Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cannot read from memory xxxx [CLOSED]


  • This topic is locked This topic is locked

#1
Felipe Chepote

Felipe Chepote

    New Member

  • Member
  • Pip
  • 2 posts
Ack! Ive been having troubles executing some exes files today. My Antivirus updater isnt working because of this, as well as my IE, Gmail notifier, WM player, World of Warcraft (changed my pass via other PC, no worries)... This is a headache for me now.

My Antivirus and Microsoft AntSpyware software said I had a tool2.exe problem. I ran both scans and they proceded to clean the infection. This was 2 days ago and just today im having this rpoblem.

After reading some posts in this forums i downloaded the Hijackthis software and here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 03:56:15 p.m., on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\gearsec.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\THEHAC~1\THD32.EXE
C:\ARCHIV~1\THEHAC~1\THSM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe
C:\Archivos de programa\Lexmark X1100 Series\lxbkbmon.exe
C:\ARCHIV~1\THEHAC~1\THAV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrador\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Archivos de programa\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Archivos de programa\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Archivos de programa\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Archivos de programa\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Archivos de programa\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Archivos de programa\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Archivos de programa\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [THEHACKERCONSOLA] C:\ARCHIV~1\THEHAC~1\THAV.EXE /NOPRE
O4 - HKLM\..\RunServices: [T_H_S_M] C:\ARCHIV~1\THEHAC~1\THSM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Archivos de programa\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Archivos de programa\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095832439006
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{D45FB660-6D2E-4977-AAA7-B83D7A487A8B}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS4\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS5\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS6\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS7\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS8\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS9\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O17 - HKLM\System\CS10\Services\Tcpip\..\{12FE62B3-5A27-4405-BBFB-74F9DF529BED}: NameServer = 200.48.225.130,200.48.225.146
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
O20 - Winlogon Notify: rainit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WB - C:\Archivos de programa\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: The Hacker Antivirus (The_Hacker_Antivirus) - Hacksoft s.r.l. - C:\ARCHIV~1\THEHAC~1\THD32.EXE
O23 - Service: The Hacker Service Manager (T_H_S_M) - Hacksoft - C:\ARCHIV~1\THEHAC~1\THSM.EXE

BTW, The Hacker is the name of a local, trusted Antivirus, so no worries there either.

I remember sometime ago there was a virus that modified registry entries so some exes files couldnt be executed if the spyware file was removed, i think this virus is from one and a half years ago, not sure tho. Id like to check that part in the registry but i can t remember the exact path.

Id truly appreciate some help on this matter, as Id hate to format my PC and Im keeping that as my last resort. Tyvm in advance

Edited by Felipe Chepote, 28 February 2006 - 03:11 PM.

  • 0

Advertisements


#2
Antartic-Boy

Antartic-Boy

    Visiting Staff

  • Visiting Consultant
  • 1,120 posts
Hi Felipe Chepote, and welcome to Geeks to Go.

I'm currently analyzing your log, and will post instructions to start with the clean up soon :tazz: .
  • 0

#3
Felipe Chepote

Felipe Chepote

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hello Antartic, Ty for your quick reply. Ive been looking deeper into the matter and Ive found that there a 2 files that could be possibly the source of the problems: pptp24.sys and pptp16.dll

Ive searched for this files and they are identified as malware, even Ewido identifies them as such.

It seems pptp16.dll load along with winlogon.exe and writes several registry keys to keep a neverending loop if pptp24.sys is deleted. Pptp16.dll cant be deleted as its loaded in memory as part of winlogon.exe. This occurs in Safe Mode as well.

Ive tried deleting the registry keys, but 2 of them cant be deleted LEGACY_PPTP24.SYS and LEGACY_PPTP16

My HD is NTFS so I cant use a boot disk to manually delete the files via command prompt.

Is there a way to stop this cycle? Ewido isnt able to delete them, as I stated before, as one of them is being used as part of winlogon. And of course if I kill Winlogon... the pc reboots.

I hope Im not rambling too much =)
  • 0

#4
Antartic-Boy

Antartic-Boy

    Visiting Staff

  • Visiting Consultant
  • 1,120 posts
-----------------------1

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll


Now close all windows and browsers other than HiJackThis, then click Fix Checked.
Close HijackThis.

-----------------------2

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\SYSTEM32\LMIinit.dll
  • Click on the submit button
  • Please post the results in your next reply.
-----------------------3

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
-----------------------4

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the SpySweeper Log, a fresh HJT Log and the Jotti Results..

  • 0

#5
Antartic-Boy

Antartic-Boy

    Visiting Staff

  • Visiting Consultant
  • 1,120 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP