Windows XP hijack

Started by Hans Manhave, October 05, 2011, 03:53:16 PM


Hans Manhave

A friend's business has a machine hijacked by XP anti spyware or something.  I searched for how to remove in the files here, but cannot find all the references I thought there were.

I threw MalwareBytes at it.  SuperAntiSpyware.  ClamAV.  Ran the program that unhides all the desktop icons (that worked too).

Ran all that in safe mode with networking.  When rebooting in regular Windows mode, it is immediately invaded again.

What step(s) am I missing?

Should I just pull the drive and attach it to a clean system to scan from there?
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Download and run "autoruns" to see what is really happening.  Check for Browser Helper Objects, but more importantly, check for entries in the "run on startup" area of the registry.  My guess is that you are re-infecting yourself immediately because it is going out to the internet and downloading more stuff.  Also clean out the temp files.  A lot of stuff hides in the temp files and reloads from there.  Try that, and then run MalwareBytes again a couple of times to make sure it is clear.  My guess is that the temp files are the source of your reinfection.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop
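Jeff's advice above comes down to one triage question: which startup entries point at files living in temp or user-profile folders, or at unsigned binaries? The script below is an added example (not code from this thread or from Sysinternals) that applies those checks to a CSV export in the shape Autoruns' command-line sibling autorunsc writes. The column names are assumed from that export format, the sample rows are constructed for illustration, and the flagging rules are my own; treat every hit as something to look at, not an automatic verdict.

```python
"""Triage an Autoruns-style CSV export for suspicious startup entries.

Added example. Assumptions: the CSV header uses the column names that
autorunsc -c writes (a simplified subset is used here, and the sample
rows below are made up). The rules flag the two things the thread
singles out: images living in temp/profile folders and images that
are not signature-verified, plus one extra: a well-known system
binary name running from outside the Windows directory.
"""
import csv
import io
import re

# Constructed sample of an autorunsc-style export (not a real capture).
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon.exe,enabled,Logon,System-wide,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\ctfmon.exe,5.1.2600.5512,C:\\WINDOWS\\system32\\ctfmon.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,kdn8s7d.exe,enabled,Logon,EXAMPLE\\user,,(Not verified),,c:\\documents and settings\\user\\local settings\\temp\\kdn8s7d.exe,,"C:\\Documents and Settings\\user\\Local Settings\\Temp\\kdn8s7d.exe"
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Adobe Reader Speed Launcher,enabled,Logon,System-wide,Adobe Acrobat SpeedLauncher,(Verified) Adobe Systems,Adobe Systems Incorporated,c:\\program files\\adobe\\reader 9.0\\reader\\reader_sl.exe,9.4.0.195,"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"
HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run,,enabled,Logon,EXAMPLE\\user,,(Not verified),,c:\\documents and settings\\user\\application data\\svchost.exe,,C:\\Documents and Settings\\user\\Application Data\\svchost.exe
"""

# Folders where a legitimate autostart binary should almost never live
# (XP-era profile layout plus the newer AppData layout).
TEMP_LOCATIONS = re.compile(
    r"\\(local settings\\temp|temp|application data|appdata\\(local|roaming)|recycler|\$recycle\.bin)\\",
    re.IGNORECASE,
)

# Binary names that only belong under the Windows or Program Files tree.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "iexplore.exe"}
WINDOWS_DIR = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)


def check_entry(row):
    """Return the list of reasons an autostart row looks suspicious (empty if none)."""
    reasons = []
    path = (row.get("Image Path") or "").strip()
    signer = (row.get("Signer") or "").strip()
    if TEMP_LOCATIONS.search(path):
        reasons.append("image lives in a temp/profile folder")
    if path and not signer.startswith("(Verified)"):
        reasons.append("image is not signature-verified")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not WINDOWS_DIR.match(path):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def triage(csv_text):
    """Parse an export and return one finding per flagged autostart entry."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = check_entry(row)
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "path": row["Image Path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['location']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample data the two profile-folder entries are flagged and the signed Microsoft and Adobe entries pass. The registry locations in the flagged rows are the "run on startup" keys Jeff refers to; the path and signer columns are what turn a long Autoruns listing into a short list worth disabling and then rescanning.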

Hans Manhave

Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Quote from: HMan on October 05, 2011, 04:52:15 PM
Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.

If you're speaking of unplugging the hard drive and using a USB drive connection to connect the infected drive to a clean computer, I would highly recommend that.  It will detect the malware files, and also clean the registry of the infected drive, if I'm not mistaken.  In Explorer, just find the infected drive, right click on that drive and choose the option to scan that drive using MalwareBytes.  This is the method that I prefer.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Hans Manhave

I used RKill.  It found nothing.  Used unhide.exe to unhide or undelete all the desktop icons and programs that it messed with.  Unhide had to be named iexplore.exe to work, lol. 

Then I went back to the office and someone else was called in to handle it.  All that appears to be remaining is that sound files are being played randomly.  Not known how to fix that.

It was impossible to load the task manager during this fight.  No mouse click or ctrl-shift-esc etc combo would let it come up.

It is now out of my hands, I appreciate the input.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of Windows "events" that are happening.  Going into Control Panel and checking the sounds area (or whatever it's called) should give some answers.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

Quote from: Jeff Zylstra on October 06, 2011, 10:47:27 AM
No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of Windows "events" that are happening.  Going into Control Panel and checking the sounds area (or whatever it's called) should give some answers.

I found quite a few web references to hijack sound files.  Forwarded all I knew and learned to the friend.  Seems like the autoruns utility should be able to locate the offending progs and the user could then disable them.  Will see what happens.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Billy Welsh

Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jan Regnier on October 05, 2011, 05:26:40 PM
Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.


Oh, this happened to our PC laptop right before we got our Mac.  We never fully fixed the problem.  I am going to try this.  My hubby will be much happier if "his" laptop is back to normal.
Trisha Ours, CISR

Jeff Zylstra

Hey Trisha, try BleepingComputer.com.  It's a forum dedicated to fixing malware on PCs, and you will find tons of help there.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jeff Zylstra on October 11, 2011, 03:18:40 PM
Hey Trisha, try BleepingComputer.com.  It's a forum dedicated to fixing malware on PCs, and you will find tons of help there.

Thanks!   :D
Trisha Ours, CISR

Robin Deatherage

I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running ComboFix and Malwarebytes in safe mode, then ran them both again in normal boot up.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running ComboFix and Malwarebytes in safe mode, then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security