Hello,

I have been facing a problem for a couple of days now that seems impossible to resolve...

WinXP SP2 machine

I was using Outlook and had the preview pane enabled. As soon as I opened my inbox folder the first email appeared. As bad luck would have it, it contained a virus, which my Symantec Antivirus (full version: 10.0.0.359, with updates on 20/5/09) detected. I deleted the email; unfortunately it seems my system has been compromised.

The problems:
I keep getting reports from my antivirus that it found and successfully deleted files like "hacktool.rootkit" or "downloader".
Apart from that, there was a file in one of my folders in Docs & Settings, under a folder named "nameOfFolder.exe", which I could not get rid of: I booted into safe mode and removed it, but it came back when I restarted in normal mode. I finally managed to remove it today by first renaming it and then deleting it (!).
Moreover, there is a file in my system32 folder with the name bootok.exe, which from what I read is a virus/Trojan, and which again I cannot get rid of: I can delete it, but it keeps coming back.
Finally, I cannot open my registry editor.

I have updated my antivirus, but in every scan my machine appears clean...
I also scanned with Malwarebytes' Anti-Malware: clean.
Also with RootkitRevealer: clean.
I also tried to run HijackThis, but it cannot run...

Please HELP...

Heya, natasha...
This file, c:\windows\system32\bootok.exe, is okay. It is also in the dllcache, which is where the copy came from: c:\windows\system32\dllcache\bootok.exe
The Event Viewer log records your deletion attempt and the replacement; it is verified M$.
You have your very own executable!!? c:\documents and settings\natasha\natasha.exe
Do this now:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"lphc3tnj0et9p"=-

Right, into Safe Mode...
=Double-click fixkey.reg to run it... agree; if it opens in Notepad instead, right-click the icon [file], choose Open with, Registry Editor....
=Delete this file:
c:\windows\system32\lphc3tnj0et9p.exe
Still in safe mode, rename MBAM.exe to MAMBO.exe, run it.
Rename hijackthis.exe and try to run it.
Post your results.
[56kb of GMER... too much!!]

Hey,

Thank you for your help.

The .reg file does not open, which is also the case with the regedit command in the Run option. If I double-click it, it simply does nothing; the same happens if I "Open with Registry Editor".

I have scanned with HijackThis and I am attaching the log file (as a .txt file).
I had scanned with MBAM and had attached the log file (although by mistake I mentioned that it was clean), but I am also attaching a new scan.

I hope this helps.. :/

Heya, natasha... I took a couple of days off.

Use hijackthis to fix these entries, in Safe Mode if you will [the first 3 are benign, but orphans]

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O4 - HKLM\..\Run: [lphc3tnj0et9p] C:\WINDOWS\system32\lphc3tnj0et9p.exe

Now delete this file: C:\WINDOWS\system32\lphc3tnj0et9p.exe

This one... I don't recall Sysinternals applications renaming themselves to run...? PPYDG.exe is not a program I can find. I am not familiar with all their tools... does their rootkit scanner rename itself?
O23 - Service: PPYDG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\natasha\LOCALS~1\Temp\PPYDG.exe
Tell me if you recognise it, or ran a tool of theirs.
Now, from the MBAM log, "Registry Keys Created" section... in the registry this key, Image File Execution Options, can be used to redirect operations from the named exe to another of choice... i.e. it can block these exes from running. But MBAM does not show the complete value for each key it lists. I do see in there many of the usual AV and firewall executables, as well as hijackthis.exe and regedit.exe.
Did you allow MBAM to quarantine and delete those objects upon reboot? Below are the instructions that you should follow to get MBAM to fix problems. Rerun it accordingly, please.
=Ensure that it is set to update.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
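As an added example (not from the thread, and not part of MBAM or HijackThis), the PowerShell below walks the Image File Execution Options key described above and lists every entry that carries a Debugger value, flagging those whose target is missing, sits in a temp or profile folder, or names a common security or admin tool; the watchlist of tool names is my own assumption.

```powershell
# Added example (not the thread's own fix): list Image File Execution Options
# entries that carry a "Debugger" value. Malware abuses this key to redirect
# security tools (regedit.exe, hijackthis.exe, AV scanners) to a bogus or
# missing "debugger" so they silently fail to start; that is why renaming
# mbam.exe or hijackthis.exe lets them run. Run from an elevated PowerShell.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Watchlist of tools commonly targeted (my assumption; extend as needed).
$watch = @('regedit.exe', 'hijackthis.exe', 'mbam.exe', 'taskmgr.exe', 'msconfig.exe')

Get-ChildItem -Path $ifeo | ForEach-Object {
    $image = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Only entries with a Debugger value can redirect process creation.
    if ($null -eq $props -or -not $props.PSObject.Properties['Debugger']) { return }

    $debugger = [string]$props.Debugger
    # Debugger holds a command line; the first token (quoted or not) is the path.
    if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($debugger -split '\s+')[0] }
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)

    $findings = @()
    if (-not $exists) { $findings += 'debugger target does not exist' }
    if ($watch -contains $image.ToLower()) { $findings += 'security/admin tool redirected' }
    if ($exe -match '\\Temp\\|\\Documents and Settings\\') { $findings += 'debugger lives in a user-writable path' }
    if ($findings.Count -eq 0) { $findings += 'review manually (may be a legitimate debugger)' }

    New-Object PSObject -Property @{
        Image    = $image
        Debugger = $debugger
        Finding  = ($findings -join '; ')
    }
} | Format-Table Image, Debugger, Finding -AutoSize
```

Once a hijack is confirmed, remove only the Debugger value (for example `Remove-ItemProperty -Path "$ifeo\hijackthis.exe" -Name Debugger`) rather than the whole subkey, so any legitimate settings under it survive.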