registry edits keep reappearing

tomred
2011-12-21, 23:56
Hi,

Windows XP SP3

First a little history. A user's PC was infected. The symptoms were that the floppy drive would seek very regularly and the winsock was being blocked, so the email was not working. I tried several things, but when the bootable Spybot CD failed to clean the infection, I removed the PC and gave the user a fresh Win XP SP2 machine last week. Then I made a childish error. I copied the user's docs from his infected PC to a USB key and took them to his new PC. It immediately started to display the old symptoms. I read the USB key on a Linux box and noticed a .trash folder with 3 executables; one an install_flash with the correct icon.

I have spent several hours looking at this tonight. I first tried to use the Spybot immunize feature, but Spybot wouldn't run. The exe appeared to duplicate. I ran RootAlyzer. There was a file in %systemroot%\system32\config\systemprofile\programs\start menu\startup, not visible through Explorer. I installed and booted into the recovery console. Removed the file. I had to use gpedit to enable access to the "Documents and Settings" so I could remove the file with the same name in the user's profile (local settings\application data). I also copied Process Explorer into the startup to see if I could work out what was happening.

On rebooting it was obvious something was still not right. There looked to be a process associated with the Java runtime installation in "C:\program files". RootAlyzer showed that the files were back in place. There were multiple Run entries in the user's registry (cunning, as the file can't be seen), and one under wininit.

However, every time I edited the registry and removed the entries, then ran regedit again, the entries under Run were back. What I need is a way to save a copy of the registry and then, in the recovery console, replace the contaminated one with the saved version. But I'm on the edge of my expertise now and I need some advice on how I can do that. Does anyone know if, when you save the registry, the file is in the right format? What name should I save it as, and where is the system registry so I can replace it?

It would also be good to know what the name of this type of virus is.
Thanks in advance.
Dp.

tashi
2011-12-22, 01:34
Hello tomred,

By your description this doesn't sound like a personal computer? :)

http://forums.spybot.info/showpost.php?p=25712&postcount=5

tomred
2011-12-22, 10:01
I guess that's the end of this thread then.