Another major issue: Only 1 person on the computer (5 users) can be logged on at a time. Maybe caused by me deleting these keys in the registry:
This whole thing was probably caused by someone going to a bad website, but the trojan/virus will not allow anti-virus programs like Spybot, AVG, and Malwarebytes to run. I renamed them all and they all opened, but once I hit 'scan', they would prepare and then suddenly shut down... When I tried to reopen them I got a message like "Windows cannot find the file or you do not have the permissions to access it."
The virus also disables 'Folder Options' -- but I figured out how to delete the proper key from cmd.exe. I also figured out how to delete the entire contents of G:\Windows\Temp from cmd.exe, because every time I tried to open it normally... it just shut down... even when I tried to view the contents in cmd.exe by using the "dir" command -- the whole cmd.exe shut down... so finally I learned how to delete the contents from cmd.exe and that did the trick.
I opened Process Explorer and tried again to see if anything suspicious popped up, and when I tried to run ComboFix, Process Explorer gave me a message saying: "You cannot rename ComboFix ...." So I think the virus renames the programs at a system level, because renaming again doesn't work -- I have to uninstall and reinstall JUST to get them to open -- I still can't get them to scan.
I told my issue to Spybot and they told me to run their root analyzer and Gmer.com's analyzer -- those scans WERE successful and I saved the logs of both and sent them to the Spybot team -- haven't heard anything back from them. Both scans showed a ton of results. Many of the threats have "SKYNET" in their name.
I find there's a new problem -- any time I try to run a .exe I get an error message with the path name... for instance, when I go Start -> Run -> Regedit I get: "Error: G:\Windows\regedit.exe" and an option to press "OK"... I click OK and it pops up about 4 times and then the registry WILL open... though antivirus programs will NOT. On other profiles on this computer, regedit "has been disabled by an administrator" -- I know most of the tricks to re-enable it but none of them worked.
From using process explorer here are some processes that may help you help me:
a.exe -- Process Explorer said the key value was "pop rock", so I did a search for it in the registry and deleted it. In fact a whole folder was named poprock -- I deleted it and its contents. (HKEY_USERS\.default\Software\poprock)
services.exe? -- I know there's a chance that this is benign...but I don't know
windows Police Pro.exe
desote.exe -- this pops up in process explorer along with the error message I receive before opening every program.
I hope this wasn't too confusing...I've had a go at it myself over a few days and other people use this computer who know even less than me. I will wait patiently for a response.
Edited by The weatherman, 13 September 2009 - 09:06 AM.
Moved from XP to a more appropriate forum. Tw