Ok. I've got the latest/greatest, auto-update, fully enabled Norton AV and firewall running on my home PC. Yet, when I bump it out of sleep today, there's a high risk message box from Norton in the middle of the screen stating a trojan horse has been detected on my computer, and it is unable to fix as it cannot delete the file (the file name is \windows\system32\winmmc32.exe). I do everything Norton tells me to do to fix it, which included the following:
- boot in "safe" mode
- run a full virus scan (it detected the trojan, of course, but nothing else)
- quarantine the file
- delete the file from quarantine
- check the registry, file is found there, delete the entry
- reboot in "normal" mode

After doing all this, I still get the Norton high risk message stating the same darn trojan is still there! Check myself, and sure enough, there's the file, as if nothing had been done. Figure something must be re-creating it, so I ran Spybot and Ad-Aware and deleted what they detect. Still no good. Not only does the file reappear, but the entry for it in the registry reappears as well. Any ideas out there??? thanks.
__________________
. . . My moustache is touching my brain!!!!

I had something similar last week with a "wovex.exe" trojan. Norton identified it but could not clean it.
You will need to boot into Safe Mode, Command Prompt (DOS), then navigate to the directory of the exe and type del {virus name.exe}. Since I don't know what you are running, how to get to the command prompt may be different. I am using Win2000.
__________________
Earth First! We'll mine the rest later.

I'm running XP (sorry, should have mentioned that). Can you even get a DOS window with XP? Is doing what you say (deleting it via straight DOS) any different than deleting under windows? thanks for the help!
__________________
. . . My moustache is touching my brain!!!!

Also, what might be happening is that XP seems to take a snapshot of the system32 directory, and replaces anything you delete. I've had a case of this on a co-worker's machine.
I'm not very familiar with XP's System Restore functionality, so what I did was create a placeholder text file and rename it to the same name as the virus once it was deleted. This apparently satisfied Windows restore.
__________________
And you, to whom adversity has dealt the final blow With smiling [faces] lyin' to ye' everywhere ye' go Turn to, and put out all your strength of arm and heart and brain And like the Mary Ellen Carter, rise again.

Did you disable Windows XP System Restore? http://service1.symantec.com/SUPPORT...01111912274039

I tried on our Win2000Pro machine here to refresh my memory. Reboot and hit F8 before Windows starts to load up. You should get a choice of how to boot up (something like 8 choices). As I previously mentioned, find one that says something like Safe Mode with Command Prompt. The next screen allows a choice of OS, if you have multiple OS's on your system. Select the OS (in your case Windows XP). In a couple of minutes, the Command Prompt will appear (mine seems to be taking its time).
__________________
Earth First! We'll mine the rest later.

I did mosse's solution, I remember it now that I read it (that worked on '98 too). The virus thought it had already copied itself when seeing this empty file with the correct name. I deleted it some days later to check, and it didn't return that time. I don't know why, maybe the virus check had done its job by then?
__________________
To the regular visitor of internet bulletin boards it is clear that it's an excellent idea your parents get to choose your real name.

thanks for all the help guys. Logicboy, I did indeed disable the restore function. Forgot to list that.
teddytv. I didn't have any problems deleting the file, either under safe mode or normal mode (makes me wonder why norton couldn't do it, unless it has something to do with the file having an entry in the registry). Nicholas. I did what you did. Created a dummy text file and renamed it to \windows\system32\winmmc32.exe. When I rebooted, I got a message back from windows saying it couldn't find that file, so I again edited the registry and (again) deleted the entry for the file name from the registry. Closed out the registry and re-opened it, and the entry was NOT back again!! =D> Plus, no more messages from Norton saying I have the virus!!! =D> =D> =D> Looks like the dummy file thing does in fact trick the virus into thinking it's still there. I'll just keep things like this for a few weeks, then delete it and see if Norton can clean up if it re-installs itself again (I sent them the virus via their "submit" function, so they should be able to come up with something soon). Thanks again guys! I love having this resource handy!!! 8)
__________________
. . . My moustache is touching my brain!!!!

Of course the dummy file doesn't really remove the trojan, it just prevents it from activating. I didn't have any damage from it though. It certainly works as a temporary version. I hope Norton comes up with something elegant.
__________________
To the regular visitor of internet bulletin boards it is clear that it's an excellent idea your parents get to choose your real name.

Maybe the trojan didn't return because "having the file but not the entry" goes outside of the trojan's logical order, and thus prevents it from restoring itself. That might be why the file didn't return after removing the dummy.
__________________
To the regular visitor of internet bulletin boards it is clear that it's an excellent idea your parents get to choose your real name.

Anyhoo, glad you got it sorted out.
__________________
Earth First! We'll mine the rest later.

Before creating the dummy file, my deletion of the entry from the registry would result in its instantaneous re-addition (i.e. I'd close out of REGEDIT, then go back in immediately, and the entry would be there again). This even if I quarantined/deleted the file itself beforehand. As for the file itself, Norton would continue to show the warning even after quarantine/deletion, so it must have been impervious to this action. A reboot would result in the file being back in the \windows\system32\ directory. So, the virus is sitting out there somewhere just waiting to re-install if it finds either the file or the registry entry gone. I would think Norton (Symantec) will get a new definition built shortly, although I'm concerned they didn't already have one built if you had this issue a few months ago. Makes me wonder if I have the best AV on the market or not! Again, thanks to all of you for your time!
__________________
. . . My moustache is touching my brain!!!!

Maybe it is a newer version of the Trojan.
WARNING: your computer might very well have winmmc32.dll. This is a legitimate Windows file (multimedia control) and is needed for some applications. winmmc32.exe, however, is the Trojan, and is not needed whatsoever.
__________________
To the regular visitor of internet bulletin boards it is clear that it's an excellent idea your parents get to choose your real name.

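To make the registry side of this thread concrete (the Run entry that kept coming back, the dummy-file trick, and the winmmc32.dll vs winmmc32.exe distinction just above), here is an added example that is not code from anyone in this thread or from Norton. It is a small Python script that parses a regedit export of the Run key, flags any autorun value whose launched program is a known-bad image such as winmmc32.exe while leaving a rundll32 entry for the legitimate winmmc32.dll alone, and checks whether a file on disk is an empty placeholder rather than a real executable. The export text, the ExampleUpdater and MediaControl entries and all paths are constructed sample data; the function names are hypothetical, and "placeholder" is assumed to mean a zero-byte file.

```python
import ntpath
import os
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a regedit (File > Export) dump of the Run key.  Only the
# winmmc32.exe / winmmc32.dll names come from the thread; the other entries and
# all paths are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"winmmc32"="C:\\WINDOWS\\system32\\winmmc32.exe"
"MediaControl"="rundll32.exe C:\\WINDOWS\\system32\\winmmc32.dll,Start"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Turn \\ into \ and \" into " as regedit's export format requires.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: command_line}} for string values in the export."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def image_name(command_line: str) -> str:
    """Base name of the program a Run value actually launches (quoted path or first token)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end] if end > 0 else cmd[1:]
    else:
        image = cmd.split()[0] if cmd else ''
    return ntpath.basename(image).lower()


def flag_autoruns(values: Dict[str, Dict[str, str]],
                  bad_images: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command_line) for entries whose launched image is on the bad list.

    Matching is on the launched image only, so a rundll32 entry that loads the
    legitimate winmmc32.dll is not reported when only winmmc32.exe is listed.
    """
    bad = {b.lower() for b in bad_images}
    hits = []
    for key, entries in values.items():
        for name, cmd in entries.items():
            if image_name(cmd) in bad:
                hits.append((key, name, cmd))
    return hits


def is_placeholder(path: str) -> bool:
    """True if path exists as an empty file: the dummy file from the thread, not a real executable."""
    return os.path.isfile(path) and os.path.getsize(path) == 0


if __name__ == "__main__":
    parsed = parse_run_values(SAMPLE_REG_EXPORT)
    for key, name, cmd in flag_autoruns(parsed, {"winmmc32.exe"}):
        print(f"suspicious autorun: [{key}] {name} -> {cmd}")
```

Run against a real export, the script reports the Run value pointing at winmmc32.exe and stays quiet about the DLL; checking the on-disk file with is_placeholder tells you whether what you are looking at is the harmless dummy or the trojan binary back in place.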
Yeah, I feel like I dodged a pretty big bullet here! My hard drive crapped out on me earlier this year, and I wasn't looking forward to losing everything again by having to do a reformat/reload! I've been pretty confident in Norton AV/Firewall. Hopefully, this was an isolated event. . . :-?
__________________
. . . My moustache is touching my brain!!!!