Spybot - hpsebc08.exe and msdirectx.sys
Authored by: mechBgon on Monday, March 21, 2005
Thanks for the detailed writeup! I made a couple rules for VirusScan Enterprise to block creation &/or execution of files by those names.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: asquemba on Tuesday, March 22, 2005
We applied these tasks:
1. Reboot, press F8 and select safe mode.
2. Log in as administrator.
3. Open Regedit, find all keys named IPOT USB Service DRIVER and delete them.
3.a Always remember to back up your Regedit (Murphy's law).
4. Save and close Regedit.
5. Find "hpsebc087.exe" in the system root's System32 (the virus is hidden like an operating system file) and delete it.
6. Scan manually with your antivirus.
7. Run Microsoft anti-spyware.
8. Run Windows Update.
9. Finally, you can call the "FROGMENGROUP".
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: Korosu_Itai on Friday, March 25, 2005
I had another variant of this virus. In my case the executable file was compaq.exe. All the other parameters were the same: the registry keys, the msdirectx.sys, the .pf file, and the file was in the System32 directory.
I had to boot from the WinXP CD into the Recovery Console in order to be able to delete the compaq.exe file. Once I did that, the computer returned to functioning as usual.
I hope this helps people with the same virus as us. Bye.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: mryerse on Friday, March 25, 2005
Thanks for the write-up on this. I was able to use Process Explorer to suspend and kill the process. I couldn't delete the exe though, for some reason. Updating my Symantec defs and rebooting allowed Auto-Protect to detect it on bootup. I had also killed the process and deleted all the reg keys that start it on boot. Not sure if this contributed to its removal or not.
Also, when I tried to access c$ or use remote assistance on the infected computer, it denied access until the virus was removed, even though I have local admin rights on it. Also, it was blocking vpc32.exe from running as well. Not sure exactly what all this thing is doing, but it seems to be an example of how bad viruses/spyware can get. I think it could get much worse than this.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: Webmaster on Friday, March 25, 2005
It's been several days, but I have only been able to find one antivirus company that can give a description about this virus - even Symantec's web site turns up zero results.
Sophos - W32.SDBot.WH Description
There we go, it's called W32.SDBot.WH.
For those of you struggling with an infected computer, here is a cleaning routine you can put to use. Copy this text into a batch file (i.e. whcleaner.bat):
rem Stop the running process first so the file is not locked
pskill.exe hpsebc08.exe
pause
rem Remove the autostart values that relaunch it at boot
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "IPOT USB Service DRV32" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "IPOT USB Service DRV32" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx /v "IPOT USB Service DRV32" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /v "IPOT USB Service DRV32" /f
pause
rem /a also matches hidden and system files, /f forces read-only ones
del /f /a "%SystemRoot%\System32\hpsebc08.exe"
pause
Then download the pskill utility at SysInternals.com (and extract the exe from the zip file), and place it in the same directory as the batch script. Double-click the script, and kill the virus.
I didn't bother with trying to remove msdirectx.sys because antivirus/antispyware already detects it.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: cbaron on Friday, March 25, 2005
I have a msdirectx.sys but there is no hpsebc08.exe. The runonce does not have any funny programs.
I have created an empty msdirectx.sys so it can not load. Is my computer semisafe?
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: cbaron on Friday, March 25, 2005
I did not like McAfee too much. Trend Micro found the virus for me. In my case the program was called sdkcore.exe.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: ambush on Wednesday, April 06, 2005
I searched the registry for both compaq.exe (found around 12 extra instances) and msdirectx.sys (found 4 extras) that were there as well as the runservices/run keys.
It's gone now though.
ambush
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: mechBgon on Friday, April 08, 2005
I was looking at Symantec's writeup on W32.Mytob.AD@mm and noticed they mentioned directx.sys as Hacktool.Rootkit (http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html).
"Hacktool.Rootkit is used to install backdoors on systems. They are made up of a variety of programs and scripts that break into systems and attempt to hide evidence of the intrusion. Attackers use these kits to gain Administrator or Superuser access on vulnerable systems."
Big picture: so now a mass-mailing worm has been enhanced with a rootkit sidekick. There'll undoubtedly be more where that came from.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: the lightning on Monday, May 09, 2005
I had the same problems, but the .exe file was smsmsgen.exe
Just thought you all should know.
Reply to This
Spybot - hpsebc08.exe and msdirectx.sys
Authored by: kbkuan on Thursday, May 12, 2005
This virus pretty sux. My Norton only picks up the msdirectx.sys but not the .exe file. Just delete all msdirect.sys files first; it doesn't affect the system. This virus crashes Norton altogether. In my case it is called systeminfos.exe. I suppose the name might be quite different on different computers, but it was named "compaq service driver : systeminfos.exe" in the same registry entry mentioned by others. Just search for and delete all entries associated with the infected .exe file. Also delete any you find in:
c:\windows
c:\windows\system32
c:\windows\prefetch
Reply to This
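Several posters above report the same infection under other file names (compaq.exe, sdkcore.exe, smsmsgen.exe, systeminfos.exe) and another value name ("compaq service driver"), which the fixed-name batch file earlier in the thread would not touch. The following PowerShell audit is an added example, not part of any post: it only lists matching entries in the same four autostart keys and deletes nothing. The function names and the sample entries are constructed for illustration.

```powershell
# Added example (not from the thread): read-only audit, deletes nothing.
# File and value names are only those reported by posters in this thread.
$ExeNames   = 'hpsebc08.exe', 'compaq.exe', 'sdkcore.exe', 'smsmsgen.exe', 'systeminfos.exe'
$ValueNames = 'IPOT USB Service DRV32', 'compaq service driver'
# The four autostart keys that the batch file in this thread cleans.
$Keys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices' |
    ForEach-Object { "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_" }

function Get-AutostartEntry {
    # Emit every value under the audited keys as Key/Name/Data objects.
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Data = [string]$item.GetValue($name) }
        }
    }
}

function Select-SuspectEntry {
    # Keep entries whose value name or target file name was reported in the thread.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $hit = $ValueNames -contains $Entry.Name
        foreach ($exe in $ExeNames) {
            # Match the bare file name with or without a path, quotes or arguments.
            $pattern = '(^|[\\/"\s])' + [regex]::Escape($exe) + '($|["\s])'
            if ($Entry.Data -match $pattern) { $hit = $true }
        }
        if ($hit) { $Entry }
    }
}

# Constructed sample entries, so the filter can be tried on a clean machine.
$sample = @(
    [pscustomobject]@{ Key = 'Run'; Name = 'IPOT USB Service DRV32'; Data = 'hpsebc08.exe' }
    [pscustomobject]@{ Key = 'RunServices'; Name = 'compaq service driver'; Data = 'C:\WINDOWS\System32\systeminfos.exe' }
    [pscustomobject]@{ Key = 'Run'; Name = 'Updater'; Data = '"C:\Program Files\Vendor\mycompaq.exe" /bg' }
)
$sample | Select-SuspectEntry | Format-Table -AutoSize   # lists the first two rows only

# On a live Windows host, audit the real keys.
if (Get-PSDrive HKLM -ErrorAction SilentlyContinue) {
    Get-AutostartEntry | Select-SuspectEntry | Format-List
}
```

Because the posters saw a different executable name on nearly every machine, an empty result only rules out the names listed here; reviewing the full output of Get-AutostartEntry covers names not yet reported.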