By kpbradley ยท 10 replies
Apr 9, 2008
  1. I am running Windows Xp Pro and When I start Windows my Norton Finds a File called A.Bat in C:\ but I go to my C drive and nothing is there and I go to tools and view hidden files and nothing is still there. Norton Corp does it everytime windows starts and Norton quarantines everytime and I deleted it a few times but it keeps coming up. What can I do any ideas?
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. kpbradley

    kpbradley TS Enthusiast Topic Starter Posts: 114

    Attached is the file
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Very nice, I can tell you keep your system protected/ organized

    • Download Combofix to your desktop.
    • Close all browsers/windows including this one.
    • Double click combofix.exe & follow the prompts.
    • A window will sometimes open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  5. kpbradley

    kpbradley TS Enthusiast Topic Starter Posts: 114


    Combofix log attached
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's try what symantec says to do as I don't see the infection in your logs.

    Download the FxKiman.exe file to your desktop from:

    copy and paste from here down into a notepad file and save to your desktop for access while you are disconnected.

    Close all running programs/windows

    disconnect the computer from the network and the Internet.

    Double-click the FxKiman.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.

    NOTE: If you have any problems when you run the tool, or it does nor appear to remove the threat, restart the computer in Safe mode and run the tool again.

    Restart the computer.
    Run the removal tool again to ensure that the system is clean.

    reconnect the computer to the network or to the Internet connection.

    Post the result back here
  7. kpbradley

    kpbradley TS Enthusiast Topic Starter Posts: 114


    When the test is finished both safe and regular mode it says that Kiman was not found on the system but when I restated Auto Protection Results pops up for Norton saing that it is qurenteened.
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let me know if it pops back up again, but hopefully it is gone.

    For now I am going to suggest we clear all restore points and clean up a bit.

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    About 90% of our threads in last 2 weeks have been the same infection

    I believe that file was a left-over from this other infection that has been going around, I have studied it quite a bit over last 2 weeks and I need you to check for some additional files to see if we have more to do, can you check if some of these are listed on your system.

    I have noticed less and less of these files in the logs since the infection first showed up, but it should be easy to check these out.

    C:\Documents and Settings\your user name\Desktopblackbird.jpg
    C:\Documents and Settings\your user name\DesktopEditorFKWP1.5.exe
    C:\Documents and Settings\your user name\DesktopEditorFKWP2.0.exe
    C:\Documents and Settings\your user name\Desktopfilemanagerclient.exe
    C:\Documents and Settings\your user name\Desktopfkwp1.5.exe
    C:\Documents and Settings\your user name\Desktopfkwp2.0.exe
    C:\Documents and Settings\your user name\Desktopfwebd.exe
    C:\Documents and Settings\your user name\DesktopFWebdEditor.exe
    C:\Documents and Settings\your user name\DesktopTrojan.Win32.BlackBird.exe
  10. kpbradley

    kpbradley TS Enthusiast Topic Starter Posts: 114


    I was unable to find any of the listed files on my pc
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Is norton still finding the file every time you boot? or is that gone now?
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...