Solved

Virus Problem

Posted on 2004-10-27
218 Views
Last Modified: 2013-12-04
Have a file srvcat.exe.  It is located in the c:\windows\cursors folder.  I cannot delete this file.  I am running Windows XP Home, and this file won't allow me to open the Task Manager or the registry, or connect to Hotmail, when XP is opened normally.  Something creates a *srvcat in the HKLM/software/microsoft/windows/currentversion/run folder of the registry and a srvcat.exe in the HKLM/software/microsoft/windows/currentversion/runonce folder.  I have run Norton 2005 (with the most recent updates) and Pest Patrol (with the most recent updates), as well as run Norton from the Symantec web site.
In safe mode I can get into the registry and delete these files but not the source file on the hard drive.  The registry entry keeps returning.  There is a process in the task manager called *srvcat that every time I "end process" immediately starts up again.
Our firewall indicates that it is sending out files via ports 6777 and 7000.
There is no reference to this file on Google, Symantec or McAfee.  Any ideas how to find out what is generating this file?
0
Question by:iss
    17 Comments
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Do you run or have installed some kind of cataloging service?
    0
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Download SpyBot Search & Destroy from www.safernetworking.org - run that.  Failing that, I'd recommend downloading and running the silentrunners script from www.silentrunners.org - the process that keeps putting that back in the run key is likely started from within an IE run area.  Silent Runners can help identify this.  Once done, you can reboot in safe mode and delete the questionable entries.

    Also, for any registry deletions you try to make, I STRONGLY recommend you export the key first to back it up.
    0
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Sorry, had the wrong link there - see http://www.safer-networking.org/en/index.html
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    >> In safe mode I can get into the registry and delete these files but not the source file on the hard drive.

    Why can't you delete the file? Do you get an "access denied" error?
    Is this process running in Safe Mode also?
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    0
     

    Author Comment

    by:iss
    No cataloging running.  Symantec can see the file and says it is adware "adware.virtueMonde", but cannot do anything with the file.  The file is running in Safe Mode.  As soon as it is killed or any of the registry entries erased, they restart.  I renamed the runonce entry and it recreated it.  I renamed the srvcat entries in the registry and it corrected my changes.  Error message on delete is "cannot delete srvcat - Access denied".
    0
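The autostart entries described above (a `*srvcat` value under Run plus a `srvcat.exe` value under RunOnce, both pointing into `C:\WINDOWS\cursors`) are exactly what is worth pulling out of a registry export before touching anything, and exporting the key first is also the backup Lee W asks for earlier in the thread. The script below is an added example, not code from this thread or from any vendor tool: it parses the text that `reg export` or regedit's Export writes, then flags autostart values whose name begins with an asterisk (Microsoft documents that prefix on RunOnce values as "run even in Safe Mode", which fits the report that the process survives a Safe Mode boot), whose image sits under a Windows subfolder that should hold no executables, or whose image is registered under more than one autostart value. The sample export, the list of keys and the list of odd folders are constructed for the example, modelled on the question's entries rather than copied from any real system.

```python
"""Triage the Run / RunOnce autostart values in a Windows .reg export.

Added example for this thread (not code from the thread or from any vendor
tool).  Parses the text 'reg export' or regedit's Export writes and flags
the patterns the question describes.  The sample export, the key list and
the list of odd folders are constructed for the example.
"""
import re
import sys

# Constructed sample export, modelled on the entries the question describes
# (a '*srvcat' value under Run, a 'srvcat.exe' value under RunOnce).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"*srvcat"="C:\\WINDOWS\\cursors\\srvcat.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"srvcat.exe"="C:\\WINDOWS\\cursors\\srvcat.exe"
'''

# Autostart keys to examine (matched case-insensitively against the export).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Windows subfolders that hold no legitimate autostart executables.  This list
# is an assumption for the example, seeded with the folder from the question.
ODD_DIRS = ("\\cursors\\", "\\fonts\\", "\\help\\", "\\media\\")

# "name"="data" lines; .reg files escape backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key path (lower-cased): {value name: string data}}.

    Only REG_SZ ("..."="...") values are kept; dword:/hex: values cannot be
    autostart command lines and are skipped, as is the header line.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def image_path(command):
    """Strip quoting and arguments from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(text):
    """Return [(key, value name, image path, [reasons])] for suspicious values."""
    keys = parse_reg(text)
    registered = {}  # lower-cased image path -> number of autostart values using it
    for key in AUTORUN_KEYS:
        for cmd in keys.get(key.lower(), {}).values():
            p = image_path(cmd).lower()
            registered[p] = registered.get(p, 0) + 1
    findings = []
    for key in AUTORUN_KEYS:
        for name, cmd in keys.get(key.lower(), {}).items():
            path, reasons = image_path(cmd), []
            if name.startswith("*"):
                reasons.append("value name starts with '*' (Safe Mode autostart prefix)")
            if any(d in path.lower() for d in ODD_DIRS):
                reasons.append("image under a Windows folder that should hold no .exe")
            if registered[path.lower()] > 1:
                reasons.append("same image registered under %d autostart values"
                               % registered[path.lower()])
            if reasons:
                findings.append((key, name, path, reasons))
    return findings


def load_reg(path):
    """Read a .reg file: regedit's default export is UTF-16LE with a BOM,
    the older Win9x/NT4 format is ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, path, reasons in triage(text):
        print("%s\\%s -> %s" % (key, name, path))
        for r in reasons:
            print("    " + r)
```

On the affected machine, export each key first (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, or regedit's File > Export), keep those files as the backup, and run the script against them from a clean machine. On the sample export it reports both srvcat values, with the Run entry flagged for all three reasons and the RunOnce entry for two; the Symantec ccApp entry is left alone.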
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Hmmm, can you try to take ownership of this file and then delete it?
    HOW TO: Take Ownership of a File or Folder in Windows XP:
    http://support.microsoft.com/?kbid=308421
    0
     
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Download Knoppix from www.linuxiso.org - boot to that and enable read/write access to the disk.  Then delete the file from knoppix.  (Maybe better ideas out there, but if something gets stubborn, that's what I'd do)
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    The process defined here doesn't help either?
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU

    System Restore turned off prior to the fix attempts?
    0
     

    Author Comment

    by:iss
    Not Worm_Agobot.su, doesn't have the required files.  It is running as a process so I cannot delete it as long as it is running, and I cannot stop the process because it continually starts itself.  System Restore turned off before I started this process.
    0
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    An Access Denied error means you don't have the proper permissions. Try this:
    take ownership of this file from the Administrator account,
    then boot into the Recovery Console, and from there try deleting this file!
    Check if you can delete it now or not.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    What amazed me is that I can't find much of anything anywhere specific to srvcat.exe so it must be a worm or intrusion that uses a renaming convention in its process; really a tough one.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Though, found plenty on srv.exe; such as here:
    http://www.pestpatrol.com/pestinfo/m/mc_r-desktop.asp
    And tons of backdoor - related intrusions and removal tools.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Wonder if the newest Stinger Removal tool would help you.
    http://vil.nai.com/vil/averttools.asp#stinger
    0
     

    Author Comment

    by:iss
    Cannot delete it.  Logged in as Administrator and primary user.  Took ownership as both and it won't delete.  Process is running and I can't kill it.
    0
     
    LVL 65

    Accepted Solution

    by:
    >> Process is running and can't kill it.

    Yeah, that's why I asked you to boot into the Recovery Console; it's a DOS mode where it will surely not be running :)
    For more info on the Recovery Console, click here on How to Access Recovery Console >> http://www.webtree.ca/windowsxp/repair_xp.htm
    0
     
    LVL 3

    Expert Comment

    by:4ceReconSniper
    Run your antivirus in Safe Mode.
    0
