0

Eh, attempted to fix another comp heavily infested with a worm.
Ran McAfee AV. It cleaned some files, I quaranteed others, and deleted the rest.
It told me to reboot so I did.
I ran every thing on the Rescue Disk and it found nothing.

After I choose a user and enter Windows XP (home) everything appears to be fine but then all the desktop icons disappear, the taskbar disappears, but there are processes running. What the hell did I do? :(

Edit ~ Here are some error messages

rundll32.exe
The instruction at 0x61002958 referenced memory at 0x00a7088c. The memory could not be "read".

McAfee VirusScan
Some components of ActiveShield are either missing or might not have been installed properly. Please reinstall ActiveShield.
(i think i installed this in safe mode with networking)
x2

System Configuration Utility window pops up and says something, but I can't read it :\

2
Contributors
10
Replies
11
Views
12 Years
Discussion Span
Last Post by swatkat
1

Hi,
Do you get icons and taskbar in safe mode?

Let's try this one, open NotePad, and copy the contents of the below "Code" box:-

regedit /e test1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" 
regedit /e test2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
regedit /e test3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" 
regedit /e test4.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" 
regedit /e test5.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
regedit /e test6.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e test7.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

copy test1.txt + test2.txt + test3.txt + test4.txt + test5.txt + test6.txt + test7.txt = info.txt

del test1.txt
del test2.txt
del test3.txt
del test4.txt
del test5.txt
del test6.txt
del test7.txt

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-Click on the file Test.bat, a small DOS type window should open and close immediately. After this, there would be a file called Info.txt in the same location where Test.bat was present. Open the Info.txt and post it's contents here.

Votes + Comments
Hey, thanks for your help lately :) -- dlh
0

yeah everything is fine in safe mode. i will try this and report back. thanks!

0

here are the results....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"LTSMMSG"="LTSMMSG.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Share-to-Web Namespace Daemon"="D:\\HP Share-to-Web\\hpgs2wnd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1120928620\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"lrtt"="C:\\WINDOWS\\System32\\lrtt.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"lmi"="C:\\WINDOWS\\System32\\lmi.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AOL Fast Start"="\"D:\\Program Files\\America Online 9.0\\AOL.EXE\" -b"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

~

I've been working on this comp from 3:30am (PST) and still working on it... it's 1:16pm lol. I don't give up. I ran Ewido, HJT, Killbox (can't get rid of svchost.exe), trendmicro housecall, mcafee antivirus, and trojan hunter. The computer is infected with W32/Pate.b and no matter how many times I run mcafee it doesn't get it all. I even got the worm killer thing from the microsoft website (supposed to remove sasser and others) and that didn't work. When I went to "end task" on 4 running instances of svchost.exe, one of them made the comp shutdown with a 45sec timer.

0

File: lrtt.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 c5d1bd0c682106929f3fb2efbebc7f48
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
AntiVir Found TR/Dldr.Lastad.P
ArcaVir Found Trojan.Downloader.Lastad.P
Avast Found nothing
AVG Antivirus Found Downloader.Generic.YH
BitDefender Found Trojan.Downloader.Lastad.P
ClamAV Found Worm.Mytob.FJ
Dr.Web Found Trojan.DownLoader.2905
F-Prot Antivirus Found nothing
Fortinet Found W32/Lastad.P-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Lastad.p
NOD32 Found Win32/TrojanDownloader.Lastad.P
Norman Virus Control Found W32/Lastad.P
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Lastad.p

and

File: lmi.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 bc6e9fb694c51177a22071705c1a9b43
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
AntiVir Found TR/Dldr.Lastad.h.1
ArcaVir Found Trojan.Downloader.Lastad.H
Avast Found Win32:Trojano-1516
AVG Antivirus Found Downloader.Generic.RE
BitDefender Found Trojan.Downloader.Lastad.H
ClamAV Found Worm.Mytob.FJ
Dr.Web Found Trojan.DownLoader.2991
F-Prot Antivirus Found W32/Downloader.CRT
Fortinet Found W32/Lastad.H-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Lastad.h
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Lastad.H
UNA Found TrojanDownloader.Win32.Lastad
VBA32 Found Trojan-Downloader.Win32.Lastad.h

Hmm, this folder is caked with this stuff. Almost every single *.exe file on this comp is infected with whatever worm this is. Er, that's what McAfee is pointing to as well.

0

Hi,
:D To remove these file's registry entry, follow these steps, Open NotePad, and copy the contents of the below "Code" box:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lrtt"=-
"lmi"=-

Go to File Menu > Save As, and save the file with the name Remove.reg and exit from NotePad.
Double-Click on the file Remove.reg, and choose "Yes" to merge it with Registry.

There may be some more viruses, try HouseCall or/and Panda Scan.

0

The first time around when I did house call, it found well over 2K infected files. When it went to the Recover process, it didn't list any of the 2K+ and it wouldn't let me do anything. Every time I open something a window pops open for a brief sec, a Windows Installer window.... I'm about to toss this heap out the window even though it's not mine.

0

Hi,
IT seems that there are a lot of infected files. Try to perform the scans in Saf mode with networking option. You can go to "Safe Mode with Networking" mode, by doing this:-
1] Restart (or switch ON) the PC.
2] Then, keep tapping the F8 Key.
3] From the menu that will be displayed, out of which choose Safe Mode with Networking and press Enter.

0

Well, after many hours, 18+ with no breaks, I finally managed to completely rid this computer of all the junk and crud. Thanks very much for your help! I clicked around, manually deleted 276kb size files in c:\windows\system32 folder, downloaded AOL 9.0SE for the free McAfee AntiVirus (have an account), ran that a few times, uninstalled AOL and McAfee, ran every other program I had available at least twice to make sure I got every thing out. Online virus scan wasn't showing me any results. Something was bugged with Internet Explorer. Oh well, I got to job done though I made it harder than it was.

0

Glad that the PC is coming back to track ;-)
If you are having any problems with Internet Explorer, try this, open IE, go to Tools Menu > Advanced. Here click "Programs" tab, and click "Reset Web Settings" button to reset IE to default settings.

And to remove obslete registry entries that could have been done by those malwares, you can use CCleaner. Click the "Issues" button, and click "Scan for issues", and delete all the entries it may show up.

You can use SpywareBlaster to prevent the installation of bad ActiveX or BHO components. Just install SpywareBlaster, run it, click "Enable All Protection" and close it.

Sometimes, spywares mess up Hosts file to redirect to bad IE to unwanted websites. To restore the original Hosts file of Windows, you can use Hoster, and unzip it a folder. Then run Hoster, click "Restore Original Hosts" and click "OK". Exit the program.

To reset the Trusted Zones ad other settings of IE, you can use DelDomains. Right-Click on the below link, and click "Save As" or "Save Target As", and save it with the default filename (that would be deldomains.inf). Then right-click on the DelDomains.inf and click "Install".
http://www.mvps.org/winhelp2002/DelDomains.inf

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.