Solved

Autorun.inf Registry Editing has been disabled by your administrator

Posted on 2009-04-17
Last Modified: 2013-11-21
JEEEEZZZZ  Thanks for looking at my question.  Once again a relative "newbie".  We apparently have been attacked by a "new" strain of the autorun.inf virus.  This one has attacked our server that Citrix runs on.  It has disabled the task manager and regedit abilities.  Through "group policy" I can get the task manager to work.  However, no matter what I do, regedit will not.  I have tried MULTIPLE fixes I have found on this great site, but none have worked.  Several variations of "Regeditenable.vbs" type things. Nothing.  What this is doing is not allowing .exe files to run.  For instance, our QuickBooks Pro is running on this server; you try to open it and it just goes away and shows an error in the event log.  

Additionally, this server WILL NOT boot in safe mode.  You can choose all variations but it ends up booting normally.  

This is a Server 2003 box; we're running Citrix MetaFrame 4.0, I believe is the version.  Also we are using "Vipre Enterprise" on our network as well.  It detected the autorun virus, but apparently can't remove it.  In talking to "Sunbelt Software", the makers of Vipre, they have requested logs and are going over them now as we speak and say that they haven't "seen" this one before.  

I'm sure I'm leaving something pertinent out.  I'm about "fried", been at this for nearly 2 days solid with only about 5 hours of sleep!  HELP!

Thanks!
Question by:macwalker1
LVL 7

Accepted Solution

by:
lacrewga earned 1392 total points
ID: 24173021
Chances are, if it will not let you choose safe mode... look at autoexec.bat, win.ini and system.ini files in c:\ and maybe you will see something suspicious.
0
 

Author Comment

by:macwalker1
ID: 24173024
By the way here is the HiJackthis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:00 PM, on 4/17/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\Documents and Settings\administrator.MAIL\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
C:\Program Files\Citrix\Licensing\LMC\Tomcat\bin\tomcat.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\Licensing\LS\CITRIX.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Citrix\system32\cdmsvc.exe
C:\Program Files\Citrix\system32\encsvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\Program Files\Citrix\System32\mfcom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Castelle\FaxPress\Daemon.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\rkoge.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\winhfpegq.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\dell\homepage\dellhome.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\dell\homepage\dellhome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\dell\homepage\dellhome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CstlFaxTray] "C:\Program Files\Castelle\FaxPress\FaxTray.Exe" /s
O4 - HKLM\..\Run: [CstlDaemon] C:\Program Files\Castelle\FaxPress\Daemon.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\administrator.MAIL\Desktop\at\RRT.exe auto
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\SBEAgent\SBRC.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.mail\windows\system32\mswsock.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237851598092
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retinanet.net
O17 - HKLM\Software\..\Telephony: DomainName = retinanet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2028E9A2-E596-4F86-AACB-1D5A6E1068C3}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retinanet.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{2028E9A2-E596-4F86-AACB-1D5A6E1068C3}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = retinanet.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{2028E9A2-E596-4F86-AACB-1D5A6E1068C3}: NameServer = 10.0.0.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\cdmsvc.exe
O23 - Service: Citrix SMA Service - Citrix Systems Inc. - C:\Program Files\Citrix\Sma\SmaService.exe
O23 - Service: Citrix Virtual Memory Optimization - Citrix Systems, Inc. - C:\Program Files\Citrix\Server Resource Management\Memory Optimization Management\Program\CtxSFOSvc.exe
O23 - Service: CitrixLicensing - Macrovision Corporation - C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
O23 - Service: Citrix XTE Server (CitrixXTEServer) - Citrix Systems, Inc. - C:\Program Files\Citrix\XTE\bin\XTE.exe
O23 - Service: Citrix Licensing WMI  (Citrix_GTLicensingProv) - Unknown owner - C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
O23 - Service: Citrix Print Manager Service (cpsvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\CpSvc.exe
O23 - Service: Citrix CPU Utilization Mgmt/CPU Rebalancer (CTXCPUBal) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpubal.exe
O23 - Service: Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe
O23 - Service: Citrix CPU Utilization Mgmt/User-Session Sync (CTXCPUUsync) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpuusync.exe
O23 - Service: License Management Console for Citrix Licensing (CTXLMC) - Alexandria Software Consulting - C:\Program Files\Citrix\Licensing\LMC\Tomcat\bin\tomcat.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\encsvc.exe
O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\mfcom.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe

--
End of file - 9376 bytes
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173038
You may also try deleting all temp and temp internet files under local settings, content.ie5 and then rebooting... for example
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 (all subfolders and files)
Do this for all users. Let me know if you don't see the Local Settings dir.
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173048
Will it let you boot in DOS mode?
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173065
Also, if you  don't know what these files are for...
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\rkoge.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\winhfpegq.exe
Try renaming them _rkoge.exe etc.
0
 

Author Comment

by:macwalker1
ID: 24173071
It will not allow DOS mode.
0
 

Author Comment

by:macwalker1
ID: 24173111
Hey, thanks for the quick responses.  I don't see either of the above, and I am familiar with the temp files. The others I am not, and I can't locate them as of yet.
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173129
In Windows Explorer, select file menu, tools, folder options. You will see 3 tabs... select the View tab, and  check the following...
Display contents of system folders
Show hidden files and folders
You will now see those subdirectories (let me know if not).
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173134
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\rkoge.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\winhfpegq.exe
The ~ is old DOS short-name stuff; it will look like c:\documents and settings\ (etc)
0
 

Author Comment

by:macwalker1
ID: 24173152
Ok wow, right when I was about to go into the folder, it disappeared, all the "hidden files", but I got in before it did it to me again!  Did three times before I could be quick enough to get in!  Wow.  So, delete those temp and temp internet files for everyone?
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173196
Yes. Some of the system users will not have the local settings directory. (By the way, good fix for lots of virii). Don't forget rkoge and winhfpegq.exe.
0
 

Author Comment

by:macwalker1
ID: 24173235
I have gone through and deleted any temp internet files and temp files I could find for all users, but I'm not seeing the other two files as of yet, but still looking.. Thanks again for all the help!  I'd rather not have to wipe this thing clean and start over!
0
 
LVL 5

Assisted Solution

by:Mechanic_Kharkov
Mechanic_Kharkov earned 456 total points
ID: 24173242
These two files are still active, and you cannot delete a running exe file. It needs to be inactive while deleting.
At first, try to kill the processes (rkoge.exe, winhfpegq.exe) in task manager; then you'll be able to delete the files.
If the files are starting again, then try to boot from another media (flash, CD) and then kill all of these files. After that, perform a complete drive scan with some AV software.

And it seems that your virus is too dirty-working to restore the system by hand. :(
0
 

Author Comment

by:macwalker1
ID: 24173246
I can't find either of them.  I've used the search feature as well.  I find a winvafh.exe and winsgkdhg.exe and nothing on the rkoge.
0
 

Author Comment

by:macwalker1
ID: 24173257
Right this minute, I can't get into taskmgr either.  I have been able to by configuring it in GPO, but now I can't.  I am rebooting and see what happens.  Whew....
0
 

Author Comment

by:macwalker1
ID: 24173265
Still no taskmgr.
0
 
LVL 5

Assisted Solution

by:Mechanic_Kharkov
Mechanic_Kharkov earned 456 total points
ID: 24173272
And a bit about regedit. The check of DisableRegistryTools is implemented in regedit.exe itself, so a modified regedit can access the registry without checking this value.
Try to find a patched regedit for Win2K,
e.g. here:
http://www.patheticcockroach.com/mpam4/index.php?p=28
0
 

Author Comment

by:macwalker1
ID: 24173285
Wow, after repeatedly running a VBS for accessing the registry that I found on here, and quickly jumping over there to the "run" box, it is now "open" but hell I don't know what to do with it now! lol.....
0
 
LVL 5

Assisted Solution

by:Mechanic_Kharkov
Mechanic_Kharkov earned 456 total points
ID: 24173289
No taskmgr, no regedit.. and you still have Explorer.. :-)
Now you are the hostage of an infected system with no tools to kill this infection..

The only way to scan the drive for viruses is to boot from another drive.
You can connect this hard drive to a clean machine with AV software installed to check it.
In this case, don't forget to configure the hard disk boot sequence in the BIOS settings to prevent booting from the wrong device.
0
 

Author Comment

by:macwalker1
ID: 24173297
Well, I DID have taskmgr, now I don't however I have the registry open now which hasn't been opened for two days!
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173309
Go to http://www.sysinternals.com and download Process Explorer (similar to Task Manager but much more powerful). Stop those processes and then delete rkoge etc.
0
 

Author Comment

by:macwalker1
ID: 24173345
Ok, I've done that but no luck on seeing those files to kill....and I never did find rkoge I know it's in the HiJackthis log, but I don't see it now...
0
 
LVL 7

Assisted Solution

by:lacrewga
lacrewga earned 1392 total points
ID: 24173361
Their names may have changed, but they will be in the same directory. (Run HijackThis again and look for the directory and you will find the changed names.) Once stopped, go to the before-mentioned directory and delete the new-name files.
0
 
LVL 5

Assisted Solution

by:Nicholas Iler
Nicholas Iler earned 152 total points
ID: 24175933
I would be very suspicious of these entries:
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\rkoge.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\winhfpegq.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 (Maybe this virus keeps adding this value to your registry)
------------------------------------------------------------------------
I would attempt to mount the file system with some sort of live disk like Knoppix and attempt to delete any active "exe's" that may have taken over your server. If these files reappear, then you know that the exe's are being recreated by a host file somewhere.
Really, I know building a new server can be a pain, although trying to clean a server that has been attacked I have found even more stressful in the past. Why not just build a new server with the exact same software and migrate your QuickBooks data? When you've got it, just change the IP address of the new server to that of the old server. That way you do not have to mess with the firewall.
Hope that helps a bit,
Nicks
0
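The indicators the responders single out in this thread (the two executables running from the administrator's Temp directory in the HijackThis log, the core `smss.exe` process name appearing under a user profile rather than `C:\WINDOWS\system32`, the `O7 ... DisableRegedit=1` policy entry, and the `O10` broken LSP line) can be checked mechanically. The following is an added example written for this page, not code from the thread or from HijackThis: a small Python triage pass that parses the HijackThis log format and flags those indicators. The sample log is a constructed excerpt of the log posted above; the assumption that the system root is `C:\WINDOWS` and the function names `parse_hijackthis` and `triage` are this example's own. The rules are heuristics that point an investigator at entries worth examining, not a verdict on any file.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of the HijackThis log posted in the thread above,
# trimmed so this script runs offline. Raw string so the backslashes survive.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\Documents and Settings\administrator.MAIL\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\rkoge.exe
C:\DOCUME~1\ADMINI~1.MAI\LOCALS~1\Temp\winhfpegq.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\administrator.MAIL\Desktop\at\RRT.exe auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.mail\windows\system32\mswsock.dll' missing
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
"""

# Core Windows process names that, on a default install, live only in
# %SystemRoot%\system32. Assumption: the system root is C:\WINDOWS, as in the log.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32" + "\\"

# "O4 - HKLM\..\Run: [Name] C:\path\to\file.exe args" -> code "O4", rest of line
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Pull the executable path out of an O4 autostart entry (quoted or not)
O4_PATH_RE = re.compile(r'\]\s*"?(.+?\.exe)', re.IGNORECASE)


def parse_hijackthis(text: str) -> Dict[str, List]:
    """Split a HijackThis log into the running-process list and the coded entries."""
    processes: List[str] = []
    entries: List[tuple] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:              # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def _finding(severity: str, rule: str, line: str, why: str) -> Dict[str, str]:
    return {"severity": severity, "rule": rule, "line": line, "why": why}


def triage(text: str) -> List[Dict[str, str]]:
    """Flag the indicators discussed in the thread; returns one finding per hit."""
    parsed = parse_hijackthis(text)
    findings: List[Dict[str, str]] = []
    for proc in parsed["processes"]:
        low = proc.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\temp\\" in low:         # matches both long and 8.3 (LOCALS~1\Temp) forms
            findings.append(_finding("HIGH", "temp_executable", proc,
                "executable running from a Temp directory; legitimate software rarely does this"))
        if name in CORE_SYSTEM_BINARIES and not low.startswith(SYSTEM32):
            findings.append(_finding("HIGH", "core_binary_outside_system32", proc,
                "core Windows process name running outside %SystemRoot%\\system32"))
    for code, rest in parsed["entries"]:
        low = rest.lower()
        if code == "O7" and "disableregedit=1" in low:
            findings.append(_finding("HIGH", "policy_disable_regedit", rest,
                "registry editing disabled by policy; malware sets this to hinder cleanup"))
        elif code == "O10" and low.startswith("broken internet access"):
            findings.append(_finding("MEDIUM", "broken_lsp", rest,
                "Winsock LSP chain references a missing DLL"))
        elif code == "O4":
            m = O4_PATH_RE.search(rest)
            if m and ("\\temp\\" in m.group(1).lower()
                      or "\\documents and settings\\" in m.group(1).lower()):
                findings.append(_finding("MEDIUM", "autostart_from_user_profile", rest,
                    "autostart entry points into a user profile; confirm it is something you installed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['line']}")
```

Run against a full log saved from HijackThis, the `temp_executable` rule is the one that turns up renamed copies of the same dropper after a reboot, which is what lacrewga describes: the names change, the directory does not. The `autostart_from_user_profile` rule is deliberately loose (it flags the poster's own `RRT.exe` on the Desktop) because an analyst should confirm every autostart under a profile by hand rather than have a script silently pass it.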
 

Author Comment

by:macwalker1
ID: 25716262
This question should be closed.  We eventually went through and re-imaged all workstations and salvaged the servers all except one.  This is and was one nasty virus.  Thanks for all your help.
0
