Win32:Patched-IT found in C:\WINNT\system32\svchost.exe

I will be repeating some information that I’ve posted in other threads—there are a lot of interwoven problems involved.

Dell Optiplex GX1 Pentium III 512 MB RAM 733MHz 12GB CD-ROM
Windows 2000 Professional, avast! Antivirus, Spybot
No Back-up capability; no back-up done
Dial-up internet connection
Use Firefox except for MS updates (some of which won’t install)

Without giving details at the moment, I don’t have the operating system CD that was used to install Windows 2000 on the pc.

I haven’t done the latest avast! program update because of the problem(s) that I will speak of.

Background: Nearly lost the pc to viruses twice this year. It has proven to be difficult to find out what the person who worked on it has done. When I got the pc back the second time, avast had been installed. I ran a thorough scan and literally hundreds of infected files were found, which I moved to the virus chest and subsequently deleted sometime later. Though there have been other virus/Trojan warnings, I’ve moved each to the virus chest. I’ve run a couple of thorough scans since the first one, and no infections were found during those scans.

Recently a message from Windows File Protection popped up on the screen:
“Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files.
Insert your Windows 2000 Professional CD now.”

As I said above, I don’t have the OS CD that was used to install the current OS system.

Question:
But that notwithstanding, I ask: could viruses/spyware have caused these files to be replaced by “unrecognized versions”? (I would rather be tortured than go to the MS website and try to post or find out anything there about this—I always have a violent headache and severe depression after attempting to do so.)

Though I usually turn off my pc each night, I had left it on for a long period of time in case restarting would not be possible because of the “system instability” as a result of the WFP problem.

Then several days ago, I opened avast and as it ran the memory scan, I got a warning of “Win32:Patched-IT” that was infecting “C:\WINNT\system32\svchost.exe” file. However, when I tried to move it to the virus chest, it said it was a read-only file and that it couldn’t be processed.

I then did as avast suggested and let it run a boot-time scan. Of course, when the file was encountered during this scan, it couldn’t be touched then either!!

I mention this next problem in case it is related to these first two issues, though as I will explain, I don’t think it is—but then, what do I know? I need the experts’ advice: When I was in Spybot running an Immunization, I got a message entitled “Windows-Low on Registry Space.” It said that I needed to increase the maximum registry size. I subsequently read some online about this and discovered how to find out the specs on my pc. They were: (I don’t really understand all this.)
Drive C: 1152-2304 Paging File Size
Paging file size for selected drive
Drive C
Space available 8453MB
Initial size (MB) 1152
Maximum size (MB) 2304

Total Paging size for all drives
Minimum allowed 2MB
Recommended 1150MB
Currently allocated 1152MB

Registry Size
Current registry size 87MB
Maximum registry size (MB) 91

After discovering that changing the maximum registry size can be tricky (if you increase it beyond a certain percentage relative to something else, you will screw things up), and since I would not be able to knowledgeably go into the registry to make any needed adjustments, I wisely decided not to try that.

What I did determine to do was uninstall a spyware program that was put on the pc the last time the person who attempted to fix my problems had it. I did not want this anyway. Also, I deleted files for another antivirus program that he had initially installed and then removed—though it would seem ineffectively, since there were still files for it hanging around (though the program was not listed in Add/Remove Programs). When I restarted after having removed these two programs, the “Current registry size” had decreased to 33MB. Yea!

So, I hope that this particular problem has been alleviated. Question: What do you think?

By the way, the Windows File Protection message has not come back up each time I’ve restarted the pc since the first shut down after having gotten the message initially. Question: That doesn’t mean it is “resolved” does it? How could it be, without having restored the system files it was referring to by putting in the OS CD?

Question: And if the OS CD were inserted for the WFP problem, what could I expect? Would Windows just take over and extract any needed files without any involvement on my part? I.e., what would happen?

Oh, and I used CCleaner’s Registry cleaner once. Could this have caused the WFP issue? I’ve read that you should never use a registry cleaner. Question: What is your opinion about that?

Question: Back to the Trojan as described above; how can I get rid of it since the file it has infected cannot be accessed? As you know by now, I’m not a computer wiz, and you’ve seen the limitations of my system and the lack of a backup as insurance.

Question: How do these viruses/Trojans infect the pc with avast running?
Question: Does avast scan the registry?

Question: Could the Trojan in the memory have caused the WFP problem and/or the registry size limit problem?

Question: I have used the pc some since being told the Trojan is there—I have to. I am at the library now to post this to the forum. How dangerous is it to run the pc with this particular Trojan? It is time-consuming, inconvenient, and costly to get to a library computer. Plus I so need to have computer problems resolved and move on to other areas that need to be addressed.

Question: Would doing things like updating the Adobe Reader cause additional harm while the Trojan is on the pc?

Do you know if this Trojan is a key-logger? I googled it, but didn’t get much clear info about it.

I have asked many questions. I have tried to label each one so that it is easier to answer each one. Please help, you guys. I really appreciate all you have done and will do for me.

I’m not expert enough to tackle this one for someone else (if it was my computer I’d give it a shot!) but what may help the more expert helpers here:

What I did determine to do was uninstall a spyware program that was put on the pc the last time the person who attempted to fix my problems had it. I did not want this anyway. Also, I deleted files for another antivirus program that he had initially installed and then removed—though it would seem ineffectively, since there were still files for it hanging around (though the program was not listed in Add/Remove Programs).
Name both these programs, please. Depending on the answer, it [i]may[/i] be advisable to re-install the old AV (with Avast removed) to have it able to be uninstalled correctly. For a lot of AVs, there are dedicated removal tools available. Wouldn't be surprised if this is largely the reason for the problems.

Tarq57,

I did not uninstall the two programs until AFTER I got the WFP message, was warned of the trojan, or got the registry size limit message. I only mentioned doing that to explain that by doing so the current size of the registry had decreased to 33MB from 87MB, and that, hopefully, that solved the need to increase the maximum size of the registry limit.

The spyware program was named StopZilla and I removed it via the Add/Remove Programs since it was listed in there. The antivirus program was Symantec. The person who had my computer several months ago to work on it had installed Symantec as the antivirus program. But when he saw how much it slowed down my system, he said he took it off. Obviously, he didn’t do so thoroughly. Though Symantec was not listed in Add/Remove Programs, when I did a Search for it, I found 4 files. I manually deleted 3 of them, but the fourth one said that it involved “common files,” and deleting it could cause some things not to work. So I left it alone.

I continue to hope someone will read through my post and answer the questions I’ve posed. I know they are many, but I am so in need of advice and help.

I would love to be able to shoot my computer. Unfortunately, I am struggling with these problems because I cannot afford to replace it or to have someone else work on it.

I am eagerly hoping for help from you guys.

Symantec acquired Norton AV some time ago. It’s one of the most popular AVs (comes pre-installed a lot of the time) and can be a bear to remove. The debris it leaves behind can affect other AVs subsequently installed. This is a common problem.
Try downloading and running the latest Norton Removal Tool:
http://service1.symantec.com/SUPPORT/norton2008.nsf/docid/2007082908475279?Open

Thank you for the information about uninstalling Symantec. Perhaps I can make use of the information in the future. However, my biggest need right now is to have help with the Win32:Patched IT trojan that I explained about in the first post.

As of two days ago, I cannot really use my Office programs. I get a message from avast now that the trojan is running. It halts any action I try to take. So, it is taking over my computer. Until it is eradicated, which is the main reason I asked for help, I can’t use the computer.

If asking about this malware in the avast virus forum is not the place to do so, can someone please tell me where I should ask?

I also asked other questions in the first post that are very important to me.

But unless I can remove this trojan or whatever it is, . . . my computer has been made useless. I am typing this at a library computer.

Please help. Thank you.

I recommend the general cleaning procedure, at least:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Tech,
Thank you so much for your advice. Though I need my computer, I have not tried to use it for several days since the trojan described in my first post is running, per avast, and won’t let me use MS Office programs.

I am responding specifically to your post by asking questions directly related to it.

  1. I explained in the first post that I did a boot-time scan immediately after I was alerted to do so by avast when it found the trojan during a memory scan. It can’t “process” the file because it is read-only. So avast does detect the trojan, but it can’t remove it. Would the DrWeb CureIT–or any other such application–be able to “process” the infected file given the nature of it?

  2. I don’t know that the computer will allow me to download the spyware you told me of because of the trojan’s running/control, and also I have a dial-up connection and everything takes so long. I would guess that given the trojan’s effect, it would take even longer to download anything???

  3. Ditto for the anti-rootkit applications.

  4. I believe that Hijack This is already installed on the computer–done by the person who had my computer twice to work on it, after which, each time, I still had malware. At any rate, I’ve never used Hijack This before, and I thought only techy people could handle it. At least, that’s what I’ve been led to believe.

  5. I have Windows 2000 (though I wish I didn’t) and there is no System Restore. But I also don’t have a means to back up the computer, not even my document files, which would devastate me to lose them. As a reminder from my first post, the pc has a CD-ROM and I could only use floppies to backup–not feasible.

  6. What is the difference between SUPERantispyware, MBAM, Spyware Terminator and Spyware Blaster, which you said should be used to immunize the system???

  7. By insecure applications, do you mean because of my relating that the trojan is preventing me from using Word, etc.?

My delay in responding now and in the future is because I must go to a library to use a computer, and I can’t do that each day, etc.

avast should be able to process it at boot time…
Anyway, running DrWeb won’t be a bad idea.

Try at least MBAM.

These can wait a little.

Just generate a log and post the log here (dividing in two posts if needed).

Only the last is for immunization. The first three are for cleaning. Spyware Terminator is also for protection (resident). Run at least MBAM.

It’s not a priority now.

No. The “File is read-only” error is basically avast! saying that this file is protected and shouldn’t be deleted/moved anywhere - as the system would get corrupted. The boot-time scanner would give a similar message.
So, the file is needed for the system to work - but it’s been patched by some malware to do something it’s not supposed to do; the original file should be restored from a clean copy / installation CD… something like that.

Thanks for the correction Igor.

Will the command
sfc /scannow
restore the original file?

Don’t know, didn’t try - but somebody (on the Czech forum) suggested to simply rename the affected file (e.g. from Windows Explorer) and let Windows create a fresh copy from the DllCache folder - it should occur automatically a few seconds after the rename, if the file is there.

The problem will be if the dll cache folder file is infected also :)
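Added example (not code from anyone in this thread) that turns the rename-and-let-WFP-restore advice above, and the caveat about an infected DllCache copy, into a check a helper could run before touching the file: it hashes the live system32 file and its dllcache copy against a known-good hash and reports whether the DllCache restore path would actually work. The file paths and the known-good hash are assumptions supplied by the caller (the hash would come from a clean machine at the same service pack); the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    # Stream the file so a large executable is not read into memory at once
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(live_path, cache_path, known_good_sha256):
    # 'clean'          live file matches the known-good hash
    # 'restorable'     live file altered, DllCache copy good: rename the live
    #                  file and let WFP recreate it from the cache
    # 'cache-also-bad' both copies altered: only install media or a clean copy
    #                  from another machine can restore it
    # 'no-cache'       nothing in DllCache to restore from
    if sha256_of(live_path) == known_good_sha256:
        return "clean"
    if not os.path.exists(cache_path):
        return "no-cache"
    if sha256_of(cache_path) == known_good_sha256:
        return "restorable"
    return "cache-also-bad"

def demo():
    # Constructed sample bytes stand in for svchost.exe; the 'known-good' hash
    # is an assumption and would normally be taken from a clean machine.
    good = b"MZ constructed stand-in for a clean svchost.exe"
    patched = good + b" + constructed injected code"
    good_hash = hashlib.sha256(good).hexdigest()
    scenarios = {
        "clean": (good, good),
        "restorable": (patched, good),
        "cache-also-bad": (patched, patched),
        "no-cache": (patched, None),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (live_bytes, cache_bytes) in scenarios.items():
            live = os.path.join(d, name + "_system32_svchost.exe")
            cache = os.path.join(d, name + "_dllcache_svchost.exe")
            with open(live, "wb") as f:
                f.write(live_bytes)
            if cache_bytes is not None:
                with open(cache, "wb") as f:
                    f.write(cache_bytes)
            results[name] = classify(live, cache, good_hash)
    return results
```

On a real machine the two paths would be %SystemRoot%\system32\svchost.exe and %SystemRoot%\system32\dllcache\svchost.exe, and a "cache-also-bad" or "no-cache" verdict is exactly the case where the OS CD (or a clean copy from another machine) is needed.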

tech and igor,

Thank you so much for your advice. As I explained earlier, it could be some time before I reply and continue the thread of this post due to extenuating circumstances, etc. Thus the time gap since I last posted.

Without details, I don’t have the OS CD that was used for my pc. Even if I could get it, which is iffy, it may actually be the main cause of the infections I have. I think my first post said that I have a Windows File Protection problem, in that it wants me to insert the OS CD to replace files that it says are “unrecognizable versions.”

Could the Win 32: Patched It Trojan I’ve described in the first post have caused the WFP problem?

Since I can’t even get the WFP problem fixed by inserting the OS CD, I also can’t restore the file infected by the Trojan (svchost.exe) by doing that.

As to renaming the infected file thus allowing Windows to create a fresh copy from the dll cache, I think this would loop back to the WFP problem—perhaps the WFP is there because it couldn’t find the files it needed to replace in the dll cache, ergo the same situation would arise with this Trojan-infected file???

But for my information, if I were able to rename the file, would avast then be able to delete it?

What if I renamed it and the dll cache couldn’t replace the svchost.exe file needed in Memory, would the computer work?

Also, please remember that the computer is running Windows 2000, in case that has any bearing on any solutions.

I literally don’t know what to do, and so I’ve not touched my computer for several weeks. I go to the library for computer use, but that is not convenient, efficient, or doable forever.

igor and tech,

Please don’t be annoyed with me!! Please answer these questions.

Thanks.

I don’t know much about the effects of this trojan, but yes, I do think it is the problem with Windows File Protection; I mean, with the files themselves that Windows seems to be complaining were altered by the malware.

If the virus infects both the dll cache and the file itself, only the Windows CD will help (or if you can get the file from another computer, but it will be a task for an advanced user, booting from a CD, replacing that file, etc.).

Sure. The file name is not the problem here.

Windows does not work without a svchost.exe file…

Thank you for your reply. It would seem then that my computer is as good as dead. I don’t know what I will do to obtain another computer. Also, I somehow will need to have my document files and some pictures rescued from this computer when I have a flashdrive to put them on and/or another computer.

I don’t know if I’ll be posting here for a while, or again, but I hope the post will remain just in case.

I had the exact same problem, and the solution is to rename it from Windows Explorer (make sure to do it from Explorer; avast can’t rename it, it seems). svchost will come back, and I virus scanned it and it was clean! I virus scanned the renamed file and it was infected. From there I could move the renamed file into the chest.

I hope it works for you as well, this had me stumped for awhile.

justintime,

Thank you so much for relating your experience with me. But my concern is that the svchost file can’t be replaced from my dll cache–and I don’t have the OS CD (see my prior posts)–in which case, the computer couldn’t work without the file, . . . Whatever happens, I will need to retrieve–somehow–my document files at some point, but how could that be done if the system is defunct?

Your system (dll cache??) evidently had the needed file to replace the infected one, but because of my Windows File Protection problems (see prior posts), I don’t have the needed files to replace the “unrecognizable” ones. Did you have a Windows File Protection problem as well as this trojan?

Thank you so much for your help.

Hi you safetynut,

Download DrWebCureIT from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
Do a full scan and repair.

polonus

polonus,

The trojan is running when I boot up. It is “controlling things,” more or less. I don’t know if it would let me download the DrWeb scan. I am using a library computer to communicate with you.

Since I don’t have the means of replacing the infected file (see my prior posts), would this program miraculously be able to repair the file so that it doesn’t need to be replaced???

And, justintime, if you see this, can you tell me if you had a Windows File Protection problem along with this trojan? And also, can you tell me if the trojan was running when you were able to rename the file?? Because the trojan is running on my system, and I don’t know that it would let me rename the file.

Thank you, polonus and justintime.