Iffy (Posted February 5, 2009):

Hi, I came across a Trojan a couple of days ago and I can't get rid of it. I have tried everything I could find online. It disables my Task Manager and Registry tools. I have opened them using third-party software, but after every few moments if I turn them off they go back to being disabled. I have tracked the virus and found out the registry is at the following path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

Here the Task Manager and Registry are being disabled, and when I enable them, after 5 seconds they go back to their disabled state. I can't see any software or process running except for svchost.exe. Five of them are in process. I have used Process Monitor and Explorer to find it, but nothing. If I reinstall Windows it comes back, even after I have repartitioned my whole hard disk. Could use some suggestions on how to find out which file is constantly updating the registry.

Take Care
Iffy

digip (Posted February 5, 2009):

> Hi, I came across a Trojan a couple of days ago and I can't get rid of it. I have tried everything I could find online. It disables my Task Manager and Registry tools. I have opened them using third-party software, but after every few moments if I turn them off they go back to being disabled. I have tracked the virus and found out the registry is at the following path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system Here the Task Manager and Registry are being disabled, and when I enable them, after 5 seconds they go back to their disabled state. I can't see any software or process running except for svchost.exe. Five of them are in process. I have used Process Monitor and Explorer to find it, but nothing. If I reinstall Windows it comes back, even after I have repartitioned my whole hard disk. Could use some suggestions on how to find out which file is constantly updating the registry. Take Care Iffy

It came back after you formatted the HDD and reinstalled Windows? Sounds like you downloaded something, or have a program you are installing, with a rootkit in it. Unless of course you are running a pirated version of Windows, then you're out of luck.

Swathe (Posted February 5, 2009):

How many hard drives do you have in your machine? Any network shares where you are? What apps are you installing after format?

digip (Posted February 5, 2009):

You can try tasklist from a command prompt and then taskkill to stop one of them.

Scorpion (Posted February 5, 2009):

Couldn't it be an MBR virus, as some formats don't touch that area?

SomethingToChatWith (Posted February 5, 2009):

Wipe the drive with DBAN a few good rounds and do a re-install if you got a legit copy of Windows.

H@L0_F00 (Posted February 6, 2009):

> Couldn't it be an MBR virus, as some formats don't touch that area?

I've never seen or heard of an MBR virus that does anything but corrupt your boot process, and Windows would rewrite the MBR when installing anyway. This sounds like an infected, pirated install... I'm assuming you booted into Safe Mode and tried virus removal tools, registry cleaners, and temporary file cleaners from there? I've found great success with Malwarebytes' Anti-Malware if you haven't already tried it.

Sparda (Posted February 6, 2009):

> Wipe the drive with DBAN a few good rounds and do a re-install if you got a legit copy of Windows.

Wrong thing for the job. DBAN is for keeping data safe by erasing it. Removing access to a 'broken' file system is as simple as creating a blank file system.

SomethingToChatWith (Posted February 6, 2009):

Well, it would do the trick :) Go get MBRWizard then and wipe the MBR clean if you really think it's an MBR virus that won't go away.

DingleBerries (Posted February 6, 2009):

Process Monitor v2.03
"Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity." [sic]
http://technet.microsoft.com/en-us/sysinte...s/bb896645.aspx

SpyMe Tools
"SpyMe Tools is very useful in detecting Registry and Disk changes."
http://www.lcibrossolutions.com/spyme_tools.htm

SomethingToChatWith (Posted February 6, 2009):

> I have used Process Monitor and Explorer to find it, but nothing. If I reinstall Windows it comes back, even after I have repartitioned my whole hard disk.

Already been used... Maybe the infection's spreading through your network from other computers? You don't have any shares set up?... Seriously though, if you got a pirated copy, now you know why it's bad. Either go back to the previous legit copy you got with your PC, or look to an alternative like BeOS, or give Linux a try.

digip (Posted February 6, 2009):

The fact that he hasn't replied kind of tells me he's not using legit software.

Sparda (Posted February 6, 2009):

> The fact that he hasn't replied kind of tells me he's not using legit software.

You are implying his guilt via his right to remain silent. If he lives in America he could have used the Fifth and been equally not guilty.

digip (Posted February 6, 2009):

> You are implying his guilt via his right to remain silent. If he lives in America he could have used the Fifth and been equally not guilty.

Under the Bush regime, he is guilty until he escapes from Gitmo. :)

Iffy (Author, Posted February 6, 2009):

Hey guys, come on.. the reason I didn't reply is that I am in Pakistan and there is a 12-hour time difference between your country and mine.. which means that at the time you all responded to it I was sound asleep... and there is a power shortage situation in my country currently, so there was no electricity in the morning time... so have a heart and some patience for me, ok..

Anyway, I am using a registered Windows XP Home version. And yes, I have network shares set up, and no, it is not coming from there, as I have checked every file there and that system is uninfected. There is only one hard drive on that system, and I use an IDE-to-USB based backup drive which hasn't been plugged in for quite some time. As I didn't want the data there to be corrupted, I haven't plugged it in yet.

I have used Process Monitor and there was some activity, but it was too much. Recommend what I should search for there, and if anyone knows how a file could keep a check on the Registry without showing in Task Manager, and how I can identify it.

Take Care, and next time unload your guns before you enter the HAK5 zone :-)

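One way to work the question above (which file keeps resetting the values under that Policies key, and how to tell the five svchost.exe instances apart), as an added PowerShell example that is not from the thread or any of its posters. It reads the policy values under the key Iffy named, logs the exact time they are rewritten, clears them so the rewrite can be timed, and maps each svchost.exe to the services it hosts (the same information as tasklist /svc, which digip mentioned). Assumptions: PowerShell 3.0 or later (so a newer Windows than the XP machine in the thread), the well-known value names DisableTaskMgr and DisableRegistryTools (the thread names only the key), and a log file under %TEMP% that is a constructed choice. The registry change event records when a value was rewritten, not which process wrote it; the timestamp is what you filter Process Monitor on (Operation is RegSetValue, Path contains Policies\System) to read the writing process from the Process column.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ and the well-known
# policy value names DisableTaskMgr / DisableRegistryTools under the key the post names.
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Values  = 'DisableTaskMgr', 'DisableRegistryTools'
$LogFile = Join-Path $env:TEMP 'policywatch.log'     # constructed path, change as needed

function Get-PolicyState {
    # Current value of each restriction; an absent value means "not restricted".
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Values) {
        [pscustomobject]@{
            Time  = Get-Date -Format 'HH:mm:ss.fff'
            Name  = $name
            Value = $(if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { '(absent)' })
        }
    }
}

function Get-SvchostServiceMap {
    # Same information as "tasklist /svc", kept together with PID, image path and start
    # time so the svchost.exe instances can be told apart. Path/StartTime need an
    # elevated session for some system processes; those fields stay blank otherwise.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    foreach ($p in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        $path = $null; $started = $null
        try { $path = $p.Path; $started = $p.StartTime } catch { }
        [pscustomobject]@{
            Pid      = $p.Id
            Path     = $path
            Started  = $started
            Services = ($services | Where-Object { $_.ProcessId -eq $p.Id } |
                        Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

function Start-PolicyWatch {
    # WQL cannot address HKEY_CURRENT_USER, so the watch is registered on HKEY_USERS\<SID>.
    # The event carries the time and value name, not the writing process: use the
    # logged timestamp to filter Process Monitor (Operation = RegSetValue, Path contains
    # Policies\System) and read the Process column there.
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $wqlKey = "$sid\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    foreach ($name in $Values) {
        $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' " +
                 "AND KeyPath='$wqlKey' AND ValueName='$name'"
        $null = Register-CimIndicationEvent -Namespace 'root/default' -Query $query `
                    -SourceIdentifier "PolicyWatch-$name" -MessageData $LogFile -Action {
            $e = $Event.SourceEventArgs.NewEvent
            '{0:HH:mm:ss.fff} {1} rewritten' -f (Get-Date), $e.ValueName |
                Out-File -Append -FilePath $Event.MessageData
        }
    }
}

function Clear-PolicyValues {
    # Remove the restriction; if something rewrites it, the watch log and
    # Get-PolicyState show how soon it came back.
    foreach ($name in $Values) {
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    }
}

function Stop-PolicyWatch {
    Get-EventSubscriber |
        Where-Object { $_.SourceIdentifier -like 'PolicyWatch-*' } |
        Unregister-Event
}

# Usage: snapshot the svchost map, start watching, clear the values, wait longer than
# the 5 seconds the post reports, then compare and read the log.
Get-SvchostServiceMap | Format-Table -AutoSize
Start-PolicyWatch
Clear-PolicyValues
Get-PolicyState | Format-Table -AutoSize
Start-Sleep -Seconds 15
Get-PolicyState | Format-Table -AutoSize
if (Test-Path $LogFile) { Get-Content $LogFile }
Stop-PolicyWatch
```

Run it from an elevated PowerShell session so the svchost image paths and start times are readable, and keep Process Monitor capturing with the RegSetValue filter at the same time; the process that shows up at the logged second is the one doing the rewriting, and its image path is what to look for on the reinstalled system and the backup drive.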
VaKo (Posted February 6, 2009):

What you need to do is take all the data you want to back up and stick it on a separate drive. Then get a copy of Ubuntu and use that to do a virus scan on all your data. Use several scanners and go deep. https://help.ubuntu.com/community/Antivirus

Once you have cleared your data, format the disk and reinstall Windows using a clean ISO, using different passwords. Before you plug it into a network port, install AV, Windows Defender and a firewall. Then run Microsoft Update and install every update. This will ensure that your machine is clean. Scan your backed-up data again on the way in. If it gets a virus after this, you are doing something foolish or it's not a virus.

Machstorm (Posted February 6, 2009):

> What you need to do is take all the data you want to back up and stick it on a separate drive. Then get a copy of Ubuntu and use that to do a virus scan on all your data. Use several scanners and go deep. https://help.ubuntu.com/community/Antivirus Once you have cleared your data, format the disk and reinstall Windows using a clean ISO, using different passwords. Before you plug it into a network port, install AV, Windows Defender and a firewall. Then run Microsoft Update and install every update. This will ensure that your machine is clean. Scan your backed-up data again on the way in. If it gets a virus after this, you are doing something foolish or it's not a virus.

If he is going to go to all that trouble then he should just wipe the drive with Kill Disk and reinstall, and forget the Ubuntu, because he could just scan the data he backed up with his anti-virus if he has one. If he does not, then the Ubuntu solution would work.

digip (Posted February 7, 2009):

Ubuntu comes with a virus scanner? For Windows even?

Machstorm (Posted February 7, 2009):

I don't know really, I just took his word for it.

psydT0ne (Posted February 7, 2009):

If the virus has returned after a full format and reinstall, I believe he's installing infected crap from either network shares or some backed-up data he has. If he is running a proprietary brand of PC, i.e. Dell etc., it may be remotely possible that a virus may have copied itself to the recovery partition (if it has one) and could be working its voodoo from there, although I've never heard of it before.

He needs to format the MBR, delete the Windows partition completely (this may include giving the ass to anything pox he's downloaded and backed up) and reinstall a fresh copy of winblows. Immediately (if it's a legit copy), auto update. That's all I can think of at the moment. If it's still getting infected after all this... PEBKAC, I'm sure of it.

Iffy (Author, Posted February 7, 2009):

Hey everyone, thanks for everything you have said and for all the suggestions you have given. I have backed up all my files, which were in .doc, .pdf and some Photoshop files. I have some software installed which I have deleted, as I will download it later again. Just wanna say thanks to anyone and everyone who took time to help an IT friend in need.

Take Care

SomethingToChatWith (Posted February 8, 2009):

Yeah, the recovery partition is a problem now. The way they have it set up now, it is readily available for read/write in Windows by default on new machines. One of the first things I do for friends is to remove the drive letter for it in Disk Management.
