My gf's PC just got infected by a trojan called Optix Pro 10. It seems that it copies itself as a winampw.exe file and resides in the system32 folder. Basically it edits the registry so that the run command for exefiles gets routed through that winampw.exe... trojaned:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command "winampw.exe %1" %*

From the Symantec link below, it seems that the trojan's pretty dangerous, so you guys better keep your antivirus and firewall updated.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optixpro.10.html

Anyway, what happened here was that Norton AV wasn't able to block the trojan from editing the registry (Optix Pro successfully blocked the AV at first), but Norton was later able to detect and quarantine the winampw.exe file. This caused all exes to stop running, as there's no more winampw.exe file. Here's how to get back control of your PC, as extracted from the Symantec page:

1. Stop the trojan process: Ctrl+Alt+Delete, scroll through the list, look for Kernel32.exe and then click End Process. If it's not there, then it's highly likely your antivirus was able to stop it from loading.
2. Go to the Windows folder, create a copy of regedit.exe, rename that copy to regedit.com and run regedit.com.
3. Using regedit, edit the following registry entry: HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command "winampw.exe %1" %* -> "%1" %*
4. Rerun the antivirus to scan your hard disk for more of the trojan.
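An added audit script, not part of this post or of Symantec's write-up, that checks the exefile open command the post describes for the hijack and optionally restores the stock value. It assumes a Windows NT-family host where PowerShell still launches (on a box where no .exe runs any more, the regedit.com trick above is the way in) and an elevated session for the repair.

```powershell
# Added example (not from the thread): audit the exefile open command that
# Optix Pro redirects through its server, and optionally restore it.
# Assumes Windows NT/2000/XP or later with PowerShell; run elevated for -Repair.
param([switch]$Repair)

$expected = '"%1" %*'   # stock value on a clean system

# HKCR merges these two; a per-user HKCU entry overrides HKLM, so check both.
$keys = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\SOFTWARE\Classes\exefile\shell\open\command'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : not present (normal for HKCU)"
        continue
    }

    # GetValue('') reads the key's (Default) value, which holds the command line.
    $current = (Get-Item $key).GetValue('')

    if ($current -eq $expected) {
        Write-Output "$key : OK ($current)"
        continue
    }

    # Anything else (e.g. "winampw.exe %1" %*) means every .exe launch is
    # being routed through a third binary.
    Write-Warning "$key : exefile handler modified -> [$current]"

    if ($Repair) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $expected
        Write-Output "$key : restored to $expected"
    }
}
```

Run it without -Repair first to see what the handler currently points at; the reported binary name is what to look for when scanning, since the next reply notes the server file can be given any name.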
Wow

Ok, first of all I wanna say that the Optix Pro trojan doesn't install as that exe, it's totally customizable, and also you can install it to any directory you want. I personally use the file name svchost.exe because most computers tend to have multiple versions of that running. So for those of you trying to get rid of this, you'll have to look for a lot more than winamp.exe or whatever ;D

As of now there aren't really any new trojan removers that Optix Pro doesn't kill. Optix looks for specific exe's and automatically terminates them when opened. I'm not sure if this works or not, but try renaming the exe file of any random trojan remover, it might work. After that, scan for j00r viruz!
Re: Wow

In resistance to removing this trojan, it varies under various methods not explained by the media, "usually." It's not as hard as you may think it is; here I will explain various methods and approaches to the removal of Optix Pro.

Methods:

Get a virus scanner which isn't killed by Optix Pro/Lite, as has been described above. Preferably I'd recommend 'Anti-Trojan 5.5 Build 421'; it will run a scan within your system for Optix Pro/Lite. To locate the file, search within the drive you have "Windows NT/2000/XP" presently installed on. By default Optix Pro/Lite stores its server file within %windir% or %winsys%.

Example:
%windir%: C:\WINDOWS
%winsys%: C:\WINDOWS\SYSTEM

Note: First search throughout the following directories to see if the server is installed under its default settings.

- Once you have located the file, confirm "Anti-Trojan 5.5 Build 421" to delete it. If it resists, download a tool called "Resource Hacker," which can be found via http://google.com

Using "Resource Hacker": Open reshack.exe and then open your server file.

Example: SERVER: winlogon.exe

- Once you've opened the exe, proceed to delete the following dirs within the exe: Icon, RCData (DVCLAL and Packageinfo).

Ok, now save your exe in the following dir to change the executable's settings: Save as..> winlogon.exe

NOTE: This will delete all the client options within the server, therefore the intruder cannot connect.

Ok great! You're almost done. What's next? Go into your Windows "Control Panel" and create a new administrative account. Give it password protection if needed... Back up your files in "My Documents," etc., if you wish to keep files that another user account has within "C:\Documents & Settings."

- Ok, backed them up? Delete your other user accounts and confirm to not keep their files. Therefore when you log in to your new account you are ensured you have no infections!

That's it bro, the trojan is disabled. I'm not sure of its AV killers though..
I'm sorry if this isn't related, but I don't know where else to turn. My computer started not working one day, and every time I attempted to open a file or program, it would give me an error message. The message is something like this, but not exact: "Windows cannot find the file winampw.exe. Please select the source of the file." Like I said, it is not exact, but something like that. I have missed my computer, and am forced to use the library to send emails. It has been like this for about a year, but I cannot afford to take it in. If you think you may be able to help me, please let me know. I would appreciate it greatly. I have Windows 98; my computer is a Hewlett Packard. I am unable to do anything on it because all that comes up is an error message. Please help. Thank you. Bushey

PS: my email is [email protected] if you can help. PLEASE.
Wow.. Looks like your system has been infected by Optix Pro 10. Please follow the instructions posted above.