Root Kit Zero Access / Win32 Patched HN Trojan
-
Silver-Cat wrote: »It gives the same message when I select to run as administrator. Something's messed up somewhere.
Yes, it's normal for these viruses. You need to expect that it's not going to let you run things in the normal way. You just need to see what method works for opening a file and which doesn't. Once you know what method works, then you can run anything you want.
So far: running a normal .exe doesn't work
running with the 'Run as Administrator' doesn't either apparently
so you still have:
run a file called 'svchost.exe',
run a file with an alternative extension e.g. .SCR, .COM, etc
If you can't get it working with these, then insert a recovery disk and run a system restore - or use whatever method was provided with your laptop to do the same.
-
Don't beat your head trying to run things when they don't work. Just work out which methods don't work, and move on from there. Generally these fake programs will try to block programs working normally:
1/ Actively block normal programs (.EXEs) > rename files to .SCR or .COM, rename to system files, or use Rkill to break the active process
2/ Actively block specific programs, such as Malwarebytes > rename them to something random, e.g. qrqweqwe.exe
3/ Remove the registry entry for .EXEs > rename files to .SCR or .COM
4/ Remove registry entries for all .EXE, .SCR, .COM etc > rename files to files e.g. svchost.exe, iexplore.exe, command.com
Other tricks to run the files when they don't work include:
- running task manager (ctrl alt delete, or CTRL SHIFT ESC), then doing File > Task (Run);
- or right clicking on the files and doing Run as Administrator.
- fixing the registry entries (usually will fail though if the malware is active, as it'll monitor certain registry keys for exactly this)
-
OK, just got in and tried a few more but stuck on renaming file ends as doesn't seem to work.
I ran rkill again, just about the only thing that's worked fully so far and got this.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person
helping you.
Otherwise you can close this log when you wish.
Rkill was run on 09/07/2011 at 20:28:52.
Operating System: Windows Vista (TM) Home Premium
Processes terminated by Rkill or while it was running:
\\\.\globalroot\Device\svchost.exe\svchost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\grpconv.exe
Rkill completed on 09/07/2011 at 20:29:00.
Then I ran SUPERAntiSpyware in alternate start admin mode which found the following but again closed after a few mins
Trojan Dropper\SVChost-fake
1 in memory items
1 in file
Are there any good online scans I can try please?
-
You haven't said what happens when you try the GDATA or Trend scans...
Eset have an online scanner:
http://www.eset.com/us/online-scanner?ref=AFC-CJ&attr=4165901
-
Are you in the Sheffield area?
-
No, unfortunately. I am in Bedfordshire.
GData says no fake virus
Trend data says unauthorised to run
-
Give the online scanners a go (there is a stickied thread listing them all), otherwise you'll have to find out which method to use to run system restore from the recovery console on your PC.
It's hard to help if you're not clear on the outcome of each thing. E.g. what happened when you tried these?
Alternatively, try installing Malwarebytes with this instead: http://www.users.on.net/~russ/minstall.scr to install it
and if needed, this one to run it once installed http://www.users.on.net/~russ/mrun.scr
-
I tried Eset and got the following
C:\Program Files\Bonjour\mDNSResponder.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\Google\Update\GoogleUpdate.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Kontiki\KService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Launch Manager\WisLMSvc.exe Win32/Patched.HN trojan error while cleaning
-
Whenever I try to change the file name of anything I get the message access denied
-
I get error messages on trying to run the above link to malwarebytes.
It says shellexecuteEx failed code 1155
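
Added example, not part of the original posts: a small triage script run over the Rkill log and the Eset results quoted in this thread, listing terminated processes whose image path is not an ordinary drive-letter path and the files the scanner could not clean. The function names and the "drive-letter path" heuristic are assumptions made for this illustration.

```python
import re

# Log text copied from the posts above (Rkill log, then the Eset online scanner results).
RKILL_LOG = r"""Processes terminated by Rkill or while it was running:
\\\.\globalroot\Device\svchost.exe\svchost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\grpconv.exe
Rkill completed on 09/07/2011 at 20:29:00."""

ESET_LOG = r"""C:\Program Files\Bonjour\mDNSResponder.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Win32/Patched.HN trojan cleaned - quarantined
C:\Program Files\Google\Update\GoogleUpdate.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Kontiki\KService.exe Win32/Patched.HN trojan error while cleaning
C:\Program Files\Launch Manager\WisLMSvc.exe Win32/Patched.HN trojan error while cleaning"""

# Assumed heuristic: a normal process image path starts with a drive letter,
# optionally behind the \\?\ long-path prefix. Anything else needs a closer look.
DRIVE_PATH = re.compile(r"^(?:\\\\\?\\)?[A-Za-z]:\\")
# <path> <detection name containing "/"> <type> <action>; Windows paths contain no "/".
ESET_LINE = re.compile(r"^(?P<path>.+?)\s+(?P<name>\S+/\S+)\s+(?P<kind>\w+)\s+(?P<action>.+)$")

def rkill_terminated(log):
    """Return the paths listed between the 'Processes terminated' header and 'Rkill completed'."""
    paths, in_list = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("Processes terminated by Rkill"):
            in_list = True
        elif line.startswith("Rkill completed"):
            in_list = False
        elif in_list and line:
            paths.append(line)
    return paths

def unusual_image_paths(paths):
    """Return the paths that are not rooted at a drive letter."""
    return [p for p in paths if not DRIVE_PATH.match(p)]

def eset_results(log):
    """Parse each result line into path, detection name, type and action."""
    return [m.groupdict() for m in map(ESET_LINE.match, log.splitlines()) if m]

def not_cleaned(rows):
    """Return the paths of files whose action does not start with 'cleaned'."""
    return [r["path"] for r in rows if not r["action"].startswith("cleaned")]

if __name__ == "__main__":
    print("Unusual process paths:", unusual_image_paths(rkill_terminated(RKILL_LOG)))
    print("Still infected:", not_cleaned(eset_results(ESET_LOG)))
```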