A virus that kills Norton? .... and XP service pack 2?


Keygrip
17th Feb 2006, 16:28
Got zapped last night by a virus that came from a trusted colleague when we both just happened to be logged onto MSN Messenger, but not chatting to each other.

Norton caught the virus and said it killed it but, on closing the notification box, there was a second box underneath, from Windows, warning that something was trying to alter my settings and the only way to fix it was by inserting the Service Pack 2 CD. I've downloaded SP2 into my machine from the internet - so don't have a CD copy of it. How do you move forward there?

Now, it seems that whatever did get into the computer has changed the various windows files - it changed my internet home page (but I've reset that).

The only other difference I've noticed, so far, is that Norton has been closed from my system tray, the program will not open if selected through start/programs (it freezes) and any attempt to access a Symantec web page from my computer is blocked.

Anybody any ideas, polite comments or suggestions?

Saab Dastard
17th Feb 2006, 17:02
System Restore Point prior to the infection?

Keygrip
17th Feb 2006, 17:18
System Restore, when attempted, was marked as "Closed" and all previous restore points erased when I "opened" it again.

Not an option. New points are now being added again - but too late for this drama.

hobie
17th Feb 2006, 18:12
key, Can you tell us a bit more about your internet connection ... modem ...router ... BB ...dialup .....

what version of Norton are you using ? .... NAV .... or the "Norton Internet Security" package ? .....

Did you manage to get a name for the Virus involved? ....

How did it arrive from your trusted colleague? ....

vapilot2004
17th Feb 2006, 23:46
KG, sounds like spyware or malware to me.

You can view Norton's log by opening the log file located (usually) in your C: drive Program Files\Norton Antivirus folder. Usually named AVVirus.log.

If Norton is still alive, you may not be able to open this file - just highlight it, select EDIT > Copy then EDIT > Paste and open the newly made copy.

There is some gibberish in here, but also the Virus names in plain English. Look at the bottom of the list.

I would then go to Netscape.com and download and install the latest version of this free browser (or Firefox or Opera) - use the alternate browser to surf where you want.

Update and run your Anti-Spyware app if you have one. If you don't have one, go to Lavasoft.com and choose Ad-Aware Personal (it's free) and run this after updating. Alternatively, you can go to Microsoft.com/spyware and download the free (beta 2) Windows Defender anti-spyware app.

Good Luck !

Keygrip
18th Feb 2006, 01:44
Well, bugger me, what a vicious little :mad: that was!!

Turned out it was called W32.Chod.D and is wandering around the ether on the back of MSNMessenger.

I received an "instant message" from a colleague, which read (words to the effect of) "Hey, <insert name>, have a look at this messenger update." and, of course, there is a link added.

Stoopid me trusted the address (as I use it a lot) and clicked the link. Game over.

Virus writes itself into the computer - no way out. Then duplicates itself into various random folders and sets up a loop that ensures it installs on every boot up of the PC. It goes on to close down, and prevent access to, all known security programs and software (including security website addresses such as www.symantec.com) and deletes many administrator privileges from the computer operator. It then opens a back door to let Mr. Hacker come in for a wander round at his/her own desire. As I already said, it also shut down and cleared the memories of system restore.

Took three hours of professional help to track down the invading files and clean them out - the duplicates were incredible.

In answer to your various questions: SDSL BB modem on 24/7. Norton Internet Security 2005 - fully up to date. All firewalls and securities enabled.

MSNMessenger and Trillian also running 24/7. MSNMessenger now total history. Wiped in its entirety.

Good luck, team players. Hope you never encounter it.

BOAC
18th Feb 2006, 07:30
A timely warning, Keygrip, for MSN users! I see from my info that it also disables 'regedit' and 'hijackthis' which makes it even harder to 'kill'.

The only query I have is that it has been on my a/v protection system since August 2005 - you may wish to ask Norton why it was not picked up?

For info it works by installing a "%System%\<random folder name>\csrss.exe" file and edits the file "win.ini" to ensure this file is executed at each Windows start.

.......and it is assessed as 'low risk, medium pervasiveness'!!! You have to hope you don't see worse:{
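A defender-side check for the persistence mechanism BOAC describes, added here as an example and not taken from the thread or from any vendor tool: it parses the legacy run=/load= keys in win.ini and flags any csrss.exe that lives anywhere other than System32. The sample win.ini, the random folder name and the default install path are constructed assumptions.

```python
import ntpath
import re

# Constructed sample win.ini (not from the thread). A clean XP box leaves run=
# and load= blank; here a hypothetical worm has added a csrss.exe copy that
# lives in a random-named folder under %System%, as described in the post.
SAMPLE_WIN_INI = """; for 16-bit app support
[Mail]
MAPI=1
[windows]
load=
run=C:\\WINDOWS\\system32\\xk3f9q\\csrss.exe
"""

# Assumes a default install path; the genuine csrss.exe lives only here.
LEGIT_CSRSS_DIR = r"C:\WINDOWS\system32"


def parse_windows_autostarts(ini_text):
    """Programs listed under run= / load= in the [windows] section of win.ini."""
    # Both keys are legacy autostart hooks that current software leaves empty,
    # so any entry deserves a look. Entries are separated by spaces or commas.
    entries, in_windows = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
            continue
        key, sep, value = line.partition("=")
        if in_windows and sep and key.strip().lower() in ("run", "load"):
            entries.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return entries


def is_masquerading_csrss(path, system_dir=LEGIT_CSRSS_DIR):
    """True when a file named csrss.exe sits anywhere other than System32."""
    directory, name = ntpath.split(path)
    same_dir = ntpath.normpath(directory).lower() == ntpath.normpath(system_dir).lower()
    return name.lower() == "csrss.exe" and not same_dir


def flag_win_ini(ini_text):
    """(program, reason) pairs that a responder should investigate."""
    findings = []
    for prog in parse_windows_autostarts(ini_text):
        reason = "autostart via win.ini"
        if is_masquerading_csrss(prog):
            reason += "; csrss.exe outside System32"
        findings.append((prog, reason))
    return findings
```

On a live XP machine the same check would be run against %SystemRoot%\win.ini, alongside the other autostart locations the worm may also touch.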

Keygrip
18th Feb 2006, 11:40
Yeah, BOAC, I found my way (on my wireless laptop - not affected by the bug) to the Norton site and noted the August 2005 comment. Pointed it out to the tech help that erased the problem for me.

To be fair(ish) to Norton - it DID spot the worm entering, and it DID tell me.

I don't know if somebody has written a workaround but Norton was not able to stop the bug from loading - which I fear had something to do with that warning that "Some program is trying to alter your Windows setting. To prevent this, please insert your Windows Service Pack 2 disk". There was no way out from that - as soon as you click the close button on the Norton warning window - Game Over, it's in there.

So just how do you get a CD of SP2?

BOFH
18th Feb 2006, 12:31
So just how do you get a CD of SP2?

Keygrip,
I am not sure whether this would have satisfied your needs, but it's wise to make a slipstreamed copy of your OS boot CD to your SP level. I can recommend Autostreamer to do this. Saves gnashing of teeth if a full repair is required. You just need your installation CD and the SP executable.

BOFH

Keygrip
19th Feb 2006, 05:28
Thanks, Mike - it took my order.

Free disc, just pay for postage at $1.67 including tax. About £1.

They do suggest though, that I should allow 4 to 6 weeks for posting. Don't you love the 21st Century?

Blacksheep
22nd Feb 2006, 05:11
Too late now but for the record, keep SP2 in a folder on a data partition. Lock the data partition with something like Folder Guard, for example. Keep copies of all the MS and other security updates in the same folder and back them all up on CD/DVD.

If I was hit this badly I'd use these files to do a wipe of the C: drive and do a clean install of the OS, with latest updates, followed by all applications from the original disks. It doesn't hurt to do that once in a while anyway - it keeps your machine running sweeter and faster.

BOAC
22nd Feb 2006, 07:28
Fingers crossed for you KG:). I would echo BOFH's suggestion and slipstream SP2 into a fresh CDROM when you can. I have not used the 'Freeware' autostreamer, but followed (successfully!) the instructions on a web site I can send to you if you wish.

The task I set out on of slipstreaming all the updates proved TOO long-winded:{ so I understand I will have to wait for a MS 'update roll-up for SP2' when the task will be easier.

You will, therefore, have to patiently download/install/reboot/download/install yawn yawn yawn all the updates when you are up and running with SP2 again.:) I have also downloaded all the updates to hard drive, incidentally 'just-in-case'.

Thoroughly Nice Bloke...
22nd Feb 2006, 07:46
I haven't got time to read all the posts but I have SP 2 and would be happy to send anyone a copy.

TNB

Lost_luggage34
22nd Feb 2006, 08:04
You can apply to Microsoft for a free CD copy of SP2 for XP.

It takes about 3 weeks to arrive.

Keygrip
22nd Feb 2006, 13:29
Thanks for all the follow up.

The lurgy was completely removed by the three hour (trans-Atlantic) telephone call with the guru and the machine is running super sweet again.

I'll have to get the advice on "slipstreaming" etc. sent to me in words of one syllable. All over my head - needs to be plug and play for me to get it with these darned things.

There's a big sign that pops up in my mind, saying "Here be dragons" whenever anybody mentions the words "regedit" or "msconfig".

LLuggage - I've already ordered the disk thanks (earlier post, Feb 19th).

The Nr Fairy
22nd Feb 2006, 17:50
Slipstreaming is taking a bog standard XP CD (i.e. the original), and tweaking it using the SP2 and other update files so, when installed, it leaves a system patched automatically, thus avoiding XP / SP2 / download patches.

The suggestion about sticking all the updates on a separate read-only folder seems like a good idea too - depends on how much disk space you have.

Bahn-Jeaux
24th Feb 2006, 10:10
A good program to have which bypasses all these problems is GoBack.
Unlike system restore, GoBack takes your PC back to a specified time and all that occurred after that time does not exist.
I used it when I first started playing with PCs and editing the registry etc.
It restores everything.
Never let me down yet no matter how bad the calamity which had befallen me.

Keygrip
25th Feb 2006, 02:02
Right - back on line after three days of working away (and a network failure).

Have quite a bit to read, it appears. Thanks for all the advice (BOAC - got your PM today, thanks).

Postman already brought my Service Pack 2 CD whilst I was away - so ordered on the 19th (late at night), delivered by snail mail on either 23rd or 24th. US$1.77. Nice one, Microsoft.