Thursday, 12 November 2009

dell cs system fucked up by virus

my dell latitude CS got infected with pagefile.exe virus
boot into winflp safe mode
usb device, c: is filled with pagefile.exe and autorun.inf
yl177.com is popup in internet explorer

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools"=dword:00000000
dont work
it means
regedit.exe fucked up so i "copy regedit.exe regedit.com"


del the registry under
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] the debugger value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Windows\\system32\\pagefile.exe"
i exported the *.reg and use microsoft sysinternals' reg.exe
reg delete [path] /v debugger /f , using notepad++ portable to make a .bat file


HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
delete "Window Title" to restore default title name

[HKEY_CURRENT_USER Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000
enable changing ie homepage


"Show Hidden Files and Folders" always points to "Do not show hidden files and folders" in "Folder options" , so

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"hidden" change it to 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" , DWORD=1


del c: d: e: f: autorun.inf pagefile.exe in root
del c:\windows\system32\pagefile.exe

search registry for yl177
like [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "searchpage"
del it
also
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]
and more




added 13/11
also the service and file
IE_WinServerName,Windows CreaterIE,c:\windows\webthund.exe
search it in regedit
and del the service
then attrib -s -h to the file and del it





useful tools , sysinternals , regjump , reg , procexp
regedit, attrib -s -h, dir /a:sh, ....... and more

"Show Hidden Files and Folders" problem - do not work
repaire regedit.exe registry
internet explorer homepage hijacked
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Labels

Search This Blog