Virus?

[beenthere]

I believe I have a virus, and have no idea where it came from or how to get rid of it.
It seems connected to MS Outlook Express, and creates files named 'image001, 002.....00X, and file names of images I have named in my digital camera pic files. The files are attached to every (near as I can tell) folder I have - one at least, and sometimes more, in each one. I can delete the files, but they re-create themselves in some random fashion, as the same files do not show up in the same place. Also, if I click on the file icon that is there, I get the Outlook Express 'New Message' box that has a file attached with 0 bytes.
Anyone have any experience with this or any clues about what it is or how to get rid of it?

I have Norton Anti Virus, and updated it and ran it. No viruses found in any of the 41,000+ files.

Haven't beenthere before, but maybe I am there now!

 

[TerryinMD]

beenthere,

Dumb question - when did you do your last update?

Have you or anyone else using the computer made any configuration changes? Almost sounds like you're creating at lot of picture links to display in HTML. A shot in the dark.

Good luck!!

Terry

 

[beenthere]

Last update of Norton Anti Virus was yesterday, the 24th.
All the 'unwanted' files are listed under type as Outlook Express Mail Message or Outlook Express News Message, as near as I can tell when I do a file search on the name of the file. The icon looks like an open white envelope. The file size shows as 78k. Tis a mystery.

 

[TerryinMD]

Would it hurt to delete all of the mail messages?

Hmmm... do you scan all of your emails when they come in?

How about checking all of the Norton application settings to make sure your checking everything that hits your machine?

All shots in the dark!! This kind of stuff makes ya crazy....

Terry

 

[beenthere]

Thanks for your interest. I can't delete them faster than they can re-appear. I thought I was gaining, as I could find (at first) 200+ files, delete them, remove them from the recycle bin, then have them pop again within a few minutes (or shut down the computer, fire it up again, and have unwanted images re-appear. When I kept this up, the numbers of files to delete kept going down, such as 180, 100, 80, 60, 53. 40, 31, 20, 18, 10, 8, 5, (wow, kept thinking I was gaining ground here) until I left the computer for a few minutes and the numbers grew back to 60 again. Also, these files were only the ones not attached to a folder. If I go through the folders, there are files (at least one) attached to every one, including sub-folders. Hmmmmmm?

 

[TerryinMD]

Man, you got something bad!!

Do you know how to get to the Task Manager?

The easy way is to do a Ctrl+Alt+Del.

Then you need to see what may be running.

Since I'm using Windows XP, my descriptions may be a little different than yours, but similar.

Check the running Applications. If something looks really bogus, kill it.

Check your processes and see what may be using the CPU a lot?

I can't give you any specifics here because your machine will be different from mine.

I'm no security expert or PC guru but usually just watch what's going on and try to figure out what appears to be the problem. I wouldn't suggest that you delete any applications or files because you may get rid of a necessary file. But killing a process or application would only hang the machine at worst case.

Too bad it's Christmas day, there are a couple of good PC people on the board who could help.

Good luck!!

Terry

 

[scruffy]

First port of call: http://housecall.antivirus.com/
You need to run their free online virus scanner and try to get an identity to the critter. Once that is accomplished, then further steps can be taken.
What version wincrud are you running? What version of IE, and OE?

 

[beenthere]

Thanks for the suggestion. I tried to run the freescan, but could not get it to run. I get the statement
"Miss pattern files, reinstall please"
Am not sure what this means. Any ideas?

 

[AndyR]

Are you sure you are only checking for 41000+ virus definitions? 'Case my current Norton 2001 load reads 58371 as of the 18th. If you have them, boot off of your (Norton)rescue disks. If not, try booting off of the Norton CD - but be prepared to wait a lonnnngggg time as the CD scan is quite slow. It does indeed sound like a virus.

Andy in NH

 

[hoghead]

I had the same problem some time ago..I solved the problem by setting up norton antivirus 2001 to scan "all files", ran live update and then did a manual scan to fix the problem.My virus definitions as of 12/19 are over 58000 so you obviously aren't up to date.One thing I remember is that I had the 2000 version of Norton and it didn't pick up the bug so I installed Norton 2001 and did the above mentioned routine.

Hoghead

 

[beenthere]

I interpreted this as I only have 41,000+ files to check, which I didn't interpret there were 41,000 virus's being checked for. Maybe I missed something. Those were the records at the end of the Norton scan, (after the 12/24/01 live update) indicating the number of files checked that had no virus detected.
Last evening, I went through a time where I found 925 of the 'unwanted' files, deleted them, and 'heard' them re-created about 8 minutes later. I rounded them up again, and deleted them (had the same date and time as previous ones), and this happened four times. After the fourth time, (and since then) they have not returned. They were all files with the type "Outlook Express Mail (or News) Message". Originally some were dated as early as 11/30/01, (several of those are still there, but I am not allowed to delete them), but those dated after the 11/30/01 date are deleted. I have not heard back from Trend Micro about the HouseCall free-scan problem. I will watch for new images to pop up, but at the moment (knock on wood) the problem seems to be dormant, or gone. Thanks for your thoughts.

 

[beenthere]

Well, so much for the unwanted files to remain dormant. I found I could not use excel or word (could get in but could not open any files), so I decided I needed to remove MS Office 2000 and reload it. Probably a mistake, as when re-loading it, there were a number of long waits, with considerable hard drive activity. When the computer finished rebooting, I could not even get into any of the MS Office 2000 programs AND the unwanted files came back, this time as *.eml and *.nws files (with names of images from other image files). I deleted these files also, only to have them come back in 6 minutes. I removed MS Office 2000 again, but still the unwanted files re-create in the computer. I'm at a loss where to go next. Please weigh in if you have any other ideas?

 

[beenthere]

I have tried several times to download the free virus program, and also the pc-cillin 30 day version. I cannot seem to get it completed. The pc-cillin hung up with 4 kB to go (9851 of 9855), after a 25 minute wait to get to that point. Not sure what to do next, but will keep looking for something to do. Still hoping your suggestion works. I have Win 98 2nd ed., and have Netscape 4.+, so I qualify as near as I can tell.

 

[mikim]

ya know -- someday I'm gonna be where I dun't need no 'puter an' dun't want no 'puter ---
Years ago when home computers first started getting popular, a fellow worker asked me if I was going to get one; I said I didn't think so 'cause it wasn't gonna help me start my chainsaw ---- I wanna get back there again!
I feel for ya - I'm fightin' it right now too - (XP woes)
mike

 

[Anonymous Poster]

beenthere,
Your description sounds like it might be the Nimda Worm. Here is a link for its MO and method of removal.
http://www.cert.org/advisories/CA-2001-26.html. See 'File System Propogation' area. Just my $.02, and be prepared to do a full reinstall if all else fails /w3tcompact/icons/frown.gif. Good luck!

 

[beenthere]

That sure looks like what I have, and I appreciate you taking the time to point me in the right direction - however, it is a place I do not wannabe!

 

[Joe_W]

After I was hit with a virus a couple of years ago, I installed a program called GoBack, by WildFile. This program keeps a log of all activity on the computer, and if you have problems, you can revert the hard drive back to a time before the problem started. In other words if you install a program that doesn't get along with Microcrap, and it crashes the computer and makes changes that you don't like, you can pick a time before you installed the errant program, revert to that time, and all the changes will be erased. The only problem with this, is that you will also loose any data that you created between these two times. This will work with viruses, and any other software problems. It will not help if you have a hardware problem though. This program does take up some hard drive space and will slow down the computer a very small amout, but the peace of mind is well worth it.
When this program was unveiled at Comdex, they re-formatted their hard drive, then rebooted, ran GoBack, then reverted the hard drive back the way it was before the re-format.
Joe W.


PS. I forgot to mention that this program must be in place before you have problems so it can create a time schedule to revert back to. This will not do beenthere any good now, but it might save someone else from going through what he is.<P ID="edit"><FONT SIZE=-1>Edited by Joe_W on 12/27/01 06:56 PM (server time).</FONT></P>

 

[beenthere]

Rick M You deserve a great big THANK YOU! I checked out the site you gave me, and followed the download of symantec, and it cleaned out the problem - as near as I can tell at this time. I have been able to re-load MS Office 2000 and it runs, and no more unwanted files created. There is one step that I could not do, and do not know why it didn't work. That was to replace a Riched20.dll file with one off the CDROM.

Now I can get back to my late Christmas letter. Can't let the relatives and friends get by without one this year!

Thanks again. This site is fantastic.

 

[Bird]

Joe, I'm running Norton SystemWorks 2002.05 and it includes GoBack.

 

[TerryinMD]

Scatology!!!!

My wife called me from home and said that the Nimda virus has attacked her machine. Seems like Norton has caught it but I'm not sure what is going based upon her discription.

Here we go..... /w3tcompact/icons/crazy.gif/w3tcompact/icons/shocked.gif/w3tcompact/icons/mad.gif This is with a recent Norton Live Update this past weekend.

Happy New Year!!!!!!

Terry