#11

Ok Dave, this is my last question then I either shoot it or erase it and start over. Why when I try to go into Event Viewer under application, system or security it just says Unable to complete the operation " application" interface not known?

"David H. Lipman" wrote:

> From: "Teri" <Teri@discussions.microsoft.com>
>
> | When I first detected a virus I had a lot of files that were marked as private or hidden I guess. That's how they showed up in the attributes and every time I ran any kind of scan it couldn't read them it just said access denied. I tried to go back and make them all not private. I probably messed something up. I was wrong about my system being clean, check out my running processes right now. Trend reported that they had detected and fixed a W32/Codbot-AC! located in the WUAPI.exe file. Does that mean that they deleted the WUAPI.exe file? It is still here running along with MediaGateway that I have never seen. I also found 2 registry files in my documents that were named wuapiii.
> |
> | I appreciate your time Mr. Lipman, I am trying to avoid erasing my hard drive. If I kill the process it doesn't go away. I ran all the scans again and none of them detected it or the MediaGateway.
> |
> | RUNNING PROCESSES
> | csrss.exe 404 C:\WINDOWS\system32\csrss.exe Client Server Runtime Process 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | Explorer.EXE 1228 C:\WINDOWS\Explorer.EXE Windows Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
> | iexplore.exe 1556 C:\Program Files\Internet Explorer\iexplore.exe Internet Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
> | lsass.exe 484 C:\WINDOWS\system32\lsass.exe LSA Shell (Export Version) 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
> | MediaGateway.exe 1392 C:\Program Files\Media Gateway\MediaGateway.exe Media Gateway 2, 0, 0, 0. Copyright 2005
> | PrcView.exe 1528 C:\Documents and Settings\Terri\My Documents\Unzipped\PrcView\PrcView.exe Process Viewer Application 3.7.3.1. Developed by Igor Nys, 1995-2003
> | services.exe 472 C:\WINDOWS\system32\services.exe Services and Controller app 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | smss.exe 340 C:\WINDOWS\System32\smss.exe Windows NT Session Manager 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
> | svchost.exe 660 C:\WINDOWS\system32\svchost.exe Generic Host Process for Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | svchost.exe 732 C:\WINDOWS\System32\svchost.exe Generic Host Process for Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | svchost.exe 800 C:\WINDOWS\System32\svchost.exe Generic Host Process for Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | winlogon.exe 428 C:\WINDOWS\system32\winlogon.exe Windows NT Logon Application 5.1.2600.1106. © Microsoft Corporation. All rights reserved.
> | wmiapsrv.exe 1916 C:\WINDOWS\System32\wbem\wmiapsrv.exe WMI Performance Adapter Service 5.1.2600.0. © Microsoft Corporation. All rights reserved.
> | wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
> | YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe
>
> First off, it's Dave. Please don't be so formal ;-)
>
> Some files are open by the OS and thus their respective File Handles are held open and those files cannot be scanned. In addition, they also can be infected either. So it isn't a file attribute problem and those error messages are normal and are not to be worried about.
>
> It looks like you have cleaned your PC of infectors. All those running processes look to be both legitimate and correct.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#12

From: "Teri" <Teri@discussions.microsoft.com>

| Ok Dave, this is my last question then I either shoot it or erase it and start over. Why when I try to go into Event Viewer under application, system or security it just says Unable to complete the operation " application" interface not known?

Sorry,....

No idea except make sure the "Event Log" NT Service is running.

In a command prompt type the two following command lines...

sc start EventLog
sc config EventLog start= auto

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#13

After running Sophos again it came back with the Backdoor.Win32.SdBot.afu in the Windows\System32\Defrag~1.exe AND Backdoor.Win32.Codbot.az in the C:\Windows\System32\Wuapi.exe. Thank you for hanging with me on this but I think I have it from here.

"David H. Lipman" wrote:

> From: "Teri" <Teri@discussions.microsoft.com>
>
> | Ok Dave, this is my last question then I either shoot it or erase it and start over. Why when I try to go into Event Viewer under application, system or security it just says Unable to complete the operation " application" interface not known?
>
> Sorry,....
>
> No idea except make sure the "Event Log" NT Service is running.
>
> In a command prompt type the two following command lines...
>
> sc start EventLog
> sc config EventLog start= auto
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#14

From: "Teri" <Teri@discussions.microsoft.com>

| After running Sophos again it came back with the Backdoor.Win32.SdBot.afu in the Windows\System32\Defrag~1.exe AND Backdoor.Win32.Codbot.az in the C:\Windows\System32\Wuapi.exe. Thank you for hanging with me on this but I think I have it from here.

Good luck and thanx for updating the thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#15

Hey Dave I just thought I would let you know the outcome as perplexing as it is. I spent a couple of nights on the phone with Microsoft and I guess one of these turned out to be a new virus. We thought we had it but on reboot instead of 2 I had 4 viruses. I had lost System Restore, my network connection and a lot of other things. I repartitioned and reinstalled today and so I guess we will never know...

"David H. Lipman" wrote:

> From: "Teri" <Teri@discussions.microsoft.com>
>
> | After running Sophos again it came back with the Backdoor.Win32.SdBot.afu in the Windows\System32\Defrag~1.exe AND Backdoor.Win32.Codbot.az in the C:\Windows\System32\Wuapi.exe. Thank you for hanging with me on this but I think I have it from here.
>
> Good luck and thanx for updating the thread.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#16

From: "Teri" <Teri@discussions.microsoft.com>

| Hey Dave I just thought I would let you know the outcome as perplexing as it is. I spent a couple of nights on the phone with Microsoft and I guess one of these turned out to be a new virus. We thought we had it but on reboot instead of 2 I had 4 viruses. I had lost System Restore, my network connection and a lot of other things. I repartitioned and reinstalled today and so I guess we will never know...

Thanx for the update and good luck !

If you don't practice Safe Hex, don't keep up with Critical Updates and don't implement proper security on the platform, you'll just be infected again.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
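
An added example, not part of the thread: a triage pass over the PrcView listing quoted in post #11, flagging entries that carry no description or vendor text, which is how the `wuapi.exe` image that Sophos later reported appears there. The parsing rules and the reading of a bare file name as missing metadata are assumptions; a flag means the file deserves inspection, not that it is malicious.

```python
import re

# Lines copied from the process listing quoted in the thread (PrcView output:
# name, PID, image path, then description/version/copyright when present).
LISTING = r"""
csrss.exe 404 C:\WINDOWS\system32\csrss.exe Client Server Runtime Process 5.1.2600.0. © Microsoft Corporation. All rights reserved.
iexplore.exe 1556 C:\Program Files\Internet Explorer\iexplore.exe Internet Explorer 6.00.2800.1106. © Microsoft Corporation. All rights reserved.
MediaGateway.exe 1392 C:\Program Files\Media Gateway\MediaGateway.exe Media Gateway 2, 0, 0, 0. Copyright 2005
svchost.exe 732 C:\WINDOWS\System32\svchost.exe Generic Host Process for Win32 Services 5.1.2600.0. © Microsoft Corporation. All rights reserved.
wuapi.exe 1536 C:\WINDOWS\System32\wuapi.exe wuapi.exe
YPager.exe 1764 C:\Program Files\Yahoo!\Messenger\YPager.exe YPager.exe
"""

def parse_line(line):
    """Split one listing line into (name, pid, path, metadata), or None."""
    head = re.match(r"(\S+)\s+(\d+)\s+", line)
    if not head:
        return None
    name, pid = head.group(1), int(head.group(2))
    # The image path may contain spaces; it ends at the first "\<name>".
    tail = re.match(r"(.*?\\" + re.escape(name) + r")\s*(.*)$",
                    line[head.end():], re.IGNORECASE)
    if not tail:
        return None
    return name, pid, tail.group(1), tail.group(2).strip()

def triage(listing):
    """Return (name, pid, reason) for entries that deserve a closer look."""
    findings = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, pid, path, meta = parsed
        # Assumption: metadata that is empty or just repeats the file name
        # means the listing had no description or vendor for the image.
        if meta and meta.lower() != name.lower():
            continue
        if "\\windows\\system32\\" in path.lower():
            findings.append((name, pid, "system32 image with no description or vendor"))
        else:
            findings.append((name, pid, "no description or vendor"))
    return findings

if __name__ == "__main__":
    for finding in triage(LISTING):
        print(finding)
```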