I've been infected by a file (C:\windows\system32\adsldpw.dll) that I can't exterminate. I run all the usual suspects, but this guy seems particularly resistant to the tools I'm used to using. This one is more obnoxious than usual, primarily because it keeps respawning a new background version of Internet Explorer every minute or so if it doesn't find a copy already running. Here's what I've done so far:

1) HiJack_This (couldn't remove adsldpw.dll)
2) Security Task Manager (couldn't remove adsldpw.dll)
3) Adaware, AVG, CCleaner
4) Unlocker 1.8.5 (can unlock winlogon.exe and explorer.exe, but fails to delete or move adsldpw.dll)
5) Avenger v1 (fails to remove adsldpw.dll, see log below)
6) VundoFix 6.5.6 using "Add more files" (fails to remove adsldpw.dll, see log below)
7) HiJack_This (see log below)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:48:06 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\packages\VerminTools\JackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243D2809-6B85-4DF5-A1FB-F19618810A12} - C:\WINDOWS\system32\drmclienq.dll (file missing)
O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - c:\windows\system32\adsldpw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: watfykcr - C:\WINDOWS\SYSTEM32\adsldpw.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2615 bytes


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dgwebmmj

*******************

Script file located at: \??\C:\Program Files\ikcwecrx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Could not open file C:\WINDOWS\SYSTEM32\adsldpw.dll for deletion
Deletion of file C:\WINDOWS\SYSTEM32\adsldpw.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\adsldpw.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

VundoFix V6.5.6

Checking Java version...

Scan started at 11:33:17 AM 12/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete c:\windows\system32\adsldpw.dll
c:\windows\system32\adsldpw.dll Could not be deleted.

Attempting to delete c:\windows\system32\adsldpw.dll
c:\windows\system32\adsldpw.dll Could not be deleted.

Attempting to delete c:\windows\system32\drmclienq.dll
c:\windows\system32\drmclienq.dll Could not be deleted.

Attempting to delete c:\windows\system32\drmclienq.dll
c:\windows\system32\drmclienq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\system32\adsldpw.dll
c:\windows\system32\adsldpw.dll Could not be deleted.

Attempting to delete c:\windows\system32\adsldpw.dll
c:\windows\system32\adsldpw.dll Could not be deleted.

Attempting to delete c:\windows\system32\drmclienq.dll
c:\windows\system32\drmclienq.dll Could not be deleted.

Attempting to delete c:\windows\system32\drmclienq.dll
c:\windows\system32\drmclienq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\adsldpw.dll
C:\WINDOWS\SYSTEM32\adsldpw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\adsldpw.dll
C:\WINDOWS\SYSTEM32\adsldpw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\adsldpw.dll
C:\WINDOWS\SYSTEM32\adsldpw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\adsldpw.dll
C:\WINDOWS\SYSTEM32\adsldpw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 2:09:40 PM 1/29/2008

Listing files found while scanning....

No infected files were found.

Have you tried removing these from HijackThis?
O2 - BHO: (no name) - {243D2809-6B85-4DF5-A1FB-F19618810A12} - C:\WINDOWS\system32\drmclienq.dll (file missing)

O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - c:\windows\system32\adsldpw.dll

How do you know that you are infected with that file? I just checked on it and it says it's unclassified, meaning that it's not necessarily bad.

Ooh, I've just been overwhelmed :D. Sorry dude.

burnsy, while you're at it:

Please download ComboFix by sUBs from HERE or HERE

  • Save it to your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll

  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

The latest version of ComboFix resolved the problem. Thanks gentlemen. I've attached the ComboFix and HJT logs.

Overwhelmed:
Yes, I had attempted to delete them with HJT and STM first... and I had run an older version of ComboFix. I probably should have been more anal in reporting my initial steps, but I had already moved on from the vermin sniffing phase to the vermin elimination phase. I only reported the steps related to file deletion problem.
And I was confident it was a nasty because 1) Security Task Manager reported it as 93% likely to be an infection, 2) it was a new file and couldn't be deleted through conventional means and 3) I watch the HJT log closely and ruthlessly prune detritus that turns up randomly.

Crunchie and Gerbil:
I guess I need to be more diligent about having up-to-date tools. I just updated everything in mid-December! I just got new versions of HJT, ComboFix, and VundoFix this morning and realized that my copies of Adaware, AVG, and Spybot are all outdated. Good grief. I think I need to give up my business and personal lives and spend more time caring for my computer.

Attachments
ComboFix 08-01-30.6 - John 2008-01-30  8:45:36.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.400 [GMT -7:00]
Running from: c:\packages\VerminTools\ComboFix.exe
Command switches used :: /KillAll
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\WINDOWS\system32\adsldpw.dll
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\doiomoas.dat
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drmclienq.dll
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\winshow.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EFORGSVU
-------\LEGACY_OMCBGXRF
-------\eforgsvu
-------\omcbgxrf


(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-30  )))))))))))))))))))))))))))))))
.

2008-01-30 08:26 . 2008-01-30 08:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-01-29 13:35 . 2008-01-29 14:06	<DIR>	d--------	C:\VundoFix Backups
2008-01-24 21:50 . 2008-01-24 21:50	741,632	--a------	C:\WINDOWS\SYSTEM32\dhrkgkbi.dat
2008-01-24 21:50 . 2008-01-24 21:50	120,576	--a------	C:\WINDOWS\SYSTEM32\cgnqoygq.dat
2008-01-24 21:50 . 2008-01-24 21:50	42,752	--a------	C:\WINDOWS\SYSTEM32\ejincezd.dat
2008-01-24 21:50 . 2008-01-24 21:50	36,608	--a------	C:\WINDOWS\SYSTEM32\yxcqnrcl.dat
2008-01-24 21:50 . 2008-01-24 21:50	35,072	--a------	C:\WINDOWS\SYSTEM32\raytijck.dat
2007-12-17 11:19 . 2008-01-24 21:47	<DIR>	d--------	C:\WINDOWS\SYSTEM32\AppCert
2007-12-17 11:19 . 2004-08-04 00:56	84,480	--a------	C:\WINDOWS\SYSTEM32\adsldpw.dll.bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 18:25	---------	d-----w	C:\Program Files\Security Task Manager2
2007-12-17 18:25	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-02-08 18:06	417,792	----a-w	C:\Program Files\Video.exe
2007-02-08 18:06	417,792	----a-w	C:\Program Files\Track_03.exe
2007-02-08 18:06	25,214	----a-w	C:\Program Files\B.ico
2007-02-08 18:06	25,214	----a-w	C:\Program Files\A.ico
2007-02-08 18:06	218,606	----a-w	C:\Program Files\c.zip
2007-02-08 18:06	217,706	----a-w	C:\Program Files\b.zip
2007-02-08 18:06	201,627	----a-w	C:\Program Files\a.zip
2007-02-05 23:26	393,216	----a-w	C:\Program Files\Setup.exe
2006-10-11 06:05	84,640	----a-w	C:\Documents and Settings\John\Application Data\GDIPFONTCACHEV1.DAT
2007-02-07 02:09	974,781	--sh--w	C:\WINDOWS\SYSTEM32\tsrqr.bak1
2007-02-08 03:14	990,939	--sh--w	C:\WINDOWS\SYSTEM32\tsrqr.bak2
2007-02-08 21:39	1,006,205	--sh--w	C:\WINDOWS\SYSTEM32\tsrqr.ini2
2007-02-09 05:39	991,069	--sh--w	C:\WINDOWS\SYSTEM32\ttstv.bak1
2007-02-09 22:33	990,157	--sh--w	C:\WINDOWS\SYSTEM32\vvyxx.bak2
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 18:32 4800512]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll	REG_EXPAND_SZ  	C:\WINDOWS\system32\AppCert\wsil32.dll

R3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2002-01-13 01:25]
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\John\LOCALS~1\Temp\mdxgthkn.sys []
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-23 05:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 08:55:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-01-30  9:00:10 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-30 16:00:05
ComboFix2.txt  2007-12-17 18:52:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 2008-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\JackThis2002.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 1867 bytes
1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\SYSTEM32\tsrqr.bak1
C:\WINDOWS\SYSTEM32\tsrqr.bak2
C:\WINDOWS\SYSTEM32\tsrqr.ini2
C:\WINDOWS\SYSTEM32\ttstv.bak1
C:\WINDOWS\SYSTEM32\vvyxx.bak2

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please do not attach the logs, just paste them into your reply.
