Cannot read from memory xxxx [CLOSED]

Ack! Ive been having troubles executing some exes files today. My Antivirus updater isnt working because of this, as well as my IE, Gmail notifier, WM player, World of Warcraft (changed my pass via other PC, no worries)... This is a headache for me now.

My Antivirus and Microsoft AntSpyware software said I had a tool2.exe problem. I ran both scans and they proceded to clean the infection. This was 2 days ago and just today im having this rpoblem.

After reading some posts in this forums i downloaded the Hijackthis software and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 03:56:15 p.m., on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\gearsec.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\THEHAC~1\THD32.EXE
C:\ARCHIV~1\THEHAC~1\THSM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmon.exe
C:\ARCHIV~1\THEHAC~1\THAV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrador\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Archivos de programa\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Archivos de programa\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Archivos de programa\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Archivos de programa\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Archivos de programa\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Archivos de programa\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [THEHACKERCONSOLA] C:\ARCHIV~1\THEHAC~1\THAV.EXE /NOPRE
O4 - HKLM\..\RunServices: [T_H_S_M] C:\ARCHIV~1\THEHAC~1\THSM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Archivos de programa\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Archivos de programa\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095832439006
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{D45FB660-6D2E-4977-AAA7-B83D7A487A8B}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS4\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS5\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS6\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS7\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS8\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS9\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS10\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
O20 - Winlogon Notify: rainit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WB - C:\Archivos de programa\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: The Hacker Antivirus (The_Hacker_Antivirus) - Hacksoft s.r.l. - C:\ARCHIV~1\THEHAC~1\THD32.EXE
O23 - Service: The Hacker Service Manager (T_H_S_M) - Hacksoft - C:\ARCHIV~1\THEHAC~1\THSM.EXE

BTW, The Hacker is the name of a local, trusted Antivirus, so no worries there either.

I remember sometime ago there was a virus that modified registry entries so some exes files couldnt be executed if the spyware file was removed, i think this virus is from one and a half years ago, not sure tho. Id like to check that part in the registry but i can t remember the exact path.

Id truly appreciate some help on this matter, as Id hate to format my PC and Im keeping that as my last resort. Tyvm in advance

Edited by Felipe Chepote, 28 February 2006 - 03:11 PM.

-----------------------1

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll

Now close all windows and browsers other than HiJackThis, then click Fix Checked.
Close HijackThis.

-----------------------2

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\WINDOWS\SYSTEM32\LMIinit.dll
Click on the submit button
Please post the results in your next reply.

-----------------------3

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click Download Now to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

-----------------------4

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with the SpySweeper Log, a fresh HJT Log and the Jotti Results..

#1
Felipe Chepote

Posted 28 February 2006 - 03:06 PM

Advertisements

#2
Antartic-Boy

Posted 28 February 2006 - 03:11 PM

#3
Felipe Chepote

Posted 28 February 2006 - 07:35 PM

#4
Antartic-Boy

Posted 01 March 2006 - 08:14 AM

#5
Antartic-Boy

Posted 19 March 2006 - 03:58 PM

Similar Topics

1 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us