Trojan

[Magnum]

I working on a new "challenge."

I found a trojan and cleaned it with MBAM, but Windows Firewall keeps getting turned off.

The key below is a new one to me for starting up programs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Antivirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winav"
"hkey"="HKLM"
"command"="C:\\winav.exe"  <---Trojan !!!!
"inimapping"="0

Win Defender did not find anything.

Any suggestions of things to try ?

Andy

[Yuri]

Don't forget to check these:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

DLLs listed in the AppInit_DLLs value will be loaded into every user mode process. Not long ago my friend had a trojan that put its DLL in there and then operated through his browser.

AppInit_DLLs is normally empty, and LoadAppInit_DLLs is 0. If you boot in safe mode, those DLLs are not loaded. Or at least it looked like that.

[sinsi]

I'm pretty sure that key is where MSConfig stores its disabled startup items, so "winav.exe" isn't starting up.

Lots of malware will disable (and even uninstall) certain services, usually Windows Update, BITS and firewall.
Does the firewall start then stop, or not start at all? Some third party AVs have their own and disable windows'.
Run services.msc, click Windows Firewall and try to start the service.

You mention Windows Defender, is this Windows 8?

[dedndave]

there's probably more to it than the exe
what i mean is, besides that, there may also be a service running that protects it
so - you delete the exe, the service replaces it
you delete the regsitry entry, the service replaces it

to get rid of it, you may have to locate the service, first
of course, if you boot up without the service, the exe runs and re-installs that - lol
you have to shoot both at once, somehow

kill the service, kill the exe, delete the exe, then get rid of the service altogether
in some cases, it is easier to do without an internet connection
this prevents the thing from re-downloading itself
better yet - find the IPA and add it to your HOSTS file so that it can't access it again
in most cases, there are multiple IPA's to deal with
you can sometimes find them on sites like McAfee, Symantec, Kaspersky, f-secure, etc

the files are often hidden in the temp folders and/or application data folders
sometimes, windows\system32 or system32\drivers

i can usually get rid of them with HiJackThis and MBAM together
if that doesn't work, try TdssKiller
if that doesn't work, try Ad-Aware, which would probably involve getting rid of your current AV
if it's really persistant, and none of that gets it, try combofix - maybe GMER
after that, you are talking rebuild   :P

[Magnum]

I had winav.exe which is a trojan.

It's eradicated along with kernel.exe which I think was a virus.

Since I have been trying out different Linux distros, problems have occurred that look suspiciously like they are collateral damage.  :t

Andy

I have one of them quarantined to be studied.

Not much info can be found for studying those suckers.

I may use a hex editor in Linux on it.

[Magnum]

Maybe I am having bad luck with just one download,  but M.S. Security Essentials won't  install saying it can't find the file.

I'll deal with it later, trying to figure out why I can't get a working Linux on any of 2 pendrives or from a CD.

I download a boot repair iso and burned it.

It won't start either. :-)

Is it worth $15 to get an external Usb 3.0 card ?

Almost forgot, I have 4 usb ports and I think 2 are the 1.1 and 2 are 2.0.
Is there a way to see which is which ?

Andy

Found a fan in the dumpster.

Took 30 minutes to fix it.

It won't rotate, but no problem.
I did have to tape a pen to one of the blades.

I think the previous owner operated it with the front cage.

"The God of angel armies is always by my side."

[GoneFishing]

...

[sinsi]

>M.S. Security Essentials won't  install saying it can't find the file.
Sounds like a rootkit, they see "mseinstall.exe" and kill it. Try renaming it.
Some rootkits actually check the version resource, so renaming might not work.

You can get a bootable scanner from Microsoft - http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

[Magnum]

Sinsi,

Thanks, renaming it worked.

Will remember that tip.

Andy

[Gunther]

Hi sinsi,

You can get a bootable scanner from Microsoft - http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

do you have some experiences with it? Is it a good tool? It comes from MS, anyway.

Gunther

[Magnum]

M.S. security essentials is free and found a virus that others could not.

Recommend it.

If you have Automatic Updates set to disabled or manual, you might want to check those settings whenever you use
any M.S. security products.

Andy

[Gunther]

Hi Andy,

M.S. security essentials is free and found a virus that others could not.

Recommend it.

If you have Automatic Updates set to disabled or manual, you might want to check those settings whenever you use
any M.S. security products.

Andy

thank you for the fast reply. I'll give it a try.

Gunther

[sinsi]

Hi Gunther, I use MSE at home and put it on my customers' computers.
I used to scan their hard drives by taking them out and connecting with a USB-to-SATA adapter.
Using the offline scanner is a lot quicker and easier. The point is to scan without Windows getting in the way.