
Virus leftovers !

Discussion in 'Malware and Virus Removal Archive' started by jbarker, 2006/04/18.

  1. 2006/04/18
    jbarker

    jbarker Inactive Thread Starter

    Ok, we got a virus way back.
    Norton Anti Virus found it and asked if we wanted to delete it.
    We said yes.
    So, Norton got rid of it.
    However, reference to it is still somewhere.
    We found it in the registry and removed that.
    But it must be some place else.

    Some answered and said there are about 53 places it could be stored.
    And there may be another file that will regenerate the reference on reboot etc.

    Must be something like that.
    Because we get this message each time we boot up.

    "Windows cannot find C/Windows/System32/Tools/LostRun.exe. Make sure you typed the name correctly, and try again. "


    And Windows just stops. That computer is useless until we can get past the blockage.

    Only thing left is to have a LostRun.exe program available!

    So, as we can't delete the reference, can some of you DOS fans generate me a little "basic" file that the boot up finds (Named LostRun.exe) and when it runs it will then let the Windows load process continue ?

    I can then load it into the proper directory.

    This will let us move on.

    To reformat the drive is not an option - we got lots of stuff on it.
    And have been using the drive as a slave in order to get to some of
    those files.
    The drive really needs to be returned to the original machine because
    of the hardware configuration - sound card, graphics card etc.

    Thanks
     
  2. 2006/04/18
    TonyT

    TonyT SuperGeek Staff

    Start the computer in Safe Mode with Networking (press F8 during restart).
    Download HijackThis & post a scan log here.
    hijackthis:
    http://www.spywareinfo.com/~merijn/downloads.html
    OR download it to another comp & put on a floppy and move to other troublesome comp started in Safe Mode W/OUT networking.
     


  4. 2006/04/19
    jbarker

    jbarker Inactive Thread Starter

    Log file

    Logfile of HijackThis v1.99.1
    Scan saved at 3:34:49 PM, on 4/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\BellSouth Internet Tools\blsloader.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Parsons Technology\Screen Shot\SSHOT.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\LWB\Local Settings\Temp\wz353a\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\system32\Tools\LostRun.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Reboot.exe
    O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\SSHOT.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk572DUUS
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  5. 2006/04/19
    PeteC

    PeteC SuperGeek Staff

    Rescan in Safe Mode with HJT and check these items to fix ....

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\system32\Tools\LostRun.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk572DUUS

    Hopefully that will sort out the problem.
     
  6. 2006/04/19
    jbarker

    jbarker Inactive Thread Starter

    What the .......

    To Pete c

    Thanks.

    But to be honest, we don't have any idea of what you are saying !

    Sorry, we ain't computer savvy - them terms you use is useless.

    Anybody got plain English answers ?
     
  7. 2006/04/19
    PeteC

    PeteC SuperGeek Staff

    When you run an HJT scan there is a small check box to the left of each entry. Check those items that I have noted and then hit the Fix Checked button and reboot.
     
  8. 2006/04/20
    jbarker

    jbarker Inactive Thread Starter

    Problem solved !

    The problem file is now gone.
    Computer back up and running.

    Thanks
     
  9. 2006/04/20
    PeteC

    PeteC SuperGeek Staff

    Excellent news :) - thanks for the update.
     
  10. 2006/04/24
    jbarker

    jbarker Inactive Thread Starter

    We talked too soon !

    We did have success at removing the items you suggested.

    And when we rebooted the problem was gone.

    But not for long !!!!

    On the next bootup it came right back.

    We did the safe mode again.
    Run a HijackThis and one of the lines suggested for removal was back.

    That O4 - HKLM\.. \RunOnce: [Execute] C:\Windows\system32\Tools\LostRun.exe

    _______________________________________________________

    We checked it for deletion - worked - for one bootup.

    Then it came back on the next bootup.

    ________________________________________________________

    Did this for three more times - same problem.

    Somewhere there must be a small program (unknown) that keeps renewing this message.

    Any suggestions.

    Note: The hijack data is the same as listed above except the R3, O2 and the O8 we removed the first time are gone, and did not return.
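
The pattern reported in this thread, a fixed entry that is back in a later scan, can be confirmed by comparing the fixed entries against the rescan. This is an added example, not part of the original thread and not HijackThis code; `parse` and `compare` are hypothetical helpers, and the rescan sample is constructed from the poster's description.

```python
import re

# Entry lines look like "<code> - <text>", e.g. "O4 - HKLM\..\RunOnce: [Execute] C:\...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse(log_text):
    """Return {normalised_key: (code, original_text)} for every entry line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            code, body = m.groups()
            # Hand-typed copies differ in case and spacing ("HKLM\.. \RunOnce"),
            # so compare on a whitespace-free, lower-cased form.
            entries[code + "|" + re.sub(r"\s+", "", body).lower()] = (code, body)
    return entries

def compare(fixed_text, rescan_text):
    """Split fixed entries into returned / stayed gone, and list the other
    O4 (autostart) entries that are still present in the rescan."""
    fixed, rescan = parse(fixed_text), parse(rescan_text)
    returned = [body for k, (_, body) in fixed.items() if k in rescan]
    gone = [body for k, (_, body) in fixed.items() if k not in rescan]
    others = [body for k, (code, body) in rescan.items()
              if code == "O4" and k not in fixed]
    return returned, gone, others

# Entries ticked for fixing, copied from the first log in this thread.
FIXED = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\system32\Tools\LostRun.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk572DUUS
"""

# Constructed rescan: a subset of the first log without R3/O2/O8, with the
# RunOnce line as retyped in the follow-up post (different case, stray space).
RESCAN = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\.. \RunOnce: [Execute] C:\Windows\system32\Tools\LostRun.exe
O4 - Startup: Reboot.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    returned, gone, others = compare(FIXED, RESCAN)
    print("returned after fix:", returned)
    print("stayed gone:", len(gone))
    print("other autostarts still present:", others)
```

The last list is only a review queue: every remaining autostart entry runs at boot, so each is worth checking when a deleted value keeps being rewritten.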
     
  11. 2006/04/24
    TonyT

    TonyT SuperGeek Staff

    repeat the same cleanup steps but this time first do this:
    go to control panel & open folder options, then click the view tab, then put check next to:
    - show hidden files & folders
    - UNhide protected operating system files

    then:

    1. start in safe mode
    2. delete ALL folders & files in:
    c:\documents & settings/your-username/local settings/temp
    c:\documents & settings/your-username/local settings/temporary internet files

    rt click my computer icon on desktop & select "properties".
    click system restore tab
    disable system restore

    then do cleaning using hijackthis

    next:
    reboot again & this time choose safe mode with networking &
    download Adaware, install it & do a scan to remove spyware leftovers:
    get it here:
    http://www.download.com/3000-2144-10045910.html

    after done, restart normal mode & if all ok for a day or two then re-enable system restore.
     
    Last edited: 2006/04/24
