Posted by mfc on April 10, 2007, 3:17 pm
Thanks...managed to kill it. It was a really nasty one and managed to hook itself to the winlogon process via a key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cmdmant
So that's one more startup place to look.
>> Please help, I have a trojan and am trying to kill it myself. All the free antivirus and spyware software have failed to kill it so far. Here is what I have done so far:
>>
>> 1. I have killed everything in the startup registry keys I can't verify to be genuine. I have just the following left:
>> a. ctfmon.exe - used by MS Office
>> b. avg7_cc - used by AVG antivirus
>> c. zonealarm client
>> d. nvcpldaemon - used by NVIDIA
>>
>> 2. The trojan was creating exes in the system32 directory, so I created text files of the same name and set them to read-only so they can't be overridden by the trojan.
>>
>> 3. I have checked that I do not have a login script attached to my profile.
>>
>> I believe the trojan cannot start now, but I still get errors using bootup:
>>
>> "The NTVDM CPU has encounted illegal instructions" and it gives the name of the exe that was being created by the trojan, which can't start now because it's been replaced by my read-only text file.
>>
>> My question is, what causes the NTVDM to try and execute? I cannot see anything in the startup.
>>
> Are you sure that you have removed *all* startup occurrences? To be
> completely sure, use the autoruns.exe utility from the Sysinternals suite.
>
> --
> With best regards
> Nickolay Domukhovsky, MCSA
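
An added example, not part of the original thread: a PowerShell audit of the Winlogon `Notify` key named in the post, listing each notification package and the DLL it loads so unfamiliar entries stand out. The function name `Get-WinlogonNotifyPackage` is hypothetical; `DllName` is the value Winlogon reads for each package, and a relative `DllName` is assumed here to live in System32.

```powershell
# Added example: enumerate Winlogon notification packages for review.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyPackage {
    param([string]$KeyPath = $notifyKey)

    # The key does not exist on Windows versions without notification packages.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }

    foreach ($sub in Get-ChildItem -LiteralPath $KeyPath) {
        $dll = $sub.GetValue('DllName')          # DLL loaded into winlogon.exe
        $full = $null; $exists = $false; $company = $null; $modified = $null

        if ($dll) {
            # Assumption: a bare file name is looked up in System32.
            if ([System.IO.Path]::IsPathRooted($dll)) { $full = $dll }
            else { $full = Join-Path (Join-Path $env:SystemRoot 'System32') $dll }

            if (Test-Path -LiteralPath $full) {
                $file     = Get-Item -LiteralPath $full -Force   # -Force: hidden files too
                $exists   = $true
                $company  = $file.VersionInfo.CompanyName        # empty on many droppers
                $modified = $file.LastWriteTime
            }
        }

        New-Object PSObject -Property @{
            Package  = $sub.PSChildName
            DllName  = $dll
            FullPath = $full
            Exists   = $exists
            Company  = $company
            Modified = $modified
        }
    }
}

# Newest DLLs first: a recently written DLL with no company name deserves a closer look.
Get-WinlogonNotifyPackage |
    Sort-Object Modified -Descending |
    Select-Object Package, DllName, Exists, Company, Modified, FullPath |
    Format-Table -AutoSize
```

The version-info company string is set by whoever built the file, so treat it as a triage hint and confirm suspicious entries with a tool such as Autoruns before deleting anything.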