Something wrong with XP, after deleting a trojan "nrcs.exe"

jia.qinghua

Hi there,

I have a problem when XP restarts.

My anti-virus software, Nod32, detected and deleted a trojan file,
"nrcs.exe":

==============================

model type name virus operation user name information
core file c:\windows\nt\nrcs.exe a variant of Win32/TrojanProxy.Ranky
==============================



However, the following information jumps out every time the computer
restarts:
==============================

Windows can't find the file 'c:\windows\nt\nrcs.exe'. Please make sure
the file name is right and try again.
==============================



That's because the anti-virus deleted the trojan file, but didn't modify
the system restart information. I tried to find some clue in "msconfig",
and couldn't figure it out.

Could anyone shed some light on it?

Thanks
 
DL

Google, loads of info.
As it's malware you could also try Ad-Aware and SpyBot, both free and
designed specifically for malware detection/removal.
 
Wesley Vogel

Look in
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
or %allusersprofile%\Start Menu\Programs\Startup
and
C:\Documents and Settings\Your Name Here\Start Menu\Programs\Startup
or %userprofile%\Start Menu\Programs\Startup

for a shortcut to c:\windows\nt\nrcs.exe

If you find one, delete it.


Search your registry for any reference to nrcs.exe and delete the
reference(s).

Back up your registry first!!!

If you do not find one, open the Registry Editor...
Start | Run | Type: regedit | Click OK |
Hit your F3 key, type: nrcs.exe in the Find what box |
Click the Find Next button |
Delete every reference to nrcs.exe.

Keep hitting F3 until you see the Finished searching through the registry
message.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base:]]
256986 Description of the Microsoft Windows Registry
http://support.microsoft.com/default.aspx?kbid=256986

How to backup the Windows XP Registry
http://windowsxp.mvps.org/registry.htm

It is very possible that you will find nrcs.exe in the following keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft (R) Windows Vista/NT Runtime Compatibility Service = Windows folder\nt\\nrcs.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = Windows folder\nt\\nrcs.exe

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = Windows folder\nt\\nrcs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe Windows folder\nt\\nrcs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = Windows system folder\userinit.exe, Windows folder\nt\\nrcs.exe

Userinit should be: C:\Windows\System32\userinit.exe,
Yes, also the comma.

from...
http://info.ahnlab.com/securityinfo/virus_view_eng_new2.jsp?SEQ_NO=4783
--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
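
An added example, not part of the reply above: a Python sketch that scans the text of a registry export for leftover references in the autostart locations that reply lists, as an offline alternative to pressing F3 through regedit. The function name `find_leftovers`, the sample export and the stock `Shell`/`Userinit` values (Windows assumed to be installed in C:\Windows) are assumptions made for this illustration.

```python
import re
# Autostart locations named in the reply: (key path suffix, value name or None = any value).
AUTOSTART = [
    (r"\software\microsoft\windows\currentversion\run", None),
    (r"\software\microsoft\windows nt\currentversion\windows", "load"),
    (r"\software\microsoft\windows nt\currentversion\winlogon", "shell"),
    (r"\software\microsoft\windows nt\currentversion\winlogon", "userinit"),
]
# Assumed stock data (Windows in C:\Windows); anything appended is an extra program at logon.
EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
# Matches "name"="data" string values only; dword/hex values are ignored.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_leftovers(reg_text, needle):
    """Return (key, value name, unescaped data, reason) for autostart entries to review."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (key and m):
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        for suffix, wanted in AUTOSTART:
            if not key.lower().endswith(suffix) or wanted not in (None, name.lower()):
                continue
            if needle.lower() in data.lower():
                findings.append((key, name, data, "references " + needle))
            elif wanted in EXPECTED and data.lower() != EXPECTED[wanted]:
                findings.append((key, name, data, "differs from stock value"))
    return findings

# Constructed sample in registry-export text format (not taken from the poster's machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Vista/NT Runtime Compatibility Service"="C:\\WINDOWS\\nt\\nrcs.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\nt\\nrcs.exe"
"""

if __name__ == "__main__":
    for key, name, data, reason in find_leftovers(SAMPLE, "nrcs.exe"):
        print(f"{key}\n    {name} = {data}    [{reason}]")
```

A file exported from regedit in the "Windows Registry Editor Version 5.00" format is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. The export also serves as the registry backup made before any value is edited.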
