Guest jones.79 Posted October 31, 2008
Does one of you know a good tool to search for "standard" registry keys changed by a trojan and/or reset them? E.g. so that it's not possible to change the background picture or access the Task Manager?
Thanks,
Markus
Guest jones.79 Posted October 31, 2008
Tool to search for changed reg keys
Forgot a good subject... sorry...
> Does one of you know a good tool to search for
> "standard" registry keys changed by a trojan and/or reset them.
>
> E.g. that it's not possible to change the background picture,
> access the taskmanager?
>
> Thanks,
> Markus
Guest Malke Posted October 31, 2008
Re: Tool to search for changed reg keys
jones.79 wrote:
> Forgot a good subject... sorry...
>
>> Does one of you know a good tool to search for
>> "standard" registry keys changed by a trojan and/or reset them.
>>
>> E.g. that it's not possible to change the background picture,
>> access the taskmanager?

You've picked up some variety of the Smitfraud trojan or possibly one of the many rogue antispyware programs. You need to remove the infection. There are many tools specific to certain malware. In general, start here:
http://www.elephantboycomputers.com/page2....emoving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.
http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your malware here:
Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html
or here:
Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

These may work for you and all may be well. However, in many cases the computer will also be infected with Zlob and/or Vundo trojans and protected by a rootkit. These machines are extremely difficult to clean. If your machine is one of these cases, either get guided help at one of the specialty forums below OR back up your data and do a clean install of Windows. It is your choice. If you are unsure how to back up your data or how to do a clean install, you can take your machine to a local computer professional. I don't recommend using BigComputerStore/GeekSquad types of places.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and the stickies first.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Guest jones.79 Posted October 31, 2008
Re: Tool to search for changed reg keys
Thanks for the answer, I am a local computer professional. And I removed the trojans and malware, but until now I changed the regkeys back to normal values manually. Is there a tool to "reset" these values...? Or something like that... or a .reg file with lots of those settings to import them...
Guest Malke Posted October 31, 2008
Re: Tool to search for changed reg keys
jones.79 wrote:
> Thanks for the answer, I am a local computer professional.
> And I removed the trojans and malware, but until now I
> changed the regkeys back to normal values manually.
> Is there a tool to "reset" these values...? Or
> something like that... or a .reg file with
> lots of those settings to import them...

Sorry. If you had provided that information in your first post, I wouldn't have bothered you with the usual response.

It depends on what registry values you're talking about. Your question is unclear. Permissions? Entries? What? Since you are a computer professional, you know there are a lot of registry entries. And frankly, if there are still malware registry entries and/or the computer isn't working correctly, the machine isn't really clean. There is probably a rootkit at work or the OS has been damaged.

There is no "one size fits all" registry. It all depends on the hardware, the operating system, and what is installed on the computer. The only way I know to get a standard out-of-the-box registry is to do a clean install of Windows. Another possibility is to do a Repair Install, but this will not solve issues if the machine is not clean.

Unless once again I'm misunderstanding what you want based on not enough information in your post.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Guest jones.79 Posted November 1, 2008
Re: Tool to search for changed reg keys
Sorry, my mistake, I should have told you.

Well, I am talking about settings like
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-100x\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideIcons

or the key that fixes the background image, usually to a jpg that says "YOU ARE INFECTED" or stuff like that...

And these values are set by the trojan, and remain, even if it is removed. So usually I have to enter the symptoms in a search engine and find the right key, and reset it manually, but that takes time...

So the question is, is there a tool that resets these keys. Maybe with a GUI with buttons to mark the symptom and then reset the values... Or a regfile to overwrite the settings...

Anything clear? I hope so,
Thanks for your help,
Markus
Guest Malke Posted November 1, 2008
Re: Tool to search for changed reg keys
jones.79 wrote:
> Sorry, my mistake, I should have told you.
>
> Well, I am talking about settings like
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
> HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-100x\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
> HideIcons
>
> or the key that fixes the background image, usually to a jpg that
> says "YOU ARE INFECTED" or stuff like that...
>
> And these values are set by the trojan, and remain, even if
> it is removed. So usually I have to enter the symptoms
> in a search engine and find the right key, and reset
> it manually, but that takes time...
>
> So the question is, is there a tool that resets these
> keys. Maybe with a GUI with buttons to mark the
> symptom and then reset the values...
> Or a regfile to overwrite the settings...

Normally if you remove trojans with the right tools, the registry entries are fixed by those tools. For instance, the desktop image you talk about that usually comes from a Smitfraud/Zlob-type of infection will be fixed when you use SmitfraudFix. BTW, the solutions for that are below.

So no, as I said there is no "one size fits all". As a professional, one tries to use the correct tool for the job and if all else fails, flatten the system and reinstall Windows. It is different if you are a malware researcher and/or it is your own machine and you can spend innumerable hours working over a system. As I'm sure you know, those of us who do this for a living can't spend 10 hours on a client's machine - particularly because it is common for a rootkit to still be alive afterwards and even then the machine will not be clean. I have one in the shop just like that now.

The only way to ensure the client has a clean machine in cases like that - and an acceptable bill - is to wipe/reinstall. And that's how you get a clean registry. Hope that answered your question.

Here's how to get rid of the desktop warning being displayed by malware. Go to the Display applet in Control Panel and look on the Desktop tab. Click on Customize Desktop, and then click on the Web tab. You will see that there are checkmarks next to "My Current Home Page" and probably "Lock Desktop Items". Uncheck these. By highlighting the "My Current Home Page" and clicking on the Properties button, you will be able to determine the name of the file that is the message. It might be called something like "security.html" or the like. Click Apply and OK out when you've made your changes. Then you want to find the .html malware file and delete it.

If you can't enable desktop backgrounds after a virus, MVP Kelly Theriot has a fix. Look under Wallpaper-Desktop-Disable Changing here:
http://www.kellys-korner-xp.com/xp_w.htm

If Display tabs are missing, run Kelly's registry edit on line 285, right-hand side "Restore all display tabs".

Check to see if these Registry entries exist:
HKCU\Software\Microsoft\Windows\CurrentVersion\GroupPolicyobject\{21A7BE9D-5027-49C1-B6F7-757B707E1C94}User\Software\Policies\Microsoft\Windows\System
If "GroupPolicyRefreshTime" and/or "GroupPolicyRefreshTimeOffset" are there, then delete them.
HKCU\Software\Policies\Microsoft\Windows\System
If "GroupPolicyRefreshTime" and/or "GroupPolicyRefreshTimeOffset" are there, then delete them and then run the reg fix from Kelly's page.

A default wallpaper called wp.bmp may be set in HKCU\Software\Policies\Microsoft\Windows\System created by the smitfraud.c virus. Remove that and you will be able to choose different wallpapers.

For inability to change wallpaper after malware, here is another key:
Hkey_Current_User\software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Bogus values will be set to 0. Delete or set to 1.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
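A defender's audit script for the registry locations named in this thread, added here as an example and not code from the thread or from either poster. It assumes PowerShell running as the affected user (so HKCU: is that user's hive), that the key and value names are exactly those quoted above, and that the Policies\Explorer zero-valued DWORDs are reported for a human to decide on rather than changed automatically:

```powershell
# Added example, not from the thread: audit the HKCU locations the posts above name
# as left behind by Smitfraud/Zlob-style infections; -Fix deletes what the thread says to delete.
param([switch]$Fix)

$sysPolicy      = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$gpoKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\GroupPolicyObject\' +
                  '{21A7BE9D-5027-49C1-B6F7-757B707E1C94}User\Software\Policies\Microsoft\Windows\System'
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$findings = @()

function Add-Finding($key, $name, $data, [bool]$remove) {
    $script:findings += "$key\$name = $data" + $(if ($remove) { '' } else { ' (review)' })
    if ($remove -and $Fix) { Remove-ItemProperty -Path $key -Name $name }
}

# 1. GroupPolicyRefreshTime values: the thread says to delete them in both locations.
foreach ($key in $sysPolicy, $gpoKey) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset') {
        if ($item.GetValueNames() -contains $name) {
            Add-Finding $key $name ($item.GetValue($name)) $true
        }
    }
}
# 2. A forced wallpaper (the thread cites wp.bmp) set through the policy key: delete.
if (Test-Path $sysPolicy) {
    $item = Get-Item $sysPolicy
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match 'wp\.bmp$') { Add-Finding $sysPolicy $name $data $true }
    }
}
# 3. Policies\Explorer DWORDs set to 0: report only, since the thread says
#    "delete or set to 1" and a person should decide which restriction each one is.
if (Test-Path $explorerPolicy) {
    $item = Get-Item $explorerPolicy
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValueKind($name) -eq 'DWord' -and $item.GetValue($name) -eq 0) {
            Add-Finding $explorerPolicy $name 0 $false
        }
    }
}
if ($findings) { $findings } else { 'No suspicious policy values found.' }
```

Run it without -Fix first and keep the report with the case notes; a finding that reappears after a reboot is the rootkit symptom Malke describes, and the wipe/reinstall advice above applies.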