Stuff
December 5th 03, 08:31 PM
Hi Doug,
My system is now clean!
It was the WINLODR.SCR file that was the culprit, as you highly suspected.
I followed your steps precisely; I deleted the file, and deleted the two
entries in the registry.
The original msconfig, regedit, and task manager all work now after
rebooting!
Your remaining concerns with other log entries are not a problem.
Appreciate your thoroughness here, too!
THANX so very much, Bruce! I will be acting real soon on the suggestion
you make on your web site.
So very grateful,
Howie Adams
"Doug Knox MS-MVP" > wrote in message
...
> Stuff,
>
> The virus file is WINLODR.SCR. This is not a valid file. Open the renamed
> Task Manager in C:\EmergencyUtils and go to the Processes tab. Highlight
> this process and click End Process. Now, you can try closing the Task
> Manager and opening it normally. If it works, you've pinpointed the virus,
> and it was the only one.
>
> Now, go to the Windows and Windows\System32 folder and look for the
> WINLODR.SCR file. If found, delete it. If necessary, do a search of your
> entire hard disk and delete the file, wherever it's found.
>
> Next, run REGEDIT (normal, if it will start, or the renamed copy if it
> won't). Go to:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> and delete the value in the right pane called Winsock2 Driver.
>
> Then go to:
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
>
> and delete the value in the right pane for Winsock2 Driver. Both of these
> are references to run the virus file.
>
> The only other two entries that I'm not familiar with are:
>
> LTM2 C:\WINDOWS\Edit32\Edit32.exe
> BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe
>
> These entries are in:
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> They may be legitimate programs that you have installed, they may not. Only
> you can answer that question. If, after killing the WINLODR.SCR process,
> you still can't run Task Manager, MSConfig or REGEDIT, these two would be
> where I would start next.
>
> And last but not least, I don't recognize the entry for KernelFaultCheck
> which is being loaded from
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It
> doesn't show a command line,
> --
> Doug Knox, MS-MVP Windows XP/ Windows Smart Display
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Associate Expert
> ExpertZone - http://www.microsoft.com/windowsxp/expertzone
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Stuff" > wrote in message
> ...
> > Thank you so much for working this with me, Bruce!
> >
> > 8/23/2003 9:12:49 PM
> >
> > -- Registry - HKEY_LOCAL_MACHINE RunOnce --
> > No Items Found
> >
> > -- Registry - HKEY_LOCAL_MACHINE Run --
> > ccApp "C:\Program Files\Common Files\Symantec
> > Shared\ccApp.exe"
> > ccRegVfy "C:\Program Files\Common Files\Symantec
> > Shared\ccRegVfy.exe"
> > HPDJ Taskbar Utility
> > C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
> > Iomega Automatic Backup 1.0.1 C:\Program Files\Iomega\Iomega Automatic
> > Backup\ibackup.exe
> > LVCOMS C:\Program Files\Common
> > Files\Logitech\QCDriver3\LVCOMS.EXE
> > QD FastAndSafe
> > C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
> > QuickTime Task "C:\Program
> > Files\QuickTime\qttask.exe" -atboottime
> > TkBellExe "C:\Program Files\Common
> > Files\Real\Update_OB\realsched.exe" -osboot
> > Winsock2 driver WINLODR.SCR
> > KernelFaultCheck
> >
> > -- Registry - HKEY_CURRENT_USER RunOnce --
> > Winsock2 driver WINLODR.SCR
> >
> > -- Registry - HKEY_CURRENT_USER Run --
> > Iomega Automatic Backup C:\Program Files\Iomega\Iomega Automatic
> > Backup\ibackup.exe
> > ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
> > LTM2 C:\WINDOWS\Edit32\Edit32.exe
> > BySoft FreeRAM C:\Program Files\FreeRAM\freeram.exe
> > PIMOne C:\Program Files\PIMOne\PIMOne.EXE /AutoRun
> >
> > -- Registry - HKEY_USERS\.DEFAULT Run --
> > No Items Found
> >
> > -- Start Menu - Current User --
> > iexplore.exe.lnk
> > msimn.exe (2).lnk
> > Norton System Doctor.LNK
> > OUTLOOK.EXE.lnk
> >
> > -- Start Menu - All Users --
> > ZoneAlarm.lnk
> >
> > -- Disabled Items --
> > DirectCD
> > INSTAN~1
> > BackWeb-8876480
> > ISStart
> > LogiTray
> > mcalert
> > MotiveSB
> > Netscp
> > msmsgs
> > qttask
> > RealPlay
> > REGIST~1
> > realsched
> > XupiterToolbarLoader
> > Billminder
> > Logitech Desktop Messenger
> > Microsoft Office
> > Push Client
> > Quicken Startup
> > ScanPanel
> > Verizon Online Dialer
> > Verizon Online Support Center
> > PalNetaware
> > radio@netscape
> >
> > -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows
> > NT\CurrentVersion\Winlogon --
> > Explorer.exe
> >
> > -- Running Processes --
> > System Idle Process
> > System
> > smss.exe \SystemRoot\System32\smss.exe
> > csrss.exe
> > winlogon.exe winlogon.exe
> > services.exe C:\WINDOWS\system32\services.exe
> > lsass.exe C:\WINDOWS\system32\lsass.exe
> > svchost.exe C:\WINDOWS\system32\svchost -k rpcss
> > svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
> > svchost.exe
> > svchost.exe
> > explorer.exe C:\WINDOWS\Explorer.EXE
> > spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
> > CCEVTMGR.EXE "C:\Program Files\Common Files\Symantec
> > Shared\ccEvtMgr.exe"
> > CCAPP.EXE "C:\Program Files\Common Files\Symantec
> > Shared\ccApp.exe"
> > hpztsb03.exe
> > "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe"
> > iBackup.exe "C:\Program Files\Iomega\Iomega Automatic
> > Backup\ibackup.exe"
> > LVComS.exe "C:\Program Files\Common
> > Files\Logitech\QCDriver3\LVCOMS.EXE"
> > realsched.exe "C:\Program Files\Common
> > Files\Real\Update_OB\realsched.exe" -osboot
> > winlodr.scr "C:\WINDOWS\System32\WINLODR.SCR" /S
> > ctfmon.exe "C:\WINDOWS\System32\ctfmon.exe"
> > FreeRAM.exe "C:\Program Files\FreeRAM\freeram.exe"
> > zonealarm.exe "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe"
> > iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
> > msimn.exe "C:\Program Files\Outlook Express\msimn.exe"
> > SYSDOC32.EXE "C:\Program Files\Norton SystemWorks\Norton
> > Utilities\SYSDOC32.EXE" /startup
> > OUTLOOK.EXE "C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE"
> > inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
> > AppServices.exe "C:\PROGRA~1\Iomega\System32\AppServices.exe"
> > mdm.exe "C:\Program Files\Common Files\Microsoft
> > Shared\VS7Debug\mdm.exe"
> > NAVAPSVC.EXE "C:\Program Files\Norton SystemWorks\Norton
> > AntiVirus\navapsvc.exe"
> > NPROTECT.EXE "C:\Program Files\Norton SystemWorks\Norton
> > Utilities\NPROTECT.EXE"
> > snmp.exe C:\WINDOWS\System32\snmp.exe
> > NOPDB.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
> > svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
> > ups.exe C:\WINDOWS\System32\ups.exe
> > vsmon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
> > fxssvc.exe C:\WINDOWS\system32\fxssvc.exe
> > WINWORD.EXE "C:\Program Files\Microsoft
> > Office\Office\WINWORD.EXE" -Embedding
> > explorer.exe "C:\WINDOWS\explorer.exe"
> > msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
> > StartupTracker3.exe "C:\Documents and Settings\Howie\Desktop\Startup
> > tracker\StartupTracker3.exe"
> > wmiprvse.exe
> >
> >
> >
>
>
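The procedure Doug walks through above (end the process, delete the file, delete the Run/RunOnce values that reference it) done as a script, as an added PowerShell example that is not part of the thread or of Doug's site. It assumes PowerShell 2.0 or later running in an elevated console, and reuses the thread's C:\EmergencyUtils folder as the place to store a .reg backup of each key before a value is removed; the function names and the "suspicious" heuristics (empty command line, bare file name with no directory, image missing from disk) are this example's own, chosen to match the two things the thread flagged: the bare "WINLODR.SCR" value and the empty KernelFaultCheck value.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ and an elevated
# console. Covers only the four Run/RunOnce keys inspected in the thread.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Return the executable part of a Run value's command line.
# Handles both "C:\Program Files\x.exe" -flag and bare foo.exe /S forms.
function Split-CommandLine {
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    return ($cl -split '\s+')[0]
}

# A bare file name in a Run value carries no directory; look where the
# thread looked, %SystemRoot% and %SystemRoot%\System32. $null if absent.
function Resolve-AutorunImage {
    param([string]$Image)
    if ([System.IO.Path]::IsPathRooted($Image)) { return $Image }
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
        $candidate = Join-Path $dir $Image
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

# One object per Run/RunOnce value, flagged when it shows a sign from the
# thread: no command line, a bare file name, or an image not found on disk.
function Get-AutorunReport {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $flags = @()
            if ($data -eq '') { $flags += 'no command line' }
            else {
                $image = Split-CommandLine $data
                if (-not [System.IO.Path]::IsPathRooted($image)) { $flags += 'bare file name (no path)' }
                if (-not (Resolve-AutorunImage $image)) { $flags += 'image not found on disk' }
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $data
                Suspicious = ($flags.Count -gt 0); Reason = ($flags -join '; ')
            }
        }
    }
}

# Doug's three steps for one image: stop the process, remove every Run/RunOnce
# value that references it (after exporting the key), then delete the file.
function Remove-Autorun {
    param(
        [Parameter(Mandatory=$true)][string]$ImageName,   # e.g. WINLODR.SCR
        [string]$BackupDir = (Join-Path $env:SystemDrive 'EmergencyUtils')
    )
    # Get-Process names have no extension: winlodr.scr runs as "winlodr".
    $base = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
    Get-Process -Name $base -ErrorAction SilentlyContinue | Stop-Process -Force

    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match [regex]::Escape($ImageName)) {
                $regPath = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
                $backup = Join-Path $BackupDir ("{0}-{1}.reg" -f ($key -replace '[:\\]', '_'), $name)
                & reg.exe export $regPath $backup /y | Out-Null
                Remove-ItemProperty -Path $key -Name $name
                Write-Host "Removed $key\$name ($data); backup in $backup"
            }
        }
    }
    # "do a search of your entire hard disk": every copy of the image goes.
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $ImageName -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force; Write-Host "Deleted $($_.FullName)" }
}

# Usage:
#   Get-AutorunReport | Where-Object { $_.Suspicious } | Format-List
#   Remove-Autorun -ImageName 'WINLODR.SCR'
```

Run the report first and read it the way Doug read the Startup Tracker log: a flagged entry is a lead, not a verdict, since a legitimate installer can also leave a bare file name or an empty value behind. The .reg export lets you put a value back if you removed the wrong one. The script covers only the Run/RunOnce keys; the log in the thread also shows the Winlogon Shell value being checked, and that and the other autostart locations still need a look by hand.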