Optix Pro 10.

Discussion in 'General Software' started by peaz, Jan 17, 2003.

  1. peaz

    peaz ARP Webmaster Staff Member

    My gf's PC just got infected by a trojan called Optix Pro 10.

    It seems that it copies itself as a winampw.exe file and resides in the system32 folder.

    Basically, it edits the registry so that the run command for exe files gets loaded through that winampw.exe...

    Trojaned:
    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    "winampw.exe %1" %*

    From the Symantec link below, it seems that the trojan's pretty dangerous, so you guys better keep your antivirus and firewall updated.

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optixpro.10.html

    Anyway, what happened here was that Norton AV wasn't able to block the trojan from editing the registry (Optix Pro successfully blocked the AV at first), but Norton was later able to detect and quarantine the winampw.exe file. This caused all exes to stop running, as there's no more winampw.exe file.

    Here's how to get back control of your PC, as extracted from the Symantec page...

    1. Stop the trojan process: Ctrl+Alt+Delete. Scroll through the list, look for Kernel32.exe and then click End Process. If it's not there, then it's highly likely your antivirus was able to stop it from loading.

    2. Go to the Windows folder, create a copy of regedit.exe and rename that copy to regedit.com.
    Run regedit.com.

    3. Using regedit, edit the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    "winampw.exe %1" %* -> "%1" %*

    4. Rerun the antivirus to scan your hard disk for more of the trojan.
     
  2. Gleikron

    Gleikron Newbie

    Wow

    Ok, first of all I wanna say that the Optix Pro trojan doesn't install as that exe; it's totally customizable, and you can also install it to any directory you want. I personally use the file name svchost.exe because most computers tend to have multiple versions of that running :) So for those of you trying to get rid of this, you'll have to look for a lot more than winampw.exe or whatever ;D As of now there aren't really any new trojan removers that Optix Pro doesn't kill. Optix looks for specific exes and automatically terminates them when opened. I'm not sure if this works or not, but try renaming the exe file of any random trojan remover; it might work. After that, scan for j00r viruz!
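    The first post shows the one concrete indicator this trojan leaves: the default value of exefile\shell\open\command is changed from "%1" %* to "<launcher> %1" %*, so every exe is started through the launcher, and the second post points out that the launcher name is whatever the attacker chose. The script below is an added example, not from the thread or from Symantec. It parses a regedit export (the sample .reg text is constructed by hand to mirror the quoted value), flags any ...\shell\open\command whose default is not the clean "%1" %*, pulls out the injected launcher name whatever it is, and emits a .reg file that restores the default. Checking comfile as well as exefile is a generalization of the post's single key: the hijack works the same way on any class key.

```python
"""Audit a regedit export for hijacked shell\open\command handlers.

Added example, not code from the forum thread or from Symantec.  The .reg
text below is constructed to mirror the value quoted in the first post.
The clean default for exefile\shell\open\command is "%1" %*.
"""
import re

CLEAN_DEFAULT = '"%1" %*'

# Constructed sample export: one hijacked class, one clean class.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"winampw.exe %1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# Default value line: @="..." where backslash escapes \ and " inside.
DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"\s*$')


def reg_unescape(s):
    """Undo .reg string escaping (backslash before \\ or ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_open_commands(reg_text):
    """Return {class_key: default_value} for every ...\\shell\\open\\command section."""
    result = {}
    current = None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            current = key if key.lower().endswith(r'\shell\open\command') else None
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            result[current] = reg_unescape(m.group('val'))
    return result


def classify(command):
    """Return (status, launcher): ('clean', None) for the default value,
    ('hijacked', name) when a launcher has been wrapped around %1."""
    cmd = command.strip()
    if cmd == CLEAN_DEFAULT:
        return ('clean', None)
    # Shape seen in the post: "<launcher> %1" %*  (the real target %1 becomes
    # an argument to <launcher>, so the launcher runs on every exe start).
    m = re.match(r'^"?(?P<launcher>\S+)\s+%1"?\s+%\*$', cmd)
    if m:
        return ('hijacked', m.group('launcher'))
    return ('hijacked', cmd)  # unknown shape, still not the default: flag it


def audit(reg_text):
    """Map each ...\\shell\\open\\command key in the export to its classification."""
    return {key: classify(cmd) for key, cmd in parse_open_commands(reg_text).items()}


def repair_reg(hijacked_keys):
    """Build a .reg file restoring "%1" %* for each hijacked key.  Import it
    with regedit (or the regedit.com copy from the first post when exes
    themselves no longer start)."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key in hijacked_keys:
        lines.append('[%s]' % key)
        lines.append('@="\\"%1\\" %*"')
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    findings = audit(SAMPLE_REG)
    for key, (status, launcher) in findings.items():
        print(status, key, launcher or '')
    bad = [k for k, (status, _) in findings.items() if status == 'hijacked']
    print(repair_reg(bad))
```

    On a live machine the export comes from `regedit /e out.reg HKEY_LOCAL_MACHINE\Software\Classes`; the script only needs the text, so it can be run from another machine if the infected one cannot start exes at all.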
     
  3. ethic

    ethic Newbie

    Re: Wow

    Removing this trojan can be done by various methods not "usually" explained by the media. It's not as hard as you may think; here I will explain various methods and approaches to the removal of Optix Pro.

    Methods:
    :wall:
    Get a virus scanner which isn't killed by Optix Pro/Lite, as described above. Preferably I'd recommend 'Anti-Trojan 5.5 Build 421';
    it will run a scan of your system for Optix Pro/Lite. To locate the file, search within the drive on which you have "Windows NT/2000/XP" presently installed. By default Optix Pro/Lite stores its server file within %windir% or %winsys%.

    Example:

    %windir%: C:\WINDOWS
    %winsys%: C:\WINDOWS\SYSTEM

    Note: First search throughout the following directories to see if the server is installed under its default settings.

    -Once you have located the file, confirm in "Anti-Trojan 5.5 Build 421" to delete it; if it resists, download a tool called "Resource Hacker," which can be found via http://google.com

    Using "Resource Hacker":

    Open reshack.exe and then open your server file.

    Example:

    SERVER: winlogon.exe

    -Once you've opened the exe, proceed to delete the following dirs within the exe:

    Icon

    RCData
    -DVCLAL
    \_> 0001058C 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A &=O8‚7¸ó$B••›:
    -Packageinfo
    \_>
    0001059C 01 00 00 CC 00 00 00 00 14 00 00 00 01 AD 73 65 •••Ì•••••••••­se
    000105AC 72 76 65 72 00 10 73 41 63 74 69 76 65 58 00 00 rver••sActiveX••
    000105BC C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 ÇSystem••SysIni
    000105CC 74 00 0C 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 t••KWindows••UTy
    000105DC 70 65 73 00 1C 33 4D 65 73 73 61 67 65 73 00 1C pes••3Messages••
    000105EC A7 57 69 6E 53 76 63 00 1C 3F 57 69 6E 49 6E 65 §WinSvc••?WinIne
    000105FC 74 00 1C A9 57 69 6E 53 6F 63 6B 00 1C 21 54 6F t••©WinSock••!To
    0001060C 6F 6C 48 65 6C 70 33 32 00 00 2E 64 61 74 61 00 olHelp32••.data•
    0001061C 00 17 53 65 74 4D 65 6D 00 00 92 75 74 69 6C 73 ••SetMem••’utils
    0001062C 00 0C EF 55 72 6C 4D 6F 6E 00 00 0D 69 6E 73 74 ••ïUrlMon•••inst
    0001063C 61 6C 6C 00 00 8E 46 77 41 76 00 00 06 45 53 6F all••ŽFwAv•••ESo
    0001064C 63 6B 00 00 E9 4E 6F 74 69 66 79 00 00 8A 64 65 ck••éNotify••Šde
    0001065C 6C 70 68 69 00 00 00 lphi•••

    Ok, now save your exe in the following dir to change the executable's settings:

    Save as..> winlogon.exe

    NOTE: This will delete all the client options within the server, therefore the intruder cannot connect.

    Ok great! You're almost done.

    What's next?

    Go into your Windows "Control Panel" and create a new administrative account. Give it password protection if needed...

    Back up your files in "My Documents," etc., if you wish to keep files that another user account has within "C:\Documents & Settings."

    - Ok, backed them up? Delete your other user accounts and confirm not to keep their files. Therefore when you log in to your new account you are assured you have no infections! That's it, bro, the trojan is disabled. I'm not sure of its AV killers though.. :snooty:
     
  4. bushey

    bushey Newbie

    I'm sorry if this isn't related, but i don't know where else to turn. My computer started not working one day, and every time I attempted to open a file or program, it would give me an error message. The message is something like this, but not exact.

    Windows cannot find the file winampw.exe.
    Please select the source of the file.

    Like I said, it is not exact, but something like that. I have missed my computer, and am forced to use the libraries to send emails. It has been like this for about a year, but I cannot afford to take it in. If you think you may be able to help me, please let me know. I would appreciate it greatly. I have Windows 98; my computer is a Hewlett Packard. I am unable to do anything on it because all that comes up is an error message. Please help. Thank you.

    Bushey

    PS: my email is [email protected] if you can help. PLEASE.
     
  5. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Wow.. Looks like your system has been infected by Optix Pro 10. :think:

    Please follow the instructions posted above. :mrgreen:
     
