iss
asked on
Virus Problem
Have a file srvcat.exe. It is located in the c:\windows\cursors folder. I cannot delete this file. I am running window xp home and this file won't allow me to open the task manager, registry or connect to hotmail when XP is opened normally. Something creates a *srvcat in the HKLM/software/microsoft/wi
In safe mode I can get into the registry and delete these files but not the source file on the hard drive. The registry entry keeps returning. There is a process in the task manager called *srvcat that every time I "end process" immediately starts up again.
Our fire wall indicates that it is sending out files via ports 6777 and 7000.
There is no reference to this file on google, symantec or mcafee. Any ideas how to find out what is generating this file?
In safe mode I can get into the registry and delete these files but not the source file on the hard drive. The registry entry keeps returning. There is a process in the task manager called *srvcat that every time I "end process" immediately starts up again.
Our fire wall indicates that it is sending out files via ports 6777 and 7000.
There is no reference to this file on google, symantec or mcafee. Any ideas how to find out what is generating this file?
Asta Cu
Do you run or have installed some kind of cateloging service?
download SpyBot Search & Destroy from www.safernetworking.org - run that. Failing that, I'd recommend downloading and running the silentrunners script from www.silentrunners.org - the process that keeps putting that back in the run key is likely started from within an IE run area. Silent runners can help identify this. Once done, you can reboot in safe mode and delete the questionable entries.
Also, any registry deletions you try to make, I STRONGLY recommend you export the key first to back it up.
Also, any registry deletions you try to make, I STRONGLY recommend you export the key first to back it up.
Sorry, had the wrong link there - see http://www.safer-networking.org/en/index.html
>> In safe mode I can get into the registry and delete these files but not the source file on the hard drive.
why can u delete the file, do u get an access denied error ??
is this process running in safemode also ??
why can u delete the file, do u get an access denied error ??
is this process running in safemode also ??
Might be related to this...
WORM_AGOBOT.SU
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU
WORM_AGOBOT.SU
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU
ASKER
no cateloging running. Symantec can see the file and says it is adware "adware.virtueMonde", but cannot do anything with the file. The file is running in safe mode. As soon as it is killed or any of the registry files erased they restart. I renamed the runonce file and it recreated it. I renamed the srvcat files in the registry and it corrected my changes. Error message on delete is "cannot delete srvcat - Access denied".
hmmmmmm can u try to take the ownership of this file and then delete it ??
HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
Download Knoppix from www.linuxiso.org - boot to that and enable read/write access to the disk. Then delete the file from knoppix. (Maybe better ideas out there, but if something gets stubborn, that's what I'd do)
The process defined here doesn't help either?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU
System Restore turned off prior to the fix attempts?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU
System Restore turned off prior to the fix attempts?
ASKER
Not Worm_Agobot.su, doesn't have the required files. It is running as a process so I cannot delete it as long as it is running and I cannot stop the process because it continually starts itself. system restore turned off before I started this process.
Access Denied error means, u dont have the proper permissions, u try tis,
take the Ownership of this file from the Administrator account
and then boot into Recovery Console, and from there try deleting this file !!
check if u can delete it now or not ??
take the Ownership of this file from the Administrator account
and then boot into Recovery Console, and from there try deleting this file !!
check if u can delete it now or not ??
What amazed me is that I can't find much of anything anywhere specific to srvcat.exe so it must be a worm or intrusion that uses a renaming convention in its process; really a tough one.
Though, found plenty on srv.exe; such as here:
http://www.pestpatrol.com/pestinfo/m/mc_r-desktop.asp
And tons of backdoor - related intrusions and removal tools.
http://www.pestpatrol.com/pestinfo/m/mc_r-desktop.asp
And tons of backdoor - related intrusions and removal tools.
Wonder if the newest Stinger Removal tool would help you.
http://vil.nai.com/vil/averttools.asp#stinger
http://vil.nai.com/vil/averttools.asp#stinger
ASKER
cannot delete it. logged in as administrator and primary user. Took ownership as both and won't delete. Process is running and can't kill it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
run your anti virus using safe mode