TFTP

#10 01-05-2006, 04:19 AM

From: "Teri" <Teri@discussions.microsoft.com>

| When I first detected a virus I had alot of files that were marked as private
| or hidden I guess. Thats how they showed up in the attributes and everytime
| I ran anykind of scan it couldn't read them it just said access denied. I
| tried to go back and make them all not private. I probably messed something
| up. I was wrong about my system being clean, check out my running processes
| right now. Trend reported that they had deteted and fixed a W32/Codbot-AC!
| located in the WUAPI. Exe file. Does that mean that they deleted the
| WUAPI.exe file? It is still here running along with MediaGateway that I have
| never seen . I also found 2 registry files in my documents that were names
| wuapiii.
| I appreciate your time Mr. Lipman, I am trying to avoid erasing my
| harddrive. If I kill the process it doesn't go away. I ran all the scans
| again and none of them detected it or the MediaGateway.
| RUNNING PROCESSES
| csrss.exe 404 C:\WINDOWS\system32\csrss.exe Client Server Runtime Process
| 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| Explorer.EXE 1228 C:\WINDOWS\Explorer.EXE Windows Explorer 6.00.2800.1106.
| © Microsoft Corporation. All rights reserved.
| iexplore.exe 1556 C:\Program Files\Internet Explorer\iexplore.exe Internet
| Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
| lsass.exe 484 C:\WINDOWS\system32\lsass.exe LSA Shell (Export Version)
| 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| MediaGateway.exe 1392 C:\Program Files\Media Gateway\MediaGateway.exe Media
| Gateway 2, 0, 0, 0. Copyright 2005
| PrcView.exe 1528 C:\Documents and Settings\Terri\My
| Documents\Unzipped\PrcView\PrcView.exe Process Viewer Application 3.7.3.1.
| Developed by Igor Nys, 1995-2003
| services.exe 472 C:\WINDOWS\system32\services.exe Services and Controller
| app 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| smss.exe 340 C:\WINDOWS\System32\smss.exe Windows NT Session Manager
| 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| svchost.exe 660 C:\WINDOWS\system32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| svchost.exe 732 C:\WINDOWS\System32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| svchost.exe 800 C:\WINDOWS\System32\svchost.exe Generic Host Process for
| Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| winlogon.exe 428 C:\WINDOWS\system32\winlogon.exe Windows NT Logon
| Application 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
| wmiapsrv.exe 1916 C:\WINDOWS\System32\wbem\wmiapsrv.exe WMI Performance
| Adapter Service 5.1.2600.0. © Microsoft Corporation. All rights reserved.
| wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
| YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe

First off, its Dave. Please don't be so formal ;-)

Some files are open by the OS and thus their respecitive File Handles are held open atnd
thos files can not be scanned. In addition, they also can be infected either. So it isn't
a file attribute problem and those error messages are normal and are not to be worried
about.

It looks like you have cleaned your PC of infectors. All those running processes look to be
both legitimate and correct.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm