Z, etc. i didn't understand the page at trend micro and still didn't find a direct reference to it. i will now run the other scanner. no i won't, coz i don't understand the choices. :(
     

    Attached Files:

  9. Nirvana_CN

    Nirvana_CN Private First Class

  10. Nirvana_CN

    Nirvana_CN Private First Class

    Silly 3 minute edit.

    Make sure you update NOD32 after install, and before you run a scan.

    To update just go to Update, Update now, as in this pic.
     

    Attached Files:

  11. laurieB

    laurieB MajorGeek

    what do i do with this???? my mail is yahoo. isn't that where the virus is???
     

    Attached Files:

  12. Nirvana_CN

    Nirvana_CN Private First Class

    Did NOD generate that?

    Make sure in the setup you choose advanced setup and say no to all the messaging and email stuff. Also turn off DMON in NOD setup, which monitors MS apps for viruses.

    If you click on NOD32 system tools, then when it expands click system setup, then setup, you can change the options.
     
  13. laurieB

    laurieB MajorGeek

    its also instructing me to uninstall other virus protection. i have anti vir xp personal edition, spybot, spyblaster, and zone alarm. does it mean me to uninstall all these programs????
     
  14. laurieB

    laurieB MajorGeek

    the email message thingy appeared in between the download and the installation. i am assuming it's a message from windows, not NOD.
     
  15. laurieB

    laurieB MajorGeek

  16. g1lgam3sh

    g1lgam3sh MajorGeek

    LaurieB,


    You should be able to unload AntiVir XP (not a bad proggy as it goes). Before you unload it, uncheck the 'start with windows', 'load on startup' thingies (sorry, can't remember details, but I know you'll figure it out :) ).

    If you restart, there should be no AntiVir running, and its engine shouldn't be resident.

    You can go ahead and install NOD32, give it a try for a while, if you don't like it, go through the same process, and you'll be able to reactivate AntiVir XP.
     
  17. laurieB

    laurieB MajorGeek


    i don't understand.:( by unload do you mean actually uninstall?? or simply switch off?? i assume you mean this box below when you say 'start up thingy'?? what about the window asking me to change my default mail? if its a virus in my mail addresses then what would be the point of changing it? and i don't want msn mail, I'm happy with yahoo. did you want me to download the netsky remover before i download nod, or download nod to see if it finds the same virus before attempting to remove it?? how is it possible for house call to misspell a virus name ??? how is it possible for me to get a virus nobody's heard of?? i don't understand what you mean by resident engine either. please remember i do not have a clue what i am doing, and this whole thing is making me very nervous. :( :( :(
     
  18. laurieB

    laurieB MajorGeek

    oops, forgot to attach the window. :eek:
     

    Attached Files:

  19. laurieB

    laurieB MajorGeek

    pps. i meant i didn't want outlook as default, not msn. see how confused i am.
    ppps. many thanks and much aloha for the help. :)
     
  20. Rob M.

    Rob M. First Sergeant

    A couple of points that might help...

    It's not a good idea to have more than one virus scanner running at the same time. They tend to argue with each other.

    Virus scanners normally run "resident", i.e., they're always there, in the background. They run that way so that they can scan every file that you open or use. Usually, you can disable a scanner temporarily (i.e., switch it off) so that you can do an install without having the scanner interfere with the install. If you're going to use a second scanner for any reason, disable the first. Better yet, uninstall it.

    You're not likely to find a virus in your addresses. Viruses are normally found in attachments to e-mail messages. Some e-mail messages that use HTML can launch a virus. While you may be using Yahoo! for your mail, any message or attachment you open has to be transferred to your machine at least temporarily to open it. That gives a virus the opening it needs to infect your machine.

    If you have a virus infection, it's better to fix it before you install a virus scanner. Some viruses know how to prevent a scanner from operating properly, and can mess up a program install.

    I don't know what brought up the dialogue box that asked you to set Outlook as the default e-mail client, so I won't guess about what you should do with it. Personally, I only use Outlook when I'm paid to. I don't use it at home. I dislike Outlook intensely.
     
  21. laurieB

    laurieB MajorGeek

    thanks rob. so i will attempt to download the virus remover first. i do get infected email. it has a netsky virus in it. it comes with a 24k attachment and a one word subject matter. ie. 're: your letter' or 're: your pictures'. (just in case anyone here gets one) it infected the moderator of a support site i visit. i opened the first email i received but could not open the attachment because yahoo said that it contained netsky. i contacted the moderator and told her to come here. she got a puter tech to come and 'clean' her puter instead. but she lives in wales, so i dunno. lol (not insulting the welsh, but if it isn't rugby or grolch...) anyway i've been getting three or four a week since then from the same site as she had the addresses of everybody. i haven't opened any of them. they all go to my bulk mail. i thought that was on yahoo's side of things, not mine. i also thought that as long as you didn't actually open the attachments you were safe. i will report back when i've done the virus remover thing :)
     
  22. laurieB

    laurieB MajorGeek

    on the drop down menu it actually says netsky AB. i am assuming that's the one. well nothing so bloody simple my friend. i get a file error page in spanish i think lol. now what?? is there another download site? or can i download say netsky D or Z or something??? :)
     

    Attached Files:

  23. laurieB

    laurieB MajorGeek

    i was trying to show you the netsky choices but i'm having problems making the picture small enough lol
     
  24. laurieB

    laurieB MajorGeek

    im having trouble resizing the netsky choices. :(
     

    Attached Files:

  25. Nirvana_CN

    Nirvana_CN Private First Class

    I'd try the AB version. Remember, chances are this is a false alarm as no one but Trend has the virus listed.

    Do you have any suspicious looking processes in your task manager?
     
  26. laurieB

    laurieB MajorGeek

    i have 50 suspicious looking processes!!! take your pick. lol :)
     

    Attached Files:

  27. laurieB

    laurieB MajorGeek

    next set
     

    Attached Files:

  28. laurieB

    laurieB MajorGeek

    and the last.
     

    Attached Files:

  29. laurieB

    laurieB MajorGeek

     
  30. Rob M.

    Rob M. First Sergeant

    It only takes one to do your system. It sounds like the one that Yahoo! flagged for you did get into your system. If you want details on what Netsky.AB does, check out Symantec's page at <http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.ab@mm.html>.

    Note that Netsky (like most e-mail worms) spoofs the From: line in the message. The sender identified in the infected message is not going to be the source of the message, so ragging on the indicated sender will only get that person mad at you.

    (And yes, that does mean that identifying the true sender is difficult, if not impossible. The virus writer sets it up that way so that the virus can remain in place longer and do more damage.)

    You're quite right -- the attachments you haven't opened won't hurt you. Delete the messages carrying them from Yahoo!'s bulk mail folder without opening them before you forget what's in them and get curious. :)
     
  31. laurieB

    laurieB MajorGeek

    thanks rob. i managed to get the removal tool from that link. i ran it as directed. it didn't find it!!!! so i'm back to square 1. either it's a brand new virus or a false alarm. how do i find out?? much aloha.
     
  32. laurieB

    laurieB MajorGeek

    i will now uninstall antivir xp and install nod 32 and see what it says.
     
  33. Nirvana_CN

    Nirvana_CN Private First Class

    Damn, that's a lot of processes :D I have 14 on boot and maybe 19 when using it properly.

    Maybe its a women thing to want it all at once :p

    Hope you get sorted

    Sorry, I have to be up at 5am tomorrow for work, so I don't have time to check out your million and one services :) most I don't recognise, but I don't see any known trojan processes there.
     
  34. laurieB

    laurieB MajorGeek

    the processes are what they are. it has nothing to do with me. if some shouldn't be there, then i don't know how to turn them off or whatever. maybe when you have time you can give me further instructions. this is the report from nod. sleep well and have nice dreams aloha
     

    Attached Files:

  35. laurieB

    laurieB MajorGeek

    i am now going to uninstall nod, and reinstall antivir (cos i don't like change, and once the trial version runs out i will have to do it anyway. :) )
     
  36. laurieB

    laurieB MajorGeek

    OK. done that. so I'm back to antivir now. it didn't find the virus this time either.......i'm worried now about nirvana's comments about my processes. and frustrated to know that i will have to wait another day to find out why i have so many (this Hawaiian time zone, when I'm up you're all asleep). one good thing though is that 1) i knew what he was talking about. 2) i knew where to find it. 3) i knew how to capture it and attach it to MG. I'm obviously getting more puter savvy, mostly due to this site. so once again i thank you all. much aloha
     
  37. Nirvana_CN

    Nirvana_CN Private First Class

    Well, it's quite simple.

    Firstly go to Start-->Run then type SERVICES.MSC

    Then click on the grey box above the column that shows if a service is started or not, to filter all the started services together.

    Then start with the service and load up this site. You can then check on that site what exactly that service does, and chances are you can disable it safely. To disable a service just double click it, change the drop down box you see from Automatic to Disabled, then click the Stop service button. Also when you double click a service it explains what it does, but the Black Viper site is great for letting you know if you need it.

    If you're unsure of a service, change it to Manual, not Disabled; this basically disables it, but allows Windows to enable it if a program needs it.

    Doing this I would say you can disable at least half of your 50 services. Ideally with a normal XP system, with a Firewall and Antivirus running, you should be able to run with anything from 15-25 services. Plus each service ties up memory and CPU time, so disabling unneeded ones will speed your computer up quite a bit.

    Also you can go to Start-->Run--> then type in msconfig

    Then check the selective startup, then click the last tab which is startup items, if my memory serves; you can tick and untick what programs you want running when you log on.
     
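The service triage described in the post above, done from PowerShell instead of by clicking through services.msc. This is an added example and not code from the thread; it assumes a current Windows with PowerShell 5.1 or later, and an elevated prompt for the one function that changes anything.

```powershell
# Inventory of running services with their start mode: the same view as sorting
# services.msc by the Status column, but with the start type and binary beside it.
function Get-RunningServiceInventory {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartMode, PathName |
        Sort-Object StartMode, Name
}

# Count services by state: the "how many do I have" number the thread compares.
function Get-ServiceStateSummary {
    Get-CimInstance -ClassName Win32_Service |
        Group-Object State |
        Select-Object Name, Count
}

# Flag running services whose executable does not carry a valid Authenticode
# signature. A triage hint, not a verdict: unsigned is not malicious, signed is
# not benign. Unquoted paths containing spaces are not handled (rare for services).
function Get-UnsignedRunningServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the executable.
            $exe = $_.PathName -replace '^"([^"]+)".*$', '$1'
            $exe = $exe -replace '^(\S+\.exe).*$', '$1'
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $exe; Signature = $sig.Status }
                }
            }
        }
}

# Apply the post's rule "if unsure, use Manual, not Disabled": Windows can still
# start the service on demand. Requires an elevated prompt; -WhatIf previews.
function Set-ServiceToManual {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess($n, 'Set StartupType=Manual and stop')) {
            Set-Service -Name $n -StartupType Manual
            Stop-Service -Name $n -ErrorAction SilentlyContinue
        }
    }
}

# Usage: the read-only views first; the change step stays commented out.
Get-ServiceStateSummary | Format-Table -AutoSize
Get-RunningServiceInventory | Format-Table -AutoSize
Get-UnsignedRunningServices | Format-Table -AutoSize
# Set-ServiceToManual -Name 'SomeServiceName' -WhatIf
```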
  38. Rob M.

    Rob M. First Sergeant

    Hi, LaurieB --

    Good question -- especially when there is some conflicting information in the thread up to this point. For instance: Trend Micro identified the threat as TROJ_WETSKI.A(1) and the infected file as DWPLAY.DLL -- yet we seem to be assuming that the threat is either Netsky.A or Netsky.AB, and nobody can find anything about a file named DWPLAY.DLL.

    Does DWPLAY.DLL actually exist on your machine -- in C:\WINDOWS\SYSTEM\ or anywhere else? If so, can you replace it with a known-good copy? For that, you'll need to know what that file is and where it came from. You may be able to find that out by right-clicking on the file in Explorer and clicking on Properties in the resulting drop-down menu. If the file doesn't belong on your system, you can just delete it.

    If you find DWPLAY.DLL on your system, check out Trend Micro's page here and follow the virus removal instructions provided. It was a cached page in Google that provided that link, so I suspect that Trend Micro has changed the name of that particular virus in later versions of its scanner -- which would explain why info is hard to find on this virus. Trend Micro reports it as discovered on Aug. 31, so other scanners won't recognise the threat if they are using virus definitions that are older than that. If they do recognise the bug, they may identify it by another name.

    It's possible that Trend Micro's scanner has found a file that is carrying a threat that has not yet infected your system. If you can delete or repair the file before it is opened, it won't have infected your machine. The trouble is that .dll's are opened by other program files without asking you first. You won't know when it gets opened. If you don't find the registry keys identified in the removal instructions, the virus probably didn't execute. Yet.

    If you're not sure what DWPLAY.DLL is or does, rename it and move it to a folder that is not searched by Windows when it is looking for a file. If a program needs the file, it will usually let you know that it can't find it. Then you've identified the program that calls DWPLAY.DLL and you've ensured that the file doesn't get opened without your knowledge.

    If DWPLAY.DLL doesn't exist anywhere on your system, Trend Micro has presumably mis-identified the file -- or did delete it regardless of what it told you when you tried. Either way, I don't know that there's much you can do.

    Some scanners check for code that does things that viruses do, in the hope of identifying a threat before an appropriate virus definition is available. It works, but it does generate the occasional false alarm.

    If you come to the conclusion that it was a false alarm, just drive on but keep a sharp watch. Make sure that your hard drive is scanned frequently, and that whatever scanner you're using is kept right up to date -- daily, if possible.
     
  39. laurieB

    laurieB MajorGeek

    nirvana. thanks for all your help and time. i will slowly work my way through black viper's list. i am very nervous about doing this sort of thing. I'm a 'if it ain't broke, don't fix it' kinda girl. however i take your word for the fact that a lot of the processes on my puter are unnecessary for me. i was really surprised when you said you had 19, and i have 50!! there are a lot of things on my puter that i don't use. ms money is a good example. i don't use it and probably will never need a program to help with my finances. i don't have any money, any investments, i don't even pay taxes!! (too poor lol) but i haven't uninstalled it because I'm frightened it will somehow affect other things if i do. (what other things i don't know) someone told me never to uninstall unnecessary programs. just ignore them and eventually they will be buried by the current ones. he compared it to a room full of boxes. the ones you go into are moved to the front. the ones you never open or have even forgotten that you have, are slowly buried at the back. if you try to remove a box from the bottom, then the stack falls down. i don't know how realistic that analogy is, but it put me off experimenting with the computer. also is the factor that i don't know how to repair any mistakes. this site acts as a kinda 'comfort blanket' in that i can bring my queries to people more experienced than i. it took me a solid year to save the $600 for this computer. by that i mean that i did without every sort of luxury and personal spending. it is an enormous amount of money to me. i know people who download so much crap on what i consider to be valuable pieces of equipment, until eventually they trash it. then they just buy another one!! on average, i guess, people are replacing their puters et al. every two years. i need mine to last two or three times longer than that! once again please know that i really appreciate the time and effort you have taken. much aloha.
     
  40. Nirvana_CN

    Nirvana_CN Private First Class

    Well, the un-installing programs bit isn't really correct. I install, test, dislike and un-install big programs all the time; the only negative effect is it makes your disk need de-fragmenting now and again, but that's something you should do a few times a year anyway, as it speeds your disk access up.

    Don't worry too much about the services, you cannot break your machine by disabling them.

    The best way to do it is disable maybe 5 you're confident you don't need, then reboot and just use your PC for 30 mins; just test you can do the important things such as get online, load the programs you need etc. If the worst comes to the worst, you just re-enable the service. If you get any you're unsure of, just post them here. I know what most do off by heart, and know whether you should disable them.

    If you're not comfortable, don't do it :) Although 50 of them will be slowing you down. If the machine has a CD Writer, it's probably good practice to copy anything you can't live without onto a CD every month or so. Even though I spent 5 years supporting 1000+ PCs before becoming a Dev, I still get times when I can't fix something, and have to format and re-install Windows, and that's when the CD with all your important data and files on is a lifesaver.
     
  41. laurieB

    laurieB MajorGeek

    i backed up everything in my documents inc. my pictures to cd. i was then going to back up everything else. i went start-programs-accessories-system tools-backup. i started the back up wizard, instructed it to back up 'all information on this computer'. i inserted a cd into E drive and chose E:\ as the place to save the back up. i named the file back up. then i got this message. i looked in the help files but cannot find anything relevant to xp home that says how to do it. what am i doing wrong??
     

    Attached Files:

  42. laurieB

    laurieB MajorGeek

    rob and nirvana. it does exist in system 32. i don't know what registry keys are. i don't know how or what to rename it or how to move it to a 'safe' place, or what indeed a safe place is. i cannot open it. here is what it says under properties.
     

    Attached Files:

  43. laurieB

    laurieB MajorGeek

    and lastly this (which doesn't say anything really, but i thought i'd better include it. lol :)
     

    Attached Files:

  44. laurieB

    laurieB MajorGeek

    ps, it says open with internet explorer, because that's what i ticked. first i tried adobe, but originally that bit was blank.
     
  45. laurieB

    laurieB MajorGeek

    :confused: followed your link rob. did it wrong. it says
    unregistering the malware component
    start-run-type REGSVR32/u <path and file name of the .DLL file detected earlier>
    i accidentally skipped this step !!!!!!

    i did do
    start-run-regedit and deleted the file named dpwlay.dll

    i then went back and tried to do the first step, but it couldn't find it. when trend says type the path and file name what EXACTLY does it want me to type???
    i tried REGSVR32/uC:\WINDOWS\system32\dpwlay.dll
    and REGSVR32/udpwlay.dll

    hope i haven't done something awful by skipping the first step.
    i then did search again and it was still there. i opened the system 32 folder and deleted it !!!!

    the link you gave then said to disable system restore and run the scanner again. if i disable restore how am i gonna repair any damage i may have done? :confused:
     
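The checks Rob M. asked for earlier (does the file exist, what do its properties say, what registry keys refer to it) and the unregister-then-quarantine sequence from the removal instructions quoted in the post above, written as a PowerShell script. This is an added example, not code from the thread or from Trend Micro; it assumes the file name dpwlay.dll reported in the thread (substitute whatever your scanner reports), a current Windows with PowerShell 5.1 or later, and an elevated prompt for the last step.

```powershell
# File name as reported in the thread; replace with your scanner's finding.
$SuspectName = 'dpwlay.dll'

# Step 1: does the file exist where a scanner would normally look?
function Find-SuspectDll {
    param([string]$Name = $SuspectName)
    $roots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter $Name -File -Recurse -ErrorAction SilentlyContinue
}

# Step 2: the Explorer "Properties" view plus what a defender wants next to it:
# version resource, Authenticode status, SHA-256 and timestamps. A blank company
# name or an invalid signature is a triage signal, not proof of anything.
function Get-DllTriageInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $sig = Get-AuthenticodeSignature -LiteralPath $File.FullName
    [pscustomobject]@{
        Path        = $File.FullName
        SizeBytes   = $File.Length
        Created     = $File.CreationTime
        Modified    = $File.LastWriteTime
        Company     = $File.VersionInfo.CompanyName
        Product     = $File.VersionInfo.ProductName
        FileVersion = $File.VersionInfo.FileVersion
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    }
}

# Step 3: the "registry keys" the removal instructions mean. A COM DLL registered
# with regsvr32 leaves an InprocServer32 default value naming its path.
function Find-ComRegistrations {
    param([string]$Name = $SuspectName)
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = "$($_.PSPath)\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($server -and $server -like "*\$Name") {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
                }
            }
        }
}

# Step 4: unregister, then rename and move rather than delete, so the file can be
# put back if a legitimate program later complains it is missing. Note the space
# between /u and the path, which the post's attempts were missing. Elevated prompt.
function Invoke-DllQuarantine {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File,
          [string]$QuarantineDir = "$env:SystemDrive\Quarantine")
    & "$env:SystemRoot\System32\regsvr32.exe" /s /u $File.FullName
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $dest = Join-Path $QuarantineDir ($File.Name + '.quarantined')
    Move-Item -LiteralPath $File.FullName -Destination $dest
    $dest
}

# Usage: read-only steps first; the quarantine step stays commented out.
$found = Find-SuspectDll
$found | ForEach-Object { Get-DllTriageInfo -File $_ } | Format-List
Find-ComRegistrations | Format-Table -AutoSize
# $found | ForEach-Object { Invoke-DllQuarantine -File $_ }
```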
  46. laurieB

    laurieB MajorGeek

    ps it was in a folder marked 'design science' when i went to regedit. as far as i can tell that came with the machine.
     
  47. laurieB

    laurieB MajorGeek

  48. laurieB

    laurieB MajorGeek

    i will now try to deal with the process thingy :)
     
  49. Nirvana_CN

    Nirvana_CN Private First Class

  50. laurieB

    laurieB MajorGeek

    ok, changed some of the settings according to BV, now i have 45 instead of 50!! however, are they all running? do they all run on start up? (most of the stuff i checked out was already on manual) lastly why does system idle process use so much cpu? what is system idle process?
     

    Attached Files:
