[Resolved] Hijack this log. Comres.dll corrupted
-
re: [Resolved] Hijack this log. Comres.dll corrupted
Dr.Web and HijackThis log files....
tcpz-x86d.sys;C:\WINDOWS\system32\drivers;Tool.TcpZ;Deleted.;
J002.exe;C:\WINDOWS\system32\G4IQR7RLKY;Trojan.MulDrop.origin;Incurable.Moved.;
G001.exe;C:\WINDOWS\system32\z;Trojan.MulDrop.35540;Deleted.;
bdffg.exe;c:\windows;BackDoor.ClDdos.origin;Incurable.Moved.;
dsfs.exe;c:\windows;BackDoor.ClDdos.3;Deleted.;
tcpz-x86d.sys;c:\windows\system32\drivers;Tool.TcpZ;Invalid path to file ;
hijackthis..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:49 PM, on 11/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{19AF6587-396E-4235-A78F-9389BF2CC595}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 88549A90 - Unknown owner - C:\WINDOWS\system32\4E47A5E8.EXE
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
--
End of file - 3861 bytes
Thanks.
-
Download, and run LSP-Fix: LSP-Fix - a free program to repair damaged Winsock 2 stacks
Next, double-click on LSPFix.exe to start the application. Place a check in the box for "I know what I am doing", then highlight the file:
mswsock32.dll
Move that file from "Keep" to "Remove" box using the >> arrow. Click the finish button, then OK to close.

===============================================================
Go Start>Run (Vista users - "Start search"), type in:
cmd
Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).
Command Prompt window will open.
Type in:
sc stop 88549A90
Press Enter.
Wait for the service to be stopped.
Type in:
sc delete 88549A90
Press Enter.
Wait for confirmation.
============================================================
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Delete following files/folders (if present):
- C:\WINDOWS\system32\4E47A5E8.EXE
Note. If deletion doesn't work, attempt it in Safe Mode - restart computer, and keep tapping F8 key, until menu appears.
Restart computer.
Post fresh HJT log.
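The two entries singled out above (the repeated O10 line for mswsock32.dll and the O23 service with an unknown owner and an eight-character hex name) are exactly the kind of thing a defender checks for when reading a HijackThis log. The script below is an added example for this thread, not HijackThis code and not anything the helper posted: it reads HJT-format lines, collapses the repeated O10 entries, flags LSP DLLs that are not on a small allowlist (the allowlist itself is an assumption of the example) or that look like a legitimate name with digits inserted, flags services with "Unknown owner" and hex-only names, and lists non-private DNS servers from O17 entries for verification against the ISP. The sample log is constructed from the entries quoted in this thread.

```python
import ipaddress
import re
from collections import Counter

# Legitimate Winsock LSP provider DLLs on Windows XP. This allowlist is an
# assumption of the example and deliberately small; extend it per build.
KNOWN_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Eight hex characters: the pattern of the service/binary names in the thread.
HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)

O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample in HijackThis v2 layout, modelled on entries quoted in
# this thread (not a log captured from the poster's machine).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{19AF6587-396E-4235-A78F-9389BF2CC595}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
O23 - Service: 88549A90 - Unknown owner - C:\WINDOWS\system32\4E47A5E8.EXE
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""


def basename(path):
    """Last path component, lower-cased; tolerates both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text):
    """Return a list of (severity, line_type, detail) findings for an HJT log."""
    findings = []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    counts = Counter(lines)  # dedupes the repeated O10 lines, keeps first-seen order
    for line in counts:
        m = O10_RE.match(line)
        if m:
            name = basename(m.group("path"))
            if name not in KNOWN_LSP_DLLS:
                # mswsock32.dll -> mswsock.dll: a digit-padded lookalike of a real name
                stem = re.sub(r"\d+", "", name)
                if stem in KNOWN_LSP_DLLS:
                    detail = f"{name}: lookalike of legitimate {stem} (repeated {counts[line]}x)"
                else:
                    detail = f"{name}: not a known LSP provider (repeated {counts[line]}x)"
                findings.append(("high", "O10", detail))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.group("svc"), m.group("owner"), m.group("path")
            stem = basename(path).rsplit(".", 1)[0]
            if owner == "Unknown owner" and (HEX_NAME.match(svc) or HEX_NAME.match(stem)):
                findings.append(("high", "O23",
                                 f"service {svc}: unknown owner, random hex name, binary {path}"))
            continue
        m = O17_RE.match(line)
        if m:
            public = [s for s in m.group("servers").split()
                      if not ipaddress.ip_address(s).is_private]
            if public:
                findings.append(("info", "O17",
                                 "verify these DNS servers belong to the ISP: " + " ".join(public)))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity:4}] {kind}: {detail}")
```

The O20 entry for guard32.dll and the COMODO service pass through untouched, which is the point: the heuristics key on the signals the helper used (an unknown owner plus a hex-only name, a filename that imitates a system DLL), not on any entry that merely looks unfamiliar.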
-
Hi, I followed the steps you said, but after that I can't connect to the internet.. I ended up using System Restore.. What should I do?
Thanks..
-
Using System Restore while cleaning an infection is a very bad idea, because right now we have no idea how much of the previously existing infection is back.
Post fresh HJT log, please.
-
Sorry, but I don't have a second computer to use just to reply to you. After I deleted the mswsock32.dll I can't access the internet.
Here's the new Hijack this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:17 PM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{19AF6587-396E-4235-A78F-9389BF2CC595}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 88549A90 - Unknown owner - C:\WINDOWS\system32\4E47A5E8.EXE
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
--
End of file - 3861 bytes
Thanks.
-
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to VirusTotal - Free Online Virus and Malware Scan for security check:
c:\windows\system32\mswsock32.dll
Post scan results.
-
Is this the log file??
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.20 Trojan-Dropper.Agent!IK
AhnLab-V3 5.0.0.2 2009.11.19 -
AntiVir 7.9.1.72 2009.11.20 TR/Dldr.Agent.culv
Antiy-AVL 2.0.3.7 2009.11.20 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2009.11.19 -
Avast 4.8.1351.0 2009.11.20 Win32:Malware-gen
AVG 8.5.0.425 2009.11.20 -
BitDefender 7.2 2009.11.20 Trojan.Downloader.Agent.AAUX
CAT-QuickHeal 10.00 2009.11.20 TrojanDownloader.Agent.culv
ClamAV 0.94.1 2009.11.20 -
Comodo 2983 2009.11.19 -
DrWeb 5.0.0.12182 2009.11.20 Trojan.AVKill.1102
eSafe 7.0.17.0 2009.11.19 Win32.Downloader
eTrust-Vet 35.1.7132 2009.11.20 -
F-Prot 4.5.1.85 2009.11.19 -
F-Secure 9.0.15370.0 2009.11.20 -
Fortinet 3.120.0.0 2009.11.20 -
GData 19 2009.11.20 Trojan.Downloader.Agent.AAUX
Ikarus T3.1.1.74.0 2009.11.20 Trojan-Dropper.Agent
Jiangmin 11.0.800 2009.11.20 Backdoor/Delf.qaz
K7AntiVirus 7.10.900 2009.11.19 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.11.20 Trojan-Downloader.Win32.Agent.culv
McAfee 5807 2009.11.19 -
McAfee+Artemis 5807 2009.11.19 Artemis!EB75BCC8E6D7
McAfee-GW-Edition 6.8.5 2009.11.20 Trojan.Dldr.Agent.culv
Microsoft 1.5302 2009.11.20 -
NOD32 4624 2009.11.20 Win32/Agent.QHY
Norman 6.03.02 2009.11.20 Malware.JVKO
nProtect 2009.1.8.0 2009.11.20 -
Panda 10.0.2.2 2009.11.20 Trj/CI.A
PCTools 7.0.3.5 2009.11.20 Downloader.Generic
Prevx 3.0 2009.11.20 Medium Risk Malware
Rising 22.22.04.07 2009.11.20 Trojan.Win32.Generic.51F13C72
Sophos 4.47.0 2009.11.20 Troj/DwnLdr-HXX
Sunbelt 3.2.1858.2 2009.11.19 -
Symantec 1.4.4.12 2009.11.20 Downloader
TheHacker 6.5.0.2.074 2009.11.19 Trojan/Downloader.Agent.culv
TrendMicro 9.0.0.1003 2009.11.20 -
VBA32 3.12.12.0 2009.11.20 -
ViRobot 2009.11.20.2047 2009.11.20 -
VirusBuster 5.0.21.0 2009.11.19 -
Additional information
File size: 53248 bytes
MD5...: eb75bcc8e6d7213c8f89c882c16f15b0
SHA1..: 631733b96a71dbf2cabbd8b8b661267f4db2d83e
SHA256: 38c0fdb20c78ddca4c0337d11c1eea99b9ee88b4bdeefb22fe183b4299c6cce7
ssdeep: 768:6911P5FilrTxZK5lwQYIh5STwyDCy4olTGD:qPWrT7K59h5W4ols
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: (C) Microsoft Corporation. All rights reserved.
product......: Microsoft(R) Windows(R) Operating System
description..: Microsoft Windows____
original name: mswsock32.dll
internal name: mswsock32.dll
file version.: 5, 0, 0, 0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
packers (Antiy-AVL): CrypToCrackPeProtector0.93
http://info.prevx.com/aboutprogramtext.asp?PX5=E6BAEE2700E2F593D038000E1CB8ED00370557C4
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
Thanks
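The report above carries more than a yes/no: the vendor rows give a detection ratio and a rough family consensus (downloader, dropper, AV-killer), and the sigcheck block shows a file whose version information claims Microsoft but which is unsigned and packed with a crypter. The script below is an added example for this thread, not VirusTotal's code and not anything posted by the participants: it parses a report in the plain-text layout shown above, computes the detection ratio, tallies family keywords across the vendor verdicts, and flags the publisher/signature mismatch and the packer. The sample is a subset of the rows and fields quoted above, embedded inline; the 25% verdict threshold is an assumption of the example.

```python
import re

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

# Behaviour keywords to look for across vendor verdict names (example's own choice).
FAMILY_KEYWORDS = ("downloader", "dropper", "backdoor", "avkill")

# Subset of the report quoted in the thread, kept in the same plain-text layout.
# This is embedded sample input, not a live VirusTotal query.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.20 Trojan-Dropper.Agent!IK
AhnLab-V3 5.0.0.2 2009.11.19 -
Avast 4.8.1351.0 2009.11.20 Win32:Malware-gen
ClamAV 0.94.1 2009.11.20 -
DrWeb 5.0.0.12182 2009.11.20 Trojan.AVKill.1102
Kaspersky 7.0.0.125 2009.11.20 Trojan-Downloader.Win32.Agent.culv
Microsoft 1.5302 2009.11.20 -
Prevx 3.0 2009.11.20 Medium Risk Malware
Symantec 1.4.4.12 2009.11.20 Downloader
Additional information
File size: 53248 bytes
MD5...: eb75bcc8e6d7213c8f89c882c16f15b0
sigcheck:
publisher....: Microsoft Corporation
original name: mswsock32.dll
file version.: 5, 0, 0, 0
signers......: -
verified.....: Unsigned
packers (Antiy-AVL): CrypToCrackPeProtector0.93
"""


def parse_report(text):
    """Split the report into {vendor: verdict-or-None} and {field: value}."""
    detections, fields = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tok = line.split()
        # Vendor rows: name, engine version, YYYY.MM.DD, then the verdict ('-' = clean).
        if len(tok) >= 4 and DATE_RE.match(tok[2]):
            result = " ".join(tok[3:])
            detections[tok[0]] = None if result == "-" else result
            continue
        # Everything else is "key....: value"; strip the dotted padding from keys.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.rstrip(".").strip().lower()] = value.strip()
    return detections, fields


def assess(text, verdict_threshold=0.25):
    """Summarise the report into a ratio, family tally and list of reasons."""
    detections, fields = parse_report(text)
    hits = {v: r for v, r in detections.items() if r}
    ratio = len(hits) / len(detections) if detections else 0.0
    behaviour = {k: sum(1 for r in hits.values() if k in r.lower()) for k in FAMILY_KEYWORDS}

    reasons = []
    if ratio >= verdict_threshold:
        reasons.append(f"{len(hits)}/{len(detections)} engines detect it")
    publisher, verified = fields.get("publisher", ""), fields.get("verified", "")
    # Version info is free text; a Microsoft claim without a valid signature is worthless.
    if "microsoft" in publisher.lower() and verified.lower() != "signed":
        reasons.append(f"claims publisher '{publisher}' but signature status is "
                       f"'{verified or 'unknown'}'")
    for key, value in fields.items():
        if key.startswith("packers") and value and value != "-":
            reasons.append(f"packed with {value}")
    return {"ratio": ratio, "hits": hits, "behaviour": behaviour,
            "reasons": reasons, "malicious": bool(reasons)}


if __name__ == "__main__":
    summary = assess(SAMPLE_REPORT)
    print(f"detection ratio {summary['ratio']:.2f}, behaviour {summary['behaviour']}")
    for reason in summary["reasons"]:
        print(" -", reason)
```

The sample yields a 6/9 ratio with "downloader" as the leading family, plus the two metadata flags; any one of the three reasons would be enough to treat the file as malicious, which matches the helper's verdict in the next post.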
-
Yes and the file is definitely malicious.
You have to re-run LSP-Fix from my post #42, even if it causes lost connection.
If the connection is lost again.....
Turn off computer. Disconnect router, and modem from power source for 30 seconds.
Power them back on.
Restart computer.
If that doesn't work, bypass router, and connect computer straight to the modem.
If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).
In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
Restart computer.
If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).
At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.
Restart computer.
If that doesn't work...
Download, install, and run WinSockFix: Download WinSockFix 1.1.0.13 - WinSockFix - A free Winsock/Tcp repair utility - Softpedia (doesn't work in Vista)
Restart computer, and check again.
If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista):
http://wiki.lunarsoft.net/wiki/Dial-...C_and_articles
Have XP CD available in case DAF needs a file. Likely not!
Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!
When the entire page is finished click the HammerHead at bottom to go to the second DAF page.
Here, one at a time, do the below:
Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking
Watch for any File not found or other errors and make note as this may lead to the fix!
Restart computer.
-
The internet connection is restored after the 2nd step.. By the way, when I see the properties of the service 88549A90 it has a description of 6F0B3D00, which is a dll file at my windows/system32: 6F0B3D00.DLL. I hope this helps..
Here is the new Hijack this log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:49 AM, on 11/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19AF6587-396E-4235-A78F-9389BF2CC595}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: c:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 88549A90 - Unknown owner - C:\WINDOWS\system32\4E47A5E8.EXE (file missing)
--
End of file - 2348 bytes
Thanks..
-
You still need to do this:
Go Start>Run (Vista users - "Start search"), type in:
cmd
Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).
Command Prompt window will open.
Type in:
sc stop 88549A90
Press Enter.
Wait for the service to be stopped.
Type in:
sc delete 88549A90
Press Enter.
Wait for confirmation.
What happened to Comodo? It disappeared from HJT log.