Ldcore.dll Infected, Scans Show Regenerating Trojans

2 replies to this topic

#1 johnshenry

johnshenry

  • Members
  • 5 posts

Posted 23 November 2007 - 10:50 PM

Ok, I've done all of the things requested in the HT Guide.

Of note:

Adaware 2007 was run twice, and still showed suspicious files/reg entries. I will run it again after this posting and can post the logs.

Spybot appeared to find windows/system32/ldcore.dll and when I clicked remove, it locked up.

My virus SW (updated) is McAfee 8.0i, the scan log is pasted below the HT log.

The ZoneAlarm firewall was installed but not enabled for these scans, but I will enable it now and can rescan if necessary.

I use Netscape 7.2 as a browser and hardly ever use Explorer.

I cannot delete ldcore.dll in windows/system32; my McAfee (8.1i) "On Access Scan" trips over it about every 10-15 seconds, and I find 3-4 instances of it in the registry (haven't changed anything there... yet). If I disable my McAfee scan, my PC is somewhat usable.

THANKS FOR ANY HELP! Let me know if you need any other info.



Here is my HT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:41 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3D3F2E81-7A05-4D1E-9BB9-396D6A61D11B} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {C632E80F-3C4D-413E-B16F-988CC14953AD} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: yaywuuu - yaywuuu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 6713 bytes


########################################


Here is the log from McAfee scan (8.0i)

11/23/2007 8:23:45 PM Engine version =5200
11/23/2007 8:23:45 PM DAT version =5170
11/23/2007 8:23:45 PM Number of virus signatures in EXTRA.DAT =None
11/23/2007 8:23:45 PM Names of viruses that EXTRA.DAT can detect =None
11/23/2007 8:23:32 PM Scan Started THEBUGSHOP\John Henry On-Demand Scan
11/23/2007 8:57:04 PM Deleted c:\System Volume Information\_restore{CEE2DA03-23AA-45A9-8C71-73081AB40406}\RP1775\A0112165.exe\A0112165.exe BackDoor-CKA(Trojan)
11/23/2007 8:58:25 PM Deleted c:\System Volume Information\_restore{CEE2DA03-23AA-45A9-8C71-73081AB40406}\RP1784\A0112476.dll Generic Downloader.z(Trojan)
11/23/2007 8:58:33 PM Deleted c:\System Volume Information\_restore{CEE2DA03-23AA-45A9-8C71-73081AB40406}\RP1784\A0113506.dll Generic Downloader.z(Trojan)
11/23/2007 9:00:28 PM Deleted c:\System Volume Information\_restore{CEE2DA03-23AA-45A9-8C71-73081AB40406}\RP1789\A0115563.dll Generic Downloader.z(Trojan)
11/23/2007 9:34:14 PM Deleted c:\WINDOWS\system32\ldcore.dll Generic Downloader.z(Trojan)
11/23/2007 9:34:23 PM Deleted c:\WINDOWS\system32\ldcore.dll.vir Generic Downloader.z(Trojan)
11/23/2007 9:34:36 PM Move failed (Clean failed) c:\WINDOWS\system32\ldcore.dll_old Generic Downloader.z(Trojan)
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Scan Summary
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Processes scanned : 39
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Processes detected : 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Processes cleaned : 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Boot sectors scanned : 3
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Boot sectors detected: 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Boot sectors cleaned : 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files scanned : 145417
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files with detections: 7
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry File detections : 7
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files cleaned : 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files moved : 0
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files deleted : 6
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Files not scanned : 29
11/23/2007 10:35:02 PM Scan Summary THEBUGSHOP\John Henry Run time : 2:11:30
11/23/2007 10:35:02 PM Scan Complete THEBUGSHOP\John Henry On-Demand Scan
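The HijackThis log posted above, as an added example that is not part of this thread or of the HijackThis tool: a small Python triage script run over a few lines copied from that log. It flags the O20 AppInit_DLLs entry (a DLL listed there is mapped into every process that loads user32.dll, which is why such a file stays in use while Windows is running and cannot simply be deleted), every launch point whose target is marked "(file missing)", and a BHO with no product name. The function names, rule tags and the `SAMPLE_LOG` selection are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted in
# this thread, plus the header line. A real run would read the saved hijackthis.log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3D3F2E81-7A05-4D1E-9BB9-396D6A61D11B} - C:\WINDOWS\system32\vtstq.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: yaywuuu - yaywuuu.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Every HJT entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
HJT_ENTRY = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
FILE_MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # short tag naming the rule that fired (my own naming)
    path: str      # file the entry points at (best effort)
    line: str      # the original log line, kept for the report


def parse_entries(text: str):
    """Yield (section, body, raw_line) for each HJT entry in the log text."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_ENTRY.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def appinit_dlls(text: str):
    """Return the DLL paths listed under O20 AppInit_DLLs (comma separated in the registry)."""
    dlls = []
    for section, body, _ in parse_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1]          # first colon ends the key name
            dlls.extend(p.strip() for p in value.split(",") if p.strip())
    return dlls


def _target_path(body: str) -> str:
    """Best-effort path extraction: the last ' - ' field minus the '(file missing)' marker."""
    last = body.rsplit(" - ", 1)[-1]
    return last.replace(FILE_MISSING, "").strip()


def triage(text: str):
    """Apply the defender heuristics and return the findings in log order."""
    findings = []
    for section, body, raw in parse_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that maps user32.dll, so the
            # file is permanently in use and re-detected each time a process starts.
            for dll in appinit_dlls(raw):
                findings.append(Finding(section, "appinit_dll", dll, raw))
        if FILE_MISSING in body:
            # A launch point whose target no longer exists: leftover of a partial removal.
            findings.append(Finding(section, "file_missing", _target_path(body), raw))
        if section == "O2" and body.startswith("BHO: (no name)"):
            # BHOs run inside Internet Explorer; a nameless one is unusual for a real product.
            findings.append(Finding(section, "unnamed_bho", _target_path(body), raw))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule so a glance shows what kind of cleanup is still pending."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason:<12} {f.path}")
    print(summarize(results))
```

Run against the sample it reports the ldcore.dll AppInit entry, three dangling "(file missing)" references and the unnamed BHO; on a full log the same rules apply unchanged, and a clean system should produce an empty list.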


#2 johnshenry

johnshenry
  • Topic Starter

  • Members
  • 5 posts

Posted 24 November 2007 - 10:30 AM

Adaware was run again, with ZoneAlarm active, and only one "privacy object" was found and deleted.

When the McAfee On-Access scan is turned on, ldcore detections continue almost constantly.

ldcore.dll still exists in windows/system32/ and cannot be deleted.


????

#3 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts

Posted 29 November 2007 - 09:28 PM

Hello johnshenry

Thanks for being so patient. I'm now subscribed to this topic and will receive an email notice from the board each time you reply, so I can be here much more quickly than it has taken to get to your first post here.

Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Microsoft MVP Windows-Security 2003-2008