
trojan horse backdoor.bionet 1

Status
Not open for further replies.

fst9999 (IS-IT--Management; joined Oct 17, 2002; 3 messages; location: US)
My AVG anti-virus software found the trojan horse backdoor.bionet virus in a file called windrv32.exe. I could not find this file in Windows Explorer but I found it in the registry. Is it safe to remove this file from the registry? The AVG antivirus program usually isolates or removes the affected file, but in this case it said it could not. Please advise.
 
What registry key? Is it a Run key? If so you could remove it from there. But that's not all you would need to do. Did it detect any other files as infected? Can you find any of these files: server.exe, bnhook.dll, c:\windows\libupdate.exe, c:\windows\bnhook.dll

Read this page here:

You might want to get and run BOClean. The makers say it can remove the bionet trojan. I'm not sure AVG can detect the whole trojan. You could try Moosoft's Cleaner as well. It's free to try.

 
Responding to Kento (and thank you): I am using Windows 2000 and startlog.com does not exist. The affected file is winnt\system32\windrv32.exe and I found it in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I looked at the data in windrv32 using Notepad:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"3c1807pd"="C:\\WINNT\\SYSTEM32\\3cmlink.exe RunServices \\Device\\3cpipe-3c1807pd"
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"WINDRV32"="WINDRV32.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"acocash"="C:\\Program Files\\fastdownload2\\fastdown.exe -auto"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"tcactive"=""
"tcmonitor"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Does any of this help?
I have run the following antivirus programs:
AVG, which continues to find the virus in windrv32.exe
PC-cillin, which found nothing
Trend Micro HouseCall, which found 3 viruses and cleaned them, but not the trojan backdoor bionet
I loaded The Cleaner from MooLive but it would not start up.
Thanks for listening; any advice is welcome.
 
Startlog.com isn't in Win2000. It's at the link I gave but it won't work in 2000, so ignore that. Anyway, delete the "WINDRV32"="WINDRV32.EXE" entry you found at that Run key. But there has to be more to this trojan than a registry entry. Can you find a windrv32.exe file anywhere in the system? If not, it might be a hidden file. Go into Folder Options, View tab, and tick 'Show all files', then OK out and search for that file and delete it. And did you find any of the files I mentioned before in my other reply? You might want to get BOClean and run it.

Do you know what this is?

"acocash"="C:\\Program Files\\fastdownload2\\fastdown.exe -auto"

It's a p**n (XXX) dialer. They don't like the P word used here. ;) I would suggest you get rid of that before it creates one very big phone bill.
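An added example, not from this thread or from any of the tools named in it: a small Python triage of a .reg export like the one posted above. It flags Run values whose program is given with no directory at all (as "WINDRV32"="WINDRV32.EXE" is), which is exactly the kind of entry that has to be located on disk, hidden or not, and verified before the value is deleted. The trimmed sample export and the KNOWN_BARE allow-list are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the Run-key export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"WINDRV32"="WINDRV32.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"tcactive"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Hypothetical allow-list of OS-provided programs that legitimately appear in
# Run without a directory; extend it for the machine being examined.
KNOWN_BARE = {'mobsync.exe', 'rundll32.exe'}

def parse_run_key(text):
    """Return {value name: command} for values directly under the CurrentVersion Run key."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current and current.lower().endswith(r'\currentversion\run'):
            # .reg escapes backslashes and quotes with a backslash; undo that
            entries[m.group('name')] = re.sub(r'\\(.)', r'\1', m.group('data'))
    return entries

def executable_of(command):
    """First token of the command line: a quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]

def suspicious_entries(entries):
    """Flag Run values whose program has no directory, so it is resolved through the
    loader's search order (system directory, PATH) rather than an explicit path."""
    flagged = {}
    for name, cmd in entries.items():
        if not cmd:            # empty values such as "tcactive" start nothing
            continue
        exe = PureWindowsPath(executable_of(cmd))
        if exe.parent == PureWindowsPath('.') and exe.name.lower() not in KNOWN_BARE:
            flagged[name] = exe.name
    return flagged

if __name__ == '__main__':
    for name, exe in suspicious_entries(parse_run_key(SAMPLE_REG)).items():
        print(f'{name}: {exe}  <- no directory given; locate and verify the file on disk')
```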
 
To Kento,
Thanks for all your help.
I removed fastdownload. I found windrv32 as a hidden file at winnt\system32\windrv32.exe. Then I found it in the Task Manager processes and ended it there. Then I ran AVG antivirus, which found it again and let me move it to a "virus vault". Obviously it could not do this while it was a running program. So now I worry that my computer needs the file windrv32, but so far the computer is running well. And I did not find any of those other files you mentioned previously.
Thanks again
fst9999
 
You're welcome.

"So now I worry that my computer needs the file windrv32"

It doesn't. That file was the trojan.
 
Gentlemen,
I erroneously downloaded an adult site; AVG antivirus (free version) kept spitting up TROJAN HORSE DIALER over and over.
I tried Ad-Aware and AVG .... basically I did a system restore on Windows ME and the trojan virus went sayonara
(BYE)
 