Type: Posts; User: bithead; Keyword(s):

  1. Replies
    49
    Views
    31,430

    Well, Thank you! Thank you! Thank you! :D

    The Redhat.pst is another Outlook archive, so I need to be careful with it.

    The MVPS Hosts file is a cool idea -- thanks! And I grabbed...
  2. Replies
    49
    Views
    31,430

    It's here! :) Some notes:

    1) I said the PC has over a million files on it. That was based on what Panda was reporting. From the Kaspersky scan, it appears that Panda was counting the files...
  3. Replies
    49
    Views
    31,430

    Yes it has, but I had not deleted anything between the last Panda scan and the Kaspersky scan, so it's hard to tell if there is anything new yet.
  4. Replies
    49
    Views
    31,430

    FYI, after nearly 20 hours the Kaspersky scan is reporting that it's 72% complete.
  5. Replies
    49
    Views
    31,430

    Sounds good. It will be a while for the Kaspersky results. I accidentally closed the scan window when it was at 3%. I restarted it about an hour ago -- it is at 2% as I write. I'm guessing it will...
  6. Replies
    49
    Views
    31,430

    Panda's ActiveScan is below. In the meantime, another virus infected file was found during the scan:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Download.Trojan
    File:...
  7. Replies
    49
    Views
    31,430

    Panda is almost half finished right now. I think I'll let it complete, then run the Kaspersky scan. Stay tuned... ;)
  8. Replies
    49
    Views
    31,430

    I'm not out of the woods yet. During the Panda scan, my realtime virus scanner popped this message up on the screen:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name:...
  9. Replies
    49
    Views
    31,430

    Yay, you're back! I'm glad you found me again! :)

    Here is the FindQool log. There are literally over a million files on this PC, so the Panda scan needs hours to run. I'll post back with it as...
  10. Replies
    49
    Views
    31,430

    :bigthumb: I did a regedit search and removed everything with 'brsags' in it, rebooted and all looks good. I hadn't noticed brsags in the HJT log before, but now it's gone... :)

    Logfile of...
  11. Replies
    49
    Views
    31,430

    Progress! I was able to use Killbox.exe to get rid of the "super hidden" files. FYI, these included:

    F:\WINNT\SYSTEM32\brsags.exe
    F:\WINNT\SYSTEM32\dvqiqyw.exe
    F:\WINNT\SYSTEM32\rbjef.exe...
  12. Replies
    49
    Views
    31,430

    Well, this just keeps getting more interesting! From the ActiveScan log it appears that QooLogic is still the culprit to be eliminated. So, I took a look at QLOCATE.BAT as provided with the...
  13. Replies
    49
    Views
    31,430

    Whew! Only a few hundred thousand files to scan.... here's the Activescan report:

    Incident Status ...
  14. Replies
    49
    Views
    31,430

    Whoops, there should be a step 11)... I ran HJT and told it to fix ONLY the F2 entry for shell= line. The log I posted was generated after doing that.
  15. Replies
    49
    Views
    31,430

    This was interesting...

    1) I imported your fix.reg file -- the entire contents of the WinLogon key were removed -- I hope this was what was intended!
    2) Both the shell= and userinit= came back...
  16. Replies
    49
    Views
    31,430

    Here ya go... I hope this is good! :)

    HAXFIX logfile - by Marckie
    --------------
    Mon 04/03/2006 9:23:16.37

    Manual Haxdoorfix

    Adding haxdoorkeys to delete...
    winm
  17. Replies
    49
    Views
    31,430

    Here is the haxlog.txt file:

    HAXFIX logfile - by Marckie
    --------------
    Mon 04/03/2006 6:41:58.48

    checking for ps.a3d....
    ps.a3d is present!

    checking for matching notify keys....
  18. Replies
    49
    Views
    31,430

    I tried it using Safe Mode with Networking (sorry to be impatient, but I have all day to work on this today, and once I'm back to work tomorrow, it becomes more difficult). The resulting new log is...
  19. Replies
    49
    Views
    31,430

    Looks like about 80% success...

    Logfile of HijackThis v1.99.1
    Scan saved at 10:41:37 AM, on 4/2/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1...
  20. Replies
    49
    Views
    31,430

    Oh yeah... Explorer launches OK now after login! :) Also, I figured out why it was not launching. I copied and pasted this line as it was provided and imported it into the registry:
    ...
  21. Replies
    49
    Views
    31,430

    Here is the new HJT log. As you'll see, much of the stuff I removed is still present. I think this is due to logging in with different profiles. The infected profile is a domain account, and is...
  22. Replies
    49
    Views
    31,430

    And FWIW, I still have to run Explorer manually after logging in. :(
  23. Replies
    49
    Views
    31,430

    OK, here ya go...

    Logfile of HijackThis v1.99.1
    Scan saved at 2:50:17 PM, on 4/1/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running...
  24. Replies
    49
    Views
    31,430

    Sat 04/01/2006
    Running from: F:\FindQool
    PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
    Files found with locate com.

    Re-check using dir...
  25. Replies
    49
    Views
    31,430

    OK, thanks. In the meantime...

    1) Immediately after importing the killqoo.reg file, the settings are changed back to their prior values. Something is keeping a close watch on things, it seems.
    ...
  26. Replies
    49
    Views
    31,430

    Hi,

    I have a question about the killqoo.reg file that you provided...

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"...
  27. Replies
    49
    Views
    31,430

    Here are the new log files. Looks like Look2Me Destroyer was successful this time! Thanks! :)

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 3/31/2006 4:06:09 PM...
  28. Replies
    49
    Views
    31,430

    No problem. I didn't see your message until after I got into work, so I was doing what I could remotely. Since the machine in question is at home, I won't be able to proceed until this evening, so...
  29. Replies
    49
    Views
    31,430

    Hoo boy! This is a tad embarrassing... First, I found that there is no Seclogon or Secondary logon service listed. In looking further into it, I found that this PC is running W2K Pro SP2! I'm not...
  30. Replies
    49
    Views
    31,430

    Immediately after posting the hijackthis log in the previous message, I rebooted to Safe Mode and ran the ewido scanner. Here is its report:
    ...
  31. Replies
    49
    Views
    31,430

    Can't Remove Look2Me

    I've run AdAware, Spybot, Look2Me Destroyer, and ewido (in safe mode) -- none of them are 100% successful. I'll post my hijackthis log in this message and my ewido in a reply to it. Thanks in...