HJT Log, Believe Is Home Search / CWS Hijack


  • This topic is locked
20 replies to this topic

#1 ssrr


Posted 24 June 2008 - 04:46 PM

Thank you in advance to anyone who can help.
This log is after I reformatted today. I did this as this computer would not allow me to download ANYTHING so I could not download anything to clean this machine up and would not allow me to turn off system restore or go into safe mode. The hijack or whatever this is had disabled all of the anti-spyware programs and antivirus. I have re-installed a firewall and antivirus.
I have now downloaded and run HSRemove, Malwarebytes Anti-malware, about:Buster and Rogue Remover (free version), none found anything. I have also downloaded but not run Combo Fix and SDFix and smitFraudFix, all of these are saved on my desktop.
All of these are saved on my desktop under different / phony names as I had seen that someplace for some of the programs to have different names before they go into the computer so is why I did this.
I discovered when I downloaded a hosts file just now that the old one was still there; it should have gone when I reformatted, but it did not.
I found other files dated before today also, like other programs / applications that were previously on here so I think this thing is still in this computer.
I found files with res.dll and other fake files (.exe and .dll files affected), some are still in the registry as well.
I hope someone can instruct me on what to do now.
This has infected another computer (3 share the internet connection but none have file sharing enabled nor has a network been created) that I seemed to have 'caught' in time as far as I found this thing after I was familiar with it being in this computer.
The third computer is staying off right now but I did download & run the malware programs (listed above) into that one as well.
I have already turned off system restore in this machine in case whatever is in here does not allow me to do so later, turned it off from control panel and in 'services' also, already having problems getting into safe mode. The internet settings in the tools area already will not stay where I put them, I did check 'apply' before 'OK' to make sure I saved them.
Can't think of anymore details right now, I hope someone can help me and if this computer can be 'saved', could whatever it is in this machine have infected the OS disk (used for reformatting today) and what can I do about that if it did / if possible.
Thank you very much in advance







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:33 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\PC Tools AntiVirus\PCTAV.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\wpabaln.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [PCTAVApp] "D:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2033 bytes

Edited by ssrr, 24 June 2008 - 05:16 PM.




#2 suebaby41


Posted 17 July 2008 - 03:07 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41


Posted 23 July 2008 - 04:01 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 suebaby41


Posted 23 July 2008 - 05:38 PM

Reopened at request of user.
Hi, suebaby41.

I did not get your reply until today, July 23. I have been on this site a lot and each time it stated I had no messages; I log in every time I am here (though invisible) or I would have done as you asked immediately.
The problem is now on all 3 computers as all are doing the same thing even though all partitions are deleted.
Should I still post a HJT log and exactly what is going on as I have taken notes to what is happening (disabling firewall and antivirus, etc.).
Thank you so much for taking the time to write to me and I have learned more about computers and all this than I ever thought possible and maybe one day I can help others to rid their machine of this filth, I have no better way to describe it right now, fighting it on all 3 machines.
Thank you so much and I hope you are having a wonderful day and I am writing this as soon as I saw your reply (4:15PM Mountain Time).

Please post a new HijackThis log.

#5 ssrr (Topic Starter)

Posted 23 July 2008 - 11:13 PM

There are 3 computers that share an internet connection and all 3 are doing the same thing all are Windows XP, 2 are professional and one is Home Edition.
res.dll is in A LOT of files to start with.
I am booted off the internet or hijacked like earlier when I tried to post this about 6 hours ago.
The res.dll files are found in Windows games, Outlook Express / WAB and in many i386 \ Driver Cab, Windows Movie Maker among many others.
I have tried deleting these files (search) and through the registry (find) in safe mode. The last time I did this I forgot one file as I was cleaning after removal, and booting back into safe mode to clean with something else and deleting each program as I went. I thought I had it all last time.
I used a secure file shredder.
I am going to end this and add more if this lets me post as I am having a lot of trouble getting to this site, had to go through the registry (safe mode) just to be able to come back here so I don't know how much time I have....
Thank you very much for any assistance.
OK, it let me post that.
I am finding fake drivers (VFind.exe, tsd32.dll, etc.). As this progresses, the taskbar will disappear and anything to do with removing malware / spyware is gone and then nothing but a darkish-blue color screen, no icons, no taskbar, nothing.
The first thing it does is disable the firewall and antivirus, does not matter which one is used, they are disabled. Is why I have not bothered this time with an antivirus, will just be disabled the next day or same day.
The removal of malware / spyware programs is why I have re-named them after re-downloading them (usually after re-formatting), not on this machine yet as it was formatted July 16th, again. All have been re-formatted at least 3 times, deleting partitions for fresh install with OS disks. The same res.dll files and same problems start again. Eventually internet access is not possible. One of the computers has a printer that has "acted up" and this particular computer typing from will not accept disks at all (except OS disk), including for the printer. In the registry I found "AUTORUNALWAYSDENY" (for the printer) or something to that effect and the same for other programs and disks. I do realise some res.dll files are needed and aware of most of them but I am wondering if I am leaving a bad one or two for them to replicate and start this all over again.
I can not download some needed drivers like an Ethernet Controller for the machine I am writing from, I am using wireless for now, can not use cable.
All get re-directed browser-wise at times.
Going to see if it will let me post this far......
Some of the .exe files are also corrupt as well as some of the .sys files; the OS disks are not corrupt, checked on a computer away from these and the internet connection here. I always delete & clean in safe mode (not with command or networking, safe mode only).
Some come out .sy_.
Sometimes I can not download anything at all as I am the only one who works on these machines in this way.
When I have unhidden devices, some of them come up with the yellow exclamation mark, usually the hidden non-PnP drivers, and then 'other devices' (the yellow question mark) is also there and I can not install them (one being Ethernet Controller).
Thank you very much for any assistance on this, I do not know what it is I am trying to get rid of or how to get rid of it for good on all the machines.
Thank you and I hope it lets me post this and sorry so long, want to explain what is happening and thank you again for your patience and for re-opening the topic, I don't know why I didn't get the emails or see it when I logged in which is everyday trying to find something to help rid these machines of whatever it is.....





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:17 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\AcesHigh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 2042 bytes

Edited by ssrr, 23 July 2008 - 11:45 PM.


#6 suebaby41


Posted 24 July 2008 - 03:45 PM

Your HijackThis log is small. If you haven't done any of the following, please tell me in your next reply. If you have done any of the following, please follow the directions to correct the procedure and then post a new HijackThis log.
  • Have you already "fixed stuff" using HijackThis? If so, please restore all the backups and then post another log. Please do not do anything else until you get further instructions.
  • Have you used the following button in HJT: "Add checked to ignorelist" ?
    Such items would no longer appear in the HJT log ("ignored when scanning for hijacks") as they can only be viewed in Configuration>Ignorelist (button) unless you select the "Delete all" button for the Ignore list. Please start HijackThis in this method instead: hijackthis.exe /ihatewhitelists
  • Did you run the HijackThis scan in Safe Mode?
    Safe Mode starts Windows using only basic files and drivers (mouse, except serial mice; monitor; keyboard; mass storage; base video; default system services; and no network connections). If your computer does not start successfully using Safe Mode, you might need to use the Recovery Console feature to repair your system. Safe Mode loads a version of Windows that bypasses all but the most basic drivers and will not run any additional software. Windows XP Safe Mode provides you with a basic graphics driver (enough to display the user interface), access to your drives and windows configuration, and very little else. Safe Mode does not load auto loading software (browser hijackers for example) or device drivers. Malware may be hiding on your computer but scanning with HijackThis in Safe Mode will fail to show it. We need to be able to see everything that is loading in Normal Mode to detect the malware.
  • Are you using Selective Startup?
    This means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to enable those startup entries by doing the following:
    Please go to:
  • Start > Run, and type: MSConfig . Press Enter
  • In the General tab, Startup Selection, choose: Normal Startup-load all device drivers and services
  • Press OK until you are out of the program.
  • Reboot and post a new HijackThis log.


#7 ssrr (Topic Starter)

Posted 25 July 2008 - 10:04 AM

Good morning / afternoon / etc.....
The answers to all of the questions you asked were no. I have never added anything to ignore list (ha ha) and I have fixed nothing / had HJT fix anything since the "latest" re-formatting on all 3 machines. No safe mode (for once, seems like I live in safe mode, lol) but no safe mode and nothing has been removed from start up on any machine since the 'latest' re-format on any of them.
I am sorry for the bold font, I don't know how to get rid of it yet and wanting to post before I get booted off as sometimes happens.

This HJT log (the first log) is from the most badly infected machine and this one has 2 partitions, someone else had worked on this machine only and claimed all was fixed and all partitions were removed. They only put the NOD32 antivirus on it (which has been disabled by the filth as I say, lol) and all he did was system restore and thought it was fixed.
I did one search on here and knew it was not fixed, this guy more of a 'firmware / hardware' person as he calls himself a computer expert but was nice to have someone else try and I can learn hardware from him as he will not go near the registry or attempt malware removal so mutual teaching but I have lots to learn still.
This particular machine is connected directly to the modem by an ethernet cable (and is the only machine directly connected to the modem, the other two are currently wireless); wireless is enabled on this one but it is using the cable. I do not know if this is relevant but am mentioning it as one never knows.

This machine is also 'booted' off the internet the most or 'redirected' (hijacked).

The res.dll files are in same places as the other 2 as is all of the other info previously mentioned as all 3 machines do share the internet connection.

File & printer sharing are disabled (on all 3 machines) and any services supporting NetWare / file and anything sharing are on manual or disabled. Nothing is shared but the internet connection. If on manual and no need for it to be ( I do check services often as whatever is in these sometimes changes some of the service status', I change them back) or I did not need it / use a program that needs it then it is disabled at a later time.
Also may / may not be relevant: none are ad hoc / share the connection through another computer; each is set to connect through a residential gateway.
Sorry to be longwinded, here is the HJT for this machine, to be followed by another HJT log from the machine you and I have been working on from the start.
Thank you and any others who may be following this thread for bearing with me. I thought maybe a HJT log from another similarly infected machine may be larger / longer / closer to the way it should be and shed more light on what is going on malware-wise.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:46 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 1272 bytes


You did not ask for another log from the machine we work on and no offense / disrespect intended, posting another as all questions you had asked were a no and perhaps with the first log, could provide more insight into what is going on. Or not. Thank you again for helping me and I appreciate you using your time to volunteer to help me. Thank you. When I learn something about computers, I will MOST definitely be inquiring on how I can do what you and the other security experts do and help others get the filth out, I mean it. I want to learn more......

HJT log from the machine we have been working on.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:30 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\AcesHigh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 1926 bytes

Edit code tags for readability. ~ OB

Edited by Orange Blossom, 26 July 2008 - 11:50 PM.
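The HijackThis logs in this thread are read by eye. The script below is an added example (not code from the thread, from HijackThis or from the poster) that parses the same line-oriented format and flags the entries an analyst looks at first: O23 services with an unknown owner or a missing file, R0/R1 start and search pages outside an expected list, proxy settings, O4 Run entries that give only a bare filename (resolved through the search path rather than a fixed location), and processes running from a user-writable folder. It also refuses to trust a log whose "Boot mode" is not Normal, for the reason the helper gives above: Safe Mode does not load the autostarts that need to be seen. SAMPLE_LOG is a constructed excerpt modelled on the logs posted above, and the rule names and the expected-page list are assumptions.

```python
"""Triage a HijackThis v2-style log.  Added example for this thread, not code
from HijackThis or from the poster; SAMPLE_LOG is a constructed excerpt modelled
on the logs posted above, and the rule names / expected pages are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's logs (not a verbatim copy).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\AcesHigh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 1272 bytes
"""

# Assumed allowlist: pages the owner says they set themselves.
EXPECTED_PAGES = {"http://www.yahoo.com", "http://www.yahoo.com/"}
# Locations an unprivileged user (or a drive-by download) can write to; a
# process running from here deserves a look even when its name looks harmless.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    entry: str   # the log line (or field) that triggered it


def parse_hjt(text):
    """Split a log into (header dict, running processes, [(kind, body), ...])."""
    header, processes, entries = {}, [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
            continue
        if section == "processes":
            processes.append(line)
        elif section == "header" and ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, processes, entries


def triage(text):
    """Return the findings an analyst would review first, in log order."""
    header, processes, entries = parse_hjt(text)
    findings = []
    # A Safe Mode log omits autostarts, so anything but a Normal boot means
    # the scan has to be repeated before the log can be trusted.
    if header.get("Boot mode", "").lower() != "normal":
        findings.append(Finding("safe-mode-log", header.get("Boot mode", "missing")))
    for proc in processes:
        if any(marker in proc.lower() for marker in USER_WRITABLE):
            findings.append(Finding("process-user-writable-path", proc))
    for kind, body in entries:
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith(("ProxyOverride", "ProxyServer")):
                findings.append(Finding("proxy-setting-present", body))
            elif "Page" in key and value not in EXPECTED_PAGES:
                findings.append(Finding("unexpected-page-url", body))
        elif kind == "O4":
            # "[Name] command": a bare filename is resolved via the search path
            parts = body.split("] ", 1)
            command = parts[1] if len(parts) == 2 else body
            if not DRIVE_PATH_RE.match(command):
                findings.append(Finding("run-entry-unqualified-path", body))
        elif kind == "O23":
            if "Unknown owner" in body:
                findings.append(Finding("service-unknown-owner", body))
            if "(file missing)" in body:
                findings.append(Finding("service-file-missing", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.entry}")
```

A flagged entry is a prompt to verify, not a verdict: an unknown owner only means the binary carries no publisher information, and "(file missing)" means the service registration outlived its executable, which is what you would expect after an uninstall as well as after a removal.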


#8 suebaby41


Posted 25 July 2008 - 01:18 PM

Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Please download ComboFix save it to your desktop. **Note: It is important that it is saved directly to your desktop**.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning. Type 1 and press Enter to begin the scan.
  • The scan will temporarily disable your desktop, and if interrupted, may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Caution - do not touch your mouse/keyboard until the scan has completed. Touching your mouse/keyboard while the scan is running may cause it to stall.
  • When finished, ComboFix will produce a log for you and will automatically save the log file to C:\combofix.txt.
  • ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done, you can delete this folder - QooBox.
  • Note: ComboFix may reset a number of Internet Explorer's settings including making it the default browser. ComboFix resets some settings in IE in order to remove changes which may have been made by malware. It may also change the time format.
  • Please post the log from ComboFix and a new HijackThis log. Thanks.

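The combofix.txt that the procedure above produces contains a "Reg Loading Points" section written in REGEDIT4 style; the copy posted later in this thread shows, among other things, a Windows Firewall profile with EnableFirewall set to 0, the firewall's AuthorizedApplications list, and "*Newly Created Service*" lines. The script below is an added example (not ComboFix's own code) that parses that section and reports those three things so they are not missed when reading a long log. SAMPLE_COMBOFIX is a constructed excerpt in the shape of that output; the rule names are assumptions.

```python
"""Check the "Reg Loading Points" section of a ComboFix log (combofix.txt on
the system drive).  Added example, not ComboFix's own code; SAMPLE_COMBOFIX is
a constructed excerpt in the shape of the log posted in this thread."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix output posted later in this thread.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
------- Supplementary Scan -------
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_reg_section(text):
    """Return ({key: {name: data}}, [newly created service names])."""
    keys, new_services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := NEW_SERVICE_RE.match(line)):
            new_services.append(m.group(1))
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys, new_services


def check_combofix(text):
    """Flag a disabled firewall profile, its exception list and new services."""
    keys, new_services = parse_reg_section(text)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "firewallpolicy" in k and k.endswith("profile"):
            # ComboFix prints DWORDs as "0 (0x0)"; 0 means the profile's firewall is off.
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(Finding("firewall-disabled", key))
        elif "firewallpolicy" in k and k.endswith("authorizedapplications\\list"):
            for exe in values:  # each value name is a program allowed through
                findings.append(Finding("firewall-authorized-app", exe))
    for svc in new_services:
        # Cleanup tools create services of their own; confirm each one by name
        # rather than assuming it belongs to the infection.
        findings.append(Finding("newly-created-service", svc))
    return findings


if __name__ == "__main__":
    for f in check_combofix(SAMPLE_COMBOFIX):
        print(f"{f.rule:24} {f.detail}")
```

EnableFirewall under the firewall policy profile keys is the Windows Firewall on/off switch for that profile; when the owner has not turned it off themselves, a 0 there is worth explaining before anything else in the log, and the AuthorizedApplications list shows which programs were allowed through while it was on.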

#9 ssrr (Topic Starter)

Posted 26 July 2008 - 01:42 AM

Wasn't positive in which mode to run each as I am used to running ComboFix in safe mode so I ran each application in safe and normal mode. I hope this will not mess up any readings.
And just to know for sure, these logs are from the computer we have been working with / on from the start and I did rename them before they were saved to be sure nothing will try to disable it as I am aware there is malware that does this.
Here are both logs, normal mode.

ComboFix, normal mode.

ComboFix 08-07-25.4 - Administrator 2008-07-26 0:19:10.1 - NTFSx86


Running from: C:\Documents and Settings\Administrator\Desktop\ColorfulLights.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.


2008-07-25 19:21 . 2008-07-25 19:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-23 23:00 . 2008-07-23 23:00 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-23 21:56 . 2005-06-21 23:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-17 23:44 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 23:44 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-17 23:44 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-17 23:44 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-17 13:02 . 2008-07-17 13:02 <DIR> d-------- C:\WINDOWS\system32\color
2008-07-17 13:02 . 2008-07-17 13:02 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-07-17 12:42 . 2008-07-17 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-07-17 12:40 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-17 12:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-17 12:40 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-17 12:40 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-16 16:19 . 2008-07-16 16:19 <DIR> d-------- C:\dell
2008-07-16 16:19 . 2005-06-22 00:04 61,440 --a------ C:\WINDOWS\system32\iAlmCoIn_v4342.dll
2008-07-16 15:42 . 2008-07-17 12:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-16 15:20 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-16 15:20 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-16 15:11 . 2008-07-20 17:47 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 15:11 . 2005-02-24 21:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 21:02 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-16 20:44 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=



*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Settings,ProxyOverride = localhost


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 00:20:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-26 0:22:15
ComboFix-quarantined-files.txt 2008-07-26 06:22:07

Pre-Run: 28,670,513,152 bytes free
Post-Run: 28,694,220,800 bytes free

78 --- E O F --- 2008-07-26 01:21:47


HJT log, normal mode, ran after ComboFix did (normal mode)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:53 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\AcesHigh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 2226 bytes





#10 ssrr

ssrr
  • Topic Starter


Posted 26 July 2008 - 02:15 AM

Here are both programs run in safe mode. ComboFix first, then I booted right back into safe mode and then ran HJT. Will also note that for all four logs I fixed nothing / did not have them fix anything; I just ran them. I hope I did this right, running in normal mode first. If not, I will do it the way you specify; I wasn't sure and I didn't think to ask until just now. Thank you again for your help, and I hope I didn't mess any of the readings up by doing these the way I did them.

ComboFix log, safe mode (no networking or command script, just safe mode):

ComboFix 08-07-25.4 - Administrator 2008-07-26 0:46:14.2 - NTFSx86 MINIMAL


Running from: C:\Documents and Settings\Administrator\Desktop\ColorfulLights.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.


2008-07-25 19:21 . 2008-07-25 19:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-23 23:00 . 2008-07-23 23:00 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-23 21:56 . 2005-06-21 23:43 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-17 23:44 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 23:44 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-17 23:44 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-17 23:44 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-17 13:02 . 2008-07-17 13:02 <DIR> d-------- C:\WINDOWS\system32\color
2008-07-17 13:02 . 2008-07-17 13:02 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-07-17 12:42 . 2008-07-17 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-07-17 12:40 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-17 12:40 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-17 12:40 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-17 12:40 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-16 16:19 . 2008-07-16 16:19 <DIR> d-------- C:\dell
2008-07-16 16:19 . 2005-06-22 00:04 61,440 --a------ C:\WINDOWS\system32\iAlmCoIn_v4342.dll
2008-07-16 15:42 . 2008-07-17 12:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-16 15:20 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-16 15:20 . 2008-06-13 07:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-16 15:11 . 2008-07-20 17:47 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-16 15:11 . 2005-02-24 21:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 15:02 . 2008-07-16 15:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 21:02 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-16 20:44 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 23:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 23:44 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=



*Newly Created Service* - DCFS2K
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Settings,ProxyOverride = localhost


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 00:47:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-26 0:49:23
ComboFix-quarantined-files.txt 2008-07-26 06:49:12
ComboFix2.txt 2008-07-26 06:22:16

Pre-Run: 28,702,429,184 bytes free
Post-Run: 28,694,511,616 bytes free

77 --- E O F --- 2008-07-26 01:21:47


HJT log, safe mode, ran after ComboFix's safe mode run and booted immediately back into safe mode to run HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:26 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\AcesHigh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 1864 bytes



#11 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:10 AM

Posted 26 July 2008 - 11:20 PM

Please do not post a log from another computer until we finish cleaning the one we started with. I am confused with your posting logs from different computers. Decide which one you want us to work on and post a log from that one and let me know if you have run ComboFix on that computer. When we finish with that one, then we can start on another one.

I noticed you found out how to turn the "bold" off. Good for you!!
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 ssrr

ssrr
  • Topic Starter


Posted 28 July 2008 - 08:53 AM

These logs are from the computer we have been working on.

#13 suebaby41


Posted 28 July 2008 - 08:25 PM

Thanks.

Step 1
  • Please download BootSafe and save it to your Desktop (or any location of your choice)
  • Double click the BootSafe icon to start the program
  • Select which Safe Mode you wish to boot - Minimal, Networking (typical), or Repair.
  • Click the Reboot button
  • After you have booted into Safe Mode, you can perform any actions needed, such as scanning for viruses, spyware, adware, malware or repairing a system component
  • When you have completed your tasks, simply run BootSafe.
  • Select the Normal Restart option
  • Click the Reboot button and your computer will reboot in Normal Mode.
Step 2

In Safe Mode, we need to do a search for the following files/folders:
  • Click Start > Search > All Files and Folders.
  • Under Search by any or all of the criteria below, in the All or part of the file name: dialog box, type res.dll.
  • At this point, you can click Search or scroll down until you see More Advanced Options.
  • Under More Advanced Options, click to place a check mark by
    • Search system folders.
    • Search hidden files and folders.
    • Search subfolders.
  • Click Search. In the right pane, you will see the file(s) listed if any are found.
  • If any of these files are found, please right click them and select Properties. Please record:
    • the date created
    • date modified
    • vendor
    • revision #
    • all other pertinent information
  • Post this information in your next reply.

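A scripted way to gather what Step 2 asks for, added here as an example; it is not part of the original thread and is not code from BootSafe, HijackThis or ComboFix. It lists every file under the Windows directory whose name ends in res.dll (the same substring match the Windows search performs, so it also catches names such as igfxres.dll), including hidden and system folders, and writes the created and modified dates, company name, file version and an MD5 hash to a CSV on the Desktop so nothing has to be copied out of a Properties dialog by hand. It assumes Windows PowerShell is installed (an optional download on XP SP2) and that the report path is free to use; the report path and the function name Get-FileMd5 are my own choices. Files inside archives such as driver.cab are not expanded, so CAB entries that the Windows search reported will not appear here.

```powershell
# Added example, not from the original thread: enumerate files matching *res.dll
# under the Windows directory and record the properties Step 2 asks for.
# Assumptions: Windows PowerShell is available; the report path below is unused.
$root   = $env:SystemRoot
$report = Join-Path $env:USERPROFILE 'Desktop\res_dll_report.csv'
$md5    = [System.Security.Cryptography.MD5]::Create()

# Hash a file, reporting "unreadable" instead of aborting when access is denied
# (the poster hit "access denied" on several of these files).
function Get-FileMd5([string]$path) {
    try {
        $stream = [System.IO.File]::OpenRead($path)
        try {
            $bytes = $md5.ComputeHash($stream)
            return [System.BitConverter]::ToString($bytes).Replace('-', '')
        } finally {
            $stream.Close()
        }
    } catch {
        return 'unreadable'
    }
}

# -Force includes hidden and system files, which matches the "Search hidden
# files and folders" and "Search system folders" options in the instructions.
$files = Get-ChildItem -Path $root -Recurse -Force -Filter '*res.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

# VersionInfo is the same data the Properties > Version tab shows.
$rows = $files | Select-Object `
    @{ Name = 'Path';        Expression = { $_.FullName } },
    @{ Name = 'Created';     Expression = { $_.CreationTime } },
    @{ Name = 'Modified';    Expression = { $_.LastWriteTime } },
    @{ Name = 'SizeBytes';   Expression = { $_.Length } },
    @{ Name = 'Company';     Expression = { $_.VersionInfo.CompanyName } },
    @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } },
    @{ Name = 'Md5';         Expression = { Get-FileMd5 $_.FullName } }

$rows | Export-Csv -Path $report -NoTypeInformation
$rows | Format-Table Path, Created, Modified, Company, FileVersion -AutoSize

# Entries with no company name, or with a modified date newer than the rest,
# are the ones to look at first.
$rows | Where-Object { -not $_.Company } | Select-Object Path, Modified
```

Run it from an elevated PowerShell prompt in the same Safe Mode session the instructions call for, then attach or paste res_dll_report.csv. Because every property is written at once, the "access denied" problem the poster ran into when copying a search result only affects the hash column for that file, not the rest of the row.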

#14 ssrr

ssrr
  • Topic Starter


Posted 29 July 2008 - 10:17 PM

Hi, there. Thank you again for helping me, I appreciate you taking your time to help me, thank you.
I am not sure what to do.
I downloaded the program and used it to boot into safe mode under 'minimal'. I had it search in hidden files, system and sub folders.
There are 213 files with 'res.dll' and when I right clicked, most said 'copy', no properties or anything else offered, even tried in the upper left of the page as sometimes that will work (where it says 'file', 'edit', etc), no luck there, either. The search was just under 'My Computer', I did not search anywhere else at this time.
I tried to copy the files to Notepad and then WordPad to post here as an attachment if it was too much, but was told 'access denied'.
Tried to copy into a zipped folder, was OK until one of them would not compress and then no more would go and lost what files it did take as it said 'access denied' there, too.
I saved the search and booted back to normal mode using the program as instructed, the search was not saved so I ran the search again in this mode (normal).
It found the same number, 213, in 'My Computer', no other place was searched.
I don't know what I should do now, this is the information I could get.

Most of the files are in C:\Windows\DriverCache\i386\driver.cab All of these were modified 8/17/2001 10:35 AM

More (a lot, not as many as in the above but a lot) in C:\Windows\system32\mui\ and then various numbers / letters after the mui, all starting with what appears to be the number 0 (possibly the capital letter O) but looks like a zero after mui. All of these modified 8/04/2004 6:00AM

There is one in C:\Windows\$hf_mig$\KB950759\SP2QFE modified 4/17/2008 4:37 AM

There are 2 in C:\Windows\SoftwareDistribution\ and then a long line of numbers (no room on the screen to list them all). These 2 were modified 4/17/2008 4:37 AM

There are six in C:\Windows\system32 (nothing after system32). Four of these were modified 8/04/2004 6:00AM. Another was modified 6/21/2005 11:43 PM and the sixth was modified 4/17/2008 4:37 AM.


#15 suebaby41


Posted 30 July 2008 - 08:52 AM

Let's do this program:

Please download Silent Runners.
There is also a zipped version of Silent Runners.
  • If you used the zipped version, unzip/extract the file to its own folder: C:\Silent Runners.
  • Double-click the SilentRunners.vbs inside the folder or on your desktop to start.
  • A message box will appear asking if you want to skip the supplemental searches. Press Yes to skip [default] or No to include them.
  • Another message box will appear saying: Silent Runners has started. A message box like this will appear when it's done. The tool will scan your system and create a log by default, in the same directory as the script or on your desktop. The log is named Startup Programs (ComputerName) date/timestamp.txt.
  • When finished, the next message to appear will say: All Done! the results are in the file... (it will provide the full path location of the log).
  • Copy & paste the log in your next reply.
Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script; you can click to allow it to execute.




