Virus infected my PB - help?
Well, mostly anyway...it seems I have been infected with the Word macro virus W97/thus.gen. Of course, it has no effect on my mac itself (other than turning off the macro warning in Word), but every document I send to PC users gets blocked or infects them.
I downloaded Virex from .Mac, got the latest updates, and while it WILL clean the files (I have cleaned the entire drive repeatedly), as soon as I create a new file or open an old one, it becomes infected again.
Any help please?
Fish
Comments
Originally posted by fishdoc
Well, mostly anyway...it seems I have been infected with the Word macro virus W97/thus.gen. Of course, it has no effect on my mac itself (other than turning off the macro warning in Word), but every document I send to PC users gets blocked or infects them.
I downloaded Virex from .Mac, got the latest updates, and while it WILL clean the files (I have cleaned the entire drive repeatedly), as soon as I create a new file or open an old one, it becomes infected again.
Any help please?
Fish
If each new file is infected, then clearly you have not disinfected your computer. But, you used Virex so the best evidence is that your files have indeed been disinfected. Virex will not allow them to be reinfected. My question is: How do you know that your new files are still infected? My reading of your post is that the files are infected when your friends receive them. That tells me that it is their computers that are still infected, not yours. Where did your first infection come from?
Another thing--just because a mail server's antivirus software blocks your attachments doesn't mean that your attachments are infected. Although I do most of my computer work on a Macintosh, my firm is predominantly a Windows shop. Over the years, it has been inundated with viruses. Recently, IT implemented antiviral software on the Exchange server. At times, this software has blocked my attached Word files, PDFs, and .zip files. Suffice it to say, none of my blocked attachments were infected.
In your case, your account may have been tagged by some servers as a source of infections. My entire firm got tagged as a source of infections due to reasons mentioned above. ISPs that subscribed to the tagging services blocked all email from my firm.
However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.
Fish
Originally posted by fishdoc
Well, I run Virex on the entire drive, and it finds and cleans files of the virus. Running it a second time reveals no viruses.
However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.
Fish
You have yet to answer the question: "How do you know that newly created files are infected?"
Recommendation: Delete and reinstall MS Office.
He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan.
Word is making infected files from scratch, it appears. Which means the virus lodged itself into perhaps a template document or macro library.
I concur though, wipe Office off your machine, toss your preferences and any extra macros, and reinstall the mess from scratch.
Don't you just LOVE MS products?!? :P
after you delete it, make a new file, save and scan it again. it should be clean. faster than wiping office completely. of course, if after that the new file is still infected. wipe it.
Originally posted by Kickaha
Yeah, Mr. Me, he did answer the question.
He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan.
Word is making infected files from scratch, it appears. Which means the virus lodged itself into perhaps a template document or macro library.
I concur though, wipe Office off your machine, toss your preferences and any extra macros, and reinstall the mess from scratch.
Don't you just LOVE MS products?!? :P
Reread what fishdoc says. He runs Virex to disinfect. He runs Virex again to verify that all files have been disinfected. Virex shows no infections. Nowhere does he specifically say that Virex tells him that his new files are infected. However, I have a feeling that he is leaving out something. Viruses don't materialize out of the ether. Virex supposedly removed all traces of W97M.thus.gen. That means that it had been removed from all documents, templates, and everywhere else, or should have been. And yet it magically resurfaces. According to the Symantec virus database, this family of viruses is four years old, not widely distributed, not terribly destructive, and easy to remove. Come on, fishdoc, what's really going on?
I have the virus - I know because Virex finds and cleans it from various word docs. Yet with every new document I create, I am re-infected (the newly-created document has the W97 virus - specifically W97/thus.gen).
Put more succinctly:
"He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan."
Also, note that for W97/thus.gen, there are two entries in the Symantec database - one with a discovery date of Sep 03, and one from Sep 04. I am not sure how or why the age of the virus is an issue anyway - the fact is, I have the virus, and AFTER cleaning the entire drive ("All Local Volumes") with the newest update of Virex from .Mac (7.21, DAT file update Oct 14), the virus re-appears on any new Word document.
I will try re-installing Office and see what happens...
Fish
Most antivirus software will not clean the active boot volume.
Infected files may already be resident in memory and represent as 'protected kernel'.
(Remember "Terminate and Stay Resident" programs from the old days?)
Boot from CD or external volume and then run anti-virus.
Only when booted externally can your AV tools fully clean the machine.
Not sure if that helps, but in reading your comments, it wasn't clear if you're trying to clean the volume you've booted from (which wouldn't be thorough and might explain recurring symptoms).
PAGING MR. ME.
PLEASE READ. CAREFULLY.
THAT IS ALL.
Originally posted by fishdoc
Well, I run Virex on the entire drive, and it finds and cleans files of the virus. Running it a second time reveals no viruses.
However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.
Fish
Missed that post, did we?
Originally posted by Kickaha
PAGING MR. ME.
PAGING MR. ME.
PLEASE READ. CAREFULLY.
THAT IS ALL.
Missed that post, did we?
There is no need to get personal. The fact is that you are the one, not fishdoc, who explained how he "knows" that his new Word documents are infected. You inferred it from what he wrote, but you did not read it in his post. fishdoc then quoted you rather than use his own words to confirm your inference.
Now to curiousuburb's assertion that you cannot clean the boot volume. MacOS X is not MS-DOS and W97.thus.gen is not a DOS virus. It is a MS Word macrovirus, and as such, can only exist within the Office environment and the files generated by it. Such viruses are easily removed from the boot volume. In my personal experience going back to System 6, I have never had any problem removing viruses from Mac boot volumes.
Originally posted by alcimedes
before you wipe everything, toss the default template file first. that's the one that likely infected.
I agree with this. Isn't it called the "Normal" template?
Microsoft Office X/Templates/Normal
Originally posted by Mr. Me
There is no need to get personal. The fact is that you are the one, not fishdoc, who explained how he "knows" that his new Word documents are infected. You inferred it from what he wrote, but you did not read it in his post. fishdoc then quoted you rather than use his own words to confirm your inference.
Sorry, but no. I quoted the third message in this thread, which was fishdoc's immediate and clear response to you, prior to my entering it simply to point out that he had already answered you. Hence hauling out the larger clubs to get you to realize that your subsequent requests for information were superfluous, and only served to point out that you weren't reading carefully... not to mention more than a little rude.
Now as to what's actually going on... fishdoc, you aren't by any chance having Word still running while doing the scans, are you? If so, then the virus will have already been loaded into memory, as pointed out by curiousburb (even though what he describes is Windows specific). Quit all apps, run Virex, ensure a clean drive. Then launch Word and see if it still happens. If so, Virex your drive again, remove the templates, and then reinstall just them from the CD. Try launching Word again. If it STILL happens, delete the entire Office installation (and all preferences files, Library files, etc!), then Virex, reinstall Office, and try again. If it happens after *THAT*, call a witch doctor.
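The sequence described in the post above (quit Word before scanning, then set the template aside) written as a pre-scan guard. This is an added example, not part of the original thread: the process name `Microsoft Word`, the quarantine directory and all function names are assumptions, and the template path is supplied by the caller.

```shell
#!/bin/sh
# Added example: pre-scan guard for a Word macro-virus cleanup.
# Assumption: the Word process shows up as "Microsoft Word" in a process
# listing saved to a file, e.g.  ps -axo comm > /tmp/ps.txt

# word_running LISTING -> 0 if Word appears in the saved process listing
word_running() {
    grep -q "Microsoft Word" "$1"
}

# quarantine_template TEMPLATE QDIR -> move the template aside (not deleted,
# so it can still be scanned or inspected later)
quarantine_template() {
    tpl=$1; qdir=$2
    [ -f "$tpl" ] || return 0            # nothing to set aside
    mkdir -p "$qdir" || return 1
    mv "$tpl" "$qdir/Normal.$(date +%Y%m%d%H%M%S).quarantined"
}

# pre_scan_check LISTING TEMPLATE QDIR
# returns 1 (and touches nothing) while Word is running, 0 once it is safe
# to start the on-disk scan
pre_scan_check() {
    if word_running "$1"; then
        echo "BLOCKED: Word is running; quit it before scanning"
        return 1
    fi
    quarantine_template "$2" "$3" || { echo "ERROR: quarantine failed"; return 2; }
    echo "OK: Word not running, template set aside; run the scan now"
}

# snapshot_template TEMPLATE BASELINE -> record checksum of a clean template
snapshot_template() {
    cksum < "$1" > "$2"
}

# template_changed TEMPLATE BASELINE -> 0 if the template no longer matches
# the baseline (legitimate style edits also change it, so treat a hit as a
# prompt to rescan, not as proof of infection)
template_changed() {
    [ "$(cksum < "$1")" != "$(cat "$2")" ]
}
```
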
As for Mr. Me - you gotta lighten up dude. "What's really going on"? As though there is some conspiracy to mislead here (rather than you simply not understanding my post)?
Anyway, I asked for help, and you guys helped me resolve this - thanks much everyone!
Fish
Originally posted by fishdoc
Thanks Kickaha - that was EXACTLY what happened - I left Word running during the virus scan, so the removal was incomplete (although of course Virex did not know that).
As for Mr. Me - you gotta lighten up dude. "What's really going on"? As though there is some conspiracy to mislead here (rather than you simply not understanding my post)?
Anyway, I asked for help, and you guys helped me resolve this - thanks much everyone!
Fish
In the post that seemed to get so many goats, I said that you were not telling us everything. You have now admitted that you performed your virus scans while the offending application was still running. That the infected file was in RAM rather than on the hard disk would seem to explain why the seemingly impossible was happening. Thank you for finally coming clean.
Here, have a cookie for your *fantastic* prognostication and sheer genius. Wow, you really were ahead of the game, and man, you sure pegged fishdoc as being this evil conniving seeeeecretive bastard for not being 'willing' to divulge everything.
Brother.
Question answered, thread has run its course, and Mr. Me needs one less place to rant.
Locking.