Disabled registry due to new, undetected trojans

[Mike S.]

I recently had my computer infected with four trojans due to them
being new and undetected by the majority of anti-virus programs. So I
submitted them to AVG who confirmed they were trojans and updated
their virus definitions. This removed the four trojans from my
computer. However, I still have problems that need to be fixed. One of
which is a disabled registry.

Here's what needs fixing (from my HijackThis log):
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files
\System\svchost.exe"

O2 - BHO: (no name) - {5277E001-1190-3001-0699-ca3230262a11} - C:
\Program Files\Common Files\System\wship_help.acm (file missing)

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1


Some people have suggested using combofix, SDFfix, or just using
HijackThis. Is there any reason why I can't just use HijackThis to fix
them? SDFix seems more complicated and unnecessary. Or does what I use
to fix those problems depend on my computer and whether it's up-to-
date and backed up, etc.?

I just want to use the safest, most reliable method to fix this
problem.

The only reason I'm even asking this here is because the people in the
malware forums I've posted in won't answer these questions - I guess
they're too busy. They just want to fix the problem and move on. I'm
interested in using this as a learning experience.

 

[Andrew E.]

Boot to xp cd,recovery,in recovery,follow the guide outlined by microsoft
in kb307545

 

[Patrick Keenan]

I recently had my computer infected with four trojans due to them
being new and undetected by the majority of anti-virus programs. So I
submitted them to AVG who confirmed they were trojans and updated
their virus definitions. This removed the four trojans from my
computer. However, I still have problems that need to be fixed. One of
which is a disabled registry.

Here's what needs fixing (from my HijackThis log):
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files
\System\svchost.exe"

O2 - BHO: (no name) - {5277E001-1190-3001-0699-ca3230262a11} - C:
\Program Files\Common Files\System\wship_help.acm (file missing)

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1


Some people have suggested using combofix, SDFfix, or just using
HijackThis. Is there any reason why I can't just use HijackThis to fix
them? SDFix seems more complicated and unnecessary. Or does what I use
to fix those problems depend on my computer and whether it's up-to-
date and backed up, etc.?

I just want to use the safest, most reliable method to fix this
problem.

The only reason I'm even asking this here is because the people in the
malware forums I've posted in won't answer these questions - I guess
they're too busy. They just want to fix the problem and move on. I'm
interested in using this as a learning experience.

To be clear, what seems to be happening is *not* that the registry is
disabled; if that were the case your system could not start.

Rather, registry *editing* seems to be disabled, a completely different
thing, and I would suggest that you first take an image of the system, so
you can quickly restore in case the procedure doesn't work, and then use HJT
to fix the damaged registry entry. You could also change that
DisableRegedit value to 0 instead of 1, and run it as a .reg file.

If you don't have imaging software, get the Acronis TrueImage trial version,
which is free and runs full-featured for IIRC 2 weeks, far more than the
time you need. Load it on another system, use that system as a host, make
the image, move your drive back and restart.

HTH
-pk

 

[neutrino]

I recently had my computer infected with four trojans due to them
being new and undetected by the majority of anti-virus programs. So I
submitted them to AVG who confirmed they were trojans and updated
their virus definitions. This removed the four trojans from my
computer. However, I still have problems that need to be fixed. One of
which is a disabled registry.

curious to know how these trojans were detected ? if they were
previously unknown...
what was the prog that detected them? or was it changes to your system
that alerted you?
even then - how did you detect them, and identify?

also - I second that suggestion - even if for use in future, get
Acronis or Ghost, and backup your system when clean, stuff like this
can be dealt to by reinstating "C" from the clean backup in minutes!
partition your drive if you dont have a second disk installed/or
external disk. and you can backup to either of those.