Re: help needed with trojan threat

Discussion in 'NZ Computing' started by Ted, Mar 11, 2010.

  1. Ted

    Ted Guest

    On Mar 11, 2:56 pm, wrote:
    > I use ZoneAlarm firewall and ESET NOD32 antivirus.
    > I downloaded an exe file and a keygen from a filesharing site the
    > other day. (Yes - I know I am a naughty boy - my version of Flash MX
    > which I fiddle about with as a hobby is getting old now and does not
    > meet the requirements of recent tutorials I find on the web)
    >
    > I ran a patch.exe by accident but checking it with NOD32 it gets a
    > clean bill of health.
    > Another exe installer file I ran through the NOD32 and because it
    > showed up a number of trojan warnings did not run it. It is now
    > quarantined.
    >
    > However my NOD 32 now warns me whenever I start up the computer that
    > it is blocking 95.211.1.173.
    >
    > I have run a search on this and it is a netherlands site.
    > The search also took me to http://www.threatexpert.com/report.aspx?md5=388157aa795d12c4703f52914...
    > which details a threat as follows:
    >
    > Module Name
    >         dpnhupnp32.dll
    >
    > Module Filename
    >          %System%\dpnhupnp32.dll
    >
    > Address Space Details
    >         Process name: explorer.exe
    >         Process filename: %Windir%\explorer.exe
    >         Address space: 0x1E90000 - 0x1EB39DB
    >
    > There were registered attempts to establish connection with      
    >         95.211.1.173
    >
    > The page lists a number of registry keys that the threat creates.
    > Some do not appear at all in my registry but the following do
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj
    > HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler
    >
    > HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
    > HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
    >
    > The page lists a newly created Registry Value as:
    >
    > [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler]
    > (Default) = "{f7227766-6ea9-4a5d-acc4-d667c29824ab}"
    >
    > The value in my registry does not match this.
    >
    > The page does not give a newly created value for
    > HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
    >
    > A search on my computer did not find dpnhupnp32.dll
    >
    > I have run a complete antivirus scan and the HD should now be clean
    > but surely something must have been missed for the computer still to
    > be trying to access 95.211.1.173
    >
    > I would be grateful if someone could explain why my computer is trying
    > to access 95.211.1.173 and how I can stop it doing so.
    >
    > I tried using System Restore to reset the registry to what it was a
    > week earlier but got the message that no changes had been made to the
    > registry in that time.
    >
    > TIA
    > Reg


    I see from another ThreatExpert page
    (http://www.threatexpert.com/files/dpnhupnp32.dll.html) this:

    The file "dpnhupnp32.dll" is known to be created under the following
    filenames:
    %System%\dpnhupnp32.dll
    %System%\dpnwsock32.dll
    %System%\empop332.dll
    %Temp%\dpnhupnp32.dll

    Check for those other filenames.
     
    Ted, Mar 11, 2010
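
An added example, not part of Ted's post or of the ThreatExpert report: a PowerShell check for the four listed filenames on disk (hidden and system files included) and among the modules loaded into explorer.exe, the process named in the quoted report. It assumes PowerShell 3.0 or later, and that ThreatExpert's %System% and %Temp% placeholders mean the Windows system directory and the current user's temp directory.

```powershell
# Filenames and locations from the ThreatExpert list quoted above.
# Assumption: %System% = Windows system directory, %Temp% = current user's temp dir.
$candidates = @(
    @{ Dir = [Environment]::SystemDirectory; Name = 'dpnhupnp32.dll' },
    @{ Dir = [Environment]::SystemDirectory; Name = 'dpnwsock32.dll' },
    @{ Dir = [Environment]::SystemDirectory; Name = 'empop332.dll' },
    @{ Dir = $env:TEMP;                      Name = 'dpnhupnp32.dll' }
)

# 1. Files on disk. -Force makes Get-Item return hidden and system files too.
$onDisk = foreach ($c in $candidates) {
    $path = Join-Path $c.Dir $c.Name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        [pscustomobject]@{
            Path       = $item.FullName
            Attributes = $item.Attributes
            Modified   = $item.LastWriteTime
            Size       = $item.Length
        }
    }
}

# 2. Modules currently loaded in explorer.exe, matched by name (case-insensitive).
$names = $candidates | ForEach-Object { $_.Name } | Sort-Object -Unique
$loaded = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = $_
        $proc.Modules |
            Where-Object { $names -contains $_.ModuleName } |
            ForEach-Object {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $_.ModuleName
                    Path      = $_.FileName
                }
            }
    }

# Report both results; an empty result prints an explicit "nothing found" line.
if ($onDisk) { $onDisk | Format-Table -AutoSize } else { 'No listed file found on disk.' }
if ($loaded) { $loaded | Format-Table -AutoSize } else { 'No listed module loaded in explorer.exe.' }
```

A module reported as loaded with a path outside the four listed locations is worth noting, since the report only names the files it observed.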