NEED SERIOUS PC HELP PLEASE

Discussion in 'malware problems & news' started by WhiteShadow., Feb 3, 2005.

Thread Status:
Not open for further replies.
  1. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    I'm not good with computers or anything but I know the basics, so here's my story.
    In an attempt to open a file on my desktop (specifically a maphack program that works with Diablo2, an online game. The maphack itself is harmless even in the game) a message came up saying the mother file is a hidden file in my System32 folder and it may be a trojan; this had never happened before. I went in to see it was a .exe file, can't remember the name but it started with 'M' and looked like random letters. After I deleted it no files on my computer would open. I restarted my computer, NOTHING CAME UP.
    I cannot open any file, or run command prompt or anything, and when my computer starts up there's nothing but a black screen and mouse cursor. I can use Ctrl+Alt+Delete and it doesn't look like any unusual programs are running.

    I tried safe mode, and starting from "last known settings that worked" in the Windows XP 'F8' command during startup and they didn't make any difference.
    This is what I know about the file: It was created on my computer January 24th. The only things I downloaded/installed since then were P2P file sharing programs, specifically Kazaa, Grokster, and Morpheus.
    EVERYTHING ON MY COMPUTER WORKED FINE UNTIL I DELETED THE FILE FROM MY SYSTEM32 FOLDER.
    I'm sending this from a friend's computer and will check the thread at least daily.
    If anybody could give me any advice or help I'd appreciate it a lot, Thanks.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi WhiteShadow. :)

    Welcome to Wilders.

    Can u get to your Start Menu?

    If so, u might want to run System File Checker.

    To do this, go to the Run box on the Start Menu and type in: sfc /scannow.



    snowbound
     
  3. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    I can't get to the Start Menu, my taskbar doesn't show up on startup, and my Windows key doesn't do anything.
    Also I dunno if I'll be able to run anything because I use Task Manager from Ctrl+Alt+Delete and choose "Run..." and try to open command prompt or run files and it won't let me open ANYTHING it seems.
    What a pickle I'm in. :oops:


    WHENEVER I TRY TO RUN SOMETHING I GET A MESSAGE TELLING ME MY COMPUTER CANNOT FIND THE FILE EVEN THOUGH I'M POSITIVE THEY EXIST.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Can u tell us exactly what file(s) the message says are missing?



    snowbound
     
  5. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    Any file I try to open. If I were to try and run CMD to open command prompt it would say 'cmd' does not exist, even though it does. When I tried to run sfc /scannow it said 'sfc' does not exist.
    Whenever I try to open or run anything it tells me it doesn't exist.
    I know it didn't clear my hard drive or anything because when it first happened, before I restarted, I had windows open and was trying to open things like Winamp by clicking on them and it kept telling me it didn't exist.
    I can't open any windows or anything now because when I start my computer, whether it's in safe mode or whatever, all I get is a black screen and my mouse cursor.
     
  6. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Something I would recommend (because I had to do it recently with my XP home box) is use a Win98 boot disk and do your file manipulation via DOS. If you are unfamiliar with any of this, then I apologize if I confused you any more....just a suggestion.

    Good Luck! :)
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    How about when you provide complete path information, for example use C:\WINDOWS\SYSTEM32\CMD.EXE instead of cmd, does that work?

    Blue
     
  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, depending on which versions you have, the P2P programs Kazaa, Grokster & Morpheus come with Adware/Trojans.

    If you cannot get to System Restore, boot to your Windows XP CD (change the boot process from the BIOS); from there you can choose to repair the Windows installation. This should work with no file loss, it only replaces the OS on top of the previous one. You will need to get the Windows updates again though.


    Basically:

    1. Place the XP CD in the CD drive

    2. Restart and enter the BIOS (usually by pressing Delete or F8 during bootup)

    3. Change the order of the boot sequence; it will currently be your hard drive.

    4. You will now boot to the XP setup page, choose REPAIR

    5. Follow the Windows prompts till completion.

    6. When it's finished you need to restart and change the boot back to the hard drive.
     
  9. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    Thanks Sweetie that sounds good, I didn't know you could reload your operating system or whatever without reformatting the hard drive. Only thing is I'm at school right now, it'll be a few days before I can get my disks and such, but I will give it a try as soon as I can.
    Hopefully that will work but until then I'm open to any other suggestions anybody might have.
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Try this.

    ctrl-alt-del
    task manager
    new task
    type "explorer.exe" without the quotes
    does that give you windows explorer? You can browse folders?

    Thanks,

    Chris
     
  11. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    As someone who has dabbled in file sharing I can tell you that you need a really tight system to fileshare and not get burned. Not only are there a lot of dropper trojans piggybacking with normal files, there are entire strains of viruses that are specific to P2P. They actually choose to spread as part of the shared files on people's systems. You think you are downloading an mp3 or an application, but it is a virus. It is very difficult for most antivirus software to detect. Not only is it encrypted by the archiving process, it is encrypted and sent piecemeal as file "hash" by the P2P clients. Filesharing almost guarantees that malware gets on your computer so you need an antivirus that is very aggressive, with a high detection rate. (I recommend NOD32).

    It sounds like you might have been duped (or panicked) into deleting a needed system file. Since you don't remember the name, we can't really say for sure. It is also possible that what you thought was caused by deleting the file was really just the delivery of a virus payload. Repairing Windows might be your only option, but if there is any way to run your antivirus that would be best. Can you run your anti-virus from safe mode? You could also try entering "safe mode with networking" and try to perform an offsite scan, such as Trend Micro or BitDefender. The last option assumes that you can somehow navigate well enough to open Internet Explorer and establish a connection. What file system are you on? I know you said that you are using XP, do you know if it is NTFS or Fat32? (Either would rule out a Win95 boot disk). If you can boot off the WinXP CD, you should be able to navigate normally (I think). You might need to enter BIOS and make your CD bootable.
     
    Last edited: Feb 4, 2005
  12. Hi,

    I have an idea what's happened.
    The Trojan/Virus changed the file extensions exe, com, pif, bat to its file.
    When you deleted the virus file, Windows could no longer execute files.
    If you run regedit you will see in the key:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    Default Value="%1" %*
    The virus changed it to something like this:
    Default Value="mother****er.exe %1" %*

    You need to get access to the registry.
    This simple reg file can resolve your problem.
    fixexe.reg:
    REGEDIT4

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"

    [HKEY_CLASSES_ROOT\exefile]

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    Try to run it from Task Manager.

    If it will not work, please, let me know:
    ateam@greatis.com

    Dmitry
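The check behind Dmitry's explanation, written out as an added example (this is not code from the thread, from greatis.com or from any of the tools linked here): a small parser for the REGEDIT4 / "Windows Registry Editor Version 5.00" text format that reads an exported .reg file and reports whether the .exe association still launches the target program directly, or whether another program has been interposed in exefile\shell\open\command. The function names parse_reg and check_exe_association, the two sample inputs and the program name hijacker.exe are all constructed for this example; the clean sample is Dmitry's fixexe.reg as posted.

```python
"""Offline check of the .exe file-association keys in a .reg export.

Added example, not code from this thread.  It reads the REGEDIT4 and
"Windows Registry Editor Version 5.00" text formats and inspects the two
keys Dmitry's post names: HKEY_CLASSES_ROOT\\.exe and
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command.
"""
import re

# Clean default value of exefile\shell\open\command: the target itself,
# quoted, followed by the remaining arguments.  A hijack puts another
# program in front of "%1", so every .exe launch runs through it first.
CLEAN_OPEN_COMMAND = '"%1" %*'
EXT_KEY = r"HKEY_CLASSES_ROOT\.exe"
CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

_KEY_RE = re.compile(r"\[(.+)\]")
# name=data, where name is @ (the default value) or a quoted string
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unescape(s):
    """Undo .reg string escaping (backslash-quote and backslash-backslash)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key path: {value name: data}}.

    Quoted string data is unescaped; other data (hex:..., dword:...) is kept
    verbatim.  The default value of a key is stored under the name "@".
    Comment lines (;) and the header line are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        key_match = _KEY_RE.fullmatch(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.fullmatch(line)
        if current is None or not value_match:
            continue
        name, data = value_match.groups()
        name = "@" if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_exe_association(keys):
    """Return a list of findings; an empty list means the keys look clean."""
    findings = []
    ext = keys.get(EXT_KEY, {}).get("@")
    if ext != "exefile":
        findings.append(f".exe maps to {ext!r}, expected 'exefile'")
    cmd = keys.get(CMD_KEY, {}).get("@")
    if cmd is None:
        findings.append("exefile\\shell\\open\\command has no default value")
    elif cmd != CLEAN_OPEN_COMMAND:
        findings.append(
            f"exefile\\shell\\open\\command is {cmd!r}: "
            "another program is interposed before %1, every .exe launch goes through it")
    return findings


# Constructed samples.  The first is Dmitry's fix file from the thread; the
# second models the hijack his post describes, with a placeholder program name.
FIXEXE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

HIJACKED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\hijacker.exe \"%1\" %*"
'''


if __name__ == "__main__":
    for label, text in (("fixexe.reg", FIXEXE_REG), ("hijacked export", HIJACKED_REG)):
        findings = check_exe_association(parse_reg(text))
        print(f"{label}: {'clean' if not findings else 'SUSPICIOUS'}")
        for finding in findings:
            print("  -", finding)
```

On a live machine the same text can be produced with reg.exe (`reg export HKCR\exefile exefile.reg`, and likewise for `HKCR\.exe`), then fed to parse_reg; exports from XP onward are usually UTF-16, so open them with encoding="utf-16". The check deliberately compares against the exact clean string rather than looking for known bad names, so any interposed program is reported, whatever it is called.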
     
  13. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've recently given two links about free tools which could help to eradicate some malware.

    ***UnHookExec: to reset the shell\open\command registry keys:

    Just tell a friend to download the tool on a floppy disk and follow the instructions (you can print the page, for instance):

    http://securityresponse.symantec.co....to.reset.shellopencommand.registry.keys.html


    ***If it's difficult to get into safe mode: Toggle Mode utility (you can also print the page and follow the instructions):

    http://www.invircible.com/item/80

    I hope it could help...

    Regards
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I do recommend following Dmitry's advice first and foremost!

    regards,

    paul
     
  15. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    HI!
    I've tried Dmitry's advice:

    "You need to get access to the registry.
    The simple reg file can resolve your problem.
    fixexe.reg:
    REGEDIT4

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"

    [HKEY_CLASSES_ROOT\exefile]

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    Try to run it from Task Manager."

    I tried to run Fixexe.reg from the Run command on Task Manager and I got the usual "Windows cannot find" error. Then I tried running "fixexe.reg:regedit4" and I got a new error, it tells me "The Parameter is Incorrect."
    Am I doing it wrong?
    I had all my disks that came with my computer sent here, I'll have them Saturday morning, so I can try to repair my OS like Sweetie(*)(*) suggested, if all else fails.
    At this point reformatting and reloading the OS is a last resort that I hope I don't have to do because there's a lot of important information I'm hoping to save, but I think after it's all over I'll get an external hard drive to back up important data and reformat anyway and try not to get burned again.

    As far as kareldjag's advice, I don't think I can do it unless I'm not understanding the instructions correctly. I can easily get the file but the directions tell me to install it or whatever and I don't know how I can do that when any time I try to open a file on my computer I'm getting an error that Windows cannot find it even when it's most certainly there. And when I turn on my computer I get nothing but a black screen and a cursor and all I can do is look at Task Manager.
     
  16. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I think you need to create the regfile. If you have access to another PC with floppy drive you can (using Dmitry's regfile):

    open notepad
    copy this and paste into notepad

    -----------------copy below here---------------------
    REGEDIT4

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"

    [HKEY_CLASSES_ROOT\exefile]

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    -----------------copy above here---------------------

    Save as fixexe.reg
    save to floppy
    put floppy in your pc hit ctrl-alt-del -->task manager-->new task and browse to floppy and double click on the fixexe.reg file and hit 'OK'

    Let us know how it goes,

    Chris
     
    Last edited: Feb 4, 2005
  17. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Well...if none of these methods works, it means that it's a licentious virus/trojan.

    But in any case, stay optimistic and wait before reformatting.
    There are always solutions against malware...

    ***To reactivate the Task Manager, you can download one of these vbs files
    It will logically work:

    *1*http://perso.wanadoo.fr/doc.jm/bin/VirusBdRRepair.vbs (right click)

    *2*http://www.kellys-korner-xp.com/regs_edits/regtmcmdrestore.vbs (direct download)

    ***Other solution: for the exe ability:

    *save/download this vbs file: http://kiwin.free.fr/stockreg/execut.reg
    *Put it in the root of C:,
    *In DOS mode, type on the keyboard: C:\execut.reg
    *Restart the computer.

    Logically, you'll be able to execute files/applications.

    I'm not sure, but it's perhaps the Subwoofer backdoor:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subwoofer.html

    Good luck.

    Regards


     
  18. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    SUCCESS!!!....I think...

    Ok I made the file Fixexe.reg and used Task Manager to run it from the floppy drive. It asked if I wanted to add the file to the registry >yes> then it told me the file was successfully added to the registry. I restarted my computer. Nothing has changed.
    Then I tried the suggestion by kareldjag:
    "***Other solution: for the exe ability:

    *save/download this vbs file: http://kiwin.free.fr/stockreg/execut.reg
    *Put it in the root of C:,
    *In DOS mode, type on the keyboard: C:\execut.reg
    *Restart the computer.

    Logically, you'll be able to execute files/applications."

    SUCCESS!!!... I think.
    After I copied execut.reg to my registry, my computer started and my desktop appeared! I'm also able to open files now.


    One more request for help:
    I'd like to do a scan and clean my computer out of this wretched thing! Looking for advice on what scans to do/use and if anybody thinks I might run into any other problems down the road?
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Simply for posterity and later use in case kareldjag's reg file is not available someday....I have enclosed the contents of the execut.reg file:

    Code:
    REGEDIT4
    ; the header line above is required by regedit for a .reg file to import

    ; Follow the instructions on this page to use it:
    ; http://kiwin.free.fr/stockreg/execut.htm

    ; Edited by KiWin@free.fr

    [HKEY_CLASSES_ROOT\.exe]
    "Content Type"="application/x-msdownload"
    @="exefile"

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile]
    "EditFlags"=hex:d8,07,00,00
    @="Application"

    [HKEY_CLASSES_ROOT\exefile\shell]
    @=""

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    @=""
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Have a little pity for my tired eyes Bubba :D ;) .

    The most difficult part is done.

    WhiteShadow will find what he wants on this forum to check his computer and to eradicate this big Malware.


    Nice weekend

    Regards
     
  21. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39
    Re: SUCCESS!!!....I think...


    Great! Here's a page with a number of links:

    http://www.bluetack.co.uk/modules.php?name=Web_Links&l_op=viewlink&cid=9


    Free Online Scans: (most, if not all, require IE 5.x)

    McAfee: http://us.mcafee.com/root/mfs/default.asp (free, but requires registration).

    Symantec: http://tinyurl.com/4fp54

    Trend Micro: http://housecall.trendmicro.com/

    BitDefender: http://www.bitdefender.com/scan/licence.php (Some false positives, but a good scanner).


    If you want to try a new scanner you can do worse than NOD32 (30 day trial).
    http://www.nod32.com/home/home.htm


    Problems down the road? Not if you get rid of it and then come back for tips on tightening up your security.
     
    Last edited: Feb 4, 2005
  22. WhiteShadow.

    WhiteShadow. Registered Member

    Joined:
    Feb 3, 2005
    Posts:
    12
    NEW PROBLEMS FOR ME

    Alright my computer is in working order but I have a feeling the battle is far from over.
    I did an online scan at Symantec.com I believe, and it found about 100 trojan viruses on my computer, NOT GOOD.
    I'd rather not go through removal steps for each one individually so I tried running my computer's virus scan.
    I have McAfee home edition on my computer but every time I try to open it and scan it'll just chill for a sec and then close out completely and instantly.
    I need a scan that will detect and clean viruses, or advice on how to make my McAfee work?
    One thing I've noticed is that the file "msiexec16.exe" is running and shouldn't be; even when I end the process it pops up when I try to run McAfee again, then McAfee closes. Odd?
     
  23. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi WhiteShadow.,

    You can find more info here: msiexec16.exe and msiexec16.exe - Dangerous. If the process is visible in Task Manager, you should be able to terminate it and delete the executable. You can clean the registry entries later.

    Nick
     
  24. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    ***For cleaning the malware:

    Download Sysclean (sysclean package) and the latest database (follow the instructions on this page).
    Run it first in safe mode.

    http://www.trendmicro.com/download/dcs.asp

    ***For McAfee:
    *try the help support, or install it again.

    A little advice: read some sticky posts on this forum to get a strong defense before playing with P2P.

    Regards
     
  25. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I'd suggest doing the following: ( for tightening up your defenses ;) )



    download the trial version of tds-3 anti trojan from here:
    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
    install it, but do not launch it yet

    update it: right click the link below, select "save as"
    http://www.diamondcs.com.au/tds/radius.td3

    save it to the directory where you installed tds-3, overwriting the previous radius.td3.

    reboot into safe mode
    Starting your computer in Safe mode

    while in safe mode do a full system scan with tds-3:
    launch tds-3. in the top bar of tds window click system testing> full system scan.
    detections will appear in the lower pane of tds window. after the scan is finished ( it'll take a while ) right click the list> select save as txt. save it and post the contents of the scandump.txt here for us to see ( when in normal mode)

    After posting the scanlog go ahead and right click the list again, this time select delete! Delete everything labelled positive identification
     