From: Gopi on 21 Nov 2005 06:00

Hello,

In our network, several systems are affected by a virus. I went into safe mode, edited the registry, deleted the values (locate.exe and hpws.exe) and restarted, and it works fine.

After some time, it was affected again (I cannot edit the registry or anything); again I have to go through safe mode.

We are using eTrust Antivirus server. Is there any way to clean this? Several servers are affected by this, and all have up-to-date Microsoft patches.

Thanks,
Gopi
From: Malke on 21 Nov 2005 08:06

Gopi wrote:

> Hello,
> In our network, several systems are affected by a virus. I went into safe mode,
> edited the registry, deleted the values (locate.exe and hpws.exe) and
> restarted, and it works fine.
>
> After some time, it was affected again (I cannot edit the registry or
> anything); again I have to go through safe mode.
>
> We are using eTrust Antivirus server. Is there any way to clean this?
> Several servers are affected by this, and all have up-to-date
> Microsoft patches.

If the malware is returning, then you haven't cleaned it. Either someone is doing the same bad behavior that got you the worm or other machines on the network are infected and are reinfecting the servers. Here is a link with more information about the worm you apparently have:

http://info.ahnlab.com/securityinfo/virus_view_eng_new.jsp?SEQ_NO=2085

You are going to have to take down the network and scan all servers and workstations for viruses. You can't do just one or two and leave them connected. I don't know how effective eTrust AV server is, but you might want to try another AV scanner temporarily.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
From: Peter Foldes on 21 Nov 2005 08:32

If that is the case then disconnect all from the Network or close your Network and re-do all machines. You might have one machine that you missed and do not see or one or more that you did not clean properly.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
From: Peter Foldes on 21 Nov 2005 08:34

Oooops. Sorry Malke, I did not see your post when posting.

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
From: Gopi on 22 Nov 2005 01:53

Thanks Malke,

Now I guess we fixed the error; anyway, let me wait one more day to see whether any issues return or not.

I ran the Microsoft malware utility to fix this issue, but I got the message that the virus (rbot) cannot be removed. So I stopped the SQL services (I noticed that the affected systems all have SQL), killed the locate.exe task from the command prompt, renamed locate.exe (windows\system32 folder) and deleted that file, then edited the registry and deleted the locate.exe entry.

Then, through GFI LANguard, I found which patches were missing. (All our servers are up to date,) but I found that some of the vulnerability patches were missing (they show only in GFI LANguard; normal Windows Update doesn't show them). I updated the missing patches and then re-ran the malware; this time it shows no virus found.

I guess it will be fine. Let me wait one more day. Is there anything more I can check / do?

Thanks,
Gopi
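
A read-only check for the leftovers described in this thread, as an added example that is not part of any post: it looks for the two file names Gopi mentions (locate.exe, hpws.exe) in autostart values, in System32 and among running processes. The thread does not say which registry key held the values; the standard Run/RunOnce keys and the function name `Find-ThreadIndicator` are assumptions.

```powershell
# Added example: read-only triage for the file names mentioned in the thread.
# Assumption: the deleted "registry values" lived in the standard Run/RunOnce
# autostart keys; the thread does not name the key.
function Find-ThreadIndicator {
    param(
        [string[]]$Names = @('locate.exe', 'hpws.exe')
    )

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # 1. Autostart values whose name or data mentions one of the file names.
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            foreach ($n in $Names) {
                if ($data -like "*$n*" -or $valueName -like "*$n*") {
                    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Type = 'AutostartValue'
                                       Where = "$key\$valueName"; Detail = $data }
                }
            }
        }
    }

    foreach ($n in $Names) {
        # 2. The file itself in System32 (-Force also finds hidden files).
        $path = Join-Path $env:SystemRoot "System32\$n"
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Type = 'File'
                               Where = $file.FullName; Detail = "modified $($file.LastWriteTime)" }
        }
        # 3. A running process with the same base name.
        $procName = [IO.Path]::GetFileNameWithoutExtension($n)
        Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Type = 'Process'
                               Where = "PID $($_.Id)"; Detail = $_.Path }
        }
    }
}

Find-ThreadIndicator | Format-Table -AutoSize
```

An empty result covers only the machine it ran on and only these two names, so it complements rather than replaces the full scan of every server and workstation recommended in the replies.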