
Look @@ All These .exe, .tmp, & .tlb's I Found In Sys32!


  • This topic is locked
2 replies to this topic

#1 Joedude

Joedude

  • Members
  • 337 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sutton Coldfield, West Midlands, England
  • Local time:03:56 PM

Posted 02 June 2006 - 02:17 PM

Before I get the "ARGH NEWB OMFG LOL!OL@!O@L!@O"

I have been to several forums about this (to include this one). I've downloaded the millions of spyware removal kits which now have manifested themselves into roughly 1 gig of my hard drive space. I have followed the directions of each one as well. I've tried removal through safe mode, dos and even that oh so frustrating, add/remove programs, get rid of all the suspicious stuff/stuff I don't remember putting on here. I've done several spyware, antivirus, and malware scans, registry fixers and cleaners...

I guess the point is, I must still be doing something wrong. Because I still get that annoying little warning sign with an exclamation mark in it, and the flashing green wheelchair that looks suspiciously hijacked from Windows accessibility features, that put these wonderful pop-ups telling me how much more spyware protection I need, my computer is infested, my antivirus sucks, would you like to meet not so single, horny women in your town and get lucky tonight, gamble a million dollars, bla bla bla!

I have run smitrem, smitfraudfix, roguescanfix and have spybot s&d. All of these tell me it's fixed, none of them have fixed it. Generalization....Allow me to restate...

They have all cleaned to the point that when I reboot, they tell me how wonderfully clean and protected my system is, then about an hour later, a security vulnerability pop-up appears, then in a few minutes, a picture of some strange chick with huge boobs asking me if I would like to get lucky tonight...Then I go through the whole procedure again..

All right, by now you're thinking, "ok, that's all well and good. However, if you don't adjust your firewall after going through all of that, it will continue to happen." You are correct. And, I have, several times. I even set Spybot's kewl little feature to autoprotect me and make this sound of a screaming woman when a "spy" is detected. Heard no screaming women, have seen boobs....

Before I officially qualify as a rant...too late methinks...allow me to post you some details.

Here's the log from smitrem...

smitRem © log file
version 2.9
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 2006-06-01
The current time is: 21:53:21.02

Running from
C:\Program Files\Roguescanfix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
~~~ Favorites ~~~
Antivirus Test Online.url
~~~ system32 folder ~~~
regperf.exe
simpole.tlb
stdole3.tlb
atmclk.exe
dcomcfg.exe
1024 dir
ld****.tmp
hp***.tmp
~~~ Icons in System32 ~~~
ts.ico
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1944 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
regperf.exe
stdole3.tlb
atmclk.exe
dcomcfg.exe
1024 dir
ld****.tmp
hp***.tmp
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :thumbsup:



and the rapport from smitfraudfix;

SmitFraudFix v2.53
Scan done at 19:10:07.26, 2006-06-02
Run from C:\Documents and Settings\Joey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Joey\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Joey\FAVORI~1
C:\DOCUME~1\Joey\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\SpywareQuake.com\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
»»»»»»»»»»»»»»»»»»»»»»»» End



OK...what else would you like from me????
I'm sure you can see the files that absolutely refuse to stay off my computer :D

Thanx for the help in advance....

Edited by Joedude, 02 June 2006 - 02:19 PM.

If someone tells you to su rm -rf /
DON'T DO IT!!!!
Be in the know, Bash smart!
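
The comparison the post above asks readers to make by eye, as an added example that is not part of the original post and not code from SmitFraudFix: it parses the FOUND and Deleted lines of the posted report and lists every entry the tool found but did not report as deleted. The names `norm` and `not_reported_deleted` are hypothetical.

```python
import re

# FOUND and Deleted lines copied from the SmitFraudFix report in the post
# above; empty sections and the registry part are left out.
REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Joey\FAVORI~1
C:\DOCUME~1\Joey\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\SpywareQuake.com\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
"""

SECTION = re.compile(r"^»+\s*(.*)$")
ENTRY = re.compile(r"^(.+?)\s+(FOUND !|Deleted)$")

def norm(path):
    # Windows paths are case-insensitive; a trailing backslash marks a folder.
    return path.rstrip("\\").lower()

def not_reported_deleted(text):
    """Return (path, section) for each FOUND entry with no Deleted line."""
    found, deleted, section = {}, set(), ""
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ENTRY.match(line):
            path, status = m.groups()
            if status == "Deleted":
                deleted.add(norm(path))
            else:
                # Masks such as hp???.tmp are compared as literal strings.
                found.setdefault(norm(path), (path, section))
    return [v for k, v in found.items() if k not in deleted]
```

A missing Deleted line only reflects what the tool reported, so the returned entries are the ones to verify on disk after the reboot.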



#2 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:09:56 AM

Posted 02 June 2006 - 02:23 PM

I would suggest your posting a HiJackThis! log so our volunteer team of experts can review it and then help you get rid of whatever malware it finds.
Please read carefully the instructions found here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:10:56 AM

Posted 03 June 2006 - 04:24 AM

I've moved your HJT log to the proper forum.

You can find it here now > http://www.bleepingcomputer.com/forums/t/54417/look-all-these-exe-tmp-tlbs-i-found-in-sys32-yeahmore-help-spyware-crap/

Please be patient and wait for a reply from an HJT Tech.

This thread is now closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



