
Delete Failed on Norton Antivirus [resolved]



#1
goateez

    New Member

  • Member
  • Pip
  • 9 posts
I'm trying to delete the following files, highlighted as spyware threats in Norton SystemWorks Pro 2004:
abasa5jrp_.exe
hochkaod3_.exe

I can see the files in explorer by viewing the hidden/ system files, but cannot delete them.

I've also looked on the Norton site at how to remove these threats. I checked the registry as directed and found no references to those files.

But when I do a full scan using Norton - I get these two files.

Have followed all the steps in the pinned post.

I'm running Norton System Works Pro 2004.
Also have:
Ad-aware SE
Spybot S&D
SpywareBlaster

My Log of HijackThis is below.

Thanks for any help I receive!

J.

Logfile of HijackThis v1.99.1
Scan saved at 20:00:56, on 12/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.2.2.2\InstallStub.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Common Files\Symantec Shared\Nmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:\\CastleDC\ECI\Index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ylgs.org.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.2.2\InstallStub.exe -a
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:\\CastleDC\ECI\Index.htm
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101920755214
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Copy the text from the box to an empty file in Notepad:
%systemdrive%
cd \
dir /s abasa5jrp*.* > c:\log.txt
start log.txt

Save the file
on your desktop
as find.bat
save as type: all files
End Notepad.

Go to your desktop. Double-click the file find.bat.

Post the content of the Notepad file log.txt here in your answer.
  • 0

#3
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here are the contents of my log file from running that batch file:

Volume in drive C has no label.
Volume Serial Number is 30F3-FC19
  • 0

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Copy the text in the box to an empty Notepad file.

%systemdrive%
cd C:\windows\Downlo~1
echo %CD% > c:\log.txt
dir >> C:\log.txt
attrib -r -s -h abasa~1.exe
if Exist C:\windows\Downlo~1\abasa~1.exe echo "File is present" >> c:\log.txt
del abasa~1.exe
if Exist C:\windows\Downlo~1\abasa~1.exe echo "File not deleted" >> c:\log.txt
start c:\log.txt
exit

Save it as clear.bat to your desktop. Choose save as type: "all types *.*".
Close Notepad.
Double-click clear.bat.

Post the content of the file log.txt here in your answer.
  • 0

#5
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for your help btw!

Here's my log file again:



C:\WINDOWS\DOWNLO~1
Volume in drive C has no label.
Volume Serial Number is 30F3-FC19

Directory of C:\WINDOWS\DOWNLO~1

18/02/2005 15:11 202,352 avsniff.dll
18/02/2005 15:09 773 avsniff.inf
18/02/2005 15:11 198,256 avsniffdlgs.dll
07/10/2004 22:16 815 bitdefender.inf
07/10/2004 23:05 327,680 bitdefender.ocx
18/02/2005 15:09 241 CabSA.inf
09/03/2005 01:00 2,390 catalog.dat
09/03/2005 01:00 6,899 ecbootil.vxd
09/03/2005 01:00 210,552 ecmsvr32.dll
12/07/2000 03:02 36,864 fxfileop.dll
15/02/2005 17:05 227 istactivex.inf
08/10/2004 16:01 372,736 MsnPUpld.dll
08/10/2004 16:13 587 MSNPupld.inf
18/02/2005 15:07 6,850 navapi.vxd
18/02/2005 15:07 201,896 navapi32.dll
09/03/2005 01:00 124,576 naveng32.dll
09/03/2005 01:00 685,728 navex32a.dll
22/08/2003 21:10 226 opuc.inf
23/02/2005 18:29 165,976 PlaxoInstall.dll
23/02/2005 18:09 874 PlaxoInstall.inf
22/09/2004 15:59 110,592 PURen-us.dll
09/10/2003 10:32 144 QTPlugin.inf
18/02/2005 15:14 161,432 rufsi.dll
09/03/2005 01:00 87,360 scrauth.dat
01/02/2005 10:41 556 setup4002b.ini
08/12/2003 13:58 3,759 swflash.inf
09/03/2005 01:00 8,137 symaveng.cat
09/03/2005 01:00 900 symaveng.inf
09/03/2005 01:00 10,205 tcdefs.dat
09/03/2005 01:00 473,847 tcscan7.dat
09/03/2005 01:00 73,597 tcscan8.dat
09/03/2005 01:00 265,113 tcscan9.dat
09/03/2005 01:00 453 tinf.dat
09/03/2005 01:00 148 tinfidx.dat
09/03/2005 01:00 1,957 tinfl.dat
09/03/2005 01:00 38,417 tscan1.dat
09/03/2005 01:00 1,237 tscan1hd.dat
31/10/2001 11:37 118 uninst.bat
09/03/2005 01:00 5,516 v.grd
09/03/2005 01:00 2,225 v.sig
09/03/2005 01:00 106,244 virscan.inf
09/03/2005 01:00 918,064 virscan1.dat
09/03/2005 01:00 551,322 virscan2.dat
09/03/2005 01:00 144,740 virscan3.dat
09/03/2005 01:00 316,532 virscan4.dat
09/03/2005 01:00 244,862 virscan5.dat
09/03/2005 01:00 381,366 virscan6.dat
09/03/2005 01:00 1,950,027 virscan7.dat
09/03/2005 01:00 1,255,186 virscan8.dat
09/03/2005 01:00 2,037,993 virscan9.dat
09/03/2005 01:00 32 virscant.dat
12/03/2005 17:30 2,072 vscanmsx.dat
03/08/2004 14:51 293 wuweb.inf
09/03/2005 15:28 2,144 xscan60.inf
09/03/2005 15:31 450,614 xscan60.ocx
26/01/2004 18:42 856 yinst.inf
26/01/2004 18:40 133,120 yinsthelper.dll
09/03/2005 01:00 224 zdone.dat
58 File(s) 12,287,902 bytes
0 Dir(s) 29,602,467,840 bytes free
  • 0

#6
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Copy the text from the box to an empty file in Notepad:
%systemdrive%
cd \
dir /s hochka*.* > c:\log.txt
start log.txt

Save the file
on your desktop
as find.bat
save as type: all files
End Notepad.

Go to your desktop. Double-click the file find.bat.

Post the content of the Notepad file log.txt here in your answer.

BTW, we just enjoy helping!

Edited by g2i2r4, 17 March 2005 - 05:01 PM.

  • 0

#7
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I just found another one you really need to get rid of.

Copy the text in the box to an empty Notepad file.

%systemdrive%
cd C:\windows\Downlo~1
echo %CD% > c:\log1.txt
dir >> C:\log1.txt
attrib -r -s -h istac~1.inf
if Exist C:\windows\Downlo~1\istac~1.inf echo "File is present" >> c:\log1.txt
del istac~1.inf
if Exist C:\windows\Downlo~1\istac~1.inf echo "File not deleted" >> c:\log1.txt
start c:\log1.txt
exit


Save it as clear1.bat to your desktop. Choose save as type: "all types *.*".
Close Notepad.
Double-click clear1.bat.

Post the content of the file log1.txt here in your answer.

Edited by g2i2r4, 17 March 2005 - 05:07 PM.

  • 0

#8
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It's good to know you enjoy helping!

Here's log.txt

Volume in drive C has no label.
Volume Serial Number is 30F3-FC19


Here's log1.txt

C:\WINDOWS\DOWNLO~1
Volume in drive C has no label.
Volume Serial Number is 30F3-FC19

Directory of C:\WINDOWS\DOWNLO~1

18/02/2005 15:11 202,352 avsniff.dll
18/02/2005 15:09 773 avsniff.inf
18/02/2005 15:11 198,256 avsniffdlgs.dll
07/10/2004 22:16 815 bitdefender.inf
07/10/2004 23:05 327,680 bitdefender.ocx
18/02/2005 15:09 241 CabSA.inf
09/03/2005 01:00 2,390 catalog.dat
09/03/2005 01:00 6,899 ecbootil.vxd
09/03/2005 01:00 210,552 ecmsvr32.dll
12/07/2000 03:02 36,864 fxfileop.dll
15/02/2005 17:05 227 istactivex.inf
08/10/2004 16:01 372,736 MsnPUpld.dll
08/10/2004 16:13 587 MSNPupld.inf
18/02/2005 15:07 6,850 navapi.vxd
18/02/2005 15:07 201,896 navapi32.dll
09/03/2005 01:00 124,576 naveng32.dll
09/03/2005 01:00 685,728 navex32a.dll
22/08/2003 21:10 226 opuc.inf
23/02/2005 18:29 165,976 PlaxoInstall.dll
23/02/2005 18:09 874 PlaxoInstall.inf
22/09/2004 15:59 110,592 PURen-us.dll
09/10/2003 10:32 144 QTPlugin.inf
18/02/2005 15:14 161,432 rufsi.dll
09/03/2005 01:00 87,360 scrauth.dat
01/02/2005 10:41 556 setup4002b.ini
08/12/2003 13:58 3,759 swflash.inf
09/03/2005 01:00 8,137 symaveng.cat
09/03/2005 01:00 900 symaveng.inf
09/03/2005 01:00 10,205 tcdefs.dat
09/03/2005 01:00 473,847 tcscan7.dat
09/03/2005 01:00 73,597 tcscan8.dat
09/03/2005 01:00 265,113 tcscan9.dat
09/03/2005 01:00 453 tinf.dat
09/03/2005 01:00 148 tinfidx.dat
09/03/2005 01:00 1,957 tinfl.dat
09/03/2005 01:00 38,417 tscan1.dat
09/03/2005 01:00 1,237 tscan1hd.dat
31/10/2001 11:37 118 uninst.bat
09/03/2005 01:00 5,516 v.grd
09/03/2005 01:00 2,225 v.sig
09/03/2005 01:00 106,244 virscan.inf
09/03/2005 01:00 918,064 virscan1.dat
09/03/2005 01:00 551,322 virscan2.dat
09/03/2005 01:00 144,740 virscan3.dat
09/03/2005 01:00 316,532 virscan4.dat
09/03/2005 01:00 244,862 virscan5.dat
09/03/2005 01:00 381,366 virscan6.dat
09/03/2005 01:00 1,950,027 virscan7.dat
09/03/2005 01:00 1,255,186 virscan8.dat
09/03/2005 01:00 2,037,993 virscan9.dat
09/03/2005 01:00 32 virscant.dat
12/03/2005 17:30 2,072 vscanmsx.dat
03/08/2004 14:51 293 wuweb.inf
09/03/2005 15:28 2,144 xscan60.inf
09/03/2005 15:31 450,614 xscan60.ocx
26/01/2004 18:42 856 yinst.inf
26/01/2004 18:40 133,120 yinsthelper.dll
09/03/2005 01:00 224 zdone.dat
58 File(s) 12,287,902 bytes
0 Dir(s) 29,588,717,568 bytes free
  • 0

#9
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
At the bottom of log1.txt it should state
file is present or
file not deleted.
Can you tell me which one you have?

Can you tell me where Norton states to have found the two malware files? Should be somewhere in the logs.

Edit: I'll get back to you tomorrow, I really need my sleep now ;-)

Edited by g2i2r4, 17 March 2005 - 06:01 PM.

  • 0

#10
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hmm...

There was no statement at the bottom of log1.txt !

Here is a copy of the two warnings from my Norton Log:

Source: hochkaod3_.exe
Description: The compressed file hochkaod3_.exe within C:\Documents and Settings\James D'Souza\Local Settings\Temp\setup4002b.cab is a Adware threat.

Source: abasa5jrp_.exe
Description: The compressed file abasa5jrp_.exe within C:\Documents and Settings\James D'Souza\Local Settings\Temp\setup4002b.cab is a Adware threat.

Both files are in this directory. I can see them when I 'view system files' in explorer.

Hope this helps.

J.

PS I needed my sleep too! It's early morning now!
  • 0
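
Post #10 reports that log1.txt ended without either status line. With the scripts as posted, that is what happens when the `if Exist` test never matches, for example when a hand-typed short name such as istac~1.inf is not the 8.3 name Windows generated (by default it keeps the first six characters, so istactivex.inf becomes ISTACT~1.INF). The batch file below is an added example, not part of any post in this thread: it uses the quoted long name and always logs one outcome; the folder, file name and log path are taken from the posts above, and the variable names and RESULT lines are this example's own.

```batch
@echo off
rem Added example, not from the thread. TARGET_DIR, TARGET_NAME and LOG are
rem assumptions based on the posts above; adjust them before use.
setlocal
set "TARGET_DIR=%SystemRoot%\Downloaded Program Files"
set "TARGET_NAME=istactivex.inf"
set "TARGET=%TARGET_DIR%\%TARGET_NAME%"
set "LOG=%SystemDrive%\log1.txt"

rem Start a fresh log and record exactly which path is being tested.
> "%LOG%" echo Target: %TARGET%

rem /a includes hidden and system entries; /x adds a column with the real
rem 8.3 short name, so a guessed name can be compared with the actual one.
dir /a /x "%TARGET_DIR%" >> "%LOG%" 2>&1

rem Log an explicit result when the file is absent, so an empty tail of the
rem log can no longer be mistaken for "nothing happened".
if not exist "%TARGET%" (
    >> "%LOG%" echo RESULT: file not found, nothing to delete
    goto :done
)
>> "%LOG%" echo RESULT: file is present

rem Clear read-only, system and hidden in one call, then force the delete.
rem Errors (access denied, file in use) go to the log instead of the screen.
attrib -r -s -h "%TARGET%" >> "%LOG%" 2>&1
del /f /q "%TARGET%" >> "%LOG%" 2>&1

rem Re-test after the delete and record which way it went.
if exist "%TARGET%" (
    >> "%LOG%" echo RESULT: file not deleted
) else (
    >> "%LOG%" echo RESULT: file deleted
)

:done
start "" notepad "%LOG%"
endlocal
```

A "file not deleted" result with an "Access is denied" or "in use" line above it in the log points to a locked file, which is the case the delete-on-reboot step later in the thread is meant for.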



#11
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Log in to your computer using the account James D'Souza.

Go to start - this computer.
Right-click the symbol for your C drive. Go to the tab properties - general.
Click the button Disk Cleanup.

Put a check to:
Downloaded Program Files
Temporary Internet Files
Recycle Bin

Scan only C:\Documents and Settings\ and see how things are now.

Edit: great those timezones; it's 8 o'clock in the evening here :tazz:

Edited by g2i2r4, 18 March 2005 - 01:13 PM.

  • 0

#12
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Right...

I did what you said: logged in as James D'Souza, went to my computer, properties etc.

I then scanned the C:\Documents and Settings directory with the a2 scanner...and came back with nothing...

I then scanned it with Norton Anti Virus, and came up with the same 2 files...

...have I missed something? :tazz:

J.
  • 0

#13
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
These files are on some kind of DOS level. NAV is able to see them and points them out to you. Many other scanners don't see them. The problem is that it cannot clean them.

OK, this method worked for someone else. Let's see if it works for you too.

first step
Let's clean out the temp files first.

Download CleanUp!.
Double-click the file cleanup312. Then open the program.

Go to options
set the level to custom
put a check to:
* prefetch
* cookies
* temp files
* all users
Run the program.
It can take a while.
When it's done, it will tell you how many files were deleted and how much space it cleared.
Then log off and log on again with your user account to get rid of files that were in use at the time of the scan.

second step
Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. Copy the text from the box and paste it into the 'full path of file to delete' box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say Yes.
Let the system reboot.

c:\Documents and Settings\James D'Souza\Local Settings\Temp\setup4002b.cab

Let's scan again. How are things now?
  • 0

#14
goateez

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
g2i2r4!

The url to the cleanup prog doesn't work!

Have got the pocket killbox zip ok.

One other point:
The .cab directory with the infected files has other files in it (I'm assuming they're not relevant to anything):
u6f6uftuc_.exe
lkir8l2gm_.dll
websinstaller.dll
hochkaod3_.ini
setup4002b.ini
u6f6uftuc_.ini
set.inf

Could I just delete the whole .cab directory? Do I need the other files? It allows me to select 'delete' when I right click so I think I could do it.

J.

PS I have to say, I'm really impressed with this forum and the level of response - I'm going to recommend it to everyone I know, and make a small donation to you. It won't be much (I'm a part time teacher) but I will do so once this problem is solved (I'm sure it will be!)
  • 0

#15
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I would recommend getting rid of the whole cab. But if you are unsure; put it on a disk and keep it there.

I'll check on the cleanup program.
  • 0





