Re: TFTP

From: Teri (Teri_at_discussions.microsoft.com)
Date: 11/05/05


Date: Sat, 5 Nov 2005 08:14:05 -0800

Don't ask me what I was thinking; I think I was caught up in the System
Restore issue.

McAfee
Scanning C: []
C:\q735015.exe\q735015.exe ... Found the StartPage-DU trojan !!!
        The file or process has been deleted.
Scanning C:\*.*
C:\Documents and Settings\Terri\Local
Settings\Temp\bar.0\MWSSETUP.EXE\000dc980.EXE ... Found potentially unwanted
program Adware-MWS.
        The file or process has been deleted.
        The archive has been deleted.
C:\Recycled\Q330995.exe\Q330995.exe ... Found the StartPage-DU trojan !!!
        The file or process has been deleted.

Sophos Anti-Virus
Version 3.99.0 [Win32/Intel]
Virus data version 3.99, November 2005
Includes detection for 112777 viruses, trojans and worms
Copyright (c) 1989-2005 Sophos Plc, www.sophos.com

System time 23:04:39, System date 04 November 2005
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive
-opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos

Using IDE file agent-en.ide
Using IDE file agent-eu.ide
Using IDE file agob-ads.ide
Using IDE file agobo-ts.ide
Using IDE file agobo-tw.ide
Using IDE file agobottu.ide
Using IDE file bacbanan.ide
Using IDE file bagdl-aa.ide
Using IDE file bagdl-ab.ide
Using IDE file bagle-ap.ide
Using IDE file bagle-bs.ide
Using IDE file bagled-y.ide
Using IDE file bagled-z.ide
Using IDE file bagledlw.ide
Using IDE file bancb-ha.ide
Using IDE file bancb-he.ide
Using IDE file bankas-l.ide
Using IDE file banke-gd.ide
Using IDE file bronto-a.ide
Using IDE file bronto-d.ide
Using IDE file bronto-e.ide
Using IDE file chode-j.ide
Using IDE file dadobr-h.ide
Using IDE file dagoni-a.ide
Using IDE file dload-wf.ide
Using IDE file dload-wo.ide
Using IDE file dload-xf.ide
Using IDE file dload-xq.ide
Using IDE file domwis-o.ide
Using IDE file esbot-b.ide
Using IDE file fanb-gen.ide
Using IDE file fanbot-c.ide
Using IDE file fanbot-h.ide
Using IDE file fanbot-k.ide
Using IDE file feute-ad.ide
Using IDE file forbotgn.ide
Using IDE file goldu-ak.ide
Using IDE file hanlo-b.ide
Using IDE file haxdo-an.ide
Using IDE file inor-v.ide
Using IDE file keylogap.ide
Using IDE file leebad-a.ide
Using IDE file lerma-a.ide
Using IDE file loosky-a.ide
Using IDE file midrug-b.ide
Using IDE file mitgl-ce.ide
Using IDE file mytob-bz.ide
Using IDE file mytob-ej.ide
Using IDE file mytob-ex.ide
Using IDE file mytob-ey.ide
Using IDE file mytob-fa.ide
Using IDE file mytob-fc.ide
Using IDE file mytob-ff.ide
Using IDE file mytob-fh.ide
Using IDE file mytob-fi.ide
Using IDE file mytob-gh.ide
Using IDE file oscabotn.ide
Using IDE file pardro-a.ide
Using IDE file paymit-b.ide
Using IDE file paymit-c.ide
Using IDE file perda-g.ide
Using IDE file poebot-p.ide
Using IDE file randex-y.ide
Using IDE file rbot-ank.ide
Using IDE file rbot-apj.ide
Using IDE file rbot-apu.ide
Using IDE file rbot-arq.ide
Using IDE file rbot-arx.ide
Using IDE file rbot-asf.ide
Using IDE file rbot-ash.ide
Using IDE file rbot-asi.ide
Using IDE file rbot-ass.ide
Using IDE file rbot-ast.ide
Using IDE file rbot-atc.ide
Using IDE file rbot-ate.ide
Using IDE file rbot-atl.ide
Using IDE file rbot-atq.ide
Using IDE file rbot-att.ide
Using IDE file rbot-auf.ide
Using IDE file rbot-aul.ide
Using IDE file rbot-auq.ide
Using IDE file rbot-awb.ide
Using IDE file ritdoo-b.ide
Using IDE file sdbot-zm.ide
Using IDE file squado-a.ide
Using IDE file taladraf.ide
Using IDE file tileb-ap.ide
Using IDE file tilebotp.ide
Using IDE file tompai-b.ide
Using IDE file wowpws-a.ide

Full Scanning

Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_ad.exe\SfxArchiveData\disk3/data4.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_ad.exe\SfxArchiveData\disk2/data3.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_d2.exe\SfxArchiveData\disk2/data3.cab (part of multi
volume archive)
Could not check c:\Documents and Settings\Terri\Desktop\New
Folder\drv_sw_v2_60_d3.exe\SfxArchiveData\disk3/data4.cab (part of multi
volume archive)
Could not open c:\Documents and Settings\Terri\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Terri\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
Password protected file c:\Documents and Settings\Terri\My Documents\Game
Setup\winzip90.exe\SfxArchiveData\SETUP.WZ\WINZIP32.EX_
Could not open c:\hiberfil.sys
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\ENU\RdrMsgENU.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\ENU\read0600win_ENUyhoo0010.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\Messages\RdrMsgSplash.pdf
Password protected file c:\Program Files\Adobe\Acrobat
7.0\Reader\WebSearch\WebSearchENU.pdf
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bck1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt11.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt12.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt13.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt21.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt22.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt23.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt31.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt32.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt33.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt41.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt42.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt43.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt51.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt52.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt53.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt61.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\bt62.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\main.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\preview.bmp
Password protected file c:\Program Files\Lavasoft\Ad-Aware SE
Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp
>>> Virus fragment 'W95/Whog-878b' found in file c:\WINDOWS\system32\ActiveScan\pskavs.dll
Removal successful
Could not open c:\WINDOWS\system32\config\system.LOG
>>> Virus 'W32/Codbot-AC' found in file c:\WINDOWS\system32\wuapi.exe
Removal failed
Could not open d:\

1 master boot record swept.
24393 files swept in 2 hours, 9 minutes and 41 seconds.
54 errors were encountered.
2 viruses were discovered.
2 files out of 24393 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
43 encrypted files were not checked.
Ending Sophos Anti-Virus.

The other 2 scanners didn't find anything.

"David H. Lipman" wrote:

> From: "Teri" <Teri@discussions.microsoft.com>
>
> | Hi David, thank you so much for the post. I found it to be very helpful. I
> | took your advice and there were 4 more viruses. Before I started all of
> | these scanners I disabled System Restore and my firewall. When I went to
> | turn the firewall back on I got the message "Windows cannot display the
> | properties of this connection. The Windows Management Instrumentation (WMI)
> | information might be corrupt. To correct this, use System Restore to restore
> | Windows to an earlier time." Only one problem with that, there are no
> | earlier restore times.
>
> < logs snipped >
>
> | I only copied a few of these over but every file in the prefetch folder was
> | listed same as these.
>
> The error messages on the Prefetch Folder files is normal. They can be ignored.
>
> However, you left out the most important part of the McAfee log, what was found to be
> infected and what the infector was. For example...
>
> C:\WINDOWS\Application Data\Share-to-Web Upload Folder\3D Studio Max 3dsmax.exe ... Found
> the W32/Netsky.c@MM virus !!!
> The file has been deleted.
> C:\WINDOWS\Application Data\Share-to-Web Upload Folder\Keygen 4 all appz.exe ... Found the
> W32/Netsky.c@MM virus !!!
> The file has been deleted.
>
> I don't know what was found wrong with WMI. You may try the following to see if it corrects
> it...
>
> Create a FIXWMI.CMD batch file from the below script and run it and see if this corrects
> your problem.
>
> FIXWMI.CMD
> ------------------------
>
> @echo on
> REM Rebuilds the WMI repository and re-registers the WMI binaries.
> REM Run from an Administrator command prompt. The old repository is
> REM kept as Rep_bak so it can be put back if the rebuild does not help.
> cd /d c:\temp
> if not exist %windir%\system32\wbem goto TryInstall
> cd /d %windir%\system32\wbem
> REM Stop the service and make sure no winmgmt process still holds the repository.
> net stop winmgmt
> winmgmt /kill
> if exist Rep_bak rd Rep_bak /s /q
> rename Repository Rep_bak
> REM Re-register every WMI DLL and COM server EXE, then recompile the MOF/MFL schema files.
> for %%i in (*.dll) do RegSvr32 -s %%i
> for %%i in (*.exe) do call :FixSrv %%i
> for %%i in (*.mof,*.mfl) do Mofcomp %%i
> net start winmgmt
> goto End
>
> :FixSrv
> REM wbemtest, wbemcntl and mofcomp are tools, not COM servers: skip them.
> REM goto :EOF returns from the subroutine to the calling for loop.
> if /I (%1) == (wbemcntl.exe) goto :EOF
> if /I (%1) == (wbemtest.exe) goto :EOF
> if /I (%1) == (mofcomp.exe) goto :EOF
> %1 /RegServer
> goto :EOF
>
> :TryInstall
> REM No wbem folder at all: reinstall the WMI core if its installer is present.
> if not exist wmicore.exe goto End
> wmicore /s
> net start winmgmt
> :End
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
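The point a responder would pull out of the two logs above is not "2 viruses found" but the one line that says "Removal failed" against c:\WINDOWS\system32\wuapi.exe (W32/Codbot-AC): a bot detection that the scanner could not remove means the file, and very likely the running process, is still there, and the summary counts hide that. As an added example, not code from the post or from either vendor, here is a small Python triage parser for the McAfee command-line and Sophos SWEEP formats quoted in the thread. It pairs each detection with the action line that follows it, flags detections that were not cleaned or deleted, and lists the files the scanner skipped (password-protected, could not open, could not check) as coverage gaps. The regular expressions are my approximation of the two formats, not the vendors' specifications, and SAMPLE_LOG is constructed from the post's own lines with the newsgroup line-wrapping undone and the long IDE list omitted.

```python
"""Triage of McAfee and Sophos command-line scan logs: added example for this
thread, not code from the post or from either vendor. The regexes approximate
the formats quoted in the post; SAMPLE_LOG is built from those lines, unwrapped."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    scanner: str
    path: str
    threat: str
    action: str = "none recorded"  # set from the action line that follows the hit

    @property
    def needs_followup(self) -> bool:
        # Anything short of a confirmed clean/delete leaves the file on disk.
        return self.action not in ("deleted", "cleaned", "removed")

@dataclass
class Triage:
    findings: List[Finding]
    unscanned: List[str]  # files the scanner could not open, check or decrypt

    def followups(self) -> List[Finding]:
        return [f for f in self.findings if f.needs_followup]

# McAfee: hit line, then an indented action line.
MCAFEE_HIT = re.compile(
    r"^(?P<path>\S.*?) \.\.\. Found (?:the |potentially unwanted program )?"
    r"(?P<threat>.+?)(?: (?:virus|trojan))?\s*!*\.?\s*$")
MCAFEE_ACTION = re.compile(
    r"^\s+The (?:file or process|file|archive) has been (?P<verb>deleted|cleaned)\.\s*$")
# Sophos SWEEP: '>>>' hit line, then 'Removal successful' / 'Removal failed'.
SOPHOS_HIT = re.compile(
    r"^>>> Virus(?: fragment)? '(?P<threat>[^']+)' found in file (?P<path>.+?)\s*$")
SOPHOS_ACTION = re.compile(r"^Removal (?P<verb>successful|failed)\s*$")
# Skipped files are coverage gaps, not detections; a trailing '(reason)' is dropped.
SOPHOS_SKIP = re.compile(
    r"^(?:Password protected file|Could not open|Could not check) "
    r"(?P<path>.+?)(?: \([^()]*\))?\s*$")

def triage(log: str) -> Triage:
    findings: List[Finding] = []
    unscanned: List[str] = []
    pending: Optional[Finding] = None  # last hit still waiting for its action line
    for line in log.splitlines():
        if m := MCAFEE_HIT.match(line):
            pending = Finding("McAfee", m["path"], m["threat"])
            findings.append(pending)
        elif m := SOPHOS_HIT.match(line):
            pending = Finding("Sophos", m["path"], m["threat"])
            findings.append(pending)
        elif (m := MCAFEE_ACTION.match(line)) and pending:
            pending.action = m["verb"]
        elif (m := SOPHOS_ACTION.match(line)) and pending:
            pending.action = "removed" if m["verb"] == "successful" else "removal failed"
            pending = None
        elif m := SOPHOS_SKIP.match(line):
            unscanned.append(m["path"])
    return Triage(findings, unscanned)

def report(t: Triage) -> str:
    out = [f"{len(t.findings)} detection(s), {len(t.followups())} need follow-up, "
           f"{len(t.unscanned)} file(s) not scanned"]
    for f in t.findings:
        flag = "  <-- still on disk; treat the host as compromised" if f.needs_followup else ""
        out.append(f"[{f.scanner}] {f.threat}: {f.path} ({f.action}){flag}")
    return "\n".join(out)

# Constructed sample: the post's own log lines, unwrapped, with the IDE list and
# most skipped-file lines omitted.
SAMPLE_LOG = r"""
McAfee
C:\q735015.exe\q735015.exe ... Found the StartPage-DU trojan !!!
        The file or process has been deleted.
Scanning C:\*.*
C:\Documents and Settings\Terri\Local Settings\Temp\bar.0\MWSSETUP.EXE\000dc980.EXE ... Found potentially unwanted program Adware-MWS.
        The file or process has been deleted.
        The archive has been deleted.
C:\Recycled\Q330995.exe\Q330995.exe ... Found the StartPage-DU trojan !!!
        The file or process has been deleted.
Sophos Anti-Virus
Could not open c:\hiberfil.sys
Password protected file c:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\RdrMsgSplash.pdf
Could not check c:\Documents and Settings\Terri\Desktop\New Folder\drv_sw_v2_60_d3.exe\SfxArchiveData\disk3/data4.cab (part of multi volume archive)
>>> Virus fragment 'W95/Whog-878b' found in file c:\WINDOWS\system32\ActiveScan\pskavs.dll
Removal successful
>>> Virus 'W32/Codbot-AC' found in file c:\WINDOWS\system32\wuapi.exe
Removal failed
2 viruses were discovered.
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run as-is it prints five detections, one of which (W32/Codbot-AC in wuapi.exe) is flagged because its action line was "Removal failed"; the three skipped files are reported separately so an analyst can decide whether hiberfil.sys or an encrypted archive needs a boot-time or offline scan. The pairing logic relies on the action line immediately following its hit, which is how both scanners write their logs; a hit with no action line at all is also flagged, since nothing confirms it was cleaned.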


