Re: Removing a suspect file

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 01/22/04


Date: Thu, 22 Jan 2004 06:31:16 -0500

Update your antivirus with the latest update for this week, reboot and scan
to find out what virus if any it might be. Once you have a virus name, the
best solution is to go to the virus encyclopedia on the web page of your
antivirus vendor to look up the virus name and find manual removal
instructions or a removal tool. Or, you could try
http://housecall.antivirus.com for an easy second-opinion scan from a
different AV product. Scanning with a free or trial trojan scanner like
www.pestpatrol.com might be useful as well. If none of these tools detects
it, submitting the file to one or more antivirus vendors [starting with
yours] using the instructions on their web pages would be good.

If none of that identifies what it is [which is the ideal solution], then
generally you can try to muddle through your own removal process by pressing
the CTRL-ALT-DELETE keys to bring up task manager and find and stop the
process if you can. [If it is installed and loads as a service at bootup,
this might not be possible.] Then, remove the file to a floppy disk. Also,
do Start, Run, MSCONFIG, and click OK [or for Windows 2000, use Startup
Explorer at http://securityadmin.info/faq.asp#startup ] to prevent the file
from starting up at next bootup and look for other files you might be
missing. Also, run something like Vision or Fport from
www.foundstone.com/knowledge to look for other suspicious files.

It sounds like your computer might be hacked, in which case you want to
confirm this and find out how and/or what holes you need to close on your
system to prevent this from happening again. Sounds like you need a
firewall, such as the free ones at www.kerio.com or www.sygate.com. Install
all the Microsoft patches from http://windowsupdate.microsoft.com . Here
are some other things you may want to consider doing:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

"TSJ" <anonymous@discussions.microsoft.com> wrote in message
news:1fe801c3e059$bd9f49f0$a401280a@phx.gbl...
> Using an anti-virus program, I discovered 3 strange files
> on my hard drive that had not been inoculated. I
> investigated them using (Properties) and they seem to be
> the work of scripters (Product Name: "totally"
> Version: "we rule" etc.) I was able to delete two of these
> files to the Recycle Bin and empty the Bin, but the
> remaining one is a problem. Whenever I click to delete
> this file an alert box pops up that says something
> like "Cannot delete this file as it is running in
> Windows". I believe it is in my Windows/System folder.
>
> How can I get rid of this file? Using DOS? I am very
> unfamiliar with DOS so specific steps and command/syntax
> help would be greatly appreciated. My hard drive is
> labeled "c"
>
> ThankQ,
> TSJ
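A defender-side triage script for the manual-removal steps in Karl's reply (find which process is holding the file, find what starts it at boot, and hash it so it can be looked up or submitted to the AV vendor), added here as an example rather than anything posted in the thread; it assumes Windows PowerShell 5.1 or later, and the suspect path is a placeholder.

```powershell
# Added triage example (not from the original thread). Given a suspect file,
# report the processes that have it loaded, the autostart entries and services
# that reference it, and its SHA-256. The path below is a placeholder.
param(
    [string]$SuspectPath = 'C:\Windows\System\SUSPECT-FILE.EXE'  # placeholder
)

$name = [System.IO.Path]::GetFileName($SuspectPath)

# 1. Which processes have the file loaded? This is the process Task Manager
#    would need to stop before "Cannot delete ... running in Windows" goes away.
Write-Host "Processes that have $name loaded:"
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $hit = $proc.Modules | Where-Object { $_.FileName -ieq $SuspectPath }
    } catch { $hit = $null }   # access denied on protected processes is normal
    if ($hit) { [pscustomobject]@{ PID = $proc.Id; Name = $proc.ProcessName; Path = $proc.Path } }
} | Format-Table -AutoSize

# 2. Which autostart locations reference it? (the entries MSCONFIG shows)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "Autostart entries referencing ${name}:"
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$name*") {
                [pscustomobject]@{ Key = $key; Value = $p.Name; Command = $p.Value }
            }
        }
    }
}
# Services whose binary path points at the file (the "loads as a service" case).
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$name*" } |
    Select-Object Name, State, StartMode, PathName

# 3. Hash the file in place so it can be looked up or submitted without moving it.
if (Test-Path $SuspectPath) {
    Get-FileHash -Path $SuspectPath -Algorithm SHA256 | Select-Object Hash, Path
}
```

Run it from an elevated prompt so that module lists of other users' processes and the HKLM keys are readable.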