
Infected With A Trojan That I Cannot Get Rid Of


  • This topic is locked
10 replies to this topic

#1 UncleJ

UncleJ

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:07 PM

Posted 15 September 2008 - 03:31 AM

Hello all, first time poster, but I've read a lot of the stuff on the forums!

I do not know how I got this trojan, but basically, it has infected one of my files in the temp folder (can't find the file) called "??-name list.doc".

Symptoms:
*The "Run" process on my computer is gone from the start menu
*I cannot get access to:
regedit (says that it has been disabled from administrator)
gpedit.msc
task manager (grayed out on toolbar)
spybot (cannot run it)
killbox
combofix
cmd
autoruns
hijackthis
system restore
*Get BSOD stop code 0x0000007b when I try to run safemode

Tried solutions

Luckily, I got Malwarebytes to work and I did a quick scan and took care of the 5 infected files (4 registry files and one infected file). I thought I got rid of it by cleaning, but it just comes back every time!! This is so frustrating. Everything else runs, but I'm afraid since I bought some things online after this happened (before I ran the scan though...).

I cannot get into safemode and I cannot run spybot, combofix, killbox, or any other anti-malware program besides malwarebytes, which doesn't seem to get rid of it.

Here are the logs from Malwarebytes:

Scan type: Quick Scan
Objects scanned: 63951
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Li-Shuan Chen\Local Settings\Temp\??-name list.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

There is nothing wrong with my computer besides that and I'd just really like to get rid of it before anything else bad happens. Also, I run SP3 Windows XP. I actually help fix computers at my university and am baffled at this problem, much to my dismay.

Thanks a lot for any help!

-UncleJ

Edited by UncleJ, 15 September 2008 - 03:32 AM.



#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:07 PM

Posted 15 September 2008 - 07:10 AM

Can you access a command prompt from safe mode or Last Known Good?

Do you have a disk to run a windows repair with?
Chewy

No. Try not. Do... or do not. There is no try.

#3 UncleJ

UncleJ
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:07 PM

Posted 15 September 2008 - 08:34 AM

I do not have a disk to run a Windows repair, unless there's some sort of CD that came with my laptop... I have to check later. I cannot access cmd through safemode as it always BSODs. I have not used Last Known Good. I will definitely try Last Known Good though, when I come back from work.

#4 dhants20

dhants20

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 15 September 2008 - 09:15 AM

Do you happen to have a virus alert on your clock or in the properties of My Computer? You could try launching your computer into Safe Mode with Command Prompt, which for sure will not have any viruses running in it; then you could just add the registry entries for your Task Manager and regedit.

Make sure to type these commands as is:
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

The Run button is actually just hidden from the Start button; try pressing the Windows key and R at the same time and, instead of typing cmd, type command.com, which will also open up the command prompt. Since there are policies modified, I would suggest that when you have access to your registry you delete the policy folder from HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies.

As for the infection that is in your temp file... download Avenger and delete the temp folder.

Folders to delete:
%temp%

Or open up that folder in command.com and delete all the files there; check the attributes of all the files there and run cacls on files that cannot be deleted, or delete the %temp% folder itself:

echo y | del .
echo y | rd %temp%
cacls filename.ext /t /c /p everyone:n

Let me know if you need help in manually removing those infections that you have... :thumbsup:

Edited by dhants20, 15 September 2008 - 09:23 AM.


#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:07 PM

Posted 15 September 2008 - 09:24 AM

I actually help fix computers at my university


Most computer techs will have a generic XP disk; I have Home and Pro OEM with SP3 slipstreamed so I can run Windows as a repair disk in cases like this.

I just use my client's numbers

Try to access the command prompt in the safe mode choice screen, not from safe mode itself
Chewy

No. Try not. Do... or do not. There is no try.

#6 UncleJ

UncleJ
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:07 PM

Posted 15 September 2008 - 10:00 PM

Do you happen to have a virus alert on your clock or in the properties of My Computer? You could try launching your computer into Safe Mode with Command Prompt, which for sure will not have any viruses running in it; then you could just add the registry entries for your Task Manager and regedit.

Make sure to type these commands as is:
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f


Thanks for the advice dhants20,

I do not have a virus alert anywhere on my computer and I cannot go to safemode at all since it gives me a BSOD of 0x0000007b stop code. The run function is not hidden, I think it is actually gone because the windows "r" does not work. I have no idea what to do for this case.

#7 UncleJ

UncleJ
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:07 PM

Posted 15 September 2008 - 10:02 PM

I actually help fix computers at my university


Most computer techs will have a generic XP disk; I have Home and Pro OEM with SP3 slipstreamed so I can run Windows as a repair disk in cases like this.

I just use my client's numbers

Try to access the command prompt in the safe mode choice screen, not from safe mode itself


What should I do when I access the cmd from the choice screen? I do not know if I can, but just as a precaution, I'd like to know what to do from there. I have not really used MS-DOS in a while... a little rusty with the commands. I will definitely obtain an XP disk and run the repair later tonight and post results. Thanks DaChew.

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:07 PM

Posted 15 September 2008 - 10:12 PM

If you can get the right disk to run a repair, it would be important to keep the computer isolated from the internet, as the main core of the malware will still be there. Using System Restore from a command prompt is another easy option to try to get safe mode boot back and start the disinfection.

A word of warning: a lot of these severe infections are best treated with a clean install and changing all confidential financial information.

http://technet.microsoft.com/en-us/library/cc512587.aspx
Chewy

No. Try not. Do... or do not. There is no try.

#9 UncleJ

UncleJ
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:07 PM

Posted 16 September 2008 - 12:00 AM

If you can get the right disk to run a repair, it would be important to keep the computer isolated from the internet, as the main core of the malware will still be there. Using System Restore from a command prompt is another easy option to try to get safe mode boot back and start the disinfection.

A word of warning: a lot of these severe infections are best treated with a clean install and changing all confidential financial information.

http://technet.microsoft.com/en-us/library/cc512587.aspx


I actually got into safemode by using the Last Known Good config. I managed to get into Spybot and run a scan, but again, it didn't get rid of anything... Should I just follow the other poster's advice when in safemode? I cannot get an XP CD until a lot later... sigh..

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:07 PM

Posted 16 September 2008 - 12:26 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry941833

I prefer to use a program even if I have to download it to a usb drive and transfer and install it

SDFix has an XP_CodecRepair.inf:

[Version]
Signature="$Windows NT$"

[DefaultInstall]
DelReg=RemoveRestrictions
AddReg=ResetRegChanges

[ResetRegChanges]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowControlPanel,0x10001,0x00000002
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowHelp,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyComputer,0x10001,0x00000002
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyDocs,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyMusic,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowMyPics,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowNetPlaces,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowRun,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowSearch,0x10001,0x00000001
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDrives,0x10001,0x00000000

[RemoveRestrictions]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies","NoDispCPL"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSetFolders"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoStartMenuMorePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoToolbarCustomize"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","StartMenuLogoff"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableCMD"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","NoDispCPL"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Restrictions","NoBrowserOptions"
HKCU, "Software\Policies\Microsoft\Windows\system","DisableCMD"


http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
Chewy

No. Try not. Do... or do not. There is no try.
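As an added example (not from any post in this thread, and not SDFix's code), here is a small Python parser for the INF format quoted above: it reads a constructed excerpt of XP_CodecRepair.inf and translates its DelReg/AddReg entries into the equivalent `reg` commands dhants20 typed by hand earlier in the thread, so a technician can review exactly which restriction policies a repair .inf will clear before running it. The sample excerpt and the reg.exe rendering are assumptions for illustration.

```python
import re

# Constructed excerpt of the XP_CodecRepair.inf quoted above (raw string keeps the backslashes).
SAMPLE_INF = r"""[DefaultInstall]
DelReg=RemoveRestrictions
AddReg=ResetRegChanges
[ResetRegChanges]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,Start_ShowRun,0x10001,0x00000001
[RemoveRestrictions]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKCU, "Software\Policies\Microsoft\Windows\system","DisableCMD"
"""
FLG_ADDREG_TYPE_DWORD = 0x10001  # INF AddReg flag meaning "value is a REG_DWORD"

def parse_inf(text):
    """Return {section: [entry, ...]}, dropping blank lines and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def split_fields(line):
    """Split an AddReg/DelReg entry on commas, stripping quotes and spaces."""
    return [f.strip().strip('"') for f in line.split(",")]

def inf_to_reg_commands(text):
    """Render the DelReg/AddReg sections named by [DefaultInstall] as reg.exe commands."""
    sections = parse_inf(text)
    install = dict(kv.split("=", 1) for kv in sections.get("DefaultInstall", []))
    cmds = []
    for entry in sections.get(install.get("DelReg", ""), []):
        root, subkey, value = split_fields(entry)            # DelReg: root,subkey,valuename
        cmds.append(f'reg delete "{root}\\{subkey}" /v {value} /f')
    for entry in sections.get(install.get("AddReg", ""), []):
        root, subkey, value, flags, data = split_fields(entry)  # AddReg adds flags,data
        if int(flags, 16) != FLG_ADDREG_TYPE_DWORD:
            raise ValueError(f"unsupported AddReg flags {flags}")
        cmds.append(f'reg add "{root}\\{subkey}" /v {value} /t REG_DWORD /d {int(data, 16)} /f')
    return cmds
```

Running `inf_to_reg_commands(SAMPLE_INF)` lists the two `reg delete` commands for the DisableTaskMgr and DisableCMD policies followed by the `reg add` that restores Start_ShowRun.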

#11 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:07 PM

Posted 18 September 2008 - 01:00 AM

I have moved your HijackThis log to the Misplaced HJT Logs forum.
Please follow all directions that I've posted as a reply to your log.
By following these instructions, you will ensure that your HJT log is taken care of in the most timely manner.
Your log can be found at this link: http://www.bleepingcomputer.com/forums/top...tml#entry948325

Since you have posted a HJT log, I'm going to close this topic.

From this point on, the HijackThis Team are the only members you should take advice from, until your log has been declared clean.
If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner
