Mn Posted January 18, 2008

Here is my story... bear with me, I'm bad with stories. I'm a med student outside the States and today, during my 3rd year in med school, I found myself with the first trojan that I cannot remove from my computer. I was amazed, since I've been around the internet since the late 1990s and I always had a passion for the "hacker-world-ideal", thus I read a lot and I considered myself to be a user above average. Today I inserted 3 USB keys in my laptop to share a couple of books with fellow students; on my last USB I found myself confused because the logo on the USB pen drive changed and it looked similar to a regular folder... But that changed in a matter of seconds and I said to myself "meh... it's just another virus/trojan" that I can get rid of. So far I've tried everything up my sleeve (hex-edit, search, delete registries, search for recent activity) and the only thing I found out is the file name of what's currently running on my PC and a possible name or nickname. I got pissed off and, before anyone could leave class and before my PC got online, I went and changed my credit card/email/student password to a different one using a different PC. <<viva le paranoia>>

What have I been able to tell that this program did to my PC:
1- denied access to the USB pen drive in which it came, thus I couldn't even format it
2- inserted itself into the registry to start up automatically
3- removed search, run, control panel, user accounts, task manager features
4- deleted all the administrator account privileges... thus I can't do crap... not even under safe mode

I would appreciate it if anyone could help me with a solution to regain admin powers, and also, if anyone is interested in any file on my computer related to that trojan, I would gladly do all in my power to help you obtain the file.
VaKo Posted January 18, 2008

It's time to backup and do the reinstall dance. Your system has been compromised and you can no longer trust the installed OS, end of story. And next time, disable autorun and get some decent AV running. Cue Sparda with "Ubuntu!"...
moonlit Posted January 18, 2008

> It's time to backup and do the reinstall dance.

FDISK, format, reinstall, do-dah, do-dah, FDISK, format, reinstall, all the do-dah day...
Famicoman Posted January 18, 2008

Lather, Rinse, Reinstall
digip Posted January 18, 2008

Before wiping it out, I would load a live CD or Windows recovery disc and try to locate what it is that was doing this. Better to be able to defend against it in the future before wiping out everything. Also, you can make changes to the disk through the recovery CD, maybe putting you back to a previous day before this happened. This is usually the first thing I do for people when they bring me their PC and they have a virus: I try to get it to a restore point PRIOR to when this happened, since they are almost always intact. Also, you can install users from the console and take ownership back of the PC and deny any startup programs, etc., deleting them before a reboot or quarantining them. Run System File Checker and let it overwrite any system files it finds to be out of whack as well. Then, like VaKo said, backup your files, scan them, and reinstall the entire OS to be safe.

If you're brave enough to edit the USB drive to see what happened, I would turn off autorun and autoplay before plugging it in and then try scanning it. Then just right click the drive and do a format if need be.

Looks like someone you were trying to help was purposely trying to mess with you. I would hope that if they did it as a joke, they would provide you with the fix. Sounds like it was a nasty one though, and they meant to do this, as they would have to make sure to turn it off when using their own USB drives.
moonlit Posted January 18, 2008

Lesson learned I think: don't insert unknown media without turning auto-everything off.
digip Posted January 18, 2008

> Lesson learned I think: don't insert unknown media without turning auto-everything off.

QFE! Still, that does not protect the drive when inserting it into someone else's PC (not that there really is a fix for that one, unless you have a portable virus scanner that launches upon insert and the drive is somehow read only).
Mn (Author) Posted January 18, 2008

Mmmm... format/re-install... was my last choice. Just wanted 2 things:
#1- See if anyone was interested in obtaining a copy of the trojan to better analyze it at home
#2- See if anyone knew a good way for me to re-claim my administrator rights

But hey, you can't have it all in life, can ya? =)

Cheerz!
~Mn
VaKo Posted January 18, 2008

Just use Ubuntu to pull it off of the stick and post it online.
Deveant Posted January 18, 2008

What you need to do is format. Though, just some other things so that you can backup: when logging in as an Admin, are you using the Windows Administrator account under safe-mode, or are you just using your own account that would have been demoted by the virus? If Administrator works, then find the file that doesn't belong, get the file name, and google it; there will be a few anti-virus sites which will tell you all the files / reg keys that need to be deleted, so do so. Make a new account, move your shit and delete the old account, unless you can be stuffed editing all the permissions on the old account.
digip Posted January 18, 2008

http://www.howtogeek.com/howto/windows/dis...and-usb-drives/
http://www.mydigitallife.info/2006/09/11/d...ives-launchpad/

And be sure to turn off autoplay and autorun. If you use a U3 drive, use the SHIFT block to keep the launchpad from running upon insert.
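As an added illustration of the "turn off autorun" advice above (this is editor-added example code, not something posted in the thread), the script below sets the Explorer NoDriveTypeAutoRun policy to 0xFF for both the machine and the current user, which tells Windows not to process autorun.inf on any drive type, and then reads the value back to confirm it took. The HonorAutorunSetting value is written because XP-era systems only honour NoDriveTypeAutoRun reliably after Microsoft's Autorun update, which keys off that value; on later Windows versions the extra value is assumed to be harmless. Writing HKLM requires an elevated prompt.

```powershell
# Added example, not from the original thread: disable autorun on every drive
# type via the documented NoDriveTypeAutoRun policy and verify the result.
$noDriveTypeAutoRun = 0xFF   # bit mask; 0xFF covers all drive types

function Disable-AutoRun {
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value $noDriveTypeAutoRun -Type DWord
        # XP/2003 need Microsoft's Autorun update plus this value before
        # NoDriveTypeAutoRun is honoured; assumed harmless on newer Windows.
        Set-ItemProperty -Path $key -Name 'HonorAutorunSetting' -Value 1 -Type DWord
    }
}

function Test-AutoRunDisabled {
    param([string]$Hive = 'HKLM')
    $key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # true only when every drive-type bit is set
    return ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
}

Disable-AutoRun
foreach ($hive in 'HKLM', 'HKCU') {
    '{0}: autorun disabled = {1}' -f $hive, (Test-AutoRunDisabled -Hive $hive)
}
```

Explorer reads this policy at logon, so log off and back on (or reboot) before trusting the result; the read-back only proves the registry value is present, not that the running Explorer instance has picked it up.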
snakey Posted January 18, 2008

Run a Linux live CD and do all the deleting / changing stuff from the live CD. I've done that twice now and it worked a treat.
MRGRIM Posted January 18, 2008

Boot in safe mode and start cleaning from there. I would also go and buy a decent Spyware / Virus scanning application (personal preference is NOD32, ahem, I am a reseller).

Boot off a Windows XP CD; you should be able to do 1 of 2 things:
1. Press Shift (or Ctrl) + F11 to bring a command prompt up (I don't remember the exact key stroke, but google the terms and the method of doing it); this may or may not work given the state of the current OS
2. Do a quick reinstall; this should put the base OS back into place so you can boot into safe mode without having to wipe your disk.

I wish you the very best in your attempt to recover, however a wipe is the best option, sorry :-(
Sparda Posted January 18, 2008

> I found myself with the first trojan that I cannot remove from my computer.

Any trojan is very bad and requires a reinstall. Virus removal via anti-virus is a temporary fix.
sablefoxx Posted January 18, 2008

> What have I been able to tell that this program did to my PC:
> 1- denied access to the USB pen drive in which it came, thus I couldn't even format it
> 2- inserted itself into the registry to start up automatically
> 3- removed search, run, control panel, user accounts, task manager features
> 4- deleted all the administrator account privileges... thus I can't do crap... not even under safe mode

1- Boot to a Linux live CD like Knoppix and format the drive
2- Try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, also check for rootkits
3- Try gpedit.msc, or after disabling it at startup you may regain your rights as well -- or try this .vbs we used in high school to enable it:

    ' Removes the policy values that hide regedit, cmd, Task Manager and Control Panel.
    ' Save as a .vbs file and run it; the HKLM entry needs an administrator account.
    Option Explicit
    Dim Mybox
    With WScript.CreateObject("WScript.Shell")
        On Error Resume Next   ' RegDelete raises an error when a value is absent; ignore it
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
        .RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD"
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
        .RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL"
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCPL"
    End With
    Mybox = MsgBox("Ultimate Pwnage Complete :-p", 4096, "Policy reset")   ' 4096 = vbSystemModal

^^Coded by Javabudd^^

4- Try pulling the computer to "system". See this thread: http://forums.hak5.org/index.php/topic,2504.0.html
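The post above does two things by hand: look in the Run key for the startup entry, and delete the policy values that lock out Task Manager, regedit, cmd and Control Panel. The PowerShell below is an editor-added example (not sablefoxx's script and not from the thread) that does the same as an audit first and a repair second: it lists every Run/RunOnce entry in HKLM and HKCU so the suspicious one can be identified, and reports which lockout policies are set, removing them only when -Repair is passed. The value names come from the thread's script plus the documented NoRun, NoFind and NoControlPanel Explorer policies, included on the assumption that they correspond to the "removed search, run, control panel" symptoms described.

```powershell
# Added example, not from the original thread: enumerate autostart entries and
# the policy values that disable Task Manager / regedit / cmd / Control Panel.
function Get-AutostartEntries {
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# Policy locations and value names; NoRun/NoFind/NoControlPanel are assumed to
# match the thread's "search, run, control panel" symptoms.
$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools', 'NoDispCPL' }
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Names = 'DisableCMD' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'RestrictCPL', 'NoRun', 'NoFind', 'NoControlPanel' }
)

function Get-LockoutPolicies {
    param([switch]$Repair)   # without -Repair this only reports
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($check in $policyChecks) {
            $key = "${hive}:\$($check.Key)"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $check.Names) {
                $value = $props.$name
                if ($null -eq $value -or $value -eq 0) { continue }   # absent or 0 = not restricted
                $removed = $false
                if ($Repair) {
                    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                    $removed = -not (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)
                }
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Removed = $removed }
            }
        }
    }
}

'--- autostart entries ---'
Get-AutostartEntries | Format-Table -AutoSize
'--- lockout policies currently set ---'
Get-LockoutPolicies | Format-Table -AutoSize
# Get-LockoutPolicies -Repair   # run from an elevated prompt once the startup entry is gone
```

The order matters, which is the point the post makes with "after disabling it at startup": a trojan that sets these values from its Run entry will simply set them again at the next logon, so removing the policies while the startup entry is still present buys nothing. Audit the Run entries first, remove or quarantine the offending one (from a live CD if the running system won't let you), then clear the policies; and, as the rest of the thread says, treat all of this as triage before the reinstall rather than a substitute for it.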
Sparda Posted January 18, 2008

> > What have I been able to tell that this program did to my PC:
> > 1- denied access to the USB pen drive in which it came, thus I couldn't even format it
> > 2- inserted itself into the registry to start up automatically
> > 3- removed search, run, control panel, user accounts, task manager features
> > 4- deleted all the administrator account privileges... thus I can't do crap... not even under safe mode
>
> 1- Boot to a Linux live CD like Knoppix and format the drive
> 2- Try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, also check for rootkits
> 3- Try gpedit.msc, or after disabling it at startup you may regain your rights as well -- or try this .vbs we used in high school to enable it:
>
>     Option Explicit
>     Dim Mybox
>     With WScript.CreateObject("WScript.Shell")
>         On Error Resume Next
>         .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
>         .RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD"
>         .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
>         .RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
>         .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL"
>         .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCPL"
>     End With
>     Mybox = MsgBox("Ultimate Pwnage Complete :-p", 4096, "Policy reset")
>
> ^^Coded by Javabudd^^
>
> 4- Try pulling the computer to "system". See this thread: http://forums.hak5.org/index.php/topic,2504.0.html

^ Temp Fix ^

All that to avoid booting Ubuntu (something that everyone should participate in at least twice daily)? What effort. Reminded me of the DLTV tip from their most recent episodes, "How to access cookies on Vista". Admittedly they usually do over-complicate things, but it would be much easier if you just used Firefox in the first place.
VaKo Posted January 18, 2008

That's overly complicated; just use an Ubuntu disc to pull the data from the system, then format the disc and reinstall Windows. You can try and fix it, but in this case, if your install of Windows was a car it would be a write-off. Yes, you might be able to make it go again, but the wheels will come off when you next go over a speed bump.

Ubuntu can read/write NTFS now, so while I personally don't use it as an installed OS, it makes for an invaluable data recovery tool when dealing with a trashed Windows install. It's far faster to nuke it and start again than it is to spend time pissing about with recovery attempts that will never work properly anyway.

(A tip would be to partition your disk so that you have 20GB for Windows and programs and the rest of the disc for data. That way the OS is considered a replaceable part rather than something integral.)
Razor512 Posted January 18, 2008

I have dealt with some really nasty ones a long time ago. A user kept complaining that their System Restore won't enable itself and they kept getting lots of DLL errors, so when I took a look at it (I forgot the name of the trojan, but it was a keylogger and also used for phishing), the person used NOD32 but it didn't protect them from it (and a full scan with it would only find 1 infected file, which it would remove, but it would come back and the running process of it would also come back).

I eventually got rid of it using a live CD (which was able to see the infected files that were invisible to Windows and NOD32), but Windows was in such bad shape that I couldn't get it working right, so I just took screenshots of the desktop, start menu and some folders (backed up all of the music and documents), then I reinstalled Windows and tried my best to make everything look exactly like it did before (just without the problems). Well, at least I got paid $50 for fixing their problem, since the person had a lot of software used in their home business that is annoying to set up.

(Never mix Limewire or any other P2P with a PC for business use, and whenever you download any music or anything else over P2P, right click on the file then scan it before you run it. Many trojans will usually get past the auto protection but not a regular scan.)
snakey Posted January 19, 2008

OMG, I had that. That thing is crazy, but I'm using the same PC today and it's still going strong, no reboot in 1 year.
Deveant Posted January 19, 2008

> (Never mix Limewire or any other P2P with a PC for business use, and whenever you download any music or anything else over P2P, right click on the file then scan it before you run it. Many trojans will usually get past the auto protection but not a regular scan.)

Music is rather safe of being virus free (MP3s I'm talking about). It's rather hard to wrap a trojan into an MP3 and have it execute correctly; P2P is only gonna kill you when you're downloading the likes of games.

Disclaimer: Deveant in no way supports piracy nor the use of P2P applications for kiddie porn (you dirty people), though Deveant does like talking about himself in 3rd person and goes off on lil rants every now and then when he has had a lil too much to drink, like... now.
Mark Manching Posted January 19, 2008

Also:
How to Remove f4ker.vbs/Malaysian Hacker from your system or flash drive
How to remove pooh.vbs from your system or flash drive (Original Post on PC Express Online or my forums)
Update: For P2P Protection... Doi! Sounds Like Helga G. Pataki! PeerGuardian 2.0
Funny UST Scandal Virus*
FOLDER.HTT, DESKTOP.INI, THUMBS.DB: Viruses?

Note: * means this link contains a non-English topic, if you're Filipino (language in the Philippines)
Scorpion Posted January 24, 2008

If you're still having trouble with your task manager, you should download DTaskManager. It's a lot more advanced than Windows' and it will be able to kill programs and tells you where each is located, and a few more things. http://dimio.altervista.org/eng/ (and look for the program)
Trc202 Posted March 18, 2008

Is there any chance that I can get a hold of the virus? PM preferably. Also, if you submit it to http://www.virustotal.com/ they will tell you what it does on the computer.
Chris Gerling Posted March 19, 2008

I'd like a copy of this too.
nicatronTg Posted March 19, 2008

Remember to RAR or 7z the file BEFORE sending it, or else....