Rustock.gen! C Thread and Problem

[strobelfamily]

Ok..I still seem to have a problem...activation is not happening with kaspersky....there is not activity showing on my modem lights but I have internet access...this is the same thing that happened with the free antivirus link you gave me earlier, I waited well over 30 minutes with that software and never got past the activation screen...with kaspersky I've now waited almost 7 minutes and I have a dsl internet connection...what amount of time is normal for the install process to connect with the activiation servers?

Laura

[sUBs]

Activation should not take a long time.

Do you have a firewall installed? That may be what's blocking it.

[strobelfamily]

No Firewall that I know of and windows security center says the firewall is off (not recommended).

I went to bed last night with it running a scan and just got up to it showing no viruses....I closed the window and it immediately said I need to run a full system scan.

[strobelfamily]

Ok...I went to Windows Update to see if I needed anything and the list only showed optional updates.

It said I needed updated for....
Peer Name Resoution Protocol v. 2
Net Framework 3.0
Terminal Service Client 6.0
Media Player 11
Root Certificate

Everyone of these has caused kaspersky to ask for an ok to run because they appear to be an intruder.

The system is incredibly slow but it appears to be working but it's been close to 25 minutes alredy. This seems like a long time considering I'm not doing anything else on that computer.

I am sharing a dsl modem with a wireless laptop connection though. Never had problems with that before so I can't imagine that is the issue.

Laura

[strobelfamily]

Let's try this again....sorry for the partial post.


Ok...now I have a new problem after trying to complete a uninstall of kaspersky (I was hoping to uninstall and reinstall to see if that corrected the problem)...now I have a winlogo.exe error and according to windows it's a trojan/worm...it is now in perpetual reboot mode. Powers up...reboots after less than 3 minutes and starts the process all over again...I can boot in Safe Mode but I am clueless after that.

What has happened is this....

While uninstalling kaspersky I got the following error message.

Uninstalling Error...while stopping utilities...Error 1921. Service Kaspersky AntiVirus 6.0 (AVP) could not be stopped. Verify that you have sufficient privileges to stop system services.

I choose to cancle instead of retry.

Next Message: Uninstall ended prematurely because of an error.

Restarted the computer (Start, Restart computer)

Next Message: ending AVP.exe...this program is not responding.

I choose end now. (probably where my problems started)

System Restarts

Kaspersky messages..
Activate - I ignore this for now
run System Scan - I ignore this for now
Web AntiVirus HTTP traffic scan failed - I close this message
Restart Computer Necessary

Please restart your computer to complete the installation of new or updated protection components.

Restart....It is necessary to restart the computer...Restart Now? - I choose yes.

System Restarting

Kaspersy messages...
Activate - I ignore this for now
Some compents have failed to start.

Winlogon.exe error...didn't catch it all

Reboots on it's own.

It continues to do this until I catch that I message from Windows that it's a trojan/worm.

I rebooted in safe mode and that's where it stands. I can't do anything with kaspersky in safe mode.

Sorry...guess I've messed this all up...you can give up on me now because I'm read to give up on the computer.

[sUBs]

Do you have Hijackthis on this machine. If so, please do a scan & post the log.

[strobelfamily]

guess I don't can I get that (HiJack) while running in safe mode?

Laura

[sUBs]

If you dont have it, it's okay. I shall need you to do this.

Go to this folder - C:\Windows\System32
Locate the file - Winlogon.exe
Right click on it & select`Rename'
Rename the file to winlogon_vir.exe

Then wait about 5-10 seconds before pressing F5 to refresh the page. Look around & see if Windows had regenerated a fresh copy of winlogon.exe. If it does, you can try rebooting to Normal mode.

If it doesn't regenerate a fresh copy, do a search of your computer for an alternate copy. Once found, copy it to the System32 folder & reboot.

[strobelfamily]

did what you asked and did not see a new file in the system 32 folder.

did a search and found a file in the C:\windows\serivicepackfiles\i386

copied to \windows\system32 folder

rebooted...no change...still getting the winlogon.exe error and it's still rebooting unless I switch to safe mode.

rebooted in safe mode...checked system based on your instructions again...no change..

now rebooted in safe mode again.

[strobelfamily]

ok...in safe mode the screen saver activated and when I moved the mouse I got the error that the winlogon.exe file was referencing memory that could not be read...I have now booted from my original windows disk which is the only way to stop the reboots (short of pulling the power)...I am in the recovery console (at the dos prompt) and I am running chkdsk. I think I have probably lost the computer at this point but I'm not sure.

Thanks for all your help. I'll check back to see if you have any suggestions but please, unless this is an easy fix, don't waste anymore time on this.

Laura

[sUBs]

Sounds like a botched winlogon notify entry. We shall need Hijackthis for this. Please download Hijackthis using a different machine & transfer it to the afflicted machine by using some form of removable media.

Logon to safe mode. Do a HijackThis scan & place a check next to these items and select "Fix checked":

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

If you see any other Kaspersky entries, fix them as well.

You shoud be able to get to Normal mode after this

[strobelfamily]

Quote:

Originally Posted by sUBs

Sounds like a botched winlogon notify entry. We shall need Hijackthis for this. Please download Hijackthis using a different machine & transfer it to the afflicted machine by using some form of removable media.

Logon to safe mode. Do a HijackThis scan & place a check next to these items and select "Fix checked":

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

If you see any other Kaspersky entries, fix them as well.

You shoud be able to get to Normal mode after this

Ok I can do this because my laptop is uneffected at this point but here's where I'm at now. I completed the chkdsk and it didn't solve any problems so I ended up going backwards to SP1 from my original CD. I did a re-install over the existing XP software and so far I still have been able to maintain the contents of my system and I can now boot in safe mode but I am at SP1 and not SP2. When I try to boot in normal mode I get errors for winlogon.exe and Spooler Substystem App to which MS says load SP2 but I can't get the system stable to do that.

Knowing all of this do I still proceed as you have instructed?

[sUBs]

Quote:

I ended up going backwards to SP1 from my original CD

Does this mean you did a repair install?

Please do a hijackthis scan & save the logfile to be posted here

[strobelfamily]

Yes......I did a repair install but it didn't repair anything as far as I can tell.

I am booted in safe mode on the computer that is screwed up and it's not recognizing the CD in the drive on that machine. The CD that I need it to recognize is the one with HIJACK on it. Do I need to put this HIJACK file on a USB drive or something?

This is so frustrating....this is why I never became a tech for all of this stuff.

[sUBs]

Try the usb drive then.

If that fails, we have to go the manual way & dig it out of the Registry

[strobelfamily]

I did manage to get it transfered but now I'm getting the message it's not a valid Win32 application so it won't run.

Did I get it from the wrong link? I got it from the Step 5 instructions page.

[sUBs]

Sigh* Nothing seems to be going your way.

I'll have to do a blind fix for it then. Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:
Double click on fix.reg & allow it to merge into the registry

This regfix should take out the Kaspersky winlogon entries so that you may get to Normal mode

[strobelfamily]

Registry update was successful. Restart computer manually (start, restart).

Now I seem to be in regular mode and it's wanting me to download SP2. Kaspersky is still showing but says components are not all loaded.
Control Panel is not responding so I can't turn on the firewall.
It's configuring Photo Gallery but I don't know why. I've cancled this for now.

Should I download SP2 now or run HijackThis and then download SP2?