advice needed about viruses, trojans etc

Millreef3

4:42 pm on Dec 6, 2001 (gmt 0)

Two e-mails arrived unsolicited from a website called 'funchina' or something similar. There were no file attachments. These e-mails behaved oddly immediately once opened (using Outlook Express 5/Internet Explorer5/Windows 98). I deleted both e-mails within about a minute of receipt but they forced windows to open on top of the e-mails that needed to be closed.

Since then, Internet Explorer has always opened following boot-up before my firewall loads and tries to communicate with a site called [fram363.my163.com...]

Previous to that Explorer only opened when I asked it to do so and never before the firewall. Changing the Explorer homepage and upgrading to Outlook 6 and Explorer 6 have been to no avail in making a difference. Always after boot-up Explorer tries to connect to this site and fills the screen so I cannot see the Desktop without minimising Explorer. Logging off doesn't always cut Explorer's connection with the internet either.

Please could someone tell me in detail how to proceed to remedy the situation.

Is this a virus or a trojan? It's certainly altered the Windows start-up sequence in some way.

(edited by: tedster at 11:36 am (utc) on Feb. 26, 2002)

Millreef3

10:49 am on Jan 12, 2002 (gmt 0)

Herman, Frank and others who may choose to e-mail me:

I never did find a full solution to the problem beyond the action I took outlined on this board.

So if you have the problem, too, please continue posting here for assistance. The board has been extraordinarily useful. Maybe others, like Horned Owl has, will then come up with some useful observations. Until the anti-virus companies sit up and take notice of this one no one person may have a full answer.

Millreef3

12:13 pm on Jan 16, 2002 (gmt 0)

Millreef3,

I figured out a solution for the virus problem and would like to share it with you so that you may post it on the board for everyone else.

I took a similar approach to Horned_owl by looking at the system.dat file. The system.dat file is the actual file that the "computer registry" is written to, so deleting it will only cause problems. This is what I did, although the situation may be different for each person:

Using "msconfig", I looked at the startup tab to see whether there were any strange entries. I found a check mark for a program called "qwe." I unchecked this box then rebooted my computer and found that the virus disappeared.

From there I exported the system.dat file to a txt file by using the following command from "run": "regedit /e registry.txt". This command put the entire registry onto my desktop in text format in the registry.txt file.

I then opened the registry.txt file using MS Word. I then did a search using the hot keys "Ctrl F", which is the search function, and looked for any strange lines that read "run" or "load". I had the search function look for "whole words" only. I found two that were located in the following places:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN
HKEY_USERS\_DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUN

Mind you, the virus characteristics that Horned_owl found were slightly different than the one my friend had, but I suspect that the location of the script lines will be similar to the places that I found for my friend.

I wrote down the location of the script lines. Now that the location was isolated, I went back to the "regedit" function and deleted the annoying script lines from the noted locations.

Problem was solved without destroying the system registry. No other virus files seem to exist anywhere else.

Regards,

Herman Eng

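As an added illustration of the export-and-search step Herman describes (this is not code from the thread): the Python below parses a "regedit /e" export, lists every value under the Run-family keys, and flags any entry name that is not on an allowlist of names you recognise. The export text is a constructed sample; the "qwe" entry mirrors the one named above.

```python
import re
from collections import defaultdict

# Constructed sample of a "regedit /e" export in the REGEDIT4 format Windows 98 writes.
# Paths and value data are made up for this example; "qwe" mirrors the startup entry
# named in the thread and is the one the allowlist check should flag.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"qwe"="C:\\WINDOWS\\SYSTEM\\qwe.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"qwe"="C:\\WINDOWS\\SYSTEM\\qwe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

# Autostart locations: the Run-family keys, matched case-insensitively on the key path.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
# A '"name"=data' line; the name may contain escaped quotes or backslashes.
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4/REGEDIT5 export.
    Default values (@=...) and hex continuation lines are skipped for brevity."""
    entries = defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section: [HKEY_...\Path]
        elif key is not None and (m := VALUE_LINE.match(line)):
            entries[key][m.group("name")] = m.group("data")
    return dict(entries)

def autostart_entries(text):
    """Every (key, value name, raw data) triple that lives under a Run-style key."""
    return [(key, name, data)
            for key, values in parse_reg_export(text).items() if AUTOSTART_KEY.search(key)
            for name, data in values.items()]

def suspicious_autostarts(text, allowlist):
    """Autostart values whose names are not on the caller's allowlist of known-good entries."""
    known = {name.lower() for name in allowlist}
    return [entry for entry in autostart_entries(text) if entry[1].lower() not in known]
```

Run it against your own export and review every flagged entry before removing it in regedit; a name you do not recognise is a lead to investigate, not proof of malware.
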
TAZMAN

7:13 pm on Feb 25, 2002 (gmt 0)

Do these fixes work for Windows XP Prof. version? I have a similar situation. My Outlook Express seems to be getting e-mails (possibly internally generated) and when I just highlight them IE6 proceeds to try to open a flood of sites, all XXX. I do not ever browse those sites and am very distraught that my daughter may one day be surfing or getting e-mail and this could happen!! My Norton Antivirus 2001 is completely up to date and a full system scan finds nothing even with all files shown, but every boot up it finds "JS.EXCEPTION.EXPLOIT". I have even quarantined the files and deleted them but this continues to happen every time I open Outlook Express 6.0. The whole process starts over. I use my firewall to block this action from happening but I know the worm is still trying to execute somewhere. The site is something like "www.hitboxsomething dot com". I don't have any problems disconnecting my connection. So my situation is slightly different than the others here. Any suggestions would be greatly appreciated!!! Awesome forum you guys have here! This is the only place I found that applies to my situation.
PS. All the e-mails have a return address of MSN? I have tried to e-mail back to them and the mail is returned from the server??????
Thanks again in advance! :) for any replies.

(edited by: tedster at 8:04 pm (utc) on Feb. 25, 2002)
