Infected File

Discussion in 'Security and Privacy' started by willieboye, 2002/05/03.

Thread Status:
Not open for further replies.
  1. 2002/05/03
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    McAfee VS6.02 found an infected file: C:\WINDOWS\ausvc.exe.
    Virus: Downloader-W. I am running WIN98. I have run disk cleanup. Went to Start/Windows Explorer/checked the files. Found "ausvc.exe". Cleaning, quarantine and delete failed. Error message: Access to File denied. I have failed to get back to McAfee, but they had previously told me that this was a MS problem. Is there a solution? TIA, willieboy
     
  2. 2002/05/03
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    You should be able to delete it by booting to a native dos session.
    I would rename it first and see if the system still boots without any problems. Then if you think you need to delete it, you should now be able to do it in Windows since it's renamed and surely not actively being used.

    Good luck.

    ps, To boot to a native dos session, press and hold the f8 key following POST (beep) and you should get the menu screen to allow you to boot dos.

    The command for doing the rename is:

    ren c:\windows\ausvc.exe ausvc.xxx

    Just in case you needed that.
     
    Last edited: 2002/05/03

  4. 2002/05/03
    JohnB Lifetime Subscription

    JohnB Well-Known Member

    Joined:
    2002/01/07
    Messages:
    856
    Likes Received:
    11
    Did a search on my Win98SE OS for *ausvc* and came up with nothing. So looks like you may be able to delete that file safely.

    Here's some more info on ausvc.exe at this URL. Here

    Click on "A" on the index and scroll down the list until you find the ausvc.exe file name. It is inserted as a result of a virus.

    John
     
    Last edited: 2002/05/03
  5. 2002/05/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
  6. 2002/05/04
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Thank you Zephyr and JohnB. A lot of good info there! But I am still in a quandary. I tried to go to the 'native DOS session' as you suggested. When I clicked on F8 up came: NORMAL, LOGGED (BOOTLOG.TXT), SAFE MODE, STEP BY STEP CONFIRMATION, COMMAND PROMPT ONLY and SAFE MODE COMMAND PROMPT ONLY. Is one of these the proper one? If it doesn't say exactly what I am looking for, I am really lost! I still can't just delete the ausvc.exe file. The computer won't let me. Right now I am a little bleary eyed trying different paths. willieboye
     
  7. 2002/05/04
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    Choose Command Prompt Only from that menu and you'll be on the way.

    When you get the DOS prompt (black screen with white text on it) that will be what is referred to as a native DOS session in this case.

    Go ahead and issue the commands I gave earlier. You may choose to just delete the file outright, that's your privilege and will cause no harm in this case since that's the recommended procedure for this particular virus elimination method.

    Good luck and post back if you need further. Don't go through a lot of grief by not asking for guidance when needed.
     
  8. 2002/05/04
    JohnB Lifetime Subscription

    JohnB Well-Known Member

    Joined:
    2002/01/07
    Messages:
    856
    Likes Received:
    11
    Hi again! You need to select "COMMAND PROMPT ONLY" from the list. This will get you into a "native DOS" session with only the C:\ prompt showing. None of your drivers/cd-rom/os will be loaded. If the ausvc.exe file is in the C:\Windows directory as you indicated, type the following at the C:\ prompt and "enter" after each line:

    cd windows
    del ausvc.exe

    This should give you a message that one file has been deleted and delete the offending file. When finished use Control>Alt>Delete to restart your computer.

    Good luck and post back good or bad.

    JohnB

    Edit: Looks like Zephyr beat me to the punch by 4 min., at least we both gave you the same info.:)
     
    Last edited: 2002/05/04
  9. 2002/05/04
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    OOOOPS, sorry Brett. I completely missed your posting. In a hurry to get started. You gave me the incentive to contact McAfee again. This time I got some answers. I don't know what happened yesterday, but they sloughed me off. I just completed an hour+ Scan from DOS and the virus was deleted. So I am very happy. Zephyr and John B...thanks again, especially with the follow through!! (I have been trying to remember where I saw the "Startup in DOS". In the 'START/SHUTDOWN' window, of course.) Again thanks to all for your efforts. This case is now closed!! willieboye
     
  10. 2002/05/06
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    The link brett gave you said,
    Before you "close the case", review your IE Internet Zone security settings (tools/internet options) and install the latest Microsoft Virtual Machine. See http://www.microsoft.com/technet/security/bulletin/ms00-075.asp for details.
     
  11. 2002/05/06
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Hello Alice,
    And here I thought that I was home free. I find that I have Build 3309. Am I correct to assume that I should download MS VM Build 3805?

    And thank you for the alert. I DO need a lot of help!!
     
  12. 2002/05/06
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Absolutely and you can get it here.
     
  13. 2002/05/06
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi willieboye,

    As brett said you should download and install the Microsoft VM Build 3805 since your version 3309 is way outdated and vulnerable.
     
  14. 2002/05/09
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Hi Alice and Brett.
    Thanks for the additional info. Now I have to figure out how to download the file. Tried over eight times yesterday and could only go as far as 14%, then the connection is broken. I tried earlier today and got as far as 16%. willieboye
     
  15. 2002/05/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You didn't say if you were doing a "save" or "open" type of download. My strong preference is to save the file on my PC and then install.

    Also, you might have better luck with the download if using some 3rd party program that will hit multiple sites with the file and pull pieces from each site and re-assemble them on your PC. These same programs have support for "resume a blown download from where it blew up" feature that will work if the site supports "resume" which m$ does.

    There are a number of programs available. My favorite is DAP which you can get from Here. About 1.4Mb and will integrate with your browser to become your default download program if you wish. They have a free version and a pro version you have to pay for. I do fine with the free one.
     
  16. 2002/05/12
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Thank you, Newt.
    Just before I read your reply I was finally able to download the 'repair' file. I checked Start, Run, Command and JVIEW. I find that I now have 'build 3805'. So I guess everything is updated.
    I did a 'save' download, and believe that I will take your advice and go to a third party download helper.
    My sincere thanks to all who replied to this thread. A great amount of valued advice!! It all helped. willieboye
     
  17. 2002/05/12
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Hi again,

    Glad to hear you were able to download and install the VM update and that JVIEW now shows you are at version .3805

    If you want to keep on top of the Microsoft Security updates, look
    HERE every so often for the updates that apply to your system or sign up for the e-mail notification. The update you just installed is listed as
    MS02-013: 04 March 2002 Cumulative VM Update

    You could also check the announcements about security updates that are posted in this forum.
     
  18. 2002/05/13
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Hello Alice,
    Again thanks. I tried the link, but up popped the 'cannot find page', so I will have to try again later. I appreciate you getting me "straightened out". willieboye
     
  19. 2002/05/14
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
  20. 2002/05/14
    willieboye

    willieboye Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    63
    Likes Received:
    0
    Hi Alice,
    Once again I must thank you. You are just too good to me.
    Yesterday I found that my DUN was missing a few items. I have updated this. So things should be much better now. Again, I can not thank you enough. And especially check back more often.
    willieboye
     