pant32.exe pop up messages

By philsedda ·
I've got this pop-up from the command prompt [C:\Document-1.MAS\pant32.exe] every time on my desktop whenever I log in to my PC. It's been over a week already and it's just so annoying. I've searched through Google and found out that it was a malware worm attacking the registry of my PC. I tried scanning using TuneUp utility, RegCure and Spyware Doctor but to no success. I'd really appreciate your help here.


All Answers


Try this and let us know how you get on

by Jacky Howe In reply to pant32.exe pop up message ...

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download the files.

If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

Removing malware from System Restore points
To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu XP
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu XP
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

Vista
Start, right mouse click Computer and select Properties. Select Advanced System Properties, click Continue and then System Protection. Untick the box next to Local Disk C: and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Malwarebytes Anti-Malware, install it and update it.

Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
mbam-rules: http://malwarebytes.gt500.org/mbam-rules.exe

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Run this Rootkit Revealer GMer
Gmer: http://www.gmer.net/index.php

FAQ: http://www.gmer.net/faq.php

Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

and one to turn it off but a System restart is required. Place the Batch file on the USB to turn it off.

reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.


If you are still having problems try this.

Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

http://www.combofix.org/


http://www.combofix.org/download.php

When all is clear you may need to tidy up the Registry.

Registry:

Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

Cleaner: Windows

When you first open CCleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally untick Windows Log Files and Memory Dumps as they may come in handy.

You don't have to install all of the add ons or shortcuts just the one to the Desktop.

http://www.ccleaner.com/download


Working on it!!

by philsedda In reply to Try this and let us know ...

Hey thanks a lot for the help. Actually I'm kind of confused when it comes to the registry part, because I tried removing some of the files in TuneUp utility in the registry but still it's the same. I managed to download a software for that which is Prevx 3.0; however, after a full scan it requires a license key. Damn!! Any more tips for this software? Really appreciate your help again.


What were the results from the scans ?

by Jacky Howe In reply to Working on it!!

What are you trying to remove from the registry? Forget TuneUp and Prevx.

Click on Start, Run and type in msconfig and press Enter. Click on the startup Tab.

Check the list to find the item that you are looking for, expand the "Location" column to see where it is loading from in the registry.

Click on Start, Run, type "regedt32" and click OK. Browse to the key listed in the "Location" column for Msconfig.

Delete the key on the right hand side only, that specifically matches that startup item. See example below.

Note the "Command" folder in Msconfig. Browse to this folder, and delete the .exe file itself. See example below.

:::::EXAMPLE:::::

In this example, the Startup Tab of Msconfig indicates that:

pant32.exe loads from Command "C:\WINDOWS\pant32.exe" and Location is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Now go to the registry editor and find that Run key on the left window. On the right hand Window pane you'll see each item in that Run key, specifically "pant32.exe" in this case. Delete the entry for "pant32.exe".

Browse to the C:\WINDOWS folder, and manually delete the pant32.exe file that resides there if it is still there.

Repeat these steps for each item that you want to remove.
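The steps above (find the item in the Run key, delete that one value, then delete the .exe it points at) can be checked against a saved `reg query` dump before touching anything. This is an added example, not code from the thread: it parses constructed sample output for the HKLM and HKCU Run keys (the HKCU key is the one the later scan result names), pulls the executable path out of each command, and prints the two cleanup commands for the entries you name, so you can review them before running them on the infected System.

```python
import re

# Constructed sample of `reg query <key>` output for two Run keys (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    pant32.exe    REG_SZ    "C:\WINDOWS\pant32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    system3_    REG_SZ    C:\WINDOWS\system32\system3_.exe /silent
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")          # a key header line
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")  # name, type, data

def exe_path(command):
    """Return the executable path from a Run-key command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted command: keep everything up to and including the first .exe token.
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def parse_run_keys(text):
    """Parse reg query output into (key, value_name, exe_path) tuples, in file order."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), exe_path(m.group(3))))
    return entries

def removal_plan(text, wanted):
    """Build the two cleanup commands from the post for each entry whose value name
    or executable file name is in `wanted` (case-insensitive)."""
    targets = {w.lower() for w in wanted}
    plan = []
    for key, name, path in parse_run_keys(text):
        if name.lower() in targets or path.rsplit("\\", 1)[-1].lower() in targets:
            plan.append(f'reg delete "{key}" /v "{name}" /f')
            plan.append(f'del /f "{path}"')
    return plan

if __name__ == "__main__":
    for cmd in removal_plan(SAMPLE_REG_QUERY, ["pant32.exe", "system3_.exe"]):
        print(cmd)
```

Feed it the real output of `reg query` for each Run key instead of the sample; only run the printed commands after you have confirmed each one matches the item you identified in Msconfig.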


Results from the scan..

by philsedda In reply to What were the results fro ...

The PC I'm working on is connected to 2 other PCs in a LAN and is connected to the Internet. So I guess it's something to do with the software downloads. Well, the scan results showed several threats identified:
Like here I have something as: Registry\user\S-1-S-21-527237240-573735546-1801674531\software\Microsoft\windows\currentVersion\Run
The threat identified for that is "infected entry" and the other is:
system3_.exe in c:windows\system32 and the threat identified is "High risk worm"
There are some other similar ones identified like the system3_.exe and I managed to delete them from the directory as instructed earlier. However, when I restart the PC it has the folder system3_.exe in place again, and even some new pop-ups like "windows - No Disk" Exception Processing Message parameter, with buttons like Cancel, Try Again, Continue. It just couldn't close, it keeps appearing every time I click the close button. I'm just fed up with all this. Still need your help, and thanks bro.


You should disconnect

by Jacky Howe In reply to Results from the scan..

the System from the LAN until you have this under control. See if you can work through these instructions to remove all of the references to it.

http://www.threatexpert.com/report.aspx?md5=9c5b147287dc1f05e620c5bd6016f2ea


Thanks

by philsedda In reply to You should disconnect

Hey thanks a lot, I finally managed to get rid of those pop-up messages when disconnecting from the LAN. It kind of helps when it's standalone; I will have to make sure it's under control. Thanks.


Let us know how you get on

by Jacky Howe In reply to Thanks

If you think that any of the posts that have been made by all TechRepublic Members have solved or contributed to solving the problem, please mark them as Helpful so that others may benefit from the outcome. :-bd

How do I rate the answers to my posted Question?
Click on the answer. Click the Mark "Helpful" button displayed below the post. You may mark more than one answer as "Helpful."
The answers only have to be Helpful and don't necessarily have to be a definitive answer.


pant32

by defender128 In reply to pant32.exe pop up message ...

You have a conmgr.exe in C:\RECYCLER that doesn't appear even if you turn on "show hidden files and folders" in Windows Explorer. After removing pant32.exe you need to go into Safe Mode and delete the C:\RECYCLER folder.
