I really need help on this (virus prob)........

[dl01]

Ok the problem is everytime I open windows explorer, my docs and such, I get an e-mail sent to my outbox with noe text just a subject saying 'Help!!!' (that probebly being the programer being cockey) anyway I would like to know if anyone has heard of this and if anyone knows anything about it (or more importently is it cureble).

The thing is it's vital I get this sorted cos I've got a peace of software I'm working on and it needs to be relesed pretty soon.

Thanks!!

 

[wolluf]

you put Virus in title - have you scanned for such?
Also - is your machine workable (apart from this foible?)

 

[dinosnake]

Every time a program runs this happens?

Check the .EXE key in the Registry. Start RegEdit and go to:

HKEY_CLASSES_ROOT\.exe

and

HKEY_CLASSES_ROOT\exefile\shell\command

to check for bogus entries. A few viruses I've seen usurp Window's normal running of .EXE files by changing their class association to start the virus's action before they start the program you asked for.

The key HKEY_CLASSES_ROOT\.exe right hand pane will usually contain

Default "exefile"
ContentType "application/x-msdownload"

The key HKEY_CLASSES_ROOT\exefile\shell\command right hand pane's entry should only read:

"%1" %*

there should also be a shellex page handler:

HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{86F19A00-42A0-1069-A2E9-08002B30309D}

which should only contain:

Default ""

These may vary if you are using a different browser. If the entries looks unfamiliar - pointing to a program you know nothing about, then the virus is at work here. Change the entries back and reboot (back backups of the settings by exporting the keys before changing them, however).
Your mileage may vary...

 

[Kento]

scan:

http://housecall.antivirus.com/

 

[dl01]

Yes my comp is workable but just. It's very difficult to get along with when I can't open my docs or my comp and all those. No it's not everytime I open a program it's when I open windows explorer (My documents, My Computer etc.). I know it's a virus because my mum sent an e-mail to her payroll people and they phoned back saying they detected a virus when they tried to open the attachment, but I have'nt scaned it (I did'nt see a point after that)
Could you please help?

Thanks!

 

[mainegeek]

Here is a link you might want to try. You can do a virus scan from here. It is detection only so jot down what ever it finds and download the removal tool.

http://security1.norton.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=20&pkj=MYTYMWPAZTJWUFJJSZO

 

[TheOldMan346]

DDaann,

Check out this descriptsion of the VBS.Haptime.B@mm virus. When an infected application is loaded it sends email with a subject of "Help" and an attachment called Instlog.htm. This attachment is what is used to replicate itself to other systems. Does this match what is happening?

Here is the info.

http://securityresponse.symantec.com/avcenter/venc/data/vbs.haptime.b@mm.html

If this does not match, you can check search their virus encyclopedia.

Good luck.
The Old Man

 

[TheOldMan346]

Not sure what happened to that link in my message. The Tek-Tips server timed out and I resubmitted. Maybe that did something.

Here is the link again

http://securityresponse.symantec.com/avcenter/venc/data/vbs.haptime.b@mm.html

 

[TheOldMan346]

Nope! It appears the server has an issue with the address. Just go to securityresponse.symantec.com and do a search for VBS.Haptime.B@mm

The Old Man

 

[Kento]

DDaann, you say you have a virus but you think there's no point to running a virus scan? We can't help you remove the virus until you can tell us which virus it is. The scan will tell you which one it is and might even clean it for you so run the scan and let us know which one it finds.

http://housecall.antivirus.com/

 

[Kento]

It might be the haptime virus as TheOldMan346 suggested but run the scan to be sure.

 

[GrandpaCarl]

If, indeed, you have one of the virus types I have seen that will not execute an EXE file, but either ignores it or redirects the system to something else, then you will need to change the registry as described in previous posts. Unfortunately, when you attempt to execute REGEDIT.EXE in order to make the changes, it won't let you.

You have to be sneakier than the virus. Do the following:

1) Boot up in DOS via the CTL-F8 menu (or just hold down the control key in Win 98). You might have to use a boot floppy.

2) Navigate to the WINDOWS directory and rename REGEDIT.EXE to REGEDIT.COM.

3) Now, boot up back into windows, and go to the RUN dialog box. (WIN Key + R)

4) Type in the full name REGEDIT.COM, and press enter.

5) Make the necessary changes in the registry as per previous posts.

6) Using Explorer, FIND, or DOS, you need to change REGEDIT.COM back to REGEDIT.EXE.

With the Virus in place, you cannot use the tools necessary to fix the problem. You cannot even execute the browser to get on the net! Changing the extension on REGEDIT outsmarts the virus.

Hope this helps.

GrandpaCarl

 

[dl01]

Well it's pretty strange cos I've got the 'Help' e-mails but no attachment, shall I still get this tool?

Oh and I have a few more viruses according to a scan I just did one of them was called 'PE WEIRD' and a few others I can't remember I'll scan again and tell you.

 

[GrandpaCarl]

Ran across another similar set of threads and found this:

========================================
Kento (TechnicalUser) Jul 22, 2002
Can you run other programs? If you have 95, 98, or ME download exefix08.com from here into any folder then doubleclick on it and run it. (Running exefix08.com won't hurt anything.) Now see if it'll work.

http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

If that fixed it run a virus scan. In fact, run a virus scan anyway.

http://housecall.antivirus.com/

===============================================

This is much easier than for a novice to use REGEDIT.

GrandpaCarl