Everything automatically closes [RESOLVED]


#16 JSntgRvr (Global Moderator, 10,965 posts)
Hi, sonicshadow :)

Please remove the GDISearch folders from your desktop. Then download the enclosed folder. It contains a folder similar to the GDISearch folder. Once extracted, double click on the FileSearch.bat file and post the resulting report.

Please go to VirusTotal and scan the following files:

C:\Program Files\StormII\StormSet.dll
C:\Windows\System32\gdi32.dll


Post the results in your next reply.

#17 sonicshadow (Topic Starter, Member, 56 posts)
Hello,

The results from "FileSearch" are here:

----a-w 296,448 2008-02-21 04:43:35 C:\Windows\System32\gdi32.dll
----a-w 296,448 2006-11-02 09:46:05 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.16386_none_5747e8004c667a97\gdi32.dll
----a-w 296,448 2008-02-21 04:43:35 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.16643_none_57702c844c48b643\gdi32.dll
----a-w 296,448 2008-02-22 04:49:18 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.20777_none_57dd5ab3657b0f3c\gdi32.dll
----a-w 295,936 2008-02-22 04:57:23 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.18023_none_596c0b02495f0f52\gdi32.dll
----a-w 295,936 2008-02-22 04:48:18 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.22120_none_59f2a6ef627f6317\gdi32.dll

Entries: 6 (6)
Directories: 0 Files: 6
Bytes: 1,777,664 Blocks: 3,472

And here are the results from VirusTotal. Through the first scan, it said that it had "already been analyzed", but I chose to "reanalyze" since I figured there was no harm in that. For StormSet.dll, the scan had 2 results:

Authentium 5.1.0.4 2008.06.29 W32/Boran.A.gen!Eldorado
F-Prot 4.4.4.56 2008.06.29 W32/Boran.A.gen!Eldorado

The other anti-viruses had no result.

Additional information
File size: 76712 bytes
MD5...: cca204ab5c711ad9b5636314af07f30b
SHA1..: 839da5f4c89e21bd9a6f218992aabb251a126430
SHA256: ee8a90666160de3180fb73ed99ff8f460336b0c500c479d79f921f3b856c4922
SHA512: b41547da8e8ba58930be59aef30735b3502b57d47dc44ebc5ba964e054f624663c2064c8a0c20eae00785ab7614649eddf3e8baac4133de632cca404cd630987
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10002c3e
timedatestamp.....: 0x466cfb35 (Mon Jun 11 07:35:17 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x88b2 0x9000 6.40 8c8cfb4814323ac5bf59fa8557e4d813
.rdata 0xa000 0x1192 0x2000 3.48 c59c3c3ce55e871b2823504c6e5cde0a
.data 0xc000 0x4660 0x3000 1.16 c0ab4a563bf2e315f0746ed5da8579f9
.rsrc 0x11000 0x368 0x1000 0.99 3290f8ff73620120ff42832a92f0d865
.reloc 0x12000 0x105c 0x2000 2.42 4400d46968f5d6c221917c2529b5961e

( 4 imports )
> SHLWAPI.dll: StrStrIA, SHSetValueA, PathRemoveFileSpecA, SHDeleteValueA, SHGetValueA
> WININET.dll: InternetGetConnectedState, InternetCrackUrlA
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
> KERNEL32.dll: TlsFree, LCMapStringW, LCMapStringA, ReadFile, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, MultiByteToWideChar, CloseHandle, FlushFileBuffers, WriteFile, CreateFileA, lstrlenA, SetFilePointer, GetLocalTime, SystemTimeToFileTime, DeleteFileA, lstrcpyA, GetShortPathNameA, GetFileAttributesA, WritePrivateProfileSectionA, GetPrivateProfileSectionA, lstrcatA, GetWindowsDirectoryA, lstrcpynA, MoveFileExA, CopyFileA, GetTempFileNameA, GetVersionExA, Sleep, GetModuleFileNameA, GetSystemDirectoryA, InterlockedExchange, GetTickCount, RtlUnwind, GetLastError, GetCommandLineA, GetVersion, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, HeapFree, HeapAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, GetModuleHandleA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, VirtualAlloc, HeapReAlloc, InterlockedDecrement, InterlockedIncrement

( 3 exports )
CheckEnv, DllRegisterServer, DllUnregisterServer

For GDI32.dll, the antiviruses found nothing. 0 results.

Additional Information for GDI32.dll is attached, because it's quite lengthy.

Attached file: Results_gdi32dll.txt (14.86 KB)

#18 JSntgRvr (Global Moderator, 10,965 posts)
The File search report is wrong. The folder I requested you to download searches for the following files instead of gdi32.dll:

svchost.exe
msdtc.exe


And the results for StormSet.dll are not included.

Please check this and post the results.

#19 sonicshadow (Topic Starter, Member, 56 posts)
Oh, I'm sorry. The FileSearch error was due to my forgetting to "Run as Administrator." Here are the results:

----a-w 22,016 2006-11-02 09:45:47 C:\Windows\System32\svchost.exe
----a-w 22,016 2006-11-02 09:45:47 C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 44,032 Blocks: 86

----a-w 106,496 2006-11-02 09:45:26 C:\Windows\System32\msdtc.exe
----a-w 106,496 2006-11-02 09:45:26 C:\Windows\winsxs\x86_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.0.6000.16386_none_171c40e96317eaae\msdtc.exe

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 212,992 Blocks: 416

Total Entries: 4 (4)
Total Directories: 0 Files: 4
Total Bytes: 257,024 Blocks: 502

Contents of System.ini:

; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]


I did include the results for StormSet.dll in the last post; it just wasn't attached. Here it is, attached:

Attached file: Results_stormsetdll.txt (2.56 KB)

#20 JSntgRvr (Global Moderator, 10,965 posts)
Hi, sonicshadow :)

I have my doubts concerning the gdi32.dll, especially when Windows finds it as an invalid .dll file. The winsxs folder shows two files present with different sizes. We may be able to replace the copy in the System32 folder with the file showing a different size in the winsxs folder, but first let's scan that file.

Go back to VirusTotal. Copy and paste the following path and send it:

C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.18023_none_596c0b02495f0f52\gdi32.dll

Post the results in your next reply.
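The FileSearch report in post #17 and the size comparison in post #20 can be checked mechanically rather than by eye. The following Python script is an added example, not a tool from this thread: it parses lines in that report format (the six sample lines are copied from the report above), pulls the assembly version out of each WinSxS component folder name, and reports which staged copy the live System32 gdi32.dll matches by size and timestamp; a live copy that matches no staged copy is the one worth hashing and comparing before any replacement is attempted.

```python
import re

# Constructed sample in the FileSearch.bat report format quoted in the thread
# (attributes, size, date, time, path); the six file lines are copied from the post above.
REPORT = r"""
----a-w 296,448 2008-02-21 04:43:35 C:\Windows\System32\gdi32.dll
----a-w 296,448 2006-11-02 09:46:05 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.16386_none_5747e8004c667a97\gdi32.dll
----a-w 296,448 2008-02-21 04:43:35 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.16643_none_57702c844c48b643\gdi32.dll
----a-w 296,448 2008-02-22 04:49:18 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.20777_none_57dd5ab3657b0f3c\gdi32.dll
----a-w 295,936 2008-02-22 04:57:23 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.18023_none_596c0b02495f0f52\gdi32.dll
----a-w 295,936 2008-02-22 04:48:18 C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.22120_none_59f2a6ef627f6317\gdi32.dll
Entries: 6 (6)
"""

# attributes, size with thousands separators, date and time, then the path
LINE_RE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+)$")
# assembly version embedded in a WinSxS component folder name, e.g. _6.0.6001.18023_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_report(text):
    """Return one dict per file line; summary lines such as 'Entries:' do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _attrs, size, stamp, path = m.groups()
        ver = VERSION_RE.search(path)
        entries.append({"size": int(size.replace(",", "")), "stamp": stamp, "path": path,
                        "winsxs": "\\winsxs\\" in path.lower(),
                        "version": ver.group(1) if ver else None})
    return entries


def triage(entries):
    """Compare the single live (non-WinSxS) copy with the staged WinSxS copies."""
    live = [e for e in entries if not e["winsxs"]]
    staged = [e for e in entries if e["winsxs"]]
    if len(live) != 1:
        raise ValueError("expected exactly one copy outside WinSxS")
    live = live[0]
    # A serviced file should be identical to the staged copy of the installed version,
    # so size and timestamp should both agree with at least one WinSxS entry.
    same = [e["version"] for e in staged
            if e["size"] == live["size"] and e["stamp"] == live["stamp"]]
    return {"live_size": live["size"],
            "matches_staged_version": same,
            "staged_sizes": sorted({e["size"] for e in staged}),
            "needs_hash_check": not same}
```

On the report quoted in this thread the live copy matches the 6.0.6000.16643 staged copy exactly, so size and timestamp alone give no reason to swap it; an actual hash comparison (as VirusTotal's MD5/SHA256 lines provide) is the next step when they disagree.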

#21 sonicshadow (Topic Starter, Member, 56 posts)
It found no results. :)

Here is the additional information.

Attached file: results_gdi32dll_2.txt (14.9 KB)

#22 JSntgRvr (Global Moderator, 10,965 posts)
It does not say if there were any findings by the virus scanners. Were there?

#23 sonicshadow (Topic Starter, Member, 56 posts)
The virus scanners didn't find a thing.

#24 JSntgRvr (Global Moderator, 10,965 posts)
I find no reason for this behavior. I would suggest you run the System File Checker. You will need your Vista DVD CD.

The System File Checker is an important application which scans the integrity of all the protected system files on your PC. Should it locate an incorrect version of a specific protected file, SFC automatically replaces it with the correct Microsoft version.

To check your Windows protected files, proceed as follows:
  • Click the Start button
  • From the Start Menu, Click All programs followed by Accessories
  • In the Accessories menu, Right Click on the Command Prompt option
  • From the drop down menu that appears, Click on the 'Run as administrator' option
  • If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.
  • In the Command Prompt window, type: sfc /scannow and then press Enter
  • A message will appear stating that 'the system scan will begin'
  • Be patient because the scan may take some time
  • If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue
  • If everything is okay you should, after the scan, see the following message "Windows resource protection did not find any integrity violations"
  • After the scan has completed, Close the command prompt window


#25 sonicshadow (Topic Starter, Member, 56 posts)
Actually, somewhere in the middle of all that scanning and such, it's working again. I guess whatever the last fix was did the trick.

Sorry if I wasted your time starting in between. I'm guessing it was that OT thing that fixed it, if it actually did anything. I actually thought most of these programs only scanned for problems rather than fix.

But anyway, Thank you for your help.

I appreciate your services :).

#26 JSntgRvr (Global Moderator, 10,965 posts)
Hi, sonicshadow :)

You are Welcome.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware:
  • Click on the Vista START button
  • Now type Combofix /u in the search option and click OK. Note the space between the X and the U; it needs to be there.
Please download OTCleanIT by OldTimer.
  • Save it to your desktop.
  • Please double-click OTCleanIT.exe to run it. (Vista users, please right click on OTCleanIT.exe and select "Run as an Administrator")
  • This will delete the fix tools, including this program, that we used
  • If you are asked to reboot to complete the removal process then please do so

Remove any remaining tools we used

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

#27 sonicshadow (Topic Starter, Member, 56 posts)
Hi

Uhh.. false alarm. It worked about once or twice. I restarted the computer and the problem is back again. And I have no clue why. I'll try your latest advice.

:) :)

#28 JSntgRvr (Global Moderator, 10,965 posts)
Let me know the outcome.

#29 sonicshadow (Topic Starter, Member, 56 posts)
The scan said that everything was fine, or to be specific, "Windows resource protection did not find any integrity violations".

#30 JSntgRvr (Global Moderator, 10,965 posts)
Hi, sonicshadow :)

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • For information click Here
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply along with a fresh Hijackthis log.
