Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backup Program Sees Spyware Found Earlier - Can't Read It


  • Please log in to reply
1 reply to this topic

#1 smileandwave

smileandwave

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 21 July 2007 - 01:50 AM

I have a follow-up question to a thread from May in the BC.com HijackThis forum.

Last week (July 12) I was starting a new backup of my system -- the first full "start from scratch" backup since my incident in the thread above. (I make a full backup, then do incremental backups to the core backup set.) I use Dantz Retrospect for backups.

Dantz Retrospect showed 1 execution error occurred during the July 12 full backup. Checking the Backup Operations Log for that backup showed:

File "C:\WINDOWS\system32\xydzyh.exe": can't read, error -1017 (insufficient permissions)

"xydzyh.exe" was the suspected culprit file that infected me originally (see the May thread). I was never able to upload it for forum members to examine (see May post #3).

Checking Retrospect's Properties for this July 12 error showed:

------------------------------------------------------
xydzyh.exe

Flags: Hidden, System
Type: Application
Size: 32 K total (30,208 bytes used)

Location: C:\WINDOWS\system32\

Created: Saturday, May 19, 2007, 8:59:35 AM
Modified: Saturday, May 19, 2007, 4:00:09 PM
Accessed: Tuesday, June 19, 2007, 3:39:55 PM
Backed up: Thursday, July 12, 2007, 12:55:46 AM
------------------------------------------------------

As in the past, when I use Windows Explorer to view the contents of C:\WINDOWS\system32 with "Show hidden files and folders" selected, I cannot see xydxyh.exe.

Is this anything to be concerned about? Or does it simply mean the executable file (xydxyh.exe) is present, but it can't run because HijackThis removed the registry entry that points to it (per msg #16 from random/random in May)?

What does it mean that Retrospect "can't read" the file due to "insufficient permissions?"

I have NOT had any of the system symptoms which I originally had since my dialog in the HijackThis forum with random/random in May.

I'm just being paranoid, I guess. But I want to make sure this isn't some keylogger or other nasty that continues to function on my system.

Thanks,
smileandwave

NOTE: I had first added a slightly different version of this post last Thursday as Post #17 to the earlier thread. Having not received any response there, I decided maybe I should have started a new thread.

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:41 AM

Posted 21 July 2007 - 06:45 PM

Hi smileandwave,

There are several ways a file can resist being deleted and it should no longer be active because of the reg pointer being removed. But if ti is still hidden you *might* still have a rootkit on your system.

I think random/random may have missed email notification that you had posted again in that HJT thread. Unfortunately he has just gone off on a vacation and won't be available. I've looked over the thread and will go ahead and take it over as I have some other things for you to try, but it will be later as I have a few other things to do first.

The thing about people

is they change

when they walk away.--Mipso





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users