BleepingComputer.com: Process with numbers (and a colon) that I can't kill

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

Process with numbers (and a colon) that I can't kill

#1 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 17 August 2011 - 01:07 PM

Split from here: http://www.bleepingcomputer.com/forums/topic414688.html pasting in initial contextual information. ~ OB

Hey guys. I've got a process that I absolutely cannot kill and it's slowly taking away the executables I can run.

The process is called 3252348497:2920883518.exe. I've never seen a process with a colon.

It shows up whether I'm in regular boot, safe mode and safe mode with command prompt.

I've searched for this executable "file" everywhere and I cannot find it.

I've found two entries to it in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WOW
(Default) - REG_MULTI_SZ - \Device\HarddiskVolume1\WINDOWS\3252348497:2920883518.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\51e6dac1
ImagePath - REG_SZ - \systemroot\3252348497:2920883518.exe

Can anyone help?

Finally got DDS to run!!!

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Dado at 14:05:21 on 2011-08-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2511 [GMT -4:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Immunet Protect *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
.
============== Running Processes ===============
.
C:\WINDOWS\3252348497:2920883518.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = darkspeed.info:80
uURLSearchHooks: H - No File
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\dado\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Immunet Protect] "c:\program files\immunet protect\2.0.17\iptray.exe"
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\dado\startm~1\programs\startup\styler.lnk - c:\documents and settings\dado\application data\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2014E86B-5129-4156-BF0B-B4A56EEFD44E} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dado\application data\mozilla\firefox\profiles\5i465mha.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - proxify
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\dado\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\dado\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2166.3772\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-8-16 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-8-16 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-8-16 656320]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2011-8-16 41424]
S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2011-8-16 31184]
S2 ImmunetProtect;Immunet Protect;c:\program files\immunet protect\2.0.17\agent.exe [2011-8-16 756680]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-11-23 47640]
S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2011-6-22 99248]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-17 366640]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-8-16 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-8-16 1150936]
S2 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-12-27 51816]
S2 statuscached;SmartSVN Status Cache;c:\program files\smartsvn 6.6\bin\statuscached.exe [2011-4-26 216576]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-2 22712]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PctvVirtualNdis;Pinnacle Virtual Miniport;c:\windows\system32\drivers\PctvVirtualNdis.sys [2009-1-8 13696]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2010-5-31 13408]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2008-7-10 1106968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-3-3 176896]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-9 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
.
=============== Created Last 30 ================
.
2011-08-16 21:02:52 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-08-16 21:02:52 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-08-16 21:02:51 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-08-16 21:02:44 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-08-16 21:02:44 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-08-16 21:02:26 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-08-16 21:02:13 -------- d-----w- c:\program files\PC Tools Security
2011-08-16 21:02:13 -------- d-----w- c:\program files\common files\PC Tools
2011-08-16 21:02:13 -------- d-----w- c:\documents and settings\dado\application data\PC Tools
2011-08-16 21:02:13 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-08-16 21:00:00 -------- d-----w- c:\documents and settings\dado\application data\Immunet
2011-08-16 19:16:18 -------- d-----w- c:\documents and settings\all users\Immunet
2011-08-16 19:15:59 31184 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2011-08-16 19:15:40 41424 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2011-08-16 19:15:33 -------- d-----w- c:\program files\Immunet Protect
2011-08-16 19:07:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-16 19:07:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-16 16:22:39 -------- d-----w- c:\documents and settings\dado\application data\BPFTP
2011-08-16 16:22:36 -------- d-----w- c:\program files\BPFTP
2011-08-09 18:32:23 -------- d-----w- c:\documents and settings\dado\local settings\application data\CutePDF Writer
2011-08-09 18:32:08 -------- d-----w- c:\program files\GPLGS
2011-08-09 18:23:18 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-08-09 18:20:16 -------- d-----w- c:\program files\Acro Software
2011-08-09 17:12:48 -------- d-----w- c:\documents and settings\dado\application data\DDMSettings
2011-08-09 17:10:37 -------- d-----w- c:\program files\common files\DivX Shared
2011-08-09 17:09:42 -------- d-----w- c:\documents and settings\all users\application data\DivX
2011-08-08 03:01:31 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-08-04 17:17:46 -------- d-----w- c:\documents and settings\dado\.eclipse
2011-08-03 23:18:43 -------- d-----w- C:\users
2011-08-03 23:09:35 -------- d-----w- c:\program files\Aimersoft
2011-08-03 23:00:28 -------- d-----w- c:\program files\BitTorrent
2011-08-03 22:59:43 -------- d-----w- c:\documents and settings\dado\application data\BitTorrent
2011-08-03 22:18:07 -------- d-----w- c:\documents and settings\dado\application data\vmntemplate
2011-08-03 22:17:44 -------- d-----w- c:\program files\Burn4Free FileBulldog Toolbar
2011-08-03 22:17:36 -------- d-----w- c:\program files\b4ficons
2011-07-26 21:30:55 -------- d-----w- c:\documents and settings\all users\application data\Blueberry
2011-07-26 21:29:49 -------- d-----w- c:\documents and settings\dado\application data\Blueberry
2011-07-26 21:29:37 -------- d-----w- c:\documents and settings\dado\application data\LogSys
2011-07-26 21:29:36 -------- d-----w- c:\documents and settings\all users\application data\LogSys
2011-07-26 21:21:51 -------- d-----w- c:\documents and settings\dado\local settings\application data\WMTools Downloaded Files
2011-07-26 21:10:19 -------- d-----w- c:\documents and settings\dado\application data\SMRecorder
2011-07-26 17:01:09 -------- d-----w- c:\documents and settings\dado\application data\AimOne
2011-07-26 16:51:21 -------- d-----w- c:\documents and settings\dado\application data\avidemux
2011-07-25 13:38:00 -------- d-----w- c:\documents and settings\dado\application data\FileHunter
2011-07-25 13:37:11 -------- d-----w- c:\program files\SAFCo Software
2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-07-22 20:20:06 286720 ------w- c:\windows\Setup1.exe
2011-07-22 20:20:05 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-07-22 16:09:07 35840 ----a-w- c:\windows\system32\comdlg32.oca
2011-07-21 17:00:39 -------- d-----w- c:\documents and settings\dado\.sshterm
2011-07-21 17:00:39 -------- d-----w- c:\documents and settings\dado\.ssh
.
==================== Find3M ====================
.
2011-08-11 00:49:13 73728 ----a-w- c:\windows\ALCFDRTM.VER
2011-07-22 16:09:07 64000 ----a-w- c:\windows\system32\richtx32.oca
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-08 11:55:36 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:55:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 18:00:12 64000 ----a-w- c:\windows\system32\ieframe.oca
2011-07-07 17:50:22 1652736 ----a-w- c:\windows\system32\mshtml.oca
2011-07-07 17:50:06 22016 ----a-w- c:\windows\system32\mswinsck.oca
2011-07-07 17:49:53 35328 ----a-w- c:\windows\system32\COMCT332.oca
2011-07-07 17:49:53 135168 ----a-w- c:\windows\system32\mscomct2.oca
2011-07-07 17:49:52 52224 ----a-w- c:\windows\system32\comct232.oca
2011-07-07 17:49:46 265728 ----a-w- c:\windows\system32\mscomctl.oca
2011-07-07 17:49:40 240128 ----a-w- c:\windows\system32\comctl32.oca
2011-07-06 20:53:01 121229 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2011-07-06 20:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 20:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 20:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-06 20:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-04 18:36:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-04 18:36:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-29 17:31:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 14:24:32 7413248 ----a-w- c:\windows\system32\logonuiX.exe
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 14:55:13 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-06-16 14:55:12 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:06:28.43 ===============

This post has been edited by Orange Blossom: 17 August 2011 - 02:25 PM

#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 20 August 2011 - 09:29 PM

Hi

Please do the following:

On your keyboard, press the Windows logo key and the letter R to open a Run command box

enter the following two commands one at a time, hitting enter after each.


sc stop 51e6dac1
sc delete 51e6dac1

Reboot the machine.



Now do the following:

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Click Apply, and then click OK.




Download Combofix from either of the links below. You must rename it to dado.com before saving it.
Save it directly to your C:\ drive > Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".


Link 1
Link 2

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click c:\dado.com follow the prompts.
      When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.


-----------------------------------------------------------
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 12:41 AM

I appreciate your response. Unfortunately the suggestion didn't work.

The stop/delete service told me it couldn't find the service and the dado.exe install got interrupted in the process and the permissions were changed to block me from running it again.

#4 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 04:42 AM

OK, then please do the following:

Download the following program then boot into safe mode to run it:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account



NEXT

If you can't get TDSSKiller to run, please run the following:



We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#5 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 04:24 PM

TDSSKiller failed the same way the other programs do.

Junction is still running after 20 minutes. Do you know how long it usually runs?

#6 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 04:31 PM

It may take a while, it's searching through your entire computer, give it another half hour or so, or until there doesn't appear to be any activity.

I see where this thread is heading and we will likely need to do some work in the Recovery Console.

Do you have the recovery console already installed or have access to your installation CD? If not, we will be able to make one.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#7 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 04:35 PM

Ok. I'll leave it running.

I've been looking for my Win XP SB Edition disk and it's nowhere to be found! I haven't had the need to reformat since I built this box 4 years ago.

OK. It just finished and Notepad popped up telling me "log.txt" could not be found, would I like to create a new one...

This post has been edited by stangsdado: 21 August 2011 - 04:35 PM

#8 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 04:37 PM

OK, either do this on another computer if you have access or on your computer once junction completes > we should prepare a Recovery Console CD just in case we need it.


Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

Keep that disc nearby, but do not insert it yet, we'll be using it later, but now is the time to ensure your computer is set to boot from CD first, then HDD. Go into your BIOS usually by tapping F2 and change the boot order if necessary. Press F10 to save the changes and the machine will continue to boot.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#9 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 04:41 PM

OK. It just finished and Notepad popped up telling me "log.txt" could not be found, would I like to create a new one...

I'm preparing the recovery CD. Might be difficult because one of the first things this malware did was disable Nero.

#10 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 05:00 PM

Recovery CD prepared and system is bootable off CD.

#11 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 05:36 PM

Hi,

Please do the following:

Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once

The tool will prompt you to restart the machine and boot into the Recovery Console. Do not do that yet - insert the boot CD you created, then restart the computer.


===============================================================


1. Reboot your computer and press any key on the keyboard when prompted.

2. Press R to load the Recovery Console.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. You should now be presented with a C:\Windows> prompt

At that prompt, type in the following bolded text and press Enter

batch look.bat

(Note - there is a space between the words batch and look.bat)


Posted Image

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, click Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and attach the C:\looklog.txt in your next reply.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#12 User is offline   stangsdado 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 50
  • Joined: 16-August 11

Posted 21 August 2011 - 06:04 PM

Hey,

Here's the report:

Run from C:\Documents and Settings\Dado\Desktop\maxlook.exe on Sun 08/21/2011 at 19:01:15.98

--------- maxlook unsigned files ---------

c:\windows\maxdrive\AegisP.sys:
	Verified:	Unsigned
	File date:	7:47 PM 8/17/2008
	Publisher:	Meetinghouse Data Communications
	Description:	IEEE 802.1X Protocol Driver
	Product:	AEGIS Client 3.4.5.0
	Version:	3.4.5.0
	File version:	3.4.5.0
c:\windows\maxdrive\bcbthub.sys:
	Verified:	Unsigned
	File date:	6:18 PM 9/21/2004
	Publisher:	Broadcom Corporation
	Description:	USB Driver for Bluetooth Adapter
	Product:	USB Driver for Broadcom Blutonium Bluetooth Adapter
	Version:	3.3.6.0
	File version:	3.3.6.0
c:\windows\maxdrive\CVPNDRVA.sys:
	Verified:	Unsigned
	File date:	1:22 PM 5/7/2003
	Publisher:	Cisco Systems, Inc.
	Description:	Cisco Systems VPN Client IPSec Driver
	Product:	Cisco Systems VPN Client
	Version:	4.0.1 (Rel)
	File version:	4.0.1 (Rel)
c:\windows\maxdrive\fw203x.sys:
	Verified:	Unsigned
	File date:	6:18 PM 9/21/2004
	Publisher:	Broadcom
	Description:	BBTFW_2_15_007           
	Product:	n/a
	Version:	n/a
	File version:	2.15.7              
c:\windows\maxdrive\i8042prt.sys:
	Verified:	Unsigned
	File date:	8:00 AM 4/14/2008
	Publisher:	V x zityf owb x
	Description:	Kyfvojc teurrixl rjnpbaq kzk
	Product:	Vilxfoo yzivuz rgn at hobxao
	Version:	5.53
	File version:	5.53
c:\windows\maxdrive\intelsmb.sys:
	Verified:	Unsigned
	File date:	5:10 AM 3/12/2004
	Publisher:	Intel Corporation
	Description:	System Management Bus 2.0 (SMBus) Driver
	Product:	Intel(R) SMBus Controller
	Version:	SMBus 2.0
	File version:	6.0.1.23
c:\windows\maxdrive\mcdbus.sys:
	Verified:	Unsigned
	File date:	7:42 PM 2/24/2009
	Publisher:	MagicISO, Inc.
	Description:	MagicISO SCSI Host Controller
	Product:	MagicISO SCSI Host Controller
	Version:	2.7.106.519
	File version:	2.7.106.519
c:\windows\maxdrive\osaio.sys:
	Verified:	Unsigned
	File date:	7:12 PM 1/12/2004
	Publisher:	Windows (R) 2000 DDK provider
	Description:	Windows I/O Port Driver
	Product:	OSA I/O Port Driver Version 1.0.3
	Version:	5.00.2195.1620
	File version:	5.00.2195.1620
c:\windows\maxdrive\OXSER.SYS:
	Verified:	Unsigned
	File date:	1:31 AM 4/29/2003
	Publisher:	OEM
	Description:	OX16C95x Serial Device Driver
	Product:	OX16C95x
	Version:	3.0.4.001
	File version:	3.0.4.001
c:\windows\maxdrive\RtkHDAud.sys:
	Verified:	Unsigned
	File date:	8:27 PM 9/24/2004
	Publisher:	Realtek Semiconductor Corp.
	Description:	Realtek(r) High Definition Audio Function Driver
	Product:	Realtek(r) High Definition Audio Function Driver (HRTF data Copyright 1994 by MIT Media Lab)
	Version:	5.10.00.5032
	File version:	5.10.00.5032 built by: WinDDK
c:\windows\maxdrive\Sio9502k.sys:
	Verified:	Unsigned
	File date:	1:29 PM 2/11/2004
	Publisher:	Socket Communications, Inc. 
	Description:	 WDM serial port device driver
	Product:	SIO9502K 
	Version:	1, 0, 0, 1
	File version:	1, 0, 3, 5
c:\windows\maxdrive\SIODRV.SYS:
	Verified:	Unsigned
	File date:	10:30 PM 8/20/2008
	Publisher:	Intel Corporation
	Description:	SuperIO Driver for Windows NT(R)
	Product:	Intel(R) Active Monitor
	Version:	1, 0, 0, 0
	File version:	Unsupported 'Engineering Build'
c:\windows\maxdrive\SjyPkt.sys:
	Verified:	Unsigned
	File date:	9:57 AM 10/2/2002
	Publisher:	Windows (R) 2000 DDK provider
	Description:	Sample NDIS 5.0 Protocol Driver
	Product:	Windows (R) 2000 DDK driver
	Version:	5.00.2195.1
	File version:	5.00.2195.1
c:\windows\maxdrive\SktBt2k.sys:
	Verified:	Unsigned
	File date:	10:26 AM 3/23/2004
	Publisher:	Socket Communications, Inc. 
	Description:	 WDM serial port device driver
	Product:	SIO9502K 
	Version:	1, 0, 0, 1
	File version:	1, 0, 3, 7
c:\windows\maxdrive\SMBios.sys:
	Verified:	Unsigned
	File date:	11:43 PM 6/6/2004
	Publisher:	Intel Corporation
	Description:	Intel(R) System Management BIOS Driver
	Product:	Intel (R) System Management BIOS Driver
	Version:	1.0.0.14
	File version:	1.0.0.14
c:\windows\maxdrive\wg111nd5.sys:
	Verified:	Unsigned
	File date:	9:31 AM 1/7/2006
	Publisher:	NETGEAR, Inc.
	Description:	wg111 Wireless NDIS 5.1 Driver
	Product:	NETGEAR 802.11g Wireless LAN
	Version:	3.0.18.201
	File version:	3.0.18
c:\windows\maxdrive\wssbtr1f.sys:
	Verified:	Unsigned
	File date:	2:58 AM 7/4/2003
	Publisher:	National Semiconductor Sweden AB
	Description:	wssbt
	Product:	National Semiconductor Sweden AB BlueCard PCMCIA driver
	Version:	2, 0, 0, 57
	File version:	2, 0, 0, 57

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\AegisP.sys:
	Verified:	Unsigned
	File date:	7:47 PM 8/17/2008
	Publisher:	Meetinghouse Data Communications
	Description:	IEEE 802.1X Protocol Driver
	Product:	AEGIS Client 3.4.5.0
	Version:	3.4.5.0
	File version:	3.4.5.0
c:\windows\system32\drivers\bcbthub.sys:
	Verified:	Unsigned
	File date:	6:18 PM 9/21/2004
	Publisher:	Broadcom Corporation
	Description:	USB Driver for Bluetooth Adapter
	Product:	USB Driver for Broadcom Blutonium Bluetooth Adapter
	Version:	3.3.6.0
	File version:	3.3.6.0
c:\windows\system32\drivers\CVPNDRVA.sys:
	Verified:	Unsigned
	File date:	1:22 PM 5/7/2003
	Publisher:	Cisco Systems, Inc.
	Description:	Cisco Systems VPN Client IPSec Driver
	Product:	Cisco Systems VPN Client
	Version:	4.0.1 (Rel)
	File version:	4.0.1 (Rel)
c:\windows\system32\drivers\fw203x.sys:
	Verified:	Unsigned
	File date:	6:18 PM 9/21/2004
	Publisher:	Broadcom
	Description:	BBTFW_2_15_007           
	Product:	n/a
	Version:	n/a
	File version:	2.15.7              
c:\windows\system32\drivers\intelsmb.sys:
	Verified:	Unsigned
	File date:	5:10 AM 3/12/2004
	Publisher:	Intel Corporation
	Description:	System Management Bus 2.0 (SMBus) Driver
	Product:	Intel(R) SMBus Controller
	Version:	SMBus 2.0
	File version:	6.0.1.23
c:\windows\system32\drivers\mcdbus.sys:
	Verified:	Unsigned
	File date:	7:42 PM 2/24/2009
	Publisher:	MagicISO, Inc.
	Description:	MagicISO SCSI Host Controller
	Product:	MagicISO SCSI Host Controller
	Version:	2.7.106.519
	File version:	2.7.106.519
c:\windows\system32\drivers\osaio.sys:
	Verified:	Unsigned
	File date:	7:12 PM 1/12/2004
	Publisher:	Windows (R) 2000 DDK provider
	Description:	Windows I/O Port Driver
	Product:	OSA I/O Port Driver Version 1.0.3
	Version:	5.00.2195.1620
	File version:	5.00.2195.1620
c:\windows\system32\drivers\OXSER.SYS:
	Verified:	Unsigned
	File date:	1:31 AM 4/29/2003
	Publisher:	OEM
	Description:	OX16C95x Serial Device Driver
	Product:	OX16C95x
	Version:	3.0.4.001
	File version:	3.0.4.001
c:\windows\system32\drivers\RtkHDAud.sys:
	Verified:	Unsigned
	File date:	8:27 PM 9/24/2004
	Publisher:	Realtek Semiconductor Corp.
	Description:	Realtek(r) High Definition Audio Function Driver
	Product:	Realtek(r) High Definition Audio Function Driver (HRTF data Copyright 1994 by MIT Media Lab)
	Version:	5.10.00.5032
	File version:	5.10.00.5032 built by: WinDDK
c:\windows\system32\drivers\Sio9502k.sys:
	Verified:	Unsigned
	File date:	1:29 PM 2/11/2004
	Publisher:	Socket Communications, Inc. 
	Description:	 WDM serial port device driver
	Product:	SIO9502K 
	Version:	1, 0, 0, 1
	File version:	1, 0, 3, 5
c:\windows\system32\drivers\SIODRV.SYS:
	Verified:	Unsigned
	File date:	10:30 PM 8/20/2008
	Publisher:	Intel Corporation
	Description:	SuperIO Driver for Windows NT(R)
	Product:	Intel(R) Active Monitor
	Version:	1, 0, 0, 0
	File version:	Unsupported 'Engineering Build'
c:\windows\system32\drivers\SjyPkt.sys:
	Verified:	Unsigned
	File date:	9:57 AM 10/2/2002
	Publisher:	Windows (R) 2000 DDK provider
	Description:	Sample NDIS 5.0 Protocol Driver
	Product:	Windows (R) 2000 DDK driver
	Version:	5.00.2195.1
	File version:	5.00.2195.1
c:\windows\system32\drivers\SktBt2k.sys:
	Verified:	Unsigned
	File date:	10:26 AM 3/23/2004
	Publisher:	Socket Communications, Inc. 
	Description:	 WDM serial port device driver
	Product:	SIO9502K 
	Version:	1, 0, 0, 1
	File version:	1, 0, 3, 7
c:\windows\system32\drivers\SMBios.sys:
	Verified:	Unsigned
	File date:	11:43 PM 6/6/2004
	Publisher:	Intel Corporation
	Description:	Intel(R) System Management BIOS Driver
	Product:	Intel (R) System Management BIOS Driver
	Version:	1.0.0.14
	File version:	1.0.0.14
c:\windows\system32\drivers\wg111nd5.sys:
	Verified:	Unsigned
	File date:	9:31 AM 1/7/2006
	Publisher:	NETGEAR, Inc.
	Description:	wg111 Wireless NDIS 5.1 Driver
	Product:	NETGEAR 802.11g Wireless LAN
	Version:	3.0.18.201
	File version:	3.0.18
c:\windows\system32\drivers\wssbtr1f.sys:
	Verified:	Unsigned
	File date:	2:58 AM 7/4/2003
	Publisher:	National Semiconductor Sweden AB
	Description:	wssbt
	Product:	National Semiconductor Sweden AB BlueCard PCMCIA driver
	Version:	2, 0, 0, 57
	File version:	2, 0, 0, 57

#13 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 06:42 PM

I'm putting my money on this one being the bad driver:

c:\windows\maxdrive\i8042prt.sys:

let's see if we can find a replacement

please do the following:



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
*i8042prt*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#14 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 08:41 PM

double post

This post has been edited by CatByte: 21 August 2011 - 08:42 PM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#15 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 August 2011 - 08:42 PM

Can you please manually navigate to the following location

you will need to show hidden files and folders first



c:\windows\assembly\GAC_MSIL\desktop.ini

does that file exist?



to show hidden files and folders
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

Share this topic:


  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users