Re: cleanup after malware/trojan/virus
- From: Jose <jose_ease@xxxxxxxxx>
- Date: Tue, 19 May 2009 13:55:52 -0700 (PDT)
On May 19, 3:35 pm, lex3001 <lex3...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Yes, the command prompt is fine.
"Jose" wrote:
On May 19, 1:50 pm, lex3001 <lex3...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Can you go to Start, Run, cmd <enter> and get to a command prompt or not?
Jose
Well that may be explainable, but you have many other symptoms
(lingering problems) of some trojans that I have encountered before,
so I wish you would try the following. If it is too hard to
understand or doesn't make sense, please tell me where so I can fix my
"paste" copy for some other person later. Scanning programs will
detect and remove them sometimes, but not always and not all the
leftovers.
It is important to follow the process, even if you don't think you
need to for some reason (I already did that, I don't think so, that
can't be it, etc.).
First, download, install, update and do a full scan with these three malware detection programs:
Malwarebytes (MBAM): http://malwarebytes.org/
SuperAntiSpyWare: (SAS): http://www.superantispyware.com/
AVG (AVG): http://free.avg.com/
See if Start, Run, COMMAND works - it probably will. CMD and COMMAND
are not the same program.
The problem is the name of the running process - regedit.exe or cmd.exe (and maybe others). They can't show up as a running task.
You will also see that regedt32.exe will not work since it just runs
regedit.exe (at least in XP).
Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember. You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.
The copy.exe is a process that will be allowed to run. Other names (like test.exe) may not run. If copy.exe won't run, call it some other very unique name.
Using Start, Run, your copy.exe should now work to get into the
registry.
You can delete copy.exe later if you want.
When you get into the registry, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Highlight the Drivers32 folder on the left and observe the contents in the right hand pane. Then export the Drivers32 folder by choosing File, Export.
Name the export file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.
Depending on your expertise, you may be able to spot the problem in the list of Drivers32 entries right away and fix it. Even if you do something wrong, you just exported the key so you can always import the original if you need to restore it to the original state.
Look for entries in the right hand pane where the Value column has double backslashes and double dot (..) notations and filenames that do not exist or just don't make sense.
An example of a problem entry would be where the Name aux or aux2 has
a Data value of C:\\WINDOWS\\system32\\..\\jwmrus.yds
"aux" is a valid Name, but the Data value "jwmrus.yds" makes no sense.
These are the remnants of your trojan that your scan does not know enough about to delete. The scan may have deleted the referenced file, but not the registry entry. In the example above, "aux" should just be "wdmaud.drv".
There are probably some other entries that have wdmaud.drv with no path in them to compare.
Fix the Data part of the entry by double clicking it, set the value to wdmaud.drv (the most common thing needing replacement) and then click OK to save it. If something goes wrong, you have a registry backup already.
If you can't spot the problem, then you need to post the registry export results by opening the exported file in a text editor, copying all the text and pasting it in your next post.
Don't try to open the file by double clicking it, or choosing to Open it. Specifically open the exported file with a text editor. Right click the exported file, choose Open With and use notepad or wordpad to open the file. There should not be much in the file.
In the text editor, type Ctrl A to select all, Ctrl C to copy and then post back here and type Ctrl V to paste the results into the post.
If you end up changing the registry or deleting something to get this
to work, I would like to know exactly what you found and what you did
so I can update my notes.
Jose
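The Drivers32 check Jose describes (look for ".." hops, full paths and nonsense filenames in the exported key, then put the default back) can be done mechanically over the exported .reg file. The script below is an added example for this thread, not code posted by Jose or anyone else in it. The sample export is constructed here with two planted bad entries; the extension whitelist and the table of default values to restore are my assumptions about an XP box and should be checked against a clean machine before the generated fix-up is imported.

```python
"""Audit a regedit export of the Drivers32 key for trojan leftovers.

Added example for the thread above, not code from it. Flags values that
contain a '..' path hop, an absolute path where a bare filename belongs,
or a file extension no multimedia driver uses, and builds a .reg fragment
that restores the known defaults for the names it can.
"""
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumption: stock XP Drivers32 values are bare filenames with these extensions.
OK_EXTENSIONS = {".drv", ".dll", ".acm"}

# Assumption: XP defaults for the names the post talks about. Verify on a clean
# box. Flagged names not listed here are reported but never rewritten.
EXPECTED = {
    "aux": "wdmaud.drv", "midi": "wdmaud.drv", "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv", "midimapper": "midimap.dll",
}

# Constructed sample: what the export looks like once opened in Notepad. The
# 'aux' and 'wave1' lines are planted to resemble the leftovers in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.mrle"="msrle32.dll"
"wave"="wdmaud.drv"
"wave1"="C:\\WINDOWS\\system32\\..\\..\\Temp\\aux.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def load_reg_text(raw: bytes) -> str:
    """Regedit on XP writes .reg files as UTF-16 with a BOM; older exports are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def _unescape(s: str) -> str:
    # .reg string syntax doubles backslashes and backslash-escapes quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_drivers32(reg_text: str) -> dict:
    """Return {name: data} for the string values under the Drivers32 key only."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == DRIVERS32_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def suspicious_reasons(data: str) -> list:
    """Why a single Drivers32 value looks wrong; empty list means it looks stock."""
    parts = re.split(r"[\\/]", data)
    reasons = []
    if ".." in parts:
        reasons.append("parent-directory hop ('..') in path")
    if len(parts) > 1:
        reasons.append("full path where a bare filename is expected")
    leaf = parts[-1]
    ext = "." + leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    if ext not in OK_EXTENSIONS:
        reasons.append("unexpected extension %r" % ext)
    return reasons


def audit(reg_text: str) -> dict:
    """Map each flagged name to (current data, reasons, default to restore or None)."""
    report = {}
    for name, data in parse_drivers32(reg_text).items():
        reasons = suspicious_reasons(data)
        if reasons:
            report[name] = (data, reasons, EXPECTED.get(name))
    return report


def fixup_reg(report: dict) -> str:
    """A .reg fragment restoring known defaults for flagged names, for import after review."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % DRIVERS32_KEY]
    for name, (_data, _reasons, default) in sorted(report.items()):
        if default is not None:
            lines.append('"%s"="%s"' % (name, default.replace("\\", "\\\\")))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = audit(load_reg_text(SAMPLE_REG.encode("utf-16")))
    for name, (data, reasons, default) in sorted(found.items()):
        print("%s = %s\n    %s\n    restore: %s" % (name, data, "; ".join(reasons), default or "review by hand"))
    print(fixup_reg(found))
```

Run it against your own export by replacing SAMPLE_REG with the bytes of the exported file; the generated fragment only touches names with a known default, so anything else it lists (like the planted wave1 entry) still has to be judged and fixed by hand, with the original export kept as the rollback.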
- Follow-Ups:
- Re: cleanup after malware/trojan/virus
- From: David H. Lipman
- Re: cleanup after malware/trojan/virus
- References:
- cleanup after malware/trojan/virus
- From: lex3001
- Re: cleanup after malware/trojan/virus
- From: Jose
- Re: cleanup after malware/trojan/virus
- From: lex3001
- cleanup after malware/trojan/virus