Virus Problem

Have a file srvcat.exe.  It is located in the c:\windows\cursors folder.  I cannot delete this file.  I am running Windows XP Home and this file won't allow me to open the task manager, registry or connect to Hotmail when XP is opened normally.  Something creates a *srvcat in the HKLM/software/microsoft/windows/currentversion/run folder of the registry and a srvcat.exe in the HKLM/software/microsoft/windows/currentversion/runonce folder.  I have run Norton 2005 (with the most recent updates) and Pest Patrol (with the most recent updates) as well as run Norton from the Symantec web site.
In safe mode I can get into the registry and delete these files but not the source file on the hard drive.  The registry entry keeps returning.  There is a process in the task manager called *srvcat that every time I "end process" immediately starts up again.
Our firewall indicates that it is sending out files via ports 6777 and 7000.
There is no reference to this file on Google, Symantec or McAfee.  Any ideas how to find out what is generating this file?
Asked by: iss
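A triage script for the situation described in the question, added here as an example and not something posted in the thread. It enumerates the Run and RunOnce keys the question names, flags entries whose image lives outside the usual program directories (c:\windows\cursors would be flagged), records a SHA-256 of the file, and, for each running process started from that image, reports the parent process, since a process that restarts the instant it is killed is normally being respawned by another one. It finishes by mapping the two ports the firewall reported onto the owning processes from netstat -ano. Only WMI and built-in cmdlets are used so it works on XP-era PowerShell; the "expected" directories and the wildcard-on-path check are assumptions for illustration.

```powershell
# Added triage script (not from the thread). Autostart keys and port numbers
# come from the question; the expected-directory list is an assumption.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$expectedDirs = @("$env:ProgramFiles", "$env:SystemRoot\system32")
$suspectPorts = @(6777, 7000)   # remote ports the firewall reported

function Get-ImagePath([string]$command) {
    # Strip quotes and arguments from a Run-key command line.
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Get-FileSha256([string]$path) {
    # .NET hashing so this also runs on PowerShell versions without Get-FileHash.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

# Snapshot of running processes with parent PIDs (WMI is available on XP).
$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $image = Get-ImagePath $entry.Value
        $inExpectedDir = $false
        foreach ($d in $expectedDirs) {
            if ($image -like "$d\*") { $inExpectedDir = $true }
        }
        $flag = if ($inExpectedDir) { '' } else { '  <-- unusual location' }
        Write-Output "$key\$($entry.Name) = $($entry.Value)$flag"
        if (Test-Path $image) {
            Write-Output "    sha256: $(Get-FileSha256 $image)"
        } else {
            Write-Output "    (file not found on disk)"
        }
        # Which running processes were launched from this image, and who started them?
        foreach ($p in $procs) {
            if ($p.ExecutablePath -and ($p.ExecutablePath -ieq $image)) {
                $parent = $byPid[[int]$p.ParentProcessId]
                $parentName = if ($parent) { "$($parent.Name) (pid $($parent.ProcessId))" } else { 'unknown' }
                Write-Output "    running as pid $($p.ProcessId), parent: $parentName"
            }
        }
    }
}

# Map the suspect remote ports to owning PIDs using netstat -ano output.
Write-Output "`nTCP connections to ports $($suspectPorts -join ', '):"
netstat -ano | ForEach-Object {
    $fields = ($_.Trim() -split '\s+')
    if ($fields.Count -ge 5 -and $fields[0] -eq 'TCP') {
        $remotePort = [int]($fields[2] -split ':')[-1]
        if ($suspectPorts -contains $remotePort) {
            $owner = $byPid[[int]$fields[4]]
            Write-Output "  $_   -> $(if ($owner) { $owner.Name } else { 'unknown' })"
        }
    }
}
```

Run it from an administrator PowerShell prompt before and after killing the process: if the parent reported for the srvcat process is not explorer.exe or a service host you recognise, that parent is the component to examine next, and the hash lets you compare the file against vendor write-ups even when the filename itself has no hits.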
 
SheharyaarSaahil Commented:
>> Process is running and can't kill it.

Yeah, that's why I asked to boot in Recovery Console; it's a DOS mode where it will surely not be running :)
for more info on Recovery Console, click here on How to Access Recovery Console >> http://www.webtree.ca/windowsxp/repair_xp.htm
0
 
Asta Cu Commented:
Do you run or have installed some kind of cataloging service?
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
download SpyBot Search & Destroy from www.safernetworking.org - run that.  Failing that, I'd recommend downloading and running the silentrunners script from www.silentrunners.org - the process that keeps putting that back in the run key is likely started from within an IE run area.  Silent runners can help identify this.  Once done, you can reboot in safe mode and delete the questionable entries.

Also, any registry deletions you try to make, I STRONGLY recommend you export the key first to back it up.
0
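The "export the key before deleting anything" advice above, as an added example script rather than code from the thread. It writes each of the two autostart keys from the question to a timestamped .reg file with reg.exe, refuses to proceed if the export did not land on disk, and then deletes the value by exact name through the .NET registry API. The .NET route matters here because the value name in the question starts with "*", which Remove-ItemProperty would interpret as a wildcard; Windows also documents that a Run/RunOnce value whose name is prefixed with "*" runs even in Safe Mode, which matches the behaviour reported later in the thread. The value name and backup folder are assumptions.

```powershell
# Added example (not from the thread): back up, then delete by literal name.
# Key paths are from the question; $valueName and $backupDir are assumptions.
$valueName = '*srvcat'
$backupDir = "$env:USERPROFILE\Desktop\regbackup"
$keys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Backup-RegistryKey([string]$subKey, [string]$dir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $dir (($subKey -replace '\\', '_') + "-$stamp.reg")
    # reg.exe export exists on XP; the timestamped name avoids any overwrite prompt.
    & reg.exe export "HKLM\$subKey" $file | Out-Null
    if (-not (Test-Path $file)) { throw "export of HKLM\$subKey failed; leaving the key untouched" }
    return $file
}

function Remove-AutostartValueLiteral([string]$subKey, [string]$name) {
    # OpenSubKey(..., $true) opens for write; DeleteValue matches the name exactly,
    # so a leading '*' is not expanded as a wildcard.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if ($null -eq $key) { return $false }
    try {
        if ($key.GetValueNames() -notcontains $name) { return $false }
        Write-Host "removing HKLM\$subKey\$name = $($key.GetValue($name))"
        $key.DeleteValue($name)
        return $true
    } finally { $key.Close() }
}

foreach ($subKey in $keys) {
    $backup = Backup-RegistryKey $subKey $backupDir
    Write-Host "backup written: $backup"
    if (Remove-AutostartValueLiteral $subKey $valueName) {
        # The thread reports the entry being recreated: re-read after a short wait
        # so you learn immediately whether a live process is restoring it.
        Start-Sleep -Seconds 2
        $check = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
        if ($check.GetValueNames() -contains $valueName) {
            Write-Host "  $valueName reappeared within 2s: a running process is rewriting it"
        }
        $check.Close()
    } else {
        Write-Host "  $valueName not present under HKLM\$subKey"
    }
}
```

If the value reappears within the two-second recheck, deleting it again from the live system is pointless; that is the case for stopping the respawning process first (Recovery Console or an offline boot, as suggested elsewhere in the thread) and re-running this script afterwards. The .reg files can be re-imported by double-clicking them if a legitimate entry was removed by mistake.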
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Sorry, had the wrong link there - see http://www.safer-networking.org/en/index.html
0
 
SheharyaarSaahil Commented:
>> In safe mode I can get into the registry and delete these files but not the source file on the hard drive.

Why can't you delete the file? Do you get an access denied error?
Is this process running in safe mode also?
0
 
Asta Cu Commented:
0
 
iss (Author) Commented:
No cataloging running.  Symantec can see the file and says it is adware "adware.virtueMonde", but cannot do anything with the file.  The file is running in safe mode.  As soon as it is killed or any of the registry files erased they restart.  I renamed the runonce file and it recreated it.  I renamed the srvcat files in the registry and it corrected my changes.  Error message on delete is "cannot delete srvcat - Access denied".
0
 
SheharyaarSaahil Commented:
Hmmmmmm, can you try to take ownership of this file and then delete it?
HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Download Knoppix from www.linuxiso.org - boot to that and enable read/write access to the disk.  Then delete the file from knoppix.  (Maybe better ideas out there, but if something gets stubborn, that's what I'd do)
0
 
Asta Cu Commented:
The process defined here doesn't help either?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU

System Restore turned off prior to the fix attempts?
0
 
iss (Author) Commented:
Not Worm_Agobot.su, doesn't have the required files.  It is running as a process so I cannot delete it as long as it is running and I cannot stop the process because it continually starts itself.  System Restore turned off before I started this process.
0
 
SheharyaarSaahil Commented:
An Access Denied error means you don't have the proper permissions. Try this:
take ownership of this file from the Administrator account
and then boot into Recovery Console, and from there try deleting this file!
Check if you can delete it now or not.
0
 
Asta Cu Commented:
What amazed me is that I can't find much of anything anywhere specific to srvcat.exe so it must be a worm or intrusion that uses a renaming convention in its process; really a tough one.
0
 
Asta Cu Commented:
Though, found plenty on srv.exe; such as here:
http://www.pestpatrol.com/pestinfo/m/mc_r-desktop.asp
And tons of backdoor - related intrusions and removal tools.
0
 
Asta Cu Commented:
Wonder if the newest Stinger Removal tool would help you.
http://vil.nai.com/vil/averttools.asp#stinger
0
 
iss (Author) Commented:
Cannot delete it.  Logged in as administrator and primary user.  Took ownership as both and won't delete.  Process is running and can't kill it.
0
 
4ceReconSniper Commented:
Run your antivirus using safe mode.
0