Trojan Virtual.Root in Explorer.

kc

Got a call from a mate. Norton Antivirus dilemma.

There has been some funky happenings wrt his settings in IE and Outlook of
late.

He downloaded updates from Norton.

Ran them. They discovered a Trojan Virtual.Root in Explorer.
Norton unable to repair file.

Norton has the unhelpful page at
http://www.symantec.com/avcenter/venc/dyn/33068.html

Any ideas?

Thanks,
KC

Xterminator

Download the latest 30day free trial from a competitor such as Macafee,
Use it, and if it allows you to create rescue floppys, do so.
Use it to clean the system.

Note , ensure your mate disables the symantic anti virus, before adding another product.

kc

Not really possible.

The machine will not start, gets as far as the desktop color (no icons). dialog box reports prsence of Trojan Virtual.Root in explorer, no way out.

He really need the files on the machine. But a floppy by floopy helilift would be painful.

All ideas welcome, thanks,
kc

Xterminator

Can you download it, and add his hdd to your machine?

Otherwise, you could try making recovery disks on a similar machine, but i think they are supposed to be made on the machine that you use them on.

[This message has been edited by Xterminator (edited 14-08-2001).]

Gavin

If it's just the explorer.exe that is corrupted, you could possibly just copy over a new exploever.exe ?

Failing that, just reinstall windows ? It will just install over the current version and retain all settings. His actual files won't go anywhere.

Gav

or if he is worried about doing that, then just take the harddrive out, stick it as a slave in another machine and copy anything he needs off it over.

JustHalf

Yes, that should work... the problem seems to be tied into "explorer.exe"; which is the windows graphical shell (and one of it's file managers). Make sure you get one from the same version of Windows.

From the machine you're copying from, make a Windows system disk. Put in a disk you don't mind wiping. Then, in "My Computer", right-click on the floppy-drive icon and select format. Tick the "system files" bullet, and click "Format".

Then, copy "explorer.exe" from the %SYSTEMROOT% directory (usually "C:\WINDOWS" or "C:\WINNT" - though you need to do something else for Win2K/NT, and I can't remember it ) onto the disk. Take it out and write protect it (they may have boot sector virii too, from what I see of their luck)

Pop the floppy into the drive of your friend's machine, and boot up. Assuming you have Windows 95/98/98SE/ME, it will start up a DOS prompt. Type: "copy explorer.exe c:\windows\", and confirm. It is *very* important that you have a copy of "explorer.exe" from the same version of Windows.

BTW, I disclaim all responsibilities for whatever mess you make

Kix

JustHalf,

Safer by far would be to switch shells back to the Program Manager for a while until he can sort it out.

To do this, all you have to do is boot into DOS, edit the system.ini and under the [boot] section change

shell=explorer.exe

to

shell=progman.exe

That should allow Windows to boot. He can then disinfect and retrieve a clean copy of Explorer from his Windows CDROM.

EDIT: Extracting the file from the CDROM

Just in case this isn't a well enough known technique, I'll describe it in brief. First locate the extract.exe file, it should be in the main setup directory on your CDROM.

The format of the command is as follows:

extract /a <cabinet> <filename> /l <destination> 

Where <cabinet> is the first CAB file in the CAB file 'chain'. On Windows 95 this is 'Win95_02.cab', on Windows 98 it's 'base4.cab'. This wil then search each CAB file in turn until it finds the file you're looking for.

On my machine, for Windows 98, the command would be:

e:\win98\extract /a e:\win98\base4.cab explorer.exe /l c:\explorer.exe

Which would place a clean copy of explorer.exe onto the root of the C: drive. You could then copy it into the Windows directory, reboot into DOS, change the system.ini back and Bob's your mother's brother.


K


[This message has been edited by Kix (edited 15-08-2001).]