A Digital Age Deserves A Digital Leader

Emergency Help Needed!

Emergency Help Needed!

Postby RIP! » Fri Jan 10, 2003 4:37 pm

Hi all ... as u may or may not have read in another thread I have located a virus on my system. Well the prob. is the object that has the BackDoor.Optix Trojan is in my Windows\System32\regsrv.exe file and it tells me that it can't heal it, that the file must be removed.

Now from the name of the file I gather that it has something to do with my registry only I am not sure what and can't locate any info. I am using AVG (latest ver. / dat files) and I am not sure if I should remove the file or ignore it and try some other AV pgm. or just what I should do here.

If anyone can help me out here I would greatly appreciate it.

Thanks,
RIP!

Postby Yappinator » Fri Jan 10, 2003 4:46 pm

Hey Rip

I recommend going to

http://www.trendmicro.com

And doing a scan without registering. May trend has a fix

Also here

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optix.04.b.html


good luck

yaps
Yappinator

Postby Mac33 » Fri Jan 10, 2003 5:04 pm

Nice one Karen...RIP let us know how you get on, and if you have further problems we are here to help you.
all the best :huzzah:
PROfessional Member
User avatar
Posts: 4910
Joined: Tue Mar 12, 2002 4:55 pm
Location: Scotland

Postby XP Maniac » Fri Jan 10, 2003 5:06 pm

Just DELETE the file, I dont think that file should actually exist, but there are a few named simillar to it.

Delete the file is my advice.
Last edited by XP Maniac on Fri Jan 10, 2003 5:09 pm, edited 1 time in total.
Dave Partridge

The Security Installer
PROfessional Member
User avatar
Posts: 93
Joined: Sat Jul 13, 2002 11:36 pm
Location: The West Midlands, UK.

Postby purplehawk » Fri Jan 10, 2003 5:09 pm

Delete it.
purplehawk

Postby s. sengupta » Fri Jan 10, 2003 6:05 pm

Simple removal or deletion will not solve the case.As we all know that trojans execute lots of things and run in the background.So you have to delete the values from the registry too.Otherwise it will again create problems.

What you will do:-
1]Run a full system scan, and delete all files that are detected as Backdoor.Optix.
2] Remove the value from the registry:-
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value

winhelperapp %system%\msdodi.exe

5. Exit the Registry Editor.

[b] End The Trojan Process
:-

1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to sort the processes alphabetically.
5. Scroll through the list, and look for Msdodi.exe
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.
Image
Further :- http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optix.04.b.html
Last edited by s. sengupta on Fri Jan 10, 2003 6:22 pm, edited 1 time in total.
Image
PRO Level 15
User avatar
Posts: 1226
Joined: Wed Jun 26, 2002 11:52 am
Location: India

Postby Yappinator » Fri Jan 10, 2003 6:11 pm

After Backdoor.Optix.04.b is installed, it waits for commands from the remote client. The commands allow the hacker to perform the following actions:

Deliver system and network information, including login names and cached network passwords, to the hacker.
Manage the installation of the Trojan.
Download and execute files.


Scary! This is from the http://securityresponse.symantec.com/av ... .04.b.html

Link
Yappinator

Postby *Starz* » Fri Jan 10, 2003 6:14 pm

Thanks ssg & Yaps...

Keeping that information on file... :yesnod:
[align=center]Image

~ You Are Never Given A Wish Without Being Given The Power To Make It Come True ~[/align]
PRO Level 16
User avatar
Posts: 1893
Joined: Sat Aug 17, 2002 1:05 am
Location: Great Smoky Mountains

Postby RIP! » Fri Jan 10, 2003 6:37 pm

Hey all ... Thanks for all the input.

After about 4 diff. scan pgms. scanning my system there was a total of 2 files find by 3 of them and neither of the 3 was my default AV pgm. :( so I guess you know I will be changing that.

Ok, I was able to delete the winamp file that was in my windows\system32 folder but I wasn't able to del. the regsrv.exe file that is there. SS I have chk'ed the Reg. and the key isn't there nor is the msdodi.exe in the running processes. So I am going to try a safe boot and see can I delete the regsrv.exe and then do a couple more scans and I will let you all know how it goes.

Thanks once again.
RIP!

Postby RIP! » Fri Jan 10, 2003 7:28 pm

Well I think I might be in trouble here.... :cry:

I am on my second system right now, I done what I said I was going to try on my main system (safe boot and del that regsrv.exe file). After I done that things stopped working for me and AVG keep telling me that there was a trojan infection on my system to run a full scan, yet I can't load AVG and I don't see the icon in the systray.

I checked the runing proccesses once again for the msdodi.exe file and it's not there, and I can't open regedit now to see if it managed to put some other run file there.

I am at a total lose as to what to do besides a clean install and I can't afford to lose stuff that is on my system, not to mention the down time. This is my lifes blood here..... :cry:
RIP!

Next

Return to Security & Virus

Who is online

Users browsing this forum: No registered users and 0 guests

cron
cron