Solved

Virus Problem

Posted on 2004-10-27
Medium Priority
222 Views
Last Modified: 2013-12-04
Have a file srvcat.exe.  It is located in the c:\windows\cursors folder.  I cannot delete this file.  I am running Windows XP Home and this file won't allow me to open the task manager, registry or connect to Hotmail when XP is opened normally.  Something creates a *srvcat in the HKLM/software/microsoft/windows/currentversion/run folder of the registry and a srvcat.exe in the HKLM/software/microsoft/windows/currentversion/runonce folder.  I have run Norton 2005 (with the most recent updates) and Pest Patrol (with the most recent updates) as well as run Norton from the Symantec web site.
In safe mode I can get into the registry and delete these entries but not the source file on the hard drive.  The registry entry keeps returning.  There is a process in the task manager called *srvcat that every time I "end process" immediately starts up again.
Our firewall indicates that it is sending out files via ports 6777 and 7000.
There is no reference to this file on Google, Symantec or McAfee.  Any ideas how to find out what is generating this file?
0
Comment
Question by:iss
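The question lists three concrete indicators: an autorun value named *srvcat under Run (plus srvcat.exe under RunOnce), a binary living in c:\windows\cursors, and outbound traffic on ports 6777 and 7000. The script below is an added triage example, not something posted in this thread, that applies those indicators to exported autorun entries and firewall log lines so the same pattern can be spotted on another machine. All input data is constructed; the log layout follows the W3C-style Windows XP firewall log, and the list of "unusual" startup directories is an assumption extended from the cursors folder named in the question.

```python
r"""
Added example, not part of the Experts Exchange thread: apply the indicators
the questioner reports (autorun value *srvcat, a startup binary under
c:\windows\cursors, outbound traffic to ports 6777 and 7000) to exported
autorun entries and firewall log lines. All sample data below is constructed;
the log format mirrors the Windows XP firewall log (an assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Directories that should never hold a startup program. c:\windows\cursors
# comes from the question; the other two are comparable locations (assumption).
UNUSUAL_DIRS = (r"c:\windows\cursors", r"c:\windows\temp", r"c:\windows\fonts")
# Destination ports the questioner's firewall reported outbound traffic on.
SUSPECT_PORTS = {6777, 7000}


@dataclass
class Finding:
    source: str   # registry key path or "firewall"
    detail: str   # the offending entry or log line
    reason: str   # why it was flagged


def audit_autoruns(entries):
    """entries: (key_path, value_name, command) tuples, e.g. from a `reg export`."""
    findings = []
    for key, name, command in entries:
        target = command.strip().strip('"').lower()
        if name.startswith("*"):
            # Microsoft documents that an asterisk prefix on a RunOnce value name
            # forces it to run even in Safe Mode; worth flagging on any autorun key.
            findings.append(Finding(key, f"{name} = {command}",
                                    "value name begins with '*' (Safe Mode override)"))
        if any(target.startswith(d) for d in UNUSUAL_DIRS):
            findings.append(Finding(key, f"{name} = {command}",
                                    "startup binary lives in a directory that should hold none"))
    return findings


def shared_targets(entries):
    """Map each executable to the autorun keys referencing it. One binary wired
    into several keys (Run and RunOnce here) is the redundancy the question describes."""
    by_target = defaultdict(set)
    for key, _name, command in entries:
        by_target[command.strip().strip('"').lower()].add(key)
    return {t: keys for t, keys in by_target.items() if len(keys) > 1}


FIREWALL_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)")


def audit_firewall_log(lines):
    """Flag log lines whose destination port is one the thread ties to the infection."""
    findings = []
    for line in lines:
        m = FIREWALL_LINE.match(line)
        if not m:
            continue  # '#Version' / '#Fields' header lines
        dport = int(m["dport"])
        if dport in SUSPECT_PORTS:
            findings.append(Finding("firewall", line.strip(),
                                    f"{m['action']} {m['proto']} {m['src']} -> {m['dst']}:{dport}"))
    return findings


# Constructed sample data mirroring what the question reports.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "*srvcat",
     r"c:\windows\cursors\srvcat.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "srvcat.exe",
     r"c:\windows\cursors\srvcat.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",  # benign, made up
     r'"C:\Program Files\Example\updater.exe"'),
]
SAMPLE_FIREWALL_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-27 09:12:03 OPEN TCP 192.168.1.10 203.0.113.5 1045 6777 - - - - - - - - -
2004-10-27 09:12:04 OPEN TCP 192.168.1.10 203.0.113.5 1046 7000 - - - - - - - - -
2004-10-27 09:12:10 OPEN TCP 192.168.1.10 198.51.100.20 1047 80 - - - - - - - - -
2004-10-27 09:13:00 DROP UDP 192.168.1.33 192.168.1.10 137 137 - - - - - - - - -
""".splitlines()


def triage():
    """Run every check over the sample data: (autorun findings, shared targets, firewall findings)."""
    return (audit_autoruns(SAMPLE_AUTORUNS),
            shared_targets(SAMPLE_AUTORUNS),
            audit_firewall_log(SAMPLE_FIREWALL_LOG))


if __name__ == "__main__":
    for group in triage():
        for item in (group.items() if isinstance(group, dict) else group):
            print(item)
```

On the sample data this reports the *srvcat value twice (asterisk prefix and unusual directory), the RunOnce copy once, the cursors binary as a target shared by both keys, and the two log lines to ports 6777 and 7000; the benign updater and the port 80 and NetBIOS lines pass. Swap the constructed lists for a real `reg export` and pfirewall.log to use it for triage.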
17 Comments
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426047
Do you run or have installed some kind of cataloging service?
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12426049
download SpyBot Search & Destroy from www.safernetworking.org - run that.  Failing that, I'd recommend downloading and running the silentrunners script from www.silentrunners.org - the process that keeps putting that back in the run key is likely started from within an IE run area.  Silent runners can help identify this.  Once done, you can reboot in safe mode and delete the questionable entries.

Also, any registry deletions you try to make, I STRONGLY recommend you export the key first to back it up.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12426059
Sorry, had the wrong link there - see http://www.safer-networking.org/en/index.html
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12426074
>> In safe mode I can get into the registry and delete these files but not the source file on the hard drive.

why can't u delete the file, do u get an access denied error ??
is this process running in safe mode also ??
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426076
0
 

Author Comment

by:iss
ID: 12426190
no cataloging running.  Symantec can see the file and says it is adware "adware.virtueMonde", but cannot do anything with the file.  The file is running in safe mode.  As soon as it is killed or any of the registry entries erased they restart.  I renamed the runonce entry and it recreated it.  I renamed the srvcat entries in the registry and it corrected my changes.  Error message on delete is "cannot delete srvcat - Access denied".
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12426223
hmmmmmm can u try to take the ownership of this file and then delete it ??
HOW TO: Take Ownership of a File or Folder in Windows XP:
http://support.microsoft.com/?kbid=308421
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12426224
Download Knoppix from www.linuxiso.org - boot to that and enable read/write access to the disk.  Then delete the file from knoppix.  (Maybe better ideas out there, but if something gets stubborn, that's what I'd do)
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426226
The process defined here doesn't help either?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SU

System Restore turned off prior to the fix attempts?
0
 

Author Comment

by:iss
ID: 12426333
Not Worm_Agobot.su, doesn't have the required files.  It is running as a process so I cannot delete it as long as it is running and I cannot stop the process because it continually starts itself.  system restore turned off before I started this process.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12426364
Access Denied error means u dont have the proper permissions, u try this:
take the Ownership of this file from the Administrator account
and then boot into Recovery Console, and from there try deleting this file !!
check if u can delete it now or not ??
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426382
What amazed me is that I can't find much of anything anywhere specific to srvcat.exe so it must be a worm or intrusion that uses a renaming convention in its process; really a tough one.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426435
Though, found plenty on srv.exe; such as here:
http://www.pestpatrol.com/pestinfo/m/mc_r-desktop.asp
And tons of backdoor - related intrusions and removal tools.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12426474
Wonder if the newest Stinger Removal tool would help you.
http://vil.nai.com/vil/averttools.asp#stinger
0
 

Author Comment

by:iss
ID: 12426490
cannot delete it.  logged in as administrator and primary user.  Took ownership as both and won't delete.  Process is running and can't kill it.
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 2000 total points
ID: 12426507
>> Process is running and can't kill it.

yeah that's why i asked to boot in Recovery Console, it's a DOS mode where it will surely not be running :)
for more info on Recovery Console, click here on How to Access Recovery Console >> http://www.webtree.ca/windowsxp/repair_xp.htm
0
 
LVL 3

Expert Comment

by:4ceReconSniper
ID: 12431528
run your anti virus using safe mode
0