Please Help Me Out
Unhappy User
August 13th, 2003, 03:13 AM
Well, I ran and used TDS-3. It worked at removing the trojan I had, I think. The thing is, when I was deleting registry keys and the launcher, I didn't look too hard. I don't know if I deleted something essential, but when I restarted I was unable to run any programs other than Explorer, Internet Explorer, and Notepad. What is wrong, and what can I do?
Jooske
August 13th, 2003, 03:23 AM
Hi Unhappy User, and welcome.
Do you remember which nasty you removed?
Do you remember which keys you deleted?
Are you running XP with the option of System Restore enabled so you could go back to a former restore point?
Normally before editing the registry we are advised to make a copy of it first and to look very carefully at what we change...
I'm sure somebody is able to tell the name of the registry file; it was posted somewhere in this forum once, and whether there might be anything to do with that, as Windows so often makes copies of everything everywhere in the hidden...
Unhappy User
August 13th, 2003, 03:34 AM
Yeah, it was Optix. I got it because I went on gamesnet and that day they were infected. Now I did a system restore and I can run programs, so I am writing this from Mozilla. Well, I'm not sure if I got rid of the trojan though, but I did system restore to two days ago and got my programs working. Does system restoring to before you got the trojan do anything?
Thank you for your very quick response it is extremely kind of you to help like that.
Unhappy User
August 13th, 2003, 03:35 AM
Oh yeah, just so you know, I figured out that you can run any program using just the command prompt, ghetto DOS style, and that's how I got System Restore to work; earlier that didn't work either.
Jooske
August 13th, 2003, 04:08 AM
Make sure you update the TDS database and do a full system scan with everything checked and on highest sensitivity!
Glad you are back this far already!
It makes mods and other users around always extremely happy to have another member of the internet community back on trail of course!
System restore should bring you back to the clean situation if you know when it happened and it should also bring the registry back to that situation.
Mr.Blaze
August 13th, 2003, 04:10 AM
I remember I had to do that, lol, use a boot disk to get into System Restore; sucked, real old school.
Well, I suggest you do a scan again and this time don't go deleting registry keys, don't delete the trojan.
Click on Notepad or whatever method of dump or copy and paste for getting the text report,
then come back here and post what it is and you will get instructions on how to fix your PC and get rid of the trojan.
Gavin - DiamondCS
August 13th, 2003, 04:46 AM
Can you run this?
http://www.diamondcs.com.au/cleanrun.reg
Click yes to import; does this fix it? :)
Jooske
August 13th, 2003, 04:51 AM
What registry tool is that, Gavin? For all systems or only some, and for all situations?
Fortunately Unhappy User was able to get back to the restore point before the infection, but I always want to be at least 500% sure or more! :)
Unhappy User
August 13th, 2003, 05:07 PM
OK, here is the deal: after the system restore to two days before, everything I had installed before that was deleted, including TDS-3; everything seems to be back to normal, which is good. I just am not sure if I am still infected by Optix, but I am also not sure if I should install and run TDS-3 again.
Pilli
August 13th, 2003, 05:16 PM
Unhappy User, you have nothing to lose by running it again as Jooske suggested; to be certain you could also run a couple of the online scans. ;D
Unhappy User
August 13th, 2003, 05:20 PM
Okay, I guess you're right, I'll install and run it again. If it doesn't solve all my problems I'll post again in like 5 or 6 hours. Like I said earlier, you guys post like 10 minutes after I do; you guys are AMAZING.
Pilli
August 13th, 2003, 05:23 PM
Thanks for the compliment. DCS is renowned for its product support.
Good luck with your efforts.
Dan Perez
August 13th, 2003, 05:24 PM
Hi UnhappyUser,
I would recommend that you do reload TDS, update defs, set to highest sensitivity and rescan. It may be that with the System Restore (in addition to the other manual changes you made previously) the Optix components are no longer active, but given that you did have it recently I think it is best to be sure. Also, there is a good possibility that some components are still present though not invoked on startup.
If you are at all unsure what to do if TDS finds something, please don't hesitate to post what you find here and someone will guide you.
Also, given the origin of the beast (the gaming environment you were in) you might want to consider downloading and trialing DCS's Port Explorer, which will show you all active connections and all listening ports on your system and associate them with the executable owning the socket. Also, you can set it to spy on any socket so you can determine what sort of data is being exchanged over it.
Regards,
Dan
{late edit - LOL , while I was phrasing my response you folks were already chatting back and forth}
Unhappy User
August 13th, 2003, 09:25 PM
OK, when I ran the scan it came up with 3 positive identifications: Optix Pro 1.2a, DDoS.RAT.k0wbot 1.2, Keylog Nuclear 1.1 (UPX). And then it had 2 RegVal traces: RAT.k0wbot, and RAT.k0wbot. Those were the two I deleted earlier when my computer screwed up. They are under Software\Microsoft\Windows\CurrentVersion\Run [Windows Explorer Update Build 1142=explorer32.exe. And Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Explorer Update Build 1142=explorer32. Respectively. What should I do???
Dan Perez
August 13th, 2003, 09:41 PM
Okay,
I am a bit unclear on what you did with the registry previously.
Did you just delete these two entries and nothing else?
Also, is the explorer32.exe process running?
If it is, you should try to stop the process via the
System Analysis -> Process List applet
or
System Analysis -> Services & Drivers -> Services & Driver Explorer
Once this is done you might try removing those two regtraces. And the files noted in the TDS output.
Unhappy User
August 13th, 2003, 10:03 PM
System Analysis????
Unhappy User
August 13th, 2003, 10:30 PM
How do I get to system analysis? Also, the regkeys I deleted last time were the ones I listed in the post before, under HKEY_LOCAL_MACHINE.
Ok, I'm gonna wait for an answer on this, then I will do what you guys tell me to do. Thanks for the help guys, keep it comin'!
DolfTraanberg
August 13th, 2003, 10:55 PM
This one:
Unhappy User
August 13th, 2003, 10:57 PM
thanks a lot!
Unhappy User
August 13th, 2003, 11:24 PM
OK, I killed the processes, then I deleted the first two trojans I mentioned; I didn't delete the reg keys because I wasn't sure about it. I also didn't delete the third one because I didn't see the process it ran on in the list, so I didn't know if it was running or not. I would do more, but I am gonna be gone for 1-2 days; please tell me anything you think will help before 7:30 tomorrow.
DolfTraanberg
August 13th, 2003, 11:37 PM
Modifying the registry should be done with great care, so no advice on this one now from my side.
However, if you run a full system scan and all executables are gone, you shouldn't worry for now.
Dolf
Dan Perez
August 13th, 2003, 11:38 PM
You might want to reboot the system to see if you get any errors or problems. Also, just in case, you should download (if you haven't already) the reg script that Gavin posted earlier in the thread. If you have issues running programs after the reboot, double-click on that reg file and see if that makes the problem go away. Removing those reg keys in themselves will not cause any problems, as they are just the means by which the trojan was automatically starting.
Hmmm, if you want to be extra careful on the reg mod you might try to download and run DCS's AutostartViewer from
http://www.diamondcs.com.au/downloads/asviewer.zip
Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.
Gavin - DiamondCS
August 13th, 2003, 11:57 PM
If Optix Pro has been installed, and they chose the EXE file association method, then your EXE files will no longer run; they are looking for the TROJAN file.
The registry fix I posted should fix the only problem I can see - if you delete the registry entries mentioned nothing bad will happen (delete them from Autostart Explorer and make sure they don't come back).
The registry patch fixes (among other associations)
HKEY_CLASSES_ROOT\exefile\shell\open\command
back to "%1" %*
Instead of "%1" trojan.exe
Have you run this yet? It should fix any problems running files; it wasn't TDS that caused the problem, it was the LACK of the trojan..
http://www.diamondcs.com.au/cleanrun.reg
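The two registry artefacts this thread keeps coming back to, the exefile association pointing at `"%1" trojan.exe` instead of `"%1" %*`, and the Run/RunServices values launching explorer32.exe that TDS reported, can both be checked offline from a regedit export before anything is changed. The Python below is an added example, not DCS's cleanrun.reg or any code from the thread: it parses a constructed .reg export (the sample is made up to mirror what the posts describe), reports an association command that deviates from the clean default, reports autostart entries that launch a named image, and writes a .reg fragment that restores the association. The comfile and batfile keys, the `ExampleAgent` entry and the `trojan.exe` name are assumptions for illustration; the page only names exefile.

```python
import re

# Clean "open" commands for the shell-association keys. The exefile key and its
# clean value "%1" %* are quoted in the thread; comfile and batfile are an
# assumption about which other associations such a fix would also cover.
EXPECTED_OPEN_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}
# Autostart locations where TDS reported the RegVal traces in the thread.
AUTOSTART_SUFFIXES = (r"\Software\Microsoft\Windows\CurrentVersion\Run",
                      r"\Software\Microsoft\Windows\CurrentVersion\RunServices")

# Constructed sample export (not from the thread): exefile hijacked the way the
# post describes, two autostart entries like the traces TDS reported, and one
# benign (made-up) entry to show it is not flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" trojan.exe"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"Windows Explorer Update Build 1142"="explorer32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer Update Build 1142"="explorer32.exe"
'''

# A name=data line: the name is @ (the key's default value) or a quoted string.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):  # .reg strings escape only backslash and double quote
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Parse a regedit export (REGEDIT4 or 'Windows Registry Editor Version 5.00')
    into {key path: {value name: data}}. Only quoted REG_SZ data is kept; hex:
    and dword: values are skipped because the checks only need command strings."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue  # file header, or a value type this parser does not handle
        name_tok, data = m.group(1), m.group(2)
        name = "(Default)" if name_tok == "@" else _unescape(name_tok[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            tree[current][name] = _unescape(data[1:-1])
    return tree


def check_open_commands(tree):
    """Return (key, actual command) for association keys whose default value is
    not the clean "%1" %*. With such a hijack every launched program is routed
    through another executable, so deleting that executable breaks launching
    altogether, which is the symptom the thread describes."""
    findings = []
    for path, values in tree.items():
        for key, expected in EXPECTED_OPEN_COMMANDS.items():
            actual = values.get("(Default)")
            if path.lower() == key.lower() and actual is not None \
                    and actual.strip().lower() != expected.lower():
                findings.append((key, actual))
    return findings


def _launches(cmd, image):
    # the image file name as a whole token, with or without a path or quotes
    pat = r'(?:^|[\\/"\s])' + re.escape(image) + r'(?=$|["\s])'
    return re.search(pat, cmd, re.IGNORECASE) is not None


def check_autostart(tree, image_names):
    """Return (key, value name, command) for Run/RunServices entries that launch
    one of the given image file names (e.g. the explorer32.exe TDS reported)."""
    findings = []
    for path, values in tree.items():
        if any(path.lower().endswith(s.lower()) for s in AUTOSTART_SUFFIXES):
            for name, cmd in values.items():
                if any(_launches(cmd, img) for img in image_names):
                    findings.append((path, name, cmd))
    return findings


def build_association_fix(findings):
    """Emit .reg text restoring each reported association key to its clean value.
    Same shape of fix as the thread's cleanrun.reg, but built here; it is not
    that file's contents."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _actual in findings:
        lines += [f"[{key}]", f'@="{_escape(EXPECTED_OPEN_COMMANDS[key])}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_reg_export(SAMPLE_EXPORT)
    hijacked = check_open_commands(tree)
    for key, actual in hijacked:
        print(f"HIJACKED  {key} = {actual!r}")
    for key, name, cmd in check_autostart(tree, ["explorer32.exe"]):
        print(f"AUTOSTART {key} [{name}] = {cmd!r}")
    print(build_association_fix(hijacked))
```

Run against the sample, the script flags only the exefile command and the two "Windows Explorer Update Build 1142" values, and the generated fragment contains just `@="\"%1\" %*"` for the exefile key. The ordering matters in the same way the thread explains: restore the association first, then remove the autostart values and the file, because once the association is clean a missing explorer32.exe no longer stops every other program from starting.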
Jooske
August 14th, 2003, 01:22 AM
When the system is really clean and as you are comfortable with it, make a new restore point manually.
Normally I would suggest disabling System Restore, rebooting, enabling it again and making the manual restore point, so that with the deletion of all the other restore points the infection should be gone too.
In this case I wonder what is best: would there not be any risk of losing the current happy and clean situation if the disable/reboot/enable/new restore point procedure is done now?
Unhappy User
August 14th, 2003, 06:46 AM
OK, the reg keys were still there but the trojan was deleted. I will worry about the keys and the keylogger when I get back. Thanks a lot; like I said, 1-2 days.
Gavin - DiamondCS
August 14th, 2003, 11:47 PM
I still don't know if you ran the cleanrun.reg???
Mr.Blaze
August 15th, 2003, 03:40 AM
:D Can I run it? I'm on Win ME lol
I like new toys, or would it hurt my PC since there's nothing wrong with it?
Dan Perez
August 15th, 2003, 01:39 PM
Hey Mr. Blaze,
The cleanrun.reg script is meant only to restore the proper values for three registry keys (that is, set the system to only execute the file double-clicked or invoked from the command line rather than that file in addition to whatever trojan modified those keys). So there is no point in running it unless you have a similar infestation on your system :o
:)
Unhappy User
August 20th, 2003, 05:21 PM
OK, I'm back. I want to know more about that reg cleaning thing. Is it absolutely safe to run? I've installed some important stuff that I don't want to lose if I system restore.
DolfTraanberg
August 20th, 2003, 05:38 PM
It's safe
Dolf
Unhappy User
August 21st, 2003, 12:19 PM
I ran the cleanrun.reg, but after I scanned again, TDS found the same registry entries. Do I need to restart?
Dan Perez
August 21st, 2003, 12:27 PM
Hi,
The cleanreg script returns three reg keys back to normal but does not address the reg traces that TDS finds; you should delete them from TDS (if they have that as an option) or manually. [I'm sorry I can't guide you specifically, as I have never had a live trojan on my system thanks to TDS.] The purpose of the cleanreg script was to alleviate the problem you had the first time around when the trojan registry traces (as revealed in TDS) were removed (i.e. it was to address the problem you had running other files after that bootup).
HTH,
Dan
Unhappy User
August 21st, 2003, 01:09 PM
Could you rephrase that? I don't understand. Do you want me to delete the traces or do something else completely?
Dan Perez
August 21st, 2003, 01:17 PM
Oh, sorry!
What I meant was, once you scan with TDS and see the reg traces shown, try right-clicking on the entries to see if it allows you to remove them that way. If that is an option, do it and then reboot. If that is not an option, note the registry values and use regedit to remove the respective entries (if you are removing them manually you should consider backing up the registry before doing so).
HTH,
Dan
Unhappy User
August 22nd, 2003, 12:42 AM
OK, I get it. But I'll do it tomorrow. One thing: I stopped winupdate and deleted the keylogger, but then when I restarted the computer, winupdate didn't run.
Gavin - DiamondCS
August 22nd, 2003, 03:09 AM
Make sure the entries are being deleted.. Open Autostart Explorer and delete them manually, then refresh it after a few seconds and make sure they are GONE. Hopefully they get deleted correctly then..
After running cleanrun.reg you should now be able to run all your EXE files again? ;D
Copyright ©2002 - 2012, Wilders Security Forums