PDA

View Full Version : Re: files in the System32/win directory

Steven L Umbach
The link at SARC shows the instructions for that virus at the link below and says to
delete all files found related to that virus. Svhost is not a Windows file - svchost
is. You can run Task Manager to see what executables are currently being used by
processes. If an .exe file is not shown in that list nor in the
\winnt\system32\dllcachefolder it most likely is not a critical Windows operating
system file. Dll's are tougher to find if they are being currently used but you can
use the free ListDLL's from SysInternals for that. To be safe, instead of deleting
them you could rename them and after you are convinced after a couple of days using
your computer that it and all applications and hardware function fine delete them. If
one is a file needed for an application you find out later on, you could just
reinstall the application. Also searching http://www.google.com for a filename may
find information of whether it is related to a virus/worm or not and also comparing
to a like configured known clean operating system on another installation.. --- Steve

http://securityresponse.symantec.com/avcenter/venc/data/remacc.radmin.html
http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml

"Bill" wrote in message
news:CB8D70F8-F4A2-4610-9400-847B7CD5977A@microsoft.com...
>I have a list of programs that are questionable and I need to determine if I
> should get rid of them or let them stay because they are suppose to be there.
> The list is as follows:
>
> scan1000.exe which is apparantly part of Exploit-sfind via Mcafee
> service.bat which is part of fired.bat via Mcafee
> service3.bat which is part of fired.bat via Mcafee
>
> No other program picks these up for some reason. I have used Symantec,
> McAfee, Panda, Trend Micro.
>
> The reason I am questioning these files is because Symantec AV picked up a
> program and called it remacc.radmin and there are various files associated
> with it. They are:
>
> svhost.exe
> raddrv.dll
> nvsvc.exe
> admdll.dll
>
> I would like to delete them or find some comfort in knowing I already got
> rid of the virus and trojan. The funny thing seems to be that the Trojans
> will just leave programs behind that are normal programs like unrar for
> instance.
>
> Please help
>
> --
> Bill Mitchell
> IT Man
> New2it


Karl Levinson [x y] mvp
I agree. The best way to remove virus files is always to use an anti-virus
program, and if it can name but not remove the virus, check the web site for
the vendor for that virus name in their virus encyclopedia for removal
instructions and/or a special removal tool.

"Steven L Umbach" wrote in message
news:ECwXc.240350$eM2.128978@attbi_s51...
> The link at SARC shows the instructions for that virus at the link below
and says to
> delete all files found related to that virus. Svhost is not a Windows
file - svchost
> is. You can run Task Manager to see what executables are currently being
used by
> processes. If an .exe file is not shown in that list nor in the
> \winnt\system32\dllcachefolder it most likely is not a critical Windows
operating
> system file. Dll's are tougher to find if they are being currently used
but you can
> use the free ListDLL's from SysInternals for that. To be safe, instead of
deleting
> them you could rename them and after you are convinced after a couple of
days using
> your computer that it and all applications and hardware function fine
delete them. If
> one is a file needed for an application you find out later on, you could
just
> reinstall the application. Also searching http://www.google.com for a
filename may
> find information of whether it is related to a virus/worm or not and also
comparing
> to a like configured known clean operating system on another
installation.. --- Steve
>
> http://securityresponse.symantec.com/avcenter/venc/data/remacc.radmin.html
> http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
>
> "Bill" wrote in message
> news:CB8D70F8-F4A2-4610-9400-847B7CD5977A@microsoft.com...
> >I have a list of programs that are questionable and I need to determine
if I
> > should get rid of them or let them stay because they are suppose to be
there.
> > The list is as follows:
> >
> > scan1000.exe which is apparantly part of Exploit-sfind via Mcafee
> > service.bat which is part of fired.bat via Mcafee
> > service3.bat which is part of fired.bat via Mcafee
> >
> > No other program picks these up for some reason. I have used Symantec,
> > McAfee, Panda, Trend Micro.
> >
> > The reason I am questioning these files is because Symantec AV picked up
a
> > program and called it remacc.radmin and there are various files
associated
> > with it. They are:
> >
> > svhost.exe
> > raddrv.dll
> > nvsvc.exe
> > admdll.dll
> >
> > I would like to delete them or find some comfort in knowing I already
got
> > rid of the virus and trojan. The funny thing seems to be that the
Trojans
> > will just leave programs behind that are normal programs like unrar for
> > instance.
> >
> > Please help
> >
> > --
> > Bill Mitchell
> > IT Man
> > New2it
>
>