
Trojan Removal

Posted by admin on January 26, 2013 in IT |

UPDATE
Finally managed to carry out the trojan removal. The tool that did it was Kaspersky's Rescue CD 10. It took a short while, but I finally figured out why the virus kept recreating itself and attaching to the Userinit registry value. I had to investigate further and look at the actual startup entries: there was a secondary, older entry that I had disabled but hadn't noticed, and the entry was hidden as well.

To remove the source of the virus, I booted Kaspersky's Rescue CD and opened its registry editor. The values I changed were under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the Shell and Userinit values). I made sure Userinit was set to exactly C:\WINDOWS\system32\userinit.exe, (trailing comma included), with nothing else appended after it.

After this I went to HKCU\Software\Microsoft\Windows\CurrentVersion\Run (under the Kaspersky editor HKCU is not present as such; the user's hive has to be loaded as a key) and made sure I deleted the reference to the file.

After this I went into the file manager and deleted the files that I couldn't even find in Safe Mode, even with hidden files and system files shown. These were hidden under the Administrator account's Local Settings\Application Data folder and also in the Start Menu\Startup folder.

After this I rebooted the computer and started cleaning; no issues since, and it is clean. I'm now just boosting the performance to try and speed it up a little more. Something I'm also doing is password-protecting the antivirus. This can be circumvented by deleting a .dat file, but it makes it that little bit harder for the malware to tamper with the antivirus. I'll be supplying the information to the customer to help them out.
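As an added example (not code from the original post, and not the tool the author used), the steps above can be turned into an offline check: export the Winlogon key and the user's Run key to a .reg file from the rescue environment, then compare them against the clean defaults. The script below parses a constructed .reg export, verifies that Userinit contains nothing but C:\WINDOWS\system32\userinit.exe, (trailing comma included), lists anything appended to it, and flags Run entries that point into Local Settings, Application Data or Temp, which is where the extra startup entries were hiding here. The key paths are the real XP ones; the file name xkqvz.exe and the offline hive name are assumptions made up for the sample.

```python
import re
from typing import Dict, List

# Constructed sample (not taken from the infected laptop): a .reg export of the
# two persistence locations discussed above, as produced by regedit's Export.
# The Userinit value has a hypothetical second executable appended, and the
# Run key carries a matching hypothetical entry under Local Settings\Application Data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\xkqvz.exe,"

[HKEY_USERS\offline_ntuser\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xkqvz"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\xkqvz.exe"
'''

# Clean defaults for a 32-bit Windows XP install; compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"  # the trailing comma is part of the value
EXPECTED_SHELL = "explorer.exe"
# Directories a legitimate Run entry rarely points into on XP.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # only REG_SZ values are handled


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key_path: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            # .reg files escape quotes and backslashes; undo both.
            keys[current][name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def userinit_extras(userinit: str) -> List[str]:
    """Return every program in a comma-separated Userinit value other than userinit.exe."""
    parts = [p.strip() for p in userinit.split(",") if p.strip()]
    return [p for p in parts if p.lower() != EXPECTED_USERINIT.rstrip(",")]


def audit(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag Winlogon values that differ from the defaults and Run entries in user-writable dirs."""
    findings: List[dict] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            userinit = values.get("Userinit", "")
            if userinit.lower() != EXPECTED_USERINIT:
                findings.append({"check": "Userinit", "key": key, "name": "Userinit",
                                 "value": userinit, "extras": userinit_extras(userinit)})
            shell = values.get("Shell", "")
            if shell and shell.lower() != EXPECTED_SHELL:
                findings.append({"check": "Shell", "key": key, "name": "Shell", "value": shell})
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            for name, target in values.items():
                if any(d in target.lower() for d in SUSPICIOUS_DIRS):
                    findings.append({"check": "Run", "key": key, "name": name, "value": target})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"[{f['check']}] {f['key']}\\{f['name']} = {f['value']}")
```

On the sample this reports the extra executable appended to Userinit and the matching Run entry, and nothing for ctfmon.exe or the default Shell. The same two checks are worth repeating after a reboot, because an entry that is recreated after cleaning means a second persistence location (or an infected file) was missed, which is exactly what happened here.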

PREVIOUSLY ON BLOGS OF ANDREW………….
For the first time ever, I've actually come across a hard-to-remove computer trojan. Now, not to brag, but generally removing trojans and viruses is easy; they're nothing more than a pain in the ass at times, taking over a couple of browsers or infecting a couple of files that need cleaning.

THIS one, crikey. I recently agreed to take on a laptop and help clean it, and I had the infection removed within an hour. I thought that was it; then the computer started acting a bit weird, the antivirus was disabled and would no longer start up again. Lo and behold, the problems I faced removing this little bugger.

Currently, from what I can understand, this virus / trojan is a backdoor dropper. I've only found two detections so far, one as W32.Parite and another as Luhe.Msil.C. There are a couple of overrides in place as well, against the antivirus, the browser (a hijacker) and the firewall, which makes it a bit pesky.

I disabled System Restore and booted into Safe Mode to remove it. I went about the usual duties with Malwarebytes: the malware creates a registry entry pointing at a randomly named .exe in Application Data. I removed it from the registry and set about deleting the file, but this virus keeps itself present even in Safe Mode. Scan the PC and it isn't detected, although there are a few randomly named text files appearing in the Local Settings\Application Data directory for the Administrator account.

Needless to say, it's proving to be a complete pain in the ass to remove. I could just wipe the laptop and start fresh, but I want to retain the customer's data and only use that as a last resort. I'd rather clean it and then post the solution for future reference.

To date I've used a multitude of antiviruses; they detect it and remove it, but the pesky little shit recreates itself. I'm cleaning at the moment and will update further. I may end up creating a virtual machine when I fix it, so I can infect the virtual machine and work on a proper removal solution. That would be a longer-term fix, however; short term I've got 2 laptops to fix, with one of them being a right annoying sod.

I will persevere; I just have to crack on and remove it.


Copyright © 2012-2018 Andrew Hope All rights reserved.