Ok, got a fix for this…
First, I got the file when I downloaded AnyDVD+serial+crack from Morpheus. I did this because a) I’m thrifty (ok, cheap) and b) I have like 30 tools that each have 1 extra feature I need, and didn’t want to shell out the money for another. Anyhoo, lesson learned, let’s move on.
This trojan does several things. For one, it deletes every MP3 on your computer. It also deletes every copy of NTDETECT.COM, which prevents your system from rebooting. It then adds three registry keys that lock you out as administrator. One is NoControlPanel, another is DisableRegistryTools, the last is DisableTaskMgr. Finally it breaks the executable file association so you can’t run any .exe files (directly; more on this in a sec). The program also seems to use a virus as a vector to keep itself installed, although this wasn’t a huge problem compared with everything else. Pretty nasty, but fixable.
Ok, by the time you realize you have a problem, your computer probably doesn’t restart. I booted off my WinXP CD and did the repair console thing. I issued the FIXMBR command (don’t know if this actually had any effect, but it didn’t hurt) and then copied NTDETECT.COM from the D:\i386\ folder into C:\. Now I could boot.
Luckily, I have my text files associated with TextPad (Helios Software Solutions). This meant when I double-clicked on a text file, TextPad opened up. TextPad very handily has a Run command which bypasses the .exe file association. The point is you need some sort of way of executing commands directly.
Now, first thing we need to do is get task manager back under our control. Issue this command:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
(In TextPad, the REG goes in the command box, everything else goes in the parameters.) This basically changes the DisableTaskMgr value to 0, letting you Ctrl+Alt+Delete. There’s a program in the processes list (sorry, forgot the name; just try to execute an exe and you’ll see it pop up) that seems to be from the virus. Just kill it when it comes up. Now we need to run our virus scanners, Ad-Awares, etc… F-Prot with the most recently updated definitions file (dated today, 3-18-05) found the virus, called W32/Killfiles.H, in the trojan program. I’m guessing this infects the MBR and then reinfects it each time the program is running, but that is just conjecture. Delete the file, let it clean everything. Oh yeah, to run it, just copy/paste the shortcut in your Start menu into the command line of whatever you are using to issue commands.
Now we just fix the other three problems. To get control of our registry editor, run the following:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Now, go get this: http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/EXEfix08.reg and apply it by just running it in your command issue-er thing. This fixes your exe problem.
Ah, almost there. Now just run regedit and do a search for NoControlPanel. There should be only one that has a value, but if not, change those too. Set its value to 0. This requires a reboot to take effect. Cross your fingers and restart.
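If you want to check the whole cleanup in one go rather than one REG command at a time, here is an added PowerShell script (my own example, not from the original post or the EXEfix file) that audits and resets the three lockout policy values described above and checks the .exe association. It assumes you can run it from an elevated prompt; the Policies\Explorer paths are included because NoControlPanel normally lives there rather than under Policies\System, and the exefile check only covers the core open command, not everything the EXEfix .reg file restores.

```powershell
# Added example (not part of the original post): audit and reset the
# DisableTaskMgr / DisableRegistryTools / NoControlPanel policy values and
# verify the .exe file association. Run from an elevated PowerShell prompt.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools', 'NoControlPanel'

foreach ($key in $policyKeys) {
    # Keys may not exist on a clean machine; skip them rather than create them.
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues) {
        $current = $props.$name
        if ($null -ne $current -and $current -ne 0) {
            Write-Host "$key\$name = $current (lockout set; resetting to 0)"
            Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        }
    }
}

# The stock open command for .exe files is "%1" %* ; anything else (an extra
# program in front of %1, a different path) means the association was hijacked.
$exeCmd   = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$expected = '"%1" %*'
$actual   = (Get-ItemProperty -Path $exeCmd).'(default)'
if ($actual -ne $expected) {
    Write-Host "exefile open command is '$actual' (expected '$expected'); restoring"
    Set-ItemProperty -Path $exeCmd -Name '(default)' -Value $expected
} else {
    Write-Host '.exe association looks normal'
}
```

As with the manual steps, a reboot (or at least a fresh logon) is needed before Explorer picks up the restored policy values.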
Ok, so that should be it (I think; it was like 3 in the morning when I finally finished). Just for fun you should re-run all your virus scanners, etc. Everything except my MP3s is back and normal (I hope).
A comment from me: Ok, so piracy is wrong, but is it really worse than destroying someone’s whole computer without any way to back up pictures of their daughter or whatever? Malicious “hackers” suck. I hope they burn in the bottom layers of hell with Jon Tesh.