Go Premium for a chance to win a PS4. Enter to Win


I have a Trojan Horse -- CENF.EXE -help

Posted on 2003-11-27
Medium Priority
Last Modified: 2016-03-23
Apparently, my PC works fine.

I have detected a program called CENF.EXE, who was accesing to IP port 119.  

When I cancel this program from the task manager, it reactivates automatically when I run any program.

Also, when I'm trying to access to REGEDIT, appears an error message "Memory access violation in module kernel 2 at 4849: ..." etc..etc

I think it's like a virus.. or a trojan horse.

I don't want to reinstall my Windows. Any help ?

Meanwhile I change the routing of that IP to anywhere.
Question by:carlosmolina100
  • 7
  • 4
  • 3
  • +1

Expert Comment

ID: 9833693
Is it CENF.exe or CONF.EXE ???

Author Comment

ID: 9833718

14/11/2003  05:08p             106,496 cenf.exe

Expert Comment

ID: 9833734
it is something new, that I guess is pretending to be NetMeeting, and is connecting to some news server, you can run net monitor and see what data is beeing posted to that server. I was accually able to find the guy that usedthis IP to post to usenet, that was his last post:

Thank you Red. I locate the MGWIN.INI and edit it as listed here but no
luck. The program keeps on asking for UserName and Code. I think I may not
do it correctly since I am not a computer expert. Please give me further
"Red Rackham" <astaga@pirate.com> wrote in message
> The correct registration code is stored in the MGWIN.INI
> as follows :
> [REG]
> RegCode=VYHH7EUG
> [REG]
> RegCode=6D7X4CHA
> [REG]
> Times=1
> 1=1049773538
> RegCode=A6GJJEF9
> "Free Hui" <fhui01@oacbell.net> wrote in
> news:7vFqb.3313$7g2.2390@newssvr29.news.prodigy.com:
> > Andy, Thank you for your code. When I enter the User Name and code, I
> > have to restart the program to verify. When I restart the program, the
> > program requests to enter user name and code again. Any further help?
> > "Andy" <Andy@nomail.com> wrote in message
> > news:ejilqv8ih3d5fva5uiu68qiqm0ogadvqnt@4ax.com...
> >> On Thu, 06 Nov 2003 21:55:45 GMT, "Free Hui" <fhui01@oacbell.net>
> >> wrote:
> >>
> >> >Can any one post a register code for me? Thank you.
> >> >
> >> Free Hui
> >> F3DC3C3A

it's good that you redirected the traffic, so far no fix from the symantec for that.

Take Care
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.


Author Comment

ID: 9834026
Thanks for answer Sebo.  How do you obtained the information about the guy who posted to Usenet ?.

I found that IP with Nslookup --> news.rt.ru (from Russia ??)


Name:  news.rt.ru

Nobody have the same problem ?
What I have to do ?
LVL 13

Expert Comment

ID: 9834624
Try to use regedt32 instead of regedit to see if you can get to the registry to locate the launch for CENF.EXE.

Since it can put itself back, it's checking for its .EXE and rebuild as needed.  What you may want to try is to boot to recovery console and remove it from there.  Use your CD to do a repair install or to install the recovery console by running from your CD...i\386\winnt32.exe /cmdcons.....

Please send me the CENF.EXE for analysis and for my cybersecurity class....
Digitrash@hotmail.com or nguyentd@pgcc.edu.


Author Comment

ID: 9835008
When I run regedt32 appears a message box saying something like "Administrator has disabled the modification of the Registry"   :(

Using the console, when I rename cenf.exe to cenf.exxxx, and then cancel the process with the task manager, then I can't run any command or program (appears a message like: "can't find the program or some of the components")    :(

I'll wait some days before repair my Windows.  

I sent you the cenf.exe file.  Maybe you can find a clue to avoid repair the Windows.

Expert Comment

ID: 9835252
You have a client installed on your machine!

C entral  E urope  N ews  F lash     - cenf.exe

Whois results for: news.rt.ru (rt.ru)

news://news.rt.ru/ *****this is interesting*****

domain:     RT.RU
type:       CORPORATE
nserver:    ns.rt.ru.
nserver:    ns2.rt.ru.
nserver:    ns.rtcomm.ru.
nserver:    ns2.rtcomm.ru.
org:        OJSC "Rostelecom"
phone:      +7 095 9732139
phone:      +7 095 7872849
fax-no:     +7 095 9733074
fax-no:     +7 095 7872850
e-mail:     uit@nmc.rospac.ru
e-mail:     ved@nmc.rospac.ru
e-mail:     registry@rt.ru
e-mail:     for@nmc.rospac.ru
created:    1997.01.14
paid-till:  2004.02.01
source:     RIPN

Last updated on 2003.11.28 08:35:46 MSK/MSD

I would email them and find out everything you can!

good luck

Expert Comment

ID: 9837703
I got that info from www.deja.com its web that holds all the recors of the messages that were posted in the news groups, I think some russian dude is testing new exploit, check your firewall , and try to think of the software that you installed lately.
Take Care

Author Comment

ID: 9838813
Thanks wtrmk74.. i'll be waiting.

Also, thanks Sebo for the info.  I have installed some software from unknown people... :S..
I know it.

Carlos Molina

LVL 13

Expert Comment

ID: 9840363
>> "Administrator has disabled the modification of the Registry"

It sounds like you have been rooted.... Which account are you using?  Go into the User and group to see if there is any administrator account that should NOT be there.  The intruder may have created dummy account for you and took over the administrator's account.  The intruder may have set registry entry to relaunch or check for cenf.exe process, so he didn't want you to access the registry.  

Accessing and cleaning up the registry may be the key to solving the problem.  When did you run an ERD or SP?  If it's recent you can try the following:

1. You can mount the drive as slave to another system.
2. Make the backup of the current files c:/winnt/system32/config
3. Copy the registry files from c:/repair/regback
4. Reinstall drive and reboot your system

>> I sent you the cenf.exe file.
Which account did you send it to ?


Author Comment

ID: 9841375
I sent CENF.EXE  file to both addresses: Digitrash@hotmail.com <Digitrash@hotmail.com>
nguyentd@pgcc.edu <nguyentd@pgcc.edu>

There's no more account names.   I think he had the rights because my default account is administrator, and I ran many programs I downloaded from kazaa.

Sorry,  I don't understand how to "mount the drive as slave to ...".      Also, I can't find the c:/repair folder.   I found c:\winnt\repair, but not regback.

What means "reinstall drive"...   I believe that I need more details    :(    

Thank you.

Expert Comment

ID: 9842886
did you get a chance to email the developers yet!

I think Gnart is talking about pulling your hard drive out of that computer and adding  it as a slave to another functioning computer.

This is done by changing the jumper settings on the back of the drive.

LVL 13

Accepted Solution

Gnart earned 40 total points
ID: 9843446
>> I sent CENF.EXE  file to both addresses: Digitrash@hotmail.com
>> nguyentd@pgcc.edu
Thanks, I checked digitrash and didn't see it.  I will check again.  I have not had the chance to check nguyentd because they are down for service.

>> I think he had the rights because my default account is administrator, and I ran many programs I downloaded from kazaa.
He sure did.  Did you have a password on it?  If you did, he probably installed a backdoor to your machine with a keystroke logger and emailed your password to himself.  After that you are done.

>> Also, I can't find the c:/repair folder.   I found c:\winnt\repair, but not regback.
Look like you never did a service pack or create a Emergency Repair Disk for your machine, else the \regback would be there.  The files in c:\winnt\repair are the registry files when you first installed your Windows.  You can take control of your system by restoring them, but the registry entries for your software would not be there.  Let's try something else "see below"

>> Sorry,  I don't understand how to "mount the drive as slave to ...".
If you are using two IDE drives whether they are zip, HD, or CD on the same IDE controller you will need to jumper one drive as master and the other as slave.  So if you are to put that drive in another computer you will need to jumpered it as slave.  

The options are:
1) put your current drive in another Win2K computer as slave.
2) put an old drive in your current system as master and jumpered your current drive as slave.  Install the OS on the newly inserted drive and create additional administrative accounts.  Rename the "SAM" file in your olddrive:\winnt\system32\config to SAM-BAD.  Copy the "SAM" in the newdrive:\winnt\repair into olddrive:\winnt\system32\config

Restore the old configuration - boot up and login as administrator and see if you can get your administrative control back.....after that you should be able to correct the problem.  It's just a matter of how much time do you want to spend verses the time to reinstall the OS.  Remember to disconnect the system from the Internet - he has keystroke logger in your machine.

Good luck - it can be done... just planned it out and take the correct steps.

LVL 13

Expert Comment

ID: 9846833

Would you please send CENF.exe again?  It didn't get to either one of my addresses.  Send to the following, take out the "AT" and replace it with @:

digitrashAThotmail.com, nguyentdATpgcc.edu, tdn4itATyahoo.com, tdn4itAThotmail.com,
gnartAThotmail.com, INetmailerATgmx.net.

Hopefully one of them will get through.

TIA - cheers....

Author Comment

ID: 9855118

Sorry for the delay to response.  Searching the web, last Saturday I downloaded a demo version from http://www.innosetup.com of the "Trojan Remover". Then it found and removed the "Worm/Swen" virus or trojan.

Thanks to all for help me, specially to Gnart  
-- Someday, I will use your procedure :)) --
I sent the CENF.EXE file to the other address.



Trojan Remover Ver 6.1.3. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 29/11/2003 12:53:33
Using Database v6056
Operating System: Microsoft Windows 2000 Version: 5.0 (Build: 2195 )
Checking Registry exefile command for modifications
The exefile\shell\open\command Registry Key loads the following program:
C:\WINNT\cenf.exe - this file appears to contain Worm/Swen.
Trojan Remover has restored the Registry exefile\shell\open key.
C:\WINNT\cenf.exe has been renamed to C:\WINNT\cenf.ex$.
Checking for traces of the Internet Worm VBS/LifeStages
12:54:21 : Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINNT
12:54:21 : Scanning --------SYSTEM.INI---------
12:54:21 : Scanning -----WINDOWS REGISTRY-----
Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd ...


Expert Comment

ID: 9864154
Glad everything worked out for you !

Remember to assign your points and close this thread !

Have a great holiday season
and New Year !


Author Comment

ID: 9864387
I assigned the points to Gnart, because I can't assign to the Trojan Remover...ha..ha...

Thank you for your efforts Gnart (and for all). I learned a bit more.

I forgot to recommend Active Ports, a freeware software, because it helped me to know on-line (better to use netstat -a) about TCP and UDP connections, and the process related to each listen port and established connections.  If somebody knows something better (and freeware), pls tell me.

Program information
Program Archive Name:
Program Name:
 Active Ports
Target OS:
 Windows NT/2000/XP
Program Description:
 Shows all open TCP/IP and UDP ports
Software type:
Company Name:
  SmartLine Inc.
Contact WWW URL:



Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
What we learned in Webroot's webinar on multi-vector protection.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question