
Ilomo trojan-regscan- how do I zap this thing?



Guest Chopper
Posted

CA anti-spyware scan detects Ilomo Trojan in regscan.exe and tries to quarantine unsuccessfully. If I turn off auto quarantine I get a buffer over-run. When I re-scan right away, I get the same results. I can't find regscan.exe on my hard drive, either searching manually or with the search function. I have everything turned on to show hidden and system files. CA anti-virus shows no infection.

I'm running win2k, SP4, update rollup 1 v2. When I boot into safe mode it takes a long, long time, and any program I try to run starts very slowly. Task manager doesn't show anything out of the ordinary running, either in normal boot or safe mode. Could the extremely slow boot into safe mode be related to this trojan?

Latest scan log:

1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1
1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1
1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1

I also have temp files in temp directories (local disk\Documents and Settings\Administrator\Local Settings\Temp) with names like ~DF11F8.tmp that don't delete when I clear cache, and when I try to manually delete them I get a message saying they are in use, and new temp files immediately appear with similar names. Older temp files can be deleted, but not the new ones that are spawned. Is this normal or could it be related to this trojan?

My desktop icons randomly relocate on boot up, and I noticed a file named index.dat in local disk\Documents and Settings\Administrator\Local Settings\History\history.IE5 and other locations that doesn't delete when I clear cache. I also find desktop.ini files buried in subfolders under the temporary internet files folders. Could these be related to the trojan?

I have googled this problem and gone to quite a few sites including CA, McAfee, Eset, Trend Micro and others and can't find an answer on how to eliminate this pest.

Reading between the lines of what I have found, I think I need to edit the registry and delete the hkey_user data, but I'm not real familiar with how to do it safely. I believe I need to delete regscan.exe also, but to re-iterate, I can't find it on disk.

Any advice would be appreciated, with enough detail for someone not real familiar with editing the registry.
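The three scan-log records above tell a defender more than the OP draws out: one is a file detection, one is an autostart value under a specific user's Run key, and the last shows the file being quarantined while nothing says the Run value was removed. The SID in that key ends in RID 500, which is always the built-in Administrator account, so the persistence lived in the Administrator profile's hive. As an added example that is not part of the original thread and not CA's code, here is a small Python parser for records in the format shown; the field layout and the treatment of `hkey_user` as an alias for HKEY_USERS are inferred from these three lines and are assumptions, and the sample input is the post's log re-joined onto one line per record.

```python
"""Parse CA Anti-Spyware scan-log records in the format pasted above and
classify them as file detections or registry autostart entries.  The
field layout and the 'hkey_user' hive alias are inferred from the three
log lines in the post (an assumption, not CA's documented format)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the three records from the post, each re-joined
# onto one line (the newsgroup client had wrapped the registry record).
SAMPLE_LOG = [
    r'1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1',
    r'1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1',
    r'1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1',
]

RECORD_RE = re.compile(
    r'^(?P<ts>\S+ [AP]M) , (?P<action>\w+) , (?P<name>[^,]+) , (?P<kind>[^,]+) , '
    r'(?P<target>.+) , (?P<code>-?\d+)$')
FILE_RE = re.compile(r'^File "(?P<path>[^"]+)"$')
KEY_RE = re.compile(r'^Key "(?P<key>[^"]+)" value "(?P<value>[^"]*)"$')
# Domain/machine SID followed by the relative identifier (RID) of the account.
SID_RE = re.compile(r'(S-1-5-21(?:-\d+){3})-(\d+)', re.IGNORECASE)
HIVE_ALIASES = {"hkey_user": "HKEY_USERS", "hkey_users": "HKEY_USERS",
                "hkcu": "HKEY_CURRENT_USER", "hklm": "HKEY_LOCAL_MACHINE"}


@dataclass
class Detection:
    when: datetime
    action: str            # Detected, Quarantined, ...
    name: str              # threat name as the scanner reports it
    kind: str              # Trojan, Adware, ...
    target_type: str       # "file" or "key"
    path: Optional[str]    # file path for file records
    key: Optional[str]     # normalised registry key for key records
    value: Optional[str]   # registry value name for key records
    code: int


def normalise_key(raw: str) -> str:
    """Expand the hive alias to its canonical name and collapse the doubled
    backslash the log emits after the SID."""
    hive, _, rest = raw.partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.upper())
    return hive + "\\" + re.sub(r"\\{2,}", r"\\", rest)


def parse_record(line: str) -> Detection:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    when = datetime.strptime(m["ts"], "%m/%d/%Y-%I:%M:%S %p")
    common = (when, m["action"], m["name"].strip(), m["kind"].strip())
    fm = FILE_RE.match(m["target"])
    if fm:
        return Detection(*common, "file", fm["path"], None, None, int(m["code"]))
    km = KEY_RE.match(m["target"])
    if km:
        return Detection(*common, "key", None, normalise_key(km["key"]),
                         km["value"], int(m["code"]))
    raise ValueError(f"unrecognised target: {m['target']!r}")


def owner_of_key(key: str) -> Optional[Tuple[str, int, bool]]:
    """For an HKEY_USERS\\<SID>\\... key return (sid, rid, is_builtin_admin).
    RID 500 is always the built-in Administrator account."""
    m = SID_RE.search(key)
    if not m:
        return None
    rid = int(m[2])
    return (f"{m[1]}-{rid}", rid, rid == 500)


def summarize(lines: List[str]) -> dict:
    """Group the records into what was quarantined and which autostart
    (Run / RunOnce) values were only detected, i.e. may still be present."""
    records = sorted((parse_record(l) for l in lines if l.strip()), key=lambda d: d.when)
    files = [d for d in records if d.target_type == "file"]
    runs = [d for d in records if d.target_type == "key"
            and re.search(r"\\Run(Once)?$", d.key, re.IGNORECASE)]
    leftover = [(d.key, d.value) for d in runs if d.action != "Quarantined"]
    owners = {owner_of_key(k) for k, _ in leftover} - {None}
    return {
        "families": sorted({d.name for d in records}),
        "files_detected": sorted({d.path for d in files}),
        "files_quarantined": sorted({d.path for d in files if d.action == "Quarantined"}),
        "leftover_autostarts": leftover,
        "builtin_admin_profile_affected": any(o[2] for o in owners),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the sample, `summarize` reports the file as quarantined and the Administrator profile's Run value "Regscan" as a leftover autostart, which matches the OP's observation that the file is gone from disk while the scanner keeps flagging the key. An autostart value that points at a file that no longer exists fails silently at logon, so the remaining cleanup step is the registry value, not the file.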

Guest Danny Sanders
Posted

Re: Ilomo trojan-regscan- how do I zap this thing?

 

When you get a virus there is really no way to know if you have *really* gotten rid of it or not. What happens if you jump through all the hoops and rings you find here and there about getting rid of this Trojan and you think you have everything cleaned up and working nicely, and the first time you open notepad, which is really his file he renamed and put there just for this purpose, the Trojan gets installed again and opens the door to your server to him again?

The point is you can go through and do everything you see on the 'net about getting rid of the Trojan but there is just no way to be sure there are no renamed Windows files on that server that will open it up as soon as you think you are done. The *only* way to be sure is to format - reinstall and restore from a backup before the Trojan hit. Sure it's a lot of work but it's a lot of work to jump through all the hoops and edit the registry only to find that the is back after rebooting the server. Cut out the extra work and format - reinstall and restore from a backup before the Trojan hit.

Use the time you would have spent trying to get rid of the thing to secure the server. Install virus software, make sure the server is regularly updated, lock down the firewall in front of this server and make sure only the necessary services are exposed to the Internet, and make sure to keep on top of patching those exposed services.

Recover quickly and spend your time making sure it doesn't happen again.

hth
DDS

 

 

"Chopper" <HeyJoe@nospam.net> wrote in message

news:478e2ab6$0$18416$4c368faf@roadrunner.com...

> CA anti-spyware scan detects Ilomo Trojan in regscan.exe and tries to

> quarantine unsuccessfully. If I turn off auto quarantine I get a buffer

> over-run. When I re-scan right away, I get the same results. I can't find

> regscan.exe on my hard drive, either searching manually or with search

> function. I have everything turned on to show hidden and system files. CA

> anti-virus shows no infection.

>

> I'm running win2k, Sp4, update rollup 1 v2. When I boot into safe mode it

> takes a long, long time, and any program I try to run starts very slowly.

> Task manager doesn't show anything out of the ordinary running, either in

> normal boot or safe mode. Could the extremely slow boot into safe mode be

> related to this trojan?

>

> Latest scan log:

> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File

> "C:\WINNT\system32\regscan.exe" , -1

> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1

> 1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File

> "C:\WINNT\system32\regscan.exe" , -1

>

> I also have temp files in temp directories-local disk\Documents and

> Settings\Administrator\Local Settings\Temp- with names like ~DF11F8.tmp

> that

> don't delete when I clear cache and when I try to manually delete I get

> message saying they are in use and new temp files immediately appear with

> similar names. Older temp files can be deleted, but not the new ones that

> are spawned. Is this normal or could it be related to this trojan?

>

> My desktop icons randomly relocate on boot up, and I noticed file named

> index.dat in - local disk\Documents and Settings\Administrator\Local

> Settings\History\history.IE5 and other locations that don't delete when I

> clear cache. Also find desktop.ini files buried in subfolders under

> temporary internet files folders. Could these be related to trojan?

>

> I have googled this problem and gone to quite a few sites including CA,

> Mcafee, Eset, Trend Micro and others and can't find an answer how to

> eliminate this pest.

>

> Reading between the lines of what I have found, I think I need to edit the

> registry and delete the hkey_user data, but I'm not real familiar with how

> to do safely. I believe I need to delete regscan.exe also, but to

> re-iterate, I can't find it on disk.

>

> Any advice would be appreciated, with enough detail for someone not real

> familiar with editing the registry.

>

>

Guest Pegasus (MVP)
Posted

Re: Ilomo trojan-regscan- how do I zap this thing?

 

 

"Danny Sanders" <DSanders@NOSPAMciber.com> wrote in message

news:OvQyaAGWIHA.2268@TK2MSFTNGP02.phx.gbl...

> When you get a virus there is really no way to know if you have *really*

> gotten rid of it or not. What happens if you jump through all the hoops

> and rings you find here and there about getting rid of this Trojan and you

> think you have everything cleaned up and working nicely, and the first

> time you open notepad, which is really his file he renamed and put there

> just for this purpose, the Trojan gets installed again and opens the door

> to your server to him again?

>

> The point is you can go through and do everything you see on the 'net

> about getting rid of the Trojan but there is just no way to be sure there

> are no renamed Windows files on that server that will open it up as soon

> as you think you are done. The *only* way to be sure is to format -

> reinstall and restore from a backup before the Trojan hit. Sure it's a lot

> of work but it's a lot of work to jump through all the hoops and edit the

> registry only to find that the is back after rebooting the server. Cut out

> the extra work and format - reinstall and restore from a backup before the

> Trojan hit.

>

> Use the time you would have spent trying to get rid of the thing to secure

> the server. Install virus software make sure the server is regularly

> updated, lock down the firewall in front of this server and make sure only

> the necessary services are exposed to the Internet and make sure to keep

> on top of patching those exposed services.

>

> Recover quickly and spend your time making sure it doesn't happen again.

>

> hth

> DDS

>

>

> "Chopper" <HeyJoe@nospam.net> wrote in message

> news:478e2ab6$0$18416$4c368faf@roadrunner.com...

>> CA anti-spyware scan detects Ilomo Trojan in regscan.exe and tries to

>> quarantine unsuccessfully. If I turn off auto quarantine I get a buffer

>> over-run. When I re-scan right away, I get the same results. I can't find

>> regscan.exe on my hard drive, either searching manually or with search

>> function. I have everything turned on to show hidden and system files. CA

>> anti-virus shows no infection.

>>

>> I'm running win2k, Sp4, update rollup 1 v2. When I boot into safe mode it

>> takes a long, long time, and any program I try to run starts very slowly.

>> Task manager doesn't show anything out of the ordinary running, either in

>> normal boot or safe mode. Could the extremely slow boot into safe mode be

>> related to this trojan?

>>

>> Latest scan log:

>> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File

>> "C:\WINNT\system32\regscan.exe" , -1

>> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1

>> 1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File

>> "C:\WINNT\system32\regscan.exe" , -1

>>

>> I also have temp files in temp directories-local disk\Documents and

>> Settings\Administrator\Local Settings\Temp- with names like ~DF11F8.tmp

>> that

>> don't delete when I clear cache and when I try to manually delete I get

>> message saying they are in use and new temp files immediately appear with

>> similar names. Older temp files can be deleted, but not the new ones that

>> are spawned. Is this normal or could it be related to this trojan?

>>

>> My desktop icons randomly relocate on boot up, and I noticed file named

>> index.dat in - local disk\Documents and Settings\Administrator\Local

>> Settings\History\history.IE5 and other locations that don't delete when I

>> clear cache. Also find desktop.ini files buried in subfolders under

>> temporary internet files folders. Could these be related to trojan?

>>

>> I have googled this problem and gone to quite a few sites including CA,

>> Mcafee, Eset, Trend Micro and others and can't find an answer how to

>> eliminate this pest.

>>

>> Reading between the lines of what I have found, I think I need to edit

>> the

>> registry and delete the hkey_user data, but I'm not real familiar with

>> how

>> to do safely. I believe I need to delete regscan.exe also, but to

>> re-iterate, I can't find it on disk.

>>

>> Any advice would be appreciated, with enough detail for someone not real

>> familiar with editing the registry.

>>

 

Well said. There is another angle to it too: unless the virus is extremely well documented, the OP will never know what damage it did. Some of the damage may not become apparent until much later. Many virus writers derive pleasure from corrupting a file here, a registry entry there, often randomly.

Guest chopper
Posted

Re: Ilomo trojan-regscan- how do I zap this thing?

 

I appreciate the quick response to my inquiry. "Scorched earth" may be best in the long run, but I would like to just take out the pest instead of burning everything down and starting over. I was able to get rid of it with "hijackthis", a very powerful general purpose malware remover, but it must be used with extreme caution. I hardened all defenses, firewall, router, anti-virus, anti-spyware; so far everything is running fine.

If I do a format and re-install, is there any advantage to going with XPpro or XPpro 64bit over win2k? I have both, but am concerned about drivers for the 64bit version for printer, scanner, camera, etc. I have all the 64bit drivers for the computer's internal hardware. I have found 64bit drivers for external hardware on some European support sites. I dual boot with vista currently, may try triple boot with XPpro, even quad boot with xppro64. That way if I can't find drivers for 64bit, I could use the hardware by rebooting to the alt. OS. I welcome your opinions.

Chopper

 

"Pegasus (MVP)" <I.can@fly.com.oz> wrote in message

news:e4ultEGWIHA.536@TK2MSFTNGP06.phx.gbl...

>

> "Danny Sanders" <DSanders@NOSPAMciber.com> wrote in message

> news:OvQyaAGWIHA.2268@TK2MSFTNGP02.phx.gbl...

> > When you get a virus there is really no way to know if you have *really*

> > gotten rid of it or not. What happens if you jump through all the hoops

> > and rings you find here and there about getting rid of this Trojan and you

> > think you have everything cleaned up and working nicely, and the first

> > time you open notepad, which is really his file he renamed and put there

> > just for this purpose, the Trojan gets installed again and opens the door

> > to your server to him again?

> >

> > The point is you can go through and do everything you see on the 'net

> > about getting rid of the Trojan but there is just no way to be sure there

> > are no renamed Windows files on that server that will open it up as soon

> > as you think you are done. The *only* way to be sure is to format -

> > reinstall and restore from a backup before the Trojan hit. Sure it's a lot

> > of work but it's a lot of work to jump through all the hoops and edit the

> > registry only to find that the is back after rebooting the server. Cut out

> > the extra work and format - reinstall and restore from a backup before the

> > Trojan hit.

> >

> > Use the time you would have spent trying to get rid of the thing to secure

> > the server. Install virus software make sure the server is regularly

> > updated, lock down the firewall in front of this server and make sure only

> > the necessary services are exposed to the Internet and make sure to keep

> > on top of patching those exposed services.

> >

> > Recover quickly and spend your time making sure it doesn't happen again.

> >

> > hth

> > DDS

> >

> >

> > "Chopper" <HeyJoe@nospam.net> wrote in message

> > news:478e2ab6$0$18416$4c368faf@roadrunner.com...

> >> CA anti-spyware scan detects Ilomo Trojan in regscan.exe and tries to

> >> quarantine unsuccessfully. If I turn off auto quarantine I get a buffer

> >> over-run. When I re-scan right away, I get the same results. I can't find

> >> regscan.exe on my hard drive, either searching manually or with search

> >> function. I have everything turned on to show hidden and system files. CA

> >> anti-virus shows no infection.

> >>

> >> I'm running win2k, Sp4, update rollup 1 v2. When I boot into safe mode it

> >> takes a long, long time, and any program I try to run starts very slowly.

> >> Task manager doesn't show anything out of the ordinary running, either in

> >> normal boot or safe mode. Could the extremely slow boot into safe mode be

> >> related to this trojan?

> >>

> >> Latest scan log:

> >> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File

> >> "C:\WINNT\system32\regscan.exe" , -1

> >> 1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1

> >> 1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File

> >> "C:\WINNT\system32\regscan.exe" , -1

> >>

> >> I also have temp files in temp directories-local disk\Documents and

> >> Settings\Administrator\Local Settings\Temp- with names like ~DF11F8.tmp

> >> that

> >> don't delete when I clear cache and when I try to manually delete I get

> >> message saying they are in use and new temp files immediately appear with

> >> similar names. Older temp files can be deleted, but not the new ones that

> >> are spawned. Is this normal or could it be related to this trojan?

> >>

> >> My desktop icons randomly relocate on boot up, and I noticed file named

> >> index.dat in - local disk\Documents and Settings\Administrator\Local

> >> Settings\History\history.IE5 and other locations that don't delete when I

> >> clear cache. Also find desktop.ini files buried in subfolders under

> >> temporary internet files folders. Could these be related to trojan?

> >>

> >> I have googled this problem and gone to quite a few sites including CA,

> >> Mcafee, Eset, Trend Micro and others and can't find an answer how to

> >> eliminate this pest.

> >>

> >> Reading between the lines of what I have found, I think I need to edit

> >> the

> >> registry and delete the hkey_user data, but I'm not real familiar with

> >> how

> >> to do safely. I believe I need to delete regscan.exe also, but to

> >> re-iterate, I can't find it on disk.

> >>

> >> Any advice would be appreciated, with enough detail for someone not real

> >> familiar with editing the registry.

> >>

>

> Well said. There is another angle to it too: Unless the virus is extremely

> well documented, the OP will never know what damage it did. Some

> of the damage may not become apparent until much later. Many virus

> writers derive pleasure from corrupting a file here, a registry entry there,

> often randomly.

>

>

