Back again, and still having problems.
Seems like maybe I do have this W32 Prefetch virus as the Symantec article...
http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.html
..states in parts...
"Damage - Deletes files: Deletes critical system files. The number and type of files that may be deleted vary among viruses."...
I am seeing what I believe are deleted registry entries as listed below.
The article goes on saying...
"Modifies files: Changes the Internet Explorer home page."
Don't recall this regularly happening, but it seems to have happened a few times, and only to sites that seemed default or somehow previously entered. As for the 'pornographic homepages' that the article indicates the worm sometimes sets, this hasn't happened to my IE6 homepage.
And the article also says...
"Causes system instability: Removes critical registry keys."
I certainly am experiencing an unstable system. So many problems, it's pointless to try and list them (crashes, errors, inoperability, dysfunctions, etc.).
Also the article says...
"Compromises security settings: Terminates firewall and antivirus processes."
For some time now I've been regularly experiencing my internet security and antivirus/anti-malware programs being shut down.
Note: I also used to see SpyBot Search & Destroy scan notices that my firewall was shutdown. Having attributed them to my not using Windows firewall and instead using my Norton one, I eventually ticked SpyBot to ignore the firewall shutdown matters.
The article goes on to say...
"Deletes the following registry keys:". When I use regedit and navigate through the explorer window for the referenced keys (and then highlight each key's last located explorer folder), I see the following. But when I see 'entries' with "(no value set)", I'm uncertain if the 'key' is/has been deleted. Some of the article's mentioned keys are clearly gone, as I find no explorer folder(s) for the key's latter identified folder(s).
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Desktop\SafeMode
mine shows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\
but thereafter, no "Desktop" folder is found listed in the explorer window.
That key is "missing" right?
Note: I recently lost my entire desktop, but I had been attributing that to my having ticked "Let Windows choose what's best for my computer" (i.e. start>control panel>system>advanced>performance (settings)>visual effects), after previously ticking "Adjust for best performance" (in line with my DVGate program's recommended settings). I did those things towards trying to figure out why my add/remove programs window's four option icons were missing their text labeling.
While that restored their labeling, it also changed my personal settings for the desktop (which reverted to 'Windows XP' as opposed to the 'Classic' which I'd previously set my desktop for). And I have completely lost important files I'd kept on the desktop, plus the restore point was deleted!
While programs such as "EaseUs DataRecoveryWizard 2.0" and "PC Inspector File Recovery" both seem to have located the restore file, I don't know where to restore/insert it to allow me to use the restore point to recover my lost files! I'd be tickled just to get the one important folder back from the lost desktop.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)
Name - ab AlternateShell Type - REG_SZ Data - cmd.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot
mine shows:
no listing for ControlSet003 (only 001 & 002)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)
Then below it lists a bunch of Names with Type being REG_BINARY and Data being bunches of letters/numbers.
HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery
mine shows:
Name - ab Default Type - Reg_SZ Data - (value not set)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System
mine shows...
Name - ab Default Type - Reg_SZ Data - (value not set)
Name - Isindexing NNTPSvc Type - Reg_DWord Data - 0x00000000 (0)
Name - Isindexing W3Svc Type - Reg_DWord Data - 0x00000000 (0)
Name - ab Location Type - Reg_SZ Data - D:\System Volume Information
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Biosinfo
mine shows...
Name - ab (Default) Type - REG_SZ Data - (value not set)
Name - ab InfName Type - REG_SZ Data - biosinfo.inf
Name - ab SystemBiosDate Type - REG_SZ Data - 05/19/04
The article also says...
When W32.Petch runs, it performs the following actions:
"Copies itself as C:\Windows\System32\Userinit32.exe"
I do not seem to have that file on my OS. Is this normal?
"Copies itself as C:\Windows\System32\Dllhost32.exe"
I do not seem to have that file on my OS. Is this normal?
"Copies itself as C:\Windows\Notepad.exe"
I do have this file on my OS, and I'm having issues with Notepad, as at times my typing in quote marks fails to produce them. And when I re-type another quote mark (in the 2nd attempt at producing it), it then produces two quote marks.
"Copies itself as C:\Windows\Regedit.exe"
I do not seem to have that file on my OS. Is this normal?
As for the article's mentioning of these last 4 files, it adds...
"Note: These values are hard-coded and do not depend on system variables."
As for what that means, I'm clueless.
As the article previously mentioned (above), the worm "changes a registry key" (although this may or may not be happening to all those infected with W32.Petch) value to:
"Userinit32.exe"="C:\Windows\system32\userinit32.exe" in the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)
There are a number of other named entries and these all have actual "Data" entries of 'C:\Program Files\etc. and C:\WINDOWS\etc.'
When it says "(value not set)", is this normal, or might that mean the registry key has been 'deleted'?
Note: When I try using my regedit's find function and search for this and other subject keys, it almost always fails at finding them, despite the keys being there when I search manually! Maybe this has something to do with the article having mentioned that the worm can copy itself as regedit.exe (which I do have on my OS).
At this point, not being absolutely certain I have W32.Petch on my OS, and in that I sure need that lost folder restored, I'm holding out on that because the article also offers removal instructions "if the worm has not been executed". And if it has, I'm left to formatting.
As the instructions include removing restore points by disabling my system restore, I'm concerned that doing so will nix any chances I have at recovering the lost folder by using either of the file recovery programs to maybe find the "Top Drawer" folder (or, if unable to find that deleted folder and its files, to perhaps restore the deleted restore point). But the latter is assuming someone can tell me what directory to place the restore point files into.
Regards and hap-e-trails, Steve Hopper
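One way to check the keys and files the Symantec write-up lists, as an added example that is not part of Steve's post or of the Symantec article; it assumes PowerShell is installed on the affected XP machine and is run from an elevated prompt.

```powershell
# Added example: reports which of the write-up's registry keys and files exist.
# A key whose (Default) value shows "(value not set)" in regedit still exists;
# that only means no default data was ever written, which is normal for most keys.

# Keys the write-up says the worm deletes (copied from the post).
$keys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Desktop\SafeMode',
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot',
    'HKLM:\SYSTEM\ControlSet003\Control\SafeBoot',   # control set numbering varies; only 001/002 is common
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
    'HKLM:\SYSTEM\MountedDevices',
    'HKLM:\SYSTEM\LastKnownGoodRecovery',
    'HKLM:\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System',
    'HKLM:\SYSTEM\ControlSet001\Control\Biosinfo'
)

# Paths the write-up says the worm copies itself to (copied from the post).
$files = @(
    'C:\Windows\System32\Userinit32.exe',   # not a normal Windows file; absent is expected
    'C:\Windows\System32\Dllhost32.exe',    # not a normal Windows file; absent is expected
    'C:\Windows\Notepad.exe',               # normal Windows file
    'C:\Windows\Regedit.exe'                # normal Windows file
)

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        # Count the named values so a key with an empty (Default) still reads as present.
        $count = (Get-Item -LiteralPath $k).ValueCount
        "PRESENT  $k  ($count named values)"
    } else {
        "MISSING  $k"
    }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $fi = Get-Item -LiteralPath $f
        # Size and the embedded company name help a helper tell a genuine
        # Microsoft file from a replaced copy of the same name.
        "PRESENT  $f  size=$($fi.Length)  company=$($fi.VersionInfo.CompanyName)"
    } else {
        "ABSENT   $f"
    }
}

# Show every value under the Run key, where the write-up says the worm adds itself.
Get-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS* | Format-List
```

Paste the output into a reply so a helper can see which keys are genuinely gone versus merely empty, and whether the two 32-suffixed files (which have no legitimate counterpart) are present.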