
Thread: need help w/ hard to kill trojan

  1. #51 Member (Join Date: Feb 2008, Posts: 47)

    So the keys there really should be hidden then? Well, I think I screwed it up again, as I did touch them, and now I cannot boot: I get an lsass.exe system error, "Object not found". I did export a copy of the keys, and I can get into the recovery console. Is it possible to execute a .reg file there?

    Damn it, I am too impatient!
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  2. #52 Member (Join Date: Feb 2008, Posts: 47)

    I managed to get back into safe mode and should now be able to restore the registry from my backup. Then what I need is to find where and what makes programs think we are in safe mode. There must be some flag or something?

  3. #53 steamwiz, Security Expert-Emeritus (Join Date: Dec 2005, Location: Yorkshire, U.K., Posts: 1,313)

    I guess this is too late now ...

    Recovery console uses reg.exe

    Try this ...

    reg import C:\your reg backup file or A:\ if it's on a floppy

    You may want to have a look at this for uses of reg.exe in recovery console :-

    http://www.resellerratings.com/forum...7&postcount=41
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  4. #54 Member (Join Date: Feb 2008, Posts: 47)

    Ok I am back at the wheel

    It appears reg is not, or is no longer, part of the RC on the XP SP2 CD, but I managed the situation anyhow.

    This URL helped me to get back into Windows:
    http://www.easydesksoftware.com/news/news36.htm

    Then I found I had some old registry backups done with ERUNT. I restored the oldest one, although it was from before I got it properly cleaned out. With the infected files gone this shouldn't be a problem, and I got back a less "messed by me" registry. I then just booted into safe mode and cleaned up the registry again.

    But before I did that I once again ran the reset of permissions (URL in earlier post).

    I didn't apply your reg fix for authentication though, I checked on my notebook and it looks the same and it hasn't been infected. So this key was obviously not changed by the infection.

    To solve the issue where Windows always thinks it's in safe mode, I found and removed a key named .../Safeboot/Option in all the controlset keys.

    I was then able to reinstall Windows Installer 3.1 and IE7, but WU didn't quite work yet. I found out that the tip I followed before missed a part. Here is a URL to a more complete solution:
    http://www.grq.net/windowsupdate.html

    I took advantage of the previous tip though by putting the commands into .bat files.

    Now WU worked and I got all updates, and I could also install BitDefender and have done a DeepScan that came out clean.

    I will do a few more scans, just to be safe, install my Java and firewall etc., and hope to be back with some final logs tomorrow, I guess. Well, last time KAV took 20 hours to scan, but maybe that was due to the infection. The deep scan with BitDefender took 6 hours.

    So it seems like I am on the happy side again then

  5. #55 steamwiz, Security Expert-Emeritus (Join Date: Dec 2005, Location: Yorkshire, U.K., Posts: 1,313)

    Hi

    removing the SafeBoot\Option key/value removes the file security tab ... you may be interested in this :-

    http://www.terminally-incoherent.com/blog/2007/07/ ... scroll down nearly to the bottom under heading Adding the File Security Tab in XP Home
    Adding the File Security Tab in XP Home
    Thursday, July 26th, 2007
    If you own XP Home you are probably painfully aware of some of its limitations. The home edition of the OS, for example, won't let you have detailed file access control. The security tab, where you can give or deny users permissions on a given file or folder, is simply missing from the properties dialog in this version.

    Of course you can still modify file access permissions by using simple workarounds like:

    Booting into Safe Mode
    Using the cacls command on the command line
    Using a 3rd party tool such as ACLView
    Patching your system with an untested, unofficial patch.
    None of these options is convenient, and the last one is particularly unsafe. While this patch does not have to be malicious, it's just too easy to slip a rootkit into this type of system file patch.

    Today I found yet another solution while looking for something completely different. Someone at the MSFN forum noticed that you can cheat the system into thinking it is in safe mode by tweaking the registry, and opted to create two reg files. The first one enables the security tab:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
    "OptionValue"=dword:00000001

    And another one to disable it:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
    The change is instant, and does not require a restart. Why do you need to disable it? Because with that dword in place, your XP will be absolutely convinced that it is running in safe mode, and thus won’t let you run certain software, or perform any installations.

    The problem with their solution is that you need to remember to click on the second reg file to restore your registry back to normal. So I decided to improve on it with a little shell script that will add that key, wait for you to finish your file access related tasks, and then remove the key before closing:

    Code:
    @echo off
    rem Flag the system as "safe mode" so the Security tab appears in XP Home.
    echo Enabling Security Tab

    rem /f overwrites the value without prompting if it already exists
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /v OptionValue /t REG_DWORD /d 00000001 /f

    echo Please keep this window open while you use the tab. When done, follow the prompts on the screen.
    pause

    rem Remove the key again so Windows stops believing it is in safe mode
    reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f
    You simply run this batch script, then leave it open at the prompt, do what you have to do, then go back and hit enter. The key will be automatically removed as the script closes.
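An added example, not from the thread or the quoted blog post, for the registry work in #54 and #55: it parses a .reg export in the "Windows Registry Editor Version 5.00" format shown above, reports which control sets carry the SafeBoot\Option\OptionValue flag that makes Windows believe it is in safe mode, and builds the [-key] cleanup file in the same delete form the blog post uses. The sample .reg text is constructed; a real regedit export is UTF-16 and would need decoding first.

```python
import re

# Constructed sample (not from the thread): a fragment of an exported .reg
# backup in the "Windows Registry Editor Version 5.00" format shown above.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Option]
"OptionValue"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Option]
"OptionValue"=dword:00000001
"UseAlternateShell"=dword:00000000

[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Control\\SafeBoot\\Option]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [key] adds, [-key] deletes
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Map key path -> {value name: int} for dword values; [-key] entries map to None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            delete, path = m.groups()
            keys[path] = None if delete else {}
            current = None if delete else path
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def safeboot_flags(keys):
    """Control sets whose SafeBoot\\Option\\OptionValue is non-zero (the safe-mode flag)."""
    hits = []
    for path, values in keys.items():
        parts = path.split("\\")
        if values and parts[-2:] == ["SafeBoot", "Option"] and values.get("OptionValue"):
            hits.append(parts[2])
    return sorted(hits)

def cleanup_reg(control_sets):
    """Build a .reg file, in the [-key] delete form, removing SafeBoot\\Option per control set."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cs in control_sets:
        lines += [f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Control\\SafeBoot\\Option]", ""]
    return "\n".join(lines)
```

On a real machine the input would come from `reg export HKLM\SYSTEM out.reg` (decoded from UTF-16LE), and the generated file is what you would review before importing it.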

  6. #56 Member (Join Date: Feb 2008, Posts: 47)

    Ok but I have XP Pro

    One thing I noticed though is that I only have 2 account types, Administrator and Limited, which is the same as for XP Home. Pro is supposed to have other types as well, I think, like Power User etc.? Can the Bagle have made changes to the registry that make it appear as if I have XP Home? Right-clicking My Computer and selecting Properties clearly states I have
    System:
    Microsoft Windows XP
    Professional
    Version 2002
    Service Pack 2

    And yes you are right, if I right click a folder or file and select properties, there is no security tab - I think that's what you mean?

    But again, my system is Pro and not Home. My registry is probably screwed up in some way, for sure. I hope the file I uploaded with the infector can cast some light on what kind of changes this evil thing really does.

    Otherwise the system seems to be fine now, although I haven't run many programs yet. Done some scans which have come up clean. Will do a KAV scan now though. I am just a bit fearful of opening IE as it seems to invite all kinds of evil

    Quote Originally Posted by steamwiz:
    Hi

    removing the SafeBoot\Option key/value removes the file security tab ... you may be interested in this :-

    http://www.terminally-incoherent.com/blog/2007/07/ ... scroll down nearly to the bottom under heading Adding the File Security Tab in XP Home

  7. #57 Member (Join Date: Feb 2008, Posts: 47)

    Oh by the way, I noticed there is an account not added by me called "ASP.NET Machine A..." but I have a vague idea this once was created by "LogMeIn" which I once tried out but then removed. It's set up as a LUA so should be able to do something bad and I can probably just delete it.

  8. #58 steamwiz, Security Expert-Emeritus (Join Date: Dec 2005, Location: Yorkshire, U.K., Posts: 1,313)

    Hi

    I guess I never asked you if you had home or pro ... FYI I just ran the batch on my XPhome .. works great.

    Maybe this is all you need to do to see the security tab in XP Pro

    enable Simple File Sharing in Windows XP Professional :-

    My Computer >> Tools >> Folder Options >> View >> (scroll to bottom) >> CHECK Use simple file sharing (Recommended)

    steam

  9. #59 steamwiz, Security Expert-Emeritus (Join Date: Dec 2005, Location: Yorkshire, U.K., Posts: 1,313)

    RE: ASP.NET Machine Account

    http://support.microsoft.com/kb/555299
