Multiple Virii on WinXP Pro, trojans, incl duplicate Rundll32, rogue iexplore.exe, registry editor has been disabled by your administrator

We have a standalone (not in a domain) Windows XP Pro SP2 machine with multiple infections showing up after removing one of them.

Initially it looked like the only infection was the "AV.EXE"/"AVE.EXE" rogue XP security window annoyance.

After disabling and removing ave.exe, we started having many other problems which included internet explorer launching and displaying ads, etc.

Further investigation revealed some "interesting" aspects:

1.  In the user's Doc and Settings\<username>\ folder, there are 3 rundll32 variants = "rundll32.exe", "rundll32 .exe" (note space before period), "rundll32.exe.delme22"
--- > when I deleted these, the user's login became totally unusable and I had to change to another account - an admin account
2.  In admin account, I found the same rundll32 stuff and left it alone
3.  In admin account, we cannot edit the registry with Regedit or Regedt32 - popup msg saying "Registry editor has been disabled by your administrator"
4.  In admin account, I ran the vbs script, the unhookexe.inf file, the GPEdit user config change for "Disable Registry Editing Tools/Disabled"
---> Rebooting machine didn't help and seems to have triggered or introduced even more malware
5.  There were several hidden .exe files in the %windir%\system32 with what looked like random file names created on the day the infections started to show up - some examples:
pemiseda.exe
vozasela.exe
nodajuse.exe
mupabevu.exe
munigero.exe
mevorare.exe
luyunaku.exe
6.  We see an instance of IExplore running in the "System" account/username in Task Manager; we end the process and it starts up again a few mins later

We have AVG 8.5 up to date with virus sigs - we do full machine scans - it finds and deletes only one or 2 items, and the other problems persist.

We ran TrendMicro's HouseCall - it found and removed 45 infections and 4 rootkits; we rebooted machine after HouseCall finished - the Rundll32 files were still in the folders and we still can't edit the registry - even after rerunning some of the suggested scripts.

Any suggestions besides the F-Disk solution?
grant-ellsworth Asked:

uroboros1200Commented:
Try Avira AntiVir Rescue System it is a live cd that will let you scan the drive outside of windows. It has worked for me a few times.

http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

Unfortunately I have found in most cases it's faster to backup and reinstall windows.
0
☠ MASQ ☠Commented:
Flattening the disk and starting again would certainly be quicker.  Is there any pressing need to recover the machine?
Downloading the current Combofix from bleepingcomputer.com onto another machine, renaming it to something random.exe and running it might give you an advantage in dealing with this but it does sound beyond simple recovery.
0

acl-puzzCommented:
When we have a severe infection like you are having on this machine we certainly can't depend upon a particular product; try many programs like
combofix
 malwarebytes
 spyware search and destroy
avira rescue cd suggested by 1st commenter also

and if it looks like a rootkit use this http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

use safe mode for scanning this system when you use malwarebytes and spyware search and destroy programs

after removal process do chkdsk /f and sfc /scannow to make file system healthy


Cheers
0

AnnOminousCommented:
Before you reinstall, here are two suggestions: one simple, one harder.

1) Install Microsoft Security Essentials and scan. This may catch more than the others, or simply may catch different ones.

2) Run a Linux toolkit (like Trinity) that incorporates a virus scan engine so that you can remove the virii without running the OS. You could do the same by moving the disk to another computer as a data drive and scanning it from the other OS.

However, you will never be sure that you get all the viruses, and even if you do you may find that there is damage that cannot be corrected. For example, files missing, unable to launch explorer, because hooks that the virus installed are still there, even if the virus itself is gone.

It's probably faster to reinstall.
0
Thomas Zucker-ScharffSolution GuideCommented:
I agree that unless there is some pressing need to recover this machine, your best bet is a reimage/reinstall.  With that in mind, if you still want to clean the machine, let me recommend using a boot CD - I suggest UBCD/UBCD4win as they have a plethora of useful tools on them already.  You have to build UBCD4Win, but you can download the iso for UBCD 4.11 from http://www.ultimatebootcd.com/download.html.  I like the build better and wrote an article on best way to go about building your own UBCD: http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html.  Also there are a slew of prebuilt ISOs out there and many are listed at this site:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
0
grant-ellsworthAuthor Commented:
Seems like the grand consensus is the F-Disk solution.  Situation reminds me of the Monkey Virus of several years ago.  Unfortunately, doing a reconstruction will require a pair of boots on the ground which is what we hoped to avoid.  Well, we'll try a couple of your suggestions like combofix before throwing in the towel.

Any ideas on what the specific infections are based on the specific info I listed?
0
☠ MASQ ☠Commented:
ave.exe is one of the "drive by" browser infections that IE is prone to - it installs a fake antivirus that looks like Microsoft's Windows Security Center and throws up increasingly scary messages as bubbles over the taskbar
0
abelenkiyCommented:
trojan remover from http://www.simplysup.com/
update and scan
then use spybot to do the same.
0
flubbsterCommented:
Download and unzip this emergency utility.
http://www.dougknox.com/xp/utils/xp_emergencyutil.zip
Navigate to C:\EmergencyUtils and try running
Copy_of_Regedit.com

If you are able to get into the registry using this, navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Delete any entries under that key. They were installed by the virus to prevent you running most malware antivirus programs. After removing them, download and run malwarebytes. Try to run it from safe mode if possible. When you download it, rename it BEFORE it is saved... just keep the .exe extension.
0
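An added triage script (not from any poster in this thread) that lists the artifacts discussed above before anything is deleted: Image File Execution Options subkeys carrying a Debugger value, the DisableRegistryTools policy, rundll32 look-alikes in every profile directory, and hidden executables in system32. Paths are the standard XP ones; the script assumes it is run from an administrator cmd prompt and only reports, it does not change anything.

```batch
@echo off
rem Triage for the symptoms described in the thread (added example, read-only).
setlocal

echo === IFEO subkeys with a Debugger value (used to redirect launches of AV tools) ===
rem XP's reg.exe prints a version banner, so keep only lines that are key paths.
for /f "delims=" %%K in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ^| findstr /b "HKEY"') do (
    reg query "%%K" /v Debugger >nul 2>&1 && reg query "%%K" /v Debugger
)

echo === Registry editor lockout policy (DisableRegistryTools, user then machine) ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul

echo === rundll32 look-alikes in profile folders (the genuine file lives in %SystemRoot%\system32) ===
for /d %%P in ("%SystemDrive%\Documents and Settings\*") do (
    dir /a /b "%%P\rundll32*" 2>nul
)

echo === Hidden .exe files in system32, newest creation date first ===
dir /a:h /t:c /o:-d "%SystemRoot%\system32\*.exe" 2>nul | more

endlocal
```

Compare the IFEO and rundll32 output against a clean XP machine; genuine entries are rare, so anything listed deserves a look before the cleanup tools are run.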
xmachineCommented:
0
optomaCommented:
It's probably a Vundo file infector along with whatever else is there.
It renamed "rundll32 .exe" (note space before period), that is more than likely a valid file.

For example:
http://www.howtogeek.com/howto/9727/how-to-get-rid-of-the-wmpscfgs.exe-virus-a-reader-contributed-guide/

If you run Combofix first and post its logfile, hopefully somebody else will see this thread and post a script to aid in repair + removal (Rpg or Grey are two that possibly can!)
0
rpggamergirlCommented:
ComboFix is a good way to go.... just attach the log so we can check it to make sure it's clean.
But if utilities are disabled, or .exes won't run, use exeHelper first; this also removes ave.exe

Please download exeHelper to your desktop.
http://www.raktor.net/exeHelper/exeHelper.com
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
0
rpggamergirlCommented:
"(note space before period),"

That's a Vundo file infector that infects legit files.. you definitely need ComboFix but since registry editor is disabled use exeHelper first, especially if tools won't run.
0
AnnOminousCommented:
It's starting to look like a reinstall with a subsequent scan of all the files that you *need* to keep is the best bet. There is no way to know for certain that you have eliminated all the problems and even if you do eliminate the virus files themselves, the side effects of installation and removal may cause problems of their own.

Better to revert to a known working starting point.
0
grant-ellsworthAuthor Commented:
Just letting all contributors know that we are investigating several of your proposals. I'll report back as soon as I have some results.  Thanks a big bunch for all of your suggestions and insights into this monster.
----
The vandals who produce and propagate these things should be lightly boiled in oil and then placed in absolute solitary confinement with no windows, permanent dim lighting and a 6 by 10 cell for the rest of their days!!
0
acl-puzzCommented:
I'll suggest you this http://download.bitdefender.com/rescue_cd/ just great rescue cd, gives you a proper Knoppix Linux interface + virus scanner
0
AnnOminousCommented:
grant-ellsworth said: "The vandals who produce and propagate these things should be lightly boiled in oil and then placed in absolute solitary confinement with no windows, permanent dim lighting and a 6 by 10 cell for the rest of their days!!"

If you consider the typical high fat diet and their likely surroundings, you may find that they are already working in dimly lit small rooms with no windows.

Given that XP SP2 suggests a machine that's a couple of years old, if you decide to bite the bullet and reinstall, make it worth your while and replace the hard drive with a new one so that you get 1) less chance of subsequent drive failure, 2) better performance, and 3) better productivity.
0
grant-ellsworthAuthor Commented:
The only solution that made sense was to reinstall.  We did.  Then the user/owner copied some files back from a USB flash disk without turning off autorun.  The av(e).exe rogue security window took up residence again. So, we rebuild again.  I've run out of expletives to address this.  This machine is about 1.5 yrs old.

Note for AnnOminous:  Let's add bars, take away all stimulation - no books, no mags, no tv, no radio, no computer, no social contact of any kind, no daylight, no darkness, and we might be approaching the desired result.

I'm in a hard place to award points for this - all comments were helpful and informative.  Thanks  I'm awarding points to those who emphasized the re-install.
0
grant-ellsworthAuthor Commented:
Grade A for all contributors.
0
AnnOminousCommented:
Suggestion for recidivist XP users: make a separate account with admin rights and only give the user standard rights. Full patch, disable autorun and Microsoft Security Essentials also helps.

Until next time...
0
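An added post-rebuild hardening script (not from any poster in this thread) that applies the closing suggestion: a standard-rights daily account, a separate administrative account, and AutoRun disabled for all drive types so that plugging in the flash disk that reinfected this machine would not launch anything. The account names are assumptions; `net user ... *` prompts for each password, and the script assumes it is run from an administrator cmd prompt on the freshly reinstalled XP system.

```batch
@echo off
rem Post-reinstall hardening for XP (added example). Run as an administrator.
setlocal
set DAILY_USER=dailyuser
set ADMIN_USER=localadmin

rem Daily account gets standard (Users) rights only; malware run by this
rem account cannot write to system32 or HKLM, which the infection above relied on.
net user %DAILY_USER% * /add /comment:"Standard-rights daily account"
net localgroup Users %DAILY_USER% /add

rem Separate account for maintenance only; never browse or copy files with it.
net user %ADMIN_USER% * /add /comment:"Administrative account for maintenance only"
net localgroup Administrators %ADMIN_USER% /add

rem Disable AutoRun for every drive type: 0xFF (255) covers all drive letters and
rem types (removable, fixed, network, CD-ROM). On XP this is only honored fully once
rem the update described in Microsoft KB967715 is installed; patch first.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem Verify the result.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
net localgroup Users
net localgroup Administrators
endlocal
```

Log off and on for the Explorer policy to take effect; confirm by inserting a USB drive that carries an autorun.inf and checking that nothing launches.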