Norton can't help!

Hello everyone,

Norton has identified a virus on my system but reports that it can' t do anything about it saying "Access Denied". It reports the virus as curs[1].anr in Temorary Internet Files rooted in Documents and Settings/Owner/Local Settings.

I've cleared these Temporary Internet Files of course but I cannot see any .anr files in there but I can see four .gif files which I cannot remove no matter what I do, these .gif files show an Internet address www.digitalcity.com, or something like that. Also on running Hijackthis I notice a line has been added in the registry, something to do with "local-host", I delete this at every start up but it keeps re-appearing.

I've run the standard AOL virus scan and also Stinger but neither of these report any faults.

Has anyone else been having these problems and does any one know how to locate these .anr and .gif files and get rid of them?

Any help on this would be very much appreciated.

Kind regards,

Oliver

 

Hi....

Have you tried booting in Safe Mode and then deleting those files. Bit strange you cannot delete a .gif file.

And no, I don't have those in my Local Settings folders on any user profile.

I would get a *second* opinion with an online scan, [click on a link in my sig] and follow online prompts, etc. [You will have to dl an ActiveX file generally from each before the scan will go ahead, just follow the prompts you get each time]

Cheers, TAS

 

Yeah..scan in safe mode....actually before that...try running CCleaner.

 

Hello everyone,

Thanks for the replies, and Tas, yes, I will try one of your online scans, thank you very much for that.

Here's a bit more information that I've gleaned over the past 24 hours concerning this virus, at least as far as it affected my pc.

I've found that it actually created a brand new Network connection using the internal modem it found linked to my fax programme, amazing is'nt it! The number it dials is 09090 292820 which is for a company in Andorra offering adult services. I've lodged a complaint with Icstis. The really clever thing is this, when the internal modem actually made a connection I got none of the usual electronic clattering you usually get when a modem is in operation, if I had'nt picked up the 'phone to make a call I would'nt have known the line was in use. I use AOL Broadband and of course my Internet connection is through their external BT Voyager 105 DSL modem.

I've booted in Safe mode and I cannot see the .gif files or the .anr files that Norton reported. What is an .anr file anyway, new one on me. In safe mode I find that for some reason Norton and AVG 7.1 will not run but Spyware and Microsoft AntiSpyware Beta 1 will. Spyware reports 30 risks nearly all of them listed as HKLM's or HKCU's, I guess these are "deep registry" files and HijackThis does not see them. It also reported one risk in C:RECYCLERS and I can see this but not delete it, I get the report that the file is in use by another programme. Microsoft AntiSpyware reports no faults.

One other thing, in Safe mode the "local-host" line does not get added to the registry, in normal mode it does, every time.

This seems a particularly virulent virus to me and is probably going to cost some people an awful lot of money on their 'phone bills, I hope Icstis can get that number disconnected very quickly.

Kind regards,

Oliver

 

Hi Oliver.

In your original post you stated that you could 'not' see the .anr file, but could see the .gif files but could not delete them.

In the last post where you said you were in safe mode, you could not see 'any' of the files. Is that correct? If so, that's very strange.

I do take it you have the view hidden files option turned on. [Make sure, open Windows Explorer [Windows Key + E], Select: Tools | Folder Options | View TAB | make sure 'Show Hidden Files and Folders' is SELECTED and 'Hide extensions for known file types' is UNchecked.

If those were NOT as above, then once you have done that, try to navigate to the folder again in safe mode and see if you can then see/maybe delete.

But do that online scan anyway for sure.

Then probably is a good chance you may have to get extra help from another forum that does HiJackThis logs, but see what an online scan shows/deletes for you.

Cheers, TAS

edit: forgot... .anr files, well I get this: http://filext.com/detaillist.php?extdetail=ANR

something to do with street map directory from company Delmore [XMap scalable mapping software that provides users with digital mapping tools. Often found in the DeLorme Docs\Navigation folder] do you have something like that loaded?

If so, then it may be that Norton is givng a False Positive on this file [says its infected but it's not].

If you can see this file in normal mode, click on the Jotti's single file scan in my sig, it takes you to a page where about 13 14 AV programs scans a single uploaded file. Just do a browse, locate that file, then upload it and let it scan that single file.

Now, i just tried and the servers are very busy, told me to come back later, so you may have to wait a bit.

 

Hello Tass,

Thanks for your reply.

What I reported is correct and yes, I do have hidden files showing and unknown file extensions unchecked, it is very very srange. In normal mode the .gifs are quite clearly there but cannot be removed. I can see them in the tree in Thumbs and Irfanview viewers too and although in both of these a File Delete function is available it cannot delete them. Strangely Windows Media Player can't see them in the tree.

Thank you for your explanation of what .anr files are but I'm sorry to say that I've never used the programme you describe regarding steet maps.

I've tried the scanners you list in the top line of your signature but I'm afraid it has'nt helped. Two of them use Symantec and I already have that, and the other one, Kayser something or other shuts AOL down every time I try to access it. All very odd. I'll try the new one you list in your mail, thank you again.

Kind regards,

Oliver

 

The curs[1].anr doesn't need a program to run; it auto-downloads, triggered by code embedded in a web page, similar to the following:

style>
* {CURSOR: url("pluginst.anr")}
style>

Using this file as an example -- it is identified as a virus because of the filename contained in the file; here, it is "exploit=MS05-002" which is identified by the scanners as "Exploit/MS05-002.Ani.A exploit"

pluginst.anr

RIFF___ACONanih|___$___________________________w‚@_ëd??w‚@_ëd??ëT??w‚
@_ëT??w‚@_ëD??w‚@_ëD??w‚@_ë4??w‚@_ë4??w‚@_ë$??w‚@_
[removed]
hxxp://210.x.xx.xxx/cgi-bin/ie0601.cgi?exploit=MS05-002

--------

MS05-002 refers to the cursor vulnerability exploit described in MS05-002 -- an old exploit, but still floating around. This one was in the recent postcards.com email e-card that has been circulating.

The purpose of a .anr file is to download a trojan. Here, it is exefile.exe, identified as a trojan NewHeur_PE variant:

http://www.rsjones.net/imgs/ani-exploit3.gif

http://www.rsjones.net/imgs/ani-exploit.gif


-----