Virus Attack - need help


Posted

Hi,

I came across a Trojan a couple of days ago and I can't get rid of it. I have tried everything I could find online. It disables my Task Manager and Registry tools. I have opened them using third-party software, but after every few moments, if I turn them off, they go back to being disabled.

I have tracked the virus and found out the registry key is at the following path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

Here the Task Manager and Registry are being disabled, and when I enable them, after 5 seconds they go back to their disabled state. I can't see any software or process running except for svchost.exe. Five of them are in the process list.

I have used Process Monitor and Explorer to find it, but nothing. If I reinstall Windows it comes back, even after I have repartitioned my whole hard disk.

Could use some suggestions on how to find out which file is constantly updating the registry.

Take Care

Iffy

Posted
It came back after you formatted the HDD and reinstalled Windows? Sounds like you downloaded something or have a program you are installing with a rootkit in it. Unless of course you are running a pirated version of Windows, then you're out of luck.

Posted

How many hard drives do you have in your machine? Any network shares where you are? What apps are you installing after format?

Posted

You can try tasklist from a command prompt and then taskkill to stop one of them.

Posted
Couldn't it be an MBR virus, as some formats don't touch that area?

I've never seen or heard of an MBR virus that does anything but corrupt your boot process, and Windows would rewrite the MBR when installing anyway.

This sounds like an infected, pirated install... I'm assuming you booted into Safe Mode and tried virus removal tools, registry cleaners, and a temporary file cleaner from there? I've found great success with Malwarebytes' Anti-Malware if you haven't already tried it.

Posted
Wipe the drive with DBAN for a few good rounds and do a reinstall if you've got a legit copy of Windows.

Wrong thing for the job. DBAN is for keeping data safe by erasing it. Removing access to a 'broken' file system is as simple as creating a blank file system.

Posted
I have used Process Monitor and Explorer to find it, but nothing. If I reinstall Windows it comes back, even after I have repartitioned my whole hard disk.

Already been used...

Maybe the infection's spreading through your network from other computers? You don't have any shares set up?...

Seriously though. If you've got a pirated copy, now you know why it's bad. Either go back to the previous legit copy you got with your PC or look to an alternative like BeOS or give Linux a try.

Posted

The fact that he hasn't replied kind of tells me he's not using legit software.

Posted
The fact that he hasn't replied kind of tells me he's not using legit software.

You are implying his guilt via his right to remain silent. If he lives in America he could have used the Fifth and been equally not guilty.

Posted
You are implying his guilt via his right to remain silent. If he lives in America he could have used the Fifth and been equally not guilty.

Under the Bush regime, he is guilty until he escapes from Gitmo. :)

Posted

Hey guys, come on... the reason I didn't reply is that I am in Pakistan and there is a 12-hour time difference between your country and mine, which means that at the time you all responded to it I was sound asleep... and there is a power shortage situation in my country currently, so there was no electricity in the morning... so have a heart and some patience for me, ok?

Anyway, I am using a registered Windows XP Home version. And yes, I have network shares set up, and no, it is not coming from there, as I have checked every file there and that system is uninfected. There is only one hard drive on that system, and I use an IDE-to-USB based backup drive which hasn't been plugged in for quite some time. As I didn't want the data there to be corrupted, I haven't plugged it in yet.

I have used Process Monitor and there was some activity, but it was too much. Recommend what I should search for there, and if anyone knows how a file could keep a check on the registry without showing in Task Manager, and how I can identify it.

Take care, and next time unload your guns before you enter the HAK5 zone :-)
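A triage script for the two things asked about in this thread, added here as an example and not posted by anyone in it: it reports the state of the two policy values under the Policies\System key the poster found, and lists the five svchost.exe instances with the facts that separate a legitimate one from an impostor. It assumes PowerShell 2.0 or later with WMI on the affected machine; DisableTaskMgr and DisableRegistryTools are the standard value names under that key.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ and WMI on the affected XP box.
$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = 'DisableTaskMgr', 'DisableRegistryTools'   # standard value names under this key

# Part 1: report the current state of the two policy values the Trojan keeps resetting.
# Data = 1 means the tool is disabled; on a home PC the key usually does not exist at all.
function Get-PolicyState {
    if (-not (Test-Path $policyKey)) { return }
    $item = Get-ItemProperty -Path $policyKey
    foreach ($name in $valueNames) {
        if ($null -ne $item.$name) {
            New-Object PSObject -Property @{
                Checked = Get-Date; Value = $name; Data = $item.$name
            }
        }
    }
}

# Part 2: list every svchost.exe with its image path, parent and hosted services.
# A legitimate instance runs from %SystemRoot%\System32, is started by services.exe
# and hosts at least one service; anything that fails one of those checks is flagged.
function Get-SvchostReport {
    $realPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc       = $_
        $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<gone>' }
        $services   = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
                        ForEach-Object { $_.Name })
        $odd = ($proc.ExecutablePath -ne $realPath) -or
               ($parentName -ne 'services.exe') -or
               ($services.Count -eq 0)
        New-Object PSObject -Property @{
            PID = $proc.ProcessId; Path = $proc.ExecutablePath; Parent = $parentName
            Services = ($services -join ','); Suspicious = $odd
        }
    }
}

Get-PolicyState   | Format-Table -AutoSize
Get-SvchostReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The same hunt in Process Monitor is a filter of Operation is RegSetValue and Path contains Policies\System; the Process Name and PID columns of the matching events name the writer.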

Posted

What you need to do is take all the data you want to back up and stick it on a separate drive. Then get a copy of Ubuntu and use that to do a virus scan on all your data. Use several scanners and go deep. https://help.ubuntu.com/community/Antivirus

Once you have cleared your data, format the disk and reinstall Windows using a clean ISO, using different passwords. Before you plug it into a network port, install AV, Windows Defender and a firewall. Then run Microsoft Update and install every update. This will ensure that your machine is clean. Scan your backed-up data again on the way in. If it gets a virus after this, you are doing something foolish or it's not a virus.

Posted
What you need to do is take all the data you want to back up and stick it on a separate drive. Then get a copy of Ubuntu and use that to do a virus scan on all your data. Use several scanners and go deep. https://help.ubuntu.com/community/Antivirus

Once you have cleared your data, format the disk and reinstall Windows using a clean ISO, using different passwords. Before you plug it into a network port, install AV, Windows Defender and a firewall. Then run Microsoft Update and install every update. This will ensure that your machine is clean. Scan your backed-up data again on the way in. If it gets a virus after this, you are doing something foolish or it's not a virus.

If he is going to go to all that trouble then he should just wipe the drive with Kill Disk and reinstall and forget the Ubuntu, because he could just scan the data he backed up with his anti-virus if he has one. If he does not, then the Ubuntu solution would work.

Posted

Ubuntu comes with a virus scanner? For windows even?

Posted

If the virus has returned after a full format and reinstall, I believe he's installing infected crap from either network shares or some backed-up data he has.

If he is running a proprietary brand of PC, i.e. Dell etc., it may be remotely possible that a virus has copied itself to the recovery partition (if it has one) and could be working its voodoo from there, although I've never heard of it before.

He needs to format the MBR, delete the Windows partition completely (this may include giving the ass to any pox he's downloaded and backed up) and reinstall a fresh copy of winblows.

Immediately (if its a legit copy), auto update.

That's all I can think of at the moment.

If it's still getting infected after all this ....PEBKAC I'm sure of it.

Posted

Hey everyone, thanks for everything you have said and for all the suggestions you have given. I have backed up all my files, which were .doc, .pdf and some Photoshop files. I have some software installed which I have deleted, as I will download it again later.

Just wanna say thanks to anyone and everyone who took time to help an IT friend in need.

Take Care

Posted

Yeah, the recovery partition is a problem now. The way they have it set up now, it is readily available for read/write in Windows by default on new machines. One of the first things I do for friends is to remove the drive letter for it in Disk Management.
