Hi all
This is my first post and I am looking for some help ???
I previously used AntiVir and it detected a W32/Francette-I worm in C:\WIndows\system32\lol/dll. Access to the infected file is denied.
In an attempt to get rid of it I downloaded Avast 4 Home Edition and registered it. However, Avast 4 does not report this infection.
I would really appreciate some suggestions about how to get rid of this Francette worm.
Thanks in anticipation.
Robbieroy (yes from Scotland!)
General Virus Removal Help courtesy of whocares.
What WIN do you have? Are all ServicePacks and Windowsupdates applied?
Have you managed to repair/reinstall avast, so that the resident protection is working again?
→ test with harmless testfile EICAR.COM from www.eicar.com
What were the exact names avast gives the trojans?
Sometimes it’s enough to
- clear all TEMP-folders (via drive CleanUp AND best also manually)
- empty Temporary Internet Files folder(s) (via IE->Tools > Options > General - Temporary Internet files ->Delete files, including OFFLINE files) and
- empty java-Cache or
- disable system restore on Win ME/XP INCLUDING a REBOOT!! ( http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm )
to get rid of it…
Test the file with OnlineScanners e.g. from Trend, RAV & KAV (see below) to get a more specific name (you need to temporarily pause AV-Resident Shield/Monitor/Guard to be able to scan the file online)
(If they all don’t show it as infected, please send it in a password-protected zip-file to
virus (at) asw (dot) cz
Include the Zip-password and a link to this posting in the mailtext)
spybot, ad-aware and cwshredder might also help
see www.lurkhere.com ->nicefiles and www.lavasoft.de
- remove the Virus/Malware and its system modifications according to VirusInfos
from Avast, VGREP, TrendMicro, Kaspersky, AV-Boot-Disks;
you might also try searching for the virus name or filename with google
General removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware’s startup entries in the registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot
If you still can’t remove it, you could post a logfile of Hijackthis here:
http://hjt.klaffke.de/en & read this first: http://www.spywareinfo.com/~merijn/htlogtutorial.html
- Secure your system:
Change passwords, secure shares, install patches/updates for WIN&IE;
disable ActiveX and Scripting in IE except for known secure sites - and better use a secure browser like Opera or Mozilla
- Scan your whole system with updated avast and maybe a 2nd scanner, e.g. TrendMicro/RAV, to check whether your PC is clean
- If needed, reenable system restore on Win ME/XP
HTH David
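An added example, not part of the original posts: one way to carry out the "search for the file/process names in the registry" step against a HijackThis log. It assumes the log's usual `O4 - HKLM\..\Run: [name] command` layout for autostart entries; the sample log and the file name `example_suspect.dll` are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of HijackThis log lines (not taken from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example_suspect.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [updater] rundll32.exe C:\WINDOWS\system32\example_suspect.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunServices: [helper] C:\WINDOWS\system32\helper.exe
"""

# Assumed layout of a registry autostart line: O4 - HIVE\..\Key: [value name] command
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

def parse_startup_entries(log_text):
    """Return one dict per registry autostart (O4) line found in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key,
                            "name": name, "command": command})
    return entries

def entries_referencing(entries, reported_files):
    """Return (entry, matched names) for commands mentioning a reported file.
    Windows paths are case-insensitive, so everything is compared lowercased."""
    wanted = [f.lower() for f in reported_files]
    hits = []
    for entry in entries:
        cmd = entry["command"].lower()
        matched = [f for f in wanted if f in cmd]
        if matched:
            hits.append((entry, matched))
    return hits

def registry_path(entry):
    """Expand the log's abbreviated '..' into the full key path plus value name."""
    return r"{}\Software\Microsoft\Windows\CurrentVersion\{}\{}".format(
        entry["hive"], entry["key"], entry["name"])

if __name__ == "__main__":
    found = parse_startup_entries(SAMPLE_LOG)
    for entry, names in entries_referencing(found, ["example_suspect.dll"]):
        print("Check in regedit:", registry_path(entry), "->", entry["command"])
```

Only `O4` registry lines are parsed here; other sections of the log (such as the `O2` line in the sample) still need to be reviewed by hand.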
Hi there,
First, sorry for my poor English.
My system is infected by the Francette worm.
I can't download patches from Microsoft - the system is too unstable after the infection.
The virus tries to connect to the address bots2.m0n4x.pp.ru
Is there any removal tool to kill this worm/virus?
Run a boottime scan and see if the problem is solved.
Unfortunately the boot-time scan does not work at all; I mean the scanner removes some but not all infected files
(because 2-5 min after system logon avast alerts me again).
I'm not so experienced with XP (NT/2k) systems… so I don't know which processes/services are suspected to be infected.
On Win9x/ME I use a Linux rescue CD to boot my computer, then manually remove the infected files - and all system files possibly infected - and replace these files from the Windows install CD - but this does not work on XP/2k.
small wonder:
this worm will reinfect you as soon as you connect to the inet, if your Windows is not patched…!!
- reread the above topic and give us some more infos
- enable XP’s built-in firewall
- get the patches (possible from a different PC) and install them in SAFEMODE (F8-Boot)
→ for Download-locations look e.g. here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.francette.worm.html
- clean your PC with avast in SafeMode or via Boot-time scan or according to the instructions in above Symantec-Link or via the red links here:
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Francette&product=1
- reboot, do a full scan with avast and post a hijackthis-Log