
Infected ...alot. sda64.exe, braviax, Windows Police Pro, desote.exe


3 replies to this topic

#1 WACOMalt

WACOMalt

  • Members
  • 14 posts

Posted 19 September 2009 - 06:50 PM

So I am fixing a computer for a client, and am blown away by the number of issues they let themselves get before they tried to fix anything.

When I got the computer, it would start, and you would only get the cursor and background. explorer could not be run. Period. Any attempt to load explorer.exe or any other exe file was blocked.

So the things I KNOW the computer had were:

-sda64.exe
-braviax
-Windows Police Pro
-desote.exe

So, through a lot of work I now get my icons again, and explorer is... sort of working. I fixed the EXEs mostly (there was an "Open with..." dialog whenever you'd click an EXE).
Pretty sure sda64 is gone now, same with Windows Police Pro. Braviax is crippled, as I replaced braviax.exe with a blank read-only text file.
Something is preventing SDFix, HiJackThis, MBAM, and everything else I try from running. I can rename the executables for these programs and get them to start, but then they usually crash after a few seconds.
SDFix crashes after two lines (so fast I can't read them) after hitting Y to start.
HiJackThis crashed halfway through a scan, and Malwarebytes Anti-Malware never shows up (though it shows its process in the task manager).
If I could just get whatever is blocking me from running the programs to die, then I think I would be home free. SDFix will remove everything that I know I have, but I can't run it due to one more thing that I haven't identified yet.

No logs, as nothing can run. Sorry. :/

btw, most Windows tools are working now though (regedit etc.)


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 19 September 2009 - 09:35 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 WACOMalt

WACOMalt
  • Topic Starter

  • Members
  • 14 posts

Posted 20 September 2009 - 10:56 AM

Sorry to say I fixed it on my own (sorry because you gave me such a great guide I could have used instead!)

To summarize what I did though: I used ComboFix (renamed so it could launch). This didn't remove everything, but did get rid of whatever was stopping certain apps from running (a bunch of rootkits).

After that I ran SDFix, which got rid of more stuff, and after that I ran Malwarebytes' Anti-Malware which seemed to get the rest. However, I had a few issues left over as scars. The registry has one subkey that was locked (it had "NT AUTHORITY\SYSTEM" set as the owner by the viruses). When trying to install AVG, it needs access to that, and it gave me an error.

So I spent a few hours but figured out how to fix it. It was not a null byte in the name or anything, but its owner was "NT AUTHORITY\SYSTEM". So I found a guide on how to run a command prompt window as NT AUTHORITY\SYSTEM. The first method (a scheduled task set to launch the cmd window) did not work; I assume Windows has patched that vulnerability. The second method worked though, using a tool called autoexnt, which is a service from the Server 2003 tool kit. It simply executes a batch command at startup. Since services run as NT AUTHORITY\SYSTEM, having it launch a cmd window gave me control. So I ran regedit from that cmd window, and was then able to set the proper owner of the keys.

I will be remembering this trick, as I have had similar issues on clients' PCs before that made me back up their files, wipe the PC, and restore the files, which I always hate doing. People spend weeks getting everything back to how it was.

Thank you for that guide, I will certainly keep that handy for the future. And I hope this tidbit about NT AUTHORITY\SYSTEM helps someone else out.

I find it funny that I basically had to run regedit in the same fashion a virus had before, just to get control back. I just hope no one finds my tip, and uses this access in a bad way. That is certainly a lot of power.
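The "locked" registry key described in the post above (owner and permissions changed so that even an administrator is refused access, and an installer then fails) is easy to spot before it trips something up. The following is an added example, not code from the thread or from any tool mentioned in it: a read-only PowerShell audit that walks a registry subtree and flags keys where BUILTIN\Administrators has no Allow FullControl entry, or where an explicit Deny entry exists, or where the DACL cannot be read at all. The default `$Root` path is an assumption; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): read-only audit of registry key ACLs.
# Flags keys where BUILTIN\Administrators lacks Allow FullControl, where any
# explicit Deny entry exists, or where the ACL itself is unreadable. Nothing is
# modified. $Root is an assumed starting point; pass any hive path to audit.
param(
    [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
)

# Well-known SID for BUILTIN\Administrators, so the check is language-independent
$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function Test-AdminFullControl {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Include both explicit and inherited rules, resolved as SIDs
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq $adminSid.Value -and
            ($rule.RegistryRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

function Get-DenyEntries {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Any Deny ACE is worth a look; malware uses them to lock keys against admins
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }
}

function Get-SuspectRegistryKeys {
    param([string]$Path)
    $keys  = @(Get-Item -Path $Path -ErrorAction Stop)
    $keys += Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            # Not even being able to read the DACL is itself a strong signal
            [pscustomobject]@{ Key = $key.Name; Owner = '<unreadable>'; AdminFullControl = $false; Deny = 'ACL not readable' }
            continue
        }
        $adminOk = Test-AdminFullControl -Acl $acl
        $deny    = @(Get-DenyEntries -Acl $acl)
        if (-not $adminOk -or $deny.Count -gt 0) {
            [pscustomobject]@{
                Key              = $key.Name
                Owner            = $acl.Owner
                AdminFullControl = $adminOk
                Deny             = ($deny -join '; ')
            }
        }
    }
}

$findings = @(Get-SuspectRegistryKeys -Path $Root)
$findings | Format-Table -AutoSize
"{0} key(s) flagged under {1}" -f $findings.Count, $Root
```

Treat the output as a triage list rather than a verdict: a key whose only Administrators entry is an inherit-only generic-rights ACE will be reported even though access is effectively fine, and many keys are legitimately owned by SYSTEM or TrustedInstaller, so the Owner column alone is not the signal. What matters is the combination the poster hit: Administrators missing from the Allow entries, or a Deny in the way. Repairing a flagged key (taking ownership and resetting the DACL) is a separate, write step that should only be taken once the entries have been confirmed as malware residue.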

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 20 September 2009 - 05:23 PM

If there are no longer signs of malware then please....

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
Mark
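The restore-point procedure in the post above can be scripted on Vista and later, where restore points are stored in VSS shadow copies. This is an added example, not from the thread or from any Microsoft documentation it links: Windows PowerShell run as Administrator, using Checkpoint-Computer for the new point and vssadmin in place of the Disk Cleanup dialog to drop all but the newest. The description text and the drive letter are assumptions.

```powershell
# Added example (not from the thread): create a fresh restore point after a
# cleanup, then remove all older ones so a stale, possibly infected point cannot
# be rolled back to. Vista and later, Windows PowerShell, elevated.
#Requires -RunAsAdministrator

function New-CleanRestorePoint {
    param([string]$Description = 'Post-cleanup baseline')   # assumed label
    # By default Windows creates at most one restore point per 24 hours; if a
    # point was created recently, Checkpoint-Computer warns and creates nothing.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Return the newest point so the caller can record its sequence number
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Remove-OldRestorePoints {
    param([string]$Drive = 'C:')   # assumed system drive
    # Each restore point lives in a shadow copy; deleting the oldest shadow copy
    # removes the oldest point. Loop until exactly one point remains.
    $count = (Get-ComputerRestorePoint | Measure-Object).Count
    while ($count -gt 1) {
        & vssadmin.exe delete shadows /for=$Drive /oldest /quiet | Out-Null
        $newCount = (Get-ComputerRestorePoint | Measure-Object).Count
        if ($newCount -ge $count) { break }   # nothing was removed; avoid looping forever
        $count = $newCount
    }
    Get-ComputerRestorePoint
}

$newest = New-CleanRestorePoint
"Created restore point #{0}: {1}" -f $newest.SequenceNumber, $newest.Description
"Remaining restore points after cleanup:"
Remove-OldRestorePoints | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Run the two functions in this order: the new point must exist before the old ones are deleted, otherwise the loop will remove every point on the drive. Get-ComputerRestorePoint and Checkpoint-Computer are Windows PowerShell cmdlets and are not available in PowerShell 7.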
