> Trojan.Win32.Pakes.x3
MrD
post 30.06.2007 00:16
Post #1


Member
**

Group: Members
Posts: 22
Joined: 20.12.2006




Hi
Today I got my first trojan/virus in about 10 years!
Well I started my computer as usual and about 3 minutes later when KIS auto updated, a warning pops up:

Trojan.Win32.Pakes.x3 in c:\windows\regedit.exe 145 KB

So I press neutralize, then delete...

A new warning says that "regedit.exe.new" wasn't found in C:\WINDOWS\system32\dllcache.

Then I start a scan of my C-drive...

One more is found in c:\i386\regedit.exe

How can I be sure that the trojan isn't active any more?

I've been running KIS 6 month... no warnings earlier, and my protection settings are set to "recommended". Critical areas are scanned every day with the highest setting.
I don't know where this trojan came from...
I was online surfing a couple of hours earlier, but no warnings from KIS at that time.
Lucian Bara
post 30.06.2007 00:18
Post #2


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




hello
it's a false alarm, please wait, it will be fixed in the next updates.

This post has been edited by Lucian Bara: 30.06.2007 00:18
GakunGak
post 30.06.2007 00:22
Post #3


Member
**

Group: Members
Posts: 11
Joined: 19.02.2006




Same thing happened to me, but this time mine is real and infected so I told KIS 7 to delete it...
Still scanning, could someone e-mail me a regedit.exe to ~no email please~ for WinXP +SP2 english!
This is an emergency!!!!

This post has been edited by Lucian Bara: 30.06.2007 00:24
Lucian Bara
post 30.06.2007 00:24
Post #4


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




You can restore it from the backup. Click on the protection status, go to the backup tab and restore the file, but SFC should normally automatically restore the deleted regedit.
MrD
post 30.06.2007 00:26
Post #5


Member
**

Group: Members
Posts: 22
Joined: 20.12.2006




Ok, I also pressed delete on my files (in my first post). Do I need those files, and should I restore them? Never noticed that win xp sp2 has so many regedit-files..!?
Lucian Bara
post 30.06.2007 00:32
Post #6


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




QUOTE(MrD @ 29.06.2007 23:26)
Ok, I also pressed delete on my files (in my first post). Do I need those files, and should I restore them? Never noticed that win xp sp2 has so many regedit-files..!?

restore them, here's an animation on how to do it (with v7), with v6 click on the statistics link in the main window

user posted image
MrD
post 30.06.2007 00:37
Post #7


Member
**

Group: Members
Posts: 22
Joined: 20.12.2006




Fantastic service from you...
Many thanks Lucian!
G4nj4
post 30.06.2007 02:26
Post #8


Member
**

Group: Members
Posts: 22
Joined: 4.05.2007




False Alarm?!?!!??!?!!?
Are you sure???
I just got this same friggen trojan, same symptoms, it infected regedit and upon deletion it created a regedit.exe.new!!!

Upon googling this trojan I get this:
http://www.kaspersky.com/viruswatchlite?se...3&hour_offset=4

I was this close to formatting.
Please, please tell me this is really a false alarm!!
And if so how the hell is Kaspersky even thinking it's a threat? I don't understand, someone please explain!!
I mean if it's a false alarm then why is it creating a regedit.exe.new? Isn't that typical behaviour of a virus? Or did Kaspersky make that new regedit?

This post has been edited by G4nj4: 30.06.2007 02:32
Baz^^
post 30.06.2007 02:31
Post #9


Wrestling Champion
**************

Group: Gold beta testers
Posts: 8799
Joined: 10.03.2007




It is a false alarm as stated. Every anti virus software has false detections from time to time (it happens), Kaspersky has a very low rate of false detections and it is being corrected as we speak. You can restore from backup as shown in the animation above.

A false detection happens when a new malicious software signature is added to detections, but this signature also mistakenly flags a non malicious file as infected because it has a similarity to an infected file (for example)

This post has been edited by MAPKOBKA^^: 30.06.2007 02:33


--------------------
Kind Regards,

Baz
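
An added illustration of the false-detection mechanism described in the post above (example code written for this page, not part of the original thread and not Kaspersky's engine). It uses constructed byte strings as stand-in files and hypothetical signature sets to show a pattern that is too broad flagging a clean file, and how a corrected signature or a known-good hash list clears it:

```python
import hashlib

# Constructed byte strings standing in for files; none of this is a real sample.
SHARED_BYTES = b"\x10\x20\x30\x40\x50\x60"      # bytes both files happen to contain
MALICIOUS = b"MZ" + SHARED_BYTES + b"|constructed-bad-payload"
SYSTEM_TOOL = b"MZ" + SHARED_BYTES + b"|legitimate-registry-editor"
UNRELATED = b"MZ|plain-program"

# Hypothetical signature sets: detection name -> byte pattern.
SIGS_BROAD = {"Trojan.Example.a": SHARED_BYTES}                        # shared bytes only
SIGS_FIXED = {"Trojan.Example.a": SHARED_BYTES + b"|constructed-bad"}  # corrected update


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures: dict, known_good: frozenset = frozenset()):
    """Return the first matching detection name, or None if nothing matches.

    known_good holds SHA-256 hashes of vetted files; those are never flagged.
    """
    if sha256_hex(data) in known_good:
        return None
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def report(files: dict, signatures: dict, known_good: frozenset = frozenset()) -> dict:
    """Scan every file and return {filename: detection name or None}."""
    return {name: scan(data, signatures, known_good) for name, data in files.items()}


# File names are labels for the constructed samples above.
FILES = {"dropper.bin": MALICIOUS, "regedit.exe": SYSTEM_TOOL, "notepad.exe": UNRELATED}

if __name__ == "__main__":
    print("broad signature  :", report(FILES, SIGS_BROAD))
    print("after update     :", report(FILES, SIGS_FIXED))
    allow = frozenset({sha256_hex(SYSTEM_TOOL)})
    print("broad + allowlist:", report(FILES, SIGS_BROAD, allow))
```

With the broad signature both the constructed dropper and the clean tool are reported; after the corrected signature, or with the clean file's hash on the known-good list, only the dropper is.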
G4nj4
post 30.06.2007 02:36
Post #10


Member
**

Group: Members
Posts: 22
Joined: 4.05.2007




Ok ok, so then why did regedit.exe.new get created? Did Kaspersky do that?
And also I deleted everything from backup.
How can I get regedit up and running again? 'Cause it's no longer there :(

Can I just download it from google or something?
sehh
post 30.06.2007 12:10
Post #11


Member
**

Group: Members
Posts: 17
Joined: 12.09.2006




A few days ago I removed my KAV6 and installed KAV7, just to play around (trial license for now).

Before uninstalling KAV6, I did a full system scan which found nothing.

Today KAV7 says that I've got a: Trojan.Win32.Pakes.x3

File with trojan is: c:\windows\regedit.exe

Could this be a false positive or is this a real trojan which KAV6 couldn't detect? If it's a real trojan, then what does it do? What kind of damage has it done?


PS:
windows xp (sp2) also pops up a window that says:
"Windows File Protection, files that are required to run windows have been replaced by unrecognized ones... etc etc"
Lagerx
post 30.06.2007 12:35
Post #12


Advanced Member IV
******

Group: Gold beta testers
Posts: 750
Joined: 12.02.2007
From: Estonia




You need to look at what Lucian Bara said.
You can restore it from backup.
Lagerx
post 30.06.2007 12:36
Post #13


Advanced Member IV
******

Group: Gold beta testers
Posts: 750
Joined: 12.02.2007
From: Estonia




http://forum.kaspersky.com/index.php?showtopic=42082
It's a false alarm. It's repaired now I think. Update signatures.

This post has been edited by Lagerx: 30.06.2007 12:37
sehh
post 30.06.2007 13:53
Post #14


Member
**

Group: Members
Posts: 17
Joined: 12.09.2006




problem solved, thanks!!
misacuenta
post 30.06.2007 14:18
Post #15


Advanced Member I
***

Group: Members
Posts: 127
Joined: 10.03.2006
From: Spain




The same problem: yesterday it detected the virus "Packed.Win32.PolyCrypt.b" in the file "PrintServer130.exe" (WordPerfect X3) (and KIS deleted the file), and now, after updating the signatures, KIS does not detect the virus. I restored them.


--------------------
KIS 7.0.1.325
Proc. AMD Dual Core
Whizard
post 30.06.2007 21:22
Post #16


Professional
***************

Group: Moderators
Posts: 20710
Joined: 19.11.2005
From: Toronto/Canada




So if you restore, will the problem still be present?


--------------------
Networking and Security Guru
~^Whizard^~
misacuenta
post 1.07.2007 14:56
Post #17


Advanced Member I
***

Group: Members
Posts: 127
Joined: 10.03.2006
From: Spain




QUOTE(Whizard @ 30.06.2007 18:22)
So if you restore, will the problem still be present?


No, with the new signatures update the problem is solved; it does not detect the virus in the file. Thanks :)


--------------------
KIS 7.0.1.325
Proc. AMD Dual Core
gammax500
post 2.07.2007 01:07
Post #18


Newbie
*

Group: Members
Posts: 2
Joined: 2.07.2007




I've read the post http://forum.kaspersky.com/index.php?showtopic=42082 that talks about this detection report - which seems to say this is a false detection and that the next KAV update would correct it. However I have run updates and still receive this report on a full scan.

The complete detected error says:
"detected: Trojan program Trojan.Win32.Pakes.x3 Running module: regedit.exe\regedit.exe"

I'm not sure how to proceed -- would appreciate any advice.

BTW because this is regedit, I have NOT tried to do anything to this file (like neutralize or remove)

Thanks -

This post has been edited by gammax500: 2.07.2007 01:09
Lucian Bara
post 2.07.2007 01:11
Post #19


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




Hello,
do another update, reboot,
then right click on protection, choose reports, and in the detected tab right click and select discard all. Do another scan on the file.

If it still occurs, post the database information posted under service (release date) & an update report.

This post has been edited by Lucian Bara: 2.07.2007 01:11
Piston Ron
post 2.07.2007 03:11
Post #20


Kaspersky Fan I
********

Group: Members
Posts: 1479
Joined: 25.04.2005
From: Lebanon, Ohio




QUOTE(gammax500 @ 1.07.2007 17:07)
I've read the post http://forum.kaspersky.com/index.php?showtopic=42082 that talks about this detection report - which seems to say this is a false detection and that the next KAV update would correct it.  However I have run updates and still receive this report on a full scan. 

The complete detected error says:
"detected: Trojan program Trojan.Win32.Pakes.x3  Running module: regedit.exe\regedit.exe"

I'm not sure how to proceed -- would appreciate any advice.

BTW because this is regedit, I have NOT tried to do anything to this file (like neutralize or remove)

You're using WinXP SP2, correct? You should have several copies of regedit.exe on your HD. Back one up on a CD, Flash Drive, 5.25 Floppy [grin], whatever. Here are all of the copies of regedit in my C:\Windows directory.

http://img74.imageshack.us/img74/6378/kis57oh2.jpg

Since the current version of regedit for Windows was released with SP2, you can always burn a copy of the SP2 CD.

http://www.microsoft.com/windowsxp/sp2/default.mspx

When I was using dialup, I ordered one. Small postage/media charge, and I got it in the mail the next day.

Ed. Note.: BTW, this FP has been fixed, correct? I never got a hit myself with my AVS 6.0.2.621 install, with riskware category unchecked.

Ron :)


This post has been edited by Piston Ron: 2.07.2007 03:15