Virus aftermath: interesting difference of control of PC

The AV engine found these:
Hacktool.Rootkit
Infostealer
Trojan Horse
Trojan.Dropper
W32.Aimdes.C@mm

I should note the AV engine was not Avast.

Afterwards I could not load Avast or any other AV, nor tools such as regedt32, Sysinternals Process Explorer, HijackThis, etc. No policies were written. I could run regedt32 remotely and found nothing in the Run keys and such.

I found the problem in HKLM_MS_winnt_CV_image file execution. This had every file you could think of connected to AV, spyware and tools, each linked to "Debugger"="ntsd -d". This is a Win2k debugger file.

I also had a folder I386 on the system drive, which is not in the images we use. It was 1.1 GB in size and half an uncompressed WinXP install, with a slew of .mof files such as 2AA23BB86A5EBD8BC2D820944E55B233.mof.

I exported a clean reg of "HKLM_MS_winnt_CV_image file execution" from a good PC and imported the good one remotely. Once this was done I regained control of the infected PC. I should mention I hand-cleaned the PC of infected files that were left over after the AV scan beforehand.

My first step is to use Process Explorer to see what is going on in the background and see if I can shut down the active files causing the problems, thereby getting a handle on the system. Only this time I couldn't open it. I haven't tried to rename it and see if it will open. I will import the bad reg back in and see if this works. I assume it will.

I am alarmed that an infected PC appears to have downloaded over 1 GB of files across our network. This XP install copy came from an OEM Dell disk with most of the OEM stuff stripped out.
If anyone is interested I have the reg entry and info backed up, including a text file listing of the folder and the entire I386 folder, minus viruses of course.

If we used Avast none of this would have been a problem. It seems to me that over the last several months the payloads have been changing. This particular one allowed the PC to operate as normal for the user, but it killed SAP and ACAD, thereby alerting the user to a problem.

Roger Berning
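The hijack described above works because Windows consults HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name> before starting a program: if that subkey has a "Debugger" value, the command in it is launched instead and the real program is handed to it. With "ntsd -d" the tool is started under ntsd, which is told to send its output to a kernel debugger that is not attached, so the program never appears and looks as if it simply will not open. The poster's fix was to import a whole clean export of the key. The script below is an added example (not the poster's code, and not from Avast or Symantec) that does the same comparison offline: it parses two regedit exports, lists the "Debugger" entries that exist only in the infected one, and writes a .reg file that deletes just those values, leaving any legitimate IFEO settings for the same images untouched. The two exports embedded in it are constructed samples, not captures from the machine in the post.

```python
"""Find 'Debugger' hijacks under Image File Execution Options (IFEO) by
comparing a clean and an infected regedit export, and build an undo .reg.
Added example; not code from the original post."""
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options")

# Constructed sample exports (not captured from the machine in the post).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=""
"""

INFECTED_REG = CLEAN_REG + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe]
"Debugger"="ntsd -d"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')


def unquote(raw):
    """Turn a .reg string literal back into text; leave dword:/hex: as-is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {key path: {value name: value}} for a regedit 5.00 export.
    (Multi-line hex values with '\\' continuations are not needed here.)"""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
        elif current is not None:
            if line.startswith("@="):          # default value
                keys[current]["@"] = unquote(line[2:])
            else:
                m = VAL_RE.match(line)
                if m:
                    keys[current][m.group("name")] = unquote(m.group("val"))
    return keys


def debugger_entries(keys):
    """image name (lower-cased) -> Debugger command, for IFEO subkeys only.
    Registry keys and value names are case-insensitive, so normalise both."""
    prefix = IFEO.lower() + "\\"
    out = {}
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                out[key[len(prefix):].lower()] = value
    return out


def find_hijacks(clean_text, infected_text):
    """Debugger entries in the infected export that the clean one lacks
    (or has with a different command), as sorted (image, command) pairs."""
    good = debugger_entries(parse_reg(clean_text))
    bad = debugger_entries(parse_reg(infected_text))
    return sorted((img, cmd) for img, cmd in bad.items() if good.get(img) != cmd)


def undo_reg(hijacks):
    """A .reg that removes only the Debugger value of each hijacked subkey.
    '"Name"=-' is regedit's delete-value syntax; it does not touch the
    subkey's other values, unlike replacing the whole IFEO key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacks:
        lines += ["[%s\\%s]" % (IFEO, image), '"Debugger"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_hijacks(CLEAN_REG, INFECTED_REG)
    for image, cmd in found:
        print("%-20s Debugger=%s" % (image, cmd))
    print(undo_reg(found))
```

On a real machine the two inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` run on the good and the bad PC; regedit 5.00 exports are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in. Importing the generated file with `regedit /s undo.reg` (or `reg import`) drops the hijacked Debugger values and the blocked tools start again; an empty result from `find_hijacks` means the block is somewhere other than IFEO.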


Welcome to the forums, healthpc. :)

Thanks for posting the information above.

Please come back to visit often.


No problem mentioning it here; on the contrary, it's good to know that avast detection should improve.
Was it an on-line scanner?

"Was it an on-line scanner?"

To be fair, this was in an enterprise environment and the engine is 2 years old, though updates are current. The AV is Symantec. It generally finds things after they occur, whereas the new one is more proactive. Generally we just wipe and reload an image and call it done. But it does allow me the opportunity to go through a clean process and put the PC back to a normal state. This was something I hadn't seen yet and I thought it might be helpful to someone else. The things some people do for fun. ;D

Roger Berning