Monday, March 10, 2008

McAfee 1

http://spreadsheets.google.com/pub?key=palAGj0J6LZb1NG6BIXvWIA

http://spreadsheets.google.com/pub?key=pp823Y_Awar4U4a3oNHo8Hg

Sunday, March 9, 2008

When running DMSetup.exe, get "An error 800c0019

1) Click Start >> All Programs >> Accessories >> Notepad
2) Select the Notepad program
( Windows Vista users need to right click on the Notepad program and choose Run as administrator )

3) Click on File and then Open
4) Now browse to C:\Windows\System32\Drivers\etc
5) Change the file filter drop down box to All Files (*.*)
6) Select "Hosts" and click Open
( You will see the line "127.0.0.1 localhost " on the Hosts file )
7) Delete all the entries after the line "127.0.0.1 localhost "
8) On the next line below "127.0.0.1 localhost", type the following address: "128.241.218.75 download.mcafee.com".

Please note: The address entry should look like

127.0.0.1 localhost
128.241.218.75 download.mcafee.com

9) Click on File and then Save.



OR>>

Click Start.
Click Run. (Vista users: click Search.)

Type %systemroot%
Open the system32 folder
Open drivers
Open etc
Right-click on the hosts file
Then select Open with
Select Notepad
Open it now
Remove all the entries related to McAfee


Also try this link :- http://service.mcafee.com/FAQDocument.aspx?id=107061&lc=1033&partner=McAfee&type=TS&ia=1
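A tampered hosts file is the usual reason the installer cannot reach download.mcafee.com, so it helps to see what the manual edit above actually does. The following Python script is an added example, not code from the original post or from McAfee: it parses a constructed hosts file, reports names that are sinkholed to 127.0.0.1 or 0.0.0.0 (which silently blocks update traffic) or pinned to some other address, and reproduces step 7 by keeping only the localhost line. The update.example-av.test entry is constructed; the download.mcafee.com line is the one the post itself adds in step 8.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed sample hosts file (not taken from any real machine). It holds the
# default localhost line, the download.mcafee.com override the post adds, and
# two hijack entries of the kind that produce "update failed" errors.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
128.241.218.75  download.mcafee.com
127.0.0.1       update.example-av.test   # constructed hijack entry
0.0.0.0         www.mcafee.com
"""


class HostEntry(NamedTuple):
    ip: str
    hostname: str
    lineno: int


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file text into (ip, hostname, line number) records.
    One line may map an address to several names; each name is one record."""
    entries: List[HostEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = body.split()
        if len(fields) < 2:
            continue                              # blank, comment or malformed
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:
            entries.append(HostEntry(fields[0], name.lower(), lineno))
    return entries


def classify(entries: List[HostEntry]) -> Dict[str, List[str]]:
    """Sort every non-localhost mapping into two buckets:
    'sinkholed' - name points at loopback or 0.0.0.0, so the host is unreachable
                  (this is how a tampered hosts file blocks vendor update servers);
    'override'  - name is pinned to some other address; legitimate in the post's
                  own step 8, but any such line deserves a look."""
    report: Dict[str, List[str]] = {"sinkholed": [], "override": []}
    for entry in entries:
        if entry.hostname == "localhost":
            continue
        addr = ipaddress.ip_address(entry.ip)
        bucket = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "override"
        report[bucket].append(entry.hostname)
    return report


def keep_only_localhost(text: str) -> str:
    """Return the file with every mapping except localhost removed and comment
    lines preserved: the post's step 7 done without hand-editing."""
    kept: List[str] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)                      # keep comments and blank lines
            continue
        fields = body.split()
        if len(fields) >= 2 and fields[1:] == ["localhost"]:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for entry in found:
        print(f"line {entry.lineno}: {entry.ip} -> {entry.hostname}")
    print(classify(found))
    print(keep_only_localhost(SAMPLE_HOSTS))
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into `parse_hosts` and review the `sinkholed` bucket first; anything there that is a security vendor's domain is the same symptom the post is fixing by hand.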

---------------------------------------------------------------------------------

unable to update the antivirus on Mobile device via GPRS.

I understand that you are unable to update the antivirus on the mobile device via GPRS. Am I correct?
I have an issue on Symbol MC70 device
we have around 150 MC70 devices across Asia Pac with the same issue
May I know when the issue started?
McAfee Virusscan Mobile version 1.2.0.0023
ever since we have installed antivirus
I can connect to GPRS and browse public web pages
but when I try to update antivirus it comes back with an error "update failed"
This may happen if there are any temporary issues with our download server or there is any incompatible software on the mobile device.
Do you have any other information that you think may help us to provide the correct resolution?
only other application we are running on the devices is Check Point Secure

I recommend that you perform the following steps:
1. Click Start on your phone.
2. Scroll down and click More.
3. Scroll down and click More.
4. Click McAfee VirusScan.
5. Click Menu.
6. Click Configure Options.
7. Choose the Updating Option you prefer and click Done.

After this, disable the "Check point secure VPN client" temporarily and then perform the following steps:
1. Click Start on your phone.
2. Scroll down and click More.
3. Scroll down and click More.
4. Click McAfee VirusScan.
5. Click Menu.
6. Click Update VirusScan.
7. Click Update.

Performing these steps should resolve the issue.
NOTE: The products must be registered with McAfee to be able to update regularly.

sorry i didn't understand this step...7. Choose the Updating Option you prefer and click Done.
May I know what options are listed after you select "Configure Options"?
our product is registered and i can update antivirus when connected via GPRS
sorry when connected via active sync
Okay. In this case, you can disable the "Check point secure VPN client" temporarily and then try to update the VirusScan mobile software.
under update options > i have none of the boxes checked with a tick
first > update without prompt 2. update at internet connection 3. update at restart
then schedule updates > interval : weekly
then status
Please select the "update at internet connection" option.
although i have already tried these options
Okay, we will try one more time. After selecting the "update at internet connection" option, click Done
Then disable the "Check point secure VPN client"
NOTE: This is temporarily. We can enable it again after the updates are
---------------------------------------------------------------------------------------------------------------------

Limewire Configuration

1. Start Limewire,

2. Then to “Tools” menu bar,

3. Then to “Options”,

4. Then to “Advanced” (on the left hand side),

5. Then under Advanced to “Firewall Configuration”

6. On the right hand side under “Router Configuration” you will see 3 button options

7. Choose the middle one called “Manual Port Forward”, don’t change the number, but record it for later

8. Then “Apply” and “OK”

Then exit Limewire

McAfee Security Center Configuration

1. Start “McAfee Security Center”

2. Then from the home page, click on “Internet and Network”

3. Then on the right hand side within the services protected box, click the arrow for “Configure”

4. Then select the “Firewall” portion, select the “On” button, then to “Advanced”

5. Then on the left hand side, select “System Services”

6. Then select the “Add” near the bottom of the right hand menu

7. Fill out the form as follows

Program name: lime

Program category: (leave blank)

The next 4 port fields all get the number you recorded from the Limewire Manual Port Forward

Description: (leave blank)

8. “OK” the menu

9. Close McAfee Security Center

http://portforward.com/english/routers/firewalling/McAfee/McAfeeSecurityCenter/LimewireIn.htm

http://www.limewire.org/wiki/index.php?title=User_Cant_Connect

http://forums.mcafeehelp.com/viewtopic.php?p=485268&sid=3f13a6cb04b07dd4c29296c705ae8964

------------------------------------------------

Outlook Express

1. Go into the Tools menu.

2. Choose Accounts.

3. Click the Mail tab.

You probably just have one item in the white area. If you have more than one, that indicates you have more than one email account, and in that case, you will need to go through the following steps for each account.

4. Highlight the account and click the Properties button.

5. Click Servers.

Make sure your outgoing server is correct. For example, it should be smtp.abc.com, or, if your e-mail address ends in something other than @abc.com, replace abc.com with whatever it ends with. For instance, coolcustomer@mcafee.net would need to put in smtp.mcafee.net.

6. Put a check-mark by My Server Requires Authentication at the bottom of the page, if it isn't already check-marked.

7. Click Settings.

8. Select Log on Using:

For the Account Name, type your entire email address.

For password, type in your email address password.

9. Click OK.

10. Click OK again.

11. Click Close. Try again and it should work.

Microsoft Outlook

1. Go into the Tools menu.

2. Choose Email Accounts.

Older versions of Outlook may have Accounts or Services. If that's what you have, your steps to follow will be more similar to Outlook Express above.

3. Click View or Change Existing Email Accounts and click Next.

You probably just have one item in the white area. If you have more than one, that indicates you have more than one email account, and in that case, you will need to go through the following steps for each account.

4. Highlight the account and click the Change button.

5. Make sure your outgoing server is correct. For example, it should be smtp.abc.com, or, if your e-mail address ends in something other than @abc.com, replace abc.com with whatever it ends with. For instance, coolcustomer@mcafee.net would need to put in smtp.mcafee.net.

6. Click More Settings.

7. Click Outgoing Server.

8. Check-mark My Server Requires Authentication.

9. Select Log on Using:

For the Account Name, type your full email address.

For password, type in your email address password.

10. Click OK.

11. Click Next.

12. Click Finish. Try again and it should work.

http://www.vcn.com/knowledgebase/article.php?id=434

------------------------------------------------------

Removing incompatible third party applications:

http://ts.mcafeehelp.com/displaydoc.asp?docid=419241&CategoryId=110155

------------------------------------------------

Removing Windows Defender:

To remove Windows Defender from Windows 2000 or Windows XP:

1. On the Start menu, point to All Programs, and then click Windows Defender.

2. Exit Windows Defender. (Click the arrow next to the help icon and point to Exit Windows Defender).

3. On the Start menu, click Control Panel, and then double-click Add or Remove Programs.

4. Click Windows Defender.

5. Click Remove, and then in the dialog box that follows, click Yes.

------------------------------------------------

Removing Norton Anti Virus:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

------------------------------------------------

Restarting the computer in Safe Mode:

http://ts.mcafeehelp.com/eSolution.asp?docID=68053

------------------------------------------------

Backing Up Registry:

http://tools.mcafeehelp.com/doc.php?siteid=1&docid=68037&support=ts

------------------------------------------------

Setting up Parental Control:

http://tools.mcafeehelp.com/doc.php?siteid=1&docid=405702&support=ts

------------------------------------------------

SuperDat:

http://ts.mcafeehelp.com/faq3.asp?docid=270

NOTE: The SuperDAT utility upgrades the VirusScan scanning engine and updates the DAT files at the same time.

------------------------------------------------

FAQs about McAfee's compatibility with Windows Vista:

http://us.mcafee.com/root/popup.asp?path=/common/en-us/popups/vista/faq.asp&close=true

------------------------------------------------

McAfee Forums:

http://ts.mcafeehelp.com/forumBridge/viewTopic.asp?t=112167#112167

-------------------------------------------------

Windows Vista screenshots:

tinyurl.com/yuqyxm

-------------------------------------------------

Missing Central.dll

http://download.mcafee.com/products/licensed/privacy_service/english/support_files/central.dll

-------------------------------------------------

The easiest way to remove SPAMfighter is to use the Add/Remove Programs tool in the Windows Control Panel.
It's always a good idea to deactivate your antivirus while uninstalling SPAMfighter.

Start Menu > Settings > Control Panel > Add/Remove Programs. Choose SPAMfighter and click Remove.


OR


Start Menu > Programs > SPAMfighter. Run "Installation" and choose "Remove"

If that fails, please try this:


* Download this file and save it on your computer.
* Close outlook
* Deactivate your antivirus product
* Run the program Remove.exe.
* Delete the files in: "C:\program files\spamfighter" Directory
* Reboot


Here is the link to the file discussed

http://www.spamfighter.com/download/unregister.exe

http://www.spamfighter.com/download/remove.exe

----------------------------------------------------------------

Check and delete the following files in C:\Windows\System32:

bsw.exe
helper.exe
hookdump.exe
intmon.exe
intmonp.exe
msmsgs.exe
msole32.exe
ole32vbs.exe
popuper.exe
shnlog.exe
uninstiu.exe
winhook.exe
winstall.exe
wp.exe
zloader3.exe
drsmartload45a45m.exe
drsmartload46a46m.exe
drsmartload849a849m.exe
drsmartload192a[1].exe
drsmartload45a7i.exe
drsmartload46a7i.exe
drsmartload849a7i.exe
drsmartload.exe
drsmartload45a7h.exe
drsmartload46a7h.exe
drsmartload849a7h.exe
drsmartload46a[1].exe
loader[1].exe
drsmartload45a[1].exe
drsmartload849a[1].exe
drsmartload849a8b5.exe
drsmartload45v.exe
drsmartload46v.exe
drsmartload849v.exe
drsmartload100a[1].exe
drsmartload45a.exe
drsmartload46a.exe
drsmartload849a.exe
drsmartload95a.exe
drsmartload1.exe
MTE3NDI6ODoxNg.exe
ntsystem.exe
cproc.exe
drsmartload44a[1].exe
MTE3NDI6ODoxNgnew.exe
MTE3NDI6ODoxNg[1].exe
drmv2clt.exe
drsmartload815a.exe
retadpu77.exe
arpl.exe
retadpu21.exe
wjiio.exe
retadpu[1].exe
retadpu[2].exe
retadpu.exe
retadpu1000106.exe




Find and Unregister DLL Files:

regsvr32 /u DLLName.dll


wldr.dll
param32.dll
hhk.dll
oleadm.dll
oleadm32.dll
dnr4019qe.dll
oybgrql.dll
atmtd.dll
winetn32.dll
ixt2.dll
tazth.dll
olnohdw.dll
ssqnool.dll
vtursro.dll
oembios32.dll



Find and Remove registry values:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsFZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmessenger
FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchBar=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchPage=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\LocalPage=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=[siteaddress]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\(Default)=[siteaddress]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetupdate
D5BC2651-6A61-4542-BF7D-84D42228772C entry.
f79fd28e-36ee-4989-aa61-9dd8e30a82fa
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\decorin
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\aea3d2df-2b2c-4d7b-81a0-d975c6dc088e
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\64ba30a2-811a-4597-b0af-d551128be340
5839511e-ec1b-4f91-ace3-fb88e52f5239
WMuse
ed39ecef-902e-4ed1-8434-71e8db89e5ca
aea3d2df-2b2c-4d7b-81a0-d975c6dc088e
64ba30a2-811a-4597-b0af-d551128be340
Microsoft\drsmartload2
19452E5B-963F-4886-766D-0526284B6F61
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\incestuously
03413bf7-e34c-445b-bfc0-a2b127255871
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\f31aee4a-1530-4fef-8537-79c6973bff9a
f31aee4a-1530-4fef-8537-79c6973bff9a
dfa61db1-388e-4c87-8d56-540fa229bcb4
SOFTWARE\Policies\06849E9F-C8D7-4D59-B87D-784B7D6BE0B3
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\5f938c17-fbc7-4a3c-8526-85e5b1a1f762
5f938c17-fbc7-4a3c-8526-85e5b1a1f762
27321538-5739-4aa1-b84c-7d18e4383f1f
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\instcat
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\b292ec9f-a074-4115-8342-1f459702d8d2
b292ec9f-a074-4115-8342-1f459702d8d2
FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F
MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\ssqnool
MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vtursro
0B9B7B2E-30E3-4C5D-AD2C-C38724979B4B
AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236



Find and Delete the following files in Start->Search:


bsw.exe
helper.exe
hookdump.exe
intmon.exe
intmonp.exe
msmsgs.exe
msole32.exe
ole32vbs.exe
popuper.exe
wldr.dll
param32.dll
hhk.dll
oleadm.dll
oleadm32.dll
shnlog.exe
uninstiu.exe
winhook.exe
winstall.exe
wp.exe
zloader3.exe
hp[X].tmp
perfcii.ini
sites.ini
wp.bmp
drsmartload45a45m.exe
drsmartload46a46m.exe
drsmartload849a849m.exe
drsmartload192a[1].exe
dnr4019qe.dll
drsmartload45a7i.exe
drsmartload46a7i.exe
drsmartload849a7i.exe
drsmartload.exe
drsmartload45a7h.exe
drsmartload46a7h.exe
drsmartload849a7h.exe
drsmartload46a[1].exe
loader[1].exe
drsmartload45a[1].exe
drsmartload849a[1].exe
drsmartload849a8b5.exe
oybgrql.dll
drsmartload45v.exe
drsmartload46v.exe
drsmartload849v.exe
drsmartload100a[1].exe
atmtd.dll._
atmtd.dll
drsmartload45a.exe
drsmartload46a.exe
drsmartload849a.exe
drsmartload95a.exe
drsmartload1.exe
MTE3NDI6ODoxNg.exe
drsmartload2.dat
gwiz
ntsystem.exe
cprocsvc
cproc.exe
winetn32.dll
ixt2.dll
tazth.dll
drsmartload44a[1].exe
MTE3NDI6ODoxNgnew.exe
MTE3NDI6ODoxNg[1].exe
drmv2clt.exe
drsmartload815a.exe
olnohdw.dll
runner1
retadpu77.exe
arpl.exe
ssqnool.dll
retadpu21.exe
vtursro.dll
wjiio.exe
retadpu[1].exe
retadpu[2].exe
retadpu.exe
retadpu1000106.exe
oembios32.dll

---------------------------------------------------------------------------------------------------

McAfee technical quarry-part 16

Virus - Vital Information Resources Under Seize

Most viruses try to execute either before or after the user logs in to the computer.

Viruses typically reside in the load points of Windows.

There are several load points in Windows, namely the Registry, the Startup folder, the System32 folder, the Temp folder, etc.

Virus entries in the Registry try to execute before the user logs in, i.e. when the computer starts.

Virus entries in the Startup folder and Temp folders execute after the user logs in.

The Registry Load Points are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (or another number)

If __NS_Service_ exists, right-click on it and choose Delete from the menu.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3 (or another number)

If LEGACY___NS_Service_ exists, right-click on it and choose Delete from the menu.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKCR\AppID\

e.g {01234567-89AB-CDEF-0123-456789ABCDEF}
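The registry load points above, together with the file and registry indicator lists earlier on this page, can be checked against a registry export instead of by clicking through regedit. The Python script below is an added example and not part of the original post or of any McAfee tool: it parses a .reg export (a constructed sample; the value names WindowsFY and msnmessenger and the files intmon.exe and loader[1].exe come from the lists on this page, while ExampleTool and tool.exe are made up) and flags Run and RunServices entries whose executable is on the page's list or starts from the Temp folder. SUSPECT_FILES holds only a subset of the page's list; the Temp rule still catches loader[1].exe even though it is not in that subset, which is the point of checking load points by location and not only by name.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed .reg export (not from a real machine). Value names WindowsFY and
# msnmessenger and the files intmon.exe and loader[1].exe are taken from the
# indicator lists in this post; ExampleTool and tool.exe are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="\"C:\\Program Files\\Example Tool\\tool.exe\" /background"
"WindowsFY"="C:\\WINDOWS\\system32\\intmon.exe"
"msnmessenger"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\loader[1].exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Subset of the filenames this post tells you to look for in System32.
SUSPECT_FILES = {
    "bsw.exe", "helper.exe", "hookdump.exe", "intmon.exe", "intmonp.exe",
    "msole32.exe", "ole32vbs.exe", "popuper.exe", "shnlog.exe", "winhook.exe",
    "winstall.exe", "wp.exe", "zloader3.exe", "ntsystem.exe", "cproc.exe",
}

# Autostart keys from the "Registry Load Points" section; matched on the key
# tail so both the HKLM and HKCU hives are covered.
RUN_KEY_TAILS = ("\\currentversion\\run", "\\currentversion\\runservices")

# A .reg value line: @ or a quoted name, '=', then the data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for a .reg export. String data is
    unescaped; other types (dword:, hex:) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue                       # header line or unsupported syntax
        name_tok, data = m.group(1), m.group(2)
        name = "(Default)" if name_tok == "@" else _unescape(name_tok[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def image_path(command_line: str) -> str:
    """Pull the executable out of a Run value: the quoted path, or the first token."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split()[0] if cl else ""


class Finding(NamedTuple):
    key: str
    value_name: str
    image: str
    reason: str


def triage(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag autostart entries by the post's two rules of thumb: the file is on
    its malware list, or it runs from the Temp folder (a load point itself)."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if not key.lower().endswith(RUN_KEY_TAILS):
            continue
        for name, data in values.items():
            image = image_path(data)
            basename = image.rsplit("\\", 1)[-1].lower()
            if basename in SUSPECT_FILES:
                findings.append(Finding(key, name, image, "filename listed as malware"))
            elif "\\temp\\" in image.lower():
                findings.append(Finding(key, name, image, "runs from the Temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key}\n  {f.value_name} = {f.image}\n  -> {f.reason}")
```

Export the Run keys with regedit (File, Export) on the affected machine and feed the file to `parse_reg_export`; the flagged value names are the ones to remove once the matching process has been stopped, as the Task Manager and Safe Mode notes below describe.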

Startup Folder:

C:\Documents and Settings\%user%\Start Menu\Programs\Startup

%user% is the name of the user who has logged in currently to the computer.

Here we have to search for the virus entries and delete them.

Temp folder:

Click Start->Run

Type %temp% and click OK

Delete all files and folders.

System Folder:

C:\Windows\System32

Here we have to search for the virus entries and delete them. Most of the virus entries found here will give an "Access denied" message when you try to delete them, because the process or DLL associated with the file is running in the background.

So we need to stop the process in Task Manager and then try to delete the infected file or we have to restart the computer in Safe Mode and delete the file.

Program Files:

Click Start->Run

Type %programfiles% and click OK.

Select the Virus folder and delete it.

e.g: WebSearch

MsConfig Utility:

Click Start->Run

Type msconfig and click OK.

The System Configuration Utility Window will open.

Click on the Startup tab.

Here we can disable programs or services that we do not want to run.

TaskManager:

Click Start->Run

Type taskmgr and click OK.

The Task Manager Window will open.

We can end any process here, after checking in the System Information tool (below) which program it belongs to.

MsInfo32:

Click Start->Run

Type msinfo32 and click OK.

The System Information Window will open.

Click on Software Environment.

Then check Running Tasks and Startup Programs.

Services Window:

Click Start->Run

Type services.msc and click OK.

The Services Window will open.

We can stop any service temporarily in order to delete an infected file.

Important Web sites for Virus Removal:

To check whether a process running in the Task Manager is associated with a virus, refer to these two web sites:

http://www.processlibrary.com/

http://www.liutilities.com/products/wintaskspro/processlibrary/

---------------------

To check spyware removal instructions and other Windows issues:

http://www.pchell.com/support/

---------------------

Free Virus Removal Tools:

http://us.mcafee.com/virusInfo/default.asp?id=vrt

http://www.bitdefender.com/site/Download/browseFreeRemovalTool/

http://www.microsoft.com/security/malwareremove/default.mspx

www.foundstone.com

---------------------

Important Notes:

NOTE 1: We have to know the name of the virus by running a full scan with the antivirus software (McAfee VirusScan) before we proceed with the virus removal procedure. After getting the name of the virus, we can search for it in Google to find out the files and processes associated with it. Then it is easy to detect these files and remove them from the load points.

NOTE 2: Whenever we are not able to delete a file or folder, we need to restart the computer in Safe Mode and then try deleting the file. In Safe Mode the computer starts with a minimum of drivers and software, and it is mainly used for troubleshooting purposes in Windows.

1. Restart the computer.

2. When the computer is rebooting, press the F8 key repeatedly.

3. You will get a page with options. Use the arrow keys to select " Safe Mode" and press Enter.

4. The computer will now start in Safe Mode.

NOTE 3: Before proceeding with the Virus Removal steps, we need to disable the System Restore feature of Windows temporarily.

1. Right click on the 'My Computer' and select 'Properties'

2. Click on System Restore tab

3. Check the box next to "Turn Off System Restore on all drives"

4. Click 'Apply' and then click OK.

NOTE 4: Always inform the customer to take a backup of his/her personal data (music, videos, documents) and a registry backup before proceeding with the virus removal.

NOTE 5: After the virus removal procedure is complete, inform the customer to run McAfee VirusScan and Windows Update regularly and to use SiteAdvisor while surfing the internet.

--------------------------------------------------------------------------

Check the Attributes on the WIN.INI and SYSTEM.INI Files

1. Click on the Start button.

2. Highlight Find then click on Files or Folders. The Find Files dialog box will then appear.

3. In the Named field type in WIN.INI.

4. In the Look In field type in C:\WINDOWS

5. Click the Find Now button. The computer will then search for the WIN.INI file. When it is found, the file will be displayed towards the bottom of the dialog box.

When the search is finished, right-click on the small icon to the left of the file's name. A pop-up menu will appear.

6. Left-click on Properties. The Properties dialog box will then appear.

7. Make sure the Read-only checkbox located at the bottom is not checked. If it is checked, remove the check mark.

8. Click the Apply button, followed by the OK button.

9. Repeat steps 3 - 10, substituting SYSTEM.INI for WIN.INI.

Once you have removed the Read-only attribute from the WIN.INI and SYSTEM.INI files, close the Find Files dialog box by clicking the X in the top right corner.

Remove Trojan References from the WIN.INI and SYSTEM.INI Files

1. Click on the Start button then click on Run.

2. Type in SYSEDIT then click OK. The System Configuration Editor will then appear with several windows opening on your screen.

3. Close the autoexec.bat and config.sys windows. You will then be at the C:\WINDOWS\WIN.INI window.

Locate the line that begins with 'load='. Place a semicolon (;) in front of the line so that it reads:
;load= (other text may remain here) Write this line down. You will be using this information later.
Note: Many Trojan viruses are able to load using this load= line when they infect a computer. This line is also used occasionally by other legitimate programs. Inserting a semicolon will prevent Trojan files from loading, but it may also disable functions of other programs (if they load from this line). After completing this process, if you notice that a normal program will not load, contact the manufacturer of that program to find out whether an entry for their program should be placed in the load= line.

Locate the line that begins with 'run='. Place a semicolon (;) in front of the line so that it reads:
;run= (other text may remain here) Write this line down also. You will be using this information later.

4. Close the C:\WINDOWS\WIN.INI window. You will be asked if you wish to save changes. Answer Yes. The C:\WINDOWS\SYSTEM.INI window will then be on top.

Locate the line that begins with 'shell=explorer.exe'.

If there is anything written after 'shell=explorer.exe', write it down (usually something like: Winsyst.exe). 'Winsyst.exe' is the name of a Trojan. After you have written it down, erase everything written after 'shell=explorer.exe' on that line. (Be absolutely sure you leave 'shell=explorer.exe' and the subsequent lines in place.)

5. Close the C:\WINDOWS\SYSTEM.INI window by clicking the X in the top right corner. You will be asked if you wish to save changes. Answer Yes.

6. Close the remaining windows until you are back on the desktop.
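The load=, run= and shell= edits above can be done and checked programmatically, which also records what each load point was starting before the change. This Python script is an added example, not from the original post: it reads constructed WIN.INI and SYSTEM.INI fragments (reusing the post's own emppkg3243.exe and Winsyst.exe names), lists what each load point would start, comments out load= and run= exactly as step 3 does, and reduces shell= to explorer.exe as step 4 does.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed WIN.INI and SYSTEM.INI fragments (not from a real machine). The
# paths reuse the examples the post itself gives: emppkg3243.exe on the load=
# line and Winsyst.exe appended to shell=explorer.exe.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\emppkg3243.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe Winsyst.exe
[386Enh]
"""


def section_lines(text: str, section: str) -> Iterator[Tuple[int, str]]:
    """Yield (line index, line) for the lines inside the named [section]."""
    inside = False
    for idx, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped[1:-1].lower() == section.lower()
            continue
        if inside:
            yield idx, line


def audit_win_ini(text: str) -> Dict[str, List[str]]:
    """Programs started from the load= and run= lines of [windows].
    Lines already commented out with ';' are not counted."""
    report: Dict[str, List[str]] = {"load": [], "run": []}
    for _, line in section_lines(text, "windows"):
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in report:
            report[key].extend(value.strip().split())   # several programs may be listed
    return report


def audit_system_ini(text: str) -> List[str]:
    """Anything on the [boot] shell= line other than explorer.exe itself."""
    for _, line in section_lines(text, "boot"):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            return [tok for tok in value.split() if tok.lower() != "explorer.exe"]
    return []


def neutralize_win_ini(text: str) -> str:
    """The post's step 3: put ';' in front of load= and run= so nothing starts
    from them, while the original text stays in the file for reference."""
    lines = text.splitlines()
    for idx, line in section_lines(text, "windows"):
        key = line.partition("=")[0].strip().lower()
        if key in ("load", "run"):
            lines[idx] = ";" + line
    return "\n".join(lines) + "\n"


def fix_shell(text: str) -> str:
    """The post's step 4: reduce the [boot] shell= line to exactly shell=explorer.exe."""
    lines = text.splitlines()
    for idx, line in section_lines(text, "boot"):
        if line.partition("=")[0].strip().lower() == "shell":
            lines[idx] = "shell=explorer.exe"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("WIN.INI load points:", audit_win_ini(SAMPLE_WIN_INI))
    print("extra shell entries:", audit_system_ini(SAMPLE_SYSTEM_INI))
    print(neutralize_win_ini(SAMPLE_WIN_INI))
    print(fix_shell(SAMPLE_SYSTEM_INI))
```

Run `audit_win_ini` and `audit_system_ini` first and keep their output; it is the "write this line down" record the later file-deletion steps depend on.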

Delete the Trojan Files

For further disinfection, remove the Trojan files by doing the following:

1. Click on the Start button.

2. Highlight Find then click on Files or Folders. The Find Files dialog box will then appear.

3. Type in the name of the Trojan file in the Named field. The name of the Trojan file can be found in the information you wrote down.
Note: To determine the name of the Trojan file, refer to the lines you wrote down in steps 4, 5, and 8 above. Entries in the load= and run= lines are paths that point to a specific file and tell it to run. Determine each complete path on the load= line and the run= line (e.g. C:\windows\emppkg3243.exe). A path normally begins with a root directory (i.e. C:\) and ends with a particular file to run (i.e. pkg3243.exe). Generally, the portion that follows the last backslash, 'pkg3243.exe', is the file, and the portion before the last backslash, 'C:\windows', is the location (or path) to that file.

Make sure the C: drive is selected in the Look In field so the entire C: drive will be searched.

4. Click the Find Now button. The computer will then search for the file. When it is found, the file will be displayed towards the bottom of the dialog box.

When the search is finished, right-click on the small icon to the left of the file's name. A pop-up menu will appear.

5. Left-click on Delete to delete the file. Answer Yes to any prompts asking if you are sure.
Note: If you are unable to delete the file, write down the location of the file (specified under the In Folder column), then see the Deleting Files in MS-DOS section below.

Deleting Files in MS-DOS

If you were unable to delete the virus or Trojan files in Windows, you should be able to delete them in MS-DOS. Deleting a file in MS-DOS requires restarting the computer in MS-DOS mode and then typing in the DOS commands to navigate to the location of the file and then delete the file.
Note: Trojan virus files are most commonly located in the C:\Windows or C:\Windows\System directories. The list of Trojan virus files above tells you the location of the most common Trojan viruses.

For example, if you had a file named WN32SYS.EXE in the C:\Windows\System directory that you were unable to delete in Windows, you would do the following to delete the file in MS-DOS:

· Click on the Start button then click on Shut Down.

· Select "Restart the computer in MS-DOS mode" then click OK or Yes. The computer will then restart in MS-DOS mode. You will be left at a screen with a black background. The last line of the screen will say C:\Windows> followed by a blinking cursor. This specifies that you are currently in the C:\Windows directory.

· To change to the C:\Windows\System directory you would type the following: CD SYSTEM (followed by the Enter key on the keyboard). The last line on the screen would then change to C:\Windows\System, specifying that you are now in the C:\Windows\System directory.

· Some Trojan virus files are marked to allow read-only access. It is a good practice to remove any read-only access attributes the Trojan file may have. To remove the read-only attribute of the WN32SYS.EXE file you would type the following: ATTRIB -r -s WN32SYS.EXE (followed by the Enter key on the keyboard). The last line on the screen will then remain at C:\Windows\System, specifying you are still in the C:\Windows\System directory.

· To delete the WN32SYS.EXE file you would then type the following: DEL WN32SYS.EXE (followed by the Enter key on the keyboard). The last line on the screen will then remain at C:\Windows\System, specifying you are still in the C:\Windows\System directory.

· To return to Windows, you would type the word EXIT followed by pressing the Enter key on the keyboard. The computer will then return to Windows.

The above example can be used to delete Trojan virus files in MS-DOS.

--------------------------------------------------------------------------------

McAfee technical quarry-part 15

BFU - Brute Force Uninstaller

Written by Merijn - http://www.merijn.org/

Description

BFU is a scripting program that can execute a series of preset commands like a Windows batch file, aimed at uninstalling programs that are hard to remove, uninstall improperly or are simply unwanted. There are options to let the script manage files, folders, ini files, Registry keys and values, hosts file content, processes loaded in memory, dll files, NT services and Winsock components. Message boxes can be displayed, the system can be rebooted, the Recycle Bin can be used for delete operations and programs can be started. Options for the script itself include unloading the shell (i.e. killing the Explorer.exe process), pausing between commands (or all commands) and setting a minimum required version number for BFU itself to be able to run the script. BFU itself does not store anything on the system and is uninstalled simply by deleting it.

A script can be activated by either downloading the script file (.bfu) and loading it into BFU by means of the 'select scriptfile' button, OR by downloading it directly into BFU with the 'open script url' button. When using the latter option, the scriptfile will be downloaded by BFU and saved on the system before loading it.

Command syntax

The format of the command is very simple, but has a few notes:

<command> <argument 1>|<argument 2>|<argument 3>

The <command> is one of the list below; the number and format (text, number) of the arguments depend on the command.

The pipes (|) between the arguments are needed, as they determine how BFU interprets which argument represents what.

For example, if the SystemRun command is used to launch a program without any parameters but it still needs to be hidden from the user's view (default is 1, show it), the command would be:

SystemRun c:\windows\notepad.exe||0

The second argument is empty, but the third is not. The second pipe must not be omitted, or the 0 would be interpreted as parameter for Notepad and the window would be shown.

Whenever brackets are used in the 'Syntax' lines below, this means any of the items separated by the pipes between them can be used. The brackets should not be used in scripts. For example, when the syntax for a command is DllRegister c:\file.dll|[0|1], this means either DllRegister c:\file.dll|0 or DllRegister c:\file.dll|1 can be used.
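The pipe rule is easiest to see with a parser. The Python below is an added example, not BFU's own code: it splits script lines the way the description above says BFU does (case-insensitive command, positional arguments separated by pipes, empty fields preserved, unrecognized lines ignored) and shows that dropping the second pipe from the SystemRun example turns the 0 into a Notepad parameter and leaves the window visible. The argument counts in KNOWN_COMMANDS are inferred from the post's two examples, not taken from BFU's documentation.

```python
from typing import List, Optional, Tuple

# Commands named in the post, with the argument count its examples imply:
# SystemRun <program>|<parameters>|<show window 0/1>, DllRegister <dll>|<0/1>.
# These counts are an assumption drawn from the post, not from BFU's docs.
KNOWN_COMMANDS = {"systemrun": 3, "dllregister": 2}

# Constructed sample script. The second SystemRun line omits the second pipe
# on purpose, to show how the 0 is then taken as a Notepad parameter.
SAMPLE_SCRIPT = r"""# constructed example script
SystemRun c:\windows\notepad.exe||0
SystemRun c:\windows\notepad.exe|0
DllRegister c:\file.dll|0
this line is not a command and is ignored
"""


def parse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one script line into (command, arguments). Commands are matched
    case-insensitively; empty fields between pipes are kept, because position
    decides what each field means. Unrecognized lines return None."""
    stripped = line.strip()
    if not stripped:
        return None
    head, _, rest = stripped.partition(" ")
    cmd = head.lower()
    if cmd not in KNOWN_COMMANDS:
        return None                      # comments and stray text are ignored
    return cmd, rest.split("|")


def parse_script(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a whole .bfu script, dropping lines that are not commands."""
    return [parsed for parsed in map(parse_line, text.splitlines()) if parsed]


def interpret_system_run(args: List[str]) -> dict:
    """Meaning of a SystemRun argument list, with the post's default of
    showing the window (1) when the third field is absent or empty."""
    program = args[0] if args else ""
    params = args[1] if len(args) > 1 else ""
    show = args[2] if len(args) > 2 and args[2] != "" else "1"
    return {"program": program, "params": params, "show": int(show)}


def arity_warnings(commands: List[Tuple[str, List[str]]]) -> List[str]:
    """Report commands whose field count differs from the expected one; a
    missing pipe shows up here before the script is ever run."""
    return [
        f"{cmd}: expected {KNOWN_COMMANDS[cmd]} arguments, got {len(args)}"
        for cmd, args in commands
        if len(args) != KNOWN_COMMANDS[cmd]
    ]


if __name__ == "__main__":
    parsed = parse_script(SAMPLE_SCRIPT)
    for cmd, args in parsed:
        print(cmd, args)
        if cmd == "systemrun":
            print("  ->", interpret_system_run(args))
    print(arity_warnings(parsed))
```

Running `arity_warnings` over a script before loading it into BFU catches the missing-pipe mistake the post warns about, since the malformed SystemRun line has two fields instead of three.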

Writing scripts

The 'open script' dialog filters on *.bfu. A .bfu script file is plaintext, commands are not case-sensitive (though parameters can be, case depending). The order of commands can be anything, but it is recommended to put script options at the top and a system restart at the end. Any lines that do not start with a recognized command are ignored, but for readability comments should be easily recognizable, for example by starting them with a certain character (', #, //, /*,