VIRUS ALERT!!!! OH NO!

[auggybendoggy]

Guys,

I was checking my norton spam email to make sure there were no good emails and i clicked on one cause it looked legit and as soon as I did Norton popped up and said "Virus detected: cannot delete".

 

The window would not go away so I clicked back on outlook and selected all and delted and then the norton alert said a diff file name by a series of numbers...

what I mean is it said the first time

wqr(12).ani

then i licked ok then the window came back immediatley saying

wqr(13).ani

and it did this for about 5-6 times then it stopped.

 

I went to symantecs sight and it said if 2005 cannot delete the moo file it's probably because windows was using it. Makes sesne since I was using the email

and the location of the file was

 

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y9HA3ULW\wqr[12].ani

Click for more information about this threat : Trojan.Moo

 

its in the temp internet folder so it may have come from the spam.

 

but i never told it to quarantine or delete anything so I'm afraid it's still present.

I did a system scan and NOTHIN!

I searched the foler listed above y98... and the wqr files are not there.

 

Am I safe or should I WIPE!!!!

 

help

 

Auggy

[Acid-Flux]

dont threat.

first if you cant just manualy delete the file, hit up http://housecall.trendmicro.com/

 

try their scan, sometimes they can delete / quarintine what norton cant.

[Acid-Flux]

PS.

http://esd.element5.com/publisher/50364/pr...trojan.moo.html

 

^^ read that and included in it is the removal instructions.

 

let us know how it goes

[auggybendoggy]

ok guys

i got nothign from either NAV or the link to techworld or what ever it was called.

 

So no trace of it is found.

 

I feel a bit uneasy having a web store and stuff like that. I think I outta wipe and reinstall.

 

The good news is I have a 20g partition that with an image of this main partition to just rebuild MOST of it in about 10 minutes. No installing cause it's already done.

 

But I'll lose some stuff and I'll have to reinstall a few things

 

What do you guys think?

 

Aug

[Acid-Flux]

dont wipe..

did you try that housecall?

i use that one all the time.

it always finds the problmes.

and did you also check out the page i posted? that is the removal instructions.

[Guest zerodamage]

do the housecall and use the second link. It is beta but more up to date.

[auggybendoggy]

the housecall is scanning now but my fatherinlaw stopped it so i had to restart it.

 

as for the removal page from symantec i tried it all but it cant detect the infected files

wqr(xx).ani

so removal is imposs

i cant locate this file either.

some forums suggest it's already piggy backed on other exe's.

 

Aug

 

ill let you knwo what housecalls does.

[Guest zerodamage]

If you have a backup image on another partition. I just say go with that (back up my documents first of course) and save yourself the headache over all. You will never have peace of mind and will always wonder what is going on that you do not know about.

[Acid-Flux]

this is why i keep all my docs on one partition and winblows on another

[auggybendoggy]

flux,

i do too. I've got a 200gb ide for my docs

and a 80gb c split into 2 parts. the second part has the virtual backup

 

I'm favoring the idea to reinstall the virtual partition

 

Aug

[Acid-Flux]

well if you feel that the virus scanner isnt doing it's job. reinstall everything. only takes like a hr, then another hr for CS if you dont have the cd, and if you dont, make a backup of it (there is a option in steam) that is what I did and burt it on dvd.

 

as ZD said, it's just peace of mind.

 

ps. seeing as you use norton, have you ever thought about using ghost?

Edited March 30, 2005 by Acid-Flux

[appalachian_fox]

Images are great. IF you're really uncomfortable, I'd say the time spent backing up the data that aren't imaged and reinstalling the few programs you need to are well invested for peace of mind, especially since images restore soooo fast...just my two cents.

 

If there's no evidence, it's most likely not necessary...but definitely worth the peace of mind. Imagined stress can be worse than actual stress.

[dwEEziL]

If your Norton detected it (as you said it did), then you should be fine. Norton would not detect a file as a virus and still let you execute it unless you disabled Norton first.

 

Secondly, the reason it was in your "Temporary Internet Files" directory is because the e-mail was formated in HTML, thus it uses the Internet cache to store the files as it generates the HTML document. No surprise there.

 

Third, whatever e-mail client you use, set it to ALWAYS read mail in plain text. This will help prevent this happening again in the future.

[auggybendoggy]

dweez,

i figured on point 2 but thanks for the tip on 3

that is very helpful and I will do that immediatley.

 

aug

[auggybendoggy]

i cant seem to turn off the html view for incoming mail in outlook

[Preacher]

OUTLOOK? Are you insane lol. Every Virus author out there targets outlook as a mode of transferance. Use a third party one like mozilla. Also if Norton detected it, it was probably deleted on your reboot so I would rerun Norton and if it doesn't come up againg just breath a sigh of relief. If it does scrub the system and reimage.

 

Disclaimer:

Following my advice may result in your head blowing clean off!

[dwEEziL]

Auggy, what version of Outlook? Outlook XP, Outlook 2003, Outlook Express?

 

I use Outlook as well and I should be able to tell you how to set it.

[auggybendoggy]

outlook 2000 dweez

[Wolfsblood]

Better yet, use Eudora. Been using it for 10 years, and had no problems with it.

[Acid-Flux]

Doesnt anyone use Thunderbird?

[Wolfsblood]

I used it briefly, but disliked it. Way too much like OE. I didn't like the interface, and since I'm forced to use Outlook at work (boss doesn't know enough about computers to know there are better alternatives, and I get pulled away from my regular work enough as it is to take the time to train him how to use a different program) I don't even want Outlook, or OE installed here at home.

 

My personal take on TB was that it was ugly, and clunky to use. Maybe that's due to me having used Eudora for the last 10 years or so.

[dwEEziL]

Auggy, ok, there is no default built-in functionality for Outlook 2000 to automatically read mail in plain text but Russ Cooper, moderator for the NTBugtraq listserv created a COM add-in that does it. It can be a bit quirky at times but it is better than nothing.

 

Now, this add-in does not just display the mail in plain text, it actually converts it to plain text as it displays it. This means, any special formatting is lost forever. For me, I didn't care. I'd rather lose a little bit now and then (mostly, I lost the ability to click on a link...it displayed it as just text and not a hyperlink so I had to copy and paste into a browser) to have more piece of mind with my Outlook Security.

 

http://www.ntbugtraq.com/default.aspx?pid=...F=N&H=0&O=D&T=0

 

You might also want to read some of the links here for other quirks regarding the NoHTML COM add-in.

 

http://www.ntbugtraq.com/default.aspx?pid=...tml&s=&f=&a=&b=