W32.weird (gen1) frustrating me to no end.. [Archive] - SpeedGuide.net Broadband Community



koldchillah
09-25-03, 04:00 PM
uh oh.. "Houston, we have a problem."

It appears my new favorite boot CD app, PEBuilder, cannot boot a system that has been infected by a memory-resident virus. It blue screens every time, as does ERD Commander 2002.

Trying to recover a Win2k system hit by W32.weird (gen1). Not having much luck. Online ActiveX scanners (Housecall & Panda) are crashing IE or just plain not loading. NAV is crashing (vpc32 error) whenever I click scan, safe mode or no safe mode. This system is running Norton AV Corp 8.0 with a managed install. Norton finds it but is unable to repair it. Their site isn't much help either: no removal steps listed for this particular variation of W32.weird.

At this point I'm afraid to hook this thing back up to our network in order to even try another online scanner. Apparently this virus listens on TCP ports and tries to start its own version of the server.exe process for sharing out the drive. I did find the renamed explorer.exe file (explorer.e.exe) and deleted it, but I'm afraid my troubles aren't over yet.

Anybody dealt with this one before?

Also, the various removal tools that I've googled up only detect other versions of W32.weird, but not the (gen1) version.

thanks.
:)
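Added example (not from this thread or from any of the posters): a small Python script that does the check the post above is describing, enumerating listening TCP sockets, mapping each to its owning process image name, and flagging listeners owned by something outside an expected set as well as image names that look like a renamed system binary (the explorer.e.exe pattern). The netstat sample and the PID-to-image table are constructed for the example; the expected-listener allowlist is an assumption for a stock workstation. Note that the PID column comes from XP-style `netstat -o`; Win2k's netstat has no such column, so there you would get the port-to-PID mapping from a third-party tool and feed it in the same shape.

```python
"""Flag unexpected listening sockets and renamed system binaries
from netstat-style output (added example, constructed sample data)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Set


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    state: str   # "" for UDP rows, which carry no state column
    pid: int


# Constructed sample, not captured from the infected machine in the thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:1053           0.0.0.0:0              LISTENING       1424
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:1025      192.168.1.5:80         ESTABLISHED     1272
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed PID -> image name table (what a task list would show).
TASKLIST_SAMPLE: Dict[int, str] = {
    8: "System",
    820: "svchost.exe",
    1272: "explorer.e.exe",
    1424: "server.exe",
}

# Assumption: image names expected to own listening TCP sockets on a
# stock workstation. Tune this to the build you actually deploy.
EXPECTED_LISTENERS: Set[str] = {"System", "svchost.exe", "lsass.exe", "services.exe"}

# Stock binaries a malware dropper might impersonate with an extra name segment.
KNOWN_SYSTEM_IMAGES: Set[str] = {
    "explorer.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
}

# name + one or more short dotted segments + .exe, e.g. explorer.e.exe
RENAMED_RE = re.compile(r"^([a-z0-9_-]+)(?:\.[a-z0-9]{1,3})+\.exe$", re.IGNORECASE)


def parse_netstat(text: str) -> List[Socket]:
    """Parse TCP/UDP rows of `netstat -ano`-style output; headers are skipped."""
    rows: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = ""
        else:
            continue  # malformed row: skip rather than guess at columns
        ip, port = local.rsplit(":", 1)
        rows.append(Socket(proto, ip, int(port), state, int(pid)))
    return rows


def find_unexpected_listeners(sockets: Iterable[Socket], pid_to_image: Dict[int, str],
                              expected: Set[str]) -> List[tuple]:
    """Return (port, pid, image) for LISTENING TCP sockets owned by an unexpected image."""
    hits = []
    for s in sockets:
        if s.proto != "TCP" or s.state != "LISTENING":
            continue
        image = pid_to_image.get(s.pid, "<unknown>")
        if image not in expected:
            hits.append((s.local_port, s.pid, image))
    return sorted(hits)


def looks_like_renamed_system_binary(image: str) -> bool:
    """True for names like explorer.e.exe whose base name is a known system image."""
    m = RENAMED_RE.match(image)
    return bool(m) and (m.group(1).lower() + ".exe") in KNOWN_SYSTEM_IMAGES


def audit(netstat_text: str, pid_to_image: Dict[int, str]) -> Dict[str, list]:
    sockets = parse_netstat(netstat_text)
    return {
        "unexpected_listeners": find_unexpected_listeners(sockets, pid_to_image, EXPECTED_LISTENERS),
        "suspicious_images": sorted(i for i in set(pid_to_image.values())
                                    if looks_like_renamed_system_binary(i)),
    }


if __name__ == "__main__":
    for key, value in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against real output, the interesting lines are the ones the script prints: a listener on a high port owned by an image you did not install, and any image name whose only difference from a stock binary is an inserted dotted segment. Both are the kind of thing a managed AV install can miss when it is crashing on scan.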

koldchillah
09-25-03, 04:03 PM
wow, this is getting worse. I can't even boot the system in normal mode anymore. It freezes during the Windows logo screen. It's all up to safe mode now.

YeOldeStonecat
09-26-03, 07:10 AM
Memory-resident virus... are you completely powering down the system? Such as: shut down the computer, pull the power cord for a few minutes, then try to boot into safe mode?

Or... if this is a workstation, take the HD out, slave it to another system that has antivirus, boot up that system, then scan the drive.

YeOldeStonecat
09-26-03, 07:13 AM
http://securityresponse.symantec.com/avcenter/venc/data/w32.weird.html

"NOTE: If NAV reports that it cannot delete an infected file, you must shut down the computer, turn off the power, and wait 30 seconds. Then restart the computer in Safe mode and run the scan again. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode."

koldchillah
09-26-03, 02:40 PM
Originally posted by YeOldeStonecat
http://securityresponse.symantec.com/avcenter/venc/data/w32.weird.html

"NOTE: If NAV reports that it cannot delete an infected file, you must shut down the computer, turn off the power, and wait 30 seconds. Then restart the computer in Safe mode and run the scan again. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode."

thanks Stonecat, but I tried that yesterday; it didn't work. That link to Symantec's site isn't quite the same variation I have (the technical description is just a bit off from what it's doing on this system). There is another page on Symantec's site for the (gen1) version of W32.weird, but it doesn't have any removal info for it.

I made the mistake of assuming that if the event log said NAV left the file alone, then it wouldn't have been quarantined, but lo and behold they were hanging out in the good ol' Norton stockade, and I deleted them before NAV crashed again. Now, after a reboot, it seems to be functioning in normal mode okay right now. I'm searching out the temp files, scanning for adware, and making sure this system is updated and stable before bringing it back upstairs to its proper user. I was also able to retrieve all the data off of it beforehand, so hopefully everything's cool now.

thanks
:)

YeOldeStonecat
09-26-03, 02:56 PM
Originally posted by koldchillah
thanks Stonecat, but I tried that yesterday; it didn't work. That link to Symantec's site isn't quite the same variation I have (the technical description is just a bit off from what it's doing on this system).

Yeah, I noticed there were a whole slew of pages on that W32.Weird virus... I don't believe I've come across that one before, although the name rang a bell; someone else here, I think, had to deal with it.

Doesn't appear to whack Win2K systems too well anyway; the virus has a bug in it that prevents it from running properly in the 2K environment.

Anyway... gotta remember they're making most viruses memory-resident now, so if you go to reboot between scans and removal-tool scans, always completely power down and unplug for a while; else you simply reinfect the newly cleaned hard drive, because a soft reboot keeps the memory charged... and infected.

alexf
09-29-03, 01:26 AM
TRY THIS
http://www.commandondemand.com/eval/cod/ctrlie.cfm

koldchillah
09-29-03, 12:08 PM
Originally posted by alexf
TRY THIS
http://www.commandondemand.com/eval/cod/ctrlie.cfm

sounds like another ActiveX scanner. If a virus takes out the browser's ActiveX capabilities, or other sub-apps/scripts for that matter, then you're out of gas.

The PC in question here has already been redeployed and no problems have yet been reported. Thanks for the link though; maybe I'll look into it more in the future. :)