TFTP

Guest

First I will tell you I run XP Home Edition on my pc.

I use the built in firewall in XP Home and I have the Microsoft Antispyware
and all available updates (critical). I have SP1 and I really do not want
SP2. I use the Prevx Home Anti-Virus software and I do regular scans on my
pc. I am an internet surfer and so I had to learn to "clean up". I use CW
Shredder, Hijack This and I have my computer configured so that nothing
starts up in msconfig. I use Stinger and Panda on line scan and Adaware and
Spybot S&D.

Even with all of that I recently was attacked by a couple of viruses,
W32/Sdbot.ftp.worm and W32/Sdbot.DOF.worm. The first one was in the file
C:\Windows\System32\phhh.dll and Stinger found it. The 2nd one was in
System32\TFTP1756 and Panda found it. My question is: there is still a file
there called TFTP1544. I have learned that TFTP stands for Trivial File
Transfer Protocol and is used with the TCP/IP Protocol. There are still a
couple of files in my System32 folder that I am curious about. One is
TFTP1544 and the other is TFTP.exe; are they supposed to be there?
 
David H. Lipman

From: "Teri" <[email protected]>

| First I will tell you I run XP Home Edition on my pc.
|
| I use the built in firewall in XP Home and I have the Microsoft Antispyware
| and all available updates (critical). I have SP1 and I really do not want
| SP2. I use the Prevx Home Anti-Virus software and I do regular scans on my
| pc. I am an internet surfer and so I had to learn to "clean up". I use CW
| Shredder, Hijack This and I have my computer configured so that nothing
| starts up in msconfig. I use Stinger and Panda on line scan and Adaware and
| Spybot S&D.
|
| Even with all of that I recently was attacked by a couple of viruses,
| W32/Sdbot.ftp.worm and W32/Sdbot.DOF.worm. The first one was in the file
| C:\Windows\System32\phhh.dll and Stinger found it. The 2nd one was in
| System32\TFTP1756 and Panda found it. My question is: there is still a file
| there called TFTP1544. I have learned that TFTP stands for Trivial File
| Transfer Protocol and is used with the TCP/IP Protocol. There are still a
| couple of files in my System32 folder that I am curious about. One is
| TFTP1544 and the other is TFTP.exe; are they supposed to be there?


There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

PREVX is not anti virus software. It is a supplemental program but insufficient to protect
your PC like an anti virus application. You need a full time anti virus application capable
of "On Access" and "On Demand" scanning capabilities. MS Anti Spyware, Ad-aware SE and
SpyBot S&D are for non-viral malware and won't help (with a few exceptions) with viral
malware.

Stinger is an "On Demand" AV scanner that only targets ~54 infectors, mostly Internet
worms. SDBot happens to be one of them. However, there are NEW SDBot variants that
may not be caught by Stinger, since it hasn't been updated in a month, and when it was last
updated it wasn't updated for the new SDBot variants that are now being seen.

TFTP.EXE is a file native to the OS.
C:\Windows\System32\TFTPxxxx (where xxxx can be some number) is not a part of the OS and is
indicative of an infection and should be removed.


Here are some suggested FREE AV solutions...

AVAST -
http://www.avast.com/i_idt_1016.html - FREE

AntiVir -
http://www.free-av.com/ - FREE

AVG -
http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5 - FREE

The *best* AV solutions however will cost money and they are Kaspersky and NOD32 in that
order.

The following can be used to replace Stinger. As mentioned before, Stinger has a limited
target list and is rarely updated. The below uses the command line scanners from Sophos,
McAfee, Kaspersky and Trend Micro, and each is regularly updated. The McAfee command line
scanner alone will recognize approx. 155,000 infectors, both viral and non-viral. It is
suggested that you run the below utility.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
(http://kixtart.org; Kixtart is CareWare), 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Guest

Hi David, thank you so much for the post. I found it to be very helpful. I
took your advice and there were 4 more viruses. Before I started all of
these scanners I disabled System Restore and my firewall. When I went to
turn the firewall back on I got the message "Windows cannot display the
properties of this connection. The Windows Management Instrumentation (WMI)
information might be corrupt. To correct this, use System Restore to restore
Windows to an earlier time." Only one problem with that, there are no
earlier restore times.
McAfee
Summary report on C:\*.*
File(s)
Total files: ........... 49877
Clean: ................. 49813
Possibly Infected: ..... 2
Cleaned: ............... 0
Deleted: ............... 3
Non-critical Error(s): 2

Sophos
1 master boot record swept.
24393 files swept in 2 hours, 9 minutes and 41 seconds.
54 errors were encountered.
2 viruses were discovered.
2 files out of 24393 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email (e-mail address removed)
or telephone +44 1235 559933

Trend
119 files have been read.
119 files have been checked.
116 files have been scanned.
116 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.

Stop At : 11/5/2005 07:19:36 3 seconds (3.50 seconds) has elapsed.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\AC705RDP_EFGJ.EXE-2B9169C7.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\ACROAUM.EXE-20EEC18B.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\ACRORD32.EXE-13285B88.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-013EA364.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\ADOBEUPDATEMANAGER.EXE-32021652.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf": Access is denied.
2005-11-05, 07:19:29, Could not set file for reading on
"C:\WINDOWS\Prefetch\AUTORUN.EXE-055703AF.pf": Access is den


I only copied a few of these over but every file in the prefetch folder was
listed same as these.

 
David H. Lipman

From: "Teri" <[email protected]>

| Hi David, thank you so much for the post. I found it to be very helpful. I
| took your advice and there were 4 more viruses. Before I started all of
| these scanners I disabled System Restore and my firewall. When I went to
| turn the firewall back on I got the message "Windows cannot display the
| properties of this connection. The Windows Management Instrumentation (WMI)
| information might be corrupt. To correct this, use System Restore to restore
| Windows to an earlier time." Only one problem with that, there are no
| earlier restore times.

< logs snipped >

| I only copied a few of these over but every file in the prefetch folder was
| listed same as these.

The error messages on the Prefetch Folder files are normal. They can be ignored.

However, you left out the most important part of the McAfee log: what was found to be
infected and what the infector was. For example...

C:\WINDOWS\Application Data\Share-to-Web Upload Folder\3D Studio Max 3dsmax.exe ... Found
the W32/Netsky.c@MM virus !!!
The file has been deleted.
C:\WINDOWS\Application Data\Share-to-Web Upload Folder\Keygen 4 all appz.exe ... Found the
W32/Netsky.c@MM virus !!!
The file has been deleted.

I don't know what was found wrong with WMI. You may try the following to see if it corrects
it...

Create a FIXWMI.CMD batch file from the below script and run it and see if this corrects
your problem.

FIXWMI.CMD
------------------------

@echo on
REM Rebuild the WMI repository on Windows XP: stop the service, set the old
REM repository aside as Rep_bak, re-register the WBEM DLLs and EXEs and
REM recompile the MOF/MFL schema files, then restart the service.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
net stop winmgmt
winmgmt /kill
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
REM Register every WBEM executable except the tools that do not accept /RegServer
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
REM Return to the caller of :FixSrv
goto :EOF

:TryInstall
REM No wbem folder at all: fall back to the WMI core installer if it is present
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End
 
Guest

Don't ask me what I was thinking, I think I was caught up in the System
Restore issue.

McAfee
Scanning C: []
C:\q735015.exe\q735015.exe ... Found the StartPage-DU trojan !!!
The file or process has been deleted.
Scanning C:\*.*
C:\Documents and Settings\Terri\Local
Settings\Temp\bar.0\MWSSETUP.EXE\000dc980.EXE ... Found potentially unwanted
program Adware-MWS.
The file or process has been deleted.
The archive has been deleted.
C:\Recycled\Q330995.exe\Q330995.exe ... Found the StartPage-DU trojan !!!
The file or process has been deleted.


Sophos Anti-Virus
Version 3.99.0 [Win32/Intel]
Virus data version 3.99, November 2005
Includes detection for 112777 viruses, trojans and worms
Copyright (c) 1989-2005 Sophos Plc, www.sophos.com

System time 23:04:39, System date 04 November 2005
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive
-opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos

Using IDE file agent-en.ide
Using IDE file agent-eu.ide
Using IDE file agob-ads.ide
Using IDE file agobo-ts.ide
Using IDE file agobo-tw.ide
Using IDE file agobottu.ide
Using IDE file bacbanan.ide
Using IDE file bagdl-aa.ide
Using IDE file bagdl-ab.ide
Using IDE file bagle-ap.ide
Using IDE file bagle-bs.ide
Using IDE file bagled-y.ide
Using IDE file bagled-z.ide
Using IDE file bagledlw.ide
Using IDE file bancb-ha.ide
Using IDE file bancb-he.ide
Using IDE file bankas-l.ide
Using IDE file banke-gd.ide
Using IDE file bronto-a.ide
Using IDE file bronto-d.ide
Using IDE file bronto-e.ide
Using IDE file chode-j.ide
Using IDE file dadobr-h.ide
Using IDE file dagoni-a.ide
Using IDE file dload-wf.ide
Using IDE file dload-wo.ide
Using IDE file dload-xf.ide
Using IDE file dload-xq.ide
Using IDE file domwis-o.ide
Using IDE file esbot-b.ide
Using IDE file fanb-gen.ide
Using IDE file fanbot-c.ide
Using IDE file fanbot-h.ide
Using IDE file fanbot-k.ide
Using IDE file feute-ad.ide
Using IDE file forbotgn.ide
Using IDE file goldu-ak.ide
Using IDE file hanlo-b.ide
Using IDE file haxdo-an.ide
Using IDE file inor-v.ide
Using IDE file keylogap.ide
Using IDE file leebad-a.ide
Using IDE file lerma-a.ide
Using IDE file loosky-a.ide
Using IDE file midrug-b.ide
Using IDE file mitgl-ce.ide
Using IDE file mytob-bz.ide
Using IDE file mytob-ej.ide
Using IDE file mytob-ex.ide
Using IDE file mytob-ey.ide
Using IDE file mytob-fa.ide
Using IDE file mytob-fc.ide
Using IDE file mytob-ff.ide
Using IDE file mytob-fh.ide
Using IDE file mytob-fi.ide
Using IDE file mytob-gh.ide
Using IDE file oscabotn.ide
Using IDE file pardro-a.ide
Using IDE file paymit-b.ide
Using IDE file paymit-c.ide
Using IDE file perda-g.ide
Using IDE file poebot-p.ide
Using IDE file randex-y.ide
Using IDE file rbot-ank.ide
Using IDE file rbot-apj.ide
Using IDE file rbot-apu.ide
Using IDE file rbot-arq.ide
Using IDE file rbot-arx.ide
Using IDE file rbot-asf.ide
Using IDE file rbot-ash.ide
Using IDE file rbot-asi.ide
Using IDE file rbot-ass.ide
Using IDE file rbot-ast.ide
Using IDE file rbot-atc.ide
Using IDE file rbot-ate.ide
Using IDE file rbot-atl.ide
Using IDE file rbot-atq.ide
Using IDE file rbot-att.ide
Using IDE file rbot-auf.ide
Using IDE file rbot-aul.ide
Using IDE file rbot-auq.ide
Using IDE file rbot-awb.ide
Using IDE file ritdoo-b.ide
Using IDE file sdbot-zm.ide
Using IDE file squado-a.ide
Using IDE file taladraf.ide
Using IDE file tileb-ap.ide
Using IDE file tilebotp.ide
Using IDE file tompai-b.ide
Using IDE file wowpws-a.ide

Full Scanning

Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_ad.exe\SfxArchiveData\disk3/data4.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_ad.exe\SfxArchiveData\disk2/data3.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_d2.exe\SfxArchiveData\disk2/data3.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_d3.exe\SfxArchiveData\disk3/data4.cab (part of multi
volume archive)
Could not open c:\Documents and Settings\Terri\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Terri\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
Password protected file c:\Documents and Settings\Terri\My Documents\Game
Setup\winzip90.exe\SfxArchiveData\SETUP.WZ\WINZIP32.EX_
Could not open c:\hiberfil.sys
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\ENU\RdrMsgENU.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\ENU\read0600win_ENUyhoo0010.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\RdrMsgSplash.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\WebSearch\WebSearchENU.pdf
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bck1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt11.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt12.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt13.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt21.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt22.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt23.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt31.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt32.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt33.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt41.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt42.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt43.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt51.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt52.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt53.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt61.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt62.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\main.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\preview.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp
Removal successful
Could not open c:\WINDOWS\system32\config\system.LOG
Removal failed
Could not open d:\

1 master boot record swept.
24393 files swept in 2 hours, 9 minutes and 41 seconds.
54 errors were encountered.
2 viruses were discovered.
2 files out of 24393 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email (e-mail address removed)
or telephone +44 1235 559933
43 encrypted files were not checked.
Ending Sophos Anti-Virus.

The other 2 scanners didn't find anything.
 
David H. Lipman

From: "Teri" <[email protected]>

| Don't ask me what I was thinking, I think I was caught up in the System
| Restore issue.
|
| McAfee
| Scanning C: []
| C:\q735015.exe\q735015.exe ... Found the StartPage-DU trojan !!!
| The file or process has been deleted.
| Scanning C:\*.*
| C:\Documents and Settings\Terri\Local
| Settings\Temp\bar.0\MWSSETUP.EXE\000dc980.EXE ... Found potentially unwanted
| program Adware-MWS.
| The file or process has been deleted.
| The archive has been deleted.
| C:\Recycled\Q330995.exe\Q330995.exe ... Found the StartPage-DU trojan !!!
| The file or process has been deleted.
|
| Removal successful
| Could not open c:\WINDOWS\system32\config\system.LOG
< snip >

Well, I see Adware, a StartPage Trojan and two true viruses. None of which, from what I
see, should affect Windows Management Instrumentation (WMI).

W32/Codbot-AC
http://www.sophos.com/virusinfo/analyses/w32codbotac.html

W95/Whog-878b
http://www.sophos.com/virusinfo/analyses/w95whog878b.html

StartPage-DU trojan
http://vil.nai.com/vil/content/v_126244.htm

Since adware was found, I suggest the following...

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm

Did you create and try the FixWMI Batch File ?
 
Guest

I have Adaware and Spybot installed already. My system right now I believe
is clean. It's got something to do with the file attributes. Read only or
Hidden are the only 2 options and neither one is checked on any of these. Is
that correct?
 
David H. Lipman

From: "Teri" <[email protected]>

| I have Adaware and Spybot installed already. My system right now I believe
| is clean. Its got something to do with the file attributes. Read only or
| Hidden are the only 2 options and neither one is checked on any of these. Is
| that correct?

I'm sorry... You lost me.

The file attributes on what ?
 
Guest

When I first detected a virus I had a lot of files that were marked as private
or hidden I guess. That's how they showed up in the attributes and every time
I ran any kind of scan it couldn't read them; it just said access denied. I
tried to go back and make them all not private. I probably messed something
up. I was wrong about my system being clean; check out my running processes
right now. Trend reported that they had detected and fixed a W32/Codbot-AC!
located in the WUAPI.exe file. Does that mean that they deleted the
WUAPI.exe file? It is still here running along with MediaGateway, which I have
never seen. I also found 2 registry files in my documents that were named
wuapiii.
I appreciate your time Mr. Lipman, I am trying to avoid erasing my
hard drive. If I kill the process it doesn't go away. I ran all the scans
again and none of them detected it or the MediaGateway.
RUNNING PROCESSES
csrss.exe 404 C:\WINDOWS\system32\csrss.exe Client Server Runtime Process
5.1.2600.0. © Microsoft Corporation. All rights reserved.
Explorer.EXE 1228 C:\WINDOWS\Explorer.EXE Windows Explorer 6.00.2800.1106.
© Microsoft Corporation. All rights reserved.
iexplore.exe 1556 C:\Program Files\Internet Explorer\iexplore.exe Internet
Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
lsass.exe 484 C:\WINDOWS\system32\lsass.exe LSA Shell (Export Version)
5.1.2600.1106. © Microsoft Corporation. All rights reserved.
MediaGateway.exe 1392 C:\Program Files\Media Gateway\MediaGateway.exe Media
Gateway 2, 0, 0, 0. Copyright 2005
PrcView.exe 1528 C:\Documents and Settings\Terri\My
Documents\Unzipped\PrcView\PrcView.exe Process Viewer Application 3.7.3.1.
Developed by Igor Nys, 1995-2003
services.exe 472 C:\WINDOWS\system32\services.exe Services and Controller
app 5.1.2600.0. © Microsoft Corporation. All rights reserved.
smss.exe 340 C:\WINDOWS\System32\smss.exe Windows NT Session Manager
5.1.2600.1106. © Microsoft Corporation. All rights reserved.
svchost.exe 660 C:\WINDOWS\system32\svchost.exe Generic Host Process for
Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
svchost.exe 732 C:\WINDOWS\System32\svchost.exe Generic Host Process for
Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
svchost.exe 800 C:\WINDOWS\System32\svchost.exe Generic Host Process for
Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
winlogon.exe 428 C:\WINDOWS\system32\winlogon.exe Windows NT Logon
Application 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
wmiapsrv.exe 1916 C:\WINDOWS\System32\wbem\wmiapsrv.exe WMI Performance
Adapter Service 5.1.2600.0. © Microsoft Corporation. All rights reserved.
wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe
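Two triage checks come up in this thread: David's point that a file named TFTP followed by a number in System32 is not part of the OS (native tftp.exe is), and Teri's process list, where wuapi.exe shows no version or company string while the real Windows binaries carry "Microsoft Corporation". The script below is an added example, not code from either poster or from any vendor: it parses PrcView-style lines of the same shape as the list above and applies those two observations as heuristics. The sample listing and process lines are constructed for the example, and the heuristics are assumptions of this example, not a vendor rule set.

```python
import re

# Constructed sample listing of %windir%\System32 (illustrative, not from a real host).
SAMPLE_SYSTEM32 = ["tftp.exe", "TFTP1544", "TFTP1756", "kernel32.dll", "wuapi.dll"]

# Native tftp.exe carries an extension; the drop files are "TFTP" plus digits and nothing else.
TFTP_DROP = re.compile(r"^tftp\d+$", re.IGNORECASE)


def flag_tftp_droppers(names):
    """Return the names that match the TFTPnnnn drop-file pattern described in the thread."""
    return [n for n in names if TFTP_DROP.match(n)]


# PrcView-style records, one per line: "<image> <pid> <full path> <description>".
# Constructed to mirror the format posted above; PIDs and descriptions are illustrative.
SAMPLE_PROCESSES = """\
csrss.exe 404 C:\\WINDOWS\\system32\\csrss.exe Client Server Runtime Process 5.1.2600.0. (c) Microsoft Corporation. All rights reserved.
MediaGateway.exe 1392 C:\\Program Files\\Media Gateway\\MediaGateway.exe Media Gateway 2, 0, 0, 0. Copyright 2005
wuapi.exe 1536 C:\\WINDOWS\\System32\\wuapi.exe wuapi.exe
YPager.exe 1764 C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe YPager.exe
"""

# image name, pid, path (may contain spaces, ends in .exe), optional description
PROC_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?\.exe)(?:\s+(.*))?$", re.IGNORECASE)

# Assumption: anything under C:\WINDOWS is treated as a system-directory image.
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_processes(text):
    """Parse PrcView-style lines into dicts; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = PROC_LINE.match(line.strip())
        if not m:
            continue
        name, pid, path, desc = m.groups()
        rows.append({"name": name, "pid": int(pid), "path": path, "desc": (desc or "").strip()})
    return rows


def triage_processes(rows):
    """Return {image name: [reasons]} for rows that deserve a closer look.

    Heuristics (assumptions of this example):
      * an image under a system directory whose description lacks "Microsoft Corporation"
      * a description that merely repeats the image name (no version resource present)
    """
    findings = {}
    for r in rows:
        reasons = []
        low_path = r["path"].lower()
        in_sysdir = any(low_path.startswith(d) for d in SYSTEM_DIRS)
        if in_sysdir and "microsoft corporation" not in r["desc"].lower():
            reasons.append("binary under system directory without Microsoft version info")
        if r["desc"].lower() == r["name"].lower():
            reasons.append("description is just the file name (no version resource)")
        if reasons:
            findings[r["name"]] = reasons
    return findings


if __name__ == "__main__":
    print("TFTP drop files:", flag_tftp_droppers(SAMPLE_SYSTEM32))
    for name, why in triage_processes(parse_processes(SAMPLE_PROCESSES)).items():
        print(name, "->", "; ".join(why))
```

On the constructed input, wuapi.exe trips both heuristics, while YPager.exe (a legitimate Yahoo Messenger binary that simply ships without a description) trips only the second one: these checks rank what to look at first, they do not by themselves prove infection, and a hit still needs to be confirmed with a scanner or a hash lookup.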
 
David H. Lipman

From: "Teri" <[email protected]>

| When I first detected a virus I had a lot of files that were marked as private
| or hidden I guess. That's how they showed up in the attributes and every time
| I ran any kind of scan it couldn't read them; it just said access denied. I
| tried to go back and make them all not private. I probably messed something
| up. I was wrong about my system being clean; check out my running processes
| right now. Trend reported that they had detected and fixed a W32/Codbot-AC!
| located in the WUAPI.exe file. Does that mean that they deleted the
| WUAPI.exe file? It is still here running along with MediaGateway, which I have
| never seen. I also found 2 registry files in my documents that were named
| wuapiii.
| I appreciate your time Mr. Lipman, I am trying to avoid erasing my
| hard drive. If I kill the process it doesn't go away. I ran all the scans
| again and none of them detected it or the MediaGateway.
| RUNNING PROCESSES
| csrss.exe 404 C:\WINDOWS\system32\csrss.exe Client Server Runtime Process
| 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| Explorer.EXE 1228 C:\WINDOWS\Explorer.EXE Windows Explorer 6.00.2800.1106.
| © Microsoft Corporation. All rights reserved.
| iexplore.exe 1556 C:\Program Files\Internet Explorer\iexplore.exe Internet
| Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
| lsass.exe 484 C:\WINDOWS\system32\lsass.exe LSA Shell (Export Version)
| 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| MediaGateway.exe 1392 C:\Program Files\Media Gateway\MediaGateway.exe Media
| Gateway 2, 0, 0, 0. Copyright 2005
| PrcView.exe 1528 C:\Documents and Settings\Terri\My
| Documents\Unzipped\PrcView\PrcView.exe Process Viewer Application 3.7.3.1.
| Developed by Igor Nys, 1995-2003
| services.exe 472 C:\WINDOWS\system32\services.exe Services and Controller
| app 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| smss.exe 340 C:\WINDOWS\System32\smss.exe Windows NT Session Manager
| 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| svchost.exe 660 C:\WINDOWS\system32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| svchost.exe 732 C:\WINDOWS\System32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| svchost.exe 800 C:\WINDOWS\System32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| winlogon.exe 428 C:\WINDOWS\system32\winlogon.exe Windows NT Logon
| Application 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| wmiapsrv.exe 1916 C:\WINDOWS\System32\wbem\wmiapsrv.exe WMI Performance
| Adapter Service 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
| YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe


First off, it's Dave. Please don't be so formal ;-)

Some files are open by the OS and thus their respective File Handles are held open and
those files can not be scanned. In addition, they also can't be infected either. So it isn't
a file attribute problem and those error messages are normal and are not to be worried
about.

It looks like you have cleaned your PC of infectors. All those running processes look to be
both legitimate and correct.
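A quick way to second-guess a process list like the one pasted above is to parse the PrcView output and flag entries that carry no version resource (PrcView then repeats the file name as the description) yet live under the Windows directory. This is an added example, not code from the thread or from PrcView; the sample lines are constructed in the same layout as the list above, and the later Sophos result in this thread shows why wuapi.exe deserved a closer look.

```python
import re

# Constructed sample in the PrcView "name pid path description" layout seen in the thread.
SAMPLE = r"""
lsass.exe 484 C:\WINDOWS\system32\lsass.exe LSA Shell (Export Version) 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe
svchost.exe 660 C:\WINDOWS\system32\svchost.exe Generic Host Process for Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
"""

# Path ends at the first ".exe" followed by whitespace; everything after it is the description.
ENTRY = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<path>[A-Za-z]:\\.*?\.exe)\s+(?P<desc>.*)$",
    re.IGNORECASE,
)

def parse(text):
    """Return one dict per process line; wrapped or unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Return (name, reason) pairs for entries worth a manual look.

    Heuristics only: a hit is a prompt to verify the file, not proof of infection.
    """
    findings = []
    for e in entries:
        desc = e["desc"]
        path = e["path"].lower()
        # PrcView shows just the file name when the binary has no version resource.
        no_version = desc.lower() == e["name"].lower()
        in_windows_dir = path.startswith("c:\\windows\\")
        if no_version and in_windows_dir:
            findings.append((e["name"], "no version info in the Windows directory"))
        elif no_version:
            findings.append((e["name"], "no version info"))
        elif in_windows_dir and "microsoft" not in desc.lower():
            findings.append((e["name"], "Windows directory but non-Microsoft version info"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(parse(SAMPLE)):
        print(f"{name}: {reason}")
```

Running it on the sample flags wuapi.exe (no version info, in System32) and YPager.exe (no version info), while the Microsoft-described lsass.exe and svchost.exe pass; the real Windows Update client API ships as wuapi.dll, so an unsigned wuapi.exe in System32 is exactly the kind of hit to verify with a file scan.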
 
G

Guest

Ok Dave, this is my last question then I either shoot it or erase it and
start over. Why when I try to go into Event Viewer under application, system
or security it just says Unable to complete the operation "application"
interface not known?
 
D

David H. Lipman

From: "Teri" <[email protected]>

| Ok Dave, this is my last question then I either shoot it or erase it and
| start over. Why when I try to go into Event Viewer under application, system
| or security it just says Unable to complete the operation "application"
| interface not known?


Sorry,....

No idea except make sure the "Event Log" NT Service is running.

In a command prompt type the two following command lines...

sc start EventLog
sc config EventLog start= auto
 
G

Guest

After running Sophos again it came back with the Backdoor.Win32.SdBot.afu in
the Windows\System32\Defrag~1.exe AND Backdoor.Win32.Codbot.az in the
C:\Windows\System32\Wuapi.exe. Thank you for hanging with me on this but I
think I have it from here.
 
D

David H. Lipman

From: "Teri" <[email protected]>

| After running Sophos again it came back with the Backdoor.Win32.SdBot.afu in
| the Windows\System32\Defrag~1.exe AND Backdoor.Win32.Codbot.az in the
| C:\Windows\System32\Wuapi.exe. Thank you for hanging with me on this but I
| think I have it from here.
|

Good luck and thanx for updating the thread.
 
G

Guest

Hey Dave I just thought I would let you know the outcome as perplexing as it
is. I spent a couple of nights on the phone with Microsoft and I guess one
of these turned out to be a new virus. We thought we had it but on reboot
instead of 2 I had 4 viruses. I had lost System Restore, my network
connection and a lot of other things. I repartitioned and reinstalled today
and so I guess we will never know...
 
D

David H. Lipman

From: "Teri" <[email protected]>

| Hey Dave I just thought I would let you know the outcome as perplexing as it
| is. I spent a couple of nights on the phone with Microsoft and I guess one
| of these turned out to be a new virus. We thought we had it but on reboot
| instead of 2 I had 4 viruses. I had lost System Restore, my network
| connection and a lot of other things. I repartitioned and reinstalled today
| and so I guess we will never know...
|
|

Thanx for the update and good luck !

If you don't practice Safe Hex, don't keep up with Critical Updates and don't implement
proper security on the platform, you'll just be infected again.
 
