grant-ellsworth
asked on
Multiple Virii on WinXP Pro, trojans, incl duplicate Rundll32, rogue iexplore.exe, registry editor has been disabled by your administrator
We have a standalone (not in a domain) Windows XP Pro SP2 machine with multiple infections showing up after removing one of them.
Initially it looked like the only infection was the "AV.EXE"/"AVE.EXE" rogue XP security window annoyance.
After disabling and removing ave.exe, we started having many other problems which included internet explorer launching and displaying ads, etc.
Further investigation revealed some "interesting" aspects:
1. In the user's Doc and Settings\<username>\ folder, there are 3 rundll32 variants = "rundll32.exe", "rundll32 .exe" (note space before period), "rundll32.exe.delme22"
---> when I deleted these, the user's login became totally unusable and I had to change to another account - an admin account
2. In admin account, I found the same rundll32 stuff and left it alone
3. In admin account, we cannot edit the registry with Regedit or Regedt32 - popup msg saying "Registry editor has been disabled by your administrator"
4. In admin account, I ran the vbs script, the unhookexe.inf file, the GPEdit user config change for "Disable Registry Editing Tools/Disabled"
---> Rebooting machine didn't help and seems to have triggered or introduced even more malware
5. There were several hidden .exe files in the %windir%\system32 with what looked like random file names created on the day the infections started to show up - some examples:
pemiseda.exe
vozasela.exe
nodajuse.exe
mupabevu.exe
munigero.exe
mevorare.exe
luyunaku.exe
6. We see an instance of IExplore running in the "System" account/username in Task Manager; we end the process and it starts up again a few mins later
We have AVG 8.5 up to date with virus sigs - we do full machine scans - it finds and deletes only one or 2 items, and the other problems persist.
We ran TrendMicro's Housecall - it found and removed 45 infections and 4 rootkits; we rebooted machine after Housecall finished - the Rundll32 files were still in the folders and we still can't edit the registry - even after rerunning some of the suggested scripts.
Any suggestions besides the F-Disk solution?
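The file-level signs listed in the question (rundll32 look-alikes inside a user profile, a name with whitespace before the extension, hidden randomly named .exe files in system32 all created on one day) can be turned into a report-only triage script. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later, the XP profile root `C:\Documents and Settings`, and that you pass the date the symptoms began.

```powershell
# Added triage script, not from the thread. Report-only: it lists suspects and deletes nothing.
# Covers the file-level signs described in the question:
#  (a) rundll32 look-alikes inside user profiles (the genuine rundll32.exe lives in %windir%\system32)
#  (b) names with whitespace before the extension, e.g. "rundll32 .exe"
#  (c) hidden .exe files in system32 with 8-letter lowercase random names created on the symptom date
param(
    [string]$ProfilesRoot  = 'C:\Documents and Settings',  # XP profile root (assumption)
    [datetime]$SymptomDate = (Get-Date).Date               # assumption: day the infection surfaced
)
$system32 = Join-Path $env:windir 'system32'
$findings = @()

function Add-Finding([string]$Reason, [System.IO.FileInfo]$File) {
    $script:findings += New-Object PSObject -Property @{
        Reason  = $Reason
        Path    = $File.FullName
        Created = $File.CreationTime
        Hidden  = (($File.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    }
}

# (a) and (b): walk every profile, including hidden files (-Force)
Get-ChildItem -Path $ProfilesRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        if ($_.Name -match '^rundll32')   { Add-Finding 'rundll32 look-alike outside system32' $_ }
        elseif ($_.BaseName -match '\s$') { Add-Finding 'whitespace before extension' $_ }
    }

# (c): hidden, exactly eight lowercase letters, .exe, created on the symptom date
Get-ChildItem -Path $system32 -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.Extension -eq '.exe' -and
        $_.BaseName -cmatch '^[a-z]{8}$' -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        $_.CreationTime.Date -eq $SymptomDate.Date
    } |
    ForEach-Object { Add-Finding 'hidden random-name exe in system32' $_ }

$findings | Sort-Object Reason, Path | Format-Table Reason, Created, Hidden, Path -AutoSize
```

Run it from an account that can read every profile and treat the output as a list to review, not a list to delete: the asker's own experience shows that removing the rundll32 copies blindly broke the user's logon.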
ASKER CERTIFIED SOLUTION
When we have a severe infection like you are having on this machine, we certainly can't depend upon a particular product; try many programs like
combofix
malwarebytes
spyware search and destroy
avira rescue cd suggested by 1st commenter also
and if it looks like a rootkit use this http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
use safe mode for scanning this system when you use malwarebytes and spyware search and destroy programs
after the removal process do chkdsk /f and sfc /scannow to make the file system healthy
Cheers
Before you reinstall, here are two suggestions: one simple, one harder.
1) Install Microsoft Security Essentials and scan. This may catch more than the others, or simply may catch different ones.
2) Run a Linux toolkit (like Trinity) that incorporates a virus scan engine so that you can remove the virii without running the OS. You could do the same by moving the disk to another computer as a data drive and scanning it from the other OS.
However, you will never be sure that you get all the viruses, and even if you do you may find that there is damage that can not be corrected. For example, files missing, unable to launch explorer, because hooks that the virus installed are still there, even if the virus itself is gone.
It's probably faster to reinstall.
SOLUTION
ASKER
Seems like the grand consensus is the F-Disk solution. Situation reminds me of the Monkey Virus of several years ago. Unfortunately, doing a reconstruction will require a pair of boots on the ground, which is what we hoped to avoid. Well, we'll try a couple of your suggestions like combofix before throwing in the towel.
Any ideas on what the specific infections are based on the specific info I listed?
ave.exe is one of the "drive by" browser infections that IE is prone to - it installs a fake antivirus that looks like Microsoft's Windows Security Center and throws up increasingly scary messages as bubbles over the taskbar
Download and unzip this emergency utility.
http://www.dougknox.com/xp/utils/xp_emergencyutil.zip
Navigate to C:\EmergencyUtils and try running
Copy_of_Regedit.com
If you are able to get into the registry using this, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Delete any entries under that key. They were installed by the virus to prevent you running most malware antivirus programs. After removing them, download and run malwarebytes. Try to run it from safe mode if possible. When you download it, rename it BEFORE it is saved... just keep the .exe extension.
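The answer above relies on two registry mechanisms: an Image File Execution Options subkey with a Debugger value makes Windows launch that Debugger instead of the named program (which is why renaming a tool before saving it lets it run), and the DisableRegistryTools policy produces the "disabled by your administrator" message. The following report-only check, added here and not from the thread, lists both; it assumes PowerShell 2.0 or later and an account that can read HKLM.

```powershell
# Added check script, not from the thread. Report-only; assumes PowerShell 2.0 or later.
# 1) Lists Image File Execution Options subkeys that carry a "Debugger" value: Windows starts
#    that Debugger in place of the program named by the subkey, which is how malware stops
#    regedit.exe or a scanner from running, and why the advice is to rename a tool before saving it.
# 2) Reads the DisableRegistryTools policy behind "Registry editing has been disabled by your administrator".
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # First token of the Debugger value is the executable (quoted if it has spaces).
            # A target that no longer exists is as suspicious as one that does: the tool it
            # hijacks still will not start.
            $exe = if ($dbg -match '^"([^"]+)"') { $matches[1] } else { ($dbg -split '\s+')[0] }
            New-Object PSObject -Property @{
                Program      = $_.PSChildName
                Debugger     = $dbg
                TargetExists = (Test-Path -Path $exe)
            }
        }
    }
}

function Get-RegeditPolicy {
    foreach ($hive in 'HKCU', 'HKLM') {   # HKCU: this user only; HKLM: every user on the machine
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        New-Object PSObject -Property @{ Hive = $hive; DisableRegistryTools = $val }
    }
}

'== IFEO subkeys with a Debugger value (review each; developer tools such as gflags create legitimate ones) =='
Get-IfeoDebugger | Format-Table Program, Debugger, TargetExists -AutoSize
'== DisableRegistryTools policy (1 or 2 = regedit blocked; blank = not set) =='
Get-RegeditPolicy | Format-Table Hive, DisableRegistryTools -AutoSize
```

If the PowerShell console itself will not start, the hijack covers it too, and the answer's copy-of-regedit route is the way to inspect the key.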
Try the following to clean your system:
Microsoft Security Essentials : http://www.microsoft.com/security_essentials/
ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
a-squared: http://download1.emsisoft.com/a2usb.zip
Vipre Rescue: http://live.sunbeltsoftware.com/Download/
Online Virus Scanners:
http://www.bitdefender.com/scanner/online/free.html
SOLUTION
ComboFix is a good way to go.... just attach the log so we can check it to make sure it's clean.
But if utilities are disabled, or .exes won't run, use exeHelper first; this also removes ave.exe
Please download exeHelper to your desktop.
http://www.raktor.net/exeHelper/exeHelper.com
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
"(note space before period),"
That's a Vundo file infector that infects legit files. You definitely need ComboFix, but since the registry editor is disabled use exeHelper first, especially if tools won't run.
SOLUTION
ASKER
Just letting all contributors know that we are investigating several of your proposals. I'll report back as soon as I have some results. Thanks a big bunch for all of your suggestions and insights into this monster.
----
The vandals who produce and propagate these things should be lightly boiled in oil and then placed in absolute solitary confinement with no windows, permanent dim lighting and a 6 by 10 cell for the rest of their days!!
----
I'll suggest you this http://download.bitdefender.com/rescue_cd/ - just a great rescue CD; it gives you a proper Knoppix Linux interface + virus scanner
grant-ellsworth said: "The vandals who produce and propagate these things should be lightly boiled in oil and then placed in absolute solitary confinement with no windows, permanent dim lighting and a 6 by 10 cell for the rest of their days!!"
If you consider the typical high fat diet and their likely surroundings, you may find that they are already working in dimly lit small rooms with no windows.
Given that XP SP2 suggests a machine that's a couple of years old, if you decide to bite the bullet and reinstall, make it worth your while and replace the hard drive with a new one so that you get 1) less chance of subsequent drive failure, 2) better performance, and 3) better productivity.
ASKER
The only solution that made sense was to reinstall. We did. Then the user/owner copied some files back from a USB flash disk without turning off autorun. The av(e).exe rogue security window took up residence again. So, we rebuilt again. I've run out of expletives to address this. This machine is about 1.5 yrs old.
Note for AnnOminouys: Let's add bars, take away all stimulation - no books, no mags, no TV, no radio, no computer, no social contact of any kind, no daylight, no darkness, and we might be approaching the desired result.
I'm in a hard place to award points for this - all comments were helpful and informative. Thanks. I'm awarding points to those who emphasized the re-install.
ASKER
Grade A for all contributors.
Suggestion for recidivist XP users: make a separate account with admin rights and only give the user standard rights. Full patch, disable autorun and Microsoft Security Essentials also helps.
Until next time...
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
Unfortunately I have found in most cases it's faster to backup and reinstall windows.