Possible Virus?
  • Possible Virus?

    Kerio Firewall asked for permission for ccases.exe to run (c:\winnt\system32\ccases), and the file had the .rar icon with an upwards-pointing arrow.

    Anyway, it created a couple (maybe more) of .exe files, both of which asked permission to run(?). dqddss.exe kept asking permission to run or whatever from Kerio Firewall. I can't delete dqddss.exe and I can't stop it running in the Windows Task Manager.

    Is this a virus??? How can I delete it??? Thanks!

    Night of the Werewolves II
    HarryPotterwars
    A Thief's Guide to Thievery for UT (video not complete yet)

  • #2
    Well,

    First, check if it's a virus => Google search.
    When you're sure it is, you should use an antivirus program.

    How I delete those undeletables:

    1. Reboot Windows into safe mode.
    2. Go to "Start/Run", type "msconfig" and check the "Services" and "Startup" tabs. If you find the calls for this exe, disable it.
    3. Delete the file and/or folder.
    4. Check the file "wininit.ini" for any entry that might call that exe. (Easier: if you have that file, just delete it.)
    5. Go to "Start/Run", type "regedit" and search for that exe file to delete it.

    NOTE: be as sure as possible that those exes are a virus before you delete them. If not, just do step 2 and see what happens, whether all programs run or not. Maybe it's an exe for some program you use.

    A real huge Man will neither stamp on a Worm, nor crawl for an Emperor

    Thievery Customs Center
    Vietcong Customs Center

  • #3
    Thanks, Brody. I tried googling for the files but I couldn't find them. Another one is cacasp.exe, which is trying to get permission from my firewall. It was also created today! Aargggh.

  • #4
    That really sounds like a typical virus, a backdoor thingy. Go and delete those things.

  • #5
    How did it get in? Did I d/l something, or is there a vulnerable entry point?

    OK, I disabled ddqdsznfqs, which runs dqddss.exe. This entry appeared twice in msconfig. I also disabled DSAcass, which runs cacasp.exe. I deleted those 2 .exe files (there is only 1 copy of each on my computer; I used search). I also deleted ccases, which I think created them.

    Do I still need to use regedit and wininit.ini?

    Thanks BrodyMan!

  • #6
    Unsure; I assume you got it by downloading something, yes.

    Well, the wininit.ini step I suggest you do. You can't crash anything by deleting it. wininit.ini is usually an empty file, and it is used only by programs that got installed and need to overwrite existing files that were in use while installing. For those, the installing program writes into wininit.ini to install the rest on the next boot. That is what you see when booting: "system refresh".

    Just delete the wininit.ini. Then do a new boot and check what happens.
    I assume the regedit way will still need to be done, but check it. Do you have an antivirus program?

  • #7
    Yeah, I got NAV, AVG, Ad-aware, SD&D, TCMonitor (which went off, but I don't know how to use it properly). Therefore I assume it's the American Government and their Patriot Act.

    Are you saying I should completely delete wininit.ini and then reboot into normal Windows? I just want to clarify before I do something that could crash the computer.

  • #8
    1) Uncheck everything - except for processes you know that you need - in MSCONFIG while in safe mode.

    2) Reboot into normal mode.

    3) Run a virus scan, or just delete the files. Personally, I'd do a scan.

    4) Problem solved.

  • #9
    I tried scanning those files individually and it didn't find any problem. I have deleted them now, but I just want to check with Brody before I delete wininit.ini.

    I used regedit and found dqddss.exe and another one. I deleted them.

  • #10
    Yes, but you know, whether that helped or not, you'll only see after a reboot.

  • #11
    Oh, I see wininit.ini is not a Windows file - it's a keylogger. Yeah, I found and deleted the file and its regedit entry.

    I'm looking through the registry, and according to this site (http://www.2-files.com/filename/wininit-ini) there is a list of .dll's associated with wininit.ini. I found them in my registry, but I can't delete them from the registry. I can't find the files themselves.
    I have found in the registry:
    rmtcore.dll
    msrac32.dll
    mserrtc.dll
    wininit.ini

    I'll reboot in safe mode and see if I can delete them then.

  • #12
    Hm, no. Don't delete those dlls.

    The wininit.ini is a file used by programs that need to overwrite Windows files that are currently in use by Windows while the install runs. Then the program cannot finish the installation and writes the install commands that still need to be done into the wininit.ini, so the install finishes automatically at the Windows boot.

    If you delete those dlls you found, you would disable the full function of wininit.ini, which is very bad. The wininit.ini can be misused by those trojan viruses, yes, but the wininit.ini is needed by some programs sometimes, too.

    The function you should keep. Just delete the wininit.ini, and no bad program that might currently be listed in it is able to install itself anew with each reboot.

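The boot-time replace mechanism Brody describes in #12 (and the wininit.ini check in step 4 of #2) can be triaged offline instead of just deleting the file. The following is an added example, not code from this thread: it parses the [rename] section of a constructed wininit.ini (assumed format: one `destination=source` line per pending operation, with `NUL` as destination meaning "delete source") and flags entries that would drop a watch-listed file name or write into the system directory on the next boot.

```python
import re

# Constructed sample wininit.ini (not taken from the thread). Windows processes
# the [rename] section once at the next boot: each line is destination=source,
# and a destination of NUL means "delete source".
SAMPLE_WININIT_INI = """\
[rename]
NUL=C:\\WINNT\\TEMP\\setup01.tmp
C:\\WINNT\\SYSTEM32\\mfc42.dll=C:\\WINNT\\TEMP\\mfc42.new
C:\\WINNT\\SYSTEM32\\dqddss.exe=C:\\WINNT\\TEMP\\dqddss.tmp
"""

# Names the thread reports as suspicious (assumption: the analyst fills this
# set from their own findings; nothing here is a verified indicator).
WATCHLIST = {"ccases.exe", "dqddss.exe", "cacasp.exe"}


def parse_rename_section(text):
    """Return (destination, source) pairs found under [rename]."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue                      # section header
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            ops.append((dest, src))
    return ops


def basename(path):
    """Case-folded file name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ops):
    """Attach triage flags to each pending operation."""
    findings = []
    for dest, src in ops:
        flags = []
        if dest.upper() == "NUL":
            flags.append("delete")
        elif re.search(r"\\system(32)?\\", dest, re.IGNORECASE):
            flags.append("writes into system dir")
        if basename(dest) in WATCHLIST or basename(src) in WATCHLIST:
            flags.append("watch-list name")   # would reinstall at boot
        findings.append((dest, src, flags))
    return findings
```

Running `classify(parse_rename_section(open(path).read()))` on a real file lists what the next boot would change, so a legitimate installer's pending copy can be told apart from a re-drop of a deleted executable.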
  • #13
    Yeah, well, I did my best to delete them, but these .dll's kept coming back:
    msu00mwin.dll
    swebhlp.dll
    mserrtrc.dll

    So how do I know if there's something wrong with the wininit.ini file? How do I know if wininit.ini is functioning correctly now?
    PS: Thanks for the help, Brody.

    EDIT: I don't have wininit.ini on my computer anymore. Is that a problem?

  • #14
    Usually the wininit.ini file is empty.
    Its use is temporary, by programs you install that might not finish the install because dlls are in use by Windows.

    When you have nothing being installed, you can do nothing wrong by deleting this file. Any program that might need it will create it.

  • #15
    So I'm OK then?