From: Cynanthis on 12 Jan 2010 10:04

Hi, I recently fought off some malware on my laptop PC. One of the steps I had to do was rename (extension) some things in the Recovery Console. My system now seems to be fine once again.

My questions are these: What do I need to do, if anything, with the few files that I renamed in RC? I renamed, for example, the userinit.exe file extension.

So far my system is running OK. The only thing that I have had issues with is that my internet keeps "coming and going", meaning my browser (IE7 or Firefox), or anything, randomly loses connectivity. It happens ONLY to my laptop. And almost daily.

Yesterday I did a Spybot Search & Destroy scan and it says it found CoolWebSearch and it associates itself with the winlogon.old file. Not sure, but I think that was one of the ones I renamed. Should I delete all that my virus/spyware scanners find, even if it's one of these renames? Do malware scanners typically 'find' and consider these renames threats?

Thanks in advance

Windows XP Home Edition SP2

From: "FromTheRafters" erratic on 12 Jan 2010 12:22

"Cynanthis" <nospam(a)nospam.com> wrote in message news:OhFYli5kKHA.5820(a)TK2MSFTNGP06.phx.gbl...

> Hi, I recently fought off some malware on my laptop PC. One of the
> steps I had to do was rename (extension) some things in the Recovery
> Console. My system now seems to be fine once again.

Knowing what you had would be helpful, also exactly what actions were taken to get to where you are now. The need to use the Recovery Console to rectify the situation indicates a fairly deep intrusion.

> My questions are these: What do I need to do, if anything, with the
> few files that I renamed in RC? I renamed, for example, the userinit.exe
> file extension.

Nothing needs to be done with the 'renamed away' files.

> So far my system is running OK. The only thing that I have had issues
> with is that my internet keeps "coming and going", meaning my browser
> (IE7 or Firefox), or anything, randomly loses connectivity. It happens
> ONLY to my laptop. And almost daily.

I suspect that you still have remnants of the unnamed affliction, or some changes it made to your system are still in place.

> Yesterday I did a Spybot Search & Destroy scan and it says it found
> CoolWebSearch and it associates itself with the winlogon.old file. Not
> sure, but I think that was one of the ones I renamed. Should I delete
> all that my virus/spyware scanners find, even if it's one of these
> renames?

I would, but that is not what I would recommend to others. Always opt for quarantine rather than delete, just in case a needed file gets falsely accused of being malware. Often when 'naming away' files, the extension is changed to 'old' from whatever it was, but there are other reasons that a file might have an 'old' extension. I typically rename an 'exe' to 'xex' or a 'com' to a 'moc' or similar so that I will know what the extension used to be.

> Do malware scanners typically 'find' and consider these renames
> threats?

Scanners typically scan many non-executable filetypes, and as such can alert to these files. They are not really threats (if they cannot run) but can be easily made so by companion malware.
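
The advice in the reply above (quarantine rather than delete, and rename so the old extension stays recoverable), as an added example that is not code from the thread or from any scanner. The `.xex`/`.moc` pairs come from the post; the `.quarantined` suffix, the manifest file name and the function names are assumptions made for illustration.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Pairs from the post above; any other extension gets a suffix (an assumption).
NAMED_AWAY = {".exe": ".xex", ".com": ".moc"}
FALLBACK_SUFFIX = ".quarantined"
MANIFEST = "manifest.json"  # hypothetical manifest file name

def inert_name(name: str) -> str:
    """Name that no longer runs by association but still shows the old extension."""
    p = Path(name)
    new_ext = NAMED_AWAY.get(p.suffix.lower())
    return p.stem + new_ext if new_ext else name + FALLBACK_SUFFIX

def _load(qdir: Path) -> dict:
    m = qdir / MANIFEST
    return json.loads(m.read_text()) if m.exists() else {}

def _save(qdir: Path, records: dict) -> None:
    (qdir / MANIFEST).write_text(json.dumps(records, indent=2))

def quarantine(path: Path, qdir: Path) -> Path:
    """Move a flagged file into qdir under an inert name and record how to undo it."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    original = str(path.resolve())
    dest = qdir / f"{digest[:12]}_{inert_name(path.name)}"
    records = _load(qdir)
    shutil.move(str(path), str(dest))
    records[dest.name] = {"original": original, "sha256": digest}
    _save(qdir, records)
    return dest

def restore(dest: Path, qdir: Path) -> Path:
    """Put a falsely accused file back; refuse if it changed or the path is taken."""
    records = _load(qdir)
    rec = records[dest.name]
    if hashlib.sha256(dest.read_bytes()).hexdigest() != rec["sha256"]:
        raise ValueError(f"{dest.name} was modified while in quarantine")
    original = Path(rec["original"])
    if original.exists():  # e.g. a clean copy was expanded from the install CD
        raise FileExistsError(f"{original} already exists; not overwriting")
    shutil.move(str(dest), str(original))
    del records[dest.name]
    _save(qdir, records)
    return original
```

The hash check on restore covers the case raised in the reply: a renamed file cannot run by itself, but something else on the system could still have altered it.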

From: MEB on 12 Jan 2010 13:05

On 01/12/2010 10:04 AM, Cynanthis wrote:

> Hi, I recently fought off some malware on my laptop PC. One of the steps I
> had to do was rename (extension) some things in the Recovery Console. My
> system now seems to be fine once again.
> My questions are these: What do I need to do, if anything, with the few
> files that I renamed in RC? I renamed, for example, the userinit.exe file
> extension.

Manually renaming files can help to get a system running again; however, it RARELY takes care of the whole issue or issues.

What is it EXACTLY that you thought you were correcting/removing [what malware or malwares]?

> So far my system is running OK. The only thing that I have had issues with
> is that my internet keeps "coming and going", meaning my browser (IE7 or
> Firefox), or anything, randomly loses connectivity. It happens ONLY to my
> laptop. And almost daily.

No, your system is NOT running okay. The Internet loss should have told you that. You may have a DNS hijack or some other interference.

Internet loss can be caused by multiple issues. Please provide what you supposedly removed AND what found them, also what you have used to additionally check the system.

> Yesterday I did a Spybot Search & Destroy scan and it says it found CoolWebSearch
> and it associates itself with the winlogon.old file. Not sure, but I think
> that was one of the ones I renamed. Should I delete all that my
> virus/spyware scanners find, even if it's one of these renames? Do malware
> scanners typically 'find' and consider these renames threats?
> Thanks in advance
> Windows XP Home Edition SP2

Any renamed files YOU created can be removed. I would question whether you actually *completely* removed CoolWebSearch, and what other malware you may have.

The XP Service Pack level should be addressed once you get the system completely cleaned.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

From: diance via WindowsKB.com on 13 Jan 2010 03:44

"I recently fought off some malware on my laptop pc"

Hey, I get the easy way for you to get rid of Malware completely! All you need to do is to click here: http://www.bestspywarescanner.net/

--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-virus/201001/1

From: Cynanthis on 13 Jan 2010 10:54

Thanks to all who replied. Here is a bit of history up to a certain point.

The PC was infected by lots of things, including the fake antivirus programs, maybe even Vundo, lots of different things that would be too long to list here. Because of the multiple malware, and removing it by AVG (it removed, I think, a file that has to do with logging into Windows), I was not able to log on to Windows. Safe mode did not work. I would get stuck on the welcome screen page.

Here is some of the renaming and steps taken:

ren userinit.exe to userinit.old
ren winlogon.exe to winlogon.old

Then I did this:

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex

I checked to see if there was a file in c:\windows\system32 called wsaupdater.exe so that I could copy userinit.exe over the top of wsaupdater.exe, BUT it was not there. Instead, I found this malware "winupdate86.exe", and renamed it too, to "winupdate86.old".

Since the problem persisted (not being able to log into Windows), I did a fixboot to write a new partition. Then lastly, I did a "system restore" using the Recovery Console. That worked!!

*FINALLY the logon issue was resolved and I was able to log on to Windows and start the clean-up process.*

I did Malwarebytes first, then ComboFix. Then did a Gmer scan. Then did the Kaspersky Virus Removal Tool. At this point the Gmer and Kaspersky scans came up clean.

So now the only issue I have is the internet connection coming and going. Only happening to this laptop. Qwest did what they could to troubleshoot. All checks out OK on their end. But they are not able to help beyond that when it comes to virus stuff.

Thanks all for your help

"MEB" <MEB-not-here(a)hotmail.com> wrote in message news:%23$cYMH7kKHA.5568(a)TK2MSFTNGP02.phx.gbl...

> On 01/12/2010 10:04 AM, Cynanthis wrote:
>> Hi, I recently fought off some malware on my laptop PC. One of the steps I
>> had to do was rename (extension) some things in the Recovery Console. My
>> system now seems to be fine once again.
>> My questions are these....What do I need to do, if anything, with the few
>> files that I renamed in RC? I renamed, for examp, the userinit.exe file
>> extention.
>
> Manually renaming files can help to get a system running again, however
> it RARELY takes care of the whole issue or issues.
> What is it EXACTLY that you thought you were correcting/removing [what
> malware or malwares]?
>
>> So far my system is running ok. The only thing that I have had issues with
>> is that my internet keeps 'coming and going"; meaning my broswer (IE7 or
>> firefox), or anything randomly loses connectivity. It happens ONLY to my
>> laptop. And almost daily.
>
> No, your system is NOT running okay. The Internet loss should have told
> you that. You may have a DNS hijack or some other interference.
>
> Internet loss can be caused by multiple issues. Please provide what you
> supposedly removed AND what found them, also what you have used to
> additionally check the system.
>
>> Yest I did a spybot search & destroy scan and says it found coolwebsearch
>> and it associates itself with the winlogon.old file. Not sure but I think
>> that was one of the ones I renamed. Should I delete all that my
>> virus/spyware scanners find, even if its one of these renames? Do malware
>> scanners typically 'find' and consider these renames threats?
>> Thanks in advance
>> Windows XP home edition sp2
>
> Any renamed files YOU created can be removed. I would question whether
> you actually *completely* removed coolwebsearch, and what other malware
> you may have.
>
> The XP Service Pack level should be addressed once you get the system
> completely cleaned.
>
> --
> MEB
> http://peoplescounsel.org/ref/windows-main.htm
> Windows Info, Diagnostics, Security, Networking
> http://peoplescounsel.org
> The "real world" of Law, Justice, and Government
> ___---