Renos.y trojan in XP Professional

Thread starter: Gary Adams Lsu Edu

Gary Adams Lsu Edu

Guest
Virus or trojan in my Windows XP desktop.

Live OneCare found: renos.y

This XP Professional Compaq Evo has a trojan or virus.

It was cleaned with:

1. Ad Aware
2. Spy Bot Search and Destroy
3. Microsoft Live One Care

Somewhere in the registry there is a startup or run command that created an
executable file in the c:\Windows\Temp directory. But I cannot find it.
I tried Autoruns but I cannot find the startup command.
Here is the registry info relating to the new file found in the Temp folder
after each restart.
The filename changes at each restart.

PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

Pending Rename Operations
CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Session Manager
PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

ControlSet003
BackupRestore
KeysNotToRestore
Pending Rename Operations
CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

ControlSet same as above

Session Manager
PendingFileRenameOperations
\??\C:\WINDOWS\TEMP\E1167036.exe

Is it somewhere in the autostart area of the registry?
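The PendingFileRenameOperations value quoted above is worth decoding before hunting further for a Run key. It is a REG_MULTI_SZ of source/destination string pairs that the Session Manager processes at the next boot; a source followed by an empty destination is a delete-at-next-boot request (what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes), and a destination prefixed with "!" is a rename that replaces an existing file. So the entry in the post records that the Temp file was scheduled for deletion, not what created it, which is why searching Autoruns for that path turns up nothing. The decoder below is an added example, not part of the original post or of any tool mentioned in the thread. The sample bytes are constructed here: the first pair reproduces the path from the post, the other two pairs are invented to show the rename and replace forms.

```python
"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ).

Added example; not part of the original thread. The value lives under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager and is a list of
NUL-terminated UTF-16LE strings taken in pairs:

    source, destination, source, destination, ...

Rules the Session Manager applies at the next boot:
  * destination empty            -> delete source
  * destination starts with "!"  -> rename, replacing an existing target
  * otherwise                    -> plain rename
Paths use the NT form "\\??\\C:\\...". Because an empty destination is
itself just a NUL, a delete entry shows up as consecutive NULs, which is
why a naive split-on-double-NUL parser truncates the list there.
"""
from typing import Dict, List

NT_PREFIX = "\\??\\"


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split raw REG_MULTI_SZ bytes into strings, keeping interior empties."""
    pieces = raw.decode("utf-16-le").split("\0")
    # The list terminator (an extra NUL) and any padding produce trailing
    # empties; drop them. A missing final empty destination is restored
    # by pair_up(), which pads an odd-length list.
    while pieces and pieces[-1] == "":
        pieces.pop()
    return pieces


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pair_up(strings: List[str]) -> List[Dict[str, str]]:
    """Turn the flat string list into {op, source, dest} records.

    Works on decode_multi_sz() output and on the list that
    winreg.QueryValueEx() returns for a REG_MULTI_SZ value.
    """
    items = list(strings)
    if len(items) % 2:          # last source had an empty (delete) dest
        items.append("")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append({"op": "delete", "source": _strip_nt_prefix(src), "dest": ""})
        elif dst.startswith("!"):
            ops.append({"op": "replace", "source": _strip_nt_prefix(src),
                        "dest": _strip_nt_prefix(dst[1:])})
        else:
            ops.append({"op": "rename", "source": _strip_nt_prefix(src),
                        "dest": _strip_nt_prefix(dst)})
    return ops


def encode_multi_sz(strings: List[str]) -> bytes:
    """Inverse of decode_multi_sz(); used here only to build the sample."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_pending_renames(raw: bytes) -> List[Dict[str, str]]:
    return pair_up(decode_multi_sz(raw))


# Constructed sample: the first pair reproduces the path from the post
# (a deferred delete); the other two pairs are invented to show the
# rename and replace-existing forms.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\TEMP\\E1167036.exe", "",
    "\\??\\C:\\WINDOWS\\TEMP\\upd.tmp", "\\??\\C:\\WINDOWS\\system32\\upd.dll",
    "\\??\\C:\\WINDOWS\\TEMP\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",
])


if __name__ == "__main__":
    for rec in decode_pending_renames(SAMPLE_VALUE):
        arrow = f" -> {rec['dest']}" if rec["dest"] else ""
        print(f"{rec['op']:8} {rec['source']}{arrow}")
```

On a live XP box the same records come from `winreg.QueryValueEx(key, "PendingFileRenameOperations")` opened under `HKEY_LOCAL_MACHINE` at `SYSTEM\CurrentControlSet\Control\Session Manager`; that call already returns the string list, so pass it straight to `pair_up()`. The raw-bytes decoder is for exported .reg data or an offline SYSTEM hive. A delete record for a file in Temp tells you only that something asked for a boot-time delete; the creator still has to be found in the usual autostart locations or by watching what writes to Temp before the next reboot.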
 
Re: Renos.y trojan in XP Professional

Gary Adams Lsu Edu wrote:

> Virus or trojan in my Windows XP desktop.
>
> Live OneCare found: renos.y
>
> This XP Professional Compaq Evo has a trojan or virus.
>
> It was cleaned with:
>
> 1.  Ad Aware
> 2.  Spy Bot Search and Destroy
> 3.  Microsoft Live One Care
>
> Somewhere in the registry there is a startup or run command that created
> an executable file in the c:\Windows\Temp directory.  But I cannot find it.
> I tried Autoruns but I cannot find the startup command.
> Here is the registry info relating to the new file found in the Temp
> folder after each restart.
> The filename changes at each restart.
>
> PendingFileRenameOperations
> \??\C:\WINDOWS\TEMP\E1167036.exe
>
> Pending Rename Operations
> CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
>
> Session Manager
> PendingFileRenameOperations
> \??\C:\WINDOWS\TEMP\E1167036.exe


(snippage)

It probably has a guard file. Since I don't know how you cleaned (e.g., did
you do prep work? scan in Safe Mode?), follow the general malware removal
steps at this link:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, get guided help. Choose one of the specialty forums
listed at the first link. Register and read its posting FAQ. PLEASE DO NOT
POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 
RE: Renos.y trojan in XP Professional

Turn System Restore off and back on to flush the virus from the restore
folder.

Run a clean-up tool to remove the other virus from the other temp folders
http://securitynewsfromthenet.blogspot.com/2007/03/clean-up-tools-to-prevent-people-from.html


Run Malwarebytes Anti-Malware
http://securitynewsfromthenet.blogspot.com/2008/03/malwarebytes-anti-malware-105.html

Run an online scan
http://spywarefighter.blogspot.com/2008/09/eset-online-scan.html
http://spywarefighter.blogspot.com/2008/09/trend-micro-housecall-online-virus-scan.html
 