Just been hit by malware. D=

[TAKTAK]

as the title...

now i've managed to get rid of most of the effects and reg entrys and such (by investigating file sources and attributes), but... i've come a bit unstuck on one thing it has changed... (mainly via what it was trying to run at startup, i'm very protective of startup items so i know exactly what i want running... and what has freshly appeared)

as part of the program, it changed the desktop background to a fake 'infected piccy' (original )
but.. also, as part of that it removed the option to change the desktop background from the 'personalization' menu (it's evident that it has been removed as the line spacing is out of whack...)

so... how do i get it back?

or will the vista repair feature work?

also is there anything that will allow me to view reg entries by the date/time created and also all files on the system (i've tried vista searc functions but they just don't play ball in finding everything...)

[alsenior]

vista's repair feature should work. you could try using 'old' versions as it seams that the exe or dll has been replaced with a fake or patched version

[TAKTAK]

just found a suspicious file in sys32... 'lphcthsj0e1d5.exe'... now... i think that is to do with the malware... as it was recently made... and the processes running were along the same nameline

also google doesn't show any search results for it?

i shall try a repair tomorrow

i'm currently running a full system scan which is going to take yonks

[streetster]

I had to sort this issue out on a guys laptop running xp, the fix for XP is:

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00

pasted into notepad, save as 'whatever.reg' and then run it... you may have to tweak it a bit for vista, im not sure.

[format]

Will this teach you to stop downloading all that russian midget donkey pr0n Taktak?

[TAKTAK]

Will this teach you to stop downloading all that russian midget donkey pr0n Taktak?

i think it came from a UT mod that I downloaded

well so far the system scan has managed to get to 12%, and so far has found 2 things, including fallingicons.exe

[listy]

antivirus 2008?

is so i used Malwarebytes' Anti-Malware to get rid of it

[[GSV]Trig]

Superantispyware seems a good free proggy to use.

[colmo]

Insert default smug Linux user post here > <

Edit: I used to use a combination of Firefox, Spyware Blaster, Spybot and CCleaner to keep my XP install spick and span. Don't know if they help in a Vista environment, though.

[TAKTAK]

Insert default smug Linux user post here > <

pity i wasn't on one of my linux boxes then eh?

[Lucio]

antivirus 2008?

is so i used Malwarebytes' Anti-Malware to get rid of it

Can confirm this is the best course of action, given the symptoms and the exe filename

http://www.malwarebytes.org/

Just cleaned up two of these infections on work machines (that'll teach the MD for not letting me deploy security patches when I want....)


Out of interest, did it get through Vista UAC, or don't you use it??

[TAKTAK]

Out of interest, did it get through Vista UAC, or don't you use it??

i turned it off, i just couldn't stand having to authorise things 3 times just to open a file...
just running malwarebytes now...

[colmo]

pity i wasn't on one of my linux boxes then eh?

I'm presuming the mod was for UT3? There isn't really a Linux option for that version, despite the protestations of these guys.

Original UT runs like a dream, and I believe UT2004 is Linux-friendly also. Regardless of it's excellence as an OS, gaming in Linux is an obscure form of masochism...

[streetster]

any joy on the reg script getting those tabs back?

[TAKTAK]

any joy on the reg script getting those tabs back?

yeah it seems to have worked perfectly, thanks very much

[Lucio]

i turned it off, i just couldn't stand having to authorise things 3 times just to open a file...
just running malwarebytes now...

three times?? I only get the prompt once, just after it's downloaded and it wants to cross from "Internet" to "Local"

I have to say that I find the Vista UAC occasionally annoying, but only when I've closed a window I hadn't finished with!


Still, was curious to know whether or not the UAC helps prevent this kind of attack, or whether these things will happen regardless.