TechSpot

Problem: Malware in registry

By Ventress
Nov 19, 2009
  1. I've been able to delete malware that sends a command to load this program that msconfig blocks. I want to get rid of this program that appears in msconfig. According to msconfig the program I want rid of resides in HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run. When I go there I can find one registry key that could be it, but when I try to delete it an error appears. I've tried to delete it in Safe Mode and I have tried to delete it as administrator, but even then I get an error. I have all the permissions that should allow me to delete that key. Anyone have any idea how to solve this problem?
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    I doubt the name will help but it's (Oletus). It's highly possible that this key is not the problem but there isn't anything else.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Are you using P2P Torrent software?

    I'm nearly positive that Combofix will remove that issue you are having
    But again you need to run through the guide stated above, since its all malware related
     
  5. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Combofix definitely didn't help solve the problem; it caused one. After I had run Combofix the computer restarted but it couldn't load Windows anymore. Fortunately I had the installation CD so I was able to fix it. Combofix didn't find anything wrong with the registry either. Why is msconfig saying it blocked a program, that doesn't exist, from starting then?
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Here's a novel idea, not sure if you may have thought of it yet... Post a log to let us see, rather than wild guessing.
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ventress, I didn't ask you to run Combofix
    We cannot ask users to run Combofix until we see the logs. The reason is that Combofix is a very critical software package that should only be run under the supervision of a malware specialist, plus there are a few recommendations to follow before running Combofix. Else you may corrupt Windows ;)

    As stated to you, you should run through the GUIDE first
    But your call ;) Do what you want to do, if you feel experienced enough :rolleyes:
    But since you have Repaired Windows, who knows what may be corrupted now
    i.e. After running through the GUIDE, you may need to run another Repair or System File Checker
    A Repair will also lose all your Windows Security Updates since the time of the Setup files, i.e. what Service Pack are you on now?
     
  8. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    I have Service Pack 2. I guess I have no choice but to run that whole list of damn things... How bothersome.
     
  9. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    I have Service Pack 2 on Vista Home Premium. I guess I have no choice but to run that long guide then. What logs should I post in here exactly?
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    As per the first reply to you, please read the guide and post the 3 logs:
    Malwarebytes
    SUPERAntispyware
    Hijackthis
    It's all in the Guide ;) If you have any issues doing this, please let us know
     
  11. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Alright I ran the guide. Here are the logs.
     

  12. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    FYI:
    you can set permissions of registry keys, but usually it's a good idea to let Windows manage that.
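Added example, not from the thread or from any of the tools it mentions: an elevated PowerShell script (Vista or later) that lists the Run/RunOnce entries of both hives together with the MSConfig startupreg key where msconfig parks a Startup item you uncheck (which is how msconfig can "block" something that is no longer under Run itself), dumps the ACL on the key, and, as a last resort, takes ownership to remove a value. Two points the original post does not make explicit: msconfig's Startup tab lists *values* under those keys, not subkeys, so the thing to remove is a value; and a Deny ACE on the key is the usual reason the delete fails even as administrator, which is what the ACL dump is for. The value name `Oletus` is the one from the thread; the function names are this example's own.

```powershell
# Added example, not from the thread or from any tool it mentions. Run from an elevated
# PowerShell (Vista or later). Everything except the value name 'Oletus' and the standard
# Run/RunOnce/MSConfig key paths is an assumption of this example.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # msconfig (XP/Vista/7) moves an unchecked Startup item here, one subkey per item
    'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
)

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($key -like '*\startupreg') {
            Get-ChildItem $key | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                New-Object psobject -Property @{ Key = $key; Name = $_.PSChildName; Command = $p.command; Disabled = $true }
            }
        } else {
            # Startup items are values under the key, not subkeys
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { New-Object psobject -Property @{ Key = $key; Name = $_.Name; Command = $_.Value; Disabled = $false } }
        }
    }
}

function Show-KeyAcl ([string]$key) {
    # an explicit Deny ACE (often for Everyone) is the usual reason a value "cannot be deleted"
    (Get-Acl $key).Access | Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

function Remove-LockedRunValue ([string]$hiveName, [string]$subKey, [string]$valueName) {
    $hive = [Microsoft.Win32.Registry]::$hiveName        # 'CurrentUser' or 'LocalMachine'
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

    # 1. take ownership of the key (needs SeTakeOwnershipPrivilege, hence the elevated shell)
    $k = $hive.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
    $sec.SetOwner($me)
    $k.SetAccessControl($sec); $k.Close()

    # 2. as owner, drop explicit Deny ACEs and grant ourselves FullControl
    $k = $hive.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRule($ace) }
    }
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($me, 'FullControl', 'Allow')))
    $k.SetAccessControl($sec); $k.Close()

    # 3. the delete now goes through (throws if the value does not exist)
    $k = $hive.OpenSubKey($subKey, $true)
    $k.DeleteValue($valueName)
    $k.Close()
}

Get-AutostartEntries | Format-Table Key, Name, Command, Disabled -AutoSize
Show-KeyAcl 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# only after noting the Command the value points to and dealing with that file:
# Remove-LockedRunValue 'CurrentUser' 'Software\Microsoft\Windows\CurrentVersion\Run' 'Oletus'
```

Note the Command column before deleting anything: the value is only the loader, and the file it points to (or whatever recreates the value on the next boot) is the actual problem, which is why the thread's advice to post logs before touching the registry is sound.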
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    If you do not require the following 3 programs any longer, please uninstall them:
    Run the IE Reset Fixit Tool, or do it manually from here: http://www.techspot.com/vb/post682762-2.html
    Then restart Internet Explorer

    Please download and run TFC by Old Timer: http://oldtimer.geekstogo.com/TFC.exe
    You may need to Restart during the cleaning process

    Now you can run Combofix
    • Download Combofix to your desktop.
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here
    • together with a fresh HJT log. But restart first before creating this log
     
  14. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Do you know how I can get an English version of Combofix? When I download it I automatically get a Finnish version, so you might not understand much of the log.
     
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    The log language is set by your Regional settings in your Windows
    Combofix is already in English
     
  16. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Here are the requested logs.
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well, I found all these suspicious (likely malware) entries in your Combofix log
    And I noticed that you have had (or presently have) these programs installed
    If Panda Security is still installed please uninstall it as you already have F-Secure Internet Security

    -------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Then drag CFScript.txt onto ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt; please attach this to your next reply.

    -------------------------------------------------------------

    But I'm thinking an online scan would be the best place to go at this point:
    Please do an online scan with Kaspersky
    Open >> Kaspersky Online Scanner in Internet Explorer
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


    Please provide the log from this scan as well
     
  18. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Well msconfig doesn't report blocking anything anymore. When I go to msconfig the same program is still found there but I've unchecked it so it won't run.
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please run CCleaner to remove any temp files
    Then run TFC.exe to remove more temp files (restart may be required)

    Then run CCleaner again, but this time click on the "Registry" button, and do a scan and fix all issues (no backup required)
    You may need to run this multiple times until all errors are uncovered and fixed

    Then Restart

    Then run a scan only with HJT and attach the log to a new reply



    Edit:

    Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Go to Start -> Run, type cmd and click OK.
    Copy and paste the following lines one by one in the open command window and press Enter after each line:

    cd\ & c:\mbr.exe -t
    c:\mbr.log


    A log file (c:\mbr.log) will open. Post the contents of it to your reply.

    --------------------

    Please click here to download AVP Tool by Kaspersky.
    • Save it to your desktop.
    • Reboot your computer into SafeMode.


      • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
        Use your up arrow key to highlight SafeMode then hit enter.
    • Double click the setup file to run it.
    • Click Next to continue.
    • It will by default install it to your desktop folder. Click Next.
    • Hit ok at the prompt for scanning in Safe Mode.
    • It will then open a box There will be a tab that says Automatic scan.
    • Under Automatic scan make sure these are checked.
      • System Memory
      • Startup Objects
      • Disk Boot Sectors.
      • My Computer.
      • Also any other drives (Removable that you may have)

    After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
    Then choose OK again then you are back to the main screen.
    • Then click on Scan at the top right-hand corner.
    • It will automatically Neutralize any objects found.
    • If some objects are left un-neutralized then click the button that says Neutralize all
    • If it says it cannot be Neutralized then choose the delete option when prompted.
    • After that is done click on the reports button at the bottom and save it to file, name it Kas.
    • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.



      • Note: This tool will self uninstall when you close it so please save the log before closing it.
     
  20. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    I won't even bother attaching the report made by AVP tool because it didn't find anything.
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Did you run IE Reset, (as requested) 2 days ago? (^^ up there)
    Because many entries look to be individualized in your log
    You may want to do it again, with IE closed

    You can also open HJT scan only, and fix the following 3 entries:
    Then re-open Internet Explorer and run through the standard initial configurations by MS

    My biggest concern is this:
    But Kaspersky online scanner detected nothing
    We can just as easily copy another Atapi.sys from another computer, but do you have another computer running Windows Vista?
    If so, here is the command to copy Atapi.sys to your USB Flash Drive, from the other computer (please substitute F for your Flash drive drive letter)
    cmd /c copy C:\WINDOWS\system32\drivers\atapi.sys F:\ >log.txt&log.txt
    You will get notified: "1 file(s) copied"
    We can then copy this new file to your C:\, overwriting the old one
    But, do you have another computer to do this in the first place?

    Please run the following command, on the possible still infected computer:
    cmd /c dir /a c:\atapi.sys >log.txt&log.txt
    A text file opens, please post the content.
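Added example, not from the thread: a PowerShell check of atapi.sys that goes a step beyond the `dir` and `copy` commands above. It hashes every copy of the file on the system drive, works out which copy the kernel actually loads from the `atapi` service's ImagePath, compares each copy against a reference (the known-good file from another machine on a flash drive, as suggested above, or failing that the loaded copy itself), and hands the loaded file to SFC for a check against the component store. The `F:\atapi.sys` path and the function names are assumptions; run it from an elevated shell.

```powershell
# Added example, not from the thread. Hashes every atapi.sys on the system drive, finds the copy
# Windows actually loads, and flags copies whose hash differs from a reference. The 'F:\atapi.sys'
# path and all function names are assumptions. Needs an elevated shell.

function Get-Sha256 ([string]$path) {
    # Get-FileHash only exists from PowerShell 4, so hash with .NET directly
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-LoadedDriverPath ([string]$service = 'atapi') {
    # the file the kernel loads is whatever the service's ImagePath says, not the first 'dir' hit
    $p = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$service" -ErrorAction SilentlyContinue).ImagePath
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverCopies ([string]$name = 'atapi.sys', [string]$root = "$env:SystemDrive\") {
    # -Force includes hidden/system files; a copy outside System32\drivers or WinSxS is itself a finding
    Get-ChildItem -Path $root -Filter $name -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        New-Object psobject -Property @{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            SHA256    = Get-Sha256 $_.FullName
            # catalog-signed OS files show NotSigned on PowerShell builds without catalog support;
            # HashMismatch is the status to worry about, not NotSigned
            Signature = $sig.Status.ToString()
        }
    }
}

function Test-DriverIntegrity ([string]$knownGood) {
    $loaded = Get-LoadedDriverPath
    $copies = @(Get-DriverCopies)
    $ref = if ($knownGood -and (Test-Path $knownGood)) { Get-Sha256 $knownGood }
           else { ($copies | Where-Object { $_.Path -eq $loaded } | Select-Object -First 1).SHA256 }
    foreach ($c in $copies) {
        $c | Add-Member NoteProperty Loaded ($c.Path -eq $loaded)
        $c | Add-Member NoteProperty MatchesReference ($c.SHA256 -eq $ref)
    }
    $copies | Sort-Object Loaded -Descending |
        Format-Table Loaded, MatchesReference, Signature, Size, Modified, Path -AutoSize
    # SFC on Vista and later can verify a single file against the component store
    if ($loaded) { & sfc "/verifyfile=$loaded" }
}

Test-DriverIntegrity -knownGood 'F:\atapi.sys'
```

A loaded copy whose hash differs from the WinSxS copy or from the known-good file means the file on disk was changed. The converse does not clear the machine: a kernel rootkit that hooks the disk stack can return the clean bytes to every reader on the running system, so the only check that settles it is one made from outside the running OS (booted from the install disc or on another machine).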
     
  22. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    I reset IE again and fixed the 3 entries. I don't have another computer with Vista. Am I supposed to write cmd /c dir /a c:\atapi.sys >log.txt&log.txt in the command prompt? If I am, then the file is not found.
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Let's just go with "fixmbr" for Vista ;) (this will not upset your files, but it's always best to back up first)
    1. Boot from your Vista Disc
    2. Select "Repair your computer"
    3. Choose "Command prompt"
    4. Type in: bootrec /FixMbr and then press Enter
    Once completed then type Exit, and Restart

    Run another Combofix, and provide the log as an Attachment
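Added example, not from the thread and not GMER's mbr.exe: a PowerShell script that reads sector 0 of the boot disk, parses the partition table and boot signature, hashes the boot code, and diffs the live sector against a dump saved earlier. The point of the before/after diff is to see exactly what `bootrec /FixMbr` touched: it rewrites the boot code (bytes 0..445) and leaves the partition table (bytes 446..509) alone, which is the concrete form of "this will not upset your files". Disk 0, the dump file names and the function names are assumptions; run it from an elevated shell, and use a 4096-byte read on a 4Kn disk.

```powershell
# Added example, not from the thread and not GMER's mbr.exe. Reads sector 0 of the boot disk,
# parses it, and diffs it against a dump saved earlier. Elevated shell; disk 0 and the dump
# file names are assumptions (use a 4096-byte read on a 4Kn disk).

function Read-Mbr ([int]$disk = 0) {
    $fs = New-Object System.IO.FileStream("\\.\PhysicalDrive$disk", 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "short read on PhysicalDrive$disk" }
        return ,$buf
    } finally { $fs.Close() }
}

function Get-MbrInfo ([byte[]]$mbr) {
    $parts = foreach ($i in 0..3) {
        $o = 446 + 16 * $i                      # four 16-byte partition entries
        if ($mbr[$o + 4] -eq 0) { continue }    # unused slot
        New-Object psobject -Property @{
            Slot     = $i
            Bootable = ($mbr[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $mbr[$o + 4]   # 0x07 = NTFS
            StartLba = [BitConverter]::ToUInt32($mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($mbr, $o + 12)
        }
    }
    $code = [byte[]]$mbr[0..445]
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    New-Object psobject -Property @{
        ValidSignature = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)
        BootCodeSha256 = ([BitConverter]::ToString($sha.ComputeHash($code))) -replace '-', ''
        Partitions     = @($parts)
    }
}

function Save-Mbr ([string]$path, [int]$disk = 0) {
    [System.IO.File]::WriteAllBytes($path, (Read-Mbr $disk))
}

function Compare-Mbr ([string]$baselinePath, [int]$disk = 0) {
    # offsets that differ between the saved dump and the live sector; a change in 0..445 (boot code)
    # that you did not make yourself is the thing to worry about, 446..509 is the partition table
    $old  = [System.IO.File]::ReadAllBytes($baselinePath)
    $new  = Read-Mbr $disk
    $diff = @(0..511 | Where-Object { $old[$_] -ne $new[$_] })
    New-Object psobject -Property @{
        BootCodeChanged       = (@($diff | Where-Object { $_ -lt 446 }).Count -gt 0)
        PartitionTableChanged = (@($diff | Where-Object { $_ -ge 446 -and $_ -lt 510 }).Count -gt 0)
        ChangedOffsets        = $diff
    }
}

# before the repair:  Save-Mbr 'C:\mbr-before.bin'
# after bootrec /FixMbr and a reboot:  Compare-Mbr 'C:\mbr-before.bin'
#   (expect BootCodeChanged = True, PartitionTableChanged = False)
Get-MbrInfo (Read-Mbr) | Format-List
```

The same caveat as for any read made from inside the running system applies: a bootkit that hooks the disk stack can hand back clean boot code, so a dump taken from the Vista disc's command prompt (or from another machine) is the one to trust, and a diff between that and the live read is itself evidence.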
     
  24. Ventress

    Ventress TS Rookie Topic Starter Posts: 23

    Did the fix and here's the combofix log.
     


  25. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That looks better :grinthumb

    The fault before, actually (I believe) came from DAEMON Tools Lite
    All seems ok now, but if you do not use this program any longer, please uninstall it.

    Can I ask why you use "F-Secure" Antivirus?
    It is not one of the big players in the world (although been around for years) I don't feel that it has protected you this time
    If "F-Secure" Antivirus is nearing the end of its subscription (paid service) I would suggest uninstalling it, and updating to a better (IMO) Antivirus, such as the one I use (and have used for a long time), Free Avira Antivirus (oh and it's free ;))

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    • Any popup errors about Antivirus just ok or close
    Note: 1 space after ComboFix in that uninstall command


    Remove old System Restore Points

    • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
    • In the left pane, click System protection. Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.
    • Under Protection Settings, click the disk, and then click Configure.
    • Click Turn off system protection, click OK, and then click OK again.
    Then turn it back on again.


    Restart, and let me know how its performing
     
Topic Status:
Not open for further replies.
