Just downloaded a screensaver recently and enjoying the great 3d solar system view but after a couple of second a balloon pop-up notifying me that my Windows Firewall and Windows Update was disabled! So it got me thinking that the screensaver I've just downloaded was a trojan!! (stupid-stupid-stupid!)
A bit lucky i got my Windows Firewall back but ... I couldn't turn Windows Update on! its like something's monitoring it and keeping it disabled! hmmm.... tricky situation...
After a half hour of hunting ... I thought of using Autoruns to look more deeply in Windows autoruns and saw some weird dll filenames in:
- Logon
- Explorer - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- Internet Explorer - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- LSA Providers - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
----- deltroj.bat -----
@echo off
cls
echo deleting stupid trojans
echo deleting
echo d:\windows\system32\tptdclih.dll
del d:\windows\system32\tptdclih.dll
echo deleting
echo d:\windows\system32\pmnkkcsl.dll
del d:\windows\system32\pmnkkcsl.dll
echo deleting
echo d:\windows\system32\pmnmklbb.dll
del d:\windows\system32\pmnmklbb.dll
echo deleting
echo d:\windows\system32\jmvqbh.dll
del d:\windows\system32\jmvqbh.dll
echo done
pause
---- end ----
oh and btw, those are locked! means you can't delete them while WindowsXP is running or download Unlocker - that should help you delete those files ... or you can boot up in DOS mode ... errrrr .... how? I used BootCD from Hiren
hmmm... so after those stuff, I rebooted and bootup in normal WindowsXP, got some notifications about missing files... that means my OS is clean but I should do some manual clean up ... run Autoruns again and look on the tabs where I found the trojan files and deleted the entry!
and that's it!! :P stupid-me .... and dump-ass-a-hole trojan creator *wink*
