Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help With Systempre.exe


  • This topic is locked This topic is locked
6 replies to this topic

#1 dcarwin

dcarwin

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 20 August 2008 - 01:06 PM

Need help removing systempre.exe

[I did double post this (see post in breaking news) as this seems like a new name at least. My intention was not to clog the forums, but since google only gave me three hits (two here, one at sdfix, it seemed that this one was new enough to warrant mention as a news item. I will happily nuke the other post if instructed.]


O4 - HKLM\..\Run: [System Presets] systempre.exe

Symptoms observed:
=============
- taskmgr disabled
- msconfig disabled
- regedit disabled
- many websites blocked (including bleeping computer)
- hijackthis prevented from running (runs if renamed)

NOTE: gpedit.msc is not disabled and will run, allowing you to manually throw DISABLE on the taskmanager blocking etc.
On next reboot the DISABLE setting is ignored and must be bounced.

- systempre.exe sitting in WINDOWS\system32\
- <random named exe file> sitting in WINDOWS\system32\ (examples iafxqxs.exe, ygyvosm.exe, vscnnq.exe)

- HKLM\..\Run: [System Presets] systempre.exe
- HKLM\..\Run: [System Presets] <random named file>.exe

SDFix fails to remove as virus reinstates

====
Andy Manchesta just added mention of this one to SDFix on Aug 18th.

http://andymanchesta.com/SDFix_Changelog.htm

His fix of removing from HKLM\...\Run is not sufficient to remove the virus. The virus is also running under a random name and reinstalls/renames itself on each boot and reinstates systempre.exe as well. It seems to have a delayed start. Doing a manual cleanup (remove exes and lines from HKLM\...\run) in safe mode along with running SDFIX to reset the user policies seems to work, but after a few minutes the policies revert to the restricted mode and systempre.exe is back in place.

My next step is to install process manager. All suggestions welcome.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:58 AM

Posted 20 August 2008 - 01:24 PM

IMPORTANT NOTE: One or more of the identified infections (systempre.exe) is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

SDFix should have removed this malware. If not, then other malware may be on your system interferring with the removal script. Sometimes another piece of malware which has not been detected protects other files (which have been detected) so they cannot be permanently deleted. Others are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 dcarwin

dcarwin
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 20 August 2008 - 04:03 PM

Thanks Qman,

I *think* I got it this time but I am still testing. Your warnings on the threat level are much appreciated though, and we will begin the process of resetting all passwords.
I will sit on the fence and think a while about the full drive wipe.

===

EDIT: I was wrong. Malware is still there. It seems fine until the network cable goes in, and then the restricted policy goes into effect.

Edited by dcarwin, 20 August 2008 - 04:12 PM.


#4 dcarwin

dcarwin
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 20 August 2008 - 09:27 PM

I am going to ask you for help going forward. Let me know what you'd like to have me upload or send to you.

I have hijackthis.log and the systemreport.txt ready.

Thanks.

Edited by dcarwin, 20 August 2008 - 09:28 PM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:58 AM

Posted 21 August 2008 - 07:46 AM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 dcarwin

dcarwin
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 21 August 2008 - 04:09 PM

Thank you.

Followed prep steps and posted. Link here: http://www.bleepingcomputer.com/forums/t/164644/infected-with-systempreexe-and-some-hidden-morphing-installer/

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:58 AM

Posted 21 August 2008 - 04:14 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users