Startup log .....


Stuff
December 5th 03, 08:31 PM
Thank you so much for working this with me, Bruce!

8/23/2003 9:12:49 PM

-- Registry - HKEY_LOCAL_MACHINE RunOnce --
No Items Found

-- Registry - HKEY_LOCAL_MACHINE Run --
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
Iomega Automatic Backup 1.0.1 C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
LVCOMS C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
QD FastAndSafe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Winsock2 driver WINLODR.SCR
KernelFaultCheck

-- Registry - HKEY_CURRENT_USER RunOnce --
Winsock2 driver WINLODR.SCR

-- Registry - HKEY_CURRENT_USER Run --
Iomega Automatic Backup C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
LTM2 C:\WINDOWS\Edit32\Edit32.exe
BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe
PIMOne C:\Program Files\PIMOne\PIMOne.EXE /AutoRun

-- Registry - HKEY_USERS\.DEFAULT Run --
No Items Found

-- Start Menu - Current User --
iexplore.exe.lnk
msimn.exe (2).lnk
Norton System Doctor.LNK
OUTLOOK.EXE.lnk

-- Start Menu - All Users --
ZoneAlarm.lnk

-- Disabled Items --
DirectCD
INSTAN~1
BackWeb-8876480
ISStart
LogiTray
mcalert
MotiveSB
Netscp
msmsgs
qttask
RealPlay
REGIST~1
realsched
XupiterToolbarLoader
Billminder
Logitech Desktop Messenger
Microsoft Office
Push Client
Quicken Startup
ScanPanel
Verizon Online Dialer
Verizon Online Support Center
PalNetaware
radio@netscape

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k rpcss
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
explorer.exe C:\WINDOWS\Explorer.EXE
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
CCAPP.EXE "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
hpztsb03.exe "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe"
iBackup.exe "C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe"
LVComS.exe "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
realsched.exe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winlodr.scr "C:\WINDOWS\System32\WINLODR.SCR" /S
ctfmon.exe "C:\WINDOWS\System32\ctfmon.exe"
FreeRAM.exe "C:\Program Files\FreeRAM\freeram.exe"
zonealarm.exe "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe"
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
msimn.exe "C:\Program Files\Outlook Express\msimn.exe"
SYSDOC32.EXE "C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE" /startup
OUTLOOK.EXE "C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE"
inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
AppServices.exe "C:\PROGRA~1\Iomega\System32\AppServices.exe"
mdm.exe "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
NAVAPSVC.EXE "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"
NPROTECT.EXE "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
snmp.exe C:\WINDOWS\System32\snmp.exe
NOPDB.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
ups.exe C:\WINDOWS\System32\ups.exe
vsmon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
fxssvc.exe C:\WINDOWS\system32\fxssvc.exe
WINWORD.EXE "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" -Embedding
explorer.exe "C:\WINDOWS\explorer.exe"
msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
StartupTracker3.exe "C:\Documents and Settings\Howie\Desktop\Startup tracker\StartupTracker3.exe"
wmiprvse.exe

Doug Knox MS-MVP
December 5th 03, 08:31 PM
Stuff,

The virus file is WINLODR.SCR. This is not a valid file. Open the renamed
Task Manager in C:\EmergencyUtils and go to the Processes tab. Highlight
this process and click End Process. Now, you can try closing the Task
Manager and opening it normally. If it works, you've pinpointed the virus,
and it was the only one.

Now, go to the Windows and Windows\System32 folder and look for the
WINLODR.SCR file. If found, delete it. If necessary, do a search of your
entire hard disk and delete the file, wherever it's found.

Next, run REGEDIT (normal, if it will start, or the renamed copy if it
won't). Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete the value in the right pane called Winsock2 Driver.

Then go to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

and delete the value in the right pane for Winsock2 Driver. Both of these
are references to run the virus file.

The only other two entries that I'm not familiar with are:

LTM2 C:\WINDOWS\Edit32\Edit32.exe
BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe

These entries are in:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

They may be legitimate programs that you have installed, they may not. Only
you can answer that question. If, after killing the WINLODR.SCR process,
you still can't run Task Manager, MSConfig or REGEDIT, these two would be
where I would start next.

And last but not least, I don't recognize the entry for KernelFaultCheck
which is being loaded from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It
doesn't show a command line,
--
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Associate Expert
ExpertZone - http://www.microsoft.com/windowsxp/expertzone
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

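As an added example (not from the thread, and not part of the StartupTracker tool), a small Python script that parses the Run/RunOnce sections of a log in the format quoted above and applies the checks Doug walks through by hand: a value whose command is a bare filename with no path, a value with no command line shown, and the same value name registered in more than one autorun location. The embedded sample log is constructed from a few of the entries above; the check for a screensaver (.scr) file used as an autorun is an extra heuristic of my own.

```python
import re

# Constructed sample in the format of the startup log quoted in this thread.
SAMPLE_LOG = """\
-- Registry - HKEY_LOCAL_MACHINE Run --
ccApp "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
Winsock2 driver WINLODR.SCR
KernelFaultCheck

-- Registry - HKEY_CURRENT_USER RunOnce --
Winsock2 driver WINLODR.SCR

-- Registry - HKEY_CURRENT_USER Run --
ctfmon.exe C:\\WINDOWS\\System32\\ctfmon.exe
"""
SECTION_RE = re.compile(r"^-- Registry - (HKEY_[A-Z_.\\]+) (Run|RunOnce) --$")

def parse_entry(line):
    """Split a log line into (value name, command); command is None when absent."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith('"') or "\\" in tok:          # first token that looks like a path
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    if len(tokens) > 1 and re.search(r"\.[A-Za-z0-9]{2,4}$", tokens[-1]):
        return " ".join(tokens[:-1]), tokens[-1]        # bare filename, no path
    return line, None                                   # value name only

def triage(log_text):
    """Return (hive, key, value name, reason) tuples for autorun entries worth a look."""
    findings, seen, hive, key = [], {}, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            hive, key = m.group(1), m.group(2)
            continue
        if line.startswith("--"):                       # any other section is ignored
            hive = None
        if not line or line == "No Items Found" or hive is None:
            continue
        name, cmd = parse_entry(line)
        seen.setdefault(name, []).append((hive, key))
        if cmd is None:
            findings.append((hive, key, name, "no command line shown"))
        elif "\\" not in cmd:                           # located via the search path, not a fixed location
            findings.append((hive, key, name, "bare filename, no path: " + cmd))
        if cmd and re.search(r'\.scr("|\s|$)', cmd, re.I):
            findings.append((hive, key, name, "screensaver file used as an autorun: " + cmd))
    for name, locs in seen.items():                     # same value in several autorun locations
        for hive, key in (locs if len(locs) > 1 else []):
            findings.append((hive, key, name, "registered in %d autorun locations" % len(locs)))
    return findings
```

A "no command line shown" hit such as KernelFaultCheck is worth reading straight from the registry with REGEDIT, since the log may simply not display a command that uses an environment variable.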

kovacsg@canada.com
December 5th 03, 08:39 PM
I encountered a similar issue. It all started when I noticed Task
Manager disappeared and I was not able to start regedit. Using Norton
Anti-virus I updated my system (& dat file) and performed a full
system scan. This did not find any viruses or worms. After reading
about a similar issue on Symantec's site I then turned off System
Restore, started up in Safe Mode and ran a full scan. This also found
no viruses or worms.

I was able to troubleshoot that winlodr.scr was causing the issues so
I removed the file and removed the entries in the registry. After a
few minutes I noticed the file had returned and the registry entries
were back.

To work around this issue I created a zero-byte text file called
winlodr.scr in the appropriate location and set the properties to
hidden and read-only. This appears to work, but I think if I
remove the file the malicious winlodr.scr will be placed back.

I attempted to run an online virus scan from
www.housecall.antivirus.com
and it found SpyBot.Worm on the computer, but it did not appear to
clean it and I was not able to verify this with any other virus
checking program.

Can someone shed light on which virus/worm this is and how I can
remove it from my computer?

Thanks

Doug Knox MS-MVP
December 5th 03, 08:40 PM
It was likely a new variant of SpyBot. If the file is in use (running),
many times it won't be able to be removed or quarantined. You need to look
for a running process in Task Manager that has the same name as the virus
checker found. Kill the process, then delete the file, just as you did with
the WINLODR.SCR file.


