Virus Help

Razorbacx
Legit Extremist
Posts: 368
Joined: Wed Aug 24, 2005 11:27 am
Location: Tulsa, Oklahoma


Post by Razorbacx »

A co-worker of mine was just hit with the QQlaid Trojan and, just as it is designed to do, she started getting nailed with pop-ups and other crap. Our IT, to some extent, has made enough fixes to her PC that allow her to continue to work with interruption; however, there is still a sliver of it left, as she got one single pop-up. I've gone into her IE properties and have disabled several oddball add-ons, and have taken a look at her registry and found the following under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:

Axgxxij ( C:\DOCUME~1\TERRI~1.ROM\APPLIC~1\DOBE~1\HKNTFS~1.EXE )
irssyncd ( C:\WINDOWS\system32\irssyncd.exe )
rasiav ( C:\WINDOWS\system32\rasiav.exe )
Tair ( "C:\PROGRA~1\YMANTE~1\services.exe" -vt ndrv )
xxldg ( C:\WINDOWS\system32\cjakfq.exe reg_run )


I also checked her System32 folder and sorted everything by date modified and found about 30 entries at the time of her trojan attack. Do these need to be deleted? Any thoughts about what we can do about the above registry entries? Please remember that she cannot load any 3rd party software on her computer, because it is a company pc and they frown on that here.

Thanks,

Razorbacx
kenc51
Legit Extremist
Posts: 5167
Joined: Thu Jun 23, 2005 1:56 pm
Location: Dublin, Republic of Ireland

Post by kenc51 »

Since she can't install 3rd party software and the pc is needed for work.....I wouldn't touch the registry........not worth the risk!

Get her to contact ISG again and have the pc wiped.
My company uses a separate partition to store a Ghost image.....she could back up her e-mails etc. to her P:\ drive (network drive, if she has one) and then reinstall windoze. Explain to ISG that the virus is a security risk and could open a backdoor for hackers and/or use a keylogger; ISG should then reinstall due to the risks!

If you try anything, and it makes things worse.....you're responsible!!!!
Nobahar
Legit Extremist
Posts: 459
Joined: Fri Jul 15, 2005 9:09 am

Post by Nobahar »

I'm assuming you used HijackThis, right? If not, check with that. Then I'd search for anything you see as odd in Google to see if and what virus it is connected to.

Compile a list of the malicious entries and if you're going to delete them, do it in safe mode. Then check to see if they're still there after reboot.

If they are, then you need to find and disable the registry key for that file (or just delete it). If it's a more serious rootkit problem, there is special software for dealing with that too.

However, if a search on Google tells you that the file modified was a system file of some sort, then don't delete it or the keys for it. I'd try using regsvr32 to re-register that file.

--

To keep it brief. The first thing I'd check is to see if any of those registry keys are actually creating those files in the system folder. If they are, you need to delete both the reg key and the file.

Sometimes it won't work that smoothly; I'd keep track of things with HijackThis. If you can get a log of her processes and post it, I'm sure one of us can check it for you.
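The two checks the thread keeps coming back to, which Run entries point at files dropped during the infection (Razorbacx's registry listing and the System32-sorted-by-date look) and whether a removed entry comes back after a reboot (Nobahar's advice), can be done from one script instead of by eye. The following PowerShell is an added example written for this thread, not something posted by any of the participants and not a HijackThis feature. It assumes PowerShell 3 or later on the affected machine, an elevated prompt, an incident window supplied by the operator (the default of the last 24 hours is an assumption), and a baseline file path of the script's own choosing. It parses each Run value the way the listing above is formatted (quoted or unquoted path followed by arguments), reports whether the file exists, whether it carries a valid Authenticode signature, whether it was written inside the window, and whether it lives under the user profile; it lists System32 files written in the same window; and on a second run after cleanup and reboot it reports which of the previously flagged entries are present again.

```powershell
# Added triage script for the thread above (not from any poster). Assumptions: PowerShell 3+,
# run elevated on the affected PC; the operator passes the incident window; $Baseline is an
# arbitrary path chosen for this example.
param(
    [datetime]$IncidentStart = (Get-Date).AddDays(-1),   # assumed default: last 24 hours
    [datetime]$IncidentEnd   = (Get-Date),
    [string]$Baseline        = (Join-Path $env:USERPROFILE 'autorun-baseline.json')
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable out of a Run value such as  "C:\PROGRA~1\YMANTE~1\services.exe" -vt ndrv
# or  C:\WINDOWS\system32\cjakfq.exe reg_run  (unquoted path followed by arguments).
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $CommandLine.Trim() -split '\s+'
    # An unquoted path may itself contain spaces: take the longest prefix that is a real file.
    for ($n = $tokens.Count; $n -ge 1; $n--) {
        $candidate = $tokens[0..($n - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# One record per Run entry: file present, signature status, written inside the window,
# and whether it sits under the user profile (both long and 8.3 spellings, as in the listing).
function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }       # drop provider metadata
        foreach ($p in $props) {
            $exe    = Get-ExecutablePath -CommandLine ([string]$p.Value)
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $item   = if ($exists) { Get-Item -LiteralPath $exe } else { $null }
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            $lw     = if ($item) { $item.LastWriteTime } else { $null }
            $inWin  = [bool]($item -and $lw -ge $IncidentStart -and $lw -le $IncidentEnd)
            $inProf = ($exe -like '*\Application Data\*') -or ($exe -like '*\AppData\*') -or
                      ($exe -like '*\APPLIC~1\*') -or ($exe -like '*\DOCUME~1\*') -or
                      ($exe -like "$env:USERPROFILE*")
            [pscustomobject]@{
                Key           = $key
                Name          = $p.Name
                Executable    = $exe
                Exists        = $exists
                Signature     = $sig
                LastWrite     = $lw
                InWindow      = $inWin
                InUserProfile = $inProf
            }
        }
    }
}

$report  = Get-AutorunReport
$suspect = $report | Where-Object { $_.InWindow -or $_.InUserProfile -or $_.Signature -ne 'Valid' }

"Run entries worth a second look (unsigned, missing, in the profile, or written in the window):"
$suspect | Format-Table Name, Executable, Exists, Signature, LastWrite, InWindow -AutoSize

# The "sort System32 by date modified" check from the thread, without the GUI.
"Files in System32 written between $IncidentStart and $IncidentEnd:"
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -File |
    Where-Object { $_.LastWriteTime -ge $IncidentStart -and $_.LastWriteTime -le $IncidentEnd } |
    Sort-Object LastWriteTime | Format-Table Name, LastWriteTime, Length -AutoSize

# Persistence check: the first run saves the suspect entries; after they are removed and the
# machine rebooted, a second run shows which of them are back (something is recreating them).
if (Test-Path -LiteralPath $Baseline) {
    $before = Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json
    $back   = $report | Where-Object { $_.Name -in @($before.Name) }
    "Entries from the saved baseline that are present again after reboot:"
    $back | Format-Table Key, Name, Executable, Exists -AutoSize
} else {
    ConvertTo-Json -InputObject @($suspect | Select-Object Key, Name, Executable) |
        Set-Content -LiteralPath $Baseline
    "Baseline saved to $Baseline. Remove the suspect entries, reboot, then rerun this script."
}
```

Run it once before touching anything to get the flagged list and the baseline, then again after the cleanup and reboot. An entry that reappears in the second run means the file or key is being recreated by something still running (a service, a scheduled task, or a second executable), which is exactly the case where the thread's advice to have the machine reimaged rather than hand-cleaned applies. Entries pointing at unsigned or missing files under System32 should be looked up by name before anything is deleted, as Nobahar notes, since a legitimate system file that was merely modified is handled differently from a dropped one.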