Winnt Suspect Files In C:temp, No Symptoms Yet


8 replies to this topic

#1 Steve_Nos

Steve_Nos

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Location:N.E Illinois
  • Local time:12:36 PM

Posted 10 March 2008 - 11:31 PM

Brand new member here,

Now that I read your intro & the basic Don'ts... Forgive me, for I have sinned.

Overview of what may be important...

Half knowingly, I downloaded from a crack site (a ".zip" of a short text file). This was probably the cause. Unrelated (having limited C: drive space) I decided to remove much from the Temp directory then saw some new/unusual things.
Freaked out -- Sin # Two = Googled a suspect filename then found and tried SpyBotS&D. Took about 1/2 hour to "scan". It claimed to remove all but 3 things, but wouldn't remove the rest after re-start. Now, I see new .exe files [possibly from SpyBotS&D] in the C:Temp directory and all are ZeroK in size:
rasesnet.exe - 0k
snapsnet.exe - 0k
wavvsnet.exe - 0k
winvsnet.exe - 0k
removalfile.bat - 1k
Haven't tried Trashing any of these yet.


~DF76D3.tmp > all unreadable as text. (using notepad)

This file might be ok:
svf16.tmp
It contains mostly unreadable as text, but also this readable part:
"...SMS Client [my computer's name] ... Client Component Installation Manager...clifiles.box..."

I believe these are also new C:Temp folders, but not 100% sure:
Folders:
sanR24 - contains filename: lDii.log = non text
1cb - contains syscheck.log = non text


Tried to trash SpyBotS&D, but some of the many files got a violation error message. A bit later, I was able to trash the remaining SpyBotS&D files.
When trashing the empty SpybotS&D folder I got dialog:
"This change may affect one or more registered programs. Do you want to continue."

ADD/DELETE control panel couldn't delete it either:
" Uninstall Error An error occurred while trying to remove Spybot - Search & Destroy.
Uninstallation has been cancelled."
Perhaps I deleted the install log or something...

I haven't removed the Spybot S&D shortcuts in the Start menu yet.

SYMPTOMS SO FAR - NONE, other than feeling stupid and worried, waiting for the crash.

Watching Task Manager Performance, I see no unusual activity level. It sits at zero with occasional blips - only when web content is requested or I do something. I did see and kill Spybot S&D's TeaTimer.exe process with Task Manager.

I don't know how to see inappropriate connections to IP addresses.


So whacha think?


This is a company supplied lap top I was allowed to keep when computers were retired and intranet changed to XP, thus it is unsupported now. I am not admin, but my IT type Brother-in-law says he can make me the admin if necessary. I have the NT workstation CD, but not the applications' CDs (Office).

I only read forums on web, but have an email registered.

Oh yea. May be unimportant, but FYI I ran Steve Gibson's (Gibson Research - http://www.grc.com/intro.htm) ShieldsUp scan a week ago and again just now. This computer showed no ports on the net. That is, this "system ignored and refused to reply to repeated Pings (ICMP Echo Requests)" on ports 0 thru 1055. It's still completely in stealth mode.



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:36 PM

Posted 15 March 2008 - 09:42 PM

Hello Steve_Nos and welcome to BC :flowers:

In order to assist you, we need some additional information. What is your operating system: Windows XP, VISTA, etc.?

What security programs do you have installed? Please name them.

Did you install Spybot Search and Destroy starting from this site: http://www.safer-networking.org/en/index.html? If so, you have the legitimate software. If not, please let us know the site you got it from, but change a letter in the http or www part so it is not a live link.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,726 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:36 PM

Posted 15 March 2008 - 10:56 PM

I downloaded from a crack site

If you use those kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen and pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows.

Not only is the practice of using crack or keygen tools a security risk, it is considered illegal activity and a violation of our BC Discussion/Message Boards Rules.

No subject matter will be allowed whose purpose is to defeat existing copyright or security measures. If a user persists and/or the activity is obviously illegal the staff reserves the right to remove such content and/or ban the user. This would also mean encouraging the use or continued use of pirated software is not permitted, and subject to the same consequences.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Steve_Nos

Posted 16 March 2008 - 02:10 AM

Orange & quiet,

Thanks for the replies.
I may have really stepped in it on this one. Opened a Google result without paying attention where I was. Dumb. Didn't know there even was such a thing as a "crack site". Should have. Anyway... No need to chastise. I've already spanked myself many times. (:-(

This board is a bit foreign, so please excuse mistakes. Also, Netscape seems to have problem with login, so I'm using IE and I'm not used to it.

OS is NT (See my subject line - also my profile)
Machine has Norton AntiVirus NT 5.0 , but the virus defs haven't been updated since 2001. I ran it anyway and it found nothing.

Where I got Spybot:
I was Googling some of the newly-appeared strange files and got to the site (among many other 'anti spyware' sites) where I got Spybot, but, unfortunately, now I can't find any reference to either Spybot or Safer-computing in either browser History. Therefore, I Googled Spybot in hopes something would look familiar and the Safer-computing site looks familiar, so chances are "high" I got it from there. Sorry to have so many loose ends.


New potentially related info:
1 - During only one boot, several boots afterward, one corrupt file was found. I don't remember the application's name that reported it. Something I had never seen before. It was _very_ early in the boot sequence - it looked more like a DOS level App before Windows load got very far at all. It may even have been right before or after the "load-the-Last-known-good-configuration" screen. It recommended running the scan and fix, so I did and it hasn't reoccurred. It reported repairing it.
2 - Now, on boot, a Windows dialog appears saying that the file named simply "-", or one of its components, can't be found (on C: drive). This could be because I moved all the Spybot files to Recycle.
Still no identifiable symptoms. (:-)

Regards, Steve

#5 quietman7

Posted 16 March 2008 - 07:44 AM

It's not unusual to receive such an error after using specialized fix tools.

The "Cannot find...", "Could not run..." or "Error loading..." message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if your not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

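An added example, not part of quietman7's post and not Autoruns code: the check described in the post above, flagging startup entries whose program file is gone, written in Python. The registry entries, file list and system directories are constructed sample data, and the function names are hypothetical.

```python
import ntpath

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample data (not taken from the thread): Run-key values as
# (key, value name, command line), plus the files assumed to exist on disk.
SAMPLE_ENTRIES = [
    ("HKLM\\" + RUN, "Scanner", r'"C:\Program Files\Scanner\resident.exe" /autostart'),
    ("HKLM\\" + RUN, "AvTray", r"C:\Program Files\AV\avtray.exe /quiet"),
    ("HKLM\\" + RUN, "Keyboard", "internat.exe"),
    ("HKCU\\" + RUN, "Updater", "-"),
]
SAMPLE_FILES = [r"C:\Program Files\AV\avtray.exe", r"C:\WINNT\system32\internat.exe"]
SEARCH_DIRS = [r"C:\WINNT\system32", r"C:\WINNT"]  # assumed NT system directories


def candidate_targets(command):
    """List the paths Windows could treat as the program in a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:end] if end != -1 else command[1:]]
    # Unquoted: every space is a possible end of the program path, so
    # "C:\Program Files\x.exe /q" yields "C:\Program", then longer prefixes.
    parts = command.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]


def resolves(command, exists, search_dirs):
    """True if some candidate target (with .exe added if needed) exists."""
    for cand in candidate_targets(command):
        names = [cand] if ntpath.splitext(cand)[1] else [cand, cand + ".exe"]
        for name in names:
            # Bare file names are looked up in the search directories.
            paths = [name] if ntpath.dirname(name) else [ntpath.join(d, name) for d in search_dirs]
            if any(exists(p) for p in paths):
                return True
    return False


def find_orphans(entries, files, search_dirs=SEARCH_DIRS):
    """Return the startup entries whose program file is no longer present."""
    known = {ntpath.normpath(f).lower() for f in files}
    exists = lambda p: ntpath.normpath(p).lower() in known
    return [e for e in entries if not resolves(e[2], exists, search_dirs)]


if __name__ == "__main__":
    for key, name, command in find_orphans(SAMPLE_ENTRIES, SAMPLE_FILES):
        print(f"orphaned: {key}\\{name} -> {command}")
```

On a live system the entries would be read from the Run keys and the file list replaced by a real file-existence check; an entry flagged here is a candidate for review in Autoruns, not proof that it is safe to delete.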

#6 Steve_Nos

Posted 22 March 2008 - 10:07 PM

quietman7,

Thanks, that's what I thought, but I'm not very knowledgeable about the Registry. I can do autoruns, but I have these questions.

My C: is rather full and I want to limit unnecessary files. Can I run Autoruns from my D partition?

I moved all SpybotS&D files to trash when I thought it might be bogus. (I saved a Find log so I know where they were.) I also did a text search in the registry for "Spybot" and found many entries.
Now, the control panel Add/Delete can't delete Spybot now - it errors with no explanation. Do I need to put all Spybot files back, or can I just put the file that Add/Delete needs to work to remove all the registry entries? I realize Add/Delete can't delete files in the recycle bin and may error when it can't find them, but will this remove the Registry entries? If it can, what file or files does Add/Delete need? Does Add/Delete keep track of what got loaded or does it rely on the application to supply that data?
The entry in the Add/Delete for Spybot is probably a Registry entry, right?

I see Spybot folder files which appear to be for removal:
unins000.exe
unins000.dat
unins000.msg ( a text file of all removal error messages)


Unrelated question RE: Event Viewer
For a long time I have been getting a startup message that some unnamed (I think process) failed to load and to check Event Viewer, but I can't figure out the Event Viewer log info. Is there a resource on the web that can help me better interpret Event Viewer? I regularly use MSDN for my VBA work.

Your assistance is appreciated.

Steve.

P.S. If your previous is a copy Paste, you have a typo:

Create a new folder ... (click here if your not sure [ if _you're_ not sure]

Now if I can just find that darn post button...I guess it is the "Add Reply" button.

#7 quietman7

Posted 23 March 2008 - 07:51 AM

Can I run Autoruns from my D partition?

Yes.

You can use a program's uninstall file but the proper way to remove Spybot is via Add/Remove. I suggest you reinstall it, then uninstall if you no longer want it. How to Uninstall Spybot S&D.

"How to view and manage event logs in Event Viewer"
"How To Use the Event Viewer Applet"

You can then gather more information doing a search of the Event ID number at:
"EventID.Net".
"MonitorWare EventID Database"
"Top 50 Viewed Events"
"Events and Errors Message Center".

A tool you can use to view your event logs is WinAudit.
  • After download, double-click WinAudit.exe to launch.
  • Under "To audit your computer...", click the Here link.
  • WinAudit will start examining your computer and generate a System Overview Profile.
  • Under Categories in the left pane, select Error Logs.
  • There will be three sub-categories: Application Errors, Security Errors and System Errors.
  • From there, scroll down the list to view the logs.
  • You can click the "Save" button at the top to save a report in .html format.
Also see Event Log Explorer.

#8 Steve_Nos

Posted 22 April 2008 - 10:53 PM

Boy! I can not get the hang of this forum's operation. Some may be due to Netscape. IE seems to work a little better. Anyway...

Thanks. I removed all the strange stuff and Spybot using Add/Remove successfully. I'm normally VERY cautious, but jumped before I looked in a weaker moment and learned my lesson.
I also think I figured out the EventViewer issue, and will save the links you provided.
Also, I haven't been getting emails for bleepincomputer replies consistently - I think I only got one, so I have to just check here and that hasn't been very often.

Well, I believe my current problem is resolved, so thank you again. Steve N.

Now if I can just find the send/post button I'll be on my way...

#9 quietman7

Posted 23 April 2008 - 07:48 AM

Glad to hear your problem is resolved.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".



