Help removing Viruses

Status
Not open for further replies.

sakumar79

Technomancer
Hi,
In my dad's office, there is a LAN of about 15 computers. Among these, only one is connected to the internet. So, we installed an antivirus in only that one and we check all media (cds, floppies) that come from outside before using it. Until now, we have been using Norton Antivirus, Zone Alarm and Adaware for security, but we plan to replace NAV with PC-Cillin Internet Security 2005 as our NAV updates are coming to an end.
My first question therefore is for first hand opinion from users of PC-Cillin.

The second is this: Recently, NAV detected VBS.Redlof when I tried to copy files from one of the other systems onto the system with NAV. Since I cannot run NAV to check the other systems' registry, I downloaded the MWAV free utility and ran the program on some of the computers (not yet checked the system that gave the Redlof virus). It gave alerts for a handful of viruses about which I am not able to obtain much info. The list is "Tool.BAT.ExitWindows.a", "Trojan.Win32.Autoit.d", "Tool.Win32.Reboot", "Tool.DOS.Restart", "JavaClass.Chart". These are found in a handful of files each, coming as "File x tagged as not-a-virus:y". The main files affected are folder.htt, which I will be deleting, but a Win98 cab file (backed up locally on the computer) is also marked as Tool.Win32.Reboot. Please tell me whether these are viruses and what I need to do.

Thanks in advance,
S. Arun Kumar
 

anandk

Distinguished Member
no first hand info. but from what i have read, efficacy of pc-cillin is better than norton. norton is a good brand; pc-cillin a good product ! :)
 

digen

Youngling
Firstly, your implementation of security solutions is not correct, as far as I got from reading your post.

Let me get this correct: you have 15 computers in a LAN &
only one is directly connected to the internet & what about the others? No internet connectivity for them?

Installing an AV on a single computer & leaving the other 14 hosts without an AV is not a good solution imho.
The best practice would be to either install an AV on each host or get a server AV which allows remote scanning of the other 14 hosts or even a client server model AV.

Regarding your query about whether those files are malicious or not, then yes they are!

Tool.Win32.Reboot
Tool.DOS.Restart
Trojan.Win32.Autoit.d
^This is a worm !
Imho manually deleting isn't the way to go here. I would instead suggest connecting this hard drive to another system as master/slave appropriately depending on the setup & booting off a clean system loaded with an updated AV & "on demand" scanning the entire infected disk thoroughly. Report back the happenings.
 

rohanbee

Padawan
Like digen says all your computers on a network need to be protected and your virus definitions plus other updates need to be taken care of daily.
I had the same virus a little while back and it does take some time to remove. What are the files of yours that are infected?
Also go to the Symantec website and type in the virus name and it will tell you the things you need to remove it.
Also, better get Norton corporate edition for further protection against such problems.
 

rajat22

In the zone
Regarding product, NAV is better option to me.

For viruses & trojans, whatever suits you can install in the infected system, likely to get corrupt.
So, my option is,
1. Scan with a PC that is not infected.
2. SCAN ON LINE.
Go to *www.pandasoftware.com/products/activescan/com/activescan_principal.htm.
And opt for Free online virus scan. This will remove all viruses and trojans.
 

sakumar79

Technomancer
Hi all,
Thanks for all your replies. Firstly, let me get this straight. Theoretically, let us assume that one system has antivirus and all systems are clean to start with. Also, all files from outside and going outside are only through the one system with antivirus. Then, assuming the system with antivirus is not infected, the others cannot be infected, right?

Next, I must explain that since this is a small office, the internet is mainly to get email and occasionally for my father to browse. Therefore, other than my father, none of the staff have permission to browse. So, there is no need for internet connection for more than one computer.

Third, of the 15 computers, more than 10 are very old (with 32 MB RAM and less than 400 MHz speed) and can barely run the needed software. If I install an AV in one of them, they will come to a crawl. Not to mention the dent they will put on my dad's budget... Can NAV corporate edition scan the registry of another system in the network? If yes, how much does it cost?

Fourth, I found Alexa spyware listed. So, I downloaded Alexa spyware removal tool by Emco from MajorGeeks.com. This said that there was no instance of Alexa on the system. Confused, I installed Adaware on the system and ran a scan. Sure enough, Alexa was found. Does this mean the Emco tool is useless?

Finally, it looks to me that MWAV is highlighting both dangerous files as well as those that appear dangerous. Some of the files such as CAB files and setup files are likely to request you to restart the system after installation. When I notice that these are being highlighted, I wonder if MWAV is unsure if this is legitimate "restart" or not and trying to be on the safer side... Please let me know if this is right...

Thanks for your help,
S. Arun Kumar
 

digen

Youngling
Things are clear now, wokay now let's get started...
First things first, since you have no other option than installing an AV on the computer you use for browsing & checking emails you gotta keep it UPDATED frequently!

This is your only line of defense against viruses & especially network worms which spread through email attachments, for example. Not only do they create havoc, they could hog up all your available bandwidth.
Considering the fact that the rest of the machines you have are pretty low on processing power, this could lead to a disaster in case a network worm gets through & possibly bringing with it hours of downtime.

"Can NAV corporate edition scan the registry of another system in the network? If yes, how much does it cost?"
That's not the only place where malicious programs take shelter, it could be your startup folder, a malicious executable starting itself with a legit program...yada yada
Also consider the fact that your other machines are pretty old & may not be able to bear the brunt of a "remote av service" which then allows for remote network scanning.

As far as spyware is concerned, Spybot Search & Destroy, Lavasoft Adaware & Microsoft Anti-spyware solutions are pretty reliable. I've been using them myself for a long period of time now & they are certainly trustable. You can check that by reading reviews, user experiences everywhere on the internet. IMHO these three are all you will need..period.
I've never used the Emco tool which you've mentioned so I don't hold the right to comment.

Regarding your machine, I suggest you take that machine down (disconnect it from the internet) after having updated your AV & Anti-Spyware Solution/s beforehand.
Perform the appropriate scan & observe if you detect anything peculiar i.e. infection.
Because imho you still won't know if anything malicious still exists in your computer.

I would also suggest a Hijackthis scan, post the log here, I'm sure people like swatkat will definitely help you out regarding that aspect. If you have any more queries please ask.
 

rohanbee

Padawan
yes digen is right pm swatkat he helped me out quite a bit with this virus problem of mine. Also very important that you post your hijack this log file..............
 

Aijaz Akhtar

Journeyman
One option is to boot into the BitDefender Live Linux CD. It would not touch Windows and would scan for viruses. It was given by PCQuest some time last year I think.
 