0

I am getting an error that says: The instruction at "0x636e315e" referenced memory at "0x00c6c0b0". The memory could not be "read".

Click on OK to terminate the program, and a message like that comes 6 times every time I close something.

I need help on fixing this error. Please help me. :D

2 Contributors | 14 Replies | 15 Views | 9 Years Discussion Span | Last Post by gerbil
0

I'm guessing that you have some malware in your sys. Maybe you could give us a glimpse of some things...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, reboot to restore the desktop.
==download HijackThis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows, including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

0

Here is the ComboFix log:

ComboFix 08-08-04.01 - Owner 2008-08-04 14:10:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\LBDDJXMD\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\LBDDJXMD\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BMd3e981d3.txt
C:\WINDOWS\BMd3e981d3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\DefLib.sys
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
C:\WINDOWS\system32\gdiwxp.dll
C:\WINDOWS\system32\icdnvjvp.dll
C:\WINDOWS\system32\logon16x.dll
C:\WINDOWS\system32\mmlogon.sys
C:\WINDOWS\system32\MSplg7.dll
C:\WINDOWS\system32\ntio256.sys
C:\WINDOWS\system32\omdtcjcj.dll
C:\WINDOWS\system32\rAJkknpo.ini
C:\WINDOWS\system32\rAJkknpo.ini2
C:\WINDOWS\system32\rsdapi.dll
C:\WINDOWS\system32\sefuydav.dll
C:\WINDOWS\system32\utonlpnj.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 05:01 . 2008-08-04 05:01 <DIR> d-------- C:\aa0019f0269a2bb7fa4d45
2008-08-04 05:00 . 2008-08-04 05:00 1,137 --a------ C:\WINDOWS\system32\msexcr.ini
2008-08-03 17:53 . 2008-08-03 17:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-01 05:30 . 2007-03-25 19:01 39,208 --a------ C:\WINDOWS\system32\drivers\amonlwlh.sys
2008-08-01 04:39 . 2008-08-04 04:25 5,947,903 --a------ C:\WINDOWS\system32\AhnSZds.szd
2008-08-01 04:39 . 2008-08-04 04:29 4,687,354 --a------ C:\WINDOWS\system32\AhnSZhs.szd
2008-08-01 04:39 . 2008-08-04 04:24 2,469,430 --a------ C:\WINDOWS\system32\AhnSZns.szd
2008-08-01 04:39 . 2008-08-04 05:34 1,484,032 --a------ C:\WINDOWS\system32\drivers\v3engine.sys
2008-08-01 04:39 . 2008-07-28 01:49 70,528 --a------ C:\WINDOWS\system32\drivers\AhnSZE.sys
2008-08-01 04:39 . 2007-03-19 20:28 24,667 --a------ C:\WINDOWS\system32\V3W32SE2.dll
2008-08-01 04:38 . 2008-08-01 04:40 <DIR> d-------- C:\Program Files\Common Files\AhnLab
2008-08-01 04:38 . 2008-08-01 04:39 <DIR> d-------- C:\Program Files\AhnLab
2008-08-01 04:38 . 2008-01-11 11:57 86,278 --a------ C:\WINDOWS\system32\drivers\AMonTDnt.sys
2008-08-01 04:38 . 2008-01-11 11:57 78,336 --a------ C:\WINDOWS\system32\drivers\AMonTDLH.sys
2008-08-01 04:38 . 2008-01-09 11:53 47,327 --a------ C:\WINDOWS\system32\drivers\AhnFltNt.sys
2008-08-01 04:38 . 2008-04-07 11:30 46,438 --a------ C:\WINDOWS\system32\drivers\AMonHKnt.sys
2008-08-01 04:38 . 2008-01-09 11:53 45,824 --a------ C:\WINDOWS\system32\drivers\AhnFlt2k.sys
2008-08-01 04:38 . 2008-01-09 11:54 28,672 --a------ C:\WINDOWS\system32\drivers\AhnRghNt.sys
2008-08-01 04:38 . 2007-03-19 20:08 13,696 --a------ C:\WINDOWS\system32\drivers\AhnRec2k.sys
2008-08-01 04:38 . 2007-03-19 20:08 13,599 --a------ C:\WINDOWS\system32\drivers\AhnRecNt.sys
2008-08-01 04:38 . 2007-10-01 10:39 12,893 --a------ C:\WINDOWS\system32\drivers\CdmDrvNT.sys
2008-08-01 04:36 . 2008-08-01 04:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-08-01 04:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-01 04:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-01 04:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-01 04:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-01 04:34 . 2008-08-04 02:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-01 04:34 . 2008-08-01 04:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-08-01 04:29 . 2008-08-01 04:30 <DIR> d-------- C:\Program Files\Google
2008-08-01 04:29 . 2008-08-04 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-01 04:18 . 2008-08-01 04:18 <DIR> d-------- C:\Program Files\PSTRUH
2008-07-31 21:35 . 2008-07-31 22:44 <DIR> d-------- C:\Program Files\Norton 360
2008-07-31 21:32 . 2008-07-31 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 21:25 . 2008-07-31 22:42 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-31 21:22 . 2008-07-31 22:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-07-27 13:12 . 2008-07-27 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-27 13:09 . 2008-07-27 13:09 <DIR> d-------- C:\Program Files\GALA-NET
2008-07-27 13:09 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-07-24 21:54 . 2008-07-25 01:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2008-07-24 21:54 . 2008-07-24 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-16 09:33 . 2008-07-16 09:33 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-15 20:57 . 2008-07-15 20:57 <DIR> d-------- C:\ConverterOutput
2008-07-15 20:56 . 2008-07-15 20:56 <DIR> d-------- C:\Program Files\Cucusoft
2008-07-15 20:56 . 2007-03-25 00:51 3,049,984 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-07-15 20:56 . 2007-03-25 21:40 2,174,976 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-07-15 20:56 . 2007-03-25 00:51 404,480 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-07-15 20:56 . 2007-01-01 05:30 200,704 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-07-15 20:56 . 2007-03-25 00:51 114,688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-07-15 20:56 . 2004-09-10 13:50 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-07-15 16:09 . 2008-07-15 16:09 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-07-15 00:40 . 2008-07-15 00:40 <DIR> d-------- C:\Program Files\Advanced Batch Converter
2008-07-14 13:44 . 2008-07-14 13:44 360,320 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-07-13 22:26 . 2008-07-13 22:26 <DIR> d-------- C:\WINDOWS\Sun
2008-07-12 20:27 . 2008-07-31 20:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-07-12 20:26 . 2008-07-12 20:27 <DIR> d-------- C:\Program Files\LimeWire
2008-07-12 15:34 . 2008-07-12 15:34 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-09 17:01 . 2008-07-09 21:08 <DIR> d-------- C:\Program Files\Armadillo Run Demo
2008-07-08 14:22 . 2008-07-14 16:02 <DIR> d-------- C:\Fraps
2008-07-08 11:05 . 2008-07-08 11:05 336 --a------ C:\DVD.cue
2008-07-08 10:41 . 2008-07-08 10:41 <DIR> d-------- C:\Program Files\Smart Projects
2008-07-06 16:27 . 2008-07-06 16:27 <DIR> d--h----- C:\BJPrinter
2008-07-06 16:27 . 1998-10-30 00:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-06 16:27 . 2001-07-25 21:00 94,720 --a------ C:\WINDOWS\system32\CNMLM38.DLL
2008-07-06 16:27 . 2001-07-25 21:00 94,720 --a------ C:\WINDOWS\system32\CNMLM38(2).DLL
2008-07-06 16:27 . 2001-08-01 15:46 36,864 --a------ C:\WINDOWS\system32\CNMCP38.EXE
2008-07-06 16:27 . 2001-07-25 21:00 5,632 --a------ C:\WINDOWS\system32\CNMVS38.DLL
2008-07-06 16:27 . 2008-07-06 16:27 260 --a------ C:\WINDOWS\_delis32.ini
2008-07-06 16:24 . 2008-07-06 16:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-06 16:24 . 2008-07-31 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-07-06 16:11 . 2008-07-06 16:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-06 12:26 . 2008-07-06 12:26 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-06 11:47 . 2008-07-06 11:48 <DIR> d-------- C:\Program Files\BannedStory
2008-07-04 01:17 . 2008-07-04 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 21:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 05:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-07-31 19:45 --------- d-----w C:\Program Files\Xfire
2008-07-27 20:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 20:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 20:44 360,320 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-06-30 09:29 --------- d-----w C:\Program Files\Java
2008-06-30 09:26 --------- d-----w C:\Program Files\Common Files\Java
2008-06-29 20:02 --------- d-----w C:\Documents and Settings\Nevenka\Application Data\Gtek
2008-06-28 17:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nexon
2008-06-28 17:16 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-28 06:09 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-06-28 06:09 --------- d--h--w C:\Documents and Settings\Owner\Application Data\GTek
2008-06-28 06:09 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-06-28 05:30 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-26 01:10 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
.

------- Sigcheck -------

2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 03:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 04:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 04:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 10:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-07-14 13:44 360320 3adce4790f591bf160a94f6f08039577 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-14 13:44 360320 3adce4790f591bf160a94f6f08039577 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16 454784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-01 04:29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-01 22:05 344064]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 10:32 405504]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 17:22 794713]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AhnLab Session Process"="C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe" [2007-11-20 03:10 54862]
"AHNSD"="C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe" [2008-01-28 18:23 199368]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-07-15 16:09:02 3050832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="%windir%\\Resources\\LogonUI\\playin-catch\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Nexon\\Combat Arms\\NMService.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AMonTDnt;AMonTDnt;C:\WINDOWS\system32\Drivers\AMonTDnt.sys [2008-01-11 11:57]
R2 AhnLab Application Service;AhnLab Application Service;C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe [2007-09-09 17:25]
R2 AhnLab Guarantee Service;AhnLab Guarantee Service;C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe [2007-11-22 10:56]
R2 AhnLab Information Service;AhnLab Information Service;C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe [2007-09-09 17:26]
R2 AhnLab Log Service;AhnLab Log Service;C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe [2007-08-10 10:55]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe [2008-01-28 18:23]
R2 AMonHKnt;AMonHKnt;C:\WINDOWS\system32\Drivers\AMonHKnt.sys [2008-04-07 11:30]
R3 AhnFlt2k;AhnFlt2k;C:\WINDOWS\system32\Drivers\AhnFlt2k.sys [2008-01-09 11:53]
R3 AhnRec2k;AhnRec2k;C:\WINDOWS\system32\Drivers\AhnRec2k.sys [2007-03-19 20:08]
R3 AhnRghNt;AhnRghNt;C:\WINDOWS\system32\Drivers\AhnRghNt.sys [2008-01-09 11:54]
R3 AhnSZE;AhnSZE;C:\WINDOWS\system32\drivers\AhnSZE.sys [2008-07-28 01:49]
R3 ASZFltNt;ASZFltNt;C:\PROGRA~1\AhnLab\V3IS2007\ASZFltNt.sys [2008-01-09 12:10]
R3 CdmDrvNt;CdmDrvNt;C:\WINDOWS\system32\Drivers\CdmDrvNt.sys [2007-10-01 10:39]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 15:06]
R3 ISFWEnt;ISFWEnt;C:\Program Files\AhnLab\V3IS2007\ISFWEnt.sys [2008-01-09 12:10]
R3 ISIPSEnt;ISIPSEnt;C:\Program Files\AhnLab\V3IS2007\ISIPSEnt.sys [2008-02-18 23:38]
R3 ISPIBEnt;ISPIBEnt;C:\Program Files\AhnLab\V3IS2007\ISPIBEnt.sys [2007-10-05 11:42]
R3 ISPrxEnt;ISPrxEnt;C:\Program Files\AhnLab\V3IS2007\ISPrxEnt.sys [2007-10-03 23:39]
R3 ISTrkEnt;ISTrkEnt;C:\Program Files\AhnLab\V3IS2007\ISTrkEnt.sys [2007-03-19 20:28]
R3 v3engine;v3engine;C:\WINDOWS\system32\drivers\v3engine.sys [2008-08-04 05:34]
R3 V3Flt2K;V3Flt2K;C:\PROGRA~1\AhnLab\V3IS2007\V3Flt2K.sys [2008-02-18 23:39]
R3 V3IFt2K;V3IFt2K;C:\PROGRA~1\AhnLab\V3IS2007\V3IFt2K.sys [2008-01-09 12:11]
S3 ArfMonNt;ArfMonNt;C:\Program Files\AhnLab\V3IS2007\ArfMonNt.sys [2008-02-18 23:39]
S3 ATICDSDr;ATICDSDr;C:\Program Files\ATI Technologies\ATI Control Panel\atiicdxx.sys [2005-12-02 02:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8dfecb6-c0e7-11db-a10c-806d6172696f}]
\Shell\AutoRun\command - E:\bit.exe -S "LTFT.bits"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-BMd3e981d3 - C:\WINDOWS\system32\sefuydav.dll
Notify-nnnkKcyy - nnnkKcyy.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://basilmarket.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 14:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2008-08-04 14:17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 21:17:45

Pre-Run: 30,634,532,864 bytes free
Post-Run: 30,761,857,024 bytes free

242 --- E O F --- 2008-08-04 12:06:44

0

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\abcd\imabunny.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://basilmarket.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Log Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACALS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5824 bytes

0

Ah, that was a nice cleanup.
Navigate to and drag this file into an open notepad:
C:\WINDOWS\_delis32.ini
- attach that notepad to your next post.
Delete these files:

C:\aa0019f0269a2bb7fa4d45
C:\WINDOWS\system32\msexcr.ini
C:\WINDOWS\_delis32.ini

Start hijackthis, open the Misc Tools section, choose the Open ADS Spy button, then uncheck Quick Scan box, and finally press Scan.
Please save and post the log file.

**When this is done with, go to the Symantec site, find the tool suited to the removal of your version of their AV, download and run it.

0

This is _delis32.ini:

[file0]
main=C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_INS5576._MP
dir=C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR
exeostype=2
alt0=C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\ZDataI51.dll
alt1=C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_WUTL951.DLL

0

This is the HijackThis log. Question: was I supposed to select all and remove selected? Because I didn't.

C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\Owner\Favorites\EUdict Rust English-Japanese dictionary Options.url : favicon (1406 bytes)
C:\Documents and Settings\Owner\Favorites\http--www.daniweb.com-forums-post662403.html#post662403.url : favicon (3128 bytes)
C:\Documents and Settings\Owner\Favorites\IP Address Locator - Enter an IP address to find its location - Lookup Country Region City etc.url : favicon (766 bytes)
C:\Documents and Settings\Owner\Favorites\Mininova The ultimate BitTorrent source!.url : favicon (318 bytes)
C:\Documents and Settings\Owner\Favorites\Search results for higurashi no naku koro ni kai sub - Mininova.url : favicon (318 bytes)
C:\Documents and Settings\Owner\Favorites\[download] Higurashi no Naku Koro ni - HongFire Anime Network.url : favicon (3638 bytes)

0

Good work. Okay, navigate to this directory:
C:\Documents and Settings\Owner\Local Settings\Temp\_ISTMP1.DIR\
Delete these 3 files, and then the directory _ISTMP1.DIR:

_INS5576._MP
ZDataI51.dll
_WUTL951.DLL

Only if the files prove difficult to find or delete, use this Killbox deletion tool:
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Double-click killbox to start it.
>Highlight the pathnames in the following block and copy them into the clipboard [press Ctrl+C] [or right-click, Copy...]:-

C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_INS5576._MP
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\ZDataI51.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_WUTL951.DLL
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR

-in killbox, go File menu, choose Paste from clipboard.

Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.

Good. Now run the ADS scan again and place checkmarks against these four for deletion:
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)

Repeat the ADS scan to see that they, or similarly named files, do not re-occur. And then please say how things are, now.

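To show how the ADS Spy lines above sort into the streams gerbil marks for deletion and the ones that are normal, here is an added Python example (not from the thread, and not part of HijackThis) that parses that output format. The stream lines are copied from the log posted in this thread; the "favicon on a .url file is expected" rule is an assumption about how Internet Explorer stores favourites, and the duplicate-collapsing is why four listed lines become two streams.

```python
import re
from collections import OrderedDict

# One ADS Spy result line: "<file or directory> : <stream name> (<size> bytes)".
ADS_LINE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")

# Lines copied from the ADS Spy log posted in this thread (raw string, so the
# Windows backslashes are kept as written).
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\Owner\Favorites\EUdict Rust English-Japanese dictionary Options.url : favicon (1406 bytes)
C:\Documents and Settings\Owner\Favorites\http--www.daniweb.com-forums-post662403.html#post662403.url : favicon (3128 bytes)
C:\Documents and Settings\Owner\Favorites\IP Address Locator - Enter an IP address to find its location - Lookup Country Region City etc.url : favicon (766 bytes)
C:\Documents and Settings\Owner\Favorites\Mininova The ultimate BitTorrent source!.url : favicon (318 bytes)
C:\Documents and Settings\Owner\Favorites\Search results for higurashi no naku koro ni kai sub - Mininova.url : favicon (318 bytes)
C:\Documents and Settings\Owner\Favorites\[download] Higurashi no Naku Koro ni - HongFire Anime Network.url : favicon (3638 bytes)
"""


def parse_ads_log(text):
    """Turn ADS Spy output into a list of {path, stream, size} dicts.

    Lines that do not match the result format (headers, blanks) are ignored.
    """
    entries = []
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            entries.append({
                "path": m.group("path"),
                "stream": m.group("stream"),
                "size": int(m.group("size")),
            })
    return entries


def is_expected_stream(entry):
    """Assumption: Internet Explorer keeps a favourite's icon in a stream
    named 'favicon' on the .url file, so those streams are benign by design.
    Anything else (here: hex-named streams on a shared TEMP directory) gets
    a human look, which is what gerbil asked the poster to delete."""
    return (entry["stream"].lower() == "favicon"
            and entry["path"].lower().endswith(".url"))


def triage(text):
    """Collapse duplicate (path, stream) lines and split them into two lists:
    streams to review/delete and streams that are expected."""
    seen = OrderedDict()
    for e in parse_ads_log(text):
        key = (e["path"].lower(), e["stream"].lower())
        if key in seen:
            seen[key]["count"] += 1          # ADS Spy listed it more than once
        else:
            seen[key] = dict(e, count=1)
    review = [e for e in seen.values() if not is_expected_stream(e)]
    expected = [e for e in seen.values() if is_expected_stream(e)]
    return review, expected


if __name__ == "__main__":
    to_review, ok = triage(SAMPLE_LOG)
    for e in to_review:
        print("REVIEW  %s : %s (%d bytes, listed %dx)"
              % (e["path"], e["stream"], e["size"], e["count"]))
    print("%d expected favicon stream(s) left alone" % len(ok))
```
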
0

OK, got the rest, but I don't know what the ADS scan is. Please tell me which program that is.

0

This one, again: "Start hijackthis, open the Misc Tools section, choose the Open ADS Spy button, then uncheck Quick Scan box, and finally press Scan."

0

I don't think I have gotten that error since I ran the ComboFix program, and I think the steps at the end fixed my (not specified) problem where I couldn't press the back button on my browser. Thank you.
