cleanup after malware/trojan/virus


lex3001

I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem).

I also had to do some cleanup in the registry -- windows updates was
disabled as the malware had renamed %SystemRoot% to %fystemRoot% in several
service entries. I have fixed all of those after jumping through several
hoops (finding a way to run regedit, resetting permissions on those subkeys,
etc.)

1. I still cannot run REGEDIT or REGEDT32 from the command prompt, from
Start->Run, by double-clicking it, etc. When I try, nothing happens. I use
Don Knox's emergency utility creator and I can run REGEDIT from another
folder when it is renamed, but how do I clean up this nasty problem? Is it a
registry entry? A piece of software still installed and running somehow? Etc.

2. After doing the repair install of Windows (this is a Dell Inspiron 700m),
I cannot adjust the Display Settings for the screen resolution. In Device
Manager, the Intel integrated graphics chipset is listed twice both with the
yellow error warning and Code 37. I have uninstalled them and run the
installer software multiple times from both Dell and Intel to no avail. argh.
Any ideas here?

Anything else I should be looking for here? I am really desperately trying
to avoid a reinstall of Windows.
 

123Jim

lex3001 said:
I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem).

I also had to do some cleanup in the registry -- windows updates was
disabled as the malware had renamed %SystemRoot% to %fystemRoot% in
several
service entries. I have fixed all of those after jumping through several
hoops (finding a way to run regedit, resetting permissions on those
subkeys,
etc.)

1. I still cannot run REGEDIT or REGEDT32 from the command prompt, from
Start->Run, by double-clicking it, etc. When I try, nothing happens. I use
Don Knox's emergency utility creator and I can run REGEDIT from another
folder when it is renamed, but how do I clean up this nasty problem? Is it
a
registry entry? A piece of software still installed and running somehow?
Etc.

2. After doing the repair install of Windows (this is a Dell Inspiron
700m),
I cannot adjust the Display Settings for the screen resolution. In Device
Manager, the Intel integrated graphics chipset is listed twice both with
the
yellow error warning and Code 37. I have uninstalled them and run the
installer software multiple times from both Dell and Intel to no avail.
argh.
Any ideas here?

Anything else I should be looking for here? I am really desperately trying
to avoid a reinstall of Windows.

Make sure all your important data is backed up
You have tried running your antivirus in safe mode?
 

Jose

lex3001 said:
I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem).

I also had to do some cleanup in the registry -- windows updates was
disabled as the malware had renamed %SystemRoot% to %fystemRoot% in several
service entries. I have fixed all of those after jumping through several
hoops (finding a way to run regedit, resetting permissions on those subkeys,
etc.)

1. I still cannot run REGEDIT or REGEDT32 from the command prompt, from
Start->Run, by double-clicking it, etc. When I try, nothing happens. I use
Don Knox's emergency utility creator and I can run REGEDIT from another
folder when it is renamed, but how do I clean up this nasty problem? Is it a
registry entry? A piece of software still installed and running somehow? Etc.

2. After doing the repair install of Windows (this is a Dell Inspiron 700m),
I cannot adjust the Display Settings for the screen resolution. In Device
Manager, the Intel integrated graphics chipset is listed twice both with the
yellow error warning and Code 37. I have uninstalled them and run the
installer software multiple times from both Dell and Intel to no avail. argh.
Any ideas here?

Anything else I should be looking for here? I am really desperately trying
to avoid a reinstall of Windows.

Can you go to Start, Run, cmd <enter> and get to a command prompt or
not?

Jose
 

123Jim

123Jim said:
Make sure all your important data is backed up
You have tried running your antivirus in safe mode?

Thoughts: How could a repair install fail to replace your important system
files?
Is it because malware is running at start-up after repair? ....

How about downloading Sysinternals Autoruns? Use it to prevent program
files which are set to run at startup but are not essential from running. Then try a
repair install again. Now there should be no malware running on first boot
after repair, which has probably been replacing system files with malware,
undoing your repair.
 

db ´¯`·.. >

The lingering problems are tricky to find.

The repair installation is a very good idea because even after the system is
disinfected, there are usually some system files that were corrupted by the
infection and are needed to be replaced with genuine ones from the
installation cd.

You mentioned that the repair install failed but it is unclear as to what
attributed to the failure.

If you have a genuine installation cd which is sp2 but your system is sp3,
then the repair installation will not be allowed. This is because the genuine
files on the sp2 cd are older than those of sp3, so in effect you are trying
to downgrade the system.

What you need to do is to simply uninstall sp3 via add/remove programs. You
may have to disable or uninstall your antivirals first and you may also have
to use safe mode.

After sp3 is removed, your repair install should work without problems.


--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen
 

Patrick Keenan

lex3001 said:
I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem).

I also had to do some cleanup in the registry -- windows updates was
disabled as the malware had renamed %SystemRoot% to %fystemRoot% in
several
service entries. I have fixed all of those after jumping through several
hoops (finding a way to run regedit, resetting permissions on those
subkeys,
etc.)

1. I still cannot run REGEDIT or REGEDT32 from the command prompt, from
Start->Run, by double-clicking it, etc. When I try, nothing happens. I use
Don Knox's emergency utility creator and I can run REGEDIT from another
folder when it is renamed, but how do I clean up this nasty problem? Is it
a
registry entry? A piece of software still installed and running somehow?
Etc.

2. After doing the repair install of Windows (this is a Dell Inspiron
700m),
I cannot adjust the Display Settings for the screen resolution. In Device
Manager, the Intel integrated graphics chipset is listed twice both with
the
yellow error warning and Code 37. I have uninstalled them and run the
installer software multiple times from both Dell and Intel to no avail.
argh.
Any ideas here?

The underlying drivers may need to be reloaded.
Anything else I should be looking for here? I am really desperately trying
to avoid a reinstall of Windows.

While you may be 'desperately trying to avoid a reinstall', sometimes that
is the *fastest* way to a working, reliable system. You can spend days
and days trying to fix subtle problems, or get a working system again in a
few hours (I often mix the reinstall with a movie rental).

My approach is often to get another hard disk (where I am, this is in the
$70 - $90 range) and a USB 2 drive adapter or case, install the new drive
and do a clean install to it; get that up and running. Once the system is
working properly, you can connect the old drive via the adapter or case,
scan it, and then copy the required user data. In essence, you use the
original drive as the backup. If you have all the key install disks set
up, and have exported any mail settings, this can go very quickly.

This is one of the few ways to be absolutely sure that problems such as
you're seeing are not related to some sort of malware or rootkit that your
tools missed.

HTH
-pk
 

lex3001

The repair install did not fail -- it completed successfully and I had to
reactivate Windows, which was also successful. Instead of using the original
Dell CD which I couldn't find, I used a CD that already has SP3 built into it
(from MSDN).

So the repair install worked without any problems. The problem is that I
have lingering problems after the repair install.
 

db ´¯`·.. >

Ok, then since the repair install is presumed successful, you may also have
to reinstall programs like the anti virals again.

However, you might try to perform a clean boot to begin eliminating the
probable causes. Basically, boot up in safemode and disable your startups and
non microsoft services. Then see if the system regains stability.

If not, then you may have to do the sp2 reinstallation methodology. The
reason being is that your slip stream may be contaminated, that is if you
made it on a system that had dormant infections.

But try the clean boot first and cross your fingers.


--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
 

David H. Lipman

From: "lex3001" <[email protected]>

| I've found and removed a trojan from my wife's laptop using Microsoft's
| malicious software removal tool, AVG, Trend, and Malwarebytes...

| There are still some lingering problems that I need help fixing. Note that
| in the process I did a repair install of Windows XP SP 3, hoping it would
| resolve some of this (but instead I think it created a new problem).

| I also had to do some cleanup in the registry -- windows updates was
| disabled as the malware had renamed %SystemRoot% to %fystemRoot% in several
| service entries. I have fixed all of those after jumping through several
| hoops (finding a way to run regedit, resetting permissions on those subkeys,
| etc.)

| 1. I still cannot run REGEDIT or REGEDT32 from the command prompt, from
| Start->Run, by double-clicking it, etc. When I try, nothing happens. I use
| Don Knox's emergency utility creator and I can run REGEDIT from another
| folder when it is renamed, but how do I clean up this nasty problem? Is it a
| registry entry? A piece of software still installed and running somehow? Etc.

| 2. After doing the repair install of Windows (this is a Dell Inspiron 700m),
| I cannot adjust the Display Settings for the screen resolution. In Device
| Manager, the Intel integrated graphics chipset is listed twice both with the
| yellow error warning and Code 37. I have uninstalled them and run the
| installer software multiple times from both Dell and Intel to no avail. argh.
| Any ideas here?

| Anything else I should be looking for here? I am really desperately trying
| to avoid a reinstall of Windows.

You said you "...did a repair install of Windows XP SP 3,"
That was a mistake and you could have corrupted the OS instead of just cleaning up after
effects of malware.

My inclination is to wipe the PC and reinstall the OS from scratch.

One other option...

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

 

Jose

lex3001 said:
Yes, the command prompt is fine.

Well that may be explainable, but you have many other symptoms
(lingering problems) of some trojans that I have encountered before,
so I wish you would try the following. If it is too hard to
understand or doesn't make sense, please tell me where so I can fix my
"paste" copy for some other person later. Scanning programs will
detect and remove them sometimes, but not always and not all the
leftovers.

It is important to follow the process, even if you don't think you
need to for some reason (I already did that, I don't think so, that
can't be it, etc.).

First, download, install, update and do a full scan with these three malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SuperAntiSpyWare (SAS): http://www.superantispyware.com/
AVG (AVG): http://free.avg.com/

See if Start, Run, COMMAND works - it probably will. CMD and COMMAND
are not the same program.

The problem is the name of the running process - regedit.exe or cmd.exe
(and maybe others). They can't show up as a running task.

You will also see that regedt32.exe will not work since it just runs
regedit.exe (at least in XP).

Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember. You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.
The copy.exe is a process that will be allowed to run. Other names
(like test.exe) may not run. If copy.exe won't run call it some other very
unique name.

Using Start, Run, your copy.exe should now work to get into the registry.

You can delete copy.exe later if you want.

When you get into the registry, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

Highlight the Drivers32 folder on the left and observe the contents in
the right hand pane. Then export the Drivers32 folder by choosing File,
Export.

Name the export file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.

Depending on your expertise, you may be able to spot the problem in the
list of Drivers32 entries right away and fix it. Even if you do something
wrong, you just exported the key so you can always import the original if
you need to restore it to the original state.

Look for entries in the right hand pane where the Value column has double
backslashes and double dot (..) notations and filenames that do not exist
or just don't make sense.

An example of a problem entry would be where the Name aux or aux2 has
a Data value of C:\\WINDOWS\\system32\\..\\jwmrus.yds

"aux" is a valid Name, but the Data value "jwmrus.yds" makes no sense.

These are the remnants of your trojan that your scan does not know enough
about to delete. The scan may have deleted the referenced file, but not the
registry entry. In the example above, "aux" should just be "wdmaud.drv".
There are probably some other entries that have wdmaud.drv with no path
in them to compare.

Fix the Data part of the entry by double clicking it, set the value to
wdmaud.drv (the most common thing needing replacement) and then click OK
to save it. If something goes wrong, you have a registry backup already.

If you can't spot the problem, then you need to post the registry export
results by opening the exported file in a text editor, copying all the
text and pasting it in your next post.

Don't try to open the file by double clicking it, or choosing to Open it.

Specifically open the exported file with a text editor. Right click the
exported file, choose Open With and use notepad or wordpad to open the
file. There should not be much in the file.

In the text editor, type Ctrl A to select all, Ctrl C to copy and then post
back here and type Ctrl V to paste the results into the post.

If you end up changing the registry or deleting something to get this
to work, I would like to know exactly what you found and what you did
so I can update my notes.
Jose
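Added example, not code from Jose, lex3001 or any tool named in the thread: a Python scanner for a regedit export that flags the two kinds of leftovers this thread describes, Drivers32 values that reach through `..` to a nonsense file name (Jose's "aux" example) and service ImagePath values whose %SystemRoot% token was renamed (lex3001's %fystemRoot%). The sample .reg text is constructed; the list of normal Drivers32 file extensions is an assumption.

```python
import re

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
NORMAL_EXT = (".drv", ".acm", ".dll", ".ax")  # assumption: normal Drivers32 file types

def hex2_line(s, width=60):
    """Encode s as regedit exports REG_EXPAND_SZ: 'hex(2):' + UTF-16LE bytes as
    comma-separated hex, wrapped onto ',\\' continuation lines as regedit does."""
    line, out = "hex(2):", []
    for b in (s + "\0").encode("utf-16-le"):
        if len(line) + 3 > width:
            out.append(line + "\\")
            line = "  "
        line += f"{b:02x},"
    return "\n".join(out + [line.rstrip(",")])

# Constructed sample export (not from the thread). "aux" mirrors Jose's example,
# the ImagePath mirrors the %SystemRoot% -> %fystemRoot% rename lex3001 found.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + DRIVERS32 + "]\n"
    '"aux"="C:\\\\WINDOWS\\\\system32\\\\..\\\\jwmrus.yds"\n'
    '"midi"="wdmaud.drv"\n'
    '"wave"="wdmaud.drv"\n'
    '"msacm.imaadpcm"="imaadp32.acm"\n\n'
    "[" + SERVICES + "\\wuauserv]\n"
    '"ImagePath"=' + hex2_line(r"%fystemRoot%\system32\svchost.exe") + "\n"
)

def parse_reg(text):
    """Return {key: {name: value}} for REG_SZ and hex(2) values; .reg files
    escape every backslash as '\\\\', so values are un-escaped here."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or cur is None:
            continue
        raw = m.group(2)
        while raw.endswith("\\") and i < len(lines):  # hex data continued
            raw, i = raw[:-1] + lines[i].strip(), i + 1
        if raw.startswith('"') and raw.endswith('"'):
            keys[cur][unescape(m.group(1))] = unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[cur][unescape(m.group(1))] = data.decode("utf-16-le").rstrip("\0")
    return keys

def check_drivers32(entries):
    """Flag values that traverse with '..', carry a path, or name an odd file type."""
    bad = []
    for name, value in entries.items():
        parts = value.split("\\")
        reasons = [r for ok, r in (
            (".." not in parts, "'..' traversal"),
            (len(parts) == 1, "path where a bare file name is expected"),
            (parts[-1].lower().endswith(NORMAL_EXT), "unexpected extension"),
        ) if not ok]
        if reasons:
            bad.append((name, value, reasons))
    return bad

def check_service_paths(keys):
    """Flag ImagePath values whose leading %...% token is not %SystemRoot%."""
    bad = []
    for key, entries in keys.items():
        if not key.lower().startswith(SERVICES.lower() + "\\"):
            continue
        path = entries.get("ImagePath", "")
        m = re.match(r"%([^%]+)%", path)
        if m and m.group(1).lower() != "systemroot":
            bad.append((key.rsplit("\\", 1)[-1], path, f"unknown variable %{m.group(1)}%"))
    return bad
```

Because the export escapes every backslash, the "double backslashes" Jose mentions appear in any path; the parser un-escapes them first, so the signals it keys on are the `..` segment, a path where a bare file name belongs, and an unfamiliar file type.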
 

David H. Lipman

From: "Jose" <[email protected]>

< snip >

| First, download, install, update and do a full scan with these three
| malware
| detection programs:

| Malwarebytes (MBAM): http://malwarebytes.org/
| SuperAntiSpyWare: (SAS): http://www.superantispyware.com/
| AVG (AVG): http://free.avg.com/

From the OP...

"I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem)."
 

Jose

David H. Lipman said:
From: "Jose" <[email protected]>

< snip >

| First, download, install, update and do a full scan with these three
| malware
| detection programs:

| Malwarebytes (MBAM):  http://malwarebytes.org/
| SuperAntiSpyWare: (SAS):  http://www.superantispyware.com/
| AVG (AVG):  http://free.avg.com/

From the OP...

"I've found and removed a trojan from my wife's laptop using Microsoft's
malicious software removal tool, AVG, Trend, and Malwarebytes...

There are still some lingering problems that I need help fixing. Note that
in the process I did a repair install of Windows XP SP 3, hoping it would
resolve some of this (but instead I think it created a new problem)."

Collective consensus is that no scanning software can detect and
remove everything. It is good practice to have more than one in your
toolkit.

My experience with these symptoms and the specific trojans that cause
them direct my suggestions. I recognize these symptoms. It is not a
"try this and it might work" suggestion.

If this is what I think it is, the Microsoft tools have never detected
the trojans that cause these symptoms. Neither has McAfee, Norton,
Trend or Spybot and others I can't remember. I have seen so many...
and then seen them scan right over these and many other infections.

I just recently added AVG to my list because in one case (with similar
symptoms) MBAM and SAS missed it but AVG found it. Other scanners
were useless. Maybe there is no need, and the OP can choose not to
run them.

My process has evolved from fixing this many times. There is nothing
included just for the heck of it.

Skipping a step or deviating from the offered solution is up to the
OP. This is the most efficient way to fix this problem if it is what
I am thinking.

It may not work, and I can change the process based on results, but if
the steps are followed, at least we will know what it isn't.

The rest of my post for removing the lingering bits still applies.

Jose
 

David H. Lipman

From: "Jose" <[email protected]>

| Collective consensus is that no scanning software can detect and
| remove everything. It is good practice to have more than one in your
| toolkit.

Not the point.

You told the OP "First, download, install, update ..." software he already indicated he
had used. Thus the suggestion is redundant.

| suggestions. I recognize these symptoms. It is not a
| "try this and it might work" suggestion.

| If this is what I think it is the Microsoft tools have never detected
| the
| trojans that cause these symptoms. Neither has McAfee, Norton,
| Trend or Spybot and
| others I can't remember. I have seen so many...
| and then them scan right over these
| and many other infections.

| I just recently added AVG to my list because in one case
| (with similar
| symptoms) MBAM and SAS missed it but AVG found it. Other scanners
| were
| useless. Maybe there is no need, and the OP can choose not to
| run them.

| My process
| has evolved from fixing this many times. There is nothing
| included just for the heck
| of it.

You missed the point and the rest of what you posted is moot.

The point is there was NOTHING wrong with the anti malware utilities you suggested EXCEPT
for the fact you didn't have the OP run anything he hadn't already used. That's the point
!

I agree one may catch what another may miss. That's why I include 4 different vendor AV
scanners in my Multi AV Scanning Tool.

So the OP said "...Microsoft's malicious software removal tool, AVG, Trend, and
Malwarebytes..."
OK -- then have the OP use; SpyBot S&D, BitDefender, F-Secure, etc...

But, I must also add the OP said...
"I did a repair install of Windows XP SP 3, hoping it would resolve some of this (but
instead I think it created a new problem)"

I agree, he exacerbated the problem.
 

Jose

David H. Lipman said:
From: "Jose" <[email protected]>

| On May 19, 5:03 pm, "David H. Lipman" <[email protected]>

| Collective consensus is that no scanning software can detect and
| remove everything.  It is good practice to have more than one in your
| toolkit.

Not the point.

You told the OP "First, download, install, update ..." software he already indicated he
had used. Thus the suggestion is redundant.

| suggestions.  I recognize these symptoms.  It is not a
| "try this and it might work" suggestion.

| If this is what I think it is the Microsoft tools have never detected
| the
| trojans that cause these symptoms.  Neither has McAfee, Norton,
| Trend or Spybot and
| others I can't remember.  I have seen so many...
| and then them scan right over these
| and many other infections.

| I just recently added AVG to my list because in one case
| (with similar
| symptoms) MBAM and SAS missed it but AVG found it.  Other scanners
| were
| useless.  Maybe there is no need, and the OP can choose not to
| run them.

| My process
| has evolved from fixing this many times.  There is nothing
| included just for the heck
| of it.

You missed the point and the rest of what you posted is moot.

The point is there was NOTHING wrong with the anti malware utilities you suggested EXCEPT
for the fact you didn't have the OP run anything he hadn't already used.  That's the point
!

I agree one may catch what another may miss.  That's why I include 4 different vendor AV
scanners in my Multi AV Scanning Tool.

So the OP said "...Microsoft's malicious software removal tool, AVG, Trend, and
Malwarebytes..."
OK -- then have the OP use; SpyBot S&D, BitDefender, F-Secure, etc...

But, I must also add the OP said...
"I did a repair install of Windows XP SP 3, hoping it would resolve some of this (but
instead I think it created a new problem)"

I agree, he exacerbated the problem.

He did not mention SAS and I don't know what programs "..." refers to.

Spybot is good if you are hungry for cookies, but cookies are not the
problem here. Bit Defender is also hit and mostly miss. Maybe they
sometimes turn up really bad stuff, but they are not on my front line
anymore.

I have seen other programs blow right over this stuff, and even if the
ones I suggest will miss and sometimes find and "remove" the trojan,
but this particular problem points to things the scanning software
left behind.

Sure, maybe all the scanners have been run, but lots of other things
happened after that if the stated progression of troubleshooting is
correct - including a System Restore and registry tampering some of
which the OP claims was somewhat successful, but did not resolve the
problem. I am not surprised at all.

His problem #1 is classic, although I am surprised that CMD works, but
I also don't know what else has been changed on this box. The Doug
Knox fix and the 'f' in front of his registry values... I have seen
all this stuff before. Manually fixing it in the registry is risky
and not necessary, if you understand the real problem.

The DK emergency fix may be enough to get you going, but it is not a fix.
It is a workaround. (no offense Doug). You are still left with the
original problem. Even my idea has a workaround, but it is temporary
and lets you fix the real problem and then you can undo the
workaround.

Workarounds just don't fly with me. Fix the problem, not the symptom
of the problem.

Okay - please let's not turn this into a "which scanning software is
better" thread, I apologize to everyone, and see what the OP has to
say next.

Jose
 
