A few complications have occurred:
1- I was able to start the process after I had downloaded the Windows recovery boot and dragged it onto ComboFix. However, after the reboot it got locked up and the computer froze.
2- After a second reboot, I went into Add/Remove Programs and deleted anything to do with virus protection programs (although they had stopped working since the infection occurred), then rebooted.
3- Then, when I tried dragging again, this time ComboFix said "reboot recovery has already been installed in this machine, aborting process".
However, I still have no reports being produced.
So this time I just started ComboFix itself without dragging reboot recovery, and it gave me the following log:
ComboFix 08-06-30.1 - Arda Yucel 2008-06-30 15:24:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1261 [GMT -4:00]
Running from: C:\Documents and Settings\Arda Yucel\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\downld
.
---- Previous Run -------
.
C:\WINDOWS\system32\ACER.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\kmd.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.
2008-06-30 12:07 . 2008-06-30 12:07 <DIR> d-------- C:\Program Files\AVG8
2008-06-30 12:07 . 2008-06-30 12:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-30 11:09 . 2008-06-30 11:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 11:07 . 2008-06-30 11:08 <DIR> d-------- C:\Combo-Fix
2008-06-30 11:02 . 2008-06-30 11:02 4,150 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-30 11:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-30 11:01 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-30 11:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-30 01:30 . 2008-06-30 01:30 507 --a------ C:\WINDOWS\system32\drivers\Shortcut to drivers.lnk
2008-06-17 15:09 . 2008-06-17 15:09 <DIR> d-------- C:\Program Files\TVAnts
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Program Files\SopCast
2008-05-09 17:48 . 2008-05-09 17:48 <DIR> d-------- C:\Documents and Settings\Arda Yucel\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:19 --------- d-----w C:\Program Files\eMule047c
2008-06-18 23:07 --------- d-----w C:\Documents and Settings\Arda Yucel\Application Data\Skype
2008-05-28 23:39 --------- d-----w C:\Program Files\Launch Manager
2008-05-19 01:27 --------- d-----w C:\Documents and Settings\Arda Yucel\Application Data\AdobeUM
2008-02-23 21:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-18 21:12 100 ----a-w C:\Documents and Settings\Arda Yucel\drvkeys.bat
.
((((((((((((((((((((((((((((( snapshot@2008-06-30_15.19.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 19:15:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 19:21:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 19:21:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_974.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="C:\Windows\RUNXMLPL.exe" [2007-04-20 20:56 20480]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 02:03 704512]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 22:51 53248]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 23:00 455168]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 23:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 23:17 52256]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 12:25 208896]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 13:18 475136]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 23:12 579584]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-03-30 13:52 342528]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 15:07 421888]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-06-07 13:17 850704]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [2004-03-31 09:23 823296]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 19:32 16132608 C:\WINDOWS\RTHDCPL.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2007-04-03 13:04]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2007-04-02 19:11]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 02:00]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-30 15:25:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Completion time: 2008-06-30 15:26:43
ComboFix-quarantined-files.txt 2008-06-30 19:26:28
Pre-Run: 17,666,678,784 bytes free
Post-Run: 17,644,134,400 bytes free
128 --- E O F --- 2008-06-03 12:02:59
I am kind of suspicious about this report log, since I didn't get it right after the first boot when I did the dragging action. But I still wanted to show it to you in case it could be of help for the next step, perhaps?
Thanks, I'm waiting.