Discussion in 'malware problems & news' started by keke, Oct 28, 2010.

  keke

    keke

    Oct 28, 2010
    Sry for my bad english.
    Today I was also infected whit ltzqai worm.
    But ive spent one day to figer it out why no anti-virus can clean the virus I have until i figure its about the ltzqai worm that spread many other infections in my system.

    I started looking at win task manager there was runing this two new proceses : cfdrive32.exe and msvmiode.exe.You can end the processes but they have keys in registry.

    My Avg free has done only to delete the files created in C:\Documents and Setings\Network Services\Local Setings\Temporary Internet Files\ "strange random character names"(created by the ltzqai.exe worm).

    I've downloaded few others free anti-viruses and anti-spyware programs,but they :detect,try to clean and never get done whit it,they start all over after reboot.

    My solution was,disconect the cable net,I have a good firewall(Zone Alarms,free edition)nothing gets out and also blocks files to not transmit on internet whit out my permision,the ltzqai file its used by windows so you have two choices to delete from : C:\Documents and Settings\Keke\Application Data\ltzqai.exe, in normal windows mode you need a good program that can kill any file even those that are curently use,after reboot they will clean it(I've tried and worked) or I've seen hier on forum someone try it in safe mode(never try,but i gues its working also).If you can't delete the file on the hard you can not erase the key from registry for this file in : HKLM\software\microsoft\windows NT\CurentVersion\Winlogon ->Taskman ->REG_SZ -> "a path to ltzqai.exe or a long number",if you try to erase this it will not erase and it will recopiate after you exit regedit or if you go to another directory and return to Winlogon again ("I've tried and not worked until I've deleted the file on Documents and Settings").

    Before trying to delete ltzqai.exe,delete all references from registry about cfdrive32.exe,msvmiode.exe,syscr.exe,just go in regedit.exe to edit menu and press "find",after you find one reference press "find next" until no references about this names or maybe you have other viruses or malware spread in your system from this ltzqai.exe file.Then kill the processes from task manager,install a progam to kill ltzqai.exe file from computer after reboot,enter to see if the file exists on Documnets and Settings if there is,then your kill program is not good (mine was erasing ltzqai.exe right after first boot),then go regedit HKLM\software\microsoft\windows NT\CurentVersion\Winlogon ->Taskman ->REG_SZ -> and delete all the line/path(for ltzqai.exe).And your done.

    My Avg still don't see any threat for this file,even if I've updated today or yesterday.

    There are many files created by this worm,only few of them wrighted in registry,i had only three of them except the path for ltzqai.exe,there is a big list of posible name of malware this worm create in hard drive on other sites,you should try search also whit windows search for files in Windows directory and windows/system32 directory.

    Hope that will work.
  Rmus

    Rmus

    Mar 16, 2005
    Hello, keke,

    ltzqai.exe was probaby created by the dropper that infected your computer. See:

    Submission received: 20 October 2010, 05:54:16
    There are many reasons why a normal AntiVirus program cannot clean a computer, so if you still cannot solve your problem, post to this forum:

    I've heard about this worm but have not found what types of exploits infect the computer with the worm.

    Do you know how you got infected?


  Franklin

    Franklin

    May 12, 2005
    West Aussie
    An O.exe I downloaded ran as a syscr.exe and dropped the others.

    Malwarebytes takes em out.
  egomoo

    egomoo

    Aug 28, 2007
    Do a scan with Safe Returner,you will get rid of it in 3 minutes

    You do not need to use regedit.exe to edit and find " ltzqai.exe"

    It will help to find out the startup item which created by " ltzqai.exe"
