Guest John Reinders
Posted July 25, 2007

Hi,

The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:

Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...

Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...

He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal

We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.

I'm assuming our best solution is to format the drive and reinstall XP?

Has anyone else run across this one and is there a simpler solution to fix what is broke?

I would appreciate any suggestions and help you can offer.

Thank you, John
--
John Reinders
Hubley, NS

Please remember to remove -removetoreply- when emailing me.

Guest Jim C
Posted July 25, 2007

Re: XP + MSN + Worm - System now unstable

As a starting point you need to identify the loaded program causing the problem. Run a program called msinfo32.exe. Select software environment, then loaded modules. Sort the table by manufacturer. You should see file(s) without a manufacturer name or the name "not available" is displayed. These are the files that I would investigate as causing the problem. Some files are legit so you need to be careful. There is a lot more involved to remove the infection but this will get you pointed in the right direction.

"John Reinders" <johnreinders@hfx.eastlink-removetoreply-.ca> wrote in message news:46A7542D.6020008@hfx.eastlink-removetoreply-.ca...
> Hi,
>
> The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:
>
> Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...
>
> Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...
>
> He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal
>
> We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.
>
> I'm assuming our best solution is to format the drive and reinstall XP?
>
> Has anyone else run across this one and is there a simpler solution to fix what is broke?
>
> I would appreciate any suggestions and help you can offer.
>
> Thank you, John
> --
> John Reinders
> Hubley, NS
>
> Please remember to remove -removetoreply- when emailing me.

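
The msinfo32 check described in Jim C's reply can also be scripted. The following is an added example, not part of any post in this thread: it lists loaded modules whose version resource has no manufacturer (CompanyName), with their Authenticode status and last-write time. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the variable names are illustrative.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+,
# run elevated so that more processes can be inspected.

# Map each loaded module path to the processes that loaded it.
$loadedBy = @{}
foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied / exited
    if (-not $modules) { continue }
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        if (-not $loadedBy.ContainsKey($m.FileName)) {
            $loadedBy[$m.FileName] = @()
        }
        if ($loadedBy[$m.FileName] -notcontains $proc.ProcessName) {
            $loadedBy[$m.FileName] += $proc.ProcessName
        }
    }
}

# Keep only modules with an empty CompanyName, the field msinfo32 shows
# as Manufacturer, and add signature status and last-write time.
$report = foreach ($path in $loadedBy.Keys) {
    try {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    } catch { continue }                                   # file vanished or unreadable
    if (-not [string]::IsNullOrWhiteSpace($info.CompanyName)) { continue }

    [pscustomobject]@{
        Path      = $path
        LoadedBy  = $loadedBy[$path] -join ', '
        Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        Modified  = (Get-Item -LiteralPath $path).LastWriteTime
    }
}

# Most recently written files first: recent drops are the first to review.
$report | Sort-Object Modified -Descending | Format-List
```

An unsigned module with no company name is only a lead, since legitimate files can lack both. A kernel-mode component that hides processes can also hide modules from this user-mode view, so an empty report does not show the system is clean.
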
Guest PA Bear
Posted July 25, 2007

Re: XP + MSN + Worm - System now unstable

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1 (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://forums.spybot.info/forumdisplay.php?f=22, http://castlecops.com/forum67.html, http://forums.subratam.org/index.php?showforum=7, http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.org

John Reinders wrote:
> Hi,
>
> The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:
>
> Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...
>
> Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...
>
> He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal
>
> We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.
>
> I'm assuming our best solution is to format the drive and reinstall XP?
>
> Has anyone else run across this one and is there a simpler solution to fix what is broke?
>
> I would appreciate any suggestions and help you can offer.
>
> Thank you, John

Guest duke
Posted July 25, 2007

Re: XP + MSN + Worm - System now unstable

On Jul 25, 9:54 am, "Jim C" <jec12...@earthlink.net> wrote:
> As a starting point you need to identify the loaded program causing the problem. Run a program called msinfo32.exe. Select software environment, then loaded modules. Sort the table by manufacturer. You should see file(s) without a manufacturer name or the name "not available" is displayed. These are the files that I would investigate as causing the problem. Some files are legit so you need to be careful. There is a lot more involved to remove the infection but this will get you pointed in the right direction.
>
> "John Reinders" <johnreind...@hfx.eastlink-removetoreply-.ca> wrote in message news:46A7542D.6020008@hfx.eastlink-removetoreply-.ca...
>
> > Hi,
>
> > The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:
>
> > Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...
>
> > Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...
>
> > He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal
>
> > We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.
>
> > I'm assuming our best solution is to format the drive and reinstall XP?
>
> > Has anyone else run across this one and is there a simpler solution to fix what is broke?
>
> > I would appreciate any suggestions and help you can offer.
>
> > Thank you, John
> > --
> > John Reinders
> > Hubley, NS
>
> > Please remember to remove -removetoreply- when emailing me.

You will probably have to go to another computer and download a program from Trend Micro called "sysclean package" available free for non-customers at the link below:

http://www.trendmicro.com/download/dcs.asp

The program and the corresponding virus pattern file must be copied into the same directory name of your choice. This can all be done by booting the computer in safe mode to copy these files and then running the virus removal program. This of course assumes your computer is alive enough to get into safe mode.

Good Luck

Guest Elmo
Posted July 25, 2007

Re: XP + MSN + Worm - System now unstable

John Reinders wrote:
> Hi,
>
> The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:
>
> Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...
>
> Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...
>
> He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal
>
> We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.
>
> I'm assuming our best solution is to format the drive and reinstall XP?
>
> Has anyone else run across this one and is there a simpler solution to fix what is broke?
>
> I would appreciate any suggestions and help you can offer.
>
> Thank you, John

Try running the AVG software from Safe Mode. With Avast! you can schedule a bootscan which should run before any virus can disable the software.

--
Joe =o)

Guest John Reinders
Posted July 25, 2007

Re: XP + MSN + Worm - System now unstable

John Reinders wrote:
> Hi,
>
> The other day (Monday) my son inadvertently (and I have warned him about doing this) opened a file (zip containing a .scr) he received from someone he's known for awhile on MSN and lo and behold his system became infected. AVG reported the offending worm as:
>
> Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual name of it...
>
> Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys, DefLib.sys and oocmhxl.exe...
>
> He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to stop it, he momentarily saw the process that was running, but then all processes disappeared from process manager? He no longer is able to use Ctrl Alt Del or the manager, and depending on what he is doing will end up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal
>
> We have run AdAware, AVG multiple times - plus in safe mode and believe we have cleaned out the offending worm. We were unable to run HiJackThis, as it also caused the same BSOD? We have tried to do system restores and have gone back to multiple checkpoints in the last two weeks, but none were successful. The problem is his system is now unstable.
>
> I'm assuming our best solution is to format the drive and reinstall XP?
>
> Has anyone else run across this one and is there a simpler solution to fix what is broke?
>
> I would appreciate any suggestions and help you can offer.
>
> Thank you, John

Hi everyone,

Thanks for all the tips, but this morning AVG found them all again. So we did a reformat and clean install of XP...It has been about 2 years since he got the PC, so probably about time. Everything running fine now...

Thanks again, John
--
John Reinders
Hubley, NS

Please remember to remove -removetoreply- when emailing me.