Metallica

If you like to play around with a fairly basic rootkit type of infection, install mailskinner. It will install the invisible variant of EGDACCESS The effect on a computer without a phone modem is not too bad, so you can play around with it. The 'r' is a command parameter. You may have seen other examples of those in lines like these: O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticati

Can you post a new HijackThis log? I have never seen it without Startup entries, so it should show up in the log. Regards, Pieter

Good job. That is a clean log. How is the computer behaving? Regards, Pieter

You not being able to find it does not necessarily mean it is not there. Check your running processes. Regards, Pieter

Not as good as I thought, that tool. Please go to http://www.bleepingcomputer.com/files/killbox.php and download Killbox from there. Unzip the folder to your desktop. Double-click on the Killbox.exe icon/ Select the Delete on reboot option. In the field labeled "Full path of file to delete" enter: C:\WINNT\Fonts\keyinfo.exe Then press the button that looks like a red circle with a white X in it. When it asks if you would like to Reboot now, press the YES button. Make sure it reboots into safe mode and try emptying the Temp folders again. Regards, Pieter

Hi dknoppix, Thanks for trying that. Looks like it only got part of it. (But the worst part, so that'got to be worth something) Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.naupoint.com/toolbar/ie.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html O2 - BHO: 1096922178 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file) O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - c:\temp

OK Thanks. dknoppix, There is a tool I'd like you to try. 1. Download the FixVundo.exe file from: http://securityresponse.symantec.com/avcenter/FixVundo.exe 2. Save the file to a convenient location, such as your Windows desktop. 3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.(No need for this step, I've authenticated it already) 4. Close all the running programs. 5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. 6. If you a

I would like to help this person. At least try to. Can I? Regards, Pieter