How To Remove Virus Caused By Mmsvc32.exe?


2 replies to this topic

#1 Eye Gee

  • Members
  • 2 posts

Posted 24 November 2005 - 02:04 AM

I am running Windows XP

My McAfee VirusScan shows the following:

Name: hosts
In Folder: c:\windows\system32\drivers\etc
Detected As: Qhosts.apd
Detection: Trojan
Status: Moved (Clean failed because the file isn't cleanable)
Application: mmsvc32.exe

I have tried to do the following in safe mode:
1. Removed from registry:
HKEY_LOCAL_MACHINE entry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Network Services Controller"="C:\\WINDOWS\\System32\\mmsvc32.exe"
2. Manually removed the file mmsvc32.exe from C:\WINDOWS\System32

Still, after I rebooted, I again got the same message from VirusScan and found that the file mmsvc32.exe had been placed in the same directory, along with a registry entry to execute mmsvc32.exe again.

Anyone have any idea how to remove the virus?

Regards,
Eye Gee

#2 stidyup

  • Members
  • 641 posts

Posted 24 November 2005 - 03:49 AM

McAfee on Qhosts.apd

This is a detection for a modified HOSTS file.

This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address.

Many worms and their variants, such as W32/Polybot.gen!irc and W32/Gaobot.worm are overwriting the HOSTS file with a modified version. The HOSTS file contains a list of URLs and redirects them to 127.0.0.1, which is the LocalHost.

By redirecting all network traffic for these URLs to Localhost, the user is unable to browse to the webpage of his or her AV or security software vendor. Additionally many AV products are unable to update themselves.


Sophos on one of the W32/Agobot variants

Is your system patched with all the latest MS Windows updates? If not, you need to update as soon as you have removed the infection.

If you think you are infected, submit a HijackThis log to the HJT Forum.

How to submit a HijackThis log

Download HijackThis

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here (lpt***.zip); remember to extract the contents of the zip file into the same folder as Sysclean.com.

or

DrWeb CureIT

or

KASFX, which is powered by the Kaspersky AV engine; you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your HDDs and give you a log file to review afterwards:

SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt

Also try installing and running A2 Free and Ewido

I'd also run Spybot (Spybot Tutorial) and Ad-Aware.

If you're using Win2K/XP, run Ad-Aware/Spybot from "safe mode with command prompt". If you're using Win9x, just run it from safe mode; the command line options aren't needed.

At the C:\ prompt, type the following:

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

Edited by stidyup, 24 November 2005 - 03:51 AM.
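The McAfee description quoted in the reply above explains the mechanism behind a Qhosts detection: security-vendor hostnames are mapped to 127.0.0.1 in the HOSTS file, so the vendor's site and update servers silently fail to resolve. The Python script below is an added example for checking a HOSTS file for exactly that pattern; it is not part of the original thread and not a McAfee, Sophos or BleepingComputer tool. It parses the Windows HOSTS format (address, one or more hostnames, `#` comments) and flags every hostname other than the usual loopback names that is pointed at a loopback address or, going beyond the 127.0.0.1 case the post describes, at 0.0.0.0, another common sinkhole address. The sample HOSTS content and the hostnames in it are constructed for the example.

```python
"""Flag HOSTS-file entries that sinkhole hostnames to loopback or 0.0.0.0.

Added example, not from the forum thread or any vendor product. The sample
HOSTS text below is constructed; the hostnames in it are illustrative only.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of a tampered Windows HOSTS file.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
#
# Legitimate entries that every Windows HOSTS file may carry:
127.0.0.1       localhost
::1             localhost

# Entries of the kind the Qhosts detection describes: vendor and update
# hostnames pointed at loopback so the sites never load.
127.0.0.1       www.mcafee.com
127.0.0.1       download.mcafee.com   # trailing comment, must be ignored
0.0.0.0         update.symantec.com liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com

# Benign local entry: a private address, not a sinkhole.
192.168.1.10    fileserver.internal

# Malformed line: first field is not an IP address, so it is skipped.
this-is-not-an-address   garbage.example
"""

# Hostnames that legitimately resolve to a loopback address. Extend this set
# with local development names if your environment uses them.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on each line.

    Comments (everything after '#') and blank lines are ignored; a line whose
    first field is not a valid IPv4/IPv6 address is skipped as malformed.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a HOSTS entry we can interpret
        for name in names:
            entries.append((address, name.lower()))
    return entries


def is_sinkhole_address(address: str) -> bool:
    """True for loopback (127.x.x.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def find_suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that point a non-loopback hostname at a sinkhole address."""
    return [
        (address, name)
        for address, name in parse_hosts(text)
        if is_sinkhole_address(address) and name not in LEGITIMATE_LOOPBACK_NAMES
    ]


if __name__ == "__main__":
    # Stand-alone run: report on the constructed sample. To check a live
    # system, read C:\WINDOWS\system32\drivers\etc\hosts into `text` instead.
    flagged = find_suspicious_entries(SAMPLE_HOSTS)
    print(f"{len(flagged)} suspicious HOSTS entr{'y' if len(flagged) == 1 else 'ies'}")
    for address, name in flagged:
        print(f"  {name} -> {address}")
```

A clean Windows HOSTS file produces an empty result; any hit is worth comparing against the vendor list in the McAfee description before restoring the file, since a developer may legitimately point a local test name at 127.0.0.1.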


#3 Eye Gee

  • Topic Starter

  • Members
  • 2 posts

Posted 28 November 2005 - 08:13 PM

Hi stidyup,

Thanks for the input.

Regards,
Eye Gee



