Re: Virus?
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Wed, 23 Oct 2002 11:27:20 -0400
"Chris Barnard" <lord_waymaster@yahoo.com> wrote in message
news:ap5tl5$aol$1@knossos.btinternet.com...
> We're running a Windows 2000 domain with XP clients. Yesterday, one of the
> 2000 servers and a couple of the XP clients started misbehaving - a whole
> bunch of applications have been replaced by EXEs which run Internet
> Explorer. They vary in size, most are around 2.5 Mb, but one or two are up
> to 6 meg. On one of our XP machines, the explorer.exe file had been
> replaced, so Internet Explorer ran on startup.
> At the same time, I found an explorer.exe process running on one of the
> servers which was using up 170Mb of memory!
>
> Is this a virus? I can't find any references to those symptoms anywhere.
It could be a virus or a trojan, but the best way to confirm or deny is to
run an antivirus program with the latest updates, and also a trojan scanner
such as www.pestpatrol.com, and also you can submit the files to any
antivirus vendor via information on their web pages. You might also run
Vision from www.foundstone.com/knowledge to look for open ports.
================
Be sure you are using an antivirus program with the latest updates for the
week. If you are and the virus was not removed, you should search for
removal information and/or a removal tool and/or a support group at one or
more of the following web sites:
* The web page of your antivirus vendor
* www.sarc.com
* www.google.com
However, there are additional issues you should be aware of. Keep reading
below for more information:
The best way to deal with any virus on any computer or server is ALWAYS to
install and use an antivirus program that is updated with the latest updates
for that week [or day].
Some antivirus manufacturers may release mini-tools that will remove a
particular virus or worm, such as a Nimda virus removal tool. However,
these single-virus removal tools generally do nothing to protect you from
becoming re-infected when you receive another infected email or file five
minutes after you ran the tool. Antivirus software is necessary to protect
against re-infection and damage to your computer files.
Just running an antivirus program is not enough. You should make sure that
your antivirus program can be configured to download updates every day [or
every week] automatically via the Internet, and open the program from time
to time to ensure that it is still receiving updates.
NOTE however that if an antivirus scanner or trojan scanner finds a trojan
installed and running on your computer, it could be a sign of a hacker
intrusion, in which case you will want to consider taking additional steps
before removing the trojan. For more information, see the section in this
FAQ entitled "How can I tell if I've been hacked?"
If you have a particular file name and wish to find out whether or not it is
a virus [or a worm, a Trojan, a hoax, etc.], you can try searching an
Internet search engine such as www.google.com for that file name. However,
it is still best to install and use an antivirus scanner. Looking up a
particular file name is NOT a reliable way to determine whether or not the
file is a virus.
Deleting a file from your system is never the first way or the best way to
try to remove a virus from your computer.
Which antivirus software is best for you will vary depending on your
computer systems, your security requirements and your personal preferences.
Antivirus programs may be purchased from Internet web sites, from your local
computer store, and even from stores like Target and Wal-Mart. Antivirus
software can be found using the links below:
www.symantec.com [Norton Antivirus]
www.grisoft.com [AVG Antivirus, including a free version]
www.f-prot.com/products [free DOS version]
www.f-secure.com [F-Secure]
www.trendmicro.com [Trend Micro]
www.wilders.org
www.download.com
www.tucows.com
[Most of the antivirus products will also work on Windows Server products or
have a version for Windows Server.]
There are also a number of web sites that will scan your computer for
viruses for free. However, using these web sites will do nothing to protect
you against future re-infection and damage to your computer files. Some of
these web sites include:
http://security2.norton.com [Norton free one-time web-based scanner]
http://housecall.antivirus.com [Trend Micro free one-time web-based scanner]
Just running an antivirus program is not enough. You should make sure that
your antivirus program can be configured to download updates every day [or
every week] automatically via the Internet, and open the program from time
to time to ensure that it is still receiving updates.
Antivirus software is like prescription drugs or psychologists; the first
one you get might not work right for you. If one antivirus program fails to
install or causes your computer to perform slowly, you could contact the
manufacturer, or you could uninstall it and try another antivirus program.
Note that you may need to set your antivirus program to ignore certain
folders, such as the folder containing your firewall software. Failing to
do so can cause speed problems or false alarms on your computer.
You generally want to install and run no more than one antivirus
program on your computer at a time. Running two memory-resident, on-access
antivirus programs simultaneously can cause false alarms or cause other
problems.
If you are running antivirus with the latest updates and are STILL having
problems removing the virus, you should:
* Note the name of the virus being reported by your antivirus program;
* Visit the web site for your antivirus manufacturer and click on "Support,"
so that you can:
+ Look up the virus name in the virus information database for info and
follow any instructions found there;
+ Search the support web page for your antivirus; and/or
+ Post a question in the support group for your antivirus.
For example, if you are using Norton Antivirus, you should visit the
following web sites:
www.sarc.com - NAV virus database
www.sarc.com/techsupp - free NAV support discussion groups
Be wary of any email ever that:
* Tells you to delete a file from your computer as the first or only way to
remove a particular virus;
* Tells you to forward the email to everyone you know;
* Tells you that a particular virus cannot be stopped by antivirus;
* Tells you that a particular virus has been confirmed by a large company or
government entity, such as Microsoft, IBM, the Department of Defense, etc.
Emails such as the ones described above are usually hoaxes [even if the
warning email is from a friend that you trust]. Stop and confirm or have
someone confirm the authenticity of any warning email before forwarding it
to anyone. You can often confirm or deny the existence of a particular
virus by searching for the virus name at an Internet search engine or virus
manufacturer's web page, such as:
www.google.com
www.sarc.com - Norton Antivirus
www.f-secure.com/virus-info - F-Secure
TROJAN SCANNERS:
It is also a good idea to consider using a Trojan scanner *in addition to*
antivirus software. Trojans and hacker tools can cause many of the same
symptoms that viruses and worms do, but antivirus programs generally do not
detect all of the most common Trojans and hacker tools. Some Trojan
scanners can be found by searching an Internet search engine or your
favorite software web site, or by using the links below:
www.pestpatrol.com [includes a free mini-scanner]
www.lockdowncorp.com
www.wilders.org
www.download.com
www.tucows.com
www.sunbelt-software.com
www.google.com/search?q=trojan-scanner
When looking for Trojans, you should also consider using a tool to look for
open ports, such as Vision or Fport from www.foundstone.com/knowledge or
Pstools / Pslist from www.sysinternals.com
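
An added example, not part of the original post: a PowerShell sketch of the port-to-process check that tools such as Fport perform, extended with the signature status, file size and memory use of each listening program, since the question describes replaced executables and an oversized explorer.exe process. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt; the function name Get-ListenerReport is hypothetical.

```powershell
# Added example (not from the original post).
# Lists listening TCP ports with the owning program, its Authenticode status,
# on-disk size and working set, so an unexpected or swapped binary stands out.
function Get-ListenerReport {
    $cache = @{}   # one lookup per process id, however many ports it holds
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $procId = [int]$_.OwningProcess
        if (-not $cache.ContainsKey($procId)) {
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $path   = if ($proc) { $proc.Path } else { $null }
            $status = 'Unknown'   # path not readable (system process or not elevated)
            $signer = $null
            $sizeMB = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $sizeMB = [math]::Round((Get-Item -LiteralPath $path).Length / 1MB, 2)
            }
            $cache[$procId] = [pscustomobject]@{
                Name     = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path     = $path
                Status   = $status
                Signer   = $signer
                SizeMB   = $sizeMB
                MemoryMB = if ($proc) { [math]::Round($proc.WorkingSet64 / 1MB, 1) } else { $null }
            }
        }
        $info = $cache[$procId]
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $procId
            Name         = $info.Name
            Signature    = $info.Status
            SizeMB       = $info.SizeMB
            MemoryMB     = $info.MemoryMB
            Path         = $info.Path
            Signer       = $info.Signer
        }
    }
}

# Anything that is not 'Valid' sorts to the top for manual review.
# 'NotSigned' is a lead, not a verdict: plenty of legitimate software is unsigned.
Get-ListenerReport |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, LocalPort |
    Format-Table -AutoSize
```

A listener whose path, size or signer does not match what a known-good machine shows for the same program name is the file to submit to an antivirus vendor.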