Please help me with WinME and persistent virus!!

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
I have an extremely annoying problem with a virus in WindowsME. (I realize that statement is potentially redundant, but still.. :))

The virus name is W32/WinInit.worm.b, which by the way is not listed in the databases at Symantec or McAfee web sites...

It infected several files on my system, all of which I have been able to clean up except for one. The virus somehow made its way into the _RESTORE\TEMP directory and WinME refuses to allow me (or any virus scanner) access to the file to clean, delete, or move it. :(

Will disabling the System Restore function delete all of the _RESTORE files (including the one infected by the virus)? Or is there another way I can clean this file? The virus itself is now 'inert' since it appears to be unable to propagate itself outside of the _RESTORE directory, but if I ever need to use the System Restore function, the virus will again be infecting my system, so I'd really like to completely get rid of it.

Thanks for your help!
 

Fardringle

I don't think it's the D.Net virus, as RC5 wasn't running (I checked, since I DO run SETI..) :) However, I'll take a look at their fix and see if it will help.

As for disabling the System Restore, I know how to do it, but I was wondering if disabling it would actually delete all of the files, so that when I enable it again, the restore files can be re-created without having the virus present? (Or if I just leave it disabled, at least the files will be wiped so I no longer have the virus anywhere on my system..)

Thanks again!
 

Fardringle

I agree that would probably be the easiest and most effective way to take care of this. Unfortunately, the floppy drive in this system died a little while ago and I haven't been able to replace it yet.. :( :eek:

I'll try disabling the Restore function when I get home from work tonight, and I'll let you know how it works out.

Thanks to both of you for the suggestions. Hopefully I can get rid of this thing pretty quickly! :)
 

Mytv

Banned
May 12, 2000
422
0
0
What I want to know is how you got this?
Let's see, either warez or an email attachment. Stop downloading stuff you don't know about.
 

Fardringle

Nope. I don't ever download warez. (Even if I wanted to, I have a crap Dial-Up line..) I always scan every attachment and downloaded file before I open it. So, I'd have to agree with your question, as I also have no idea how I got it... :confused:
 

Motorheader

Diamond Member
Sep 3, 2000
3,682
0
0
Have you tried running MSCONFIG and getting rid of things that:

automatically start notepad.exe
run some *.hqa file
run a file called c:\windows\system\wininit.exe
place network.vbs or network.exe in the startup folder as a hidden/system file
place a run= or load= line in your win.ini file that starts wininit.exe

That is where I would look first for this one - I have seen about a dozen variants in the past 6 months that do just what is happening to you.
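
Added example (not part of any post in this thread): a Python sketch that applies the checklist above to a copy of WIN.INI and to a listing of the Startup folder. The function names and the sample input are constructed for illustration.

```python
import re

# Indicators copied from the checklist in the post above.
SUSPECT_NAMES = {"wininit.exe", "network.vbs", "network.exe", "notepad.exe"}
SUSPECT_EXT = ".hqa"

def checklist_match(token):
    """Return the reason a path/file name matches the checklist, else None."""
    name = token.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if name in SUSPECT_NAMES:
        return "starts " + name
    if name.endswith(SUSPECT_EXT):
        return "runs a *.hqa file"
    return None

def audit_win_ini(text):
    """List every run=/load= target in [windows] as (line, key, target, reason)."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section != "windows" or not sep or key not in ("run", "load"):
            continue
        # Simplification: split on spaces/commas; quoted paths with spaces are not handled.
        for target in filter(None, re.split(r"[ ,]+", value.strip())):
            findings.append((lineno, key, target, checklist_match(target)))
    return findings

def audit_startup(filenames):
    """Return Startup-folder file names that match the checklist."""
    return [f for f in filenames if checklist_match(f)]

# Constructed sample input, not taken from the thread.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\system\\wininit.exe
[Desktop]
run=ignored.exe
"""

if __name__ == "__main__":
    for finding in audit_win_ini(SAMPLE_WIN_INI):
        print(finding)
    print(audit_startup(["Office Startup.lnk", "NETWORK.VBS"]))
```

Every run=/load= target is listed so it can be reviewed by hand; the last field is only set when the target matches one of the checklist items.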
 

Fardringle

Yep, I cleaned out all references to the virus in MSCONFIG, WIN.INI and the REGISTRY, I just haven't been able to get Windows to let me delete/clean/move that one file in the _RESTORE\TEMP directory... :p


edit: Typos.. :eek:
 

Fardringle

I'm happy to report that disabling the System Restore function did in fact wipe out ALL files in the _RESTORE directory, thereby finally cleaning out the last remnants of this particularly stubborn virus! :)

Thanks again to those of you who offered your help and advice! :D