Windows XP SP3 Explorer CMD Regedit all blocked

arashjahn

Sep 27, 2010
It may be time to reopen this discussion (http://www.tomshardware.com/forum/86497-45-windows-find-explorer). I got nailed by this malware. It does everything listed above and blocks out more programs. Like mentioned before, you log into Windows XP (SP3) and nothing pops up but the wallpaper. The only thing I can get running is Task Manager via Ctrl+Shift+Esc. Running a new task (e.g. Explorer, msconfig, cmd, regedit, *.msc, etc.) fails every time. I tried to boot using BartPE, but got a blue screen of death while trying to boot past the Windows startup banner. I ended up using ISOLinux 3.11 to boot and got into the registry, but the shell is so weak I can't search for the debugger keys. I looked in the places mentioned above:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image Execution Options\

But on my system, \Image Execution Options\ was called \Image File Execution Options\
Nonetheless, the debugger keys were not there for explorer.exe. I also looked for these keys, related to a malware called SLURK that does similar things to XP:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"alligt" = "%System%\severe.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"nkurls" = "%System%\alligt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %System%\drivers\conime.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\"Debugger" = "%System%\drivers\nkruls.exe"
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\"Checked Value" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "b5"

NONE of these keys were present. So, I'm stuck. Does anyone have any suggestions (I can't reformat the OS)?

Thanks,
///A
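The post above lists the three registry locations this family abuses: an Image File Execution Options "Debugger" value (Windows launches the named debugger instead of the program, which is why regedit, msconfig and cmd appear to "fail"), the Winlogon Shell value with an extra executable appended, and Run entries. The script below is an added example, not code from the thread or from any of the tools named in it. It audits those locations, plus the .exe file association that the same kind of malware commonly hijacks, and reports anything that looks redirected without changing it. It is written for PowerShell on a clean machine with the victim's disk attached; the -HivePath parameter, the hive location under X:\Windows\System32\config\software and the mount name OfflineSW are assumptions for that offline case. Run it from an elevated prompt.

```powershell
<#
 Added example, not from the original thread. Audits the registry locations
 listed in the post (IFEO "Debugger" values, Winlogon Shell, the Run key) and
 the .exe file association, and reports anything that looks redirected.
 Audit only: nothing is deleted. Run from an elevated PowerShell prompt.

 -HivePath is an assumption for the offline case: the victim's SOFTWARE hive,
 e.g. X:\Windows\System32\config\software on a drive attached via an enclosure.
 Without it, the live machine's HKLM\SOFTWARE is inspected instead.
#>
param(
    [string]$HivePath
)

$mountName = 'HKLM\OfflineSW'   # assumed mount point for the offline hive
if ($HivePath) {
    & reg.exe load $mountName $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath" }
    $root = 'HKLM:\OfflineSW'
} else {
    $root = 'HKLM:\SOFTWARE'
}

function Get-Value($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

try {
    $findings = @()

    # 1. Image File Execution Options (note the word "File"; that is the real path).
    #    A "Debugger" value makes Windows start that program in place of the named one.
    #    Legitimate entries exist (e.g. vsjitdebugger.exe), so review before deleting.
    $ifeo = "$root\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = Get-Value $key.PSPath 'Debugger'
        if ($dbg) {
            $findings += [pscustomobject]@{ Check = 'IFEO Debugger'; Name = $key.PSChildName; Value = $dbg }
        }
    }

    # 2. Winlogon Shell must be exactly "Explorer.exe". The SLURK entry quoted in the
    #    post appends a second executable, which then runs at every logon.
    $winlogon = "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = Get-Value $winlogon 'Shell'
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
        $findings += [pscustomobject]@{ Check = 'Winlogon Shell'; Name = 'Shell'; Value = $shell }
    }

    # 3. Run key: list every entry so paths like %System%\drivers\*.exe stand out.
    $run = "$root\Microsoft\Windows\CurrentVersion\Run"
    $runProps = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($p in $runProps) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $findings += [pscustomobject]@{ Check = 'Run'; Name = $p.Name; Value = $p.Value }
        }
    }

    # 4. .exe association: the default command is "%1" %*. Anything else routes every
    #    EXE launch through another program; after a cleanup that program is often gone,
    #    which is why no .exe will open until the association is repaired.
    $exeCmd = Get-Value "$root\Classes\exefile\shell\open\command" '(default)'
    if ($exeCmd -and $exeCmd -ne '"%1" %*') {
        $findings += [pscustomobject]@{ Check = 'exefile open command'; Name = '(default)'; Value = $exeCmd }
    }

    if ($findings) { $findings | Format-Table -AutoSize } else { 'Nothing suspicious in the checked locations.' }
}
finally {
    if ($HivePath) {
        # Release the handles the registry provider still holds; otherwise
        # reg.exe unload fails with "Access is denied".
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mountName | Out-Null
    }
}
```

Usage: `.\Audit-Hijacks.ps1` on a live machine, or `.\Audit-Hijacks.ps1 -HivePath X:\Windows\System32\config\software` with the victim's drive mounted as X:. Once a bad Debugger value is confirmed, `Remove-ItemProperty -Path "<that IFEO subkey>" -Name Debugger` removes it; keep the audit and the removal as separate steps so a legitimate debugger entry is not deleted by accident.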

arashjahn

Sep 27, 2010
OK, solution:

1. Take the hard drive out and put it in an enclosure. Run Malwarebytes Anti-Malware on the drive from your other computer via a USB/eSATA connection to the enclosure.

2. You'll find some problems with your registry. It will give you an option to repair, or to delete if it can't repair.

3. Put the hard drive back in the computer. Boot with the Windows XP SP3 disc that you used to install the OS. If you changed from SP2 to SP3, then get a Windows XP SP3 disc. Let it load, go to Windows Setup, and choose the repair option. This will take about an hour or so.

4. Windows will boot up, but it's not quite there yet. However, all your EXE files should work. You'll need to re-associate a bunch of your files, and perhaps reinstall some programs whose associations were deleted in step 2. (You'll definitely need to reinstall your Office 2007.)

5. Run Malwarebytes again.