Old 12-30-2008, 07:50 PM   #1
system restore, can't make CP, or disable SR

Any ideas what this is? I've scanned and nothing has come up, only the same rootkit problem (which doesn't go away, but it's not this, as this is recent, and the problem has occurred before this):

"Rootkit.TDss.Gen Rootkit
Details: Rootkit.TDss.gen is a rootkit-protected, malicious backdoor program that opens compromised PCs to further infestation by malicious programs.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TDSSDATA
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\versions
"


and
"Worm.Win32.VB.ck Worm.Generic
Status: Deleted

Processes detected
c:\WINDOWS\lsass.exe

Files detected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSconfig.exe
C:\New Folder.exe
c:\WINDOWS\system\lsass.exe"


which also doesn't go away, and has been there forever. I've quarantined and deleted it, and it comes back after every restart.


AND the next problem is that System Restore isn't working. I can't make a restore point; it says that I should restart and try again. I did, and it still doesn't work. And I can't disable System Restore.

It says (in grey, meaning I can't click it) "Turn Off System Restore (disabled by Group Policy)".

I have no idea what Group Policy is. SR used to work; it has only recently stopped working. Btw, a lot of my things were disabled, such as Task Manager, Folder Options etc., but I fixed those thanks to Google :P

Also, my System Restore exe was deleted (rstrui or something), so I got my friend to send me the exe again. So yeah.
-- mykul
Old 12-31-2008, 04:18 AM   #2
Re: can't access 'folder options', 'task manager' etc.

What anti-virus/anti-spyware programs are you running? How are you running them (safe mode, full scan, etc.)? Removing System Restore and "hiding" files seems like the kind of stuff spyware likes to do.
-- Jk
Old 12-31-2008, 09:23 PM   #3
Re: can't access 'folder options', 'task manager' etc.

Using AVG and CounterSpy.
-- mykul
Old 12-31-2008, 09:29 PM   #4
Re: can't access 'folder options', 'task manager' etc.

I would suggest giving Malwarebytes a shot. Boot into safe mode, disable System Restore, and run your anti-virus programs.
-- Atomic Rooster
Old 12-31-2008, 11:21 PM   #5
Re: can't access 'folder options', 'task manager' etc.

Any help with System Restore? I can't disable System Restore to do a safe-mode scan.
-- mykul
Old 01-02-2009, 05:53 AM   #6
Re: can't access 'folder options', 'task manager' etc.

bump
-- mykul
Old 01-02-2009, 03:07 PM   #7
Re: can't access 'folder options', 'task manager' etc.

I would suggest trying GMER to remove the rootkit, as well as Malwarebytes like Atomic Rooster suggested.

and

Here is a suggested way to remove the worm, but make sure you back up your registry and the files you delete before attempting this, unless you don't care if you lose your system:

1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions. Reboot the computer in Safe Mode.
3. Run a full system scan and clean/delete all Worm.Win32.VB.ck infected files, and delete/modify any values added to the registry.
Navigate to the subkey and delete the values as follows:

<Windows>\lsass.exe
<System>\lsass.exe

The following registry entries are changed to run lsass.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <System>\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,<System>\lsass.exe

W32/VB-CXI changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

Registry entries are created under:

HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz

4. Exit the registry editor.
5. Delete the IE temp files, or you may download ATF Cleaner to run a full cleaning, and restart the computer.
6. Now you may remove Worm.Win32.VB.ck successfully.
-- netBooger
Old 01-05-2009, 07:45 PM   #8
Re: can't access 'folder options', 'task manager' etc.

Thanks man, that looks really helpful, I'll start on that when I get some time! Thanks!

Oh btw, on those regedit entries, what do I change the values to? 0?

For all of them? Or what? Or are those what the values are meant to be? :S
-- mykul
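Added example (editor's code, not any poster's procedure): a script that checks a `reg export` dump for the values netBooger listed, including the HKLM\SOFTWARE\Policies\...\SystemRestore\DisableConfig policy that is what greys out mykul's "Turn Off System Restore (disabled by Group Policy)" option, and prints the reg.exe commands that undo them. On the "do I set them to 0?" question: the Policies values (DisableTaskMgr, DisableRegistryTools, NoFolderOptions, NoRun, DisableConfig) do not exist at all on a clean XP install, so the script deletes them rather than zeroing them; Winlogon Shell and Userinit must not be deleted but set back to their defaults, Explorer.exe and C:\WINDOWS\system32\userinit.exe, (the trailing comma is part of the value); and Explorer's Hidden/HideFileExt are set so hidden files and extensions show again, which is what exposes "New Folder.exe" as an executable. Assumptions: the dump came from something like `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (reg.exe writes UTF-16 LE, so read the file with encoding="utf-16"); SAMPLE_DUMP is constructed to mirror the thread's values and is not output from mykul's machine; the IE start page and the Yahoo Pager keys from the list are not covered. Caveat: the real lsass.exe lives in C:\WINDOWS\system32, and both copies the scanner found (C:\WINDOWS and C:\WINDOWS\system) are outside it; the Winlogon entries relaunch that file on every logon, so the registry fix only sticks once those files, and the rootkit driver protecting the TDSS keys, are gone (Safe Mode plus GMER, as the posts suggest).

```python
"""Audit a `reg export` (.reg) dump for the Worm.Win32.VB.ck registry changes
listed in the thread and print the reg.exe commands that undo them.  Added
example; assumes XP defaults Shell="Explorer.exe", Userinit="C:\\WINDOWS\\system32\\userinit.exe,"."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SR_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# (key, value) -> ("absent", None): the value does not exist on a clean install, so
# deleting it (not "setting it to 0") restores the default.  ("equal", x): must be x.
BASELINE = {
    (WINLOGON, "Shell"): ("equal", "Explorer.exe"),
    (WINLOGON, "Userinit"): ("equal", r"C:\WINDOWS\system32\userinit.exe,"),
    (HKCU_POL + r"\System", "DisableRegistryTools"): ("absent", None),
    (HKCU_POL + r"\System", "DisableTaskMgr"): ("absent", None),
    (HKCU_POL + r"\Explorer", "NoFolderOptions"): ("absent", None),
    (HKCU_POL + r"\Explorer", "NoRun"): ("absent", None),
    (HKLM_POL + r"\Explorer", "NoFolderOptions"): ("absent", None),
    (SR_POL, "DisableConfig"): ("absent", None),  # greys out "Turn off System Restore"
    (ADVANCED, "Hidden"): ("equal", 1),           # 1 = show hidden files, 2 = hide them
    (ADVANCED, "HideFileExt"): ("equal", 0),      # 0 = show extensions ("New Folder.exe")
}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def parse_reg(text):
    """Return {key: {name: value}} with key and value names lower-cased (the
    registry is case-insensitive); REG_SZ -> str, REG_DWORD -> int, others raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = reg.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue  # file header, comment, blank or hex continuation line
        name, data = _unescape(m.group(1) or "").lower(), m.group(2)
        if len(data) > 1 and data[0] == data[-1] == '"':
            key[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            key[name] = int(data[6:], 16)
        else:
            key[name] = data
    return reg


def audit(reg):
    """Return [(key, name, observed, expected)] for every deviation from BASELINE."""
    findings = []
    for (key, name), (mode, expected) in BASELINE.items():
        values = reg.get(key.lower(), {})
        present = name.lower() in values
        observed = values.get(name.lower(), "<absent>")
        if mode == "absent":
            ok = not present
        elif isinstance(expected, str):
            ok = isinstance(observed, str) and observed.lower() == expected.lower()
        else:
            ok = observed == expected
        if not ok:
            findings.append((key, name, observed, expected if mode == "equal" else "<absent>"))
    return findings


def remediation_commands(findings):
    """reg.exe commands (elevated prompt) that put each flagged value back."""
    short = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
    cmds = []
    for key, name, _, expected in findings:
        hive, _, rest = key.partition("\\")
        k = short.get(hive, hive) + "\\" + rest
        if expected == "<absent>":
            cmds.append('reg delete "%s" /v %s /f' % (k, name))
        elif isinstance(expected, int):
            cmds.append('reg add "%s" /v %s /t REG_DWORD /d %d /f' % (k, name, expected))
        else:
            cmds.append('reg add "%s" /v %s /t REG_SZ /d "%s" /f' % (k, name, expected))
    return cmds


# Constructed sample mirroring the values netBooger listed; not a real export.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system\\lsass.exe"
"Userinit"="userinit.exe,C:\\WINDOWS\\system\\lsass.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_DUMP))  # real export: open(path, encoding="utf-16").read()
    for f in found:
        print("%s\\%s = %r, expected %r" % f)
    print("\n".join(remediation_commands(found)))
```

Run it against the sample and it flags seven values (Shell, Userinit, DisableRegistryTools, DisableTaskMgr, DisableConfig, Hidden, HideFileExt) and prints one reg.exe line per finding; run those from an administrator prompt after the lsass.exe copies are gone, then re-export and re-run the script to confirm the audit comes back empty.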