Author Topic: Infected! (Read 3064 times)

dfhansen · « **on:** October 07, 2009, 11:46:10 AM »

Hi there,

I appear to have a virus which replicates via USB sticks. It activates the process recycld.exe and installs an autorun on the USB to infect new computers. It also deactivates task manager and acess to the registry! I have tried multiple virus scanners (including avast) in both normal and safe mode, but none of them seem to find it... Avast on another computer stopped it being infected, but it wont seem to remove the infection from this machine.

Please help as i have no idea what to try next!

Thanks

Milos · « **Reply #1 on:** October 07, 2009, 12:19:47 PM »

Hi,
it may be caused by some registry values.
Try to run "regedit" and check keys listed below.

If the regedit tool is also disabled, maybe "HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", Value=1, solution can be found here: http://www.pcreview.co.uk/forums/thread-1713099.php

If you can't run regedit.exe after you set "HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" to value 0, then it could be caused by "HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe", so you can rename/copy regedit.exe to another name i.e. re.exe and try to run this one.

Task manager can be disabled by:
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr, if the value is set to 1.

Maybe some application blocks others:
If regedit is succesfully launched then check this keys (HKLM=HKEY_LOCAL_MACHINE, HKCU=HKEY_CURRENT_USER):
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
(subkeys with key "Debugger" set to i.e. "ntsd -d" (except key "Your Image File Name Here without a path")).

Also check startup folder in start menu (i.e. C:\Documents and Settings\ for WinXP):
<start_menu>\All Users\Start Menu\Programs\Startup
<start_menu>\<loginName>\Start Menu\Programs\Startup

If you find some files, that links from registry keys listed above, or the "recycld.exe", please send it to virus@avast.com to improve protection.

Milos

nmb · « **Reply #2 on:** October 07, 2009, 08:32:46 PM »

found this tool : http://www.raymond.cc/blog/archives/2009/09/06/re-enable-brings-back-run-task-manager-regedit-cmd-folder-options-and-system-restore/

two versions are available : 1. if you have already installed .net, download app without .net
2. if you don't, no need to install .net, just download the app with .net . as explained in the blog

see if it can help.

come back.

nmb

scythe944 · « **Reply #3 on:** October 07, 2009, 09:10:48 PM »

I've had Malware Bytes fix problems like this, have you given it a try?

Shubham · « **Reply #4 on:** October 11, 2009, 09:07:42 PM »

Please make sure that the setup u used to install Avast is fine

Author Topic: Infected! (Read 3064 times)

dfhansen

Infected!

Milos

Re: Infected!

nmb

Re: Infected!

scythe944

Re: Infected!

Shubham

Re: Infected!