
Virus file and registry keys are locked down


chpicker (Programmer), Apr 10, 2001
One of my clients has a WinXP machine that was infected with a version of the Pandex trojan. All of the research I've done leads me to a single file and a series of registry keys that all need to be deleted. The problem is, I can't.

The file (c:\windows\system32\drivers\ekp62.sys) gives me "Access Denied" when I try to delete it. No surprise there. What IS surprising is that, when I right click and select "Properties", there is only a General tab. No Security or Summary tabs. Every other file in the folder has a Security tab but this one.

The registry keys are even worse. I can bring up permissions on them; I have Full Control. But I cannot delete them, rename them, or change their values. I get an error message any time I try to do so. Any other registry keys or values can be changed just fine.

Safe Mode is not an option. One of the registry keys that it put in registers the file under the Minimal and Network configurations so it loads up at all times.

I'm curious, then. How can someone lock down registry keys like that? How can you hide the security tab from just one file? More importantly, how can I reverse these processes so I can delete the registry keys and the file? I am logged in to the computer as a local administrator.
 
Trojan.Pandex!inf (removal at bottom of the page)

as to your permission question, this can be done through the SYSTEM, as opposed to LOCAL, it has FULL access, whereas LOCAL only has certain FULL access... a little weirdly worded but a service running as SYSTEM will have full access to ALL, whereas an Admin will only have access to things NOT controlled by the SYSTEM... at least that is my understanding of the problem...

to delete that file, try the program UNLOCKER

also post a HiJackThis log here for our perusal so that we may be able to tell you more...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Attacking your problem from outside the current Windows environment may be a way to go.

Something like BARTPE, or the Recovery Console may help you?

From BARTPE you would be able to load Registry Hives and amend entries and save the amendments.

Cannot logon to winxp...losing lots of valuable documents
thread779-975236

As an Administrator, highlight one of the two following keys; it will only be available for these keys.

HKEY_LOCAL_MACHINE
HKEY_USERS

These two articles in the RegEdit Help are a good explanation of the process.

To load a hive into the registry
To unload a hive from the registry

How to edit the registry offline using BartPE boot CD

Many third party programs that perform low level actions deep inside of Windows have the ability to protect their programs by removing the Security Tab; as to how that is done, I don't know.
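The offline hive procedure described in the post above (load the SYSTEM hive under HKEY_LOCAL_MACHINE from a boot environment, amend the entries, unload so the changes are written back), worked through as an added example that is not from the thread or from any of the tools it names. It assumes a WinPE-style boot environment that has PowerShell available rather than BartPE itself (the reg load/unload steps are the same ones the RegEdit Help articles describe), that the infected Windows installation is mounted at D:\, and that the driver file is the ekp62.sys named in the first post; the service name that loads it is not known from the thread, so the script finds it by searching ImagePath values. It also removes the Safe Mode registrations under SafeBoot\Minimal and SafeBoot\Network that the first post says keep the driver loading in Safe Mode.

```powershell
# Added example: clean a malicious driver's registry entries from an OFFLINE
# SYSTEM hive, so the driver is not running while its keys are edited.
# Assumptions (hypothetical): infected install mounted at D:\, PowerShell
# available in the boot environment, running with administrative rights.
$OfflineWindows = 'D:\Windows'                              # assumption
$HivePath       = Join-Path $OfflineWindows 'System32\config\SYSTEM'
$MountName      = 'OfflineSYSTEM'                           # temporary key name under HKLM
$DriverFile     = 'ekp62.sys'                               # file named in the thread

# 1. Load the offline hive as HKLM\OfflineSYSTEM (same as Regedit "Load Hive").
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # An offline hive has no CurrentControlSet link; resolve it from Select\Current.
    $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $ccs     = "HKLM:\$MountName\ControlSet{0:D3}" -f $current

    # 2. Find every service whose ImagePath references the driver file.
    $services = Get-ChildItem "$ccs\Services" | Where-Object {
        $ip = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $ip -and ($ip -like "*$DriverFile*")
    }
    if (-not $services) { Write-Host "No service references $DriverFile in this hive." }

    foreach ($svc in $services) {
        $name = $svc.PSChildName
        Write-Host "Service '$name' loads $DriverFile"

        # Record the ACL the key carries; with the driver not running, the
        # "Full Control but cannot delete" symptom from the thread disappears.
        (Get-Acl $svc.PSPath).Access |
            Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

        # 3. Remove the Safe Mode registrations (keyed by service name or by
        #    driver file name) and then the service key itself.
        foreach ($mode in 'Minimal', 'Network') {
            foreach ($keyName in @($name, $DriverFile)) {
                $sb = "$ccs\Control\SafeBoot\$mode\$keyName"
                if (Test-Path $sb) {
                    Remove-Item $sb -Recurse -Force
                    Write-Host "Removed $sb"
                }
            }
        }
        Remove-Item $svc.PSPath -Recurse -Force
        Write-Host "Removed $($svc.PSPath)"
    }
}
finally {
    # 4. Release PowerShell's handles on the hive, then unload it so the
    #    amendments are written back to D:\Windows\System32\config\SYSTEM.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}

# 5. Nothing in the offline install is running, so the file itself can now be deleted.
$file = Join-Path $OfflineWindows "System32\drivers\$DriverFile"
if (Test-Path $file) { Remove-Item $file -Force; Write-Host "Deleted $file" }
```

If `reg unload` reports that the hive is still in use, a registry key is still open in the session; close any other `HKLM:\OfflineSYSTEM` paths (or the Regedit window) and retry, because the hive is only written back on a successful unload. Taking ownership of the file (`takeown`/`icacls`) is only needed if the offline copy still denies access, which the running driver can no longer cause.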
 
Killbox - use it to whack a file upon reboot and use the "replace with dummy" option so that the malware thinks it's still in place and running so it won't try to reinstall itself. As mentioned above - Bart PE CD for remote registry editing and you can do what you want to do in the registry.

I'm not sure how anyone can live without a PE bootable disk. It has changed my life.
 
Thanks for the tips, guys.

I suppose it might have been beneficial to point out that I don't have physical access to this computer. It's not even in the same state.

That said, it looks like my best option is going to be either Unlocker or Killbox at this point. I had already tried running HijackThis and using the "Remove file on reboot" option. It didn't work. Are these programs different/better? I assume it didn't work because this file has attached itself to the kernel and is running as part of the system.

It may be that, because of this, it is impossible to remove from within the system and I'll have to try to talk someone on-site through the process with a boot disk. That doesn't sound like fun.
 