[kelkay]

It says it cannot find the file specified. When notepad comes up, nothing is on it. I just put seek.bat as the name of the file...not seek.bat.txt It was saved on desktop as you requested.

[Advertisements]

Nevermind that, probably been cleared anyway.

Download OTCleanit then save it to your Desktop.

• Double-click on OTCleanIt.exe to run
• Click on the CleanUp! button
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Then,

We'll run a deep scan to be sure we didn't miss any.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next,

Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)

• Unzip it to your desktop.
• Open the rootkitrevealer folder and double-click rootkitrevealer.exe
• Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
• Click the Scan button (bottom right)
• It may take a while to scan (don't do anything while it's running)
• When it's done, go up to File > Save. Choose to save it to your desktop.
• Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Finally,

Please do an online scan with Kaspersky WebScanner

Temporarily disable your resident Antivirus software before proceeding.

Welcome Information page will open. Click on Accept

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded, click on Scan
  • Now under that section select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save Report as button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Enable resident Antivirus protection once done.

Please post back with the following logs.

- Rootkitrevealer log
- Kaspersky log

[koko_crunch]

Nevermind that, probably been cleared anyway.

Download OTCleanit then save it to your Desktop.

• Double-click on OTCleanIt.exe to run
• Click on the CleanUp! button
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Then,

We'll run a deep scan to be sure we didn't miss any.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next,

Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)

• Unzip it to your desktop.
• Open the rootkitrevealer folder and double-click rootkitrevealer.exe
• Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
• Click the Scan button (bottom right)
• It may take a while to scan (don't do anything while it's running)
• When it's done, go up to File > Save. Choose to save it to your desktop.
• Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Finally,

Please do an online scan with Kaspersky WebScanner

Temporarily disable your resident Antivirus software before proceeding.

Welcome Information page will open. Click on Accept

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded, click on Scan
  • Now under that section select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save Report as button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Enable resident Antivirus protection once done.

Please post back with the following logs.

- Rootkitrevealer log
- Kaspersky log

[kelkay]

I was on the Rootkit Revealer, and the scan completed. It showed 83,335 discrepancies. But it won't let me save the file...when I click file a black box shows up with nothing to choose from. Options is the same way.

[kelkay]

scratch that, NOW it is letting me...strange

[koko_crunch]

Just attach the log please.

[kelkay]

I clicked it to save to desktop. When I did that it started acting like the computer would freeze up. When I looked on the desktop I do not see that file. I saw Eula.txt but that was not the right one. If I go to rootkitrevealer.txt it has a shortcut for it, but it wants me to browse to find it. Very strange.

[kelkay]

I guess I should add that when I clicked save to desktop, Rootkit Revealer closed itself, I did not close it. I thought no big deal, I would just save another file, but when I went to look for it at the windows, it was gone.

[kelkay]

Should I try to run the thing again? I looked under search for the file...it is not there. Like I said, only a shortcut is there for it.

[kelkay]

Ok well I am too tired to do anymore tonight. Just leave a note for what you want me to do. Thanks for your help.

[koko_crunch]

Let's use a different tool.

Please download and unzip IceSword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

[kelkay]

Processes 0
Win32 Services 0
Startup 0
SSDT There were 28 instances in red on this one. \SystemRoot\System32\vsdatant.sys
Message Hooks= I am not really sure what you meant by this one. There were no items in red. I will list ten entries that were under this.
WH_Mouse C:\Program Files\Updates from HP\9972322\Updates from...
WH_CBT Same as above
WH_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.ext
Wh_CBT C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_GetMessage C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_CBT C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_MsgFilter C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...

Edited by kelkay, 25 June 2008 - 10:42 AM.

[kelkay]

The ten I listed were under the Wh_Keyboard They were not a Wh_Keyboard though, they were just UNDER it. I wrote down their type to try and help avoid any confusion.

[koko_crunch]

Hey,

We'll have to repeat this.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labeled WH_KEYBOARD. Write down the full Process Path of these entries if present.


Also, could you write the full path of these files.
I really need to find out what files are running under WH_KEYBOARD.

WH_Mouse C:\Program Files\Updates from HP\9972322\Updates from...
WH_CBT Same as above
WH_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.exe
Wh_GetMessage C:\Program Files\Zone Labs\Zone Alarm\zlclient.ext
Wh_CBT C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_GetMessage C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_CBT C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...
Wh_MsgFilter C:\Documents and Settings\Kelly\Desktop\IceSword\IceSword122e...

[kelkay]

I went back just now and there is no Wh_Keyboard entries at all.

[kelkay]

What I typed in was everything that was listed under path name...I ran the mouse over it to see if it said more, but nothing else came up. This was on the stuff in red, not under the Wh_KEYBOARD. As I said previously, nothing was listed as Wh_KEYBOARD this time at all.