XP + MSN + Worm - System now unstable

John Reinders

Hi,

The other day (Monday) my son inadvertently (and I have warned him about
doing this) opened a file (zip containing a .scr) he received from
someone he's known for a while on MSN and lo and behold his system
became infected. AVG reported the offending worm as:

Trojan Horse Downloader Generic5.ETN and .SOZ Not sure of the actual
name of it...

Infected files, vnttgb.exe, notify.dll, printers.exe, 1(l)p6fw.sys,
DefLib.sys and oocmhxl.exe...

He ended up with multiple cascading MSN windows, he hit Ctrl Alt Del to
stop it, he momentarily saw the process that was running, but then all
processes disappeared from process manager? He no longer is able to use
Ctrl Alt Del or the manager, and depending on what he is doing will end
up with a BSOD because of a Stop Error... IRQL_Not_Less_Or_Equal

We have run AdAware, AVG multiple times - plus in safe mode and believe
we have cleaned out the offending worm. We were unable to run
HiJackThis, as it also caused the same BSOD? We have tried to do system
restores and have gone back to multiple checkpoints in the last two
weeks, but none were successful. The problem is his system is now unstable.

I'm assuming our best solution is to format the drive and reinstall XP?

Has anyone else run across this one and is there a simpler solution to
fix what is broken?

I would appreciate any suggestions and help you can offer.

Thank you, John
Jim C

As a starting point you need to identify the loaded program causing the
problem. Run a program called msinfo32.exe. Select software environment,
then loaded modules. Sort the table by manufacturer. You should see
file(s) without a manufacturer name or with the name "not available" displayed.
These are the files that I would investigate as causing the problem. Some
files are legit so you need to be careful. There is a lot more involved to
remove the infection but this will get you pointed in the right direction.
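Jim C's msinfo32 check (loaded modules with no manufacturer) can be scripted so the result is a CSV you can carry to another machine for analysis. This is an added example, not from the thread; it assumes PowerShell is available (on XP it is a separate download), and the report path and the "Suspect" heuristic are my own choices:

```powershell
# Added example: list every module loaded in every running process and flag
# those whose file has no CompanyName (msinfo32's "Not Available" manufacturer)
# or no valid Authenticode signature. Run from an elevated prompt.
$report = Join-Path $env:USERPROFILE 'loaded-modules-triage.csv'   # assumed path

$seen = @{}
$rows = foreach ($proc in Get-Process) {
    # Reading .Modules fails with access denied on some system processes;
    # skip those rather than abort the whole sweep.
    $mods = try { $proc.Modules } catch { @() }
    foreach ($mod in $mods) {
        $path = $mod.FileName
        if (-not $path -or $seen.ContainsKey($path)) { continue }   # one row per file
        $seen[$path] = $true

        $company = $mod.FileVersionInfo.CompanyName
        $status  = (Get-AuthenticodeSignature -FilePath $path).Status

        [pscustomobject]@{
            Process   = $proc.ProcessName
            Module    = $mod.ModuleName
            Path      = $path
            Company   = if ($company) { $company } else { 'Not Available' }
            Signature = $status
            # Heuristic only: no vendor string or no valid signature = look closer
            Suspect   = (-not $company) -or ($status -ne 'Valid')
        }
    }
}

# Same ordering as the msinfo32 advice: sort by manufacturer so the gaps cluster
$rows | Sort-Object Company, Path | Export-Csv -Path $report -NoTypeInformation
$rows | Where-Object { $_.Suspect } |
    Format-Table Process, Module, Company, Signature, Path -AutoSize
```

As Jim C says, an empty CompanyName or an unsigned file is only a reason to investigate, not proof of infection. Kernel drivers such as the .sys files AVG flagged do not appear in process module lists; check them in msinfo32's System Drivers view or with `driverquery /v`.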
PA Bear

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
duke

You will probably have to go to another computer and download a
program from Trend Micro called "sysclean package" available free for
non-customers at the link below:

http://www.trendmicro.com/download/dcs.asp

The program and the corresponding virus pattern file must be copied
into the same directory name of your choice. This can all be done by
booting the computer in safe mode to copy these files and then
running the virus removal program. This of course assumes your
computer is alive enough to get into safe mode.

Good Luck
Elmo

Try running the AVG software from Safe Mode. With Avast! you can
schedule a bootscan which should run before any virus can disable the
software.
John Reinders

Hi everyone,

Thanks for all the tips, but this morning AVG found them all again. So
we did a reformat and clean install of XP...It has been about 2 years
since he got the PC, so probably about time. Everything running fine now...

Thanks again, John