
Root-Based Virus/Trojan Stops Anti-virus Programs from Running; Renaming Them Makes Them Open but NOT Scan


3 replies to this topic

#1 Kawan222
  • Members, 1 posts

Posted 13 September 2009 - 08:27 AM

Hi all, first post; thanks in advance.

Another major issue: only one person on the computer (5 users) can be logged on at a time. This may have been caused by me deleting these keys in the registry:

in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveAutoRun
NoFolderOptions
NoDriveTypeAutoRun

in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveAutoRun
NoActiveDesktopChanges
NoCDBurning
NoDrives
NoDriveTypeAutoRun
NoSetActiveDesktop

in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoActiveDesktopChanges
NoDriveAutoRun
NoDriveTypeAutoRun
NoFolderOptions
NoSetActiveDesktop


This whole thing was probably caused by someone going to a bad website, but the trojan/virus will not allow anti-virus programs like Spybot, AVG, and Malwarebytes to run. I renamed them all and they all opened, but once I hit 'scan', they would prepare and then suddenly shut down. When I tried to reopen them I got a message like "Windows cannot find the file or you do not have the permissions to access it."

The virus also disables 'Folder Options', but I figured out how to delete the proper key from cmd.exe. I also figured out how to delete the entire contents of G:\Windows\Temp from cmd.exe, because every time I tried to open it normally it just shut down. Even when I tried to view the contents in cmd.exe with the "dir" command, the whole cmd.exe shut down. So finally I learned how to delete the contents from cmd.exe, and that did the trick.

I opened Process Explorer and tried again to see if anything suspicious popped up, and when I tried to run ComboFix, Process Explorer gave me a message saying: "You cannot rename ComboFix ...." So I think the virus renames the programs at a system level, because renaming again doesn't work; I have to uninstall and reinstall JUST to get them to open, and I still can't get them to scan.

THEN

I told my issue to Spybot and they told me to run their root analyzer and Gmer.com's analyzer. Those scans WERE successful, and I saved the logs of both and sent them to the Spybot team; I haven't heard anything back from them. Both scans showed a ton of results. Many of the threats have "SKYNET" in their name.

TODAY
I find there's a new problem: any time I try to run a .exe, I get an error message with the path name. For instance, when I go Start -> Run -> regedit I get: "Error: G:\Windows\regedit.exe" and the option to press "OK". I click OK, it pops up about 4 times, and then the registry WILL open, though antivirus programs will NOT. On other profiles on this computer, regedit "has been disabled by an administrator". I know most of the tricks to re-enable it, but none of them worked.

SUSPICIOUS PROCESSES
From using Process Explorer, here are some processes that may help you help me:
a.exe -- Process Explorer said the key value was "pop rock", so I did a search for it in the registry and deleted it. In fact a whole folder was named poprock; I deleted it and its contents (HKEY_USERS\.DEFAULT\Software\poprock).
b.exe --
services.exe? -- I know there's a chance that this is benign, but I don't know.
Windows Police Pro.exe
desote.exe -- this pops up in Process Explorer along with the error message I receive before opening every program.


I hope this wasn't too confusing. I've had a go at it myself over a few days, and other people use this computer who know even less than me. I will wait patiently for a response.

Thanks much!

Edited by The weatherman, 13 September 2009 - 09:06 AM.
Moved from XP to a more appropriate forum. Tw
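As an added, read-only audit that is not part of the original post or any reply: the symptoms described above (Explorer restriction values under Policies\Explorer, regedit reported as "disabled by an administrator", an error naming the full path whenever any .exe is launched) map to registry locations a responder would normally inspect before deleting anything. The script below enumerates those locations and reports what it finds; it changes nothing. The Policies\Explorer value names are the ones the poster listed. DisableRegistryTools and DisableTaskMgr under Policies\System, the "Debugger" value under Image File Execution Options, and the exefile open command are well-known redirection and restriction mechanisms assumed here as things worth checking, not findings the thread confirms. It assumes an elevated PowerShell prompt (PowerShell is not on a stock Windows XP install, so this is for the responder's toolkit rather than the cmd.exe session the poster describes).

```powershell
# Added audit script, not from the original thread. Read-only: it reports, it does not delete.
# Assumptions: elevated PowerShell; the Explorer value names are the ones the poster listed,
# the Policies\System names and the IFEO/exefile checks are standard locations assumed relevant.

$explorerValues = 'NoDriveAutoRun', 'NoDriveTypeAutoRun', 'NoFolderOptions',
                  'NoActiveDesktopChanges', 'NoCDBurning', 'NoDrives', 'NoSetActiveDesktop'
$systemValues   = 'DisableRegistryTools', 'DisableTaskMgr'

# HKEY_USERS is not mapped as a PowerShell drive by default; map it so .DEFAULT can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$policyRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Report every restriction value that is present, with its data, across the three hives.
function Get-PolicyFindings {
    $out = @()
    foreach ($root in $policyRoots) {
        foreach ($pair in @(@{ Sub = 'Explorer'; Names = $explorerValues },
                            @{ Sub = 'System';   Names = $systemValues })) {
            $key = Join-Path $root $pair.Sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $pair.Names) {
                if ($null -ne $props.$name) {
                    $out += [pscustomobject]@{ Key = $key; Name = $name; Data = $props.$name }
                }
            }
        }
    }
    $out
}

# Image File Execution Options: a 'Debugger' value under a subkey named after an executable
# makes Windows launch that debugger instead of the program. Entries for security tools
# (or for every common executable) are the thing to look for.
function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# The command Windows runs for any .exe. The normal data is "%1" %* ; anything that wraps
# another program around "%1" runs that program first, for every executable on the box.
function Get-ExeOpenCommand {
    $k = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
}

'== Policy restriction values present =='
Get-PolicyFindings | Format-Table -AutoSize
'== IFEO Debugger entries =='
Get-IfeoDebuggers | Format-Table -AutoSize
'== exefile open command =='
Get-ExeOpenCommand
```

Run it and save the output alongside the RootRepeal and GMER logs rather than acting on it directly: a present Policies value, an IFEO Debugger entry for a scanner, or an exefile command other than `"%1" %*` tells you which mechanism is in play, and a helper on the forum will want to see it before anything is removed.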



#2 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin, 60,821 posts
  • Location: Romania

Posted 14 September 2009 - 07:36 AM

Hi Kawan222, and welcome to Bleeping Computer!

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Pint-o-Guinness
  • Members, 1 posts

Posted 14 September 2009 - 03:54 PM

Hello there, I'm new here...

I'm very concerned/depressed about the malware/rootkit/virus that I have on my computer. It's called Antivirus Pro_2010 or PC Antispyware 2010.

1.) I cannot run any antivirus programs to get rid of it.
2.) It stopped the RootRepeal scan before it was complete.
3.) It has disabled my Task Manager.
4.) It will not allow me to do a system restore to an earlier date.
5.) It has disabled the "Add/Remove" feature in my Control Panel.

Please help!!!!

Thanks!

#4 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin, 60,821 posts
  • Location: Romania

Posted 15 September 2009 - 02:57 AM

Let's check something else here.

Download and run Win32kDiag:

regards, Elise






