Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Virus file and registry keys are locked down

Status
Not open for further replies.
chpicker

chpicker

Programmer
Apr 10, 2001
1,316
One of my clients has a WinXP machine that was infected with a version of the Pandex trojan. All of the research I've done leads me to a single file and a series of registry keys that all need to be deleted. The problem is, I can't.

The file (c:\windows\system32\drivers\ekp62.sys) gives me "Access Denied" when I try to delete it. No surprise there. What IS surprising is that, when I right click and select "Properties", there is only a General tab. No Security or Summary tabs. Every other file in the folder has a Security tab but this one.

The registry keys are even worse. I can bring up permissions on them; I have Full Control. But I cannot delete them, rename them, or change their values. I get an error message any time I try to do so. Any other registry keys or values can be changed just fine.

Safe Mode is not an option. One of the registry keys that it put in registers the file under the Minimal and Network configurations so it loads up at all times.

I'm curious, then. How can someone lock down registry keys like that? How can you hide the security tab from just one file? More importantly, how can I reverse these processes so I can delete the registry keys and the file? I am logged in to the computer as a local administrator.
 
Sort by date Sort by votes
Trojan.Pandex!inf (removal at bottom of the page)

as to your permission question, this can be done through the SYSTEM, as opposed to LOCAL, it has FULL access, where as LOCAL only has certain FULL access... a little wierdly worded but a service running as SYSTEM will have full access to ALL, where as an Admin will only have access to things NOT controlled by the SYSTEM... at least that is my understanding of the problem...

to delete that file, try the program UNLOCKER

also post a HiJackThis log, here for our perusal so that we may be able to tell you more...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Upvote 0 Downvote
Attacking your problem from outside the current Windows environment may be a way to go.

Something like BARTPE, or the Recovery Console may help you?

From BARTPE you would be able to load Registry Hives and amend entries and save the amendments.

Cannot logon to winxp...losing lots of valuable documents
thread779-975236

As an Administrator highlight one of the two following Keys, it will only be available for these Keys.

HKEY_LOCAL_MACHINE
HKEY_USERS

These two articles in the RegEdit Help are a good explanation of the process.

To load a hive into the registry
To unload a hive from the registry

How to edit the registry offline using BartPE boot CD

Many third party programs, that perform low level actions deep inside of Windows have the ability to protect there programs by removing the Security Tab, as to how that is done, I don't know.
 
Upvote 0 Downvote
Killbox - use it to whack a file upon reboot and use the "replace with dummy" option so that the malware thinks it's still in place and running so it won't try to reinstall itself. As mentioned above - Bart PE CD for remote registry editing and you can do what you want to do in the registry.

I'm not sure how anyone can live without a PE bootable disk. It has changed my life.
 
Upvote 0 Downvote
Thanks for the tips, guys.

I suppose it might have been beneficial to point out that I don't have physical access to this computer. It's not even in the same state.

That said, it looks like my best option is going to be either Unlocker or Killbox at this point. I had already tried running HijackThis and using the "Remove file on reboot" option. It didn't work. Are these programs different/better? I assume it didn't work because this file has attached itself to the kernel and is running as part of the system.

It may be that, because of this, it is impossible to remove from within the system and I'll have to try to talk someone on-site through the process with a boot disk. That doesn't sound like fun.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

dik
  • Locked
  • Question
Virus
Replies
15
Views
857
dik
dik
TrekBiker
  • Locked
  • Question
Version 23H2 preventing full shut down
Replies
5
Views
965
pjw001
pjw001
Flinx
  • Locked
  • Question
backup fails with error code 0x81000019 and possible fix 1
Replies
5
Views
2K
Flinx
Flinx
Edu_uy
  • Locked
  • Question
Inverted brightness keys on hp with windows10
Replies
3
Views
339
mikrom
mikrom
Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
2K
Flinx
Flinx

Part and Inventory Search

Sponsor

Back
Top