Virus experts, NAV says it found 2 / Update: Same virus returns on laptop now

[EvilHorace]

I just got Norton Anti-virus 2002 and have so far installed it on 3 of my 4 PCs at home. No problems with 2 of them but on my main PC which dual boots Win2K Pro and Win98SE, I've so far only installed it on the Win2K OS and it found what it claims are virus's yet NAV can't repair, quarantine or delete them. It'll then cause a warning message after booting to the desktop and the only way I can get rid of that message is the 3 finger solute/task manager it to close.
After doing that my e-mail is inop and NAV says there's an e-mail error also.

Now, this PC has had no problems known to me until I installed NAV yesterday.

This morning I then un-installed NAV and my e-mail (Outlook express 6.0) works just fine.

OK, the virus's it says exist:

1)Kdll.dll "Trojan Horse" located in D:\WinNT\system32\kdll.dll (Win2K is installed on my "D" drive)

2) Kernal32.exe "w32.badtrans.B2mm" located D:\WinNT\system32\kernal32.exe

NAV says it can't quarantine or delete either because "access is denied"


So what can I do or where can I search for info on this? I've checked Symantecs website under "Virus's" but didn't see my particular files listed.

I'm thinking that it's possibly an install problem with NAV as it stalled on me while it was doing it 'live update' on initial install so I stopped, restarted it and maybe that caused a problem? I'm thinking of trying to install NAV on the Win98SE OS first, see if I get the same errors and if not, try the Win2K OS again.

Any other ideas?

Note: PC has no symtoms of any problems whatsoever and the Win2K OS is a recent, fresh install too.

[RubberDuckie]

Seems like one virus.
here is some info on this one.
http://securityresponse.symantec.com/av ... .b@mm.html

or

http://vil.nai.com/vil/virusSummary.asp?virus_k=99069

Looks like a bugger

[EvilHorace]

Yep, that's it. At least it's removeable/cureable so I'm happy about that. Thanks RubberDuckie.

I think I know how I got it too. A few weeks ago I got an e-mail from a guy I hadn't heard from in well over a year, it contained attachments with an old subject line (from a subject we discussed over 1.5 yrs ago) but I trusted the guy so I clicked on them yet there was nothing visably there (nothing in the mail other than a subject line, no content, empty), which seemed strange to me. I then replied asking "hows things" and asked what he had tryed to send me yet the mail came back as "unreturnable". It did occur to me that I might have opened a virus or two but nothing bad seemed to happen so I forgot about it.

I guess NAV's pretty impressive then.

Another question, did this virus get sent out to others from my e-mail? I just briefly looked the info over as I'm at work now but it does look like that's possible.

Another question: Does NAV then shut my e-mail down to prevent it from being re-sent? I assume that's why my e-mail was then inop after installing NAV, after it scanned and found the virus.

[DocSilly]

I think that's one of the new features in the new NAV 2002, it also prevents viruses from getting out once you're infected.
Not sure what to do to bring your email back to work, I'm still with NAV 2001.

[EvilHorace]

I ran the program from the symantec link listed above and it effectively removed the virus file. I then re-installed NAV on this PC (one previously effected) and it's clean, no virus's exist AND my e-mail, etc works normally too.

I also installed NAV in my kids PC and it found two virus's (same file listed twice) but was able to quarantine them w/o a problem. He's always DLing music and music videos so he must have picked it up from one of those files as he doesn't yet have working e-mail other than a hotmail account. I'll look into that virus to see how to completelty get rid of it.

I must say that I'm very impressed with NAV 2002. It's alot better than what I recall of my previously registered version of McAffee years ago, which I thought then was somewhat of a pain compared to NAV now.

[EvilHorace]

So tonight I left the laptop on for a while and noticed that NAV finds the same virus on it where it didn't find it before and puts up a virus found screen. The laptop now also runs Win2K Pro (same as main PC that previously reported this virus). This time NAV let me quarantine the two mentioned files (listed above) and I'll do the cure proceedure later but can anyone explain how I could get this now on my laptop running NAV 2002 with all the latest auto upgrades? I havent received any unusual e-mails lately either.

Might this be some wierd Win2K or NAV with Win2K related problem and not really a virus? I'd hate to think that I'm still getting a virus with NAV and it's also using a firewall with ZA.

Any thoughts?

[chottoED]

ok... this is getting annoying...
for the 2nd time in 2 weeks now... i'm being hit w/ the w32.nimda.enc virus...
luckily i'm using NAV2002 and it has script blocking and also email scanning...
so i run a full system scan and detect nothing... the virus is quarantined ... however, it's annoying as hell whenever i check my email now, i get a notice saying the nimda has been detected on my system...
so i'm assuming it's somehow on one of the email servers i'm dnlding from...

[DocSilly]

chottoED

Check Symantecs page on " .enc " warnings, just click this link .


EvilHorace

Did NAV find the virus in an email or on your hdd during the weekly full scan?

[EvilHorace]

Yep, found during its routine scan according to the activity log. The first scan was 1/1 when I installed NAV and yesterday was the first time it ran another system scan. It wasn't detected in my e-mail nor have I received any unusual e-mails. I've re-checked all e-mails there and they all look legit, from reliable sources (nothing that I'd think would be suspicious). I use cable and it's networked so it's always online once on yet behind firewalls.

I can't imagine where it came from or how it appeared.

The removal tool doesn't see the file now that it's quarantined so my options are then to either delete it (the first file only as Windows needs the other one and the other one, second file listed isn't the problem) OR restore the virus file "Kdll.dll" and then let the removal program remove it OR just keep it quarantined.

What's best?

[DocSilly]

Maybe best to put those files back and have the removal tool take care of it. Otherwise use the manual removal method as described on the symantec page linked above.

REmoving that virus requires a change in the registry, so either you let the removal tool do it or you do it yourself.

[chottoED]

it doesn't make sense...
i've already deleted all the emails i got yesterday...
but i'm still getting the stupid notifications w/ every email check

[EvilHorace]

I did what you suggested and it's gone. I still wish I knew how it got in there after NAV was installed? NAV's always running too (default settings) on all 4 PCs here.

[chottoED]

maybe yours is stuck on your email server?

[EvilHorace]

If so, any ideas how to detect and remove it? NAVs E-mail scanning is always on with all PCs too.

[DocSilly]

chottoED, did ya read the link ? It explains everything, pay attention to the "How to fix it" section. What the heck, I'll just put the info in here:

In some cases, Norton AntiVirus detects a threat and adds the extension ".enc" to the name of the detection. For example, if a computer has received email infected with W32.Nimda.A@mm, you may also see a detection for W32.Nimda.enc.

The .enc detection is actually a detection of header information or encoded script which can be contained in an email message. The detection of an encoded script is the result of the script using a vulnerability that affects some versions of Microsoft Internet Explorer, and therefore Microsoft Outlook and Outlook Express. This vulnerability, if not patched with a Microsoft program update, allows a virus, worm, or Trojan to be executed just by reading or previewing the email message. Information on this problem, which is known as a MIME header exploit, can be found at:

http://www.microsoft.com/technet/securi ... 01-020.asp

NOTE: Symantec provides this link as a convenience only, and cannot accept responsibility if they change, or for the contents of the site.

How it works
The following is a typical--but not the only--scenario:

1. You receive an email message that has an infected attachment. You have current virus definitions, and the preview function in Microsoft Outlook or Outlook Express is enabled.
2. Depending on your version of Norton AntiVirus (NAV) and your program settings, NAV detects the infected attachment either after it is downloaded or when the attachment is executed. (If you are using an unpatched version of Internet Explorer, it could be executed without your knowledge.)
3. NAV detects the infected attachment and deletes or quarantines it. The message, which still contains the (non-infectious) header information, is not deleted.
4. Each time that you select the previously infected message in your email program, NAV detects the header as <name of threat>.enc.


How to fix the problem

1. Make sure that you have updated your version of Internet Explorer, or that you are using a version that includes the update. For additional information, go to the Microsoft Web page:

http://www.microsoft.com/technet/securi ... 01-020.asp

2. Note which message is causing the alert.
3. Turn off the preview function in Microsoft Outlook or Outlook Express:

NOTE: The following is provide for your convenience. The steps may vary, depending on your version. For additional information, read the product document or online help.
1. Click "Ignore the problem and continue with the infected file."
2. Do one of the following:
* In Microsoft Outlook, click the View menu, and then make sure that the Preview Pane menu item is not selected.
* In Outlook Express, click the View menu, and then click Layout. Uncheck Show Preview Pane.
3. Open the Inbox, right-click the infected email, and then click Delete.
4. Right-click the "Deleted Items" folder, and then click "Empty Deleted Folder."
5. Turn on the preview pane option, if desired.

Did, or did you not, empty your Deleted Folder ?