Author Topic: INFECTION of ldcore.dll with WIN32.small-IKY  (Read 25856 times)


sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #15 on: December 01, 2007, 04:16:19 AM »
File df87173.exe received on 11.26.2007 03:21:46 (CET)

Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - TagASaurus
Symantec - - Trojan Horse
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: fbf9fea1b91ac32128ba3869f4f307c4

File df87173.exe received on 12.01.2007 04:04:52 (CET)

Result: 5/32 (15.63%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 -
Authentium 4.93.8 2007.12.01 -
Avast 4.7.1074.0 2007.11.30 -
AVG 7.5.0.503 2007.11.30 -
BitDefender 7.2 2007.12.01 -
CAT-QuickHeal 9.00 2007.11.30 -
ClamAV 0.91.2 2007.12.01 -
DrWeb 4.44.0.09170 2007.11.30 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5340 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.12.01 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.30 -
F-Secure 6.70.13030.0 2007.11.30 Trojan-Clicker.Win32.VB.vx
Ikarus T3.1.1.12 2007.12.01 Trojan-Clicker.Win32.VB.vx
Kaspersky 7.0.0.125 2007.12.01 Trojan-Clicker.Win32.VB.vx
McAfee 5175 2007.11.30 -
Microsoft 1.3007 2007.12.01 -
NOD32v2 2696 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.12.01 -
Prevx1 V2 2007.12.01 -
Rising 20.20.42.00 2007.12.01 -
Sophos 4.23.0 2007.11.30 -
Sunbelt 2.2.907.0 2007.12.01 TagASaurus
Symantec 10 2007.12.01 Trojan Horse
TheHacker 6.2.9.146 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.6.2 2007.12.01 -
Additional information
File size: 53248 bytes
MD5: fbf9fea1b91ac32128ba3869f4f307c4
SHA1: 1a99af833a80e2e80a549ebaba96455f5e4cbb89
Sunbelt info: TagASaurus is an adware application that creates a search engine window on the desktop and may display advertising.


File hg173.exe received on 11.27.2007 02:18:31 (CET)
Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - Trojan-Downloader.Small.AAIT
Symantec - - Trojan Horse
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 1b098e06bf0e2b7255607610023ef7ca


File io43mvuiw4kj.exe received on 11.29.2007 04:05:33 (CET)

Result: 4/32 (12.5%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - Adware:Win32/TagAsaurus
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious Backdoor
Rising - - -
Sophos - - -
Sunbelt - - TagASaurus
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 73849e6066d70628c17a55ed1c57ccef
« Last Edit: December 01, 2007, 04:19:05 AM by sdunford »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #16 on: December 01, 2007, 04:27:55 AM »
Okay we'll start

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a DSS log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #17 on: December 01, 2007, 05:09:52 AM »
ComboFix 07-11-19.4C - SpenceJan 2007-11-30 20:37:17.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.186 [GMT -7:00]
Running from: C:\Documents and Settings\SpenceJan\Desktop\virus stuff\ComboFix.exe
 * Created a new restore point
.

((Other Deletions )))))))))))))
.

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr

.
Files Created from 2007-11-01 to 2007-12-01  )))))))))))
.

2007-11-30 12:54   81,984   --a------   C:\WINDOWS\system32\bdod.bin
2007-11-30 12:48   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-30 12:43   <DIR>   d--------   C:\Deckard
2007-11-28 21:14   <DIR>   d--------   C:\Program Files\Common Files\Panda Software
2007-11-28 20:24   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2007-11-28 20:24   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2007-11-28 20:03   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 20:03   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-28 20:03   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-11-27 21:25   <DIR>   d--------   C:\Documents and Settings\SpenceJan\Application Data\Grisoft
2007-11-27 21:22   <DIR>   d--------   C:\Program Files\Lavasoft
2007-11-27 21:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-27 21:21   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-27 21:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-27 21:20   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 21:08   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-20 20:39   <DIR>   d--------   C:\Program Files\Cool
2007-11-16 10:20   208,896   --a------   C:\WINDOWS\io43mvuiw4kj.exe
2007-11-11 10:37   236   --a------   C:\Documents and Settings\SpenceJan\jobq.dat
2007-11-11 10:36   <DIR>   d--------   C:\Documents and Settings\SpenceJan\iArchives
2007-11-01 19:55   <DIR>   d--------   C:\Program Files\Netflix

.
Find3M Report   )))))))))))))
.
2007-12-01 02:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-01 02:06   ---------   d-----w   C:\Program Files\Radio Free Virgin
2007-11-30 02:17   3,500   ----a-w   C:\WINDOWS\system32\tmp.reg
2007-11-30 02:12   ---------   d-----w   C:\Documents and Settings\SpenceJan\Application Data\Smilebox
2007-11-11 17:35   ---------   d-----w   C:\Program Files\Java
2007-11-02 22:32   ---------   d-----w   C:\Program Files\Microsoft Digital Image 10
2007-10-26 03:34   8,460,288   ----a-w   C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 23:38   ---------   d-----w   C:\Program Files\GospeLink
2007-10-07 16:21   ---------   d--h--w   C:\Documents and Settings\SpenceJan\Application Data\Move Networks
2007-09-12 18:52   53,248   ----a-w   C:\WINDOWS\hg173.exe
2007-09-12 18:50   53,248   ----a-w   C:\WINDOWS\df87173.exe
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 06:22   289,144   ----a-w   C:\WINDOWS\system32\VCCLSID.exe
.

((((((((   Reg Loading Points   ))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50   397312   --a------   C:\Program Files\Cool\Cool.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 23:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 07:18]
"DellMCM"="C:\Program Files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 07:08]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 10:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 20:40:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
***********

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 20:54:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**
.
Completion time: 2007-11-30 20:56:51 - machine was rebooted
.
   --- E O F ---

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #18 on: December 01, 2007, 05:43:27 AM »
Hi and a belated welcome to the forum,

I'm just going over the logs. Give me a bit.

What do you know about this program?

C:\Program Files\Cool

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #19 on: December 01, 2007, 05:45:02 AM »
absolutely nothing. i tried removing it with the control panel, but it still remains.

i am going off-line now... got family to tend to. will check back later.

HAPPY FIRST OF DECEMBER TO YOU!  :D
« Last Edit: December 01, 2007, 05:49:32 AM by sdunford »

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #20 on: December 01, 2007, 06:04:05 AM »
Ok. I'll have something for you shortly. A happy one to you too.  ;D

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #21 on: December 01, 2007, 06:58:05 AM »
Please open hijackthis, run a system scan only and put a check mark next to these lines

Quote
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O20 - AppInit_DLLs:  c:\windows\system32\ldcore.dll

Close all browsers and windows except HJT and click fix.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\df87173.exe

Folder::
C:\Program Files\Cool


This will start ComboFix again. Close all browsers/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.

Edit to add: It seems you are using an old version of Hijackthis, please delete it and download a new one from here

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.


There were a lot of bugs fixed in the new version.



« Last Edit: December 01, 2007, 07:31:55 AM by oldman »
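
The two autostart entries selected in HijackThis above (the HKLM Run value for io43mvuiw4kj.exe and the AppInit_DLLs value) both appear in the "Reg Loading Points" section of the ComboFix log posted earlier. As an added example, not part of any forum post or of ComboFix itself, this Python script picks such entries out of that log layout; the two heuristics, the function names and the `WINDOWS_DIR` constant are assumptions made for illustration, and the sample lines are constructed in the log's format.

```python
import re
from ntpath import dirname, normcase  # Windows path semantics on any OS

WINDOWS_DIR = r"c:\windows"  # assumption: Windows directory as seen in the posted log

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [2007-11-16 10:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll
'''

SECTION = re.compile(r'^\[(HKEY_[^\]]+)\]\s*$')   # [HKEY_...\key path]
VALUE = re.compile(r'^"([^"]+)"=\s*(.+?)\s*$')    # "name"=data

def target_path(data):
    """Return the file path from value data, dropping quotes and a trailing [timestamp]."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return re.sub(r'\s*\[[^\]]*\]$', '', data)

def triage(log_text):
    """Return (reason, value name, path) for autostart entries worth a second look."""
    findings = []
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, path = m.group(1), target_path(m.group(2))
        if name.lower() == "appinit_dlls" and path:
            # Any DLL listed here is loaded into every process that loads user32.dll.
            findings.append(("AppInit_DLLs set", name, path))
        elif (key.endswith(r"\currentversion\run")
              and normcase(dirname(path)) == WINDOWS_DIR):
            # Heuristic (assumption): a Run target sitting directly in the Windows root.
            findings.append(("Run target in Windows root", name, path))
    return findings

if __name__ == "__main__":
    for reason, name, path in triage(SAMPLE_LOG):
        print(f"{reason}: {name} -> {path}")
```

Both heuristics only shortlist entries for review; a match still has to be checked against the file itself, as was done in this thread with the multi-engine scan results.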

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #22 on: December 02, 2007, 12:28:04 AM »
here are the files.  after running the combofix, the box appeared without any text in it. i then closed it and proceeded with the DSS log.
« Last Edit: December 02, 2007, 12:29:53 AM by sdunford »

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #23 on: December 02, 2007, 01:03:50 AM »
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop. Don't use it yet.


Ok, open HJT, run system scan only and place a check mark next to this line

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)


Turn system restore off

Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.



Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\df87173.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new DSS log
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



If OTMOVEIT doesn't reboot your computer, please reboot, turn system restore on, then do a DSS scan and post the results and the DSS log.

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #24 on: December 02, 2007, 01:12:56 AM »
Sorry, this should have been

Quote
Ok, open HJT, run system scan only and place a check mark next to this line

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

close all browsers, windows except hjt and click fix

close hjt
« Last Edit: December 02, 2007, 01:36:42 AM by oldman »

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #25 on: December 02, 2007, 02:42:41 AM »
here they are.

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #26 on: December 02, 2007, 02:56:07 AM »
Ok. looks like we got it. Just a few things for you.

Your java is way out of date and is a source of infections. I also didn't see a third party firewall. Windows firewall doesn't provide outbound monitoring. You may want to check this thread for a good free firewall.

http://forum.avast.com/index.php?topic=30808.0


To update your java


Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.

 Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
 
A bit of cleanup to do


Double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

If you don't already have a good cleaner utility, you can use this one

CleanUp


When first run, it's in demo mode. It will show you what it is going to remove. You may have to restart it to get to the real mode.


How is everything?
  Just make sure you have re-enabled system restore (don't mind me)  ;)

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #27 on: December 02, 2007, 03:03:53 AM »
hello. .... i am at a separate PC right now... the one at home is internet challenged at the moment (bad wireless).  can i download a java update (like all the other downloads i have done) and then jumpdrive it to my home PC?

Offline oldman

Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #28 on: December 02, 2007, 03:12:58 AM »
Yes you can with the java and Steve Gould's cleanup program.

You won't be able to do the OTMOVEIT routine, it needs internet access

But you can do this.

click start button, click run

in the box type Combofix /u

please note the space between Combofix and /u

OTmoveit may remain, but you can remove it when you get back on the net.

sdunford

  • Guest
Re: INFECTION of ldcore.dll with WIN32.small-IKY
« Reply #29 on: December 02, 2007, 06:34:53 AM »
i will try the combofix...  GOOD NEWS!!! i think the virus is eliminated!! ;D :o :D ;) :)  i ran a short scan with avast and no viruses were found. i again ran a separate scan just of the system 32 and nothing was found.  when the avast starts, it scans the memory. before, the virus would be triggered or the alert would be triggered; nothing now.

installed online-armor...working well.

however, i still have all the infected files in the avast's secure chest. do i delete the whole chest? or let them remain?

spybot ran a scan and found tagasaurus and some other one. i had it fix the problems...hope they won't come up again.

THANK YOU VERY MUCH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!