
Dr Watson Postmortem Debugger [RESOLVED]


  • This topic is locked

#16
Fidel Castro

Member, Topic Starter, 162 posts
I don't know if there are other "empty" files in the computer, but I found 118 similar files in the same place [C:\]

Here is the report of RamFiles:

Volume in drive C is System disk
Volume Serial Number is 08FD-7BB9

Directory of C:\

Volume in drive C is System disk
Volume Serial Number is 08FD-7BB9

Directory of C:\

Volume in drive C is System disk
Volume Serial Number is 08FD-7BB9

Directory of C:\

02/16/2007 10:12 PM 0 2007-02-16 at 09
02/23/2007 04:44 PM 0 2007-02-23 at 03
02/24/2007 04:30 PM 0 2007-02-24 at 03
03/02/2007 05:24 PM 0 2007-03-02 at 04
03/03/2007 01:19 PM 0 2007-03-03 at 12
03/09/2007 04:52 PM 0 2007-03-09 at 03
03/09/2007 09:00 PM 0 2007-03-09 at 08
03/16/2007 05:06 PM 0 2007-03-16 at 04
03/16/2007 07:06 PM 0 2007-03-16 at 06
03/18/2007 02:13 AM 0 2007-03-18 at 01
03/22/2007 05:39 PM 0 2007-03-22 at 04
03/30/2007 04:26 PM 0 2007-03-30 at 04
04/01/2007 12:55 PM 0 2007-04-01 at 12
04/05/2007 06:49 PM 0 2007-04-05 at 06
04/09/2007 06:07 PM 0 2007-04-09 at 06
04/13/2007 04:26 PM 0 2007-04-13 at 04
04/14/2007 03:26 AM 0 2007-04-14 at 03
04/14/2007 08:34 PM 0 2007-04-14 at 08
05/06/2007 05:28 AM 0 2007-05-06 at 05
05/12/2007 03:10 AM 0 2007-05-12 at 03
05/19/2007 07:33 PM 0 2007-05-19 at 07
05/19/2007 09:51 PM 0 2007-05-19 at 09
05/20/2007 07:26 PM 0 2007-05-20 at 07
05/23/2007 04:23 AM 0 2007-05-23 at 04
05/26/2007 12:07 AM 0 2007-05-26 at 12
05/28/2007 01:24 AM 0 2007-05-28 at 01
05/29/2007 04:03 AM 0 2007-05-29 at 04
05/31/2007 01:43 AM 0 2007-05-31 at 01
06/01/2007 03:33 AM 0 2007-06-01 at 03
06/02/2007 03:46 AM 0 2007-06-02 at 03
06/03/2007 03:37 AM 0 2007-06-03 at 03
06/04/2007 02:21 AM 0 2007-06-04 at 02
06/04/2007 06:54 PM 0 2007-06-04 at 06
06/05/2007 03:07 AM 0 2007-06-05 at 03
06/07/2007 03:34 AM 0 2007-06-07 at 03
06/09/2007 02:47 AM 0 2007-06-09 at 02
06/11/2007 03:04 AM 0 2007-06-11 at 03
06/12/2007 03:38 AM 0 2007-06-12 at 03
06/14/2007 05:53 AM 0 2007-06-14 at 05
06/19/2007 09:28 PM 0 2007-06-19 at 09
06/20/2007 05:07 PM 0 2007-06-20 at 05
06/21/2007 03:55 PM 0 2007-06-21 at 03
06/21/2007 04:06 AM 0 2007-06-21 at 04
06/21/2007 08:05 PM 0 2007-06-21 at 08
06/23/2007 08:44 PM 0 2007-06-23 at 08
06/25/2007 04:02 AM 0 2007-06-25 at 04
06/25/2007 10:55 PM 0 2007-06-25 at 10
06/28/2007 07:11 PM 0 2007-06-28 at 07
06/28/2007 08:10 PM 0 2007-06-28 at 08
06/28/2007 11:57 PM 0 2007-06-28 at 11
06/29/2007 02:32 AM 0 2007-06-29 at 02
06/29/2007 07:19 PM 0 2007-06-29 at 07
07/01/2007 01:33 PM 0 2007-07-01 at 01
07/01/2007 03:56 AM 0 2007-07-01 at 03
07/03/2007 09:57 PM 0 2007-07-03 at 09
07/04/2007 05:57 PM 0 2007-07-04 at 05
07/05/2007 04:00 AM 0 2007-07-05 at 04
07/06/2007 04:14 AM 0 2007-07-06 at 04
07/07/2007 05:16 PM 0 2007-07-07 at 05
07/08/2007 01:14 AM 0 2007-07-08 at 01
07/11/2007 02:49 AM 0 2007-07-11 at 02
07/12/2007 09:01 PM 0 2007-07-12 at 09
07/14/2007 03:55 AM 0 2007-07-14 at 03
07/15/2007 03:06 AM 0 2007-07-15 at 03
07/16/2007 02:56 AM 0 2007-07-16 at 02
07/17/2007 02:34 AM 0 2007-07-17 at 02
07/25/2007 03:34 AM 0 2007-07-25 at 03
08/07/2007 04:44 AM 0 2007-08-07 at 04
08/08/2007 04:04 AM 0 2007-08-08 at 04
08/10/2007 03:17 AM 0 2007-08-10 at 03
08/12/2007 10:00 PM 0 2007-08-12 at 10
08/15/2007 12:55 PM 0 2007-08-15 at 12
08/18/2007 11:53 PM 0 2007-08-18 at 11
08/30/2007 04:10 AM 0 2007-08-30 at 04
09/02/2007 08:09 PM 0 2007-09-02 at 08
09/10/2007 11:22 PM 0 2007-09-10 at 11
09/25/2007 02:21 AM 0 2007-09-25 at 02
09/25/2007 04:48 AM 0 2007-09-25 at 04
10/07/2007 01:13 AM 0 2007-10-07 at 01
10/13/2007 08:33 PM 0 2007-10-13 at 08
10/15/2007 05:18 PM 0 2007-10-15 at 05
10/22/2007 04:33 AM 0 2007-10-22 at 04
11/26/2007 10:55 PM 0 2007-11-26 at 09
12/01/2007 04:53 AM 0 2007-12-01 at 03
12/04/2007 12:47 AM 0 2007-12-03 at 11
02/10/2007 11:40 AM 0 AUTOEXEC.BAT
02/12/2007 11:12 AM 211 boot.ini
02/21/2008 06:05 PM 3,222 cheaters.log
03/30/2008 06:49 PM 8,840,133 ComboFix.txt
02/10/2007 11:40 AM 0 CONFIG.SYS
02/21/2008 12:04 PM 28,672 file.datastore
03/31/2008 10:03 AM 536,203,264 hiberfil.sys
02/18/2007 04:42 PM 160 INSTALL.LOG
02/10/2007 11:40 AM 0 IO.SYS
05/10/2000 06:46 PM 129,078 logo.syd
05/10/2000 06:46 PM 129,078 logo.sys
02/10/2007 11:40 AM 0 MSDOS.SYS
12/31/2002 02:00 PM 47,564 NTDETECT.COM
12/31/2002 02:00 PM 250,032 ntldr
03/31/2008 10:03 AM 805,306,368 pagefile.sys
03/29/2008 09:29 PM 27,165 SAFEBOOT_REPAIR.TXT
09/15/2005 07:54 PM 696,320 StubInstaller.exe
04/04/2007 09:47 PM 32,768 t24o
02/17/2007 06:32 PM 178 Yahoo! Music.url
02/17/2007 06:32 PM 179 Yahoo! Photos.url
02/17/2007 06:31 PM 146 YServer.txt
106 File(s) 1,351,694,538 bytes
0 Dir(s) 6,256,594,944 bytes free



#17
JSntgRvr

Global Moderator, 11,579 posts
Hi, Fidel Castro :)

Those files were being created since February, 2007.

Please download the enclosed folder. [attachment=19562:RemFiles_2.zip] Save and extract its contents to the desktop. It is a batch file, RemFiles_2.bat. Once extracted, double-click on it and post back the report it will produce.

How is the computer doing?

#18
Fidel Castro

Here is the second report of RamFiles:

Volume in drive C is System disk
Volume Serial Number is 08FD-7BB9

Directory of C:\

Volume in drive C is System disk
Volume Serial Number is 08FD-7BB9

Directory of C:\

02/10/2007 11:40 AM 0 AUTOEXEC.BAT
02/12/2007 11:12 AM 211 boot.ini
02/21/2008 06:05 PM 3,222 cheaters.log
03/30/2008 06:49 PM 8,840,133 ComboFix.txt
02/10/2007 11:40 AM 0 CONFIG.SYS
02/21/2008 12:04 PM 28,672 file.datastore
03/31/2008 12:32 PM 536,203,264 hiberfil.sys
02/18/2007 04:42 PM 160 INSTALL.LOG
02/10/2007 11:40 AM 0 IO.SYS
05/10/2000 06:46 PM 129,078 logo.syd
05/10/2000 06:46 PM 129,078 logo.sys
02/10/2007 11:40 AM 0 MSDOS.SYS
12/31/2002 02:00 PM 47,564 NTDETECT.COM
12/31/2002 02:00 PM 250,032 ntldr
03/31/2008 12:32 PM 805,306,368 pagefile.sys
03/29/2008 09:29 PM 27,165 SAFEBOOT_REPAIR.TXT
09/15/2005 07:54 PM 696,320 StubInstaller.exe
04/04/2007 09:47 PM 32,768 t24o
02/17/2007 06:32 PM 178 Yahoo! Music.url
02/17/2007 06:32 PM 179 Yahoo! Photos.url
02/17/2007 06:31 PM 146 YServer.txt
21 File(s) 1,351,694,538 bytes
0 Dir(s) 6,323,556,352 bytes free


P.S. The computer is doing ok... I think so... But I think I had more disk memory [free memory on Disk C:] before these viruses and other "errors"...

#19
Fidel Castro

EDIT: Oh, I just noticed... I have almost 6GB free on C: now so everything is ok with the memory now... Should I do something else or do you think you solved everything?

You guys rock! Really...

#20
JSntgRvr

Hi, Fidel Castro. :)

I believe you are good now, congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.



  • If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

#21
Fidel Castro

I can't find that System Restore tab... I have full administrator access 100% because it's the only account on this computer.

Maybe the "problem" is that I use some Vista Plug-in for Win XP and maybe the position of the location of that option is different.. [maybe I should remove that plug-in].. The program I use is ViStart and you can find it here:

http://www.lee-soft.com/
[I'm giving you the link to see how it looks and maybe to tell me if I should remove it or I can keep it]

Here is the screenshot of my System Properties: [and as you can see there is no System Restore tab]

Posted Image

Edited by Fidel Castro, 31 March 2008 - 07:36 AM.


#22
JSntgRvr

Go to Start / Run, type Services.msc and click OK.

Scroll down to System Restore service. Double click on it. Make sure the service is started and is set to Automatic.

#23
Fidel Castro

I can't find System Restore service... This is a screenshot .. Only 1 "thing" with the starting word "system"...

Posted Image

Edited by Fidel Castro, 31 March 2008 - 10:01 AM.


#24
Fidel Castro

P.S. I searched my PC and I found a shortcut "System Restore" of the original "rstrui" file...

I tried to open the file [the shortcut and the original too] but I saw this "error":

Posted Image

I restarted the computer and tried again but I encountered the same message...

#25
JSntgRvr

Run Services.msc again. Scroll down to Remote Procedure Call. There should be two entries, the RPC and the Locator. Both entries must appear as an Automatic startup, and Started. The main entry (RPC) may not allow you to start or stop the service. The buttons will look faded.

If any of these services is stopped, start the service. Let me know any error message you may receive.

Please download the enclosed folder. [attachment=19569:QueryLSA.zip] Save and extract its contents to the desktop. It is a batch file, QueryLSA.bat. Once extracted, double-click on it and post back the report it will produce.


#26
Fidel Castro

I'll be back on Friday...

#27
Fidel Castro

Ok, here is the report... without any problems...


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Bounds REG_BINARY 0030000000200000
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
ImpersonatePrivilegeUpgradeToolHasRun REG_DWORD 0x1
LsaPid REG_DWORD 0x3a4
SecureBoot REG_DWORD 0x1
auditbaseobjects REG_DWORD 0x0
crashonauditfail REG_DWORD 0x0
disabledomaincreds REG_DWORD 0x0
everyoneincludesanonymous REG_DWORD 0x0
fipsalgorithmpolicy REG_DWORD 0x0
forceguest REG_DWORD 0x1
fullprivilegeauditing REG_BINARY 00
limitblankpassworduse REG_DWORD 0x1
lmcompatibilitylevel REG_DWORD 0x0
nodefaultadminowner REG_DWORD 0x1
nolmhash REG_DWORD 0x0
restrictanonymous REG_DWORD 0x0
restrictanonymoussam REG_DWORD 0x1
Notification Packages REG_MULTI_SZ scecli\0\0
enabledcom REG_SZ y

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache


#28
JSntgRvr

Hi, Fidel Castro :)

All seems in place. You will need to reinstall System Restore. This is how:

http://windowsxp.mvps.org/repairsr.htm

Keep me posted.
  • 0
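
Added example (not part of the thread, and not the QueryLSA.bat script itself): a parser for a pasted REG.EXE 3.0 report like the one in post #27 that lists any entry in the three LSA package values that is not in a baseline. The function names, the `BASELINE` table (taken from the values in that report) and the `examplepkg` entry in the constructed sample are assumptions made for illustration.

```python
import re

# Constructed sample in the REG.EXE 3.0 layout of the report above;
# "examplepkg" is a made-up entry added so the check has something to flag.
SAMPLE_REPORT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0examplepkg\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
LsaPid REG_DWORD 0x3a4
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos
"""
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Assumption: the baseline is the package lists shown in the report above.
BASELINE = {
    "authentication packages": {"msv1_0"},
    "security packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "notification packages": {"scecli"},
}
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

def parse_reg_report(text):
    """Return {key_path_lower: {value_name_lower: (type, decoded_data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or the "! REG.EXE VERSION" banner
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # not a "name TYPE data" line
        rtype, data = m["type"], m["data"] or ""
        if rtype == "REG_MULTI_SZ":
            # reg.exe prints the two literal characters \0 between strings
            data = [s for s in data.split("\\0") if s]
        elif rtype == "REG_DWORD" and data:
            data = int(data, 16)
        current[m["name"].lower()] = (rtype, data)
    return keys

def unexpected_packages(keys):
    """Return (value_name, entry) pairs under the LSA key that BASELINE lacks."""
    values = keys.get(LSA_KEY, {})
    findings = []
    for name, allowed in BASELINE.items():
        _, entries = values.get(name, ("REG_MULTI_SZ", []))
        findings += [(name, e) for e in entries if e.lower() not in allowed]
    return findings

print(unexpected_packages(parse_reg_report(SAMPLE_REPORT)))
```

An empty result only means the lists match the baseline; the baseline itself has to come from a known-good machine of the same Windows version.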

#29
Fidel Castro

I found the sr file but after I clicked install I don't have %Windir%\ServicePackFiles folder and neither Win XP software so I couldn't finish the installation...

Should I install the Service Pack 2? Or you have a folder that I need?

#30
JSntgRvr

Download the enclosed folder. [attachment=19688:FindFiles.zip] Save and extract its contents to the desktop. Once extracted, open the folder and double-click on the FindFiles.bat file. A report should be produced, Results.txt. Post the contents of this report.

Edited by JSntgRvr, 05 April 2008 - 03:33 PM.






