Link to home
Start Free TrialLog in
Avatar of carlosmolina100
carlosmolina100

asked on

I have a Trojan Horse -- CENF.EXE -help

Apparently, my PC works fine.

I have detected a program called CENF.EXE, who was accesing to IP  81.176.66.26 port 119.  

When I cancel this program from the task manager, it reactivates automatically when I run any program.

Also, when I'm trying to access to REGEDIT, appears an error message "Memory access violation in module kernel 2 at 4849: ..." etc..etc

I think it's like a virus.. or a trojan horse.

I don't want to reinstall my Windows. Any help ?

Meanwhile I change the routing of that IP to anywhere.
Avatar of Sebo2000
Sebo2000

Is it CENF.exe or CONF.EXE ???
Avatar of carlosmolina100

ASKER

C:\winnt\CENF.EXE

14/11/2003  05:08p             106,496 cenf.exe
it is something new, that I guess is pretending to be NetMeeting, and is connecting to some news server, you can run net monitor and see what data is beeing posted to that server. I was accually able to find the guy that usedthis IP to post to usenet, that was his last post:

Thank you Red. I locate the MGWIN.INI and edit it as listed here but no
luck. The program keeps on asking for UserName and Code. I think I may not
do it correctly since I am not a computer expert. Please give me further
guidiance.
"Red Rackham" <astaga@pirate.com> wrote in message
news:Xns942CC2C02290Fastagapiratecom@81.176.66.26...
> The correct registration code is stored in the MGWIN.INI
> as follows :
> [REG]
> UserName=PIRATES ORDER
> RegCode=VYHH7EUG
>
> MGUTIL_WIN.INI
> [REG]
> UserName=PIRATES ORDER
> RegCode=6D7X4CHA
>
> PRIVACY_WIN.INI
> [REG]
> Times=1
> 1=1049773538
> UserName=PIRATES ORDER
> RegCode=A6GJJEF9
>
>
>
>
>
> "Free Hui" <fhui01@oacbell.net> wrote in
> news:7vFqb.3313$7g2.2390@newssvr29.news.prodigy.com:
>
> > Andy, Thank you for your code. When I enter the User Name and code, I
> > have to restart the program to verify. When I restart the program, the
> > program requests to enter user name and code again. Any further help?
> > "Andy" <Andy@nomail.com> wrote in message
> > news:ejilqv8ih3d5fva5uiu68qiqm0ogadvqnt@4ax.com...
> >> On Thu, 06 Nov 2003 21:55:45 GMT, "Free Hui" <fhui01@oacbell.net>
> >> wrote:
> >>
> >> >Can any one post a register code for me? Thank you.
> >> >
> >> Free Hui
> >> F3DC3C3A

it's good that you redirected the traffic, so far no fix from the symantec for that.

Take Care
Sebo
Thanks for answer Sebo.  How do you obtained the information about the guy who posted to Usenet ?.

I found that IP with Nslookup --> news.rt.ru (from Russia ??)

C:\WINNT>nslookup
> 81.176.66.26
..
...

Name:  news.rt.ru
Address:  81.176.66.26

Nobody have the same problem ?
What I have to do ?
Try to use regedt32 instead of regedit to see if you can get to the registry to locate the launch for CENF.EXE.

Since it can put itself back, it's checking for its .EXE and rebuild as needed.  What you may want to try is to boot to recovery console and remove it from there.  Use your CD to do a repair install or to install the recovery console by running from your CD...i\386\winnt32.exe /cmdcons.....

Please send me the CENF.EXE for analysis and for my cybersecurity class....
Digitrash@hotmail.com or nguyentd@pgcc.edu.

cheers
When I run regedt32 appears a message box saying something like "Administrator has disabled the modification of the Registry"   :(

Using the console, when I rename cenf.exe to cenf.exxxx, and then cancel the process with the task manager, then I can't run any command or program (appears a message like: "can't find the program or some of the components")    :(

I'll wait some days before repair my Windows.  

I sent you the cenf.exe file.  Maybe you can find a clue to avoid repair the Windows.
You have a client installed on your machine!


C entral  E urope  N ews  F lash     - cenf.exe

Whois results for: news.rt.ru (rt.ru)

news://news.rt.ru/ *****this is interesting*****

domain:     RT.RU
type:       CORPORATE
nserver:    ns.rt.ru. 195.161.0.135
nserver:    ns2.rt.ru. 195.161.3.22
nserver:    ns.rtcomm.ru.
nserver:    ns2.rtcomm.ru.
state:      REGISTERED, DELEGATED
org:        OJSC "Rostelecom"
phone:      +7 095 9732139
phone:      +7 095 7872849
fax-no:     +7 095 9733074
fax-no:     +7 095 7872850
e-mail:     uit@nmc.rospac.ru
e-mail:     ved@nmc.rospac.ru
e-mail:     registry@rt.ru
e-mail:     for@nmc.rospac.ru
registrar:  RUCENTER-REG-RIPN
created:    1997.01.14
paid-till:  2004.02.01
source:     RIPN


Last updated on 2003.11.28 08:35:46 MSK/MSD

I would email them and find out everything you can!

good luck
wtrmk74
I got that info from www.deja.com its web that holds all the recors of the messages that were posted in the news groups, I think some russian dude is testing new exploit, check your firewall , and try to think of the software that you installed lately.
Take Care
Sebo
Thanks wtrmk74.. i'll be waiting.

Also, thanks Sebo for the info.  I have installed some software from unknown people... :S..
I know it.

Carlos Molina

>> "Administrator has disabled the modification of the Registry"

It sounds like you have been rooted.... Which account are you using?  Go into the User and group to see if there is any administrator account that should NOT be there.  The intruder may have created dummy account for you and took over the administrator's account.  The intruder may have set registry entry to relaunch or check for cenf.exe process, so he didn't want you to access the registry.  

Accessing and cleaning up the registry may be the key to solving the problem.  When did you run an ERD or SP?  If it's recent you can try the following:

1. You can mount the drive as slave to another system.
2. Make the backup of the current files c:/winnt/system32/config
3. Copy the registry files from c:/repair/regback
4. Reinstall drive and reboot your system

>> I sent you the cenf.exe file.
Which account did you send it to ?

cheers.....
I sent CENF.EXE  file to both addresses: Digitrash@hotmail.com <Digitrash@hotmail.com>
nguyentd@pgcc.edu <nguyentd@pgcc.edu>

There's no more account names.   I think he had the rights because my default account is administrator, and I ran many programs I downloaded from kazaa.

Sorry,  I don't understand how to "mount the drive as slave to ...".      Also, I can't find the c:/repair folder.   I found c:\winnt\repair, but not regback.

What means "reinstall drive"...   I believe that I need more details    :(    

Thank you.
did you get a chance to email the developers yet!

I think Gnart is talking about pulling your hard drive out of that computer and adding  it as a slave to another functioning computer.

This is done by changing the jumper settings on the back of the drive.

wtrmk74
ASKER CERTIFIED SOLUTION
Avatar of Gnart
Gnart

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Carlos,

Would you please send CENF.exe again?  It didn't get to either one of my addresses.  Send to the following, take out the "AT" and replace it with @:

digitrashAThotmail.com, nguyentdATpgcc.edu, tdn4itATyahoo.com, tdn4itAThotmail.com,
gnartAThotmail.com, INetmailerATgmx.net.

Hopefully one of them will get through.

TIA - cheers....

Sorry for the delay to response.  Searching the web, last Saturday I downloaded a demo version from http://www.innosetup.com of the "Trojan Remover". Then it found and removed the "Worm/Swen" virus or trojan.

Thanks to all for help me, specially to Gnart  
-- Someday, I will use your procedure :)) --
I sent the CENF.EXE file to the other address.

Regards,

Carlos


***** NORMAL SCAN FOR ACTIVE TROJANS *****
Trojan Remover Ver 6.1.3. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 29/11/2003 12:53:33
Using Database v6056
Operating System: Microsoft Windows 2000 Version: 5.0 (Build: 2195 )
-----------------------------------
Checking Registry exefile command for modifications
The exefile\shell\open\command Registry Key loads the following program:
C:\WINNT\cenf.exe - this file appears to contain Worm/Swen.
Trojan Remover has restored the Registry exefile\shell\open key.
C:\WINNT\cenf.exe has been renamed to C:\WINNT\cenf.ex$.
--------------------
Checking for traces of the Internet Worm VBS/LifeStages
------------------------------
12:54:21 : Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINNT
------------------------------
12:54:21 : Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINNT
------------------------------
12:54:21 : Scanning -----WINDOWS REGISTRY-----
Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd ...
..
..


Glad everything worked out for you !

Remember to assign your points and close this thread !


Have a great holiday season
and New Year !

wtrmk74
I assigned the points to Gnart, because I can't assign to the Trojan Remover...ha..ha...

Thank you for your efforts Gnart (and for all). I learned a bit more.

I forgot to recommend Active Ports, a freeware software, because it helped me to know on-line (better to use netstat -a) about TCP and UDP connections, and the process related to each listen port and established connections.  If somebody knows something better (and freeware), pls tell me.

~~~~~~~~~~~~~~~~~~~~
Program information
~~~~~~~~~~~~~~~~~~~
Program Archive Name:
 aports.zip
Program Name:
 Active Ports
Target OS:
 Windows NT/2000/XP
Program Description:
 Shows all open TCP/IP and UDP ports
Software type:
 Freeware
Company Name:
  SmartLine Inc.
Contact WWW URL:
  http://www.ntutility.com

Regards,

Carlos