Worms in my work


  • This topic is locked
2 replies to this topic

#1 Cat van Rosmalen

Cat van Rosmalen

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 03 August 2010 - 05:30 PM

Hello everyone, I'm a noob to this forum, so please remain nice when I show my lack of know-how.

I am running XP and on start up the machine ALWAYS plops open the Win32 folder. That's just annoying, but I have this nagging feeling that it's tied to other problems, like sudden crashes and loss of system resources.

To date I've done the following steps:
1. Run Malware, full scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4368

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2010 9:54:25 AM
mbam-log-2010-08-03 (09-54-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 190366
Time elapsed: 42 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. ComboFix ran, turned up some stuff:
ComboFix 10-08-03.01 - user8 08/03/2010 11:45:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.548 [GMT -7:00]
Running from: c:\documents and settings\User3\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User3\g2mdlhlpx.exe
c:\windows\system32\gotomon.log . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 20:05 . 2010-08-03 20:05 -------- d-----w- c:\windows\LastGood
2010-08-03 16:23 . 2010-08-03 16:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 19:05 . 2010-07-30 19:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-30 15:24 . 2010-07-30 15:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-26 17:56 . 2010-07-26 17:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-26 17:55 . 2010-07-26 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-26 17:55 . 2010-07-26 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-07-26 17:55 . 2010-07-30 15:24 -------- d-----w- c:\program files\McAfee Security Scan
2010-07-26 17:54 . 2010-07-30 19:03 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-23 15:22 . 2010-07-26 15:00 -------- d-----w- c:\documents and settings\User3\Application Data\Bitrix Security
2010-07-23 15:21 . 2010-07-23 15:22 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-07-23 15:21 . 2010-07-23 15:21 51712 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
2010-07-14 15:03 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-07 22:35 . 2010-07-21 16:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 16:41 . 2010-07-06 16:41 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 15:01 . 2007-05-25 16:51 64760 ----a-w- c:\documents and settings\User3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-02 15:40 . 2008-10-29 21:29 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 15:40 . 2008-10-29 21:29 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 14:59 . 2009-12-08 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-30 19:15 . 2007-06-01 19:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 21:39 . 2009-12-01 17:46 -------- d-----w- c:\program files\Anti-Malware
2010-07-29 21:37 . 2008-10-29 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-13 21:55 . 2007-06-07 16:15 -------- d-----w- c:\documents and settings\User3\Application Data\CoreFTP
2010-07-01 18:55 . 2008-04-22 23:07 -------- d-----w- c:\documents and settings\User3\Application Data\AdobeUM
2010-06-15 22:06 . 2008-10-16 17:51 -------- d-----w- c:\program files\DYMO Label
2010-06-14 14:31 . 2004-08-11 22:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-17 18:17 . 2004-08-04 03:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[-] 2010-05-17 18:17 . DE0C33706147D7D67F74F2256E3BC84F . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys


c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"run_pbnext"="c:\program files\DelTel\PBNext\PBNext.exe" [2010-07-07 528384]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7204864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-31 17:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 18:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-02-20 18:57 65536 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SetPoint.lnk
backup=c:\windows\pss\SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech BT Wizard]
LBTWiz.exe -silent [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2008-08-01 04:02 393216 ----a-w- c:\program files\ACT\Act for Windows\ActSage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2008-08-01 04:02 28672 ----a-w- c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ----a-w- c:\program files\Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run_pbnext]
2010-07-07 22:09 528384 ----a-w- c:\program files\DelTel\PBNext\PBNext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Common Files\AOL\Loader\aolload.exe"=
"c:\Program Files\ACT\Act for Windows\ActSage.exe"=
"c:\Program Files\AVG\AVG8\avgupd.exe"=
"c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\NTRsupport[1].exe"=
"c:\Program Files\AIM\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2008 12:53 PM 335240]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 3:25 PM 65536]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/24/2009 9:27 AM 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 9:02 PM 81920]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/4/2008 10:34 AM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{760B8973-48F7-40B2-B360-F7ABD8785E50}]
2010-07-23 15:21 51712 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content9.mitel-nhwc.com/download/AXCltInstall.dll
FF - ProfilePath - c:\documents and settings\User3\Application Data\Mozilla\Firefox\Profiles\ek525569.default
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=18-05-2010&tb_mrud=18-05-2010
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=18-05-2010&tb_mrud=18-05-2010&query=
FF - component: c:\documents and settings\User3\Application Data\Mozilla\Firefox\Profiles\ek525569.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-xgukxzrvux.exe - c:\xgukxzrvux.exe\xgukxzrvux.exe
HKLM-Run-fuzakehur - c:\windows\system32\wekenopo.dll
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-fuzakehur - c:\windows\system32\wekenopo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 13:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\stsystra.exe
c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-08-03 13:32:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 20:32

Pre-Run: 61,908,082,688 bytes free
Post-Run: 62,055,899,136 bytes free

- - End Of File - - 164FA4BA6AA5F397071917FF600376B7

3. Hijack This - set to remove all 'extra' items, as well as the accursed problem child file - c:\windows\system32\wekenopo.dll",asdf. It comes up saying that it is Missing Startup software and references HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (I've tried the fix and delete options; it is not removable even at the registry level when I've found it there.)

4. CCleaner - No further luck on getting this to take the wekenopo.dll file that I believe is the culprit behind everything. It was able to fix all registry issues, but keeps this dll file on no matter what.

Help?!?!? I hate to be defeated by data, no matter how noble it is to be thwarted by numbers - it just is frustrating. If *anyone* has some feedback - areas I've overlooked, recommendations or options (short of a complete wipe) I am really interested in your comments. Any similar experiences would also go a long way to ferret out this terrible piece of code.

Thank you in advance, and happy hunting to the rest!

Cat

2. ComboFix ran, turned up some stuff: (I had previously posted this and then realized it would cause my post to be ignored, sorry peeps!) That was deleted and made no further impact on the system for the items I was looking for.



Edited by Budapest, 05 August 2010 - 05:12 PM.
Posts merged ~BP
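As an added illustration (not code from this thread, from ComboFix, or from BleepingComputer) of how a responder reads the Run-key and proxy sections of a ComboFix log like the one posted above: this Python script parses the Run values, the orphaned Run entries and the ProxyServer line, and flags the patterns a helper would question, such as a Run value that points at a DLL, a path whose directory is named like an executable, a file sitting in the drive root, and IE traffic routed through a loopback proxy. The function names, the heuristics and the shortened sample log are constructed for this example.

```python
import re

# Constructed excerpt in the ComboFix layout shown above (shortened sample data, not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-31 17:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

uInternet Settings,ProxyServer = http=127.0.0.1:5555

- - - - ORPHANS REMOVED - - - -

HKCU-Run-xgukxzrvux.exe - c:\xgukxzrvux.exe\xgukxzrvux.exe
HKLM-Run-fuzakehur - c:\windows\system32\wekenopo.dll
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
"""

RUN_KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+\\.*\\Run)\]$', re.IGNORECASE)  # [HKEY_...\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[')                   # "name"="path" [date size]
ORPHAN_RE = re.compile(r'^(HKCU|HKLM)-Run-(\S+) - (.+)$')                 # orphaned Run values
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (.+)$')

def parse_autostarts(log_text):
    """Return [(key, value_name, path)] for Run-key values and orphaned Run values."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        key_match = RUN_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if line.startswith('['):          # any other key header ends the Run block
            current_key = None
            continue
        value_match = RUN_VALUE_RE.match(line)
        if value_match and current_key:
            entries.append((current_key, value_match.group(1), value_match.group(2)))
            continue
        orphan_match = ORPHAN_RE.match(line)
        if orphan_match:
            entries.append((orphan_match.group(1) + ' (orphan)', orphan_match.group(2), orphan_match.group(3)))
    return entries

def assess_path(path):
    """Heuristic reasons an autostart target deserves a closer look; [] means nothing odd."""
    p = path.lower()
    reasons = []
    if p.endswith('.dll'):
        reasons.append('Run value points at a DLL rather than an executable')
    if re.match(r'^[a-z]:\\[^\\]+$', p):
        reasons.append('executable sits directly in the drive root')
    if re.search(r'\\[^\\]+\.exe\\', p):
        reasons.append('a directory in the path is named like an executable')
    return reasons

def find_loopback_proxy(log_text):
    """Return the IE ProxyServer value if it points at a local listener, else None."""
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.rstrip())
        if m and re.search(r'(127\.0\.0\.1|localhost):\d+', m.group(1)):
            return m.group(1)
    return None

def triage_log(log_text):
    """Map each suspicious autostart path to its key, value name and reasons; note a loopback proxy."""
    flagged = {}
    for key, name, path in parse_autostarts(log_text):
        reasons = assess_path(path)
        if reasons:
            flagged[path] = {'key': key, 'name': name, 'reasons': reasons}
    return {'autostarts': flagged, 'proxy': find_loopback_proxy(log_text)}
```

A hit is a prompt to check the file (publisher, signature, timestamps), not a verdict: legitimate entries such as NvCplDaemon in the full log above also launch a DLL and would be listed by the same rule.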


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:05:17 AM

Posted 12 August 2010 - 06:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:07:17 AM

Posted 19 August 2010 - 08:43 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 
