
Persistent malware, ld08.exe keeps reappearing along with others


This topic is locked. 2 replies to this topic.

#1 sideyr (Members, 4 posts)

Posted 08 May 2009 - 01:22 AM

I've tried to get rid of the malware and spyware, but every time I run a scan with Malwarebytes and Spybot, the same things keep reappearing. One of those is the ld08.exe along with a pp06.exe and others. It also changes firefox to connect through a proxy local host at port 7171 and adds a firewall exception to SYS32DLL connecting to the same port. Here is the DDS text file:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Patrick at 23:10:43.87 on Thu 05/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.474 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\google\update\googleupdate.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
c:\program files\intel\intel application accelerator\iaanotif.exe
c:\windows\soundman.exe
c:\windows\alcwzrd.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\cryptoexpert 2007 lite\cexpert.exe
c:\program files\spybot - search & destroy\teatimer.exe
c:\program files\microsoft activesync\wcescomm.exe
c:\program files\skype\phone\skype.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
svchost
c:\program files\skype\plugin manager\skypepm.exe
c:\windows\system32\wuauclt.exe
c:\program files\mozilla firefox\firefox.exe
c:\documents and settings\patrick\desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Adobe PDF Reader Link Helper: {b42bf63c-5354-4c5c-a789-66efeec5e1b0} - c:\program files\mcafee.com\vso\AcroIEHelpe9.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} -
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cryptoexpert] "c:\program files\cryptoexpert 2007 lite\cexpert.exe" /T
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3253344D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sax.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: dbbin - dbbin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\v2xtqkvc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\documents and settings\patrick\application data\mozilla\firefox\profiles\v2xtqkvc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\patrick\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 cc_4g;cc_4g;c:\windows\system32\drivers\cc_4g.sys [2007-2-24 189856]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-8-16 11776]
S1 dbbin;SQL-T Database Driver;c:\windows\system32\dbbin.sys --> c:\windows\system32\dbbin.sys [?]
S1 pnicml;pnicml;\??\c:\docume~1\patrick\locals~1\temp\pnicml.sys --> c:\docume~1\patrick\locals~1\temp\pnicml.sys [?]
S2 gupdate1c9a1c2964743f0;Google Update Service (gupdate1c9a1c2964743f0);c:\program files\google\update\GoogleUpdate.exe [2009-3-10 133104]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-3-10 114464]
S4 Darenu;Darenu; [x]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-3-10 126976]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-3-10 221184]
S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-3-10 122368]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-3-10 245760]
S4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\ateksoft\webcamera plus\WebCamPlusSrv.exe [2009-3-24 46592]

=============== Created Last 30 ================

2009-05-07 23:00 10,752 ----h--- c:\windows\pp06.exe
2009-05-07 23:00 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-07 23:00 17,408 a------- c:\windows\system32\SYS32DLL.exe
2009-05-07 23:00 27,648 ----h--- c:\windows\ld08.exe
2009-05-07 15:39 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 22:30 <DIR> --d----- c:\windows\system32\KB905474
2009-05-04 16:54 9 a------- c:\windows\system32\urhtps.dat
2009-05-01 11:31 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-01 11:31 <DIR> --d----- c:\windows\system32\796525
2009-04-30 19:06 <DIR> --d----- c:\windows\system32\userdata
2009-04-30 19:05 <DIR> --d----- c:\windows\system32\appcache
2009-04-28 16:29 <DIR> --d----- c:\program files\SecondLife
2009-04-28 16:29 112 a------- c:\windows\system32\srvblck2.tmp
2009-04-28 16:29 <DIR> --d----- c:\windows\system32\xmldm
2009-04-28 16:29 <DIR> --d----- c:\windows\system32\cock
2009-04-28 06:59 <DIR> --d----- c:\windows\system32\UAs
2009-04-28 04:58 6,407 a------- c:\windows\system32\krncode.dat
2009-04-28 04:58 1,575 a------- c:\windows\system32\pwrcode.dat
2009-04-28 04:58 993,792 a------- c:\windows\system32\nsysk.ini
2009-04-28 04:58 989,696 a------- c:\windows\system32\osysk.dat
2009-04-28 04:58 21,504 a------- c:\windows\system32\nsysp.ini
2009-04-28 04:58 19,434 a------- c:\windows\system32\wincode.dat
2009-04-28 04:58 17,408 a------- c:\windows\system32\osysp.dat
2009-04-28 04:58 830,464 a------- c:\windows\system32\nsysw.ini
2009-04-28 04:58 826,368 a------- c:\windows\system32\osysw.dat
2009-04-28 04:58 42,704 a------- c:\windows\system32\ldshyf1.old
2009-04-27 15:30 <DIR> --d----- c:\docume~1\patrick\applic~1\Malwarebytes
2009-04-27 15:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 15:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 15:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 14:09 <DIR> --d----- c:\program files\ESET
2009-04-27 13:53 7 a------- c:\windows\system32\nar.bin
2009-04-27 13:48 4,707 a------- c:\windows\system32\z98a.bin
2009-04-27 11:38 <DIR> --d----- c:\docume~1\patrick\applic~1\.purple
2009-04-27 11:37 <DIR> --d----- c:\program files\Pidgin
2009-04-27 11:36 <DIR> --d----- c:\program files\common files\GTK

==================== Find3M ====================

2009-05-04 13:38 21,504 a------- c:\windows\system32\powrprof.dll
2009-05-04 13:38 830,464 a------- c:\windows\system32\wininet.dll
2009-05-03 09:33 993,792 a------- c:\windows\system32\sysk.tmp
2009-05-03 09:33 21,504 a------- c:\windows\system32\sysp.tmp
2009-05-03 09:33 830,464 a------- c:\windows\system32\sysw.tmp
2009-03-21 07:06 397,568 a------- c:\windows\system32\apphelpf2.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-03 20:18 23,048 a------- c:\docume~1\patrick\applic~1\GDIPFONTCACHEV1.DAT
2008-11-11 11:38 22,328 a------- c:\docume~1\patrick\applic~1\PnkBstrK.sys
2006-11-01 18:15 1 a------- c:\documents and settings\patrick\SI.bin
2005-05-24 20:59 2,858,009 a------- c:\program files\2bitmap.zip
2008-09-06 22:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 23:11:20.26 ===============


Thanks in advance for whenever someone can get to this!

Edited by sideyr, 08 May 2009 - 01:27 AM.
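The post above names three things a responder would check in any DDS report of this shape: browser traffic forced through a localhost proxy (the `uInternet Settings,ProxyServer = http=localhost:7171` line), an unknown Winlogon Notify package (`Notify: dbbin - dbbin.dll`) alongside system-start drivers DDS could not examine (`S1 dbbin` and `S1 pnicml` in a temp directory, both shown as `[?]`), and hidden executables written into c:\windows in the same minute as SYS32DLL.exe. The Python below is an added example, not part of the original post or of the DDS tool: it runs those heuristics over a constructed excerpt of the report. The rule names, the small allowlist of Notify DLLs, and the reading of `[?]` as "no size/date recorded" are assumptions for illustration; a hit is a lead for manual review, not a verdict.

```python
"""Triage heuristics over a DDS-style report (added example; not the post's or the DDS tool's code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt modelled on the report in the post above: one representative line per rule,
# plus benign lines (ctfmon, GoogleUpdate, mbam.sys, the Trend Micro directory) that must not fire.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: dbbin - dbbin.dll
S1 dbbin;SQL-T Database Driver;c:\windows\system32\dbbin.sys --> c:\windows\system32\dbbin.sys [?]
S1 pnicml;pnicml;\??\c:\docume~1\patrick\locals~1\temp\pnicml.sys --> c:\docume~1\patrick\locals~1\temp\pnicml.sys [?]
S2 gupdate1c9a1c2964743f0;Google Update Service (gupdate1c9a1c2964743f0);c:\program files\google\update\GoogleUpdate.exe [2009-3-10 133104]
2009-05-07 23:00 10,752 ----h--- c:\windows\pp06.exe
2009-05-07 23:00 17,408 a------- c:\windows\system32\SYS32DLL.exe
2009-05-07 23:00 27,648 ----h--- c:\windows\ld08.exe
2009-05-07 15:39 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 15:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)", re.I)
LOOPBACK_RE = re.compile(r"(localhost|127\.0\.0\.1)(?::(\d+))?", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s*-\s*(?P<dll>.+?)\s*$", re.I)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
WINDIR_EXE_RE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+\.(?:exe|dll|sys)$", re.I)
EARLY_START = {"R0", "R1", "S0", "S1"}   # boot/system-start entries, i.e. kernel drivers
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll"}     # assumption: vendor Notify packages already vetted on this box


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    created: list[tuple[str, str, str, str]] = []   # (minute, attrs, path, line)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := PROXY_RE.search(line)) and (lb := LOOPBACK_RE.search(m["value"])):
            port = lb.group(2) or "(default)"
            findings.append(Finding("loopback-proxy",
                                    f"browser HTTP traffic sent to a local listener on port {port}", line))
        elif m := NOTIFY_RE.match(line):
            if m["dll"].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("winlogon-notify",
                                        f"unknown Notify package {m['dll']} (loaded by winlogon.exe as SYSTEM)", line))
        elif m := SERVICE_RE.match(line):
            reasons = []
            if m["start"].upper() in EARLY_START:
                if m["meta"].strip() == "?":       # assumption: [?] means DDS recorded no size/date
                    reasons.append("early-start driver with no size/date recorded")
                if "\\temp\\" in m["path"].lower():
                    reasons.append("driver image under a temp directory")
            if reasons:
                findings.append(Finding("suspicious-driver", f"{m['name']}: " + "; ".join(reasons), line))
        elif m := CREATED_RE.match(line):
            created.append((f"{m['date']} {m['time']}", m["attrs"], m["path"], line))

    # Hidden executables dropped straight into %windir% or system32 ...
    flagged: set[str] = set()
    by_minute: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for minute, attrs, path, line in created:
        by_minute[minute].append((path, line))
        if "h" in attrs and WINDIR_EXE_RE.match(path):
            findings.append(Finding("hidden-windir-exe", f"hidden executable {path}", line))
            flagged.add(path)
    # ... and everything else written in the same minute, which is usually the rest of the drop.
    for group in by_minute.values():
        if any(path in flagged for path, _ in group):
            for path, line in group:
                if path not in flagged:
                    findings.append(Finding("dropper-sibling",
                                            f"{path} created in the same minute as a hidden executable", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Two caveats for anyone reusing this. The firewall exception the post mentions for SYS32DLL does not show up in a DDS report at all; on Windows XP it lives under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List`, and is a separate check. And the combination seen here, a system-start driver plus a Winlogon Notify DLL, loads before any user-mode scanner runs, which is consistent with files that Malwarebytes and Spybot remove and then find again after the next boot; cleaning the user-mode droppers without dealing with the driver and Notify entries leaves the re-infection path in place.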


#2 sideyr (Topic Starter, Members, 4 posts)

Posted 08 May 2009 - 11:10 PM

Actually, never mind. I think I fixed it, but thanks! This can get closed now.

#3 Orange Blossom (OBleepin Investigator, Moderator, 37,011 posts, Bloomington, IN)

Posted 14 May 2009 - 10:05 PM

Thank you for letting us know. This topic shall now be closed. ~ OB