WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
machine acting strange
Started by
Gator
, Nov 05 2008 03:27 PM
This topic is locked
209 replies to this topic
#76
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 12:18 PM
Register to Remove
#77
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 12:26 PM
That should be fine. I feel the infection is gone.Yes have second computer. Can use flashdrive that is attached to infected unit if you think that is wise. No floppy drive on the infected laptop.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to 
for the help you received.
Proud graduate of TC/WTT Classroom
#78
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 12:55 PM
Ok placed flashdrive in non infected computer and ran scan with norton internet security. It found W32.Sality.AE virus. cleaned drive.
Copied Shdocvw.dll and tried to copy into the Windows\System32 folder on the infected computer but got the following error.
Cannot copy it is being used by another person or program.
Tried to run the command given. But got the Windows File Protection dialog box stating that I needed to insert the Windows XP Proffessional Service Pack 3 CD.
I do not have such a cd. Service pack 3 was downloaded online.
What next ?? Seems we are stopped at every turn.
#79
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 12:59 PM
Do you have a Windows XP cd.
Try that.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#80
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 01:04 PM
All I have is the dell reinstallation cd for windows xp home edition including service pk 2 that came with the desktop unit I have.
#81
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 01:09 PM
go to the Windows\System32 folder and right click on Shdocvw.dll
check to make sure it's not read only, then rename it to Shdocvw.old
Now see if you can copy the one you transfered.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#82
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 02:50 PM
Found both a Shdocvw.bak and Shdocvw.dll in the folder. Changed the .dll to .old and then was able to copy the Shdocvw.dll from the flashdrive to the folder
#83
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 02:52 PM
And please follow these steps:
1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type regsvr32 Shdocvw.dll (note the space), and then click OK.
4. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.
Please try opening a page that previously didn't open.
1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type regsvr32 Shdocvw.dll (note the space), and then click OK.
4. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.
Please try opening a page that previously didn't open.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#84
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 03:05 PM
Typed in regsvr32 Shdocvw.dll and clicked ok and got the same file error as before.
Went back to the Windows\System32 folder and found the Shdocvw.dll and renamed it againg. Then clicked on refresh at the top and the Shdocvw.dll was regenerated without copying it from the flashdrive. It is being regenerated by whatever junk is on this unit.
#85
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 03:17 PM
Have you tried Windows updates?
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
Register to Remove
#86
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 03:22 PM
Not since was prompted when setting prompted me that there were updates available.
#87
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 03:24 PM
Get the updates and see if that helps. I'm about out of ideas.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#88
Gator
-
- Authentic Member
-
- 121 posts
Authentic Member
Posted 09 November 2008 - 03:44 PM
Ok got 2 updates that were made available since the last update done.
Exe files still being generated in the Windows\temp folder.
Shdocvw.dll still being replicated in the Windows/System32 folder.
Know how you feel I was out of ideas long ago.
If I could get this machine to go into safe mode, would try again to restore to an earlier date but don's know if all the programs we have run wiped the earlier restore points out.
#89
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 03:48 PM
Combofix creates a new restore point when it's run.
I'm going to go through what we've done and see if I missed anything.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#90
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 09 November 2008 - 03:53 PM
I find it interesting that the temp files are listed here under the firewall policy:
Is your firewall working?
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\WINDOWS\\TEMP\\winveus.exe"=
"c:\\WINDOWS\\TEMP\\winlrgjh.exe"=
Is your firewall working?
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\WRAL DESKTOP WEATHER\\TrueWeather.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\system32\\WLTRAY.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 14\\TMAS_OE\\TMAS_OEMon.exe"=
"c:\\WINDOWS\\TEMP\\winveus.exe"=
"c:\\WINDOWS\\TEMP\\winlrgjh.exe"=
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
