
Removed trojan from registry


This topic is locked
8 replies to this topic

#1 Sergei_28
  • Members
  • 51 posts

Posted 11 May 2009 - 11:53 AM

First of all, thanks for an excellent and useful forum.

This topic helped me a lot today:
regedit will not run

I had exactly the same problem.
Here is my registry export, with the infection at "aux"="C:\\DOCUME~1\\Sergei\\LOCALS~1\\Temp\\..\\fqyqp.rup"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"MSVideo8"="VfWWDM32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"msacm.siren"="sirenacm.dll"
"aux"="C:\\DOCUME~1\\Sergei\\LOCALS~1\\Temp\\..\\fqyqp.rup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

Now my computer is OK. I removed it from the registry, DrWeb cleaned 2 trojans, and Malwarebytes' Anti-Malware cleaned Vundo.

But one problem remains: I still can't find the path to the fqyqp.rup file to delete it. Please advise where I can look for it. Thanks!

Microsoft Windows XP Professional. I can post the Combofix report.

Edited by Sergei_28, 11 May 2009 - 03:17 PM.



#2 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2009 - 03:39 PM

Hi Sergei_28,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Combofix is a power tool and should be run under supervision of a trained helper.

Let's see if the file is still there. Please run Notepad (Start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@ECHO OFF
REM Start with a fresh log each run
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM For each listed file: clear read-only/system/hidden attributes, force-delete it, record the result
FOR %%g in (
"C:\Documents and Settings\Don\Local Settings\fqyqp.rup") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL /a /f /q %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted successfully>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
REM Show the log, then remove this batch file itself
NOTEPAD log.txt
del %0
  • Select Save in: Desktop
  • Fill in File name: remove.bat
  • Save as type: All file types (*.*)
  • Click Save and close the Notepad.
  • Double-click remove.bat on the desktop.
  • Copy/paste the content of the log.txt which opens up.


#3 Sergei_28
  • Topic Starter
  • Members
  • 51 posts

Posted 11 May 2009 - 07:04 PM

Hi farbar

Thanks for the attention to my post.
Here is the log:

Deleting files
"C:\Documents and Settings\Don\Local Settings\fqyqp.rup" not found

Sounds optimistic, but the path looks strange to me!?

> Combofix is a power tool and should be run under supervision of a trained helper.


Seems I ran it fine with my experience :thumbup2:

Edited by Sergei_28, 11 May 2009 - 07:14 PM.


#4 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 May 2009 - 02:32 AM

> Sounds optimistic, but the path looks strange to me!?


Yes, that is the path, and the file is not there any more. If you look at the path, apart from the shortened folder names you will see \.. which means one level up. So C:\A\B\..\<filename> will be read as C:\A\<filename>.

> Seems I ran it fine with my experience :)


You ran it by double-clicking on it, didn't you? I bet you can run an airplane if it is set to automatic pilot. :thumbup2:

So you are good to go now.

Happy Surfing!

Edited the reading of the path.

Edited by farbar, 12 May 2009 - 07:13 AM.
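As an added example (not code from the thread or from either participant), a small Python script that parses a .reg export like the one in post #1, flags Drivers32 values that do not look like a codec or driver module, and resolves the \.. in the path the way the post above describes. The sample export is a constructed subset of the one in post #1; the expected-extension list and the Temp-folder check are assumptions about what legitimate entries look like.

```python
import ntpath
import re

# Constructed sample: a subset of the Drivers32 export posted in the thread.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"aux"="C:\\DOCUME~1\\Sergei\\LOCALS~1\\Temp\\..\\fqyqp.rup"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Assumption: legitimate Drivers32 entries name codec/driver modules with these extensions.
EXPECTED_EXT = {".dll", ".drv", ".acm", ".ax"}

def parse_drivers32(text):
    """Return {value name: unescaped data} for the Drivers32 key only (subkeys are skipped)."""
    entries, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(r"currentversion\drivers32")
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape each backslash as "\\"
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def resolve(path):
    r"""Collapse '..' as Windows does: C:\A\B\..\x is read as C:\A\x."""
    return ntpath.normpath(path)

def suspicious(data):
    """Reasons a Drivers32 value looks like a loader entry rather than a codec module."""
    reasons = []
    if "\\.." in data:
        reasons.append("path contains '..'")
    if ntpath.splitext(data)[1].lower() not in EXPECTED_EXT:
        reasons.append("unexpected extension")
    if "\\temp\\" in data.lower():
        reasons.append("lives under a Temp folder")
    return reasons

def audit(text):
    """Return {name: (resolved path, reasons)} for every flagged Drivers32 value."""
    return {n: (resolve(d), r) for n, d in parse_drivers32(text).items() if (r := suspicious(d))}
```

Running `audit(REG_EXPORT)` flags only "aux" and reports its resolved location, which is where the file was eventually found in this thread.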


#5 Sergei_28
  • Topic Starter
  • Members
  • 51 posts

Posted 12 May 2009 - 02:48 AM

> You ran it by double-clicking on it, didn't you? I bet you can run an airplane if it is set to automatic pilot. :thumbup2:
>
> So you are good to go now.
>
> Happy Surfing!


Thanks farbar for the help!

Will try to run an airplane if bleepingcomputer can post a good guide like this :)
How to run combofix

Edited by Sergei_28, 12 May 2009 - 03:07 AM.


#6 Sergei_28
  • Topic Starter
  • Members
  • 51 posts

Posted 12 May 2009 - 03:06 AM

It is not the END!

While replying and reading this topic I got an idea and kept thinking: who is Don, and why is he in my computer's Documents and Settings?

"C:\Documents and Settings\Don\Local Settings\fqyqp.rup")


So I decided to look with Explorer in C:\Documents and Settings\Sergei\Local Settings....

Amazingly, I found fqyqp.rup there!!!

So I changed remove.bat:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Documents and Settings\Sergei\Local Settings\fqyqp.rup") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL /a /f /q %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted successfully>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
NOTEPAD log.txt
del %0

Here is the log:
Deleting files
"C:\Documents and Settings\Sergei\Local Settings\fqyqp.rup" deleted successfully

Thanks again, I'm getting sharper (Where is an airplane?))) :thumbup2:

#7 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 May 2009 - 03:31 AM

In the tutorial BC has provided, which you linked, you may also read the ComboFix Disclaimer; it says:

" The tool is for private use. It should never be used in an unsupervised environment"

Well done with the fix. It looks like I made a mistake, my apologies.

Happy Surfing Sergei_28.

#8 Sergei_28
  • Topic Starter
  • Members
  • 51 posts

Posted 12 May 2009 - 05:29 AM

Ok, I will take care with future use of Combofix. Thanks again for the help, nice forum here!!!

#9 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 May 2009 - 07:16 AM

You are very welcome, glad it is sorted out.

This topic is closed now.

If you need this topic reopened please send me a PM. This applies only to the original poster.

If you have a new issue please open a new topic.
