W2000 / Outlook Question - possible virus

[hammer02]

Within the past couple days I've had some interesting things occur on a home PC. The CPU is constantly at 100% with WINHelp.exe and services.exe processes taking up the majority of the CPU. Also, in Outlook there were over 16K e-mail messages that were trying to be sent.

When I tried to delete the e-mails they keep getting re-generated.

I'm ashamed to say the system does not have any virus scan software. Kind of took it for granted that it came with the system since that is a necessity now-a-days. Needless to say I'm going out to get some NAV software tonight.

Any ideas on the issue or type of virus? Any help would be appreciated.

Thanks!
MH

 

[manarth]

sophos / lovegate might be the first threat of choice -

usual virus fighting procedure -
1. identify the virus if you can (there are online virus scanners available - suggest you google to find one you like)

2. clean boot (i.e. boot from a virus free boot floppy / cd
3. delete / quarantine the infected files
4. reboot and rescan the machine to ensure you've removed the virus.

<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[wbg34]

Might be a varient of lovegate but there isn't enough info to go on. If you get NAV, then make sure you you go to their site and download the intelligent updater (updates to most recent definitions without using liveupdate).

http://securityresponse.symantec.com/avcenter/defs.download.html

Make sure you do this from a different computer then the infected one. Once you have the intelligent updater then start the infected computer into safe mode and install NAV. Reboot into safe mode, run the intelligent updater and scan your PC. You may need to download a removal tool from Symantecs website after you have identified the virus. Download this on a different computer as well.

 

[SESaskDFC]

Howdy:

If you do get an av program odds are it won't work anyway as most of the newer virii have the ability to disable the scanner.

Suggest you go to

http://www.antivirus.com

and run their online scanner first.

Clean out anything it finds and then load your av program.

Murray

 

[smah]

And a few more free online scanners faq760-3862

 

[wbg34]

1. If you suspect that you have infected e-mails waiting in your outbox, then you shouldn't connect that machine to the internet or a network. It would just be asking for problems.

2. Booting a PC into safe mode will stop a virus from loading in Windows. Your Anti virus program will be able to run as normal and your virus scans will complete.

 

[hammer02]

I'm getting there. Here is what has been done so far:

1. I found and used AntiVir from

http://www.antivir.de.

2. I installed the software under safe mode.
3. Ran the program and it corrected some registry and .ini entries. It also found the Lovegate.F worm in the following files:
a. Iexplore.exe
b. Kernel66.dll
c. NetServices.exe
d. Ravmond.exe
e. WinDriver.exe
f. Wingate.exe
g. winrpc.exe
h. WinHelp.exe

I had the program quarantine the following files:
a. Kernel66.dll
b. wingate.exe
c. winhelp.exe

I was afraid to have it update the others, especially Iexplore.exe.

The CPU % is back to normal and I was able to open Outlook and clear out all of the files it was trying to send.

Any suggestions on how to proceed next? I assume I need to get the infected files replaced. How can that be done?

Thanks again for all of your ideas and help!
MH

 

[hammer02]

Latest update. Took a chance and had the program delete the specified files. System is now working just fine.

Looks like the virus created files with the names above in one of the system directories. Did a bunch of reading on the Lovegate virus and it indicated that might be the case.

Thank you for all of your help!