cant access 'folder options', 'task manager' etc.

mykul

System Restore: can't make a restore point (CP) or disable SR

Any ideas what this is? I've scanned and nothing has come up, only the same rootkit problem (which doesn't go away, but it's not this, as this is recent, and the problem had occurred before this):

"Rootkit.TDss.Gen (Rootkit)
Details: Rootkit.TDss.gen is a rootkit-protected, malicious backdoor program that opens compromised PCs to further infestation by malicious programs.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TDSSDATA (7 entries)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS (3 entries)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections (2 entries)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed (37 entries)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector (2 entries)
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\versions (2 entries)
"


and
"Worm.Win32.VB.ck (Worm.Generic)
Status: Deleted

Processes detected
c:\WINDOWS\lsass.exe

Files detected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSconfig.exe
C:\New Folder.exe
c:\WINDOWS\system\lsass.exe"


which also doesn't go away, and has been there forever. I've quarantined and deleted it; it comes back after every restart.


AND the next problem is that System Restore isn't working. I can't make a restore point; it says that I should restart and try again. I did, and it still doesn't work. And I can't disable System Restore.

It says (in grey, meaning I can't click it) "Turn Off System Restore (disabled by Group Policy)".

I have no idea what Group Policy is. SR used to work; only recently has it stopped working. By the way, a lot of my things were disabled, such as Task Manager, Folder Options, etc., but I fixed those thanks to Google :p

Also, my System Restore exe was deleted (rstrui or something), so I got my friend to send me the exe again. So yeah.
 
What anti-virus/anti-spyware programs are you running? How are you running them (Safe Mode, full scan, etc.)? Removing System Restore and "hiding" files seems like the kind of thing spyware likes to do.
 
Any help with System Restore? I can't disable System Restore to do a Safe Mode scan.
 
I would suggest trying Gmer to remove the rootkit, as well as Malwarebytes, like atomic rooster suggested.

and

Here is a suggested way to remove the worm, but make sure you back up your registry and the files you delete before attempting this, unless you don't care if you lose your system:

2. Temporarily disable System Restore (Windows Me/XP).
3. Update the virus definitions. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all Worm.Win32.VB.ck infected files, and delete/modify any values added to the registry.
Navigate to the subkey and delete the values as follows:

<Windows>\lsass.exe
<System>\lsass.exe

The following registry entries are changed to run lsass.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <System>\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,<System>\lsass.exe

W32/VB-CXI changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

Registry entries are created under:

HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz

5. Exit the registry editor.
6. Delete the IE temp files, or you may download ATF Cleaner to run a full cleaning, and restart the computer.
8. Now you may have removed Worm.Win32.VB.ck successfully.
 
Thanks man, that looks really helpful, I'll start on that when I get some time! Thanks!

Oh, by the way, on those regedit entries, what do I change the values to? 0?

For all of them? Or are those what the values are meant to be? :S
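The registry values listed in the removal post above are what the worm sets, not target values: for the Policies entries (DisableTaskMgr, DisableRegistryTools, NoFolderOptions, NoRun, the Internet Explorer Homepage lock, and the SystemRestore DisableConfig policy that greys out the System Restore controls), the clean state is for the value not to exist at all, and the Winlogon Shell and Userinit values go back to their defaults so the dropped lsass.exe copies no longer start at logon. The PowerShell script below is an added example, not code from the thread or from any of the posters; it audits every value and file named in that post and, with -Fix, deletes the policy values, restores Winlogon, and removes the dropped files. It assumes a Windows XP layout (userinit.exe under %SystemRoot%\system32, Shell = Explorer.exe), must be run as Administrator from Safe Mode so the worm's lsass.exe copies are not running, and does nothing about the TDSS rootkit, which needs Gmer or an offline scan as suggested earlier.

```powershell
# Added example: audit and undo the registry/file changes attributed above to
# Worm.Win32.VB.ck / W32/VB-CXI. Run elevated, from Safe Mode. The XP defaults
# for Shell and Userinit below are an assumption about the target machine.
param([switch]$Fix)

$sysroot = $env:SystemRoot   # e.g. C:\WINDOWS

# Policy values the worm sets to 1. The clean state is "value absent", not 0.
$policyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';       Name = 'DisableConfig' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'Homepage' }
)

# Values the worm overwrites, with the expected clean setting. Hidden=2 and
# HideFileExt=1 are the XP defaults the worm relies on to hide its files, so the
# expected values here are the hardened settings (show hidden files/extensions).
$expectedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';       Expected = 'Explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Userinit';    Expected = "$sysroot\system32\userinit.exe," },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';      Expected = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Expected = 0 }
)

# Files the scan log above reported as dropped by the worm. The real lsass.exe
# lives in system32; the copies in <Windows> and <Windows>\system are the worm.
$droppedFiles = @(
    "$sysroot\lsass.exe",
    "$sysroot\system\lsass.exe",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\MSconfig.exe",
    'C:\New Folder.exe'
)

function Get-RegValue($key, $name) {
    # Returns $null when either the key or the named value is missing.
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

$findings = 0

foreach ($p in $policyValues) {
    $v = Get-RegValue $p.Key $p.Name
    if ($null -ne $v) {
        $findings++
        Write-Host ("POLICY SET   {0}\{1} = {2}" -f $p.Key, $p.Name, $v)
        if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction Stop }
    }
}

foreach ($e in $expectedValues) {
    $v = Get-RegValue $e.Key $e.Name
    if ("$v" -ne "$($e.Expected)") {     # -ne is case-insensitive, so Explorer.exe == explorer.exe
        $findings++
        Write-Host ("UNEXPECTED   {0}\{1} = '{2}' (want '{3}')" -f $e.Key, $e.Name, $v, $e.Expected)
        if ($Fix) { Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Expected -ErrorAction Stop }
    }
}

foreach ($f in $droppedFiles) {
    if (Test-Path $f) {
        $findings++
        Write-Host "FILE PRESENT $f"
        if ($Fix) { Remove-Item -Path $f -Force -ErrorAction Stop }   # -Force: the files are hidden
    }
}

Write-Host ("{0} finding(s){1}" -f $findings, $(if ($Fix) { ' - fixed' } else { ' - run with -Fix to remediate' }))
```

Run it once without -Fix to see what is actually set, then with -Fix; a second run without -Fix should report 0 findings. If the Winlogon Shell or Userinit value or the lsass.exe copies come back after a reboot, something else is still re-dropping them and the machine is not clean.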
 