chausan
Hi,
My brother's PC (installed with XP Home) was suspected to be infected
by a virus. After updating Norton AntiVirus and re-scanning the HD, I
found the files below reported as infected by viruses.
Norton reported to me that those infected files couldn't be repaired.
I would like to isolate them, but I'm afraid that after such an action
these files will be unavailable for Windows to use, making some critical
Windows functions unavailable.
I want to overwrite those files with copies from the XP installation CD.
However, I couldn't find them with the find command or the SFC command
when I tried to pick them up from the CD put into my Windows 98 notebook.
I would like to ask where XP Home stores those files on the installation
CD. What utility could be used to extract them?
1. File DLLHOST.EXE reported infected by W32.Welchia.WORM
C:\WINDOWS\system32
17/09/2001 21:00 4,608 dllhost.exe
1 file(s) 4,608 bytes
C:\WINDOWS\system32\dllcache
17/09/2001 21:00 4,608 dllhost.exe
1 file(s) 4,608 bytes
C:\WINDOWS\system32\wins
01/09/2003 10:47 10,240 DLLHOST.EXE
1 file(s) 10,240 bytes
2. down.exe infected by W32.HLLW.Raleka
C:\WINDOWS\system32
14/09/2003 18:54 14,091 down.com
1 file(s) 14,091 bytes
3. GLOBALC.DLL infected by BackdoorRtkit
C:\WINDOWS\system32\RtKit
14/09/2003 18:54 122,880 globalc.dll
1 file(s) 122,880 bytes
4. ntcs.dll infected by BackdoorRtkit
C:\WINDOWS\system32\RtKit
14/09/2003 18:54 47,616 ntcs.dll
1 file(s) 47,616 bytes
5. packet.dll infected by BackdoorRtkit
C:\WINDOWS\system32\RtKit
14/09/2003 18:54 40,960 packet.dll
1 file(s) 40,960 bytes
6. rtkit.exe infected by BackdoorRtkit
C:\WINDOWS\system32\RtKit
14/09/2003 18:54 128,000 rtkit.exe
1 file(s) 128,000 bytes
7. SVCHOST.EXE infected by W32.HLLW.Raleka
C:\WINDOWS\system
14/09/2003 18:54 14,368 svchost.exe
1 file(s) 14,368 bytes
C:\WINDOWS\system32
17/09/2001 21:00 12,800 svchost.exe
1 file(s) 12,800 bytes
C:\WINDOWS\system32\dllcache
17/09/2001 21:00 12,800 svchost.exe
1 file(s) 12,800 bytes
C:\WINDOWS\system32\wins
01/09/2003 10:47 19,728 SVCHOST.EXE
1 file(s) 19,728 bytes
8. SVCHOST32.EXE infected by W32.HLLW.Raleka
C:\WINDOWS\system32
14/09/2003 18:54 14,368 svchost32.exe
1 file(s) 14,368 bytes
9. SVCHOST[1].EXE infected by W32.HLLW.Raleka
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O47L1YUU
14/09/2003 18:54 14,368 svchost[1].exe
1 file(s) 14,368 bytes
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\POKR9HPF
01/09/2003 11:54 14,368 svchost[1].exe
1 file(s) 14,368 bytes
10. ntrootkit.exe infected by BackdoorRtkit
C:\WINDOWS\system32
14/09/2003 18:54 128,000 ntrootkit.exe
1 file(s) 128,000 bytes
11. ntrootkit[1].exe infected by BackdoorRtkit
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0HMJS9QB
14/09/2003 18:54 128,000 ntrootkit[1].exe
1 file(s) 128,000 bytes
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KHANKH6F
01/09/2003 11:54 128,000 ntrootkit[1].exe
1 file(s) 128,000 bytes