[Excal]

lol, sorry about that. Guess we will skip activescan.

Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

REBOOT TO SAFE MODE. This tool MUST be run in safe mode!

Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. The log file will be C:\log.txt

Reboot back to normal mode and post the contents of log.txt in your next post.

[Advertisements]

Hi

Here is the result from running the rkfiles.

Thank you.

LLevison
+++++++++++++++

C:\Documents and Settings\ll\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[llevison]

Hi

Here is the result from running the rkfiles.

Thank you.

LLevison
+++++++++++++++

C:\Documents and Settings\ll\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[Excal]

Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\RMAgentOutput.dll

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!


Hows the computer running?

Can you try this online scan:

Kaspersky


Thanks,



Excal

[llevison]

Hi Excal

I've used KillBox to remove the .dll.
The computer - I think it's running better, but I haven't been using it much. For the past couple of days I've had access to another computer, so I've been using that one. But mine seems to be running faster.

Here is the log from Kapersky.

What do we do next? Thank you.

LLevison

++++++++++++++++++++++

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 13, 2005 16:33:24
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/08/2005
Kaspersky Anti-Virus database records: 134997
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76090
Number of viruses found: 6
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 7246 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047419.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047432.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047471.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047536.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047540.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048650.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048666.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048680.exe Infected: Trojan-Clicker.Win32.Small.hh
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048685.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0049213.exe Infected: Trojan-Clicker.Win32.Small.hh
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051411.sys Infected: Rootkit.Win32.Agent.p
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051424.exe Infected: Trojan-Clicker.Win32.Small.hh
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051441.exe Infected: Backdoor.Win32.Agent.mo
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055791.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055991.exe Infected: Trojan-Clicker.Win32.Small.hh
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP149\A0057313.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP150\A0057361.exe Infected: Trojan-Proxy.Win32.Agent.fy
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP150\A0057388.exe Infected: Trojan-Clicker.Win32.Small.hh
C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP150\A0057415.exe Infected: Trojan-Clicker.Win32.Small.hh

Scan process completed.

[Excal]

All those found are in system restore and as soon as you set new points they will be gone...see below on instructions

Great job, it appears your computer is clean

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected

[llevison]

Hi Excal

Thanks so much! Already have SP2 on USB stick waiting to be installed, as well as a firewall. Adaware I installed last week, and might switch to AVG. I only ever use Opera -- until I hit a website that insists on IE.

Thanks very, very much. No new weird files either. Can't wait to get back to work!

LLevison

[Excal]

Your welcome!

Good luck and safe surfing



Excal

[Excal]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.