Are these Trojans?

Postby MartynB » Sun, 02 Jan 2005 00:03:27 GMT

I'm running XP Pro SP2 and use AVG free, Spybot, Ad-Aware SE and a-squared

2 new processes have appeared yesterday and are both loaded by registry at 
startup as:-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LangSupportEx"="mspmspv.exe"
"IPConfig"="svcxnw32.exe"

and:-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LangSupportEx"="mspmspv.exe"
"IPConfig"="svcxnw32.exe"

Both files are located in C:\WINDOWS\system32\
Properties:-
mspmspv.exe 18.5 KB (18,976 bytes) 30 December 2004, 11:26:14
svcxnw32.exe 18.5 KB (18,976 bytes) 30 December 2004, 18:28:59

According to netstat, the processes are established to the following 
addresses using TCP:-

mspmspv.exe:-
17-112.202-68.se.rr.com [68.202.112.17] on port 6667

svcxnw32.exe:-
astound-64-83-195-190.mn.astound.net: [64.83.195.190] on port 6667

I have scanned using all the installed malware/virus scanners mentioned 
above but they are not detected. I've also tried a web search but so far no 
luck.

Does anyone have any info about these? They look like Trojans to me. How did 
they get in?

Martyn 



Re: Are these Trojans?

Postby Lance » Sun, 02 Jan 2005 00:54:11 GMT

This post suggests it's a new trojan:
 http://www.**--****.com/ 
(Google groups, news.admin.net-abuse.sightings)

Do you have any of the other files they mention?

mspmspv.exe is associated with those "Santa like you've never seen him 
before" newsgroup posts. However, check your spelling as MsPMSPSv.exe 
(extra "S") is a legitimate Windows Media Player file.

Port 6667 is used by IRC, a popular way for worms/viruses to receive 
updated instructions.

If it were me, I'd submit those two files to my AV vendor and disconnect 
the computer from the internet. Then start manually removing files and 
see how far I can get.

Lance
*****

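As an added example (not code from this thread), a small Python triage script that correlates Run-key autorun entries in the export format Martyn posted with per-process connection records and flags autorun images that hold an established TCP session to port 6667, the IRC pattern Lance describes. The registry text and connection lines are constructed from the values in the post (plus one benign entry and a RunOnce key); real `netstat -b` output is laid out differently, so the parser expects the simplified one-connection-per-line form shown.

```python
import re
RUN_KEYS = {  # Run keys from the thread, compared case-insensitively
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
IRC_PORTS = {6667}  # the port both bot processes in the thread connect to
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_CONN_RE = re.compile(r"^(\S+)\s+TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\w+)$")
# Constructed sample in the export format the post shows: the two posted
# values, a benign full-path entry and a RunOnce key that must be ignored.
REG_EXPORT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LangSupportEx"="mspmspv.exe"
"IPConfig"="svcxnw32.exe"
"Sidebar"="C:\\Vendor\\sidebar.exe -tray"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Vendor\\setup.exe"
"""
# Constructed one-line records (image, proto, local, remote, state) built
# from the netstat figures quoted in the post; real netstat -b differs.
NETSTAT = """mspmspv.exe  TCP 192.168.1.5:1041 68.202.112.17:6667 ESTABLISHED
svcxnw32.exe TCP 192.168.1.5:1042 64.83.195.190:6667 ESTABLISHED
sidebar.exe  TCP 192.168.1.5:1043 203.0.113.9:443 ESTABLISHED
"""

def image_name(command):  # executable file name, quoted paths handled
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split()[0] if command.split() else ""
    return re.split(r"[\\/]+", first)[-1].lower()

def parse_run_entries(reg_text):  # yields (value_name, command), Run keys only
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() in RUN_KEYS
        elif in_run_key and (m := _VALUE_RE.match(line)):
            yield m.group(1), m.group(2)

def parse_connections(text):  # yields (image, remote_ip, remote_port, state)
    for line in text.splitlines():
        if m := _CONN_RE.match(line.strip()):
            yield m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)

def find_suspicious(reg_text, netstat_text):
    """Return {image: [reasons]} for autorun entries that deserve a look."""
    conns, findings = list(parse_connections(netstat_text)), {}
    for name, command in parse_run_entries(reg_text):
        image, reasons = image_name(command), []
        if "\\" not in command and "/" not in command:
            reasons.append(f"'{name}' is a bare file name resolved via the search path")
        for img, ip, port, state in conns:
            if img == image and port in IRC_PORTS and state == "ESTABLISHED":
                reasons.append(f"established TCP session to {ip}:{port} (IRC)")
        if reasons:
            findings[image] = reasons
    return findings
```

Run against the constructed samples it reports mspmspv.exe and svcxnw32.exe (bare file name plus an IRC session each) and stays quiet about the full-path entry on port 443.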

Re: Are these Trojans?

Postby David H. Lipman » Sun, 02 Jan 2005 03:48:32 GMT

1)  Download the following two items...

    Trend Sysclean Package
    http://www.**--****.com/

    Latest Trend signature files.
    http://www.**--****.com/

    Create a directory.
    On drive "C:\" (e.g., "c:\New Folder")
    or the desktop (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download SYSCLEAN.COM and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt325.zip

    Extract the contents of the ZIP file and place the contents in the same
    directory as SYSCLEAN.COM.

2)  If you are using WinME or WinXP, disable System Restore
    http://www.**--****.com/
3)  Reboot your PC into Safe Mode and shut down as many applications as possible
4)  Using the Trend Sysclean utility, perform a Full Scan of your platform and
    clean/delete any infectors found
5)  Restart your PC and perform a "final" Full Scan of your platform
6)  If you are using WinME or WinXP, Re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7)  Reboot your PC.
8)  If you are using WinME or WinXP, create a new Restore point


* * *  Please report back your results  * * *



-- 
Dave
Re: Are these Trojans?

Postby proch_omen » Sun, 02 Jan 2005 04:30:20 GMT

Martyn,  I got the svcxnw32.exe yesterday with a timestamp pretty close
to what you have.  I've been debugging this for the past 3 hours.  It
must be new because there isn't much info on it.  I consider my
machines reasonably secure so I'm confused as to how I got this as
well...


Re: Are these Trojans?

Postby proch_omen » Sun, 02 Jan 2005 04:46:11 GMT

I also have mspmspv.exe which is the exact same size and also has a
timestamp of a few hours earlier yesterday...  both files are the same
size as yours.


Re: Are these Trojans?

Postby proch_omen » Sun, 02 Jan 2005 05:21:25 GMT

mspmspv.exe showed up yesterday morning when the machine was first
booted up.  From the history of files created, it doesn't look like
anything was done beforehand.
Something tells me that we ought to figure this out before midnight


Re: Are these Trojans?

Postby proch_omen » Sun, 02 Jan 2005 05:42:14 GMT

OfficeOSA.exe and MicrosoftOffice.ht are possibly involved as well


Re: Are these Trojans?

Postby proch_omen » Sun, 02 Jan 2005 05:51:58 GMT

Ok, I remember opening a JPG of some redneck with a shotgun from
USENET.  This must have exploited a buffer overflow in Outlook Express.


Re: Are these Trojans?

Postby David H. Lipman » Sun, 02 Jan 2005 07:48:18 GMT

McAfee defined that hosted page as having the "Exploit-HelpZonePass" which probably  then
installed the malware.

-- 
Dave


Re: Are these Trojans?

Postby Br0wnbear » Sun, 02 Jan 2005 07:56:04 GMT

Proch and Martyn

Good Call Proch.
Exactly when it came in. 
I also went to the same site to see what was happening after seeing
the warning on here.
I was also doing Microsoft updates at the time. After these were
finished I restarted the machine.

My NOD32 stopped it when I restarted my computer, xp.exe tried to
access a site off of the computer. Here is the log from the file.
Time:   29/12/2004 17:26:37 PM
Module: IMON
Object: file
Name:   h:ttp://paddy.home.comcast.net/xp.exe
Virus:  probably unknown NewHeur_PE virus
Action: quarantined - connection terminated
User:   TH03-NB003\jdbrown
Info:   (none)

I terminated the link when it came up and removed the files from the
Startup folder. Those files were OfficeOSA.exe and MicrosoftOffice.hta
Submit them here for analysis
 http://www.**--****.com/ 


Here is a link for the exploit for anyone else who is reading.
 http://www.**--****.com/ {*filter*}hound.exploit.21.html
hth
John Brown
Bears are hibern8n but we wake up to help once in awhile.

Re: Are these Trojans?

Postby MartynB » Mon, 03 Jan 2005 09:16:36 GMT

Thanks to everyone for your help!

Sorry I haven't replied sooner, but I've been off the 'net for a while as
you'll see below.

Status:-
I took David Lipman's advice and downloaded the Trend Sysclean package and
latest Trend signature files.
Turned off system restore.
When trying to reboot to safe mode, the computer wouldn't autoboot so had to
power off/on.
Booted safe mode then ran Trend Sysclean, this is what it found:-
.
Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\OfficeOSA.exe
Success Clean [DOS_AGOBOT.GEN] from C:\Documents and
Settings\Martyn\Desktop\old name hosts
Success Clean [TROJ_UPLOADER.F] from C:\Documents and Settings\Martyn\Local
Settings\Temp\GLF7FGLF7F.EXE
Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\Martyn\Local
Settings\Temporary Internet Files\Content.IE5\GXUB81AJ\xp[1].exe
Success Clean [TROJ_CHUM.B] from C:\System Volume
Information\_restore{E0142BE0-B807-42D0-B9DC-71953C4DA509}\RP1\A0000004.exe
Success Clean [TROJ_CHUM.B] from C:\WINDOWS\system32\mspmspv.exe
.
The files above were automatically deleted, but it didn't find svcxnw32.exe
which had the same file size as mspmspv.exe. I deleted that one manually.
I tried to check the registry for unwanted entries but couldn't execute
regedit (I put this down to being in safe mode, but see below)

I thought that was it - but wait! there's more!

After rebooting back to normal mode I noticed some odd behavior:-

The WinXP Firewall was disabled (couldn't be re-enabled)
Automatic Updates was disabled (couldn't be re-enabled)
System Restore had re-enabled itself (was able to disable it again)
No tasks were visible in Task Manager
Regedit couldn't be executed (system message:- "Registry editing has been
disabled by your administrator")
After opening Microsoft Management Console and clicking on Services, the
Management Console closed again.

Checked startup entries using Startup Inspector for Windows and found:-

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
"WinService32"="drvstat16.exe -services"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
"IPConfig"="svcxnw32.exe"
"WinService32"="drvstat16.exe -drivers"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
"IPConfig"="svcxnw32.exe"
"WinService32"="drvstat16.exe -services"

Startup Inspector reported that registry editing was disabled, so I couldn't
remove the entries.

I eventually managed to edit the registry from a Command Prompt with:-


and so on for the other entries.

I found drvstat16.exe in C:\WINDOWS\system32\ but could not delete it
(access denied) but managed to rename it to drvstat16.exe.vir
I found C:\WINDOWS\system32\svcxnw32.exe and renamed it to svcxnw32.exe.vir
Also noticed that the properties of C:\WINDOWS\system32\Services.msc showed
that the file had just been updated compared to other Microsoft Common
Console Documents which all had the date of 18 August 2001, 08:00:00.
I therefore renamed it as Services.msc.vir to be safe.

After the next re-boot I ran Trend Sysclean again but it didn't find
anything.
Found that the service "Security Center" was disabled. Set it back to
Automatic and started it.
I was then able to switch on the WinXP Firewall.
So, things were more or less back to normal except for:-
Executing Regedit still gives the error message as above
Clicking on Services in Adm

Re: Are these Trojans?

Postby David H. Lipman » Mon, 03 Jan 2005 09:38:07 GMT

Martyn:

Sounds like you are STILL infected.

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point

You should also try some of the online scanners below.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Panda:
http://www.pandasoftware.com/activescan/

Symantec:
http://security.symantec.com/


* * * Please report back your results * * *


--
Dave


Re: Are these Trojans?

Postby MartynB » Mon, 03 Jan 2005 10:08:43 GMT

Dave:
You were right.
I downloaded Stinger, but when I run it tells me it's out of date...
However a quick scan of C:\WINDOWS\system32 found the following:-

C:\WINDOWS\system32\sqcsys.dll
Found the W32/Bugbear.b!data virus !!!
C:\WINDOWS\system32\sqcsys.dll has been deleted.
C:\WINDOWS\system32\zqnzhzi.dll
Found the W32/Bugbear.b!data virus !!!
C:\WINDOWS\system32\zqnzhzi.dll has been deleted.
Number of clean files: 6050
Number of infected files: 2
Number of files deleted: 2

I will try some of the online scanners you suggest and do a full scan again
with Stinger overnight.

Martyn


Re: Are these Trojans?

Postby MartynB » Mon, 03 Jan 2005 10:35:11 GMT

Dave:

A question regarding Bitdefender. When I clicked on "agree" in 
 http://www.**--****.com/ ,
the file immediately began downloading directly into 
C:\WINDOWS\bdonlinescan\avxLive.exe, which is fine since I agreed to that. 
My problem is that if it's so easy for Bitdefender (who is a trustworthy 
company) to download a file to my PC, ANY unscrupulous site could do the 
same by just visiting their page. What about Microsoft security - shouldn't 
there be at least some sort of warning from the system that such a file 
transfer could be dangerous?

Martyn


Re: Are these Trojans?

Postby David H. Lipman » Mon, 03 Jan 2005 10:40:07 GMT

Martyn:

Only WinXP SP2 will supply such a warning.  I hope you received my email reply.  It has
valuable information in it  ;-)

-- 
Dave
