W32/Lentin.H@mm infection - help!

Discussion in 'malware problems & news' started by loop, Mar 28, 2005.

Thread Status:
Not open for further replies.
  1. loop

    loop Guest

    Help! I'm telling you exactly what I did as it might help you solve my problem!

    OS = Windows 98 (original - 1st edition). I scanned my cousin's PC with F-Prot for DOS 3.16a and the latest defintions via a MS-DOS window within Windows and not in true DOS mode or F8 Command Prompt mode.

    I got 14 files (all size 34,304) infected with the W32/Lentin.H@mm virus (4 .exe and 10 .scr). Because Windows got messed up (read on) they were not being displayed in full (only the 8 char MS-DOS filename) but I remembered what some of them were in full.

    Best_Friend.scr
    funny.scr
    colour~1.scr
    shake.scr
    love.scr
    friend~2.scr
    sweet.scr
    be_happy.scr
    i_like_you.scr
    friend~1.scr

    nav32~1.exe
    hotmail_hack.exe
    winservices.exe
    tcpsvs32.exe

    When I did Ctrl-Alt-Del I got "winservices" as an application and closed it thinking it was the virus doing some background dangerous 'work'.

    I'm assuming the PC is already infected? I did right click on the Desktop > Properties and selected a few of these .scr as the Screensaver and the thumbnail picture you get was black (I was curious). I never actually though did OK on one of these as the screensaver...

    I was going to go to an AV site and get a virus removal tool and step by step instructions to follow but decided to do the following (I noticed f-prot with the "-rename" flag says that it will rename .exe to .vxe):-

    I then rescanned and as a *temporary precaution* I renamed the .scr files to .vcr and the first 3 .exe to .vxe. As it happened I didn't rename the last .exe. I quit the anti virus scanner and did a right click on the Desktop and selected Properties and got this message box titled Program not found

    Windows cannot find RUNDLL32.EXE"shell32, Control_RunDLL

    This program is needed for opening files of type 'application'

    Location of ........exe

    OK Cancel Locate


    Now whenever I try to run any program like Notepad.exe or my browser .exe file I get the same message but with the particular application name instead not found. I tried for example to go to Control Panel and then Add/Remove programs and get the same message above.

    In a MS-DOS window, dir run* in C:\windows gives

    rundll32.exe and rundll.exe though so what's the problem?

    I haven't dared to shut down and restart in case I can't get into the Windows desktop again. I was going to 'Locate' the rundll32.exe file as the message box recommended but wanted your input first.

    1) How to fix this rundll32 problem as Windows is virtually useless - maybe I shouldn't have renamed and just got the proper removal tool?
    2) Should I have renamed in true DOS or F8 Command Prompt?
    3) If I buy a proper Internet security suite (Norton/McAfee) do they take care of the removal without a specialist removal tool?
    4) How did this infection take place?

    Thanks.
     
  2. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    This is a w32.Yaha variant. Removal instructions from SARC.

    Here's Symantec's tool:

    http://securityresponse.symantec.com/avcenter/FixYaha.com

    I'd try this first, and be sure to run it in Safe Mode.

    Manual Removal Instructions:

    STEP 1:

    1. If the worm has run, you must do the following:

    Restart the computer in Safe mode.
    Copy Regedit.exe to Regedit.com.

    2. Restart the computer in Safe mode
    Shut down the computer, and turn off the power. Wait 30 seconds. Do not skip this step.
    All Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode.

    3. To copy Regedit.exe to Regedit.com:
    Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with a .com extension and then run that file.
    Do one of the following, depending on which operating system you are running:
    Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Proceed to step 2 of this section.

    STEP 2: Type the following, and then press Enter:

    copy regedit.exe regedit.com

    Type the following, and then press Enter:

    start regedit.com

    The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.

    Proceed to the next section, "To edit the registry and reverse the changes that the worm made" only after you have accomplished the previous steps.

    STEP 3:

    To edit the registry and reverse the changes that the worm made:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.

    Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey

    In the right pane, double-click the (Default) value.
    Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

    NOTES:
    On Windows 95/98/Me and Windows NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

    ""%1" %*"

    Make sure that you completely delete all value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, and make sure that you completely remove the current value data.

    STEP 4: Navigate in turn to each of the following keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService

    NOTE: The RunServices key may not exist on all systems.

    In the right pane, delete the value

    winReg C:\%system%\winReg.exe

    Restart the computer.
    ***********************

    Good luck!

    ;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.