| Thread ID: 88237 | 2008-03-20 07:30:00 | Virus, Trojan, Spyware infection | colinf (13530) | Press F1 |
| Post ID | Timestamp | Content | User |
| 651921 | 2008-03-23 13:39:00 | Hi to apsattv: Have just run PrevX CSI, it found the following problem: C:\WINNT\FireFoxUpdater.exe InMem: 0 Det [BP] MD5: FAA78EA3E3964F414A3008A86CCF6661 PX5: 0BAA5BC3000B3E9C426C003ED7AB18008700E3C6 Malware Group: Trojan.DownZero. I can supply the whole log if you wish. Colin / Is there more? Sure, post the whole log. Lot of hits on a search for "firefoxupdater.exe" in Google. Hmm? A lot are Asian.. Over to you speedy? :banana | apsattv (7406) |
| 651922 | 2008-03-23 22:19:00 | That downloader can be removed... Download the OTMoveIt by OldTimer (download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe). Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINNT\FireFoxUpdater.exe Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Click the red Moveit! button. Close OTMoveIt. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. | Pancake (6359) |
| 651923 | 2008-03-23 22:28:00 | Hi I have run the registry repair program. It reported the repair was successful. However regedit is still not runnable unless it is renamed, and the registry entries are still locked. Colin | colinf (13530) |
| 651924 | 2008-03-23 22:32:00 | Hi Have run OTMoveIt and it has moved the file successfully. Colin | colinf (13530) |
| 651925 | 2008-03-23 22:48:00 | Do you have a repair/setup disc? If you do it looks like you will have to do a system repair. vistahomepremium.windowsreinstall.com | Pancake (6359) |
| 651926 | 2008-03-23 22:49:00 | Hi Have rebooted, and run Prevx again. It reports no problems. Regedit and locked reg entries problems remain. I don't have a Windows 2000 Pro setup CD, could I download one from the web somewhere? It occurs to me that some malware has the capability to stop regedit from running and may be capable of locking registry entries. A shell command redirect, or some-such. Is it possible that some malware is still on the pc, but well hidden? Or maybe some of the malware already removed has left the registry lock behind it? Colin | colinf (13530) |
| 651927 | 2008-03-23 23:13:00 | Hi "I don't have a Windows 2000 Pro setup CD, could I download one from the web somewhere?" No, unless it's pirated. Have u got any version of Windows on CD? | Speedy Gonzales (78) |
| 651928 | 2008-03-23 23:27:00 | I can get hold of XP Home or Vista Home Premium. Do you have a preference? Colin | colinf (13530) |
| 651929 | 2008-03-23 23:32:00 | Are they legit?? Never used Vista, probably never will. It'll probably be better doing a clean install / and reinstalling whatever version | Speedy Gonzales (78) |
| 651930 | 2008-03-24 01:25:00 | Hi I have just googled "Windows 2000 locked registry keys" and one of the links mentions Regedt32.exe, a registry editor in Win 2k that can change permissions of registry keys and values. I found the file on the system I am repairing, but had to rename it to get it to work. It allows me to change the permissions on the locked registry keys from read only to full control and thereby delete them. However there are literally hundreds of entries to delete and it will take me hours to fix them. Is it possible for one of you script experts to write a script to delete the appropriate key from a combofix log or whatever? Or shall I continue to do it the hard way? I have renamed my version of regedt32.exe to reg32.exe. Note to Speedy: Both XP Home and Vista Home Premium are legal, and the Vista is running on my personal pc. Also, have run Trojan Remover and it is still giving Access Denied messages when I try to delete the suspicious debugger entries during the scan. Colin | colinf (13530) |
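The permission reset Colin is doing by hand in regedt32, as an added PowerShell example (not code from this thread or any of its posters): it audits the Debugger entries and scripts the take-ownership, grant-full-control, delete sequence for one listed key. It assumes the "suspicious debugger entries" are Image File Execution Options Debugger values (the usual reason regedit only runs once it is renamed) and needs Windows PowerShell in an elevated session, so it targets a newer Windows than the Windows 2000 box in the thread.

```powershell
# Added example, not from the thread. An IFEO subkey named after a program with a
# Debugger value makes Windows start that "debugger" instead of the program; a
# renamed copy of regedit.exe has no matching subkey, so it still runs.
$Ifeo = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    # Audit step: report every IFEO subkey carrying a Debugger value so the
    # bogus ones can be reviewed before anything is deleted.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Ifeo)
    foreach ($name in $root.GetSubKeyNames()) {
        try {
            $sub = $root.OpenSubKey($name)
            $dbg = $sub.GetValue('Debugger'); $sub.Close()
        } catch { $dbg = '<access denied>' }   # a key admins cannot read is itself worth a look
        if ($dbg) { [pscustomobject]@{ Image = $name; Debugger = $dbg } }
    }
    $root.Close()
}

function Remove-LockedRegistryKey {
    # The regedt32 fix, scripted: take ownership, grant Administrators full
    # control, then delete the key and everything below it.
    param([string]$SubKeyPath)   # path below HKLM, e.g. "$Ifeo\regedit.exe"
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $rights = [System.Security.AccessControl.RegistryRights]
    $sects  = [System.Security.AccessControl.AccessControlSections]
    $admin  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    # 1. Take ownership. The owner always holds WRITE_DAC, so step 2 then works
    #    however far the DACL was cut down. This open needs SeTakeOwnershipPrivilege
    #    enabled in the token; if it is refused, enable that privilege first.
    $key = $hklm.OpenSubKey($SubKeyPath, $check, $rights::TakeOwnership)
    if (-not $key) { Write-Warning "$SubKeyPath not found"; return }
    $acl = $key.GetAccessControl($sects::Owner)
    $acl.SetOwner($admin); $key.SetAccessControl($acl); $key.Close()
    # 2. Grant Administrators full control on the key and its subkeys.
    $key  = $hklm.OpenSubKey($SubKeyPath, $check, $rights::ChangePermissions)
    $acl  = $key.GetAccessControl($sects::Access)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admin, $rights::FullControl, 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule); $key.SetAccessControl($acl); $key.Close()
    # 3. Now the key can be deleted like any other.
    $hklm.DeleteSubKeyTree($SubKeyPath)
}

# Review the audit output first, then remove only the confirmed hijacks, e.g.:
Get-IfeoDebuggerEntries | Format-Table -AutoSize
# Remove-LockedRegistryKey "$Ifeo\regedit.exe"
```

The audit lists legitimate entries too (some debugging tools register themselves the same way), so check each Debugger path before removing its key.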