
Renos.y trojan in XP Professional



Guest Gary Adams Lsu Edu
Posted

Virus or trojan in my Windows XP desktop.

Live care found; renos.y

This XP Professional Compaq Evo has a trojan or virus.

It was cleaned with;

1. Ad Aware
2. Spy Bot Search and Destroy
3. Microsoft Live One Care

Somewhere in the registry there is a startup or run command that created an executable file in the c:\Windows\Temp directory. But I cannot find it.
I tried Autoruns but I cannot find the startup command.
Here is the registry info relating to the new file found in the Temp folder after each restart.
The filename changes at each restart.

PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

Pending Rename Operations
CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Session Manager
PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

ControlSet003
BackupRestore
KeysNotToRestore
Pending Rename Operations
CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

ControlSet same as above

Session Manager
PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

It is somewhere in the autostart area of the registry?
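
An added example, not part of the original post: the `PendingFileRenameOperations` value quoted above is the Session Manager's queue of file renames and deletions to carry out at the next boot, stored as a REG_MULTI_SZ of source/destination pairs, and this Python sketch decodes such a value. The sample bytes, the second entry and the empty destination for the post's file are constructed assumptions, since the post shows only the path.

```python
import ntpath

NT_PREFIX = "\\??\\"                     # NT object-manager prefix on each path
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


def split_multi_sz(raw: bytes) -> list:
    """Split raw REG_MULTI_SZ bytes (UTF-16LE) without losing empty strings."""
    parts = raw.decode("utf-16-le").split("\x00")
    if parts and parts[-1] == "":
        parts.pop()                      # artifact of the final NUL
    if len(parts) % 2 and parts[-1] == "":
        parts.pop()                      # the list terminator itself
    return parts


def _clean(path: str) -> str:
    """Drop the leading \\??\\ prefix so the path reads as a normal DOS path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> list:
    """Return one dict per queued operation: source, dest, action, flag."""
    parts = split_multi_sz(raw)
    ops = []
    for i in range(0, len(parts) - 1, 2):
        src, dst = parts[i], parts[i + 1]
        replace = dst.startswith("!")    # '!' = overwrite an existing target
        if replace:
            dst = dst[1:]
        action = "delete" if dst == "" else ("replace" if replace else "rename")
        src = _clean(src)
        in_temp = "\\temp\\" in src.lower()
        is_exec = ntpath.splitext(src)[1].lower() in EXEC_EXTS
        ops.append({"source": src, "dest": _clean(dst), "action": action,
                    "temp_executable": in_temp and is_exec})
    return ops


# Constructed sample: first path is from the post, everything else is made up.
SAMPLE = [r"\??\C:\WINDOWS\TEMP\E1167036.exe", "",
          r"\??\C:\Program Files\Example\new.dll",
          r"!\??\C:\Program Files\Example\app.dll"]
SAMPLE_RAW = ("\x00".join(SAMPLE) + "\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_RAW):
        print(op)
```

An entry whose destination is empty is a deletion scheduled for the next boot, which is how a file that is locked while Windows is running gets removed; the value is a to-do list for file moves, not a location that launches programs.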

Posted

Gary Adams Lsu Edu wrote:

> Virus or trojan in my Windows XP desktop.
>
> Live care found; renos.y
>
> This XP Professional Compaq Evo has a trojan or virus.
>
> It was cleaned with;
>
> 1. Ad Aware
> 2. Spy Bot Search and Destroy
> 3. Microsoft Live One Care
>
> Somewhere in the registry there is a startup or run command that created
> an executable file in the c:\Windows\Temp directory. But I cannot find it.
> I tried Autoruns but I cannot find the startup command.
> Here is the registry info relating to the new file found in the Temp
> folder after each restart.
> The filename changes at each restart.
>
> PendingFileRenameOperations
> \??\C:\WINDOWS\TEMP\E1167036.exe
>
> Pending Rename Operations
> CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
>
> Session Manager
> PendingFileRenameOperations
> \??\C:\WINDOWS\TEMP\E1167036.exe

(snippage)

It probably has a guard file. Since I don't know how you cleaned (e.g., did you do prep work? scan in Safe Mode?), follow the general malware removal steps at this link:

http://www.elephantboycomputers.com/page2....emoving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, get guided help. Choose one of the specialty forums listed at the first link. Register and read its posting FAQ. PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

Guest Dell Techie
Posted

Turn off and turn your system restore back on to flush the virus from the restore folder.

Run a clean up tool to remove the other virus from other temp folders
http://securitynewsfromthenet.blogspot.com...eople-from.html

Run Malwarebytes Anti-Malware
http://securitynewsfromthenet.blogspot.com...alware-105.html

Run an online scan
http://spywarefighter.blogspot.com/2008/09...nline-scan.html
http://spywarefighter.blogspot.com/2008/09...virus-scan.html

  • 2 months later...
Posted

DELL techie, I hope that's just your handle not your job. It comes close to being rule one for malware removal...as well as downloading in general..ALWAYS go to the source, even if innocently intended..spyware fighter to trend micro gives more garbage double the chance to get in.

Physician heal thyself,

Darrel

"Dell Techie" wrote:

> Turn off and turn your system restore back on to flush the virus from the
> restore folder.
>
> Run a clean up tool to remove the other virus from other temp folders
> http://securitynewsfromthenet.blogspot.com...eople-from.html
>
> Run Malwarebytes Anti-Malware
> http://securitynewsfromthenet.blogspot.com...alware-105.html
>
> Run an online scan
> http://spywarefighter.blogspot.com/2008/09...nline-scan.html
> http://spywarefighter.blogspot.com/2008/09...virus-scan.html
