Win32:Patched-IT found in C:\WINNT\system32\svchost.exe
safetynut:
I will be repeating some information that I’ve posted in other threads—there are a lot of interwoven problems involved.

Dell Optiplex GX1  Pentium III  512 MB RAM   733MHz  12GB  CD-ROM
Windows 2000 Professional, avast! Antivirus, Spybot
No Back-up capability; no back-up done
Dial-up internet connection
Use Firefox except for MS updates (some of which won’t install)

Without giving details at the moment, I don’t have the operating system CD that was used to install Windows 2000 on the pc.

I haven’t done the latest avast! program update because of the problem(s) that I will speak of.

Background: Nearly lost the pc to viruses twice this year. It has proven to be difficult to find out what the person who worked on it has done. When I got the pc back the second time, avast had been installed. I ran a thorough scan and literally hundreds of infected files were found, which I moved to the virus chest and subsequently deleted sometime later. Though there have been other virus/Trojan warnings, I’ve moved each to the virus chest. I’ve run a couple of thorough scans since the first one, and no infections were found during those scans.

Recently a message from Windows File Protection popped up on the screen:
“Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files.
Insert your Windows 2000 Professional CD now.”

As I said above, I don’t have the OS CD that was used to install the current OS system.

Question:
But that notwithstanding, I ask: could viruses/spyware have caused these files to be replaced by “unrecognized versions”? (I would rather be tortured than go to the MS website and try to post or find out anything there about this—I always have a violent headache and severe depression after attempting to do so.)

Though I usually turn off my pc each night, I had left it on for a long period of time in case restarting would not be possible because of the “system instability” as a result of the WFP problem.

Then several days ago, I opened avast and as it ran the memory scan, I got a warning of “Win32:Patched-IT” that was infecting “C:\WINNT\system32\svchost.exe” file. However, when I tried to move it to the virus chest, it said it was a read-only file and that it couldn’t be processed.

I then did as avast suggested and let it run a boot-time scan. Of course, when the file was encountered during this scan, it couldn’t be touched then either!!

I mention this next problem in case it is related to these first two issues, though as I will explain, I don’t think it is—but then, what do I know? I need the experts’ advice: When I was in Spybot running an Immunization, I got a message entitled “Windows-Low on Registry Space.” It said that I needed to increase the maximum registry size. I subsequently read some online about this and discovered how to find out the specs on my pc. They were: (I don’t really understand all this.)
Drive C: 1152-2304 Paging File Size
Paging file size for selected drive
Drive C
Space available 8453MB
Initial size (MB) 1152
Maximum size (MB) 2304

Total Paging size for all drives
Minimum allowed  2MB
Recommended     1150MB
Currently allocated  1152MB

Registry Size
Current registry size     87MB
Maximum registry size (MB)  91

After discovering that changing the maximum registry size can be tricky, that if you increase it beyond a certain percentage relative to something else, you will screw things up—and I would not be able to knowledgeably go into the registry to make any needed adjustments—so I wisely decided not to try that.

What I did determine to do was uninstall a spyware program that was put on the pc the last time the person who attempted to fix my problems had it. I did not want this anyway. Also, I deleted files for another antivirus program that he had initially installed and then removed—though it would seem ineffectively, since there were still files for it hanging around (though the program was not listed in Add/Remove Programs). When I restarted after having removed these two programs, the “Current registry size” had decreased to 33MB. Yea!

So, I hope that this particular problem has been alleviated. Question: What do you think?

By the way, the Windows File Protection message has not come back up each time I’ve restarted the pc since the first shut down after having gotten the message initially. Question: That doesn’t mean it is “resolved” does it? How could it be, without having restored the system files it was referring to by putting in the OS CD?

Question: And if the OS CD were inserted for the WFP problem, what could I expect? Would Windows just take over and extract any needed files without any involvement on my part? I.e., what would happen?

Oh, and I used CCleaner’s Registry cleaner once. Could this have caused the WFP issue? I’ve read that you should never use a registry cleaner. Question: What is your opinion about that?

Question: Back to the Trojan as described above; how can I get rid of it since the file it has infected cannot be accessed? As you know by now, I’m not a computer wiz, and you’ve seen the limitations of my system and the lack of a backup as insurance.

Question: How do these viruses/Trojans infect the pc with avast running?
Question: Does avast scan the registry?

Question: Could the Trojan in the memory have caused the WFP problem and/or the registry size limit problem?

Question: I have used the pc some since being told the Trojan is there—I have to. I am at the library now to post this to the forum. How dangerous is it to run the pc with this particular Trojan? It is time-consuming, inconvenient, and costly to get to a library computer. Plus I so need to have computer problems resolved and move on to other areas that need to be addressed.

Question: Would doing things like updating the Adobe Reader cause additional harm while the Trojan is on the pc?

Do you know if this Trojan is a key-logger? I googled it, but didn’t get much clear info about it.

I have asked many questions. I have tried to label each one so that it is easier to answer each one. Please help, you guys. I really appreciate all you have done and will do for me.


Tarq57:
I'm not expert enough to tackle this one for someone else (if it was my computer I'd give it a shot!) but what may help the more expert helpers here:

--- Quote ---What I did determine to do was uninstall a spyware program that was put on the pc the last time the person who attempted to fix my problems had it. I did not want this anyway. Also, I deleted files for another antivirus program that he had initially installed and then removed—though it would seem ineffectively, since there were still files for it hanging around (though the program was not listed in Add/Remove Programs).
--- End quote ---
Name both these programs, please.
Depending on the answer, it may be advisable to re-install the old AV (with Avast removed) to have it able to be uninstalled correctly. For a lot of AVs, there are dedicated removal tools available.
Wouldn't be surprised if this is largely the reason for the problems.
safetynut:
Tarq57,

I did not uninstall the two programs until AFTER I got the WFP message, was warned of the trojan, or got the registry size limit message. I only mentioned doing that to explain that by doing so the current size of the registry had decreased to 33MB from 87MB, and that, hopefully, that solved the need to increase the maximum size of the registry limit.

The spyware program was named StopZilla and I removed it via the Add/Remove Programs since it was listed in there. The antivirus program was Symantec. The person who had my computer several months ago to work on it had installed Symantec as the antivirus program. But when he saw how much it slowed down my system, he said he took it off. Obviously, he didn't do so thoroughly. Though Symantec was not listed in Add/Remove Programs, when I did a Search for it, I found 4 files. I manually deleted 3 of them, but the fourth one said that it involved "common files," and deleting it could cause some things not to work. So I left it alone.

I continue to hope someone will read through my post and answer the questions I've posed. I know they are many, but I am so in need of advice and help.


I would love to be able to shoot my computer. Unfortunately, I am struggling with these problems because I cannot afford to replace it or to have someone else work on it.

I am eagerly hoping for help from you guys.
Tarq57:
Symantec acquired Norton AV some time ago. It's one of the most popular AVs (comes pre-installed a lot of the time) and can be a bear to remove. The debris it leaves behind can affect other AVs subsequently installed. This is a common problem.
Try downloading and running the latest Norton Removal Tool:
http://service1.symantec.com/SUPPORT/norton2008.nsf/docid/2007082908475279?Open
safetynut:
Thank you for the information about uninstalling Symantec. Perhaps I can make use of the information in the future. However, my biggest need right now is to have help with the Win32:Patched-IT trojan that I explained about in the first post.

As of two days ago, I cannot really use my Office programs. I get a message from avast now that the trojan is running. It halts any action I try to take. So, it is taking over my computer. Until it is eradicated, which is the main reason I asked for help, I can't use the computer.

If asking about this malware in the avast virus forum is not the place to do so, can someone please tell me where I should ask?

I also asked other questions in the first post that are very important to me.

But unless I can remove this trojan or whatever it is, . . . my computer has been made useless. I am typing this at a library computer.

Please help. Thank you.