Enterprise trojan gagging regedit?

Guest

Okay, couple of days ago, I did something stupid and opened an email apparently from my ISP. It turns out that Cyberus has apparently been targeted by the same dipwads running that "Microsoft Critical Update" email worm.

I ran AdAware and the free version of Spyhunter, and Spyhunter identified it as the Enterprise trojan living in my winupd.exe process. I've tried simply ending the process and deleting it, but it just regenerates, sometimes in mere seconds.

Firewalls are active, so I don't think it's actually managing to do anything online, but it's eating up processor speed and generally annoying me.

Just did a websearch and found this page ( http://www.dark-e.com/archive/trojans/enterprise/index.shtml ), which tells me to use regedit to edit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Whenever I try to open regedit however, it closes after 1-2 seconds and winupd promptly regenerates.

Is there any way to open regedit without waking up this little demon?
 
Bruce Chambers

Greetings --

The type of behavior you describe, which also often applies to
Taskmgr.exe and MSConfig.exe (for WinXP), is typical behavior of more
than one virus/worm, the three below being the most common:

W32.Klez
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Yaha
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

W32.Spybot.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Because many of the newer viruses and worms, such as the
Spybot mentioned above, can disable antivirus applications whose
definitions aren't kept up-to-date, try using one or more of the free
on-line scanners to double-check your system.

Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/

McAfee Security - FreeScan
http://www.mcafee.com/myapps/mfs/default.asp

Symantec Security Check
http://security.symantec.com/ssc/home.asp


Bruce Chambers

--
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Guest

Sounds like you have solved your problem, but in case you didn't, I had the same problem and I think I've fixed it. I downloaded, ran, updated, and ran again, both Spybot and AdAware (freeware you can get easily if you Google the names). I think those programs found and took out the HKEY. files, but I was still having the problem, as the winupd.exe file was still there and running and sucking up my CPU usage. Pestpatrol.com had information that said you should delete the following files from your machine by using Windows Explorer: "enterprise.exe", "leiame.txt", and "winupd.exe" if you have them on your computer. I actually deleted all the "winupd" files on my computer, since they all indicated that they were modified at the same time--the time I stupidly opened an e-mail attachment purportedly from my ISP. This thing was pernicious and annoying, but hopefully we've both gotten it fixed. Actually, your original e-mail helped me and I doubt I would have figured it out without paying a techie, so thanks!
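
Added example (not part of any post in this thread): a PowerShell sketch that reads the Run key named in the first post through the registry provider instead of the regedit GUI, and reports each entry's target file, its last-modified time, and whether its name matches the executables named above. The HKCU key, the function names, and the sample command lines are assumptions added for illustration; PowerShell 3 or later is assumed.

```powershell
# Added example: list Run-key autostart entries without opening regedit.
# The flagged file names are the executables named in this thread.
$SuspectNames = @('winupd.exe', 'enterprise.exe')
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # key named in the thread
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user counterpart
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Run values may be quoted ("C:\a b\x.exe" /s) or bare (C:\a b\x.exe /s).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-RunEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $exe  = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $Command))
    $leaf = ($exe -split '[\\/]')[-1]
    $file = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-Item -LiteralPath $exe -Force } else { $null }
    [pscustomobject]@{
        Key      = $Key
        Name     = $Name
        Exe      = $exe
        Suspect  = $SuspectNames -contains $leaf       # case-insensitive match
        Modified = if ($file) { $file.LastWriteTime } else { $null }
    }
}

function Get-RunEntryReport {
    foreach ($path in $RunKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            Test-RunEntry -Key $path -Name $valueName -Command ([string]$key.GetValue($valueName))
        }
    }
}

# Constructed sample values (not taken from an infected machine) to show the parsing.
Test-RunEntry 'sample' 'Updater' '"C:\WINDOWS\System32\winupd.exe" /background'
Test-RunEntry 'sample' 'Tray' 'C:\Program Files\Vendor\tray.exe -min'

# On a Windows host, report the live entries.
Get-RunEntryReport
```

Entries with Suspect set to True, or with a Modified time that lines up with when the attachment was opened, are the ones to examine first.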
 