January 17th, 2005 04:50 PM
can't stomp trojan.Tofger
So, there's a machine in the shop that was overrun with virii (350 instances of bagle, stuff like that). The machine is running xp home sp1 (not the latest updates, as you could guess). I have been able to kill 99% of all the problems... but there is constantly a problem with dltime.dll.
Here's what I've done so far:
note: all scanners were up-to-date
1. turn off system restore
2. cleaned out temps/cookies/prefetch/etc
3. booted into winpe and removed the final _restoreXXXXXXXX files
4. while in winpe I ran mcafee's command line scanner
· Found dltime.dll, but it couldn't remove the file
5. In winpe, attempted manual removal of dltime.dll, which sort of worked. But it returned on next boot
6. removed hard drive from machine, ran norton scan. Found, but removal and quarantine failed
7. played around with msconfig/regedit(hklm and hklu)/safemode/HJT/services to no avail
8. Went online and found info from norton and other places.
· learned of secondary file %windir%\svchost.dll
9. Followed norton's manual removal guide, no dice
I've repeated the above multiple times while manually removing both svchost.dll (the one in c:\windows) and dltime.dll. No matter what I do the files keep returning, keep executing, and look as though they are locked (all scans fail delete/quarantine). Is it possible for a virus to add itself to the winXP protected file list, so that it would be returned everytime I boot? There are no attributes on the files (not system or hidden) and this is just annoying me.
So, any ideas?
edit: yes, i also ran housecall from trendmicro
You are so bored that you are reading my signature?