Startup

Status
Not open for further replies.

kpbradley

Posts: 114   +0
I am running Windows XP Pro, and when I start Windows my Norton finds a file called A.Bat in C:\, but I go to my C drive and nothing is there, and I go to Tools and view hidden files and still nothing is there. Norton Corp does it every time Windows starts and Norton quarantines it every time, and I deleted it a few times but it keeps coming up. What can I do, any ideas?
 
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE.
  • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log.
  • After the scan is complete, please attach your log to the forums using the paper clip icon above your reply.
 
Very nice, I can tell you keep your system protected/organized.

Combofix
  • Download Combofix to your desktop.
  • Close all browsers/windows including this one.
  • Double click combofix.exe & follow the prompts.
  • A window will sometimes open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
Let's try what Symantec says to do, as I don't see the infection in your logs.

Download the FixKiman.exe file to your desktop from: http://securityresponse.symantec.com/avcenter/FixKiman.exe

Copy and paste from here down into a Notepad file and save it to your desktop for access while you are disconnected.

Close all running programs/windows.

Disconnect the computer from the network and the Internet.

Double-click the FixKiman.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.

Restart the computer.
Run the removal tool again to ensure that the system is clean.

Reconnect the computer to the network or to the Internet connection.

Post the result back here.
 
Kiman

When the test is finished in both Safe and regular mode it says that Kiman was not found on the system, but when I restarted, Auto Protection Results pops up for Norton saying that it is quarantined.
 
Let me know if it pops back up again, but hopefully it is gone.

For now I am going to suggest we clear all restore points and clean up a bit.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the Run box
* Make sure there's a space between Combofix and /u
* Then hit Enter.

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveIt2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2.exe by OldTimer and place it on your desktop.

1. Double-click OTMoveIt2.exe to launch it.
If using Vista, right-click OTMoveIt2 and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished, exit out of OTMoveIt2.

---------------------------------------------------------------------------
I recommend you keep:
1 anti-virus program
1 firewall
A combo of anti-spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single-click on the Resident icon, also in the left pane
  • Check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure:
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended).
  • If necessary, check "Display content of system folders".
  • If necessary, uncheck Hide file extensions for known file types.
  • Click OK.

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
About 90% of our threads in the last 2 weeks have been the same infection.

I believe that file was a left-over from this other infection that has been going around. I have studied it quite a bit over the last 2 weeks and I need you to check for some additional files to see if we have more to do; can you check if some of these are listed on your system?

I have noticed less and less of these files in the logs since the infection first showed up, but it should be easy to check these out.

C:\Documents and Settings\your user name\Desktop\blackbird.jpg
C:\Documents and Settings\your user name\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\your user name\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\your user name\Desktop\filemanagerclient.exe
C:\Documents and Settings\your user name\Desktop\fkwp1.5.exe
C:\Documents and Settings\your user name\Desktop\fkwp2.0.exe
C:\Documents and Settings\your user name\Desktop\fwebd.exe
C:\Documents and Settings\your user name\Desktop\FWebdEditor.exe
C:\Documents and Settings\your user name\Desktop\Trojan.Win32.BlackBird.exe
C:\WINDOWS\a.bat
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
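One way to check the paths the helper lists above without relying on Explorer, as an added example that is not part of the thread and not a tool from any poster: a cmd.exe batch file for Windows XP that tests each path with `if exist` (which finds files regardless of their attributes) and prints the attributes of anything found, so a file carrying the Hidden and System attributes, which Explorer hides while "Hide protected operating system files" is on, still shows up. It assumes `%USERPROFILE%` stands in for "your user name"; only a subset of the listed paths is included, and the rest can be added to the set in the same form.

```batch
@echo off
rem Added example, not from the thread. Checks a subset of the paths the
rem helper asked about and reports attribute letters for any that exist:
rem H = hidden, S = system, R = read-only, A = archive.
rem Assumes Windows XP cmd.exe and that %USERPROFILE% is the user's profile.
setlocal enabledelayedexpansion

set FOUND=0

rem The first entry is the file Norton keeps reporting in the opening post;
rem the remaining entries come from the helper's list. Add more as needed.
for %%F in (
    "C:\a.bat"
    "C:\WINDOWS\a.bat"
    "%USERPROFILE%\Desktop\blackbird.jpg"
    "%USERPROFILE%\Desktop\Trojan.Win32.BlackBird.exe"
    "C:\WINDOWS\system32\msvchost.exe"
    "C:\WINDOWS\system32\ssvchost.exe"
    "C:\WINDOWS\system32\ssvchost.com"
    "C:\WINDOWS\system32\winlogonpc.exe"
    "C:\WINDOWS\system32\winsystem.exe"
) do (
    rem "if exist" does not filter on attributes, unlike a plain "dir".
    if exist %%F (
        set /a FOUND+=1
        echo FOUND: %%F
        rem attrib prints the attribute letters followed by the full path.
        attrib %%F
    )
)

echo.
echo %FOUND% of the checked files are present.
echo Paste this output into your reply; do not delete anything yourself.
endlocal
```

Save it as a .bat file (for example on the desktop), run it from Start > Run > cmd, and attach the output to the reply so the helper can decide what, if anything, still needs removing.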
 