
Please Help!

bigaj234 (Member, Joined Oct 10, 2008, Messages: 13)
I realize that this may not be the right place to put this, but I need help just the same. I am working on a computer that has been the victim of a Trojan horse/replicator virus. The virus is gone, but the system is still suffering some of the after-effects of the virus. In the Windows XP Control Panel, under the administrative services tab, in the Services shortcut, the virus disabled certain components of the operating system such as the Security Center, and even the ability for the operating system to recognize its wireless or Ethernet capabilities. Every time I right-click on the tab to try and start the service again, the option to start the service has been grayed out; it will not let you select that service. If anybody has any advice, please help me.

Thanks!
 
format c:

seriously... I (as well as most of us) have been in the business long enough to know that when it comes to advanced software issues like that... that it would take FAR less time to blow it all away and reinstall the operating system than to spend hours and hours mucking with it. So, get your data (pictures, music what have you) off and either use your system recovery disk that may have come with your machine OR your Windows install CD.


just my 2 cents...
 
I just received permission to do that. Yes, I know that is usually the best option, but when you are dealing with another person's computer, reformatting the HD is not always an option. Thanks for your suggestion just the same though.
 
I repair computers every day, they most of the time must be formatted and reinstalled by disc..

Had an oddball one today though that would not restore correctly from the recovery partition, because that partition had the virus on it too, a rootkit...
 
I found that MalWareBytes (free) program gets rid of stuff that no other program will handle.

It cleans up, in my experience, enough stuff on the first pass to forgo having to do the old "copy and format" routine.

I pride myself on giving people back their computers with everything intact and working correctly (they may have to re-install some apps) and have even gone as far as doing data recovery on their drives to get there.

I know that, in these cases, what I charge people works out to about 5 bucks an hour in labour charges, but, they are happy, and they recommend a lot of other people to me.
 
sc (at the command prompt) is your friend.
It is the command-line interface to the SCM.

If that doesn't work, some of your permissions might have been mucked with. Technically, if you have administrative access, you can take them back, but it can be a bit fiddly. There could be other things wrong, though.
What services are disabled? If you post a list, I might have some ideas/paths to permissions.

The easiest way to generate the list is probably, from the cmd prompt:
Code:
rem state= all (note the space after =) includes stopped and disabled services, not just running ones
sc queryex state= all > c:\state.txt
This will dump the extended state of all services into a text file, c:\state.txt

How did you determine the virus is gone?

Have you run HijackThis on it yet? If not, get it and run it. HijackThis dumps what's running, what's loading, and such, and is a handy tool for figuring out what shouldn't be there. There are quite a few forums out there that can help with interpretation.

Personally, it's a matter of pride to return a computer without having to do the ol' wipe & reinstall. That's for the Geek Squad, the first step before they send you off to buy a new computer. But that's just me.

patscc
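To make that state.txt dump easier to act on, here is an added Python script (my code, not patscc's) that reads a saved `sc queryex state= all` dump plus a `sc qc <service>` dump and reports which of the XP services a malware cleanup commonly leaves broken are stopped, absent from the listing, or configured as DISABLED. The sample output text is constructed, and the watch list of service names is my assumption about which services matter for the symptoms in this thread (Security Center, firewall, updates, wireless, DHCP).

```python
import re

# Constructed sample of "sc queryex state= all" output, trimmed to the
# fields this script reads. Not a capture from a real machine.
SAMPLE_STATE = """\
SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        PID                : 0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        PID                : 0

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        PID                : 0

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        PID                : 1016
"""

# Constructed sample of "sc qc wscsvc" output (start type 4 = DISABLED).
SAMPLE_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wscsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Security Center
        DEPENDENCIES       : RpcSs
                           : winmgmt
        SERVICE_START_NAME : LocalSystem
"""

# Assumed watch list: XP services that should normally be running on a
# desktop and that malware likes to switch off.
WATCHLIST = {
    "wscsvc": "Security Center",
    "SharedAccess": "Windows Firewall / ICS",
    "wuauserv": "Automatic Updates",
    "wzcsvc": "Wireless Zero Configuration",
    "Dhcp": "DHCP Client",
}


def parse_sc_blocks(text):
    """Split sc output into one {field: value} dict per SERVICE_NAME block."""
    services = {}
    for block in re.split(r"(?m)^SERVICE_NAME:", text)[1:]:
        lines = block.strip().splitlines()
        fields = {"SERVICE_NAME": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key.strip():          # skip DEPENDENCIES continuation lines
                fields[key.strip()] = value.strip()
        services[fields["SERVICE_NAME"]] = fields
    return services


def last_word(value):
    """'1  STOPPED' -> 'STOPPED'; '' -> ''."""
    parts = value.split()
    return parts[-1] if parts else ""


def triage(state_text, watch=WATCHLIST):
    """Watch-listed services that are not RUNNING, plus those absent from the
    dump (absent usually means the dump was taken without 'state= all')."""
    services = {n.lower(): f for n, f in parse_sc_blocks(state_text).items()}
    stopped, missing = [], []
    for name in watch:
        fields = services.get(name.lower())
        if fields is None:
            missing.append(name)
        elif last_word(fields.get("STATE", "")) != "RUNNING":
            stopped.append(name)
    return {"stopped": sorted(stopped), "missing": sorted(missing)}


def start_type(qc_text):
    """From 'sc qc <name>' output return AUTO_START, DEMAND_START or DISABLED."""
    fields = next(iter(parse_sc_blocks(qc_text).values()), {})
    return last_word(fields.get("START_TYPE", ""))


if __name__ == "__main__":
    print(triage(SAMPLE_STATE))
    print("wscsvc start type:", start_type(SAMPLE_QC))
```

Copy c:\state.txt off the machine and point `triage` at its contents; for each service it reports, run `sc qc <name>` and feed that text to `start_type`. A service that comes back DISABLED is what makes the Start option grey out in services.msc; `sc config <name> start= auto` followed by `sc start <name>` restores it, provided the permissions on the service have not also been changed.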
 
I tend to agree with Druid and Patscc. I only wipe and reinstall as a last resort. If the OS won't load, I usually boot from a Knoppix CD and dump as much of the owner's data to an external drive as I can recover. Then I can work on recovering the OS using a variety of disk utilities.

I really hate the computer companies that try to save a couple of extra bucks profit by not including recovery CDs/DVDs with their computers. Most owners never take the time to create them once they get the laptop home.
 
>I usually boot from a Knoppix CD

I recently discovered Ultimate Boot Disc for Windows. Makes recovery from most malware quite easy.
 
For the record, I had a similar little crap bug get on my computer, compliments of a girlfriend's poor surfing habits. It was ALMOST interesting (just a bit more of a PITA than necessary), but yes, I've seen a few that modify the local security policy to disable a few things like regedit and Control Panel. Depending on the services that have been disabled (like Task Manager, etc., whose disabling settings remain intact despite the malware being gone), you can do a search online on how to enable the required setting.

From there you can usually make a .reg file and import it from the command line (regedit /s regfileyoumade.reg) (the /s is silent/don't ask if I'm sure).

Example reg file sample.reg:
Code:
REGEDIT4

; DisableTaskMgr and DisableRegistryTools live under Policies\System,
; NoControlPanel under Policies\Explorer. A value of 0 re-enables the tool.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000

Then import it from the command line:
Code:
regedit /s sample.reg

(note: if this doesn't work due to regedit being disabled you might be able to rename regedit.exe to something else or regedit.com and get around that as well.)
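As an added example (my code, not barythrin's), here is a Python script that reads a `reg export` of the Policies keys, reports which of the three lockdown values discussed in the post are switched on, and writes the .reg file that clears them. The export text is constructed; the key layout it assumes (DisableTaskMgr and DisableRegistryTools under Policies\System, NoControlPanel under Policies\Explorer) is the standard location for those policy values.

```python
import re

# Constructed sample of "reg export" output for the Policies trees.
# Not a capture from a real machine; dword values are hex.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoControlPanel"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=dword:00000000
"""

# (subkey under ...\CurrentVersion\Policies, value name) pairs that lock a
# user out of the tools needed to clean a machine. Non-zero means "on".
RESTRICTIONS = {
    ("System", "DisableTaskMgr"),
    ("System", "DisableRegistryTools"),
    ("Explorer", "NoControlPanel"),
}

POLICY_KEY = re.compile(r"\\CurrentVersion\\Policies\\(\w+)$", re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}.
    dword values become ints, quoted strings become str, anything else is kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1]
            else:
                value = raw
            keys[current][name] = value
    return keys


def active_restrictions(text):
    """Return sorted (key, value_name) pairs whose restriction is switched on."""
    found = []
    for key, values in parse_reg(text).items():
        m = POLICY_KEY.search(key)
        if not m:
            continue
        subkey = m.group(1).lower()
        for name, value in values.items():
            if (subkey, name.lower()) in {(s.lower(), n.lower()) for s, n in RESTRICTIONS}:
                if isinstance(value, int) and value != 0:
                    found.append((key, name))
    return sorted(found)


def unlock_reg(text):
    """Build the .reg text that resets every active restriction to 0,
    importable with 'regedit /s unlock.reg'."""
    out = ["Windows Registry Editor Version 5.00"]
    last_key = None
    for key, name in active_restrictions(text):
        if key != last_key:
            out += ["", f"[{key}]"]
            last_key = key
        out.append(f'"{name}"=dword:00000000')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, name in active_restrictions(SAMPLE_EXPORT):
        print(f"restriction on: {key} -> {name}")
    print(unlock_reg(SAMPLE_EXPORT))
```

Produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" hkcu.reg` (and the same for HKLM); on XP that file is UTF-16, so open it with `encoding="utf-16"` before passing the text in. The generated unlock.reg only touches values that are actually set, which keeps the fix reviewable before it is imported.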
 
Does appear that This weekend in Caro would be an extremely poor choice. As in tons o' snow and really sh*tty outside.
 
barythrin said:
> regedit being disabled

That little trick unfortunately doesn't work any more; M$ got wise and started putting actual permissions on the registry. For a while there were actually two versions, regedit for all the people just curious, and regedt32 for all those that needed to do some serious work. :)
patscc
 
Yeah, I posted that for general knowledge use, but I didn't go through and thoroughly test everything. I do recall having to rename one of the regedit tools to the same name .com to get it past its own security though, even though I thought they had fixed that issue as well by using file signatures.
 
> >I usually boot from a Knoppix CD
>
> I recently discovered Ultimate Boot Disc for Windows. Makes recovery from most malware quite easy.


A Puppy Live CD is my weapon of choice.

I have to go along with the nuke/reinstall crowd (after saving as much data as possible) then making an image of the new install with Acronis True Image (best $50 I've spent).

Most computers benefit from a fresh Windows installation, the "customer" is ecstatic that the machine is now a speed demon again, and vows to make regular backups which they don't do.

The next time (and there always is a next time) all I have to do is load the saved image and, Bob's your uncle.

Kent
 
I like to clean a machine without doing the 'nuke' routine if I can (if for no other reason than digging into and learning about whatever nasty has its hooks in it), but I too tend to lean towards wiping a system, mainly because of work. We really can't take any chances in my workplace, so if something has been infected and we can't be sure of cleaning it, we always do images on fresh installs and periodic image updates. As someone mentioned earlier, it's usually faster to wipe and paste an image back. If the bug gets into our on-air machines, we're in for that much more work, and lost revenue. UBCD Win, Macrium/Ghost, Hiren's, and a couple of flavours of Linux are some good tools to have either way.
 