The Mudcat Cafe



Tech: virus: Downloader.Dluca.E ????








Subject: Tech: virus: Downloader.Dluca.E ????
From: Art Thieme
Date: 18 Apr 04 - 10:28 PM

Friends,

When I go to Outlook Express, it does come up and my e-mail loads properly.---- BUT THEN a Norton pop-up jumps onto the screen saying they have detected viruses on my computer and it/they are a virus called:

Downloader.Dluca.E

Has anyone heard of this?

I did several full scans with Norton and 25 viruses were found. It fixed 24 of those. But the 25th one it couldn't touch/fix/delete or quarantine. Son Chris has gone through several steps with me from afar, but it seems he will need to come here to deal with it in person.


I'm wondering what this is and what I might expect?? I have stopped sending any e-mails as I fear spreading it around.

SO, Mudcatters be advised: If you sent me e-mail recently, I will most likely not be answering it real soon.

Art Thieme



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Q (Frank Staplin)
Date: 18 Apr 04 - 11:17 PM

On Google, it is listed as Trojan Downloader.Win32.Diluca.e. Symantec says it creates a shortcut on your Windows desktop and sends information to a specific website. It affects all the windows except the antique.
There are downloads that are supposed to remove it, but I know nothing about them- they may just have a replacement- he, he, he!

We need JohninKansas or other good buddy to comment.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 18 Apr 04 - 11:20 PM

This is evidently a new one, since Norton says they just added the signature yesterday (04/17).

Since the virus definition is new, the cure might not be on your machine yet. You may get some additional help by running the online (it's free) Symantec Security Check.

Your AV may have picked it up via "it looks suspicious" clues, but not know what to do about it. The onsite check direct from Norton may include a proper quarantine, if not a removal. Norton doesn't normally send autoupdates more than once a week, so you might not get the "official" cure for this one via normal update for a few days - if they don't think it's a severe threat.

I haven't found a description/details yet - but you're "at the breakin' edge of the new stuff" from what I've seen so far.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Stilly River Sage
Date: 18 Apr 04 - 11:29 PM

John found the same definition I did so I won't repeat it. The only other thing I found appeared to be in Italian and I don't know what it was about so I won't bother to post it. ;-)

SRS



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Q (Frank Staplin)
Date: 18 Apr 04 - 11:36 PM

Symantec has been very busy lately, with updates very frequently.
A couple of weeks ago, on the weekly complete run through, they found and quarantined four items with Trojan viruses. The following week they were removed.

I think I may have caught this new Dluca virus from a newspaper. I downloaded an editorial cartoon, and an icon for it popped up on my desktop, without any help from me. If nothing is caught at the next complete scan, I will ask Symantec about it and complain to the paper (Calgary Herald).



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 18 Apr 04 - 11:39 PM

Stilly - you must'a used Google like I did.

More out of curiosity than need, I decided to let the Norton thing check me out. Unfortunately, it appears that it tried to "probe" me, and SWMBO's Norton Firewall detected it, so it has shut off all communication with the "suspect site" for the next 30 minutes. Norton is still thrashing away at "loading" the controls for the scan, but probably won't get anything through for a while.

I think I'll go take a nap.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Mark Clark
Date: 19 Apr 04 - 12:31 AM

Here are links that I think relate to the problem. I've been seeing this pop up as well, but my AVG from Grisoft always catches it. AVG removes pup.exe and maybe will get everything if I let my system become completely infected. Still, it looks like there are files that can be hunted down and removed manually.

      - Mark



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 19 Apr 04 - 01:54 AM

Norton instructions for removal of Dluca worms thru .D may be found at Downloader.Dluca.D. Instructions specific to the new .E apparently haven't been posted yet, but the instructions are the same for all previous versions. As noted above, the .E variety was just added to the signature files yesterday, so it may take a day or two to update the descriptions. The "basic" worm has been around since at least October 2003.

This particular worm is classified as a "low threat," and doesn't appear to do much damage - except for sending stuff from your machine to "somebody."

Complete removal requires a regedit. The required edit is pretty simple, and specific names of keys to be deleted are given. Print a copy of the instructions before you start the edit, so you'll have them in front of you.

There are links on the Norton page that you can use to find instructions for backing up the registry before you try to edit it, and for how to turn off the system restore for Windows versions that use it. Print them so you'll have the script offline.

The steps needed are:

1. Safe Boot if you're using an older Win version, or Ctl-Alt-Del and on the "Processes Tab" of Task Manager, click on the file DLuxjp.exe and "end process."

2. Update your AV signature files, and run a "scan all files." If the AV finds anything "infected with DLuca.x" (any version .a thru .e) tell it to delete the file.

3. Edit the registry (get and PRINT instructions):

Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:
"DLuxjp" = "C:\Program Files\Dialers\Dluxjp\Dluxjp.exe /noconnect"

Delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DLuxjp

Delete the key:
HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp

Exit the Registry Editor.
(And don't forget to "save changes" when you exit regedit.)

I'd recommend going to the Norton page and making sure you have all the instructions, but if you can follow a recipe well enough to make sliced SPAM sandwiches, you should be able to get this done. If you're not comfortable with it, then get help, of course.

Note that the .e variant might have slightly different "filenames" in the registry keys, but they're likely to be close enough that you won't have trouble recognizing them. You should be able to tell what's suspicious, and with a current backup you can instantly "undo" any changes you make.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: reggie miles
Date: 19 Apr 04 - 02:53 AM

Okay, but what about this one (Trojan Downloader Keenval.K)?

I've looked at the Symantec site and at Grisoft (AVG) and even at McAfee but not one of them has a stitch of info about it. Well, I'm about to check back just now but thought I check here first, and here you folks are talking about Trojans. So, I thought I'd throw this one into the mix to see what you might dig up.

I thought I was protected from this sort of nonsense. Does this mean I'm not?



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 19 Apr 04 - 03:08 AM

reggie -

If you know you've got it, then your AV worked - at least part way. (Unless you have some other reason to think you need to worry.)

If your AV tagged a file as containing a nasty of some kind, it should have offered to repair, quarantine or delete it. If it's been shut off by letting the AV do whichever it recommends, then you shouldn't have a lot to worry about, although there may - sometimes - be some "clean up" to do.

I haven't seen this particular name, but if it's a variant of the Trojan Downloader it's probably pretty similar to the other one. If you're about to go check again, you can probably find anything I would. Be aware that many of the known malfile stuff goes by multiple names, and different AV groups refer to them differently. Yours may be just an "alias" for one better known by another name. If you don't get anything with the "full name" try fragments - i.e. just "Downloader" and or "Keenval." If you know the "name" of the file in which it was detected, or the layout (subject line, from, to, etc.) of an email in which it might have arrived, you might try searching fragments from them too. The shorter the "name" you put in, the more "hits" you're likely to get - but also the more "near misses."

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: mack/misophist
Date: 19 Apr 04 - 11:09 AM

Linux anyone?



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Franziska
Date: 20 Apr 04 - 02:39 PM

How do you get rid of this damn thing? Does it harm my computer? If so, how? How did I catch it? I only recently installed the new Norton AntiVirus program, the 2004 edition...

It would be nice if you could give me an answer.

Many thanks

Franziska



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Talon
Date: 20 Apr 04 - 02:52 PM

I think I may have figured out the new one. In the registry I found directions from Symantec to erase the old dluca. I think the new one is named "wdwctrl". If this is a crucial program that I need and deleted by accident I guess I will find out, but Norton said wdwctrl was corrupted.
The instructions for the old one were pretty accurate in the registry but it took a little bit of searching for the last one, just look for wdwctrl, I think.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Mark Clark
Date: 20 Apr 04 - 02:55 PM

We have many posts here with useful recommendations for removing bad programs from your computer and keeping it clean. Run a few searches here and you will find them.

      - Mark



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 20 Apr 04 - 02:59 PM

Anyone know about that wdwctrl? It seems that I have fewer suspect files. I am scanning right now.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 20 Apr 04 - 03:04 PM

Crap, it came back. I think that is it, though. I am going to try and find out if it is located anywhere else.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Art Thieme
Date: 20 Apr 04 - 04:17 PM

Whatever I've got seems to have turned off my Norton Auto scan and also my e-mail scan. When I click on "ENABLE" nothing seems to happen. I'm about to get fed up and dump this thing out the window



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,gdloynd@cox.net
Date: 20 Apr 04 - 05:47 PM

Do you have any info on how I can remove this virus? My Norton will not delete or quarantine it? Thanks. Greg



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Art Thieme
Date: 20 Apr 04 - 06:09 PM

Mine won't either



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 20 Apr 04 - 07:32 PM

There is no record of earlier variants of this virus doing anything to block Norton, although there are several others that have been around recently that do try to disable Norton or any other AV on the machine. It is possible, if this one got "launched" on your machine, that you have more than one virus.

If you are using WinME, Win2K, or WinXP, all of which include "automatic backup and restore" services, it is essential that you TURN OFF SYSTEM RESTORE, before you try to clean up this one. (System restore is the WinXP, and I believe WinME, version. It's called something a little different in Win2K.)

Since this virus makes changes to the registry that you must manually remove, System Restore will detect that the registry has changed the next time you reboot. It will try to restore any differences between what you have at boot to the "last known good" copy it made of the registry. (It will add back in, any keys that were in the backup that aren't in your "new" registry.) If the virus was already written when the system restore backup copy was made, it will reinstall the virus the next time you start the machine.

When you turn off System Restore, it deletes all backup copies of the registry that it can use to put the virus back. Even when (not if) you turn system restore back on after you get cleaned up, it cannot use the registry backup that you should make manually before you do your changes to the registry. You should make the manual backup, since if you really, really, really, screw up during your edit, it may be useful to restore, even if it means putting the virus back in order to get to a fresh start; but you do NOT want Windows to be able to do a restore automatically.

Step 1: Go to Norton's site (or your AV provider) and find "your virus."

Step 2: Print a PAPER COPY of the COMPLETE instructions for removal.

Step 3: While you're at the site, READ the instructions and follow any links to supplemental instructions you may need. PRINT a PAPER COPY of any of these.

Step 4: Follow ALL of the instructions. You should MARK each step with a "check mark" when you are ready to start that step. When you have completed that step, put a "slash" (\) through the stem of the check mark to turn it into an "X."

For this virus, and in general for anything that requires registry changes, the "generic procedure" is:

1. Turn OFF System Restore.

2. Terminate the "running instance" of the virus. For early versions of Windows, this means boot to Safe Mode (which doesn't execute the Start/Startup files). For WinXP, Ctl-Alt-Delete to bring up File Manager, Click the "Processes" tab, find the one you want, and "End Process." (Once you have done this step, you must not reboot until you've finished the cleanup.)

3. Repair (if necessary), and UPDATE TO THE LATEST AVAILABLE, your AV program and its signature files. If your program is "broken" and you can't repair immediately, use one of the online free Virus System Scan sites.

4. Do a complete system scan, and repair any problems found by the AV.

Norton classifies this one as "Removal: Easy," and it should be if you follow the script exactly as it's given.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 20 Apr 04 - 07:41 PM

Side note: The "Translate" button converted the Franziska/Mark Clark exchange well enough to let me see approximately what was discussed, but WHY did it "translate" my last post??????

OK - we are talking "computer" but I hoped it was in English....

OUCH.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,niceinmiami
Date: 21 Apr 04 - 01:34 AM

Went to Norton website but they don't have this virus on database yet, they have the earlier version downloader.dluca.d. Is this the same or do we need to wait for Norton to place on its list?



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 21 Apr 04 - 03:55 AM

niceinmiami -

If your definitions are current, Norton should catch this one based on its "generic looks like another virus" routines. It may or may not adequately quarantine, and probably can't do a complete removal due to changes in the "randomly generated" file names used by the virus.

So far as they've told us, you should be able to remove it using the instructions for the .d version, although you may find slightly different "calls" (filenames) in some of the registry keys.

The "payload" in this worm opens your machine to send information about you to an as yet unidentified site. You make the call on whether you feel safe waiting, or want to try to kill it and clean it out now. It's unlikely the instructions will change, other than a better description of one or two specific file names, and you should be able to figure them out - or find someone who can help you do it.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 21 Apr 04 - 05:26 PM

I also have this Downloader.Dluca.E. My Norton Anti Virus will not delete this and I do not know what else to do. Can anyone assist with this issue?



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 21 Apr 04 - 06:08 PM

GUEST:

At the top of this thread, at "18 Apr 04 - 11:20 PM" you'll find a link "Norton." Click that one and you'll find that Norton added signatures to their Norton AV files on April 17. If you haven't updated since then, you don't have the signature to allow Norton AV to identify the ".e" variant, but it will probably identify that a "Downloader" virus is infecting some files. It should offer to "fix, quarantine, or delete" each of these files.

Unfortunately, complete removal requires a registry edit, since this worm uses variations in the file names it puts on your machine. Until all likely variations are identified, a complete removal utility can't be written (by anybody).

You, being a little smarter than your computer, should be able to use the procedure given in the link at 19 Apr 04 - 01:54 AM to remove the .e variant, since you can tell that "anything" in the registry keys that the procedure tells you to look at is either a.) something you recognize - that probably should be there, or b.) is probably the .e virus.

It is unlikely that any of the AV suppliers are going to be in a rush to make a "one button" removal tool for this one. This, and all earlier variants of this worm have been classified as "minimally destructive," "found on few machines," "unlikely to propagate rapidly," and "easy to remove." They are likely to conclude that the removal instructions already posted for the .d variant are sufficient.

Once you have the updated signature file that identifies this thing by its specific variant, it is likely that Norton (or any other AV) will be able to prevent it from infecting you again, but just updating now (if it's already on your machine) will probably NOT give you a clean removal, since any quarantine or file deletions your AV may already have done will prevent your AV from finding "all the pieces."

Use the procedure for removal of Downloader.Dluca.D, but make allowance for the possibility that a couple of the filenames that you find in the registry may be different than shown. The Norton procedure gives you the specific keys you need to look at, so it should not be difficult to decide whether you've found the virus or if you're looking at something that's normal for your system.

John
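
An added example, not part of the original posts and not Norton's procedure: a Python script that reads the text of a registry backup exported from regedit and lists the Run values and keys named in this thread (DLuxjp, plus the wdwctrl name posters reported for the .e variant), and marks any other Run value not on a caller-supplied known-good list for manual review. The sample export, the value names ccApp, WinCtl, Updater and Blob, and all function names are constructed for illustration.

```python
import re

# Names taken from this thread: "dluxjp" from the Dluca.D procedure quoted above,
# "wdwctrl" from posters describing the .E variant. Extend as variants are named.
INDICATOR_NAMES = ("dluxjp", "wdwctrl")

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Keys the quoted procedure says to delete if present.
KEYS_TO_DELETE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DLuxjp",
    r"HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp",
)

# A value line is  "Name"=data  or  @=data  (the key's default value).
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Pass decoded text: regedit writes "Version 5.00" exports as UTF-16,
    so open the file with encoding="utf-16".
    """
    # hex: values wrap across lines with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):  # "[-KEY]" is a delete directive, not data
                current = None
                continue
            current = keys.setdefault(path, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            current[name] = data  # dword:/hex: data is kept in its raw form
    return keys


def audit(text, known_good_run=()):
    """Return (severity, key_path, value_name) findings in file order.

    "match"  : a key or Run value carrying one of the thread's names.
    "review" : a Run value that is neither a match nor on the known-good list,
               i.e. the "do I recognize this?" check for renamed variants.
    value_name is "" when the finding is a whole key.
    """
    allow = {n.lower() for n in known_good_run}
    delete_keys = {k.lower() for k in KEYS_TO_DELETE}
    findings = []
    for path, values in parse_reg(text).items():
        low = path.lower()
        leaf = low.rsplit("\\", 1)[-1]
        if low in delete_keys or any(i in leaf for i in INDICATOR_NAMES):
            findings.append(("match", path, ""))
        if low == RUN_KEY.lower():
            for name, data in values.items():
                blob = (name + " " + data).lower()
                if any(i in blob for i in INDICATOR_NAMES):
                    findings.append(("match", path, name))
                elif name.lower() not in allow:
                    findings.append(("review", path, name))
    return findings


# Constructed sample export (not captured from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"DLuxjp"="C:\\Program Files\\Dialers\\Dluxjp\\Dluxjp.exe /noconnect"
"WinCtl"="C:\\WINDOWS\\system32\\wdwctrl.exe"
"Updater"="C:\\Tools\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DLuxjp]
"DisplayName"="DLuxjp"
"Blob"=hex:01,00,\
  00,00

[HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp]
'''

if __name__ == "__main__":
    for severity, key, value in audit(SAMPLE_EXPORT, known_good_run=("ccApp",)):
        print(f"{severity:6}  {key}  {value or '(whole key)'}")
```

Because it works on an exported copy, the script changes nothing on the machine; the "review" entries are the ones to check by hand against the printed removal instructions.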



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Art Thieme
Date: 22 Apr 04 - 12:45 AM

John, I do appreciate your input.

And I say that to you all with real respect and awe.-- I'm forwarding this entire thread to my son who has the chops to know what you are talking about. Unfortunately I don't. Sad, but true.

Art



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 22 Apr 04 - 08:19 PM

Art -

I don't think your son will have a problem with it.

It did sort of offend me when the babble translator thought my posts weren't already in English and "translated" them, so maybe you're right on the leading edge there too, talkin' like a computer.

I am surprised at the number of people who've said they got this one, since all the "pro" sources say it isn't getting around much. Have you guys all been sneaking off together and doing things you don't want us to know about?????

It is fairly likely, although not necessary, that those who got it all have someone, or something, in common. It could be as simple as all being in the same (infected) person's address book, or all visiting the same infected site within some (probably short) time span. Curious info, but hard to pin down.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 23 Apr 04 - 12:36 AM

Hi I was having the same problem with my computer and read this screen earlier, I knew I couldn't follow all the info so I ran spybot s&d advanced mode and it's been over two hours and my norton screen has not come back on! Before it came on every 2 minutes, haven't tested it for a whole day yet but it seems to be working. P.S. I disabled my norton first before using spybot. Hope this helps everyone!



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 23 Apr 04 - 01:55 AM

Hey it's me again, well it's been over 3 hours and I still have not had any of the Norton warnings that say I have the Downloader Dluca. E virus show up again hopefully this is working. Oh yeah after I ran the Spybot S&D advanced mode, I did turn on my Norton anti virus again. I am putting my computer on standby, and will give you all an update in the morning. As of now I'm A OK! hwshockeymom@aol.com



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 23 Apr 04 - 09:49 AM



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST
Date: 23 Apr 04 - 01:13 PM

Well hello again, I wrote last night about using the Spybot Search and Destroy advanced mode. It's been over 14 hours since I used Spybot and I have not had one single pop up about the Norton or Downloader Dluca E virus. This seems to have worked and it was very simple to do. Just disable your norton first, download Spybot, bring it up on your screen and start it. When it's done hit fix, and enable your norton again.

Rosemary



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Jeff in Wyoming
Date: 23 Apr 04 - 03:38 PM

Yup, I got it too! (on 21 April) Symantec caught it, couldn't clean it and quarantined the file (wdwctrl.exe). Thought all was good until...things started happening. On opening OE I would get the message "Messenger has encountered a problem and must close". Since I wasn't even running Messenger I thought this was a little strange. OE would, eventually, open and work but was extremely slow. Then the Accessories submenu (Start - All Programs - Accessories) would take a couple of minutes to appear when accessed and when it did, of course, System Restore would not work (probably due to the quarantine). Additionally, I couldn't open any "User Accounts" without rebooting and opening them from startup. Internet Explorer and all programs would work, eventually, but not as they were supposed to.

Tried the fix for Dluca.D and couldn't find the process to stop or files that they suggested to remove.

Tried reloading OE and Messenger with no help! Also tried reloading a Norton Ghost version from January and ran into trouble - machine crashed. Cured the problems with an atom bomb - reformatted hard drive and reloaded windows. A drastic solution but at least I KNOW I'm clean.

Good luck and if they ever find the guys that do this stuff, let me know - I'll bring the rope!!!!!!!!



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Jeff in Wyoming
Date: 23 Apr 04 - 03:41 PM

Ooops, I forgot - I ran Spybot and Adaware. Spybot found nothing but Adaware found 9 "dialers". Fixed them but still had the problem.

Good luck, again.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 23 Apr 04 - 03:50 PM

I do not get a warm feeling from the testimonials that Spybot has "cured" Downloader DLuca.e virus infection.

Spybot is an excellent program, and I do use it. It is NOT an AntiVirus program. It removes adware and spyware, but is not intended to deal with virus infections. Downloader DLuca.e is a virus, and should be dealt with as such.

Since the "payload" in this virus is spyware, it is possible that it is disabled by Spybot, by removing the "reporting" program; but I am reluctant to believe that Spybot has removed the "viral" components without some confirmation that it is equipped to do so.

If you are using any version of Windows later than Win98, System Restore makes backups of the registry. If a backup was made while the virus was present on your machine, then you can be reinfected if the system decides to restore to that copy. NO PROGRAM can make changes to the "stored copies" held in system restore, which is why the procedure for removing this (and most) virus infections includes "dumping" the stored copies. Spybot CANNOT do this. Norton CANNOT do this. YOU must do it by turning off System Restore, and leaving it off until the virus is confirmed to have been cleared.

If your viral signatures were updated anytime after about October 2003, your Norton should have had a signature for at least one or more of the Downloader DLuca variants, and would be able to quarantine or delete any individual file that contains the signature for the virus. This will normally prevent the virus from "executing" to install its other components on your machine, and would normally cause Norton to stop reporting this virus unless you are reinfected. The "payload" that this virus installs is, however, "just another program" once it's in place, and Norton won't remove it automatically, since the "program" is not a virus. That's why there's a procedure for removal, to allow you to get "the rest of it."

Since the "payload" here is spyware, it is likely that Spybot would remove the spyware, but it would quite likely be reinstalled unless the Norton removal worked first and removed the viral component. If Spybot is able to remove the viral part of this, then it is doing something not described in its specification.

Note that any time you change the configuration of your machine, including addition or deletion of any program, System Restore will compare the registry at boot to the "last good" copy, and may replace any "keys" that were in a "last known good" version that it doesn't find in your new version. There are some "rules" that System Restore follows for this, but it's hard to make any general predictions about when or whether it will happen. This could be why you were getting repeated Norton hits on the virus - because you were putting it back from System Restore every time you turned the machine on.

It is possible that, because of the spyware payload, Spybot has been equipped to remove the whole thing, but it is NOT its normal purpose to deal with virus infections.

Norton did detect the virus for you, and had you used the removal procedure recommended by Norton, the entire thing would have been removed.

You may have successfully cleaned your machine by using both, in sequence. You should still clear your System Restore cache, for any Windows later than Win98, if you want to be confident that you won't be reinfected from that source. Just turn off System Restore, reboot, and then turn System Restore back on. [In Windows Explorer, right click on "My Computer," select "Properties" and then click on the "System Restore" tab, uncheck or check the "Turn Off System Restore On All Drives" box.]

You could use the Norton procedure to look for the files the virus would have installed, and to look at the registry keys where it would have made entries, if you want to be sure you're clean.

If you are comfortable with believing that you have successfully removed this thing, then by all means "drive on." I would make a few other checks, if it were my machine.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 23 Apr 04 - 04:14 PM

Perhaps a side note -

I attempted to get to the Spybot site to see if they have added an AV capability with respect to this virus. I got far enough in to find that their site has been experiencing a DDoS attack for several days, and after about 4 "unable to reply due to traffic" link failures, I believe I'll wait a while to look further.

If the assholes don't like them - enough to try to shut them down this way - they must be the good guys.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,dianawk@bellsouth.net
Date: 23 Apr 04 - 04:43 PM

John, I have read all of the above information and think I am capable of following your instructions for removal of .E.
My problem is that now when I run virus scan (Norton), the virus isn't found in the system 32 folder as it did before. In fact, virus scan doesn't show any virus. I am not naive enough to believe the .e is gone. I just don't know how to find and eliminate it now. Any thoughts?
Diana



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,dianawk@bellsouth.net
Date: 23 Apr 04 - 04:53 PM

Also, the folder or file
C:windows\system32\wdwctrl.exe isn't in my folder registry anymore either.
Diana



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 23 Apr 04 - 05:01 PM

dianawk -

When Norton found it the first time, it probably quarantined or deleted the file that contained the signature. Since in either case it removed it from the System32 folder, it won't "find" it again.

If it was deleted, it's gone. If it was quarantined, you can look in Norton to see what files are in quarantine and delete them there.

Since Norton only removes the files that are "viral," there may still be other files that the virus carried as payload that need to be removed. You should get them if you follow the procedure that Norton gives for the .d variant, if you allow for minor differences in what you find in the couple of registry keys you need to clear. You should be able to recognize what needs to be removed, with the script they give you.

As stated, my "instructions" were just to summarize what needs to be done from a "logical process" standpoint. You should print the instructions from the Norton (or some other AV) site and follow them for your actual removal, since they include filenames to look for, and the specific keys that this virus adds in the registry. They also give details on when to delete a whole key, and when to delete only the "argument" for the key, that I omitted.

The only minor point about the Norton instructions is that their "how to turn off system restore" in WinXP tells you to click on "My Computer" in the "Start" button list. For some "view" choices, "My Computer" isn't on that list. Just open Windows Explorer, and right click it there.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,diana
Date: 23 Apr 04 - 05:15 PM

John, I went to Norton's and printed EVERYTHING I could find on the downloader.dluca.d (while I have the .e, this should be the same procedure). When Norton found the file originally, it said it was NOT quarantined or deleted. Just wondered why it didn't show in the latest scan, and you answered that. THANKS!
Diana



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: Art Thieme
Date: 24 Apr 04 - 02:50 PM

Last night Norton was able to find and quarantine the Bloodhound.Packed virus (or so it said).

Still have the Downloader though.

Onward...

Art



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Jody
Date: 25 Apr 04 - 05:21 PM

I'm a newbie at virus removal but followed thru on the instructions for "D" using the "wdwctrl" filename as the one to delete and it worked! You guys totally saved my sanity and $40 bucks to Norton. Plus my self-esteem has gone up tremendously. Thanks!



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 25 Apr 04 - 09:26 PM

Jody -

If you got one virus, you'll likely get another before long. You really do need an AV program on your machine, and you do need to keep it up to date at least weekly.

Although I prefer Norton to others I've tried, there are some that you can get free via download; but you also have to look at whether the "free" one you use keeps up to date with the "popular virus of the day."

If you want a "free AV," find a recommendation in one of the other threads here, or get one from someone who knows that a particular one works. The "popup" offers you see while you surf, that tell you "you may be infected" and offer to "protect you," quite often are loaded with viruses and/or spyware.

John



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,Jody
Date: 26 Apr 04 - 12:30 AM

Thanks for caring John! I do have Norton on my machine and live update and all that. I'm learning, though, that there are those things that slip their way right through the proverbial cyber gate. Sneaky viruses.



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: GUEST,rshank@rochongenova.com
Date: 05 May 04 - 09:43 PM

I just installed Norton 2004 and ran all the updates; I am infected with downloader.Dluca.E.

Muchos irritated that after $100 they don't have the .e variant fix.
will try the .d variant fix as suggested.

As a newbie, how do I turn off Norton to run Spybot and Spyware Blaster?
I also have wdwctrl.exe (I understand they are one and the same?) and vidcompat.exe
Norton did not nail ANY of these- very disappointing.

I could really use your help re search.exe- it is doing the passthrough index thing, driving me crazy, keeps hijacking my home page etc. tried going onto site, doing uninstall; reappears like a dandelion.

Please be gentle, assume my skills are at the moron level if you don't mind...

Any help would be deeply appreciated. Spent an hour on the phone with Dell, no help whatsoever, so much for spending $ on service!

Thanks again

r



Subject: RE: Tech: virus: Downloader.Dluca.E ????
From: JohnInKansas
Date: 05 May 04 - 11:59 PM

rshank -

If you're running anything later than Win98, you MUST follow the instructions at Norton with respect to turning off System Restore. If a backup has been made since you got this virus, any change you make to the system will cause system restore to put back any registry keys that are in the backup and not in the current system. Since this virus puts Registry keys in place to "re-run" itself, every time you boot it gets put back, if you don't dump the infected Registry backups.

It is unlikely that Norton, or any other AV maker, will produce a "turnkey" removal specifically for this .e variant, since the instructions are there for the .d, they work for the .e, the virus is classed as a "low threat" and as a "removal simple" thing. There are too many destructive things out there for them to worry too much about this one. Inconvenient as it may be, it doesn't (apparently) destroy any data, although it does open your machine to the possibility that someone could get in to look at your stuff.

Print the instructions.
Follow ALL the instructions ONE STEP AT A TIME.

I would recommend that you complete the Norton virus removal instructions BEFORE you run the Spyware removal programs, since deleting files that came with the virus will make it harder to follow the virus removal instructions.

The two files you named are "payload" files for the virus, but in themselves do not contain a "virus," which is why Norton won't remove them. As far as AV software is concerned they're just a program that runs on your machine.

You should have a "Norton Icon" in the system tray at the bottom right of your screen. The icons are small, but if you hover your mouse pointer over them, the name should pop up. If you double click on the Norton icon there, it will open the Norton control screen. You should see "Autoprotect Enabled." Change that to "disabled" and Norton shouldn't interfere with your other programs.

If you just installed a new AV and it found any virus on your machine, it's quite likely that you had more than one thing there. While your new Norton may have disabled the viral parts of them all, you may have "leftovers" like the wdwctrl.exe and vidcompat.exe from DLuca. Unlike these two, which actually run and potentially do something (spy on you) most such remnants are relatively harmless. If you can get DLuca off, it would be well to watch for "unexpected events" at least for a few days. A common symptom is a popup that says "file not found" at restart, since your AV will remove the virus but usually will not remove the .dll that it puts in Startup to reload itself.

John
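Added example, not part of any post in this thread: a small Python check for the two kinds of startup leftovers described above, run over a text export of a Run key. It flags entries that launch the payload files named in the thread and entries whose target file no longer exists (the source of the "file not found" popup). The Run key path and the sample export are assumptions constructed for illustration; the thread does not list the keys this virus writes.

```python
import ntpath
import os
import re

# Payload file names reported in this thread.
THREAD_PAYLOADS = {"wdwctrl.exe", "vidcompat.exe"}

# Constructed sample of a Run-key export; the value names are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"WinCtl"="C:\\WINDOWS\\system32\\wdwctrl.exe"
"OldHelper"="C:\\WINDOWS\\system32\\oldhelper.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
TARGET_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

def unescape(text):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', text)

def parse_run_values(export_text):
    """Return {value name: command line} for each string value in the export."""
    values = {}
    for line in export_text.splitlines():
        match = VALUE_RE.match(line.strip())
        if match:
            values[unescape(match.group(1))] = unescape(match.group(2))
    return values

def target_of(command):
    """Program path of a command line (unquoted paths are cut at the first space)."""
    match = TARGET_RE.match(command)
    return (match.group(1) or match.group(2)) if match else ""

def audit(export_text, exists=os.path.exists):
    """List (value name, target, reason) for entries that deserve a closer look."""
    findings = []
    for name, command in parse_run_values(export_text).items():
        target = target_of(command)
        if ntpath.basename(target).lower() in THREAD_PAYLOADS:
            findings.append((name, target, "payload named in thread"))
        elif not exists(target):
            findings.append((name, target, "target missing (orphaned entry)"))
    return findings
```

Registry exports in the "Version 5.00" format are saved as UTF-16, so decode the file to text before passing it to `audit`, and run the check on the affected machine so the default file-existence test is meaningful.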



All original material is copyright © 2022 by the Mudcat Café Music Foundation. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.