Possible infection A?.exe or dll files


This topic is locked
3 replies to this topic

#1 zhaul-san
Posted 21 October 2008 - 09:00 PM

I have been trying to figure out this problem:

1. No weird behavior so far except a mild problem with svchost and dnsrslvr.dll which slows my connection each time I click on a link, or open a new tab or window.
2. When I open a picture (large size picture in one tab or window) the cursor goes slow and clumsy.
3. When I defrag partition D: I read moving files A00????.exe or A00?????.dll which are files that are invisible to any program I have tried to use to see them. These files use disk space and I have had up to 2 GB of invisible files. Where Disk Space Reporter tells me I have a certain amount of disk space used, the Explorer properties give me a larger reading.
I have reformatted partition D: three times under my technician's advice.

I hope this thread will help me find and understand what is happening.

Status of my computer today:

Partition C: Real file space usage is 4.22 GB (Disk Space Reporter log). Explorer properties read 5.17 GB. Almost 1 GB of disk space lost ???
Partition D: Recently reformatted, no problem so far. 299 MB of used space (Disk Space Reporter log). Explorer properties read 358 MB, and I understand formatting used 60 MB, so it is OK for now.
My hd is in all 40 GB.

Here are all the steps I did suggested in this thread:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


Step 3. Clean out your temporary internet files and temp files.

I did as suggested

Step 4. Scan your computer with Ad-Aware and Spybot - Search and Destroy

Done, (not posting the logs, dunno if you need them)

Step 5. Scan with any of these antivirus scanners. I used the Housecall online scan.

Done, (found one Joke-agent and one Adware ADWARE_FASTERXP both were deleted)

Step 6. Run McAfee Stinger

Done

Step 7. Install a firewall. I haven't done this. I don't use any financial info on my laptop; do I really need to do this?
But I will install it if really needed.

Step 8. Windows update, it is on.

Step 9. HijackThis, here is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:43 PM, on 10/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\program files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\program files\highjack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\program files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\program files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\program files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\program files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\program files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\program files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\program files\Ad-Aware\aawservice.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe

--
End of file - 4436 bytes
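As an added triage example (not part of the original thread, of HijackThis, or of BleepingComputer's own procedure), the following Python parses lines in the HijackThis format shown in the log above and flags the items a responder would verify first: a BHO whose DLL is missing, a Run entry that names a bare executable with no path, and a service whose owner is unknown. The sample lines are constructed from the log above; the regexes and flagging rules are this example's own assumptions about the format.

```python
import re

# Constructed sample lines in HijackThis v2 format, modelled on the log above
# (not the full log). Raw string, so the Windows paths need no escaping.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\program files\DAEMON Tools Lite\daemon.exe" -autorun
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
"""

# Generic "<section> - <body>" shape shared by every HijackThis entry line.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 autostart: "<hive>\..\Run: [<name>] <command>"
O4_RUN = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 service: "Service: <display> (<short>) - <owner> - <path>"
O23_SERVICE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(text):
    """Return [(section, body), ...] for each HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries worth a second look; returns [(section, body, reason), ...]."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, body, "orphaned BHO: CLSID registered but DLL is missing"))
        elif section == "O4":
            m = O4_RUN.match(body)
            parts = m.group("cmd").split() if m else []
            # A bare file name (no quotes, no directory) is resolved through the
            # system search path, so confirm which binary actually gets launched.
            if parts and not parts[0].startswith('"') and "\\" not in parts[0]:
                findings.append((section, body, "Run entry without a full path: verify the resolved binary"))
        elif section == "O23":
            m = O23_SERVICE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append((section, body, "service with unknown owner: check publisher of " + m.group("path")))
    return findings
```

Running `triage(parse_entries(SAMPLE_LOG))` on the constructed sample yields three findings: the WormRadar BHO with no file, the path-less `tp4mon.exe` Run entry, and the IBM PM Service with an unknown owner.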


#2 zhaul-san (Topic Starter)
Posted 01 November 2008 - 11:23 PM

Looks like nobody can help me. I did defrag partition C: and saw several A00*.* files. I have lost 1 GB of disk space due to these files. Does anybody know what to do?

#3 zhaul-san (Topic Starter)

Posted 03 November 2008 - 11:25 AM

I HAVE FOUND THE PROBLEM, WHICH IS NOT MALWARE. THANK GOD.

THE A00*.* FILES ARE BACKUPS THAT NTFS SYSTEM AND RESTORE SYSTEM CREATE FOR RESTORE POINTS.

I found this article in Microsoft:

http://support.microsoft.com/kb/309531

I followed the instructions and I did check the restore folders. I left the last 3 and deleted the rest. My disk space is back.

Thanks for your disposition to help me. *I am happy*

#4 PropagandaPanda (Malware Response Team)
Posted 07 November 2008 - 06:21 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
