Re: Unable to remove Packed.Generic.238

Jormungandr · ‎06-23-2009

Ok, ran RRT in safe and normal mode. Access to "regedit" is still blocked.

However, I was able to run "HiJackThis." Log is attached.

Quads · ‎07-21-2008

Hi

We are slowly getting there you still have other infections. I will weed out the bad ones in the hijackthis log now we can get that to run.

Plus still the rootkit, that's a different fish.

Quads

Quads · ‎07-21-2008

Ok, I have left the first bad one out as i am not sure yet if that will cause a login loop with userinit.exe

So Now start Hijackthis again and tick, check these entries only

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (not need on startup)

O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\notepad.exe

O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\u0h72og.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\u0h72og.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 (disabled regedit entry)

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

And click "Fix Checked"

The PC may need to be restarted.

Quads

Quads · ‎07-21-2008

I will slowly keep breaking this down, and freeing it up.

You comment earlir on

"and restarted in normal Windows XP mode. Security Configuration appeared stating Windows was in Diagnostic or Selective Start up Mode. It asks me to choose Normal Windows startup and start Windows normally to stop the warning, "

Could be to do with

O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\notepad.exe

Which is a Rogue / Fake

Quads

Message Edited by Quads on 07-17-2009 10:22 PM

Jormungandr · ‎06-23-2009

What do I run on the main menu of "Hijack This" to do this?

Quads · ‎07-21-2008

Just click, "Do System Scan only"

Then when it finishes scanning like before to get the log you will see little tick boxes, Please only tick the entries I stated in the previous post with the list of entries to tick and fix checked.

Quads

Jormungandr · ‎06-23-2009

I don't see this entry:

"O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\notepad.exe"

Instead, it says,

"O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\mdm.exe"

Do I still check it?

Quads · ‎07-21-2008

Ok will have to think on that, why it changed.

Did you see the entry for disabled registry??

Just do the others

Quads

Quads · ‎07-21-2008

Jormungandr wrote:
I don't see this entry:

"O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\notepad.exe"

Instead, it says,

"O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\HP_ADM~1.MET\LOCALS~1\Temp\mdm.exe"

Do I still check it?