"switch User" Not Working Since Malware Infection


15 replies to this topic

#1 mortod

mortod

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 24 September 2008 - 04:05 PM

I have a problem where if I try to 'switch user' the welcome user screen just sits there for a minute until it times out and then returns to the main Logon screen where all users are listed. If I log out and log into each user in turn, then it is fine.

The event viewer does record an error event ID 1036, 'Terminal Server session creation failed. The relevant status code was 0x102'. I have checked that both the Terminal services and Fast User Switching services are started.

The problem started after a popup infected my computer - symptoms included a rogue iexplorer process. I used 'Anti-Malware' to fix that, but it has not resolved the switch user problem.

I have tried disabling fast user switching and then re-enabling it. I have tried upgrading to SP3. What else can I try?


#2 perr

perr

  • Members
  • 151 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 24 September 2008 - 04:21 PM

I believe there is a fix here somewhere.

http://www.kellys-korner-xp.com/xp_tweaks.htm

#3 mortod

Posted 25 September 2008 - 04:42 AM

Thanks, but no joy. Any other thoughts?

#4 perr

Posted 25 September 2008 - 10:42 AM

Maybe here.
http://www.pctools.com/forum/showthread.php?p=186601

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:29 AM

Posted 25 September 2008 - 11:23 AM

Would you post the last MBAM log showing the infection?

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

I would suggest running another updated scan also, I doubt you removed all the infection
Chewy

No. Try not. Do... or do not. There is no try.

#6 mortod

Posted 26 September 2008 - 04:24 AM

I think you are right - infection not completely removed. I also see some other errors in the event viewer, eg:

Service Control Manager, ID 7023
The Norton AntiVirus Client service terminated with the following error:
The environment is incorrect.

I ran MBAM immediately after the first time and it gave the all clear, but running it again today it found another two files. I have copied both logs below:

Malwarebytes' Anti-Malware 1.28
Database version: 1201
Windows 5.1.2600 Service Pack 2

24/09/2008 10:21:46
mbam-log-2008-09-24 (10-21-46).txt

Scan type: Quick Scan
Objects scanned: 122733
Time elapsed: 31 minute(s), 2 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 47
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\dcbdcatys32_080921a.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\wftadfi16_080921a.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f5f779a9-24e5-4bcd-9ae5-6313d4b5ac24} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj.1 (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0985c112-2562-46f2-8da6-92648ba4630f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comload.loader.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dctl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comload.loader (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comload.loader2 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comload.loader2.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{19e91d82-7ad7-419f-866a-58c122db1459} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e1089bc-1ae8-4685-8d77-6721e5c318a8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cea206e8-8057-4a04-ace9-ff0d69a92297} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{266f948a-3dee-4270-8f55-e79accd569fa} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout (Adware.NetOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\minyust (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\dcbdcatys32_080921a.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\inf\sppdcrs080921.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\scsys16_080921.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\sgcxcxxaspf080921.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\wftadfi16_080921a.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\svchoct.exe (Trojan.Agent) -> Delete on reboot.


AND:

Malwarebytes' Anti-Malware 1.28
Database version: 1201
Windows 5.1.2600 Service Pack 2

26/09/2008 10:04:20
mbam-log-2008-09-26 (10-04-20).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 135013
Time elapsed: 32 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3F7437B1-DD65-4CA8-8F72-F5A4119D11A4}\RP1\A0000011.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3F7437B1-DD65-4CA8-8F72-F5A4119D11A4}\RP1\A0000020.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
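
A triage of the scan-log format posted above, added here as an example (it is not part of mortod's post and not Malwarebytes' own tooling): it lists files still marked "Delete on reboot", which stay on disk until the restart, and pairs each removed service key with the removal status of the same-named executable. The sample lines are excerpted from the first log in this thread; the function names are hypothetical.

```python
import ntpath
import re

# Lines excerpted from the first Malwarebytes' log in this thread (not the full log).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wftadfi16_080921a.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(.+ Infected):$")                  # e.g. "Files Infected:"
ENTRY_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")     # item (detection) -> action.
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_mbam(text):
    """Return one dict per detection line: section, item, detection, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        # Summary counts and "(No malicious items detected)" do not match and are skipped.
        if entry and section:
            item, detection, action = entry.groups()
            entries.append({"section": section, "item": item,
                            "detection": detection, "action": action})
    return entries


def pending_after_reboot(entries):
    """Files the scanner has only scheduled for removal at the next restart."""
    return [e["item"] for e in entries
            if e["section"] == "Files Infected"
            and e["action"].lower() == "delete on reboot"]


def service_file_status(entries):
    """Map each removed service key to the removal status of the same-named file."""
    file_action = {}
    for e in entries:
        if e["section"] == "Files Infected":
            stem = ntpath.splitext(ntpath.basename(e["item"]))[0].lower()
            file_action[stem] = e["action"]
    status = {}
    for e in entries:
        m = SERVICE_RE.search(e["item"])
        if e["section"] == "Registry Keys Infected" and m:
            name = m.group(1).lower()
            status[name] = file_action.get(name)  # None if no matching file was listed
    return status


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    print("still on disk until reboot:", pending_after_reboot(found))
    for service, action in service_file_status(found).items():
        print(f"service {service}: binary -> {action}")
```

Any path the first function returns is worth checking for again after the restart, since the log only records that removal was scheduled.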

#7 DaChew

Posted 26 September 2008 - 07:05 AM

I would suggest running another updated scan


that looked like a nasty rootkit/backdoor trojan, it's so new I couldn't find a lot on it

the 2 files in restore are not a real problem tho

http://www.malwareremoval.com/tutorials/safemodeboot.php

Have you tried any scans from safe mode
Chewy


#8 mortod

Posted 26 September 2008 - 10:55 AM

Running MBAM in safe mode was clean.

Are there any alternative tools to MBAM worth trying? Or is my only option to do a repair install of XP? And would a repair install leave all non OS apps and files intact?

#9 DaChew

Posted 26 September 2008 - 11:25 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

ATFCleaner and SAS are good supplements to MBAM
Chewy


#10 mortod

Posted 27 September 2008 - 08:18 AM

That did find some additional files, but only adware stuff within Firefox, which I never use:

Adware.Tracking Cookie
.pro-market.net [ C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\v9pe9o7p.default\cookies.txt ]

My original problem still persists. Worryingly I have also noticed this warning in the event viewer:

Disk, Id52: The driver has detected that device \Device\Harddisk1\DR1 has predicted that it will fail. Immediately back up your data and replace your hard disk drive. A failure may be imminent.

And I am also seeing this fairly frequently:

DCOM, ID 10010: The server {66B093B7-B5E3-4CFE-B32B-FEB55F172481} did not register with DCOM within the required timeout.

#11 DaChew

Posted 27 September 2008 - 12:15 PM

Those windows possible hardware errors are disconcerting, I suspect some damage to windows, what are your options regarding repair disk, what kind of cd do you have?

I am sorry to take so long to search out those infections in the MBAM log, I found 2 rather nasty rootkit/backdoor trojans

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:


http://www.dslreports.com/faq/10451

http://www.dslreports.com/faq/10063

If you choose to continue would you run SDFix

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

Edited by DaChew, 27 September 2008 - 12:31 PM.

Chewy


#12 mortod

Posted 28 September 2008 - 04:11 AM

Oh dear sounds ominous. Why is the CD drive model relevant - I have both a Samsung and Pioneer (DV108) DVD writers. I only have the XP SP1 disc. I would rather do a repair install than a full reformat/install - is that acceptable, or worth a try in the first instance? I also have a second non system disk - should I be thinking about reformatting that?

#13 DaChew

Posted 28 September 2008 - 05:08 AM

"only have the XP SP1 disc"


that's a little too old for a repair disk, the malware would be still left intact and windows repaired to a very vulnerable state

Run SDFix
Chewy


#14 mortod

Posted 28 September 2008 - 01:07 PM

Thanks Chewy for your ongoing help.

Have run SDFix - not much to report - see log below, though no removed processes, etc. Original problem persists. Also saw some odd behaviour earlier where ~25% cpu was being used but no processes accounted for it in task mgr. So I'm sure there is an infection. A thought though - gmer scans for hidden processes, but if they only run some time after reboot, then it wouldn't trap them??

I do have SP2 update on CD as well as the SP1 install disk, but from your comments it sounds like a repair install would not be sufficient?

SDFix: Version 1.229
Run by Admin on 28/09/2008 at 18:46

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 18:54:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:utorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sat 27 Sep 2008 24 ..SH. --- "C:\WINDOWS\SF62DD9BB.tmp"
Sun 21 Sep 2008 15,360 A..H. --- "C:\WINDOWS\system32\adubes.dll"
Tue 5 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 7 May 2008 25,088 ...H. --- "C:\Documents and Settings\Annabel\My Documents\~WRL3447.tmp"
Wed 7 May 2008 25,088 ...H. --- "C:\Documents and Settings\Annabel\My Documents\~WRL3465.tmp"
Fri 11 May 2007 25,088 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL0249.tmp"
Fri 11 May 2007 25,088 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL0392.tmp"
Fri 11 May 2007 25,088 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL0737.tmp"
Fri 11 May 2007 25,088 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL1725.tmp"
Fri 11 May 2007 25,600 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL1989.tmp"
Fri 11 May 2007 24,576 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL2168.tmp"
Fri 11 May 2007 25,088 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL3298.tmp"
Fri 11 May 2007 25,600 ...H. --- "C:\Documents and Settings\Debbie\Desktop\~WRL3501.tmp"
Sat 15 Apr 2006 635 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti4.tmp"
Fri 2 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 15 Jan 2008 31,232 ...H. --- "C:\Documents and Settings\David\My Documents\Docs\~WRL0001.tmp"
Sat 22 May 2004 1,206 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sat 22 May 2004 12,368 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Wed 12 Mar 2008 65,024 ...H. --- "C:\Documents and Settings\Debbie\Desktop\Debbie\2008\~WRL3315.tmp"
Fri 10 Dec 2004 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

#15 DaChew

Posted 28 September 2008 - 01:23 PM

It's a close call but you may have gotten all the significant malware

If you want to run a repair disk it should work but there would be a few essential steps

I would disconnect from the internet

then I would disable any security program from loading at bootup

http://www.michaelstevenstech.com/XPrepairinstall.htm

Your xp sp1 disk will wipe out all the sp2 updates

Apply the sp2 update disk

Optional apply sp3

http://www.bleepingcomputer.com/forums/t/146857/windows-xp-service-pack-3-sp3-information/

http://www.microsoft.com/downloads/details...;displaylang=en

Now you can see why I integrated both sp2 and sp3 into a new cd
Chewy
