Can I delete?

Discussion in 'Trojan Defence Suite' started by TOONEW, Sep 5, 2003.

Thread Status:
Not open for further replies.
  1. TOONEW

    TOONEW Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    2
    I ran my scan and I got these two alarms, but I'm not sure if I can delete them.
    Scan Control Dumped @ 21:03:11 04-09-03
    RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server=C:\WINDOWS\winserv.exe]

    RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]

    Any and all help is appreciated. Thanks...
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi TOONEW and welcome

    Yes, you should delete those registry entries, but you should search for the files as well. Have a look here:
    http://www.sophos.com/virusinfo/analyses/trojimiserv.html
    After you have done this, restart your system and scan again to check whether they have really gone.
    Dolf
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi TOONEW and welcome!

    And if you're on XP or ME, you should make a new restore point so they don't come back either.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Welcome Toonew. If you can tell us a little more about your system (OS, security software, etc.), there may be other recommendations that can help you secure your system.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you still have the files wupdt.exe and winserv.exe, email them to gavin@diamondcs.com.au for confirmation :) You should delete the registry entries immediately and reboot. If they are still there, make sure the EXE files are not running:

    In TDS, go to System Analysis, Process List, find wupdt.exe or winserv.exe, right-click, and choose Kill Process.

    Then, from the same menu, choose Autostart Explorer and ensure the two registry keys you noted are gone.

    Reboot; the trojan is essentially dead as it can't start itself :D
    Delete the files if they are detected in a file scan, and please send them in for confirmation, or in case they are a new variant!
     
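As an added example (not code from this thread, from TDS or from DiamondCS), the script below parses the "RegVal Trace" / "File:" lines that TOONEW posted and turns them into the cleanup order Gavin describes: kill the process, remove the Run value, delete the file, reboot and rescan. The regular expressions, the constructed sample dump and the reg.exe delete commands it emits are my own assumptions about the log layout and the Windows side; the script only produces the plan and compares a rescan against the first dump, it does not touch a registry itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two alarms quoted in the first post, laid out the
# way the TDS scan dump in that post shows them.
SAMPLE_SCAN = r"""Scan Control Dumped @ 21:03:11 04-09-03
RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server=C:\WINDOWS\winserv.exe]

RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]
"""


@dataclass(frozen=True)
class RegValAlarm:
    detection: str   # e.g. "RAT.Imiserv"
    hive: str        # e.g. "HKEY_LOCAL_MACHINE"
    key: str         # registry key path below the hive
    value_name: str  # the Run value name, e.g. "Win Server"
    data: str        # the value data, here the path of the autostarted EXE

    @property
    def exe_name(self) -> str:
        """Bare file name of the autostarted executable (what Process List shows)."""
        return self.data.rsplit("\\", 1)[-1]


# Assumed layout: "RegVal Trace: <detection>: <hive>" followed by
# "File: <key> [<value name>=<data>]" on the next line.
TRACE_RE = re.compile(r"^RegVal Trace:\s*(?P<det>[^:]+?)\s*:\s*(?P<hive>\S+)\s*$")
FILE_RE = re.compile(r"^File:\s*(?P<key>.+?)\s*\[(?P<name>[^=\]]*)=(?P<data>[^\]]*)\]\s*$")


def parse_tds_regval_alarms(text: str) -> List[RegValAlarm]:
    """Pair each 'RegVal Trace' line with the 'File:' line that follows it."""
    alarms: List[RegValAlarm] = []
    pending: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            pending = (m.group("det"), m.group("hive"))
            continue
        m = FILE_RE.match(line)
        if m and pending is not None:
            alarms.append(RegValAlarm(pending[0], pending[1], m.group("key"),
                                      m.group("name").strip(), m.group("data").strip()))
            pending = None
    return alarms


HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def cleanup_plan(alarms: List[RegValAlarm]) -> List[Tuple[str, str]]:
    """Order the steps the way the thread does: stop the process first (so it
    cannot rewrite its Run value), then remove the autostart value, then the
    file, then reboot and rescan."""
    plan: List[Tuple[str, str]] = []
    for a in alarms:
        plan.append(("kill_process", a.exe_name))
    for a in alarms:
        hive = HIVE_ABBREV.get(a.hive, a.hive)
        # reg.exe syntax (assumption: XP or later, typed into a Windows shell)
        plan.append(("delete_reg_value",
                     f'reg delete "{hive}\\{a.key}" /v "{a.value_name}" /f'))
    for a in alarms:
        plan.append(("delete_file", a.data))
    plan.append(("reboot_and_rescan", ""))
    return plan


def still_present(before: List[RegValAlarm], after: List[RegValAlarm]) -> List[RegValAlarm]:
    """Alarms from a rescan that match the first dump. Anything returned was not
    removed (or came back), which is the cue to check Process List again."""
    seen = {(b.hive, b.key, b.value_name) for b in before}
    return [a for a in after if (a.hive, a.key, a.value_name) in seen]


if __name__ == "__main__":
    found = parse_tds_regval_alarms(SAMPLE_SCAN)
    for step, arg in cleanup_plan(found):
        print(f"{step:18} {arg}")
```

Feed it the text of a second scan dump after the reboot and `still_present` tells you which of the original Run values survived; an empty list is the "have they really gone" check Dolf asks for.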