Trojan?

Discussion in 'Trojan Defence Suite' started by grant, Jan 22, 2004.

Thread Status:
Not open for further replies.
  1. grant

    grant Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    11
    Hi People, after formatting, TDS3 comes up with this:
    RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]
    Is this a real trojan or a false alarm? I can delete the registry entry only until the next reboot, then it's back. Best, Grant
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    locate the file, send a zipped copy to submit@diamondcs.com.au to be sure
     
  3. grant

    grant Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    11
    Thanks Jooske, I can't find the file however. The last time I saw this file was when I had XP Pro. After 2 weeks I threw it away (after wiping the drive + fdisk/formatting), went back to 98 and never had another trojan alarm until I got XP Home.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Not necessarily a trojan; I googled around and see it in several HJT logs on the internet with no deletion advice, and this:
    "oemreset.exe OEMCLEANUP Resets OEM installation settings at bootup. Not required unless you're new to PC's"
    So it seems harmless and sounds annoying in some cases. No reason to rebuild your system for that one, unless it would really contain a nasty. I thought Gavin mentioned in another thread that this kind of alarm is not to worry about too much, but don't pin me on that till that advice is located again!
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Well, it doesn't look like a trojan. What it is alarming on seems to be the DEFAULT key in the registry. You can have keys with names, or there is a default entry, which shouldn't really be used.

    It also should not be alarming; get the latest database and then run TDS, do a trace scan. Does it come back? If so, please right click the alarm and choose save as text, then paste it here.
     
  6. grant

    grant Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    11
    Hi! Yes, it does return after the trace scan. Here is the text:
    Scan Control Dumped @ 22:11:46 26-01-04
    (Deleted) RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes
    File: c:\documents and settings\all users\documents\my pictures\sample pictures\thumbs.db:encryptable

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes
    File: c:\documents and settings\oo\my documents\my pictures\thumbs.db:encryptable

    RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]

    The extra alarms that are now showing are from two digital photographs I just added. The first time I ever encountered the RegVal alarm was when I used XP Pro for two weeks a few years ago. Can't be a coincidence that I have it back with XP Home. I have the sensitivity turned to max; perhaps that's why it's alarming?
     
  7. grant

    grant Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    11
    Hi, I just wiped the drive 7 times and then formatted. The first thing I did online using Opera was to download the KF for TDS3 and then run a scan. Same thing showed up:
    Scan Control Dumped @ 12:51:38 28-01-04
    (Deleted) RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]
    The old fdisk/mbr I could do with 98 might make the difference. Anyways, I hope it isn't a trojan as I used my credit card online.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Grant, I posted above that it is part of XP and a file you don't really need, as it's the one resetting your system to defaults after reboot.
    It does come with XP, so it must be found somewhere; make all your files visible in the Windows settings.
    There was no need to reformat the system for a file which comes with the Windows install.

    Gavin told you it is innocent and, if you locate it, to submit it so he can check it extra for you.

    For the NTFS ADS streams, it has been posted various times in this forum that you can in your scan options ignore files smaller than 88 bytes or 256 bytes, so certainly the 0 byte files.
    They are rather usual in images; scanners might add them, etc.
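A small triage helper for the alarm text quoted in this thread, added here as an example and not code from the forum or from DiamondCS: it parses a TDS-3 "Scan Control Dumped" block into records, collapses an alarm that appears once as "(Deleted)" and once live again (the "comes back after reboot" pattern Grant describes), applies the "ignore streams smaller than 256 bytes" rule from the advice above to the ADS hits, and marks the Run-key entry for review with the locate-and-submit step Gavin and Jooske suggest. Reading `[*=...]` as the Run key's default value follows Gavin's remark and is an assumption, not TDS documentation; the sample dump is the text Grant posted, embedded as constructed input so the script runs offline.

```python
"""Triage helper for TDS-3 'Scan Control Dumped' text (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the alarm text quoted earlier in this thread.
SAMPLE_DUMP = r"""Scan Control Dumped @ 22:11:46 26-01-04
(Deleted) RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes
File: c:\documents and settings\all users\documents\my pictures\sample pictures\thumbs.db:encryptable

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes
File: c:\documents and settings\oo\my documents\my pictures\thumbs.db:encryptable

RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]
"""

ALARM_RE = re.compile(
    r"^(?P<deleted>\(Deleted\) )?(?P<kind>RegVal Trace|NTFS Alternate Data Stream): (?P<detail>.+)$")
SIZE_RE = re.compile(r"(\d+) bytes$")
# "key [name=command]" as TDS prints a Run value. '*' is taken to be the
# key's default value: an assumption based on Gavin's reply, not on TDS docs.
RUNVAL_RE = re.compile(r"^(?P<key>.+?) \[(?P<name>[^=\]]*)=(?P<cmd>.*)\]$")


@dataclass
class Alarm:
    kind: str
    detail: str
    target: str
    deleted: bool
    size_bytes: Optional[int]


def parse_dump(text: str) -> List[Alarm]:
    """Turn the two-line alarm records of a dump into Alarm objects."""
    alarms: List[Alarm] = []
    pending: Optional[Alarm] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan Control Dumped"):
            continue
        m = ALARM_RE.match(line)
        if m:
            size = SIZE_RE.search(m["detail"])
            pending = Alarm(m["kind"], m["detail"], "", bool(m["deleted"]),
                            int(size.group(1)) if size else None)
            continue
        if line.startswith("File: ") and pending is not None:
            pending.target = line[len("File: "):]
            alarms.append(pending)
            pending = None
    return alarms


def triage(alarms: List[Alarm], ads_min_bytes: int = 256) -> List[Dict[str, object]]:
    """Collapse repeats of one alarm and attach a suggested handling."""
    grouped: Dict[Tuple[str, str], dict] = {}
    for a in alarms:
        g = grouped.setdefault((a.kind, a.target), {
            "kind": a.kind, "target": a.target, "seen": 0,
            "deleted": 0, "live": 0, "action": "", "reason": ""})
        g["seen"] += 1
        g["deleted" if a.deleted else "live"] += 1
        if a.kind == "NTFS Alternate Data Stream":
            # The forum's rule: streams below the size threshold are noise
            # (thumbs.db:encryptable is 0 bytes), anything bigger gets a look.
            if a.size_bytes is not None and a.size_bytes < ads_min_bytes:
                g["action"], g["reason"] = "ignore", f"stream smaller than {ads_min_bytes} bytes"
            else:
                g["action"], g["reason"] = "review", "stream large enough to carry content"
        else:
            m = RUNVAL_RE.match(a.target)
            name = m["name"] if m else "?"
            cmd = m["cmd"] if m else a.target
            where = "default value of" if name == "*" else f"value '{name}' in"
            g["action"] = "review"
            g["reason"] = f"{where} the Run key starts {cmd}; locate the file and submit it to the vendor"
    results = []
    for g in grouped.values():
        # Seen both as '(Deleted)' and live again: the value is recreated at
        # boot, which is what Grant reports, so flag it instead of counting twice.
        g["recreated"] = g["deleted"] > 0 and g["live"] > 0
        results.append(g)
    return results


if __name__ == "__main__":
    for v in triage(parse_dump(SAMPLE_DUMP)):
        flag = " (comes back after deletion)" if v["recreated"] else ""
        print(f"{v['action']:6} x{v['seen']} {v['kind']}: {v['reason']}{flag}")
```

On the sample dump this yields one "review" line for the Run-key entry, flagged as recreated after deletion, and two "ignore" lines for the 0-byte `:encryptable` streams; lowering `ads_min_bytes` to 0 turns the ADS hits into "review" items, which is the trade-off the 88/256-byte scan option makes.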
     