Virus/Malware: win32/pacthed.L and ws2_32.dll

daltonredpath · Jan 21, 2010

Hi Everyone,

First off I'd like to thank MG for helping me fix my problem. I'm not sure if the issue is completely fixed, so I'm including log files. I'm also found this site from someone else who had a similar problem, so I'm going to write my story in-case someone else finds it that way too. (http://forums.majorgeeks.com/showthread.php?t=197231)

Trying to fix my parents computer. My dad he got something called the Internet Security 2010 virus. Not sure how he knew that - we had NOD32 installed as well as Spybot and MalwareBytes. He tried to fix the problem himself to no avail.

I took over, and tried all the go-tos I knew, and eventually ran Microsoft Security Essentials, and disabled Nod32. It found this issue trojan:win32/pacthed.L, and more details it gave c:windows/system32/ws2_32.dll . Then I found this site, but couldn't run the fixes suggested in your Readmes because I kept getting this error the application failed to initialize properly (0xc0000022). Click on OK to terminate the application. It took me a while to realize it was Microsoft Security Essentials which was causing some sort of loop. I uninstalled that, as well as Nod32 (leaving no protection) then ran the Readme files/instructions. I'm not sure if the problem is fixed but the comp is running a heck of a lot faster.

I understand there are people with higher priority problems on this site, just wanted to write my story so other people might find this site to help them as well.

daltonredpath · Jan 21, 2010

last log.

Thanks again for the community and service you provide!

Kestrel13! · Jan 23, 2010

1. Ad-Aware SE Personal <--- outdated and ineffective, I suggest you uninstall it.

2. It is a very bad idea to have so many users on one machine all with admin priviledges!

Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Andrew
Yes | Dad
| Guest
Yes | HelpAssistant
Yes | Mom
Yes | Sara
| SUPPORT_388945a0 (Disabled)
Click to expand...

3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O15 - Trusted Zone: *.lsac.org
Click to expand...

After clicking Fix exit HJT.

4. Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

5. Could you please get this: ws2_32.dllEC806495 into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" C:\Windows\System32\ws2_32.dllEC806495
Click to expand...

log retrievable @ C:\collect.zip

6.

It took me a while to realize it was Microsoft Security Essentials which was causing some sort of loop. I uninstalled that, as well as Nod32 (leaving no protection)
Click to expand...

Reinstall your antivirus software now.

7. Attach the collect.zip into your next reply.

8. Let me know how things are running now.

daltonredpath · Jan 23, 2010

Hi Kestrel13! - thanks for the reply.

1. Uninstalled.
2. I'll demote some of my family =).
3. 015 wasn't on the list, I did this for 03.
4. This worked and I got a success message.
5. Done.
6. I installed Avira (lost faith in other 2) before you replied to this, thinking I should have some protection (read the how to prevent malware post).
7. Attached.
8. Things seem to be ok - strangely under the "Dad" login, I cannot open the recycle bin (right click open doesnt work either), and programs are not posting to the recently accessed programs in the start menu, even though the option is checked off in settings. Minor, but strange. I'll try again now since most recent changes.

Thanks again!!!

daltonredpath · Jan 23, 2010

Ah - just as a follow up re: #3 - I was logged in as a different user when running step 3. I ran step 3 for each user, and 015 was under one of them, so I ran the "fix" for that.

Kestrel13! · Jan 24, 2010

Things seem to be ok - strangely under the "Dad" login, I cannot open the recycle bin (right click open doesnt work either)
Click to expand...

I am going to need to see logs from running the malware removal procedures on the "Dad" account since we have been checking out logs from a different account. This is still more likely to be an issue for the Software Forum, but I need to check logs for the proper user account. Also whilst logged into the Dad account I need you to do the below:

Now download Registry Search (see the link titled RegSearch Download Link)

Extract the files from Regsearch.zip into a folder.

Doubleclick regsearch.exe to start the program.

In the top 3 boxes under the Enter search strings case independen) and click Ok... option, enter the below string (use copy and paste)

NoRecycleFiles
Click to expand...

Then click "OK".

Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).

Attach this RegSearch.txt file.

Attach all of the requested logs into your next reply.

daltonredpath · Jan 25, 2010

I'm getting good at running all of these scans

I didn't run Combofix as per the message on MG about not running it. I think all the other scans came up empty, but they are included. On the plus side, they all took significantly less time to run than they did originally.

I zipped the logs so I wouldn't have to post 2 messages. Thanks for the help again!

whoa edit: when browsing to upload the files, I realized that I am in a TEMP user profile, not the "Dad" one I thought I was in. (Clicking Dad loads a TEMP user). Don't know how I didn't notice this before. I'm guessing Dad is corrupted?

Kestrel13! · Jan 25, 2010

when browsing to upload the files, I realized that I am in a TEMP user profile, not the "Dad" one I thought I was in. (Clicking Dad loads a TEMP user). Don't know how I didn't notice this before. I'm guessing Dad is corrupted?
Click to expand...

Not sure exactly how this happened. Perhaps someone gave the account the name Temp to begin with and then later renamed the account to Dad. Doing this will not change the folder names. It just changes the user account name. Your problems with the Recycle Bin may some how be related to what was done, but either way not a problem for the malware forum. I can however give you a fix to try for your recycle bin problem on the Dad account:

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"InfoTip"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
2d,00,32,00,32,00,39,00,31,00,35,00,00,00
"SortOrderIndex"=dword:00000060
"IntroText"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
2d,00,33,00,31,00,37,00,34,00,38,00,00,00
"LocalizedString"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,53,00,48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
2c,00,2d,00,38,00,39,00,36,00,34,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,31,00,00,\
00
"Empty"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,31,\
00,00,00
"Full"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,33,00,32,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]
"Attributes"=hex:40,01,00,20
"CallForAttributes"=dword:00000040
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you are not having any other malware problems it will be time for final steps. Remember to visit the software forum if you need help sorting out the account with the "Temp" name.

daltonredpath · Jan 25, 2010

Hey Kestrel13!

Got the success message. Didn't do much - I'm going to create a new user and delete the 'Dad' one. I think we are ready for the final steps. Thanks so much! Computer is running so smoothly now.

Kestrel13! · Jan 25, 2010

You're welcome!

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

Virus/Malware: win32/pacthed.L and ws2_32.dll

daltonredpath Private E-2

Attached Files:

SASlog.txt

mbam-log.txt

combofixlog.txt

RRlog.txt

daltonredpath Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

daltonredpath Private E-2

Attached Files:

collect.zip

daltonredpath Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

daltonredpath Private E-2

Attached Files:

logs.zip

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

daltonredpath Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member