Author Topic: Domain Admin Virus?

compfix33

  • Guest
Domain Admin Virus?
« on: August 21, 2009, 02:51:22 PM »
I am locked out of my Task Manager; it says it has been disabled by my administrator. System Restore gave me a similar message, so I'm locked out of everything. I installed Avast and let it do its thing. It found a lot of things, i.e. (Neredr, Vitro, Fraudo, Hitagh, some Agent, etc.). I am just now becoming aware of virus protection, so I am very behind on protection and defense. While the virus was in full force it was always wanting me to go to a specific website that sold virus-remover-2009, but it looked suspicious. The virus also caused popups and a desktop background image of the words "youve been infected". I looked in my remote connection and found some name I didn't recognize. Also there is always a popup message that says "Error transfering file from FTP Server". So like I said, I installed Avast; I did a boot scan and it found what it could. It seems to have gotten rid of the popup messages (other than "Error transfering file from FTP Server"). But here is the current situation. When I start my comp up, the My Documents window is always open automatically. The internet is not working anymore. And I still get the FTP failed-to-transfer popup message. Oh, and I'm still locked out of Task Manager and System Restore. If anyone could just give me any advice on how to regain control of all the functions I'm locked out of, and put a name (best guess) to what virus this is.

*Real quick: I deleted some of the infected files I found, but now I'm seeing a lot of people say to only move to chest. Am I doing anything wrong by having deleted the infected files?
*Avast (while scanning) found a file named avastantivirus.exe and wanted to delete or move it. I thought that was odd, so I skipped it. Then everything acted weird (I was locked out of my start menu, etc.), so in safe mode I ran Avast and told it to handle the avastantivirus.exe, and it seemed to change things for the better.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Domain Admin Virus?
« Reply #1 on: August 21, 2009, 04:50:05 PM »
Hi,
"avastantivirus.exe" is not from the Avast! installation -- you can delete it with no fear.

Task Manager can be disabled in the registry: "HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", Value=1,
so set the value to 0.
If the regedit tool is also disabled ("HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", Value=1), a solution can be found here: http://www.pcreview.co.uk/forums/thread-1713099.php

Also check (and delete) keys in
"HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\": subkeys with the value "Debugger" set to e.g. "ntsd -d" (except the key "Your Image File Name Here without a path").

EDIT:
If you can't run regedit.exe after you set "HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" to value 0, then it could be caused by "HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe", so you can rename/copy regedit.exe to another name, e.g. re.exe, and try to run that one.
« Last Edit: August 23, 2009, 08:57:52 AM by Milos »
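The checks Milos lists above (the DisableTaskMgr and DisableRegistryTools policy values in both hives, and IFEO subkeys carrying a "Debugger" value) can be audited in one pass. The script below is an added example written for this thread; it is not from the original post or from Avast. It assumes an elevated PowerShell session on the affected machine (safe mode is fine) and the registry paths exactly as Milos wrote them, including his HKCU variant of the IFEO key. It only reports by default when run with -WhatIf; without -WhatIf it asks before each change via ShouldProcess.

```powershell
# Added example (not part of the original post): audit and repair the policy
# values and IFEO "Debugger" hijacks described in the reply above.
# Assumptions: run elevated on Windows; paths taken from Milos' post.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Both hives, as the post says "HKLM(HKCU)".
$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($name in $policyValues) {
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $current -and $current -ne 0) {
            Write-Host "LOCKED: $path\$name = $current"
            if ($PSCmdlet.ShouldProcess("$path\$name", 'Set value to 0')) {
                Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
            }
        }
    }
}

# IFEO: a subkey named after an executable whose "Debugger" value is set makes
# Windows launch that "debugger" instead of the program (the post's "ntsd -d"
# example). The placeholder subkey is the only one the post says to ignore.
$placeholder = 'Your Image File Name Here without a path'
$ifeoPaths = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

foreach ($ifeo in $ifeoPaths) {
    if (-not (Test-Path $ifeo)) { continue }
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $sub = $_
        if ($sub.PSChildName -eq $placeholder) { return }
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if (-not [string]::IsNullOrWhiteSpace($dbg)) {
            Write-Host "IFEO: $($sub.PSChildName) -> Debugger = '$dbg'"
            if ($PSCmdlet.ShouldProcess($sub.PSPath, 'Remove Debugger value')) {
                Remove-ItemProperty -Path $sub.PSPath -Name 'Debugger'
            }
        }
    }
}
```

Run it first as `.\ifeo-audit.ps1 -WhatIf` to see what it would change. Legitimate software (developer debuggers, for instance) can also register IFEO Debugger entries, which is why the script prompts per entry instead of deleting everything it finds; an entry pointing regedit.exe, taskmgr.exe or an antivirus executable at something like "ntsd -d" is the pattern the reply above is describing.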

CharleyO

  • Guest
Re: Domain Admin Virus?
« Reply #2 on: August 22, 2009, 12:50:21 AM »
***

In addition to what Milos instructed you to do, I suggest you also run malwarebytes antimalware after the completion of Milos' instructions. Download it, install it, update it, and then run a quick scan. Download the free version at the link below :

http://www.malwarebytes.org/mbam.php


You appear to have a rogue av program :

http://www.threatexpert.com/report.aspx?md5=20f00b692479d17f34811c6f84e61ef2

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FCbeplay.gen!A


***
« Last Edit: August 22, 2009, 12:52:14 AM by CharleyO »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Domain Admin Virus?
« Reply #3 on: August 22, 2009, 11:29:29 AM »
Vitro was there? Not a good sign (it usually leads to format + reinstall)... Neredr is a dropper of the Rustock rootkit (also a heavyweight one). You seem to have got a hard hit on your PC, and it is really difficult to disinfect anything post-mortem when no AV was installed before...

avast5

  • Guest
Re: Domain Admin Virus?
« Reply #4 on: August 22, 2009, 11:52:54 AM »
Hello

Can you post a HijackThis log?

Thank you

John2009

  • Guest
Re: Domain Admin Virus?
« Reply #5 on: August 22, 2009, 04:41:05 PM »
If you have Vitro, prepare for the fight of your life!

compfix33

  • Guest
Re: Domain Admin Virus?
« Reply #6 on: August 22, 2009, 11:18:25 PM »
Thanks for everyone's feedback. I'm going to try some of these instructions. I'll return with more info.