Please Help Me Out

Discussion in 'Trojan Defence Suite' started by Unhappy User, Aug 13, 2003.

Thread Status:
Not open for further replies.
  1. Unhappy User

    Unhappy User Guest

    Well, I ran and used TDS-3. It worked at removing the trojan I had, I think. The thing is, when I was deleting registry keys and the launcher, I didn't look too hard. I don't know if I deleted something essential, but when I restarted I was unable to run any programs other than Explorer, Internet Explorer, and Notepad. What is wrong, and what can I do?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Unhappy User, and welcome.
    Do you remember which nasty you removed?
    Do you remember which keys you deleted?
    Are you running XP with the option of system restore enabled so you could go back to a former restore point?
    Normally before editing the registry we are advised to make a copy of it first and to look very carefully what we change.......
    I'm sure somebody is able to tell the name of the registry file, was ever posted somewhere in this forum and if there might be anything to do with that, as windows so often makes copies of everything everywhere in the hidden.......
     
  3. Unhappy User

    Unhappy User Guest

    Yea, it was Optix. I got it because I went on gamesnet and that day they were infected. Now I did a system restore and I can run programs, so I am writing this from Mozilla. Well, I'm not sure if I got rid of the trojan though, but I did system restore to two days ago and got my programs working. Does system restoring to before you got the trojan do anything?

    Thank you for your very quick response it is extremely kind of you to help like that.
     
  4. Unhappy User

    Unhappy User Guest

    Oh ya, just so you know, I figured out that you can run any program using just the command prompt, ghetto DOS style, and that's how I got system restore to work; earlier that didn't work either.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Make sure you update the TDS database and do a full system scan with everything checked and on highest sensitivity!
    Glad you are back this far already!
    It makes mods and other users around always extremely happy to have another member of the internet community back on trail of course!

    System restore should bring you back to the clean situation if you know when it happened and it should also bring the registry back to that situation.
     
  6. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    I remember I had to do that lol, use boot disk to get into system restore, sucked, real old school

    Well, I suggest you do a scan again and this time don't go deleting registry keys, don't delete the trojan

    click on notepad or whatever method of dump or copy or paste or getting the text report

    then come back here and post what it is and you will get instructions on how to fix your pc and get rid of the trojan
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Can you run this ?

    http://www.diamondcs.com.au/cleanrun.reg

    Click yes to import, does this fix it ? :)
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    What registry tool is that, Gavin? For all systems or only some, and for all situations?

    Fortunately Unhappy User was able to get back to before the infection restore but i always want to be at least 500% sure or more! :)
     
  9. Unhappy User

    Unhappy User Guest

    Ok, here is the deal: after the system restore to two days before, everything I had installed before that was deleted, including TDS-3. Everything seems to be back to normal, which is good. I just am not sure if I am still infected by Optix, but I am also not sure if I should install and run TDS-3 again.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Unhappy User, you have nothing to lose by running it again as Jooske suggested; to be certain you could also run a couple of the online scans. :D
     
  11. Unhappy User

    Unhappy User Guest

    Okay, I guess you're right, I'll install and run it again. If it doesn't solve all my problems I'll post again in like 5 or 6 hours. Like I said earlier, you guys post like 10 minutes after I do, you guys are AMAZING.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the compliment. DCS is renowned for its product support.
    Good luck with your efforts.
     
  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi UnhappyUser,

    I would recommend that you do reload TDS, update defs, set to highest sensitivity and rescan. It may be that with the SystemRestore (in addition to the other manual changes you made previously) the Optix components are no longer active, but given that you did have it recently I think it is best to be sure. Also, there is a good possibility that some components are still present though not invoked on startup.

    If you are at all unsure what to do if TDS finds something, please don't hesitate to post what you find here and someone will guide you.

    Also, given the origin of the beast (the gaming environment you were in) you might want to consider downloading and trialing DCS's Port Explorer, which will show you all active connections and all listening ports on your system and associate them with the executable owning the socket. Also, you can set it to spy on any socket so you can determine what sort of data is being exchanged over it.

    Regards,

    Dan

    {late edit - LOL , while I was phrasing my response you folks were already chatting back and forth}
     
  14. Unhappy User

    Unhappy User Guest

    Ok, when I ran the scan it came up with 3 positive identifications: Optix Pro 1.2a, DDoS.RAT.k0wbot 1.2, Keylog Nuclear 1.1 (UPX). And then it had 2 RegVal traces: RAT.k0wbot, and RAT.k0wbot. Those were the two I deleted earlier when my computer screwed up. They are under Software\Microsoft\Windows\CurrentVersion\Run [Windows Explorer Update Build 1142=explorer32.exe and Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Explorer Update Build 1142=explorer32, respectively. What should I do o_O
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay,

    I am a bit unclear on what you did with the registry previously.
    Did you just delete these two entries and nothing else?

    Also, is the explorer32.exe process running?

    if it is, you should try to stop the process via the

    System Analysis -> Process List applet

    or

    System Analysis -> Services & Drivers -> Services & Driver Explorer

    Once this is done you might try removing those two regtraces. And the files noted in the TDS output.
     
  16. Unhappy User

    Unhappy User Guest

    System Analysis o_O?
     
  17. Unhappy User

    Unhappy User Guest

    How do I get to system analysis? Also, the regkeys I deleted last time were the ones I listed in the post before, under HKEY_LOCAL_MACHINE.

    Ok, I'm gonna wait for an answer on this, then I will do what you guys tell me to do. Thanks for the help guys, keep it comin'!
     
  18. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    This one:
     

    Attached file: SA.jpg (60.1 KB, 607 views)
  19. Unhappy User

    Unhappy User Guest

    thanks a lot!
     
  20. Unhappy User

    Unhappy User Guest

    Ok, I killed the processes, then I deleted the first two trojans I mentioned. I didn't delete the reg keys because I wasn't sure about it. I also didn't delete the third one because I didn't see the process it ran on in the list, so I didn't know if it was running or not. I would do more, but I am gonna be gone for 1-2 days, please tell me anything you think will help before 7:30 tomorrow.
     
  21. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Modifying the registry should be done with great care, so no advice on this one now from my side.
    However, if you run a full system scan and all executables are gone, you shouldn't worry for now.
    Dolf
     
  22. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    You might want to reboot the system to see if you get any errors or problems. Also, just in case, you should download (if you haven't already) the reg script that Gavin posted earlier in the thread. If you have issues running programs after the reboot doubleclick on that reg file and see if that makes the problem go away. Removing those reg-keys in themselves will not cause any problems as they are just the means by which the trojan was automatically starting.

    Hmmm, if you want to be extra careful on the reg mod you might try to download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If Optix Pro has been installed, and they chose the EXE file association method, then your EXE files will no longer run, they are looking for the TROJAN file

    The registry fix I posted should fix the only problem I can see - if you delete the registry entries mentioned nothing bad will happen (delete them from Autostart Explorer and make sure they don't come back)

    The registry patch fixes (among other associations)

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    back to "%1" %*

    Instead of "%1" trojan.exe

    Have you run this yet ? It should fix any problems running files, it wasn't TDS that caused the problem, it was the LACK of the trojan..

    http://www.diamondcs.com.au/cleanrun.reg
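    As an added illustration, not code from the thread or from DiamondCS: the two things checked above, the exefile\shell\open\command handler Gavin describes and the Run/RunServices autostart values from the TDS report, can be verified against a registry export. This Python script parses a constructed .reg file in regedit's export format, flags a handler that is not the default "%1" %*, and lists the autostart values; the sample data is constructed to match the entries reported in this thread.

```python
import re

# Constructed sample export (not from the thread), in the format regedit writes:
# a hijacked exefile handler plus the two autostart values the TDS scan reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Explorer Update Build 1142"="explorer32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer Update Build 1142"="explorer32.exe"
'''

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'          # Windows default handler for .exe files
AUTOSTART_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunServices")
# Matches a string value line: "name"="data", or @="data" for the default value.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:                       # dword:/hex: values are not handled here
                name = '@' if m.group(1) is None else _unescape(m.group(1))
                keys[current][name] = _unescape(m.group(2))
    return keys

def check_exefile(keys):
    """Return (is_clean, current_command) for the .exe file association."""
    cmd = keys.get(EXEFILE_KEY, {}).get('@')
    return cmd == CLEAN_EXEFILE_CMD, cmd

def autostart_entries(keys):
    """List (key, value_name, data) for every value under Run/RunServices."""
    return [(k, n, d) for k, vals in keys.items()
            if k.endswith(AUTOSTART_SUFFIXES) for n, d in vals.items()]
```

    Export the keys with regedit, run the parser over the file, and compare the handler against CLEAN_EXEFILE_CMD before and after importing cleanrun.reg; any autostart value naming an executable you do not recognise is worth posting for review, as Dan suggests.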
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When the system is really clean and as you are comfortable with it, make a new restore point manually.
    Normally I would suggest to disable system restore, reboot, enable it and make the manual system restore point, so with the deletion of all other restore points the infection should be gone as well.
    In this case I wonder what is best: would there not be any risk of losing the current happy and clean situation if the disable/reboot/enable/new system restore point procedure is done now?
     
  25. Unhappy User

    Unhappy User Guest

    Ok, the reg keys were still there but the trojan was deleted. I will worry about the keys and the keylogger when I get back. Thanks a lot, like I said, 1-2 days.
     