I recently received an email from what turned out to be a fake address which had an attachment that turned out to be a virus. In a moment of raging stupidity, I unzipped the attachment and allowed the file "svchosts.exe" to run when prompted. I also clicked "unblock" when consequently prompted about something by the Windows Firewall. I'll try to keep this short, but this is basically what's happened since...
File "svchosts.exe" deemed suspicious by Norton AV, submitted to Symantec. Meanwhile, I assume the file got deleted, because I can't find it anywhere on the computer anymore. However, a backup of it still exists in the Norton Quarantine. Symantec replies with an email saying that file "svchosts.exe" is infected with virus "W32.Mytob@mm".
I look at the virus encyclopedia on Symantec website to follow instructions for manual removal of the virus. I notice that the descriptions of "W32.Mytob@mm" such as possible sender names, email body, and attachment names, don't match the email I received. Furthermore, the changes/additions to the registry listed on the site haven't been changed/added on my computer. I look at all the other variants and the email I got does match some of them, however, none of the variants copy themselves as "svchosts.exe", according to the encyclopedia.
My problem is as follows... I've run a full system scan using my Norton AV and online scans from Symantec, Panda and Trendmicro websites. They all found nothing. I've run 2 different Symantec "Mytob" removal tools as well as the Microsoft Malicious Software Removal Tool, all 3 found nothing to remove. Yet... da da dum... if the virus is really gone, why does my registry still have the entry "Win32 Driver svchosts.exe" under
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
Also, I went to Windows Firewall settings and found "svchosts.exe" still checked in the exceptions list, so I unchecked it and deleted it from the list. Lastly, although I can't find "svchosts.exe" on my computer anymore, there is a file "SVCHOSTS.EXE-06B6C8D2.pf" in my Windows/Prefetch folder (this file was created while this whole incident was occurring, according to its creation date and time).
I'm not very computer literate, is all the above normal? What does it all mean? Is the virus still on my computer in some form or another? It was determined to be "W32.Mytob@mm", but nothing about it matches the technical details provided by Symantec about that variant, so basically, I'm confused as to what the computer was even infected with. Those entries in my registry and that .pf file are making me think that the virus hasn't been removed properly.
What I'd like is to know that the virus has been completely removed and that any changes it has made to my system have been restored/reversed. How can I achieve or even just check this, apart from completely reformatting my hard disk? Any advice/help/background you could give me will be very much appreciated... Thank you.
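As an added example (not part of the original post or of any Symantec tool), the following read-only PowerShell script checks the two things the poster is worried about: it enumerates the three autostart registry keys named in the post and flags any entry whose target executable no longer exists on disk (an orphaned entry such as "Win32 Driver svchosts.exe" left behind after the file was quarantined), and it lists Prefetch records for a given image name so the creation and last-write times can be compared with the incident timeline. The key paths and the name svchosts.exe come from the post; the function names are my own, and the script changes nothing on the system.

```powershell
# Added example, not from the original post: read-only checks of the autostart
# keys and the Prefetch folder mentioned above. Run from an elevated PowerShell.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Properties the registry provider adds to every Get-ItemProperty result; not real values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        # RunServices does not exist on every Windows version; skip missing keys
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $raw = [string]$p.Value
            # Take the executable part of the command: a quoted path, or the first token
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            $resolved = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare file name is resolved by Windows from the Windows and System32 folders
            $candidates = if ([IO.Path]::IsPathRooted($resolved)) {
                @($resolved)
            } else {
                @((Join-Path $env:windir $resolved), (Join-Path $env:windir "System32\$resolved"))
            }
            $exists = @($candidates | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Command      = $raw
                Target       = $resolved
                TargetExists = $exists
            }
        }
    }
}

function Get-PrefetchRecords([string]$ImageName) {
    # Prefetch files are named IMAGE.EXE-<hash>.pf; LastWriteTime roughly tracks the last run
    $dir = Join-Path $env:windir 'Prefetch'
    if (-not (Test-Path -LiteralPath $dir)) { return }
    Get-ChildItem -LiteralPath $dir -Filter "$ImageName-*.pf" -ErrorAction SilentlyContinue |
        Select-Object Name, CreationTime, LastWriteTime, Length
}

# Usage: orphaned autostart entries are the ones a scanner will not report as "infected"
# because the file they point to is already gone, yet they are still evidence of the run
Get-AutostartEntries | Where-Object { -not $_.TargetExists } | Format-Table -AutoSize
Get-PrefetchRecords -ImageName 'SVCHOSTS.EXE' | Format-Table -AutoSize
```

An autostart value whose target does not exist is harmless on its own (Windows simply fails to start it), but it confirms the executable once registered itself to run at logon, and it is the kind of leftover that a file-based scan does not clean up. The Prefetch entry likewise records only that the image was executed; its timestamps are useful for matching against the incident, not a sign the program is still present.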