can't find file.

[cb49747]

I have xp pro sp2 running on machine, Norton Antivirus which is fully updated found w32.spybot.worm and Download.Trojan in four files. Norton than says can not quarentine or delete the files as access is denied. I'm logged in as administrator. I looked for the file manually but could not see them.

Is there a way to find these files or to boot the xp machine to a dos prompt?

3 of the files are in c:\windows\system32 dir and one is in c:\windows

any help would be greatly appreciated.

 

[electronicsfreak]

Load in safe mode and run norton. That should take care of it.

 

[cb49747]

I get the same problem. Can't delete file do not have access and I can not find them in safe mode either.

 

[electronicsfreak]

Ok well first off give this antivirus a try then if it dont work follow my next step.

http://www.ewido.net/en/(full

system scan in safe mode)

If this does not work and you are comfortable with registry editing do this. Go to start, run , then type regedit. Go to edit, then find, and type in the file name. Delete all entries you find that go to that file. If they are redirecting a system file then just change it back to the system file name. Other than that delete the keys and hopefully this things not smart enough to put the keys back. If they dont come back then you can restart and kill the file. Also you might get lucky and hit ctrl alt delete and then task manager and then processes and see the file running. If so end it. As of for finding it use safe mode with command prompt and navigate to the location norton or ewido says its at if you cant get either of them to remove it and then just delete it.

 

[cb49747]

Thanks I will give it a try

 

[cb49747]

Ok doing the above I managed to delete 3 of the 4 files.

The last file is c:\windows\system32\jkheb.dll and contains the download.trojan

after deleteing all the registery pieces pointing to this file they were back when I rebooted.

It seems to be the winlogon process that is calling this file. I tried to end this process but was told it was a critical process and could not end it.

Any suggestions.

 

[electronicsfreak]

Give this a try for the stubborn file.

http://www.bleepingcomputer.com/files/killbox.php

 

[cb49747]

ok tried this to no avail. I was able to boot to a dos promt with some software of the internet but was not able to delete the file. However I could rename the file, so I did, and would you know when I rebooted all the registry pieces were now changed to use the the new file.

wtf

This is killing me. If I find the son of a gun that built this damn thing.

any other suggestions on how to delete this file?

 

[cb49747]

Ok I renamed the dll file to .txt using this ntfs to dos software, and the whole thing crashed. Rebooted and the file was gone.

Yippie

Thanks for all your help, learned about some new tools.

Thanks again.

 

[electronicsfreak]

n/p glad to hear you got it sorted out. By the way your windows is still operating right? Just wondering since you mentioned it crashed lol.

 

[cb49747]

It did crash but after the reboot it was fine.

ran some spyware software and antivirus again and everything evil seemed to have been wiped of the computer.

however with my last reboot the computer gets to the windows screen and then shuts down. I think I may have messed uup something in the registry while messing with it.

I'm going to look at the boot log and see what I can see there, but I'm hoping I can fix this with wiping the pc clean. It also does the same in safe mode. I had the system restore turned off while I did all this so there is no last good configuration either.

any ideas?

 

[electronicsfreak]

Load into recovery mode of the cd and try running sfc/scannow. Also run scandisc(chkdisk) and defrag from there if you can.

Let me know what happens

 

[cb49747]

I loaded the cd in recovery mode but did not have sfc or scandisc command

Do you know how I can get them

 

[electronicsfreak]

Here you go

http://support.microsoft.com/default.aspx?scid=kb;en-us;315265