RBOT? mcafe32.exe, navprotect.exe
Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Fri Jan 21, 2005 4:18 pm    Post subject: RBOT? mcafe32.exe, navprotect.exe

O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe

I believe this one is RBOT...
O4 - HKLM\..\Run: [Windows Media Player] msams.exe

No information on them anywhere.


_________________
[Malware Removal and Prevention] [Malware Complaints]
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11725

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri Jan 21, 2005 10:43 pm    Post subject:

Well, here is some info about:

Mcafe32

Windows Media Player

http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm

You have a Trojan virus which you picked up probably through the use of file sharing software like KaZaA, or through downloading and installing something from a malicious web page. At the time of writing, 16‑Jan‑2005, this Trojan is not picked up by the majority of antivirus programs.

Recommendation :
Get rid of this immediately
.....

MSAMS.EXE

WORM_RBOT.AHR

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RBOT.AHR
.........

O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe

seems to be: "Backdoor.Win32.Rbot.gen" Virus.

HTH


_________________
"Wisdom is not a product of schooling but of the life-long attempt to acquire it."
- Albert Einstein (1879-1955)


Microsoft MVP - Consumer Security 2006 - 2008
Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Fri Jan 21, 2005 10:57 pm    Post subject:

Excellent, thanks for that.


Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11725

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri Jan 21, 2005 11:00 pm    Post subject:

You're welcome.


TonyKlein

Site Moderator
Microsoft MVP

Joined: Oct 15, 2002
Posts: 13113
Location: Netherlands
MIRT Moderators MVP Premium Security Experts

PostPosted: Mon Jan 24, 2005 2:37 pm    Post subject:

Thanks for picking this up, Marianna.

And of course thank you for submitting these, Mere_Mortal.


Added to the List: CastleCops Link/s6981-mcafe32_exe.html and CastleCops Link/s6982-navprotect_exe.html


_________________
Tony - CLSID List
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11725

MVP Premium Rootkit Experts Security Experts

PostPosted: Mon Jan 24, 2005 4:53 pm    Post subject:

You're welcome, Tony. Teamwork is everything.


Magic_Marker

Cadet


Joined: Jan 24, 2005
Posts: 3
Location: USA

PostPosted: Mon Jan 24, 2005 5:53 pm    Post subject:

Hello everyone,

Was wondering what people are using to remove mcafe32.exe? It doesn't seem to be stopped by Norton Antivirus (with dat files from the 20th).

I've attempted to remove the item from the registry but it appears to reinfect itself.

Also, has anyone had the problem with this causing a SYN flood and crashing a wireless network?

Thanks!

Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Mon Jan 24, 2005 6:18 pm    Post subject:

You're welcome, Tony.

Hi Magic_Marker, welcome to CCSP.

Check the link for information...
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RBOT.AHR

You could by all means post a HijackThis Log to the main forum CastleCops Link/f67-Trend_Micro_HijackThis_Logs.html

Regards,
M_M


Magic_Marker

Cadet


Joined: Jan 24, 2005
Posts: 3
Location: USA

PostPosted: Mon Jan 24, 2005 8:18 pm    Post subject:

M_M cool thanks!

Question: it doesn't seem to mention mcafe32.exe; it points to different exe files. Is this the same thing? Sorry, I don't have the machine available right now, but I may send a hijack log later to see what people think.

M

Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Mon Jan 24, 2005 8:51 pm    Post subject:

Well, it appears to be rather new, which is why it's in fact posted in here in the first place. There's not much mention of it anywhere, so consequently there'll be no specific fix for it. That's not to say a manual removal is out of the question though.

It is likely an updated version of the RBOT Worm.


Magic_Marker

Cadet


Joined: Jan 24, 2005
Posts: 3
Location: USA

PostPosted: Tue Jan 25, 2005 4:24 pm    Post subject:

Just wanted to give an update.

In Windows normal mode I just couldn't get things cleaned out completely and it kept reinfecting. I was using Spybot and Microsoft Anti-Spy; both indicated they removed everything, but after a reboot they were always back or came back after a few minutes.

Unplugged from the network.

Disabled system restore.

I booted in safe mode, deleted any of the run keys that appeared to be related (I don't remember which ones but there were a lot). Rebooted and went back into safe mode.

I downloaded the latest antivirus .dat files from Symantec, installed them and did a full drive scan. (I saved the .dat to CD, then installed from CD.) Something in the antivirus was fixed when I ran the Intelligent Updater; it indicated it had fixed some components. Had some files that didn't want to delete, so I went into c:\documents and settings\username\local settings\temporary internet files and deleted the directories that contained the virus files.

Rebooted and ran both Spy Sweeper and Microsoft Anti-Spy. Spy Sweeper seemed to remove all other traces of adware/spyware. Rebooted and went into safe mode again. I ran Spy Sweeper again just to check, then ran Anti-Spy for that extra measure. Just for grins I rebooted back into safe mode and ran antivirus again. No infected files found. I'm going to run a few more tests on the machine, but so far nothing has resurfaced. I'll keep you updated.


MM

BCG

Cadet


Joined: Jan 26, 2005
Posts: 1
Location: USA

PostPosted: Wed Jan 26, 2005 9:40 pm    Post subject:

According to Symantec definitions 1/25/04 this is a variant of Spybot Worm.
We have this all over our network; it's bogging down LAN traffic pretty bad.

Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Wed Jan 26, 2005 10:47 pm    Post subject:

I believe they are the same problem.

IRC.Sdbot [McAfee]
WORM_RBOT [Trend Micro]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.gen [Kaspersky]

Trend have updated their listing to include WORM_RBOT.AIJ,
which mentions NAVPROTECT.EXE...

http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.AIJ

Also check Pest Patrol's information...
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437


Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Wed Jan 26, 2005 11:39 pm    Post subject:

I've just come across these removal tools...

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.zip

Might be useful?


lshy

Trooper


Joined: Feb 02, 2005
Posts: 12
Location: USA

PostPosted: Wed Feb 02, 2005 3:04 pm    Post subject: Navprotect.exe == msfwe1.exe

Hi all,
I'm new here... and new to WIN2000 as well. (I upgraded from ME, which has been a PAINFUL process.) At any rate, Spysweeper keeps finding navprotect.exe trying to load upon startup. It's in the registry folder HKCU: Run and its location is msfwe1.exe.

I've googled msfwe1.exe and can't find anything on it. I thought someone here might know what it is and if it's even safe.

As a reference, I don't have NAV installed on my computer...and don't know why anything involving Navprotect would be popping up. Furthermore, I did try and remove it prior to the last reinstall of Win2000 and after removing it, the next day I was bombarded with like 700 spyware traces.

Help!
Thanks
Leah
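Added example, not from this thread and not part of HijackThis: a small Python checker that reads O4 lines like the ones Mere_Mortal quoted at the top of the thread and the HKCU entry lshy describes, and flags the patterns that make such entries worth a second look: a value name that borrows a product name while launching a different file, a value name that is itself an .exe name different from the file launched, a bare filename with no directory, and a filename that imitates an antivirus vendor. The product-to-executable table and the vendor fragment list are assumptions for illustration, not an authoritative list.

```python
import re
# HijackThis O4 line: "O4 - HKLM\..\Run: [Value Name] command"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed (illustrative) table: product names that malware borrows for its value
# name, mapped to the executable the genuine product actually starts from.
KNOWN_PRODUCT_EXE = {"windows media player": {"wmplayer.exe"},
                     "nav auto protect": {"navapw32.exe"}}
# Vendor-name fragments used to flag look-alike filenames such as mcafe32/navprotect.
VENDOR_LOOKALIKES = ("mcafe", "nav", "norton", "symantec")

def parse_o4(line):
    """Split an O4 line into hive, key, value name, command and executable basename."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe_token = cmd.split()[0].strip('"')  # first token is the executable
    basename = exe_token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "cmd": cmd, "exe": basename, "has_path": "\\" in exe_token}

def check_o4(line):
    """Return the reasons an O4 entry looks suspicious (empty list if none)."""
    e = parse_o4(line)
    if e is None:
        return ["unparseable O4 line"]
    reasons, name = [], e["name"].strip().lower()
    expected = KNOWN_PRODUCT_EXE.get(name)
    if expected and e["exe"] not in expected:
        reasons.append(f"'{e['name']}' normally starts {sorted(expected)}, not {e['exe']}")
    if name.endswith(".exe") and name != e["exe"]:
        reasons.append(f"value name {name} does not match launched file {e['exe']}")
    if not e["has_path"]:
        reasons.append(f"bare filename {e['exe']}, no directory, resolved via search path")
    if any(v in e["exe"] for v in VENDOR_LOOKALIKES):
        reasons.append(f"{e['exe']} imitates an antivirus vendor name")
    return reasons

# Constructed sample: the entries quoted in the thread plus one benign line for contrast.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe",
    r"O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe",
    r"O4 - HKLM\..\Run: [Windows Media Player] msams.exe",
    r"O4 - HKCU\..\Run: [navprotect.exe] msfwe1.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:  # print each entry with its reasons indented beneath it
        print(line, *("\n   ! " + r for r in check_o4(line)))
```

Only the benign ctfmon.exe line comes back with no reasons; the four entries from the thread each get at least two.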
