
Recommended Posts

Posted (edited)

Whenever I open cmd.exe,

avast! warns that the files named

scrsys16_061230.scr

winsys16_061230.dll

are infected by Win32:hupigon-BQO [Trj]

and

winsys32_061230.dll is infected by Win32:Delf-ECW [Trj].

Then I press "move to chest".

This appears every time cmd is opened.

I tried boot-time scanning and deleted these files, but they reappear when cmd opens.

Also tried the Microsoft Malicious Software Removal Tool.

I am using XP SP2 RTM with avast! 4.7 Home Edition.

EDIT:

It is a trojan.

Sorry, I mistyped the trojan name; now it's corrected.

Edited by Innocent Devil

Posted

I'd try a different antivirus if that one isn't working (AVG is free).

Also, I was unable to find any information on 'Win32:hupogon-BQO'. If you need help with this virus, it might help us to know what exactly it's called.

Posted

It sounds like they're getting restored from the dllcache folder. So you may want to try going into the command prompt and running sfc /purgecache then scanning your Windows directory for viruses.

Posted

As I said, I tried boot-time scanning and found nothing.

If I set it to ignore in avast (clicking the "No action" button),

another problem happens: some process opens iexplore.exe and it consumes memory; there are lots of iexplore.exe processes in taskmgr.

Let me check once more with boot-time scanning .....

Posted

Once you'll have cleaned those very visible things, get interested in the several invisible and stable rootkits your system is likely to be infected with.

Posted (edited)

Just get IceSword and look in the process list for items in RED. Those are items that are not visible to the OS directly (aka rootkits).

There are other ways to find 'em, but IceSword has never let me down.

Edited by geek

Posted

cmd.exe problem solved :thumbup

It's due to some AutoRun entry in HKLM\software\Microsoft\Command Processor

{thanks to Sysinternals Autoruns}

It loads into memory via Userinit {HKLM\Software\Microsoft\windows NT\CurrentVersion\winlogon}

userinit=C:\WINDOWS\system32\userinit.exe,rundll32.exe userinit.exe,rundll32.exe,rundll32.exe start,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start

I deleted it and put just

C:\WINDOWS\system32\userinit.exe

What is supposed to be the default Userinit value??

Now, the problem is from winlogon and iexplore.exe.

After loading the desktop,

iexplore.exe runs in the background;

by checking with Unlocker, it is locked by winlogon.exe.

How to prevent this? Why is winlogon starting it??

The root of the trojan is still hidden (and I can't unhide folders, it just resets)

and can be seen in the list of screensavers as scrsys16_061230.
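The two persistence points found above (the Winlogon Userinit value and the Command Processor AutoRun value) plus the Explorer "Hidden" value type are easy to audit from PowerShell. The script below is an added example, not code from the thread; it assumes Windows PowerShell with the HKLM:/HKCU: drives and should run elevated. On a stock XP install the Userinit value is exactly `C:\WINDOWS\system32\userinit.exe,` (trailing comma included), and Command Processor AutoRun is absent.

```powershell
# Added audit script (not from the thread). Assumes Windows PowerShell with
# registry access; run elevated so the HKLM values are readable.
$findings = @()

# 1. Winlogon Userinit: stock value is "<SystemRoot>\system32\userinit.exe," (with comma).
#    Anything appended after it, as in the thread, is run at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -and ($userinit -ne $expectedUserinit)) {
    $findings += "Userinit is '$userinit' (expected '$expectedUserinit')"
}

# 2. Command Processor AutoRun: cmd.exe executes this value every time it starts.
#    It does not exist by default, so any value at all is worth a look.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Command Processor"
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autorun) { $findings += "$hive Command Processor AutoRun is set: '$autorun'" }
}

# 3. Explorer\Advanced\Hidden is normally REG_DWORD; a REG_SZ here matches the
#    "cannot unhide folders" symptom described later in the thread.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
try {
    $hiddenKind = (Get-Item -Path $adv -ErrorAction Stop).GetValueKind('Hidden')
    if ($hiddenKind -ne 'DWord') {
        $findings += "Explorer\Advanced\Hidden has type $hiddenKind (expected DWord)"
    }
} catch {
    $findings += "Could not read Explorer\Advanced\Hidden: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No suspicious persistence entries found.' } else { $findings }
```

Each finding is reported rather than fixed, so the values can be compared against Autoruns output before anything is changed.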

Posted (edited)
Now, the problem is from winlogon and iexplore.exe.

After loading the desktop,

iexplore.exe runs in the background;

by checking with Unlocker, it is locked by winlogon.exe.

How to prevent this? Why is winlogon starting it??

My guess is you have a kernel mode rootkit installed which is responsible for that. It is very likely that your iexplore.exe process is the genuine Internet Explorer that has been launched by it, has been injected with so-called FWB code by it and serves as a backdoor server. Well, it is a possible explanation.

You should look at your system with IceSword recommended above IMO.

Edited by eidenk

Posted

Checked with IceSword, found nothing in red.

BTW, the iexplore.exe problem is solved too.

It's because I hadn't configured the Phone and Modem options in the Control Panel.

After setting region and code and all, I rebooted; thereafter no iexplore.exe process was initiated by winlogon.exe.

(I dunno why I should set this, as I use a cable internet connection going directly to the LAN card :crazy: )

To conclude, I hope the problem is ALMOST solved.

Still, the presence of scrsys16_061230.scr in the Screensaver list is a problem.

When I select it, avast detects it and moves it to the chest (I'm afraid even that triggers the reactivation of the trojan).

Another problem to add is that I can't unhide folders (it resets back to hide folders).

In the registry I found that HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

is a REG_SZ value; is it actually a REG_DWORD?

Manually making it a DWORD fails, as it automatically reverts back to REG_SZ.
