View Full Version : Beaten down by virus
Senator
12-26-2004, 07:36 PM
Begging the community to have seen this:
My brother rolls into town, throws me his virus infested PC and leaves. My annual job is to clean it up. I do this for all my family, and I have never been stumped before.
Here is the chain of events. I first install a fresh copy of Norton and update the definitions. I install the newest ad aware and update it. I run them and find tons of stuff. Some of which cannot be deleted. No problem - I go to safe mode, run it again, and it still will not let me delete. Even stranger, the path that Norton says leads me to said file is empty of the file. It is not there. I have turned on the files to show hidden ones, file extensions, and system files, but still these few stinking files are nowhere to be seen. Then, they shut down the PC when I hook into the internet. I jump on another PC - google the virus in question and get all kinds of answers but always the answer is to delete it from the folder.
The questions are:
Have you ever seen files, .dat files, etc. show up in Norton, and then go to that location only to not see any?
Could the NIC card have anything to do with this at all? Would replacing it help? I saw one lonely post alluding to this on the internet?
Thanks to those that understand this and can help.
Here is the HIJACK THIS file:
Logfile of HijackThis v1.99.0
Scan saved at 7:34:03 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Clean up tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.rd.yahoo.com/p/hpq/desk/*http://ps.hpq.yahoo.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Microsoft IT Update] win64.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Senator
12-26-2004, 07:43 PM
DOLA :
The hijack file was in safe mode - I will run it again in normal boot up.
The buggers that are showing on the PC are:
WebRebates_Auto_InstallSIlent.exe - and is showing to be in the documents and settings folder/Owner/Local Settings/Temporary Internet Files
I have deleted everything in there over and over and no luck.
While you're on the internet the browser is hijacked to some rebate page and then a few pop ups happen, and then the machine shuts down.
The other files that won't delete, are there but cannot be seen are:
hhthpy.exe
wwrwroy.exe.
These are supposed to be in the local settings under the owner folder in the startup folder and the last one is supposed to be in system 32 folder. Don't see them there and no luck when I search the computer.
I have never been stumped like this before.
Senator
12-26-2004, 07:54 PM
Normal boot hijack this file:
Logfile of HijackThis v1.99.0
Scan saved at 7:55:05 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\??rss.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\icwvc11n.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Clean up tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.rd.yahoo.com/p/hpq/desk/*http://ps.hpq.yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Microsoft IT Update] win64.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Win32 Regsrvc] regsrvc32.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [Microsoft IT Update] win64.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\RunServices: [Win32 Regsrvc] regsrvc32.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win64.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jvkebso] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [c004RQe8P] icwvc11n.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HushEncryptionEngine - https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Senator
12-26-2004, 08:26 PM
Noop - after 13 hours of this I am willing to try anything. I have tried several variations of this program with no luck. I will give it a shot, and thanks for helping me out.
vtbub
12-26-2004, 08:35 PM
Have you tried another web browser?
Spybot is an excellent suggestion, adaware is good too.
Is his ISP Yahoo SBC?
bosshogg23
12-26-2004, 08:43 PM
I have had similar problems with Norton and files in the Temporary Internet Files folder.
Online Virus Scan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
This site has worked for me in the past to clean things Norton wouldn't.
McAfee also has cleaned several things Norton wouldn't.
JonInMiddleGA
12-26-2004, 08:45 PM
Sen -- see if they're hiding in a Windows sub-folder called "bundles"
{That's referenced at http://forums.techguy.org/t311002.html }
Senator
12-26-2004, 08:58 PM
could these file names be dynamic? i.e.,
they (or some other bit of malware) are being renamed when cued by some action (reboot? search? something else?)?
Probably a long shot, but it would explain why they seem to be invisible.
That is what I am thinking as the names change at different times. I tried Spybot, it found 13 items and I deleted them. I ran it again. It found them again. I deleted them, and ran it again. Still there. I rebooted in safe mode, same thing. Wow. They are being spawned but I will be damned if I know where.
I will try every suggestion you guys give me, and I thank you all very much for the input.
vtbub - At home in Kansas he uses SBC and the Yahoo browser. Connecting him up here to my network - I use charter cable and the Explorer browser.
JonInMiddleGA
12-26-2004, 08:59 PM
hhthpy.exe
wwrwroy.exe.
I suspect you've already discovered this, but ... neither of those files show up anywhere when Googled -- which is pretty unusual, at least in my experience, when dealing with virus/spyware/adware/etc files.
Just wondering out loud here ... could these file names be dynamic? i.e.,
they (or some other bit of malware) are being renamed when cued by some action (reboot? search? something else?)?
Probably a long shot, but it would explain why they seem to be invisible.
JeffNights
12-26-2004, 09:07 PM
<takes long look at thread and slams forehead down onto desk repeatedly>
Senator
12-26-2004, 09:10 PM
The knucklehead never turned it on. If I can clean this off - which at this point looks bad - I am creating one to always refer back to.
JonInMiddleGA
12-26-2004, 09:10 PM
This is probably a longshot too, but ... if he's on XP, does he have a recent restore point (or whatever the heck it's properly called) that doesn't include this particular piece o' spyware?
Actually what I do to get rid of pesky spyware processes is to open the folder it is located and click on it( not double click) then I go to task manager and end the process and quickly go back to the file I have clicked and delete it. Sometimes those things move fast so it takes some practice especially with Ebates. Another thing would be to see if one of the programs installed such as I-Tunes or any download program is the reason why... but if all else fails I suggest going to someone else to do and ask if they can show you how they got rid of it so you can know for future reference.
Senator
12-26-2004, 11:08 PM
This just baffles me.
All the scanning finds this exe virus - what I think may be the one propagating everything in:
C:/Documents and Settings/Owner/Local Settings/Temporary Internet Files/(Some weird ass folder name that does not exist)/webrebates_Auto_SIlentIntall.exe
Now, the Norton and others scan several of these "mythical" named folders inside the Temporary Internet File directory. None of these exist, yet - somewhere they do.
To heck with this - a full night and full day and night is enough.
I am going to tell him to save all his stuff off the OWNER profile - delete it - and create another. Maybe he can figure that out.
DaddyTorgo
12-26-2004, 11:11 PM
can you get rid of it from safe mode?? or not letting windows boot up and deleting it from DOS?
Senator
12-26-2004, 11:17 PM
as far as safe mode - I have tried that about a dozen times. When it deletes - the files show right back up.
As far as DOS goes - that is another world to me, and I am not ashamed to say I don't go there.
DaddyTorgo
12-26-2004, 11:21 PM
because what it sounds like is the files are getting loaded each time windows loads up, safe mode or not. I wonder if deleting them from DOS would work if the computer wasn't allowed to boot all the way through to windows? Running XP?
edit: here's a quick primer on using MS-DOS delete. I think it would be best to do it before the computer loaded windows at all...so interrupt it in the booting process so windows never loads.
Godzilla Blitz
12-26-2004, 11:22 PM
Reformat?
Senator
12-26-2004, 11:26 PM
Well, he is picking it back up to take with him to Kansas tomorrow morning. I feel like I have been defeated.
DaddyTorgo gave me one idea to try. Boot from the Norton CD and let it look over the PC before booting up to Windows.
Reformat is an option, but one that should not have to happen. I am obsessed with understanding why I can't root this sucker out.
DaddyTorgo
12-26-2004, 11:31 PM
Let us know if that works Sen. I still think if that doesn't work, that deleting the directories from DOS before Windows ever loads should work too. At the very least, as long as you don't delete the entire contents of his HD, it can't hurt.
stevew
12-26-2004, 11:31 PM
Maybe you could make an autobooting disc on your computer that works that would do a virus scan on your brother's? Loading up in safe mode doesn't always work.
Ironhead
12-26-2004, 11:33 PM
I understand your pain. I had a virus once that pissed me off so badly that I stayed home from work in order to try and get rid of it.
In the end I found that the virus had a way of reinstalling itself every time Windows was loaded. Every time it would rename the files something different. I cleaned out everything a billion times but I just couldn't get rid of the thing. I kept removing it from the registry, removing all of the associated files, but the damned thing wouldn't go away. I eventually found the thing respawning it in one of the most likely places that I never checked: in the Startup folder in the Windows menu. I thought it was strange because I never remembered seeing the entry in the Run folder in the registry. Worth a shot.
In any case, good luck!
stevew
12-27-2004, 02:38 AM
Also, I'm sure you have already done it, but just in case, from the command prompt run msconfig and unclick all the startup files, and then run adaware after reboot
Yellow5
12-27-2004, 03:27 AM
Doing what Stevew suggests above, make sure you get those win64.exe entries removed from the startup! TrendMicro site says that's a nasty virus. (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GA). They also have an online virus scan (http://housecall.trendmicro.com/) that might pick up things Norton could miss.
C:\WINDOWS\system32\icwvc11n.exe looks like it might also be bad. Kill that process and see what happens.
These two lines are also suspect:
This one is the "websearch toolbar" which is probably spyware.
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
This one should be removed.
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
Good luck!
I also got a wicked virus yesterday when my dad was googling around for interesting stuff. He must've clicked on a bad link somewhere.
Anyways, this thing deleted my system restore, deleted a key file off Spybot, replicates itself after being removed (even in safe mode). Deadly. CWS.homesearch is the one I have.
I THINK I may have gotten rid of it thanks to reading some good forum posts on tech boards, I did a regedit and got rid of a bunch of stuff. Apparently this virus also authorized itself to open up ActiveX controls to anyone, and opened up a bunch more holes in the security net. After removing all the registry entries, I went back into my Internet Tools and closed everything back up again.
Definitely the most brutal virus I've ever had.
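As an added example (not part of any post in this thread, and not HijackThis's own code), the following Python script applies the startup-entry checks raised above to a subset of the log lines posted earlier: autorun values with no directory, one program registered under several autorun keys, and several hostnames pinned to one address in Hosts. The function names and the heuristics themselves are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Subset of the normal-boot HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Microsoft IT Update] win64.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM\..\Run: [Win32 Regsrvc] regsrvc32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] win64.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win64.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jvkebso] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [c004RQe8P] icwvc11n.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")


def executable(command):
    """Return the program part of an autorun command, dropping arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command


def triage(log_text):
    """Return (flags, redirects): autorun programs with reasons, and Hosts pins."""
    reasons = defaultdict(set)
    keys_by_exe = defaultdict(set)
    hosts_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            key, _name, command = m.groups()
            exe = executable(command).lower()
            keys_by_exe[exe].add(key)
            if "\\" not in exe:
                # The value never says where the file lives on disk.
                reasons[exe].add("bare file name, no directory")
            if "?" in exe:
                # '?' is illegal in Windows file names, so it is a placeholder
                # for characters the log could not render.
                reasons[exe].add("name contains characters the log could not render")
        elif m := O1_RE.match(line):
            hosts_by_ip[m.group(1)].add(m.group(2))
    for exe, keys in keys_by_exe.items():
        if len(keys) > 1:
            # Removing one value leaves the others to relaunch the program.
            reasons[exe].add(f"registered under {len(keys)} autorun keys")
    redirects = {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) > 1}
    return {exe: sorted(r) for exe, r in reasons.items()}, redirects


if __name__ == "__main__":
    flags, redirects = triage(SAMPLE_LOG)
    for exe, why in flags.items():
        print(f"{exe}: {'; '.join(why)}")
    for ip, hosts in redirects.items():
        print(f"Hosts file pins {', '.join(hosts)} to {ip}")
```

A flagged entry is a lead for manual review, not a verdict; legitimate software occasionally registers autoruns without a full path.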
SlapBone
12-27-2004, 08:53 PM
Senator:
I have been fighting viruses for about 10 years now for different members of my family and my favorite tool is "c:\format c:" If that tool doesn't work try "c:\fdisk"
Wipe their data a few times and one of 2 scenarios presents itself:
1. They stop getting viruses
2. They continue to get viruses but they stop bringing the computer to you.
Either way...you win :)
robbgmaier
12-27-2004, 09:59 PM
this is a very depressing thread
Airhog
12-27-2004, 09:59 PM
In order to effectively remove a virus, you must learn how to use DOS. I'm not trying to chastise you here, but DOS is a very effective tool for the removal of viruses. If there are files in there you will be able to remove them in DOS, if they are not in use by the system.