I have downloaded AVG anti virus and it detected the backdoor virus so
removed the system32.exe file. Now on reboot I get an error message
saying it cannot find the system.exe file. I did not see anything
linking to it in either
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
However, in the latter, I did find a %systemroot%\system32\dumprep 0 -k
but I read this was just an office system file (?).

Also, the report from AVG said that it could not access the following
files:

C:\Documents and Settings\All Users\Application
Data\Microsoft\NETWORK\Downloader\QMGR0.DAT Cannot open; not checked!
C:\Documents and Settings\All Users\Application
Data\Microsoft\NETWORK\Downloader\QMGR1.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not
checked!
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Cannot open; not
checked!
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not
checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Cannot open; not
checked!
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\xxx\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\xxx\NTUSER.DAT.LOG Cannot open; not checked!
C:\Documents and Settings\xxx\Application Data\Kazaa
Lite\DB\DATA1024.DBB Cannot open; not checked!
C:\Documents and Settings\xxx\Application Data\Kazaa Lite\DB\DATA256.DBB
Cannot open; not checked!
C:\Documents and Settings\xxx\Local Settings\Application
Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\xxx\Local Settings\Application
Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

I did not have System Restore activated at the time of scan. I have
Windows XP Home and Office 2002.

Help - not very computer savvy and cannot make sense of all of this!

Hi,

Look for a registry string referencing it here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
http://mvp.support.microsoft.com/
Associate Expert - WinXP - Expert Zone
www.microsoft.com/windowsxp/expertzone
Win98 Help - www.rickrogers.org

"FJDx" <(E-Mail Removed)> wrote in message
news:c8q5b0$6ie$(E-Mail Removed)...
>I have downloaded AVG anti virus and it detected the backdoor virus so
> removed the system32.exe file. Now on reboot I get an error message
> saying it cannot find the system.exe file. I did not see anything
> linking to it in either
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
> However, in the latter, I did find a %systemroot%\system32\dumprep 0 -k
> but I read this was just an office system file (?).
>
> Also, the report from AVG said that it could not access the following
> files:
>
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\NETWORK\Downloader\QMGR0.DAT Cannot open; not checked!
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\NETWORK\Downloader\QMGR1.DAT Cannot open; not checked!
> C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not
> checked!
> C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Cannot open; not
> checked!
> C:\Documents and Settings\LocalService\Local Settings\Application
> Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
> C:\Documents and Settings\LocalService\Local Settings\Application
> Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
> C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not
> checked!
> C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Cannot open; not
> checked!
> C:\Documents and Settings\NetworkService\Local Settings\Application
> Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
> C:\Documents and Settings\NetworkService\Local Settings\Application
> Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
> C:\Documents and Settings\xxx\NTUSER.DAT Cannot open; not checked!
> C:\Documents and Settings\xxx\NTUSER.DAT.LOG Cannot open; not checked!
> C:\Documents and Settings\xxx\Application Data\Kazaa
> Lite\DB\DATA1024.DBB Cannot open; not checked!
> C:\Documents and Settings\xxx\Application Data\Kazaa Lite\DB\DATA256.DBB
> Cannot open; not checked!
> C:\Documents and Settings\xxx\Local Settings\Application
> Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
> C:\Documents and Settings\xxx\Local Settings\Application
> Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
> C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
>
> I did not have System Restore activated at the time of scan. I have
> Windows XP Home and Office 2002.
>
> Help - not very computer savvy and cannot make sense of all of this!
>
>

"Rick "Nutcase" Rogers" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> Look for a registry string referencing it here:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Hi, there was nothign referring to it in there either.

Hi,

You may try this VBS from MVP Doug Knox.

Clean KWBot Worm Registry and File Remnants:
http://www.dougknox.com/xp/scripts_d...lean_kwbot.htm

In addition, download Autoruns utility to manage your startup effectively:
http://www.spychecker.com/program/autoruns.html

--
Ramesh - Microsoft MVP
Windows XP Shell
http://www.mvps.org/sramesh2k

The Antivirus Defense-in-Depth Guide
http://go.microsoft.com/fwlink/?LinkId=28734

"FJDx" <(E-Mail Removed)> wrote in message news:c8qa5j$gbt$(E-Mail Removed)...
"Rick "Nutcase" Rogers" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> Look for a registry string referencing it here:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

Hi, there was nothign referring to it in there either.