Velocity Reviews


Ted 03-11-2010 09:03 PM

Re: help needed with trojan threat
 
On Mar 11, 2:56 pm, r...@nospam.com wrote:
> I use ZoneAlarm firewall and ESET NOD32 antivirus.
> I downloaded an exe file and a keygen from a filesharing site the
> other day. (Yes - I know I am a naughty boy - my version of Flash MX
> which I fiddle about with as a hobby is getting old now and does not
> meet the requirements of recent tutorials I find on the web)
>
> I ran a patch.exe by accident but checking it with NOD32 it gets a
> clean bill of health.
> Another exe installer file I ran through the NOD32 and because it
> showed up a number of trojan warnings did not run it. It is now
> quarantined.
>
> However my NOD 32 now warns me whenever I start up the computer that
> it is blocking 95.211.1.173.
>
> I have run a search on this and it is a netherlands site.
> The search also took me to http://www.threatexpert.com/report.aspx?md5=388157aa795d12c4703f52914...
> which details a threat as follows:
>
> Module Name
>     dpnhupnp32.dll
>
> Module Filename
>     %System%\dpnhupnp32.dll
>
> Address Space Details
>     Process name: explorer.exe
>     Process filename: %Windir%\explorer.exe
>     Address space: 0x1E90000 - 0x1EB39DB
>
> There were registered attempts to establish connection with
>     95.211.1.173
>
> The page lists a number of registry keys that the threat creates.
> Some do not appear at all in my registry but the following do
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
> HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
>
> The page lists a newly created Registry Value as:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler]
> (Default) = "{f7227766-6ea9-4a5d-acc4-d667c29824ab}"
>
> The value in my registry does not match this.
>
> The page does not give a newly created value for
> HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
>
> A search on my computer did not find dpnhupnp32.dll
>
> I have run a complete antivirus scan and the HD should now be clean
> but surely something must have been missed for the computer still to
> be trying to access 95.211.1.173
>
> I would be grateful if someone could explain why my computer is trying
> to access 95.211.1.173 and how I can stop it doing so.
>
> I tried using System Restore to reset the registry to what it was a
> week earlier but got the message that no changes had been made to the
> registry in that time.
>
> TIA
> Reg


I see from another ThreatExpert page (http://www.threatexpert.com/files/dpnhupnp32.dll.html) this:

The file "dpnhupnp32.dll" is known to be created under the following
filenames:
%System%\dpnhupnp32.dll
%System%\dpnwsock32.dll
%System%\empop332.dll
%Temp%\dpnhupnp32.dll

Check for those other filenames.
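
The check suggested above, written out as a PowerShell script; this is an added example, not part of the original thread. It looks for the listed filenames on disk, including hidden and system files that a default Windows file search can skip, and among the modules loaded in explorer.exe, the process named in the quoted report. Checking `SysWOW64` as well as the system directory is an assumption for 64-bit Windows.

```powershell
# Added example. The filenames are the ones listed in the post above.
$names = 'dpnhupnp32.dll', 'dpnwsock32.dll', 'empop332.dll'

# %System% in the report is the Windows system directory, %Temp% the user's temp dir.
# SysWOW64 is an assumption: where a 32-bit DLL would land on 64-bit Windows.
$dirs = @(
    [Environment]::SystemDirectory,
    (Join-Path $env:windir 'SysWOW64'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# 1. On-disk check. -Force makes Get-ChildItem return hidden and system files too.
$onDisk = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        Get-ChildItem -LiteralPath (Join-Path $dir $name) -Force -ErrorAction SilentlyContinue
    }
}

# 2. In-memory check. The report shows the DLL mapped into explorer.exe, so list
#    the modules of every explorer.exe process and match on module name.
$loaded = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules |
            Where-Object { $names -contains $_.ModuleName } |
            Select-Object @{ n = 'Pid'; e = { $proc.Id } }, ModuleName, FileName
    } catch {
        # Typically a 32-bit shell reading a 64-bit process, or missing rights.
        Write-Warning "Could not read modules of PID $($proc.Id): $($_.Exception.Message)"
    }
}

if (-not $onDisk -and -not $loaded) {
    'None of the listed filenames found on disk or loaded in explorer.exe.'
}
$onDisk | Format-Table FullName, Length, LastWriteTime, Attributes -AutoSize
$loaded | Format-Table Pid, ModuleName, FileName -AutoSize
```

Run it from a PowerShell session with the same bitness as the operating system so the explorer.exe module list is readable. The name list covers only what the post quotes from ThreatExpert, so a sample using a different filename will not match.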


