
roimoi trojan


Prinxce of Darkxness

13 Feb 2004, 04:55:23
My brother's PC is infected by a trojan called roimoi; he tried about a
dozen anti-trojan apps but none of them has been able to remove the thing.
There's one program called BOClean that has the trojan in its list, but
since my bro doesn't have a credit card he can't purchase the app, and there's
no trial or demo version.
Does anyone in here know of another way to remove the roimoi trojan?
Any help appreciated, TIA!


trout

13 Feb 2004, 05:28:42
Prinxce of Darkxness wrote:

Has any other anti-trojan *detected* it? What program told him he
*has* it? What exactly has he tried?
The fact that the *only* reference out there seems to be on the Boclean
site suggests that this is a name that only they are using for a variant
of an existing trojan. Other programs might simply call it something
else.
If he hasn't already, download, update and run these two free programs:
Spybot Search & Destroy
<http://security.kolla.de/>
Ad-Aware
<http://www.lavasoftusa.com/>
And run an on-line scan:
<http://housecall.antivirus.com/>
--
"Post detailed information."


Prinxce of Darkxness

13 Feb 2004, 06:15:16

"trout" <m...@privacy.net> wrote in message
news:c0i8sr$13q6oh$1...@ID-179272.news.uni-berlin.de...

Other (updated) anti-trojans detected nothing; AVG, Spybot and Ad-Aware also
didn't find anything. The reason we think it's a trojan is because a Google
search on roimoi only comes up with the BOClean list of trojans. Removing
roimoi doesn't work, it keeps installing itself, so our guess is it must be a
trojan.


trout

13 Feb 2004, 06:43:35
Prinxce of Darkxness wrote:

But where are you actually seeing it (Task Manager, Start-up folder,
Add/Remove)? And how are you 'removing' it?
Where is it listed, and as what? A program? What does it appear as,
as far as file extension? (And what OS is he using?)
--
"I still see no reference to this anywhere else."


Prinxce of Darkxness

13 Feb 2004, 06:48:13

> But where are you actually seeing it (Task Manager, Start-up folder,
> Add/Remove)? And how are you 'removing' it?
> Where is it listed, and as what? A program? What does it appear as,
> as far as file extension? (And what OS is he using?)
> --
> "I still see no reference to this anywhere else."


It's in the registry; removed the entry with RegCleaner but it keeps coming
back... or are we seeing ghosts here? OS is Win98 SE.


Prinxce of Darkxness

13 Feb 2004, 09:33:57

"Prinxce of Darkxness" <now...@nothin.on.tv> wrote in message
news:402cb990$0$41475$a344...@news.wanadoo.nl...

And since roimoi keeps installing itself in the registry, and Google only
comes up with 2 things: 1) a roimoi trojan in the BOClean list, or 2) the
French version of 'The King and I', we assume it's the trojan....


°Mike°

13 Feb 2004, 14:05:07
On Fri, 13 Feb 2004 15:33:57 +0100, in
<402ce075$0$70748$4a44...@news.euronet.nl>
Prinxce of Darkxness scrawled:

<snip>

>and since roimoi keeps installing itself in the registry, and google only
>comes up with 2 things; 1)a roimoi trojan in the boclean list, or 2)the
>french version of 'the King and I', we assume it's the trojan....

Install HijackThis and post the contents of your log
here.

HijackThis
http://www.tomcoyote.org/hjt/


--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html

Pouloum

18 Feb 2004, 18:40:38
°
> Install HijackThis and post the contents of your log
> here.
>
> HijackThis
> http://www.tomcoyote.org/hjt/

I've got the same trojan and the same problem.

I'm sorry, your link for HijackThis is down.

roimoi is created in the registry when I open explorer.exe. I tried to
delete explorer.exe and put another one to work instead, but it still creates
roimoi in the registry.

I also deleted the original program of roimoi; it was something like
w5104x.exe.

trout

18 Feb 2004, 18:52:28
Pouloum wrote:

> °
>> Install HijackThis and post the contents of your log
>> here.
>>
>> HijackThis
>> http://www.tomcoyote.org/hjt/
>
> I've got the same trojan and the same probleme
>
> I'm sorry your link for hijackthis is down

<snip>

Yes, there seems to be a server problem. Try here:
http://www.spychecker.com/program/hijackthis.html
--
"Seems to be working."


Pouloum

19 Feb 2004, 04:56:07
> > °
> >> Install HijackThis and post the contents of your log
> >> here.
> >>

OK, let's go, but roimoi does not appear in this list, though it is still active when I
start Windows Explorer.


Logfile of HijackThis v1.97.7
Scan saved at 10:53:12, on 19/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\rmtcfg\files\mdll.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\Julien\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://searchcentral.cc/search.php?v=4&aff=3304
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchcentral.cc/index.php?v=4&aff=3304
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Liens
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} -
C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D49DED87-58C0-4D85-9915-D489565CAD9A} -
C:\WINNT\b68MU8d78.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} -
C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} -
C:\WINNT\oY0iF27.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE
/STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program
Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [runmdll]
C:\WINNT\SYSTEM32\RMTCFG\FILES\mdllstart.bat
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers
communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CrocPopup+ ] C:\Program
Files\crocpopup+\Crocpopup+.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [D2ProphecySetup.exe]
C:\DOCUME~1\Julien\Bureau\D2PROP~1.EXE /r
O8 - Extra context menu item: &Download with &DAP -
C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://207.188.7.150/060005c6515160c97905/netzip/RdxIE601_fr.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) -
http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194}
(limmyloding.limmyform) - http://bins.roings.com/roing.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
(MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan
Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.2624421296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown
Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) -
http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A8C9A69-8E14-4155-99DC-9DA989AF615E}:
NameServer = 80.10.246.130 80.10.246.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8304B1-92D7-40FB-879D-819B7AA9B255}:
NameServer = 192.168.0.1

Pouloum

19 Feb 2004, 15:57:45
Okay, I destroyed it, so here's the solution. Good luck :)
You have a .dll and a .exe to delete and after that it seems to be OK.

Yes this is a nasty one. As far as I can tell even BOClean doesn't
get rid of this, but I can't be fully sure of that. I'm not at the PC
that was infected with this recently, but as I recall I fixed it in a
Win 2K system by:

Running HijackThis and looking for 2 unusual Browser Helper Objects
that reference DLLs in your $Windows$ folder (typically C:/WINNT).
They have strange names like o345678.dll. Rebooting to safe mode, I
renamed those files to something else. I then started regedit and
navigated to HKEY_LOCAL_MACHINE/SOFTWARE. Look for the roimoi key.
You'll notice a few subkeys there that you can't see in normal
mode..... I deleted the whole friggin' key.
I also did a file search for files added at the same time as the
aforementioned DLLs - I found an EXE in the WINNT folder and a BAT
file in my temp dir that I also nuked.

Obviously be careful anytime you edit the registry....
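The triage described in the thread (odd-named DLLs loaded by IE straight from the Windows folder, orphaned toolbar entries, a hosts-file override, an autostart pointing at a batch file) can be applied to a HijackThis log mechanically. The script below is an added example, not HijackThis's code or anything posted in this thread; the heuristics are assumptions drawn from the posters' observations, and the sample lines are copied from the log above with the newsreader's line wrapping joined back together.

```python
import re

# Constructed sample input: entries copied from the HijackThis log posted in this
# thread, with the newsreader's line wrapping joined back together.
SAMPLE_LOG = """\
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {D49DED87-58C0-4D85-9915-D489565CAD9A} - C:\\WINNT\\b68MU8d78.dll
O3 - Toolbar: searchsprint - {AEE46806-2C5A-4A4E-A5DD-B4531F64A187} - C:\\WINNT\\oY0iF27.dll (file missing)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [runmdll] C:\\WINNT\\SYSTEM32\\RMTCFG\\FILES\\mdllstart.bat
"""

# Heuristic (assumption): a module sitting directly in the Windows folder, not a subfolder.
IN_WINDOWS_ROOT = re.compile(r"^[a-z]:\\win(nt|dows)\\[^\\]+$", re.I)
# Heuristic (assumption): mixed upper/lower case plus digits, like b68MU8d78.dll.
RANDOMISH_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}\.(dll|exe|ocx)$")
ENTRY = re.compile(r"^(O\d+) - (.*)$")


def suspicious_entries(log_text):
    """Return (section, detail, reason) tuples for log entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":                      # hosts-file override of a domain
            findings.append((section, body.split(": ", 1)[1], "hosts file redirection"))
        elif section in ("O2", "O3"):            # BHO / toolbar: IE loads this module
            missing = body.endswith(" (file missing)")
            path = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            name = path.rsplit("\\", 1)[-1]
            if IN_WINDOWS_ROOT.match(path) and RANDOMISH_NAME.match(name):
                findings.append((section, path, "randomly named module in Windows folder"))
            if missing:
                findings.append((section, path, "orphaned entry, file already gone"))
        elif section == "O4":                    # autostart entries
            command = body.split("] ", 1)[-1]
            if ".bat" in command.lower() or "\\temp\\" in command.lower():
                findings.append((section, command, "autostart via batch file or temp folder"))
    return findings


if __name__ == "__main__":
    for section, detail, reason in suspicious_entries(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

The legitimate Acrobat BHO under Program Files is left alone, while the two oddly named modules in C:\WINNT, the hosts entry and the mdllstart.bat autostart are reported for manual review.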
