Had A Virus, Now Clean, But Xp Pro Is Now Crippled


12 replies to this topic

#1 MinAust (Members, 8 posts)

Posted 01 June 2008 - 04:15 PM

I was recently hit by a variant of the Win32.beagle trojan/worm/whatever that nuked both NAV 2006 and ZoneAlarm. Killed the processes and overwrote the executables for both. The recovery process was slow and painful. I removed both HDs, installed a scratch HD from an unused system, installed XP Pro SP2 and avast anti-virus with current definitions, and scanned both my original HDs, jumpered as slave. Many nasties were found and eliminated – mostly Win32.beagle variants. System is now clean according to both NAV (like I trust NAV any more) and avast. But:

Problems that cropped up the moment of infection and still persist are:
1. Windows Explorer Search function no longer works. A popup window says “Unexpected error. Action could not be completed.”
2. Task manager won’t run. A message says it is disabled by the administrator. That’s me!
3. The settings in Windows Explorer “Display the content of system folders” and “Hide protected operating system files” are not being honored. I can’t see OS files or system folders regardless of how the checkboxes are set. They aren’t being changed, just ignored.

Anybody have any ideas? I’m lost.


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 June 2008 - 04:25 PM

Hi MinAust and welcome to Bleepingcomputer.

1. I don't know why, but I will do a bit more research on that and get back to you.
2. To enable Task Manager there are two ways.

If your Task Manager was disabled without you doing anything, it might be malware of some sort, most likely a virus. To enable your Task Manager you can do it by going to Start> Run>
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
or
Start>Run>regedit
Before we do anything, let's back up the registry:
navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Right-click on System and press Export and save it somewhere handy.
Now delete "DisableTaskMgr".
If anything goes wrong, just double-click the .reg file that you exported and it will add the information back.

3. Make sure that you click apply then Ok once you changed it.

Regards,
Extremeboy

Edited by extremeboy, 01 June 2008 - 04:26 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 01 June 2008 - 04:26 PM

Try running the Remove Restrictions Tool (RRT).

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 June 2008 - 04:52 PM

Hi,
Regards to the search malfunction, try one of these:
Go to Start>run>regsvr32 C:\WINDOWS\srchasst\srchui.dll
When you go to Start and on your start menu is the search button there?

Regards,
Extremeboy

#5 MinAust (Topic Starter)

Posted 01 June 2008 - 06:01 PM

extremeboy wrote:
    Hi,
    Regards to the search malfunction, try one of these:
    Go to Start>run>regsvr32 C:\WINDOWS\srchasst\srchui.dll
    When you go to Start and on your start menu is the search button there?

Yep, it's there - everything looks normal until I click it. That's when I get the error message I described above. Could it be that that DLL is corrupt?

Thanks for the feedback.

Edited by MinAust, 01 June 2008 - 06:03 PM.


#6 MinAust (Topic Starter)

Posted 01 June 2008 - 06:05 PM

Budapest wrote:
    Try running the Remove Restrictions Tool (RRT).

Got it, thanks. I'll let you know if it works.

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 June 2008 - 06:21 PM

Hi,
Try navigating to C:\windows\inf\Srchasst.inf
Those are hidden, so you need to allow hidden files; however, you said that your Windows Explorer “Display the content of system folders” and “Hide protected operating system files” settings are not being honored.
So try Start>Run, type "%systemroot%\inf"(without quotes), and then click OK.
Locate the Srchasst.inf file.
Right-click the Srchasst.inf file, and then click Install.
Take a look here for some help too: http://phorums.com.au/archive/index.php/t-90312.html

Regards,
Extremeboy

#8 usasma (BSOD Kernel Dump Expert, 25,090 posts, Southeastern CT, USA)

Posted 01 June 2008 - 06:42 PM

Running virus scans on a slave drive will remove the viruses that are detected by that antivirus - BUT, it will not remove the registry entries for these nasties.

At work, we run several scans to remove viruses - and still have difficulties with the "lurkers" - so I'd suggest several further scans to ensure that you are indeed free of viruses.

Once you get back into your original operating system, you'll have to scan all over again to remove traces of the registry issues (and I suspect that that's causing some of your problems). The scans won't get rid of them all, so you'll have to go in and manually remove some of them. This is what you're experiencing with the problems that you've mentioned.

#9 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 01 June 2008 - 06:55 PM

In addition to John's excellent observations, I might add that a lot of malware detection uses heuristic behavior. I would not assume the infected drives are clean at all.

#10 MinAust (Topic Starter)

Posted 02 June 2008 - 01:56 PM

Budapest wrote:
    Try running the Remove Restrictions Tool (RRT).

Bingo! Thanks!

#11 MinAust (Topic Starter)

Posted 02 June 2008 - 02:31 PM

extremeboy wrote:
    Right-click the Srchasst.inf file, and then click Install.
    Take a look here for some help too: http://phorums.com.au/archive/index.php/t-90312.html

    Regards,
    Extremeboy

Was worth a shot, but it didn't help.

#12 MinAust (Topic Starter)

Posted 02 June 2008 - 04:56 PM

usasma wrote:
    Running virus scans on a slave drive will remove the viruses that are detected by that antivirus - BUT, it will not remove the registry entries for these nasties.

    At work, we run several scans to remove viruses - and still have difficulties with the "lurkers" - so I'd suggest several further scans to ensure that you are indeed free of viruses.

    Once you get back into your original operating system, you'll have to scan all over again to remove traces of the registry issues (and I suspect that that's causing some of your problems). The scans won't get rid of them all, so you'll have to go in and manually remove some of them. This is what you're experiencing with the problems that you've mentioned.

I went back to my original drive the next day, and scanned the diddley out of it. Came back clean. I knew about the registry entries, so I got them manually. I think (read that as 'hope') I got them all. I didn't have much of a choice - this bug wasn't going to sit there and let me install an anti-virus. So, you do what you've got to do.

#13 MinAust (Topic Starter)

Posted 03 June 2008 - 03:34 AM

A further note:

I've done some further research, and I've discovered what bug hit me, and basically, I'm screwed. It was Rootkit: Haxdoor. This bug has several self-defense mechanisms. It has a database of filenames used by numerous anti-viral/anti-spyware programs, and will delete or overwrite those files.

One victim amused himself by creating dummy files utilizing some known a/v filenames, and saw those files disappear almost immediately. When I said “this bug wasn’t going to let me install an anti-virus”, I didn’t know how literal that was.

This thing is described as “hard-to-remove malware”. Kill the process, it restarts. Kill the files, they reappear. The heck of it is, in my floundering around immediately after the infection, I killed it by accident – I removed the autorun registry key for it, then rebooted before it could be restored. I’d like to claim genius, but it was dumb luck.


The other defense mechanism is it disables the tools you'd normally use to discover the infection, kill the processes, locate the relevant files, and delete them. Therefore, no task manager, no search, no ability to see system files or inside system folders, and one problem I neglected to mention – no ability to boot into safe mode. Booting into safe mode results in a BSOD.

Problem is that once the bug is squashed, those problems persist.

The safe mode problem was fixed just a few minutes ago. “SafeBootKeyRepair.exe” by sUBs. It worked for me but I don’t have a link for it.

What I’m about to do is create a Bart PE boot disk – a working minimal XP installation on a bootable CD/DVD. That won’t help me now, but if this ever happens again…
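The registry damage that runs through this thread (the DisableTaskMgr policy value extremeboy removes in post #2, the "Show hidden files" checkbox that is ignored in post #1, and the Safe Mode keys that post #13 says were gone) can be audited from an export instead of chased value by value. The script below is an added example written for this page, not code from the thread or from RRT or SafeBootKeyRepair: it parses a .reg export, compares the keys it actually finds against known-good Windows XP values, and prints the reg.exe commands that undo the tampering. SAMPLE_EXPORT is a constructed export, the "clean" values are XP defaults, and the SafeBoot remediation only points at a hypothetical clean export, since those subkeys have to be restored from another machine.

```python
"""Audit a Windows .reg export for the leftovers this thread describes (Task Manager
lock-outs, the ignored "Show hidden files" button, missing SafeBoot keys) and print the
reg.exe commands that undo them.  Added example, not from the thread; SAMPLE_EXPORT is
constructed and the "clean" values are Windows XP defaults."""
import re
from collections import namedtuple

HIVE_ALIAS = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
Finding = namedtuple("Finding", "key name actual fix")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

EXPECTED_VALUES = {   # export key -> {value name: clean value}; None = absent or 0
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableTaskMgr": None,        # 1 = "disabled by your administrator"
    },
    # Data behind the "Show hidden files" radio button.  If CheckedValue is 0 (malware
    # often rewrites it as REG_SZ "0"), ticking the box writes Hidden=0: the box is ignored.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL": {
        "CheckedValue": 1,
    },
}
REQUIRED_SUBKEYS = {   # must exist under an exported parent; Safe Mode cannot boot without them
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot": ("Minimal", "Network"),
}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes \\ and \"

def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])            # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                # REG_DWORD, written in hex
    return None if raw == "-" else raw         # "-" deletes; hex(...) kept verbatim

def parse_reg(text):
    """Parse .reg text into {key: {value name: data}}.  Handles [-Key] delete lines and
    backslash-continued hex data.  Real exports are UTF-16LE: decode before calling."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("["):
            name = line[1:line.rindex("]")]
            current = None if name.startswith("-") else name
            if current:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current:
            vname = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][vname] = _decode(m.group(2).strip())
    return keys

def _short(key):
    hive, _, rest = key.partition("\\")
    return HIVE_ALIAS.get(hive, hive) + "\\" + rest

def audit(keys):
    """Findings for every expected key that is actually present in the export."""
    out = []
    for key, wants in EXPECTED_VALUES.items():
        values = keys.get(key)
        if values is None:
            continue                           # key not exported: cannot judge it
        for name, want in wants.items():
            got = values.get(name)
            if want is None and got not in (None, 0, "0", ""):
                out.append(Finding(key, name, got, f'reg delete "{_short(key)}" /v {name} /f'))
            elif want is not None and got != want:   # missing, wrong number or wrong type
                out.append(Finding(key, name, got,
                           f'reg add "{_short(key)}" /v {name} /t REG_DWORD /d {want} /f'))
    for parent, subs in REQUIRED_SUBKEYS.items():
        for sub in subs:
            if parent in keys and parent + "\\" + sub not in keys:
                out.append(Finding(parent, sub, None,
                           f"reg import <export of {_short(parent)} from a clean XP SP2 machine>"))
    return out

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"legalnoticetext"=hex(1):48,00,69,00,\
  00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"CheckedValue"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{f.name} = {f.actual!r}\n    {f.fix}")
```

Export the three keys with `reg export` on the crippled machine, or load the slaved drive's hives (`WINDOWS\system32\config\software` and `system`, and the user's NTUSER.DAT) through regedit's Load Hive from the scratch install and export from there, then decode the file as UTF-16 before handing it to parse_reg. Keys missing from the export are skipped rather than reported, so the script only judges what it was given. For the policy value, `reg delete` and the thread's `reg add ... /d 0` have the same effect; deletion is used because a clean XP box has no such value at all.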



