Chopper
A CA anti-spyware scan detects the Ilomo Trojan in regscan.exe and tries to
quarantine it, unsuccessfully. If I turn off auto quarantine I get a buffer
over-run. When I re-scan right away, I get the same results. I can't find
regscan.exe on my hard drive, either searching manually or with the search
function. I have everything turned on to show hidden and system files. CA
anti-virus shows no infection.
I'm running Win2k SP4, Update Rollup 1 v2. When I boot into safe mode it
takes a long, long time, and any program I try to run starts very slowly.
Task Manager doesn't show anything out of the ordinary running, either in
normal boot or safe mode. Could the extremely slow boot into safe mode be
related to this trojan?
Latest scan log:
1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1
1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1
1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1
I also have temp files in temp directories (Local Disk\Documents and
Settings\Administrator\Local Settings\Temp) with names like ~DF11F8.tmp that
don't delete when I clear the cache, and when I try to delete them manually I
get a message saying they are in use, and new temp files with similar names
immediately appear. Older temp files can be deleted, but not the new ones
that are spawned. Is this normal, or could it be related to this trojan?
My desktop icons randomly relocate on boot-up, and I noticed a file named
index.dat in Local Disk\Documents and Settings\Administrator\Local
Settings\History\History.IE5 and other locations that doesn't delete when I
clear the cache. I also find desktop.ini files buried in subfolders under the
Temporary Internet Files folders. Could these be related to the trojan?
I have Googled this problem and gone to quite a few sites, including CA,
McAfee, ESET, Trend Micro and others, and can't find an answer on how to
eliminate this pest.
Reading between the lines of what I have found, I think I need to edit the
registry and delete the hkey_user data, but I'm not really familiar with how
to do that safely. I believe I need to delete regscan.exe also, but to
reiterate, I can't find it on disk.
Any advice would be appreciated, with enough detail for someone not really
familiar with editing the registry.
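As an added example (not part of Chopper's post, and not CA's own code), here is a small Python parser for the scan-log format quoted above. It pairs Detected records with Quarantined ones and reports any target the scan detected but never quarantined; on the three records in the post that is the Run-key value, an autostart entry, which is the kind of leftover a practitioner checks for first when the same detection comes back on every scan. The field layout (timestamp, action, name, category, target, status code) is assumed from those three lines only; the sample records are re-typed from the post with each record on one line.

```python
"""Added example: parse the CA scan-log format quoted in the post and report
which detections were never quarantined. The field layout is inferred from
the three records in the post only (assumption)."""
import re

# Constructed sample: the three records quoted in the post, one per line
# (the forum wrapped them across several lines).
SAMPLE_LOG = r'''
1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1
1/14/2008-6:40:42 PM , Detected , Ilomo , Trojan , Key "hkey_user\S-1-5-21-842925246-115176313-725345543-500\\Software\Microsoft\Windows\CurrentVersion\Run" value "Regscan" , -1
1/14/2008-6:41:28 PM , Quarantined , Ilomo , Trojan , File "C:\WINNT\system32\regscan.exe" , -1
'''

# Assumed layout: timestamp , action , detection name , category ,
# target (File "<path>"  or  Key "<path>" value "<name>") , status code
RECORD_RE = re.compile(
    r'^(?P<ts>\S+ [AP]M) , (?P<action>\w+) , (?P<name>[^,]+?) , (?P<category>[^,]+?) , '
    r'(?P<kind>File|Key) "(?P<path>[^"]+)"(?: value "(?P<value>[^"]*)")? , (?P<code>-?\d+)$'
)

# Autostart locations: a key path ending in \CurrentVersion\Run or \RunOnce
AUTOSTART_RE = re.compile(r'\\currentversion\\run(once)?$')


def parse_scan_log(text):
    """Return one dict per well-formed record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records


def target_id(rec):
    """Case-insensitive identity of a record's target, so the Detected and
    Quarantined entries for the same file or registry value pair up."""
    if rec["kind"] == "Key":
        return ("Key", rec["path"].lower(), (rec["value"] or "").lower())
    return ("File", rec["path"].lower())


def is_autostart_key(rec):
    """True when the record names a value under a Run or RunOnce key."""
    return rec["kind"] == "Key" and AUTOSTART_RE.search(rec["path"].lower()) is not None


def unhandled_detections(records):
    """Targets with a Detected record but no Quarantined record, one per target.

    In the post's log the file is quarantined but the Run-key value is not,
    so the autostart entry is still present for the next scan to report."""
    quarantined = {target_id(r) for r in records if r["action"] == "Quarantined"}
    result, seen = [], set()
    for r in records:
        tid = target_id(r)
        if r["action"] == "Detected" and tid not in quarantined and tid not in seen:
            seen.add(tid)
            result.append(r)
    return result


def summarize(text):
    """Human-readable lines describing what the scan did not clean up."""
    lines = []
    for r in unhandled_detections(parse_scan_log(text)):
        where = f'{r["kind"]} {r["path"]}' + (f' value "{r["value"]}"' if r["value"] else "")
        note = " (autostart entry)" if is_autostart_key(r) else ""
        lines.append(f'{r["name"]}: not quarantined: {where}{note}')
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run as-is it prints one line for the Run-key value "Regscan"; point it at a full scan log (read the file and pass the text to `summarize`) to see every detection the scanner reported but did not clean, which is a cheaper starting point than searching the disk for a file the scanner has already quarantined.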