Help fixing aftermath of invasion


Have you tried doing a System Restore? BTW, do not use IE. Always use Firefox, which can block attacks like this. No need for Ad Muncher if you use Firefox.

Here is a reg fix for the screensaver tab missing.

Start > Run > Regedit

Navigate to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

If there is a DWORD value called "NoDispScrSavPage" with a data value of 1, this will disable the screen saver tab. Change the value to 0 to see the tab again.

 

Hi LisaB.

 

I am typing the rest out, and will post later on.

 

A quick addition, "Trojan.Blusod"  disables the stem restore.

 

Full message soon.

 

Quads 

Oops.

 

"Trojan.Blusod"  disables the system restore. 

Now Hi

 

"Trojan.Blusod" attempts (or succeeds) to download files to your PC. It disables System Restore, and changes some of your user settings like the wallpaper and screensaver.

Your Desktop went white probably because the files that "Trojan.Blusod" downloaded on to your PC have been removed (hopefully). So now on start-up Windows can't find the image file. This is because the registry entries have not been fixed. The reason that your screensaver and wallpaper tabs are missing (or greyed out) is that they have been disabled.

The 2 files the Trojan set for the wallpaper and screensaver are:-

C:\WINDOWS\system32\blph***************.scr      (***....  = random characters)

C:\WINDOWS\system32\blph***************.bmp      (***....  = random characters)

 

Now download and install Malwarebytes Antimalware and do a database update. Do a "Full Scan".

After that is finished and any files removed, the registry has to be fixed.

 

Delete these entries:

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"

And change these entries back to these previous settings if needed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "906b1f2d-66b5-439e-8c02-9d08858fe527"
HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"

 

 

Try that

 

Cheers

 

Quads 
Good find Quads. But in addition before all that try running a full scan with SuperAntiSpyware and Malware Bytes Anti Malware.

 

Thanks hugely, all, for your answers!

 

I will print out the info, read it, and try the suggestions.

 

A couple questions about Trojan.Blusod disabling System Restore:

1. How can I tell if it did? When I go to System Restore, the box is unchecked.

2. So I guess this means that even if Norton AV gets trojans and viruses, it doesn't keep them from doing damage?

 

By the way, I don't mind the editor breaking my link to the web page I gave, but it wasn't where the problem was. One of the links on that page was the problem. Guess it's not really necessary info, though.

Message Edited by LisaB on 09-24-2008 01:22 PM

LisaB wrote:

Thanks hugely, all, for your answers!

 

I will print out the info, read it, and try the suggestions.

 

A couple questions about Trojan.Blusod disabling System Restore:

1. How can I tell if it did? When I go to System Restore, the box is unchecked.

2. So I guess this means that even if Norton AV gets trojans and viruses, it doesn't keep them from doing damage?

 

By the way, I don't mind the editor breaking my link to the web page I gave, but it wasn't where the problem was. One of the links on that page was the problem. Guess it's not really necessary info, though.


1. If the box is unchecked then it is off. Maybe you did this or maybe some trojan did.

2. If Norton catches malware it should disinfect them. What version are you running?

 

The best thing to start is to download Norton Antibot. You can download it from here

Let's see if that catches something. 

If that doesn't do the trick for you, please download Malwarebytes and run a scan. You can download that from here


Dieselman743 wrote:

Good find Quads. But in addition before all that try running a full scan with SuperAntiSpyware and Malware Bytes Anti Malware.

 


I did say "Now download and install Malwarebytes Antimalware and do a database update. Do a "Full Scan" After that is finished and any files removed that registry has to be fixed." LOL
Tried to type everything out simply as possible to understand, I just copied and pasted the reg entries.
Thanks 
Quads 

 


Hi LisaB

 

Basically the system restore is turned off, or even sometimes you can't even get to the settings box.  Like you had with your screensaver and wallpaper tabs.

 

Sometimes any security program may not stop the infection; that's why the definition database needs to be kept up to date. Some nasties are even created to try and disable the security software (including firewall).

 

One thing you could do afterwards is to run a registry cleaner, to remove any not-needed reg entries related to your infection, as the files are now gone.

 

Thanks

Quads 

First, make absolutely sure this virus is gone (I think it is one of the nastiest ones out there -- a new mutation appears every so often and AV is only as good as the signatures that have already been recognized).  Follow the above advice about a variety of virus testers just to be sure.

 

I have seen desktops so ravaged I have not been comfortable restoring them.

 

Instead, I ...

a.  create a new user with administrator rights

b.  transfer over settings of things that have not been harmed (outlook, etc) using system migration wizard (if possible) or export/import, etc.

c.  if the desktop for the new user is clean and stays that way, then I delete (using the complete option) the other user.

(d.)  if I am happy with the name of this new user, I leave things as they are; otherwise, I create a new user under the old name and transfer all settings back to that user, then delete the current one.

Hi LisaB

 

Just another thing you could do is place these entries inside your "hosts" file using Notepad.

127.0.0.1       antivirusxp2008.com
127.0.0.1     youpornztube.com

Exactly like written.
Antivirusxp2008 is a rogue security program and the trojan could be accessing these sites to download files. Even if the trojan is gone, these can be typed into the hosts file, stopping the sites being accessed in future.

Windows checks the HOSTS file BEFORE it looks to your ISP to find the site. Editing the HOSTS file prevents access to the outside sites by redirecting traffic back to your own computer. It can block applications (viruses, trojans,downloaders) from accessing specific sites, by redirecting any (would be) outgoing communication back to your own computer, preventing it from accessing whatever material it was trying to get.

127.0.0.1 is the IP address of your PC usually. 

 

Now as for "Adware.CWSIEFeats", this is the lesser of 2 evils; it should be easier for the scanners to remove, although afterwards you may have to reset (enter) your browser settings, Homepage, search etc.

 

As to creating a new user account and transferring the settings across: sometimes this won't work, as transferring the settings from the affected account (with the previously stated registry entries not fixed) can cause the new account to have the same problem once the settings for the screensaver and wallpaper are transferred.

 

LisaB, well done on your first detailed post, the more details and symptoms the better for us to work out the fix.

 

Cheers

 

Quads 

As Quads pointed out, you need to be careful about transferring settings over.  I would transfer nothing except what can’t be brought any other way.  I certainly wouldn’t bother with trivial items like screensaver or wallpaper – the idea is to start afresh.  If you use outlook express, you can grab your inbox and outbox et al, and copy them over.  If you use Office Outlook, it has a great export tool right in the Files drop-down menu.  Bring over as little as possible!

First, thanks for all the tips and answers, everyone!

 

Quads, also thanks for the good words about my initial writeup. I'm a software tester, so I should know how to write these things up. Had I not been so upset, I could have written a cleaner, more concise, better organized post. However, I've never learned about the Registry and am not all that technically knowledgeable.

 

I also want to correct what I said about System Restore. The check box is unchecked, but what the check box says is, "Turn off System Restore on all drives." So that would mean it's on and was never affected, wouldn't it? Not that it's disabled (unless the trojan changed the wording on the check box?) But when I backed up the registry, I wasn't prompted to enable it, so I think it's okay. Just want confirmation.

 

I didn't have the heart to tackle the repairs yesterday, so I've been working on them today, starting with Quads' posts.

1. I backed up the (invaded) registry before doing anything, just in case.

2. I looked for the two files you mentioned, Quads, the blph* files in Windows\System32, but they weren't there. I gather this is not a problem?

3. Downloaded Malwarebytes AntiMalware, updated it and ran the full scan. I'm pasting the relevant parts here:

 

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

 

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc134j0e125 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> No action taken.

This was before I clicked the Remove Selected button. I didn't realize I had to log the results - thought that would be automatic. Anyway, the removal was successful, according to the software.

4. Then I right-clicked on my desktop and selected Properties. Lo and behold, my Desktop and Screensaver tabs were back, so I restored my wallpaper and temporarily added a screensaver just to make sure it worked (I don't usually use one). I did this via the GUI.

5. Next, I went to your list, Quads, found the first entry, HKEY_CURRENT_USER..."EULAAccepted"="1" and deleted the entire key, not just the value. Was that what I was supposed to do?

6. The second entry you said to delete was not there, no key like this. Is this okay?

7. Then you have a list of keys to be changed back to original values. Are the values in your post the correct ones or the bad ones? I have no idea what my original values were, and I don't even have the first two files (or whatever they're called) in your list. Do I need to add them????? For the others, the values I have are the ones in your list.

8. Again, I restored my wallpaper using the GUI, but the last HKEY in your list still shows the 0 value in the Registry. Is this correct or a problem?

 

I have all the other suggestions and will look at every one, but I want to do this carefully, to fix things before adding more security, for example. So let me get these questions answered first, then I'll work on the rest.

 

Thanks again for all the help!

Message Edited by LisaB on 09-25-2008 06:56 PM

Hi LisaB

1. Backed up registry, GOOD.
2. No, the fact the files are not there is also good and no problem.

Looks as though Malwarebytes fixed a lot of entries. The entry I posted vs the Malwarebytes entry in the log:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe" is the same as
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc134j0e125 (Trojan.FakeAlert) -> No action taken."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "906b1f2d-66b5-439e-8c02-9d08858fe527" is the same as
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken." in the Malwarebytes log

HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
"HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken." in the Malwarebytes log

HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
"HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken." in the Malwarebytes log

7. The values posted were the correct ones. Actually Malwarebytes stated this in the below entries, "Bad: (1) Good: (0)", that's cool.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken."

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"  As written, should say "0".

You can check these entries also, just to make sure the values are correct, if you like; the values written are the values that should be shown. Oops, you may have already done that.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"

8. The last entry value of "0" is correct.

Looks as though Malwarebytes may have done its job. Any more questions??

Cheers

Quads
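The matching the reply above does by hand (scanner log line vs. posted registry entry) can be done mechanically. This is an added example, not code from the thread: it parses the Malwarebytes log format LisaB pasted and checks each finding against the "change back" and "delete" entries Quads posted, treating `[RANDOM CHARACTERS]` as a wildcard. The log excerpt is constructed from the lines quoted in the thread.

```python
import re

# Constructed excerpt of the Malwarebytes log quoted in LisaB's post above.
MBAM_LOG = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc134j0e125 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
"""

# Clean values from Quads' "change back" list (paths are compared case-insensitively).
POSTED_GOOD = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage": "0",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage": "0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR": "0",
    r"HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive": "1",
    r"HKEY_CURRENT_USER\Control Panel\Desktop\TileWallpaper": "0",
}
# Entries Quads said to delete; "[RANDOM CHARACTERS]" is treated as an alphanumeric wildcard.
POSTED_DELETE = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lph[RANDOM CHARACTERS]",
    r"HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\EULAAccepted",
]

# One log line: <path> (<family>) [-> Bad: (x) Good: (y)] -> <action>
LINE_RE = re.compile(r"^(?P<path>HKEY_.+?) \((?P<family>[\w.]+)\)"
                     r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
                     r" -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return one dict (path, family, bad, good, action) per registry finding."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def _wildcard_re(posted_path):
    """Turn a posted path containing [RANDOM CHARACTERS] into an anchored regex."""
    pat = re.escape(posted_path).replace(re.escape("[RANDOM CHARACTERS]"), r"[0-9A-Za-z]+")
    return re.compile(pat + "$", re.IGNORECASE)

def cross_check(findings, posted_good=POSTED_GOOD, posted_delete=POSTED_DELETE):
    """Map each scanner finding to a status against the posted remediation list."""
    good = {k.lower(): v for k, v in posted_good.items()}
    deletes = [_wildcard_re(p) for p in posted_delete]
    report = {}
    for f in findings:
        path, expected = f["path"], good.get(f["path"].lower())
        if f["good"] is not None and expected is None:
            status = "data item not in posted list"          # scanner knows it, post does not
        elif f["good"] is not None:
            status = (("agrees" if expected == f["good"] else "CONFLICT")
                      + f": posted {expected}, scanner Good {f['good']}")
        elif any(r.match(path) for r in deletes):
            status = "matches a posted delete entry"         # e.g. Run\lph<random>
        else:
            status = "removed by scanner; not in posted list"
        report[path] = status
    return report
```

Run `cross_check(parse_mbam_log(MBAM_LOG))` to see that the two Hijack.DisplayProperties items agree with the posted "0" values and that the Run\lphc134j0e125 value is the posted Run\lph[RANDOM CHARACTERS] entry.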

I just wrote a wrap-up post and got blown out of the system and asked to log in again. Don't have the patience to rewrite it, so I'll just say that I've done all the checks I wanted to do, and everything seems back to normal.

 

I'm leery of adding things to files and downloading software that essentially does the same thing as what I have, in case an incompatibility screws things up, so I'll hold off on most of your suggestions.

 

mijcar's point about AV software only being able to fight what it can recognize and Quads' about some malware disabling AV software are two things I'm concerned about, so I may still take Dieselman's suggestion about running SuperAntiSpyware.

 

Thanks again, everyone!

Hi LisaB

 

Having Norton and an on-demand product for scanning like Spybot S&D, Ad-Aware, MalwareBytes and SuperAntispyware free, there is no problem.

 

It's when you have 2 or more realtime products installed, like Norton NIS + ZoneAlarm, Norton + AVG or Avast etc., that is where the conflict arises. Also Norton and Webroot Spysweeper 5.8.

 

bye

 

Quads 

Okay, Quads, I understand about not having two AV programs installed. And I see that it’s okay to have Norton and MalwareBytes together. But is it okay to have these and also SuperAntiSpyware?

Hi LisaB

 

It's OK to have SuperAntiSpyware free installed on your PC as well, as the free edition is also not realtime. It's like MalwareBytes: you have to start the program, you can run a scan, then close it after. It doesn't "start-up" when Windows does. Like Norton.

 

 

Quads