Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

mswi32.pif last bit of a nasty infection

Started by frankygee , Oct 12 2005 01:01 PM

  • Please log in to reply

#1
frankygee
Posted 12 October 2005 - 01:01 PM

frankygee

    New Member

  • Member
  • Pip
  • 1 posts
I use VNC to remotly access a W2K server.
A week ago the connection started dropping during periods of inactivity.
A scan (Spybot, Adaware, and Norton Corporate eddition) revealed a number of viruses/malware, including pokapoka and a number of w32 worms.
These have all been sucessfuly been removed (I hope) using a combination of Spybot, Adaware, Norton and AVG.
However although AVG identified and removed the mswi32.pif Trojan, it still reappears.
Have tried the following in Safe mode: AVG, Norton, Spybot and Adaware.
Surprisingly I have not found any info on the mswi32.pif processes which is MR.

Have tried looking at the mswi32.pif file on the system32 folder but it closes explorer when I try.

Any help would be greatly appriciated.


Logfile of HijackThis v1.99.1
Scan saved at 19:29:56, on 12/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\winnt\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\cba\pds.exe
C:\winnt\System32\llssrv.exe
C:\winnt\LogWatNT.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\winnt\system32\ntfrs.exe
C:\winnt\system32\regsvc.exe
C:\winnt\System32\locator.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\winnt\system32\mspmspsv.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\tcpsvcs.exe
C:\winnt\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\winnt\system32\ams_ii\hndlrsvc.exe
C:\winnt\system32\MsgSys.EXE
C:\winnt\system32\ams_ii\iao.exe
C:\winnt\system32\cba\xfr.exe
C:\winnt\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\mswi32.pif
C:\winnt\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\winnt\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\winnt\system32\mswi32.pif
D:\Spyware\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Wind Security] mswi32.pif
O4 - HKLM\..\RunServices: [Wind Security] mswi32.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128674547640
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dfsales.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BACAB12-5BD0-4BD4-9443-4590A96A6FA3}: NameServer = 194.94.65.69,10.10.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dfsales.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dfsales.co.uk
O20 - Winlogon Notify: NavLogon - C:\winnt\system32\NavLogon.dll
O23 - Service: ARCserve Database Engine (ASDBEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Job Engine (ASJobEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: ARCserve Tape Engine (ASTapeEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\Alert\ALERT.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\winnt\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\winnt\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\winnt\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\winnt\system32\cba\pds.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\winnt\LogWatNT.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\winnt\system32\scardsvr32.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP