ServU.A in dllcache33.exe


optigrab
August 14th, 2003, 09:01 AM
Hi All,

Just for grins, I ran an F-Prot for DOS scan on my system this morning, and was surprised by the report that it found 2 infections that NOD32 did not report during its scheduled overnight scan. F-Prot cannot disinfect, and I'm not yet ready to try the F-Prot delete option (because I really don't understand the infection completely or the files involved).

Does anyone have any suggestions for dealing with this? Should I simply delete dllcache33.exe?

BTW, why is F-Prot reporting 2 infections? (I do realize this is not an F-Prot forum, of course, just hoping.)

Regards!
Optigrab
Nod32, Outpost Pro v2, Boclean, SSM
******************************
Virus scanning report - 14 August 2003 @ 8:10

F-PROT ANTIVIRUS
Program version: 3.14a
Engine version: 3.14.2

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003

Search: Local hard disks
Action: Report only
Files: Attempt to identify files
Switches: /ARCHIVE /PACKED
No viruses found in memory.
Hard disk boot sectors were not scanned.

Scanning C:
C:\PAGEFILE.SYS Not scanned (in use by another application)
C:\HIBERFIL.SYS Not scanned (in use by another application)
C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A
C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A

Vigy
August 14th, 2003, 10:07 AM
Hi optigrab,

You should pack those files and send them to eset's team at support@eset.com. This could be a new virus which NOD32 can't detect yet. Or it could be just some part of a security program that you've just installed...

Vigy

optigrab
August 14th, 2003, 01:10 PM
Thanks Vigy! :)

I did the following: rebooted into Safe Mode, renamed dllcache33.exe to "dllcache33.old" and left it where it is - to be deleted after I can confirm it was not needed by anything. 8)

I sent Eset a zip file of "dllcache33.old".

F-Prot still recognizes an infection within "dllcache33.old", but I'm assuming it can do no harm as is.

I assume I'm now safe, but any other advice would be welcome.

Regards!
Optigrab

Vigy
August 14th, 2003, 01:25 PM
The renamed dll file is OK (it's prevented from loading). Now, I think it's just a matter of time until eset adds the sample to the virus database, and then NOD will be able to detect the virus (if it's really a virus). :)

Regards!


Vigy

Dan Perez
August 14th, 2003, 09:23 PM
It is probably just an instance of the ServU FTP daemon. It may be that you were hacked and were being used as an FTP server. There may be other hack-related things installed. You might check the creation time of the Serv-U file and search for anything with the same or similar creation or modification dates.

fryr
August 15th, 2003, 04:47 AM
Does the following line suggest anything to anyone else?

C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A

To me it suggests that the DLLCAC~1.EXE file is a self extracting ZIP file that contains a file called secure.bat and it is the secure.bat file that is infected.

This could explain why NOD32 did not detect the virus, as the unpacker in NOD32 is said not to be as good as some other anti-virus software - hopefully NOD32 would detect the virus when the file was unpacked and an attempt was made to access the infected file.
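An added example, not code from the thread or from any of the products named in it: a small Python triage script that checks fryr's hypothesis without running the file. It tests whether a file begins with an MZ/PE stub and lists the members of a ZIP archive appended to it (the layout of a self-extracting ZIP), flagging embedded batch or script files. The sample it builds is constructed here as a stand-in and is not the dllcache33.exe from the thread.

```python
"""Triage a suspected self-extracting ZIP executable without running it.

Constructed example: checks for a PE stub and lists an appended ZIP's members.
"""
import io
import struct
import zipfile


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def embedded_zip_members(data: bytes) -> list:
    """Return (name, uncompressed_size) for each member of a ZIP inside data.

    zipfile finds the end-of-central-directory record from the end of the file
    and corrects for any bytes prepended to the archive, so a PE stub in front
    of the ZIP does not stop the listing. Nothing is extracted or executed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def triage(data: bytes) -> dict:
    """Summarise what a scanner's 'EXE->member' report would be looking at."""
    members = embedded_zip_members(data)
    script_ext = (".bat", ".cmd", ".vbs", ".js")
    scripts = [name for name, _ in members if name.lower().endswith(script_ext)]
    return {"pe_stub": looks_like_pe(data), "members": members,
            "embedded_scripts": scripts}


def build_sample() -> bytes:
    """Constructed stand-in for an SFX: a minimal MZ/PE header followed by a ZIP."""
    stub = bytearray(0x48)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secure.bat", "@echo off\r\nrem placeholder batch file\r\n")
        zf.writestr("readme.txt", "constructed sample\r\n")
    return bytes(stub) + buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against a real file with `triage(open(path, "rb").read())`; a non-empty `embedded_scripts` list is the cue to examine the member with a text editor rather than letting the stub unpack it.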

jan
August 15th, 2003, 09:46 AM
Hi,

Thanks for the sample - it'll be added in Monday's update.

Re. the unpackers - more info in this (http://www.wilderssecurity.com/showthread.php?t=10507;start=msg68199#msg68199) thread.

Take care, :)

jan