Getting Windows back to normal after Trojan?

I've found I cannot access things like "Folder Options" anymore, and I cannot run things like spybot... :(

Is there a way I can get Windows XP back to normal after stupidly running a dodgy .exe file?

I've already removed the Trojan btw...
 
Sure it's not still there?

Download malwarebytes anti-malware and try a scan. If it won't open rename the setup to something different and also rename mbam.exe in %programfiles%\Malwarebytes' Anti-Malware\ to something different too (that usually gets around exe blocking)
 
Sure it's not still there?

Download malwarebytes anti-malware and try a scan. If it won't open rename the setup to something different and also rename mbam.exe in %programfiles%\Malwarebytes' Anti-Malware\ to something different too (that usually gets around exe blocking)
Cheers, I couldn't even install it so I guess I've still got something nasty running on here...

I scanned and found this:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

22/01/2009 20:14:35
mbam-log-2009-01-22 (20-14-30).txt

Scan type: Quick Scan
Objects scanned: 42298
Time elapsed: 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS56af.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\TDSScf70.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSSd443.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSSd7dc.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSfxwp.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSpqxt.dll (Rootkit.Agent) -> No action taken.


:eek: At least I know the problem now. :)




EDIT: I've rebooted and it's all gone, and all my settings have gone back to normal!

Awesome stuff, I've not heard of malwarebytes before now but today it's been a lifesaver. :)
 
Malwarebytes is awesome. Just keep it updated and it usually does the job (coupled with a scan with a decent virus scanner after) :).

Your log shows no action taken on most things, I guess you cleaned it separately?

If you want to be really sure post up a Hijackthis log as well, or just paste it into the form on here and look for red/yellow entries.
 
Well I just copied and pasted that log file immediately after scanning... I cleaned it straight after.

I also tried Hijack this, it found some problems, and I fixed them before I managed to install Malwarebytes, hence me thinking I was Trojan free when I wasn't.

I'm now doing a full scan with Comodo, but with a 1TB drive that is 80% full it's gonna be an overnight job! :eek:
 
Probably not what you want to hear but re-installation may be the best bet.

In my experience when a machine has been badly hit it never runs like it did before the nasties got in, back up what you need and Format C:\
 
In my experience when a machine has been badly hit it runs like it did before the nasties got in, back up what you need and Format C:\
Everything is pretty much backed up on another drive, I've been meaning to do a reinstall soon anyway...
Try SuperAntiSpyware too. Along with Malwarebytes, it's the best of the bunch.
At first I thought you were extracting the urine as SuperAntiSpyware sounds like some sort of joke name, but it exists and it's scanning right now. ;)

So far I've run Comodo (full scan), Ccleaner, Spybot, Hijackthis, and Malwarebytes. If anything is still on this system I'll be very surprised...
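
Added example, not part of any post in this thread: a reply above notes that the pasted Malwarebytes log shows "No action taken" on its entries. This Python sketch parses that text-log layout, lists the items that were detected but not yet removed when the log was saved, and checks the header totals against the listed entries. The function names and the abridged sample are constructed for illustration.

```python
import re
from collections import Counter

# Abridged from the log in this thread; header totals adjusted to the excerpt.
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> No action taken.
"""

# "<Category> Infected: <n>" is a header total; without <n> it opens a listing.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*(?P<count>\d+)?$")
# "<object> (<Detection.Name>) -> [Bad: (..) Good: (..) -> ]<action>."
ENTRY = re.compile(
    r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> (?:Bad: .*? -> )?(?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header_totals, detections) parsed from the text log."""
    summary, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            if m["count"] is not None:
                summary[m["name"]] = int(m["count"])
            else:
                section = m["name"]
            continue
        m = ENTRY.match(line) if section else None
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections

def triage(text):
    summary, detections = parse_mbam_log(text)
    listed = Counter(d["section"] for d in detections)
    # A header total that disagrees with the listing means an incomplete paste.
    mismatched = sorted(s for s, n in summary.items() if listed.get(s, 0) != n)
    # "No action taken" means the item was detected but not removed at save time.
    pending = [d for d in detections if d["action"].lower() == "no action taken"]
    # Pending .sys files are drivers; list them separately for follow-up scans.
    drivers = [d["object"] for d in pending if d["object"].lower().endswith(".sys")]
    return {"mismatched": mismatched, "pending": pending, "drivers": drivers}
```

A log saved after the removal step, rather than straight after the scan, is the one to feed to `triage` when confirming a clean-up.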
 