mcafee virus detector

oh my goodness
I'm on a high learning curve today.
I've just looked at my settings and the
HEURISTICS SCAN SETTINGS window
on the Sysyem Scan
shows that I have not enabled heuristics scanning.
If I tick the box I have 3 choices

1 enable macro heuristics scanning
2 enable program file heuristics scanning
3 enable macro and program file heuristic scanning

also, there is another box which says

remove all macros when cleaning infected documents.
Should I tick this or not

____________________________

ALSO I have now got a message coming up on e-mail from one particular person saying
AN ACTIVES CONTROL ON THIS PAGE IS NOT SAFE
YOUR CURRENT SECURITY CONTROLS PROHIBIT YOU RUNNING UNSAFE CONTROLS ON THIS PAGE.

I'VE NEVER HAD THIS WARNING BEFORE.
IS IT CONNECTED WITH THE VIRUS ?

Anne

Dear Kay

Thanks so much for your quick reply and all the information you gave me.

I am so dumb I don't even know what a MACRO is !!!

BUT I have set the heuristic settings as you have yours and ticked the remove all macros box and just hope it doesn't remove anything it shouldn't ;o)

I will do as you suggest about the ActiveX warning.

I don't know what ActiveX is !!

How do I learn all these things ??

Anyway, many thanks for your help.
I may be back !!!!

Anne

Hi Anne,

First, yes--that message is definitely connected to that virus. I would inform the source of this message that they may have a problem that needs checking with their AV program, making certain that they have current definitions installed first. Be up front and let them know that you did have this virus and have eradicated it, but that you are still getting this warning when receiving messages from this source, so the possiblity exists that they are infected. Most people are understanding when informed that they may be infected, and do what's necessary to see if they are infected.

This said, this quote from the McAfee article on the virus you had applies:

Indications Of Infection
Recipients of messages which contain Wscript/Kak.worm may receive warning messages such as:
"Do you want to allow software such as ActiveX controls and plug-ins to run?"

Users should select "NO" to this question. Also another warning dialogue box could be displayed:
"Scripts are usually safe. Do you want to allow scripts to run?"

Users should select "NO" also to this question. Further indications of infection are the existence of files KAK.HTA and KAK.HTM as mentioned above, registry modifications as mentioned above, added or modified default signature as mentioned above.


On your heuristics, I enable both macro and program files scanning--macro viruses attack Word and Excel macros for example, program files are more what you think of when you think of viruses. On the question of removing the macro when cleaning the document, I'm not clear on where they're going with this, so I am unable to advise you there. My AV program is Norton AV 2000, so the configuration is different in terms of specifics. I believe they may be asking if you want to delete the macro containing the virus, in addition to eradicating the virus, but I'm not clear on this, and someone running McAfee would be in a better position to advise you here. If that's what they are asking, then that's a matter of judgement on your part, as to how badly you want the macro involved. My position might well be that I don't until the sender cleans their system and resends a clean macro.

Hope this helps--it's a confusing, aggravating business.

Kay

Hi Anne,

First of all--right at the outset, you are not dumb. Wrap your mind around that from the start. What you are is inexperienced, and you have chosen one of the most complex times in the history of personal computing to get involved. That's the entire point of DellTalk and other forums like it. I've worked with computers for 6 years now, through all the versions of Windows as well as several versions of MS-DOS. I learned very gradually what you have had dumped on you all at once. It was so much easier for me, and for others like me, to have the gradual experience, and we're trying to help people out who have had it all dumped on them at once, all right?

Question: what is a macro? From Word 97 Help:

Using macros to automate tasks

If you perform a task repeatedly in Word, you can automate the task using a macro. A macro is a series of Word commands and instructions that you group together as a single command to accomplish a task automatically. Instead of manually performing a series of time-consuming, repetitive actions in Word, you can create and run a single macro ¾ in effect, a custom command ¾ that accomplishes the task for you.
Here are some typical uses for macros:

· To speed up routine editing and formatting
· To combine multiple commands
· To make an option in a dialog box more accessible
· To automate a complex series of tasks

Word offers two ways for you to create a macro: the macro recorder and Visual Basic Editor. The macro recorder can help you get started creating macros. Word records a macro as a series of Word commands in Visual Basic for Applications programming language. You can open a recorded macro in Visual Basic Editor to modify the instructions. You can also use Visual Basic Editor to create very flexible, powerful macros that include Visual Basic instructions that you cannot record. For more information about using Visual Basic in Word, see "Microsoft Word Visual Basic Reference" on the Help Contents tab. If "Microsoft Word Visual Basic Reference" does not appear on the Contents tab, the Visual Basic Help component was not installed with Word. For information about installing it, click .

After you've assigned a macro to a toolbar, a menu, or shortcut keys, running the macro is as simple as clicking the toolbar button or menu item or pressing the shortcut keys. You can also point to Macro on the Tools menu, click Macros, and then click the name of the macro you want to run.

You can store macros in templates or in documents. By default, Word stores macros in the Normal template so that they're available for use with every Word document. However, if a macro stored in the Normal template is useful only for a particular type of document, you may want to copy the macro to the template attached to that document and then delete the macro from the Normal template. To copy, delete, or rename a macro, use the Organizer. On the Tools menu, point to Macro, click Macros, and then click Organizer.


Question: What is an ActiveX control? Take this link to a Webopedia definition of ActiveX controls, and it will explain them much better than I can, OK? Bookmark the main Webopedia site; both that and this link to Whatis.com are invaluable resources in defining the terms you will hear if you spend much time here or at other forums.

How do I learn? Ask all the questions you can think of as they come up. Someone here knows just about everything there is to know about hardware and software issues, or they know where to find the answer. If you have time, just read some of the posts that interest you--I learn something new every time I read what some of the people here have to say--many of them are an invaluable resource to Dell and to all of us who learn from them. Finally, if you want a practical, organized method of learning, get hold of some books on whatever aspect of your computer interests you. Start with very basic levels--most books specifiy their target market; choose a beginning book, then move to the more in-depth and specific books, such as the Windows 98 Bible. Before long, you'll be over here helping others who are now in the position you once were.

Until you get the virus thing you're currently fighting straightened out, it's my view that you don't need to fight the macro coming in--I believe that is what McAfee refers to, but I would like to hear this from an experienced McAfee user; I don't believe they're talking about entering your Word software and deleting one of your pre-programmed macros, but I would want to be sure of that. Steve Anderson, the man who originally worked with you on your virus issue runs McAfee--unfortunately for us, he left on a trip this morning, which is why I stepped in. Since he isn't available, I'm hoping someone else who runs McAfee sees this, and can tell us both exactly what they are getting at with this macro deletion option. We'll just have to wait and see what works out on that, OK?

Be sure to keep asking questions--it's the way you learn, and it's what we're all here for, OK?

Kay

Edit: I found out that Steve isn't leaving today, so I have asked him to look at this and see what he can find out, OK? When he is free, he'll check on it and let you know, I'm sure. End Edit.

Dear Kay

Many thanks for your latest letter.
It's 9 am here in the UK so that's why the delay in replying.

OK, I'll call myself inexperienced from now on ;o)

I am SO grateful for all the information you have given me.
Thank goodness for DellTalk and people like yourself.

I have bookmarked both the links you gave me and I can see they will be a valuable source of information.

Oh, by the way, regarding Activex and DirectX. Someone who I receive stationery from told me I should update both of these and I went to the Microsoft page and updated DirectX but couldn't find ActivX, so if you could point me in the right direction I would be grateful.

I think that we all go happily along using our computers until something goes wrong and then - bang - we start a whole new learning process, so in a way this virus was a good thing.

My McAfee dealt with the virus. I think I just didn't have the programme set up correctly.
I assumed that all the setting were correct when I got my computer.

Once more, thanks so much for all your valuable help and encouragement.

Anne

PS I have a Dell T500

Hi Anne,
I'm very happy that you were able to clean the virus from your system. Kay ask me to look in on the forum and see if I could add to her sage advice.
The question of removing macros, I have mine checked to do it. My interpretation is to remove the "macro" virus rather than the macro file that is infected but, I might be mistaken. It is entirely possible that to clean a macro file the only way is to remove the entire file. I would much rather lose a file rather than keep the virus.
You ask about ActiveX updates. If you have installed IE 5.01 then you have the latest update for these files.
The only other advice that I can add is to check what McAfee versions that you are currently running. Do this: Right click the McAfee icon in the system tray and choose about. Here you will see what you have installed. The current versions are:
VShield 4.03
definitions 4.0.4071
scan engine 4.0.50
If you have anything lower then these, you aren't current and need to update. The software v.5.0 has just been released but, I would recommend waiting for a short period before updating so that the early "bugs" can be worked out.
One other thing, when you double click the icon you should have four scans listed and activated.
Feel free to ask questions, it's better to ask than to wonder.
I'll be back to the forum later today and will check to see if you have further questions although I'm very sure that Kay can answer 99.9%.
Steve

Dear Steve

Many thanks for your letter.
I appreciate it.

I have IE 500.2614.35001S

Mry McAfee version is
VShield 4.0.3
definitions 4.0.471
scan engine 4.0.02

My virus Scan scheduler shows 4 scans
V Shield
My computer
Drive C
Default Scan

V Shield is set to come on at start up
The others are set for once a day but they don't scan automatically - I have to press scan now -
Is that ok ?

How do I update McAfee scan engine.
When I updated yesterdat it said I had done everything I should do.

Also, when I go to IE update it says I have the current version.

I look forward to your advice.
Many thanks
Anne

Hi Steve

Me again

I just tried to update the current DAT files to the recommended 4071 but when I tried to run the download I was recommended NOT to run the programme as it said my current files were ok.
I thought I had better follow their instructions so clicked NO

Also, regarding the SECURECAST download
which is also available on the McAfee update site,
I didn't know whether I should download this or not.

Many thanks
Anne

Hi Anne,
First IE, the version that you have is the one which came with Win98SE and is not the v.5.01 which is the latest. There's nothing wrong with what you have although the update adds a few features and some patches. If you like go to IE Update Page and check to see if yhou can download from there. Your activeX and java files are also contained in Microsoft Virtual Machine so you should check the Update site to see if there is an update available.
Now McAfee, Your Scan engine is very old and should be updated. You were right not continue with the install since they suggest not to overwrite a DAT file with the same one. Wait until the next DAT's are posted and then do the Super Dat, it will update both. You need to check over your setup for the scans. The VShield is your boot up scan which runs at startup. The Scan my Computer is the only other that you need to run on a regular basis. The other two would be redundant, they are used to set up specalized short scans for when you need to scan a specific area and not do a complete scan. I'll give you the settings that I have for scan my computer and a brief explanation. Double click the VScan scheduler icon>double click Scan my Computer,on Program page Start in: Desktop (only because this is the way Explorer is arranged) click Configue, on the Schedule page Enable & Run daily checked, time is a time when your system is running everyday. If you make a change remember to click Apply>ok. Back on the Program page click configure,on the Detection page What to scan:
Scan Memory
Scan boot sectors
Program files
Start automatically (this turns it on so that you don't have to click run now, therefore, starts and stops without you having to be around)
By checking the Scan all files it will do a complete scan but will take 20 or more minutes-I do this maybe once a month but not everyday. The compressed files setting will go through all the CAB files if installed and will take over an hour to complete - I did this once just to check. Since you had a virus, it may not be a bad idea to run these scans just to check the entire system throughly.
How click the Heuristics button and set up just like you did for email scan, enable,enable macro & program, remove all macros.
The SecureCast option is for the BackWeb automatic download system. This is a personal preference issue. The people that I have been involved with setting up this system seem to like it. Takes the guess work out by pestering you to keep everything up to date. Although not completely automated, it takes the download step out of the update process.
Anne, I have given you a number of things to think about and look at so post back if you have further questions.
Steve

Hi Steve,

Thanks for your letter

Well, I went to the link you gave me and downloaded IE .5.01
There were so many choices so I only ticked two items. IE5.01 and Internet Browser.
I didn’t know whether I should choose any of the others or not. When they give choices I never know what to do.

I then went to the next page to look for ActivX and found the following choices under Windows 98 Downloads.

Internet Explorer 5.01 and Internet Tools
Internet Explorer 4.01 with Service Pack 2
Outlook Express Year 2000 Update
Updated Microsoft Virtual Machine for Internet Explorer 4 and 5 *
Add-on Windows Internet Features for Internet Explorer 4.0
Internet Explorer High Encryption Pack (128-bit encryption)
Administration Kit (IEAK)

I didn’t know if I should choose any of these so I didn’t, but you did mention Microsoft Virtual Machine and I wondered whether I should have downloaded that *


However, after I had done that I looked at the internet setting to see if it had changed and it still said 5.00.2919.630715.
Perhaps it doesn’t change.

I followed your instructions for McAfee but under the ACTION tab I wasn’t sure which boxes to tick or untick as there are
Clean
Delete
Exclude
Continue access
Stop access

I also didn’t know what to do with the REPORT, EXCLUSION AND SECURITY TABS so didn’t do anything.

I couldn’t see SECURECAST but I probably wasn’t looking properly.

I will also do as you suggest about updating the scan engine.
Can I download the SuperDat every time ?

I’m sorry I have written such a long letter with so many questions.
But many thanks for your help
Anne

Hi Anne,
The new version # that you list is the correct one for IE 5.01. I would recommend that you now go to the Windows Update page using your start menu for further updates. It should show you what is available that you don't already have installed. Windows 98SE had a number of things included so this would be the best way to check so that you don't waste time reinstalling something that you already have. If you have questions when you go there, post back and I give you my opinion.
The McAfee Action page should have everything checked except the Exclude file. The other pages are set up as a default and are best left alone. The SecureCast is a sepatate download and install which you must get from the McAfee site so you won't have anything about it on your system.
The SuperDat update should be done only when the Scan engine is updated. You look at the # (which now is 4050) to see if you are current. After doing the SuperDat then you will just do the DAT's when they come out.
Post back any further questions.
Steve

Hello Steve,

Thanks for your quick reply.

I will do as you say and check all the updates
and will write again if I have any more questions.

Thanks once again for all you help
I'm very grateful

anne