
XP Security Tool Attack

Discussion in 'Virus & Other Malware Removal' started by edmundtheimpaler, Apr 30, 2010.

Thread Status:
Not open for further replies.
  1. edmundtheimpaler (Thread Starter), joined Apr 30, 2010, 5 messages
    A couple of days ago I was attacked by this XP Security Tool bug that seems to be going around. (I believe it's ave.exe.) I downloaded a registry key to restore functionality to .exe files, got Malwarebytes up and running, and scanned the system. It removed loads of threats, but it was obvious that whatever it was was still on the system. It looked as if everything was going better (if not great) because I was now able to access the various security websites and programs that it was previously blocking, as well as not having any more XP Security Tool pop-ups, but through the scans and stuff it was obviously still on the system. (This is bizarre too... I keep coming across "9dey.exe" in scans, which I'm fairly sure is related to the problem; however, I have been unable to find anything about said executable anywhere on the internet.) Anyway, this brings me to last night, when something big happened because Norton started going crazy saying something like "The Mail Server rejected your message, Spam, etc." and all of these dialog bubbles from Norton began popping up on the screen, taking it over, so to speak. So I went to reboot. Upon reboot the Windows log-in screen with the Password and Username appeared (which is odd because it was never set up to go to that screen; previously it would just boot Windows and go to the desktop). I just hit Enter, leaving the password field blank, which seemed to do the trick because Windows logged on and immediately logged back off. I can't get Task Manager open in the interval between log-on and log-off. In Safe Mode I have the same log-on/log-off problem. It seems I can get into the Microsoft Windows Recovery Console through the DOS prompt, but I don't even know where to begin with that. I have the Avira AntiVir Rescue Disc, which I ran last night; however, it could not remove or fix any of the problems it found. In a moment of desperation I tried using the HP System Restore function, which resulted in a blue screen of death with the following message:

    Stop: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with a status of 0x00000080 (0x00000000 0x00000000).
    The system has been shut down.


    Thank you for any help that you kind people might be able to provide. I'd like to give you some more information, because I realize the previous paragraph probably sounded like the ramblings of a madman, but since I can't get into the system I can't really get any of the logs and such, unless there is a way to get to them through DOS. Even then, I don't know how I would get them off of the infected machine onto this one to provide them. But any help is greatly appreciated.
     
  2. edmundtheimpaler (Thread Starter), joined Apr 30, 2010, 5 messages
    In an attempt to work around the constant logging on and off of Windows, I attempted the fix located here: http://support.microsoft.com/kb/307545

    Now the pesky Windows log-in window does not appear upon startup (and consequently, I hoped, neither would whatever process was logging out of Windows immediately after logging on to Windows). This happened in all versions of Safe Mode as well. However, now upon start-up I receive the message:

    "System error: Lsass.exe
    When trying to update a password the return status indicates that the value provided as the current password is not correct."

    From what I understand, this is caused by some sort of difference between the original SAM file and the backup SAM file. I read somewhere that a possible solution to this problem would be to replace the backup SAM with the original SAM. As I backed up the original SAM file, as per the instructions, I figured I would have no problem returning them. However, when I tried to log back in to the Windows Recovery Console, the Administrator password that I was using to log in and out of Windows on the Recovery Console was different from what it previously was, a blank field. Just hitting Enter at the password prompt no longer worked. I understand there are a number of programs that will either change your password or decrypt your password, but they all seem to cost about $20, and I'm not too sure about sending someone my password to decrypt and then being told I need $20 to get the decrypted version off of them, so I figured I'd try to work around it first.

    So I've been going through live versions of Linux in an attempt to copy my SAM backup over the newly created file. I couldn't get Knoppix to boot. I'm currently using Puppy Linux. However, when I try to write the files to the infected drive, it informs me that the NTFS drive is read-only. I got the permissions to load and I gave write permissions on the infected drive to everybody. However, it was still read-only. I guess what I'm wondering is, could the malware have made the drive read-only? Or is the drive read-only because that's how it is in the Recovery Console as well, and I would imagine you would have to actually boot Windows to access write permissions? Or is it that Puppy Linux just doesn't have the resources or permissions or the influence (I know the concept of influence in computing is rather unscientific, but I can't think of any other way to word it, and I don't know very much about booting) to make that sort of a change to the hard drive? I have a few external hard drives, so I'm not really against installing a beefier version of Linux and seeing what I can do through it (I don't want to repartition the infected drive). Or would that not sort anything out?

    I'm not entirely against backing my stuff up with Linux and then doing a reformat and a clean install. However, I'd like to avoid that if at all possible.

    Any help would be greatly appreciated.
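A way to tell which of the three possibilities raised in the post (malware, the drive's own state, or the live Linux driver) is behind a read-only NTFS mount, as an added example that is not part of the original thread: it classifies /proc/mounts lines from a live session. The sample lines, device names and verdict strings are constructed for the example.

```shell
# Constructed sample of /proc/mounts lines as they might appear in a live
# Linux session (example input, not taken from the original thread).
SAMPLE_MOUNTS='/dev/sda1 /mnt/sda1 ntfs ro,relatime,uid=0,gid=0,umask=022 0 0
/dev/sdb1 /mnt/sdb1 fuseblk rw,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/sdc1 /mnt/sdc1 fuseblk ro,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/sdd1 /mnt/sdd1 ext3 rw,relatime 0 0'

# Classify one /proc/mounts line; prints "<mountpoint> <verdict>".
# The verdict strings are this example's own naming, not tool output.
classify_ntfs_mount() {
    set -- $1                      # split the line into its fields
    mnt=$2; fstype=$3; opts=$4
    case ",$opts," in
        *,ro,*) mode=ro ;;
        *)      mode=rw ;;
    esac
    case "$fstype" in
        ntfs)
            # The in-kernel "ntfs" driver used by older live CDs can only
            # read NTFS; a read-only mount here says nothing about the disk
            # or about malware. Changing permissions cannot fix it; the
            # volume has to be mounted with ntfs-3g instead.
            echo "$mnt kernel-ntfs-driver-readonly" ;;
        fuseblk)
            # fuseblk is how an ntfs-3g mount shows up in /proc/mounts.
            if [ "$mode" = rw ]; then
                echo "$mnt ntfs3g-writable"
            else
                # ntfs-3g falls back to read-only when the volume is marked
                # dirty (unclean shutdown) or holds a hibernation image, or
                # when it was mounted with "ro" explicitly.
                echo "$mnt ntfs3g-readonly-dirty-hibernated-or-ro-option"
            fi ;;
        *)
            echo "$mnt not-ntfs" ;;
    esac
}

# Report every mount in the sample, one verdict per line.
report_ntfs_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | while read -r line; do
        classify_ntfs_mount "$line"
    done
}

report_ntfs_mounts
```

On a real live system, replace SAMPLE_MOUNTS with the contents of /proc/mounts to get the same verdicts for the actual drives.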
     
Short URL to this thread: https://techguy.org/920213