Can I delete?

Discussion in 'Trojan Defence Suite' started by TOONEW, Sep 5, 2003.

Thread Status:
Not open for further replies.
  1. TOONEW

    TOONEW Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    2
    I ran my scan and I got these two alarms, but I'm not sure if I can delete them?
    Scan Control Dumped @ 21:03:11 04-09-03
    RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server=C:\WINDOWS\winserv.exe]

    RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]

    Any and all help is appreciated. Thanks...
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi TOONEW and welcome

    Yes, you should delete those registry entries, but you should search for the files as well. Have a look here:
    http://www.sophos.com/virusinfo/analyses/trojimiserv.html
    After you have done this, restart your system and scan again to see if they have really gone.
    Dolf
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi TOONEW and welcome!

    And if you're on XP or ME you should make a new restore point so they don't come back either.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Welcome Toonew. If you can tell us a little more about your system, OS, security software etc., there may be other recommendations that can help you secure your system.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you still have the files wupdt.exe and winserv.exe, email them to gavin@diamondcs.com.au for confirmation :) You should delete the registry entries immediately and reboot. If they are still there, then make sure the EXE files are not running -

    In TDS, go to System Analysis, Process List and find wupdt.exe or winserv.exe, right click, choose Kill Process.

    Then from the same menu, choose Autostart Explorer and ensure the 2 registry keys you noted are gone.

    Reboot, trojan essentially dead as it can't start itself :D
    Delete the files if detected in a file scan; please send them in for confirmation - or in case they are a new variant!
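
A read-only way to confirm the outcome of the steps in this thread (Run values gone, processes not running, files absent), written in PowerShell as an added example that is not from any poster or from TDS. The value names and file paths are taken from the scan output in the first post; the script layout and variable names are this example's own.

```powershell
# Added example: read-only check for the leftovers named in the scan output.
# Value names and paths are copied from the thread; nothing is deleted or killed.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$traces = @(
    @{ Value = 'Win Server';      File = 'C:\WINDOWS\winserv.exe' },
    @{ Value = 'Win Server Updt'; File = 'C:\WINDOWS\wupdt.exe' }
)

$results = foreach ($t in $traces) {
    # Autostart entry: does the Run value still exist, and what does it point to?
    $entry   = Get-ItemProperty -Path $runKey -Name $t.Value -ErrorAction SilentlyContinue
    $runData = $null
    if ($entry) { $runData = $entry.($t.Value) }

    # Running process: Get-Process matches on the name without the .exe extension.
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($t.File)
    $procs    = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

    # File on disk: -Force so hidden or system attributes do not hide it.
    $file = Get-Item -LiteralPath $t.File -Force -ErrorAction SilentlyContinue

    # Hash any remaining file so the exact sample can be identified later.
    # This can come back empty if the running process holds the file locked.
    $hash = $null
    if ($file) {
        $h = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { $hash = $h.Hash }
    }

    [pscustomobject]@{
        RunValue   = $t.Value
        RunData    = $runData
        ProcessIds = ($procs | ForEach-Object { $_.Id }) -join ','
        FilePath   = $t.File
        FileOnDisk = [bool]$file
        SHA256     = $hash
        Clean      = (-not $entry) -and ($procs.Count -eq 0) -and (-not $file)
    }
}

$results | Format-List
if ($results | Where-Object { -not $_.Clean }) {
    Write-Warning 'At least one trace is still present; re-check after the reboot.'
}
```

Run it from an elevated prompt before and after the reboot; a trace counts as gone only when the Run value, the process and the file are all absent.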
     