Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 04-28-2009, 08:21 PM
Registered User | Join Date: Apr 2009 | Location: Michigan | Posts: 7 | OS: Windows XP service pack 3

rundll32 related malware crashing system and calling up explorer windows

Hello to all of you wonderful tech types,

I'll start by thanking you for taking a look at my system issues, and for using your vast and superior knowledge to combat the dark side of the internet.

I have two systems in various stages of FUBAR, a desktop and a laptop. I'll start with the desktop because it is at least usable; hopefully I can get it cleaned and protected and then work on the laptop.

This system used to belong to my wife. One day she was using Firefox and got a pop-up window warning of system virus infections, which looked a lot like the Windows Security Center. Before I could stop her, she clicked the button on the popup and downloaded who knows what. The system was really dodgy for a while, the main problems being constant explorer pop-ups and extreme slowness, with assorted blank screens and system crashes. My computer knowledge is limited, but even to me it seems like there are processes running that should not be there. I get periodic rundll32.exe error messages. So far, I've run Ad-Aware several times and CCleaner.

I have created the following logs per the instructions for this forum:

DDS Log --

DDS (Ver_09-03-16.01) - NTFSx86
Run by Michelle Grimsley at 19:26:46.31 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2111 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\ld08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\1863405434.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Documents and Settings\Michelle Grimsley\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: : {2da1d4c8-cd3d-4eb4-92df-71459cd14c96} - c:\windows\system32\uygofks.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
BHO: {ffe1945c-582c-499a-ac65-0c1df0dbd174} - c:\windows\system32\dudipore.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [dll32] dll32
uRun: [Diagnostic Manager] c:\docume~1\michel~1\locals~1\temp\1863405434.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [lijufedewu] Rundll32.exe "c:\windows\system32\vowayore.dll",s
mRun: [50bfab85] rundll32.exe "c:\windows\system32\makatulo.dll",b
mRun: [CPM538c9819] Rundll32.exe "c:\windows\system32\vinomisu.dll",a
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [pp] c:\windows\pp06.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [iLike] c:\program files\ilike\1.2.13\ilikesidebar.exe /checkforupdate
dRun: [<NO NAME>] c:\windows\temp\sytnx3t.exe
dRun: [Windows Resurections] c:\windows\temp\sytnx3t.exe
dRun: [Diagnostic Manager] c:\windows\temp\2486911966.exe
dRun: [dll32] dll32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
IE: Translate Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Notify: xpahguma - uygofks.dll
AppInit_DLLs: zvslmq.dll c:\windows\system32\tikutove.dll c:\windows\system32\vinomisu.dll
SSODL: MGI_PHOTOSUITE_V806 - {1A6F8E3C-6EA8-B2DC-1589-EEC14A8C992D} - c:\program files\mgi\photosuite 8.1\sendmaild.dll
SSODL: Ad-aware 6 Personal - {A211C7E2-80D9-C485-2F98-A8F572088007} - c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vinomisu.dll
STS: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vinomisu.dll
LSA: Notification Packages = scecli c:\windows\system32\tikutove.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michel~1\applic~1\mozilla\firefox\profiles\ijf020gf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-24 64160]
R2 cwiixovg;Floppy Disk Controller Support;c:\windows\system32\svchost.exe -k netsvcs [2003-4-30 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S3 FXDRV;FXDRV;D:\Fxdrv.sys [2006-11-15 13440]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-04-28 18:43 <DIR> --d----- c:\docume~1\michel~1\applic~1\scclipnm
2009-04-28 18:16 <DIR> --d----- c:\program files\Trend Micro
2009-04-28 18:12 20,539 a------- c:\windows\system32\AAWService_2009_04_28_18_12_52.dmp
2009-04-28 17:10 0 a------- c:\windows\mqcd.dbt
2009-04-28 17:09 28,672 a------- c:\windows\system32\inqby.sr
2009-04-28 17:09 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-28 17:09 32,768 a------- c:\windows\system32\fairy.an
2009-04-28 17:09 28,672 a------- c:\windows\system32\dolman.zt
2009-04-28 17:09 79,360 a------- c:\windows\system32\ashl.nq
2009-04-28 17:05 115,712 a------- C:\kggi.exe
2009-04-28 17:05 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-27 22:15 <DIR> --d----- c:\program files\CCleaner
2009-04-27 21:41 121 ---sh--- c:\windows\system32\olutakam.ini
2009-04-27 21:39 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-04-27 21:39 21,504 a------- c:\windows\system32\hidserv.dll
2009-04-27 21:39 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-04-27 21:39 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-04-25 16:59 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-25 16:46 1,419,232 a------- c:\windows\system32\WdfCoInstaller01005.dll
2009-04-25 16:46 581,192 a------- c:\windows\system32\WinusbCoInstaller.dll
2009-04-25 16:46 <DIR> --d----- c:\program files\Microsoft
2009-04-25 15:52 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-25 15:52 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-25 15:52 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-25 15:52 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-28 19:27 109,308 a------- c:\windows\system32\drivers\51de0a10.sys
2009-04-28 18:15 15,360 a------- c:\windows\system32\dll32.exe
2009-04-28 17:43 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-28 17:42 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-28 17:06 10,752 ----h--- c:\windows\pp06.exe
2009-04-28 17:06 16,384 ----h--- c:\windows\ld08.exe
2009-04-28 17:06 101,888 a------- C:\wwmeoblk.exe
2009-04-28 17:06 205,824 a------- C:\pdtivk.exe
2009-04-28 17:06 578,560 a------- c:\windows\system32\user32.DLL
2009-04-28 17:06 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-28 17:05 105,472 a--sh--- c:\windows\system32\vinomisu.dll
2009-04-28 17:05 98,816 a--sh--- c:\windows\system32\nomifeyi.dll
2009-04-27 21:39 98,816 a--sh--- c:\windows\system32\makatulo.dll
2009-04-27 21:39 104,960 a--sh--- c:\windows\system32\gavurane.dll.vir
2009-04-27 21:39 59,904 a--sh--- c:\windows\system32\dayevino.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:02 71,680 a--sh--- c:\windows\system32\jodilose.dll
2009-03-06 10:02 79,872 a--sh--- c:\windows\system32\fetepevo.dll
2009-03-06 10:02 129,024 a--sh--- c:\windows\system32\zvslmq.dll
2009-03-06 10:02 129,024 a--sh--- c:\windows\system32\lamukepa.dll
2009-03-06 10:02 84,992 a--sh--- c:\windows\system32\penitoro.dll
2009-03-05 13:20 2,713 ---sh--- c:\windows\system32\pafiloha.dll
2009-03-05 13:20 2,713 ---sh--- c:\windows\system32\lutazipu.dll
2009-03-03 20:07 79,872 a--sh--- c:\windows\system32\dipitiwo.dll
2009-03-03 20:07 129,024 a--sh--- c:\windows\system32\rusavewo.dll
2009-03-03 20:07 129,024 a--sh--- c:\windows\system32\hgglaa.dll
2009-03-03 20:07 84,992 a--sh--- c:\windows\system32\dedisuri.dll
2009-03-03 08:07 129,024 a--sh--- c:\windows\system32\wszodb.dll
2009-03-03 08:07 129,024 a--sh--- c:\windows\system32\piwagali.dll
2009-03-03 08:07 84,992 a--sh--- c:\windows\system32\hozirave.dll
2009-03-02 06:55 129,024 a--sh--- c:\windows\system32\vitisazu.dll
2009-03-02 06:55 129,024 a--sh--- c:\windows\system32\jntqwl.dll
2009-03-02 06:55 79,872 a--sh--- c:\windows\system32\juteruno.dll
2009-03-01 18:55 129,024 a--sh--- c:\windows\system32\zomisula.dll
2009-03-01 18:55 129,024 a--sh--- c:\windows\system32\lwufhy.dll
2009-03-01 10:56 1,665,505 ---sh--- c:\windows\system32\eyojotov.tmp
2009-03-01 06:55 129,024 a--sh--- c:\windows\system32\hcenmu.dll
2009-03-01 06:55 129,024 a--sh--- c:\windows\system32\dinibafi.dll
2009-02-28 13:12 84,992 a--sh--- c:\windows\system32\jeribejo.dll
2009-02-28 13:12 129,024 a--sh--- c:\windows\system32\yozezuna.dll
2009-02-28 13:12 129,024 a--sh--- c:\windows\system32\eyvhik.dll
2009-02-28 13:12 79,872 a--sh--- c:\windows\system32\hizupoye.dll
2009-02-27 11:17 84,992 a--sh--- c:\windows\system32\juliyowe.dll
2009-02-27 11:17 129,024 a--sh--- c:\windows\system32\zikedama.dll
2009-02-27 11:17 129,024 a--sh--- c:\windows\system32\yyspyc.dll
2009-02-27 11:17 79,872 a--sh--- c:\windows\system32\penigusa.dll
2009-02-26 10:49 84,992 a--sh--- c:\windows\system32\ligutafo.dll
2009-02-26 10:49 129,024 a--sh--- c:\windows\system32\lawakuwi.dll
2009-02-26 10:49 129,024 a--sh--- c:\windows\system32\davuqe.dll
2009-02-26 10:49 79,872 a--sh--- c:\windows\system32\bubefiya.dll
2009-02-24 21:03 129,024 a--sh--- c:\windows\system32\zuterolo.dll
2009-02-24 21:03 129,024 a--sh--- c:\windows\system32\lcusoy.dll
2009-02-24 21:03 79,872 a--sh--- c:\windows\system32\hahakege.dll
2009-02-24 21:03 84,992 a--sh--- c:\windows\system32\keneluga.dll
2009-02-24 09:08 84,992 a------- c:\windows\system32\miliyepa.dll
2009-02-24 09:02 129,024 a--sh--- c:\windows\system32\ztzxok.dll
2009-02-24 09:02 129,024 a--sh--- c:\windows\system32\saduyaya.dll
2009-02-23 07:04 129,024 a--sh--- c:\windows\system32\pihuzura.dll
2009-02-23 07:04 129,024 a--sh--- c:\windows\system32\opiaro.dll
2009-02-23 07:04 84,992 a--sh--- c:\windows\system32\ludoyuja.dll
2009-02-23 07:04 79,872 a--sh--- c:\windows\system32\wirijepi.dll
2009-02-22 18:17 84,992 a--sh--- c:\windows\system32\pefitaru.dll
2009-02-22 18:17 129,024 a--sh--- c:\windows\system32\titugivo.dll
2009-02-22 18:17 129,024 a--sh--- c:\windows\system32\blxqwx.dll
2009-02-22 18:17 79,872 a--sh--- c:\windows\system32\noyijoyo.dll
2006-10-09 21:46 14,101 ac--h--- c:\docume~1\alluse~1\applic~1\index0.dat
2005-12-03 22:22 25,280 ac------ c:\docume~1\michel~1\applic~1\GDIPFONTCACHEV1.DAT
2004-08-19 12:06 64,048 ac------ c:\program files\common files\SpeechEngines.dll
2004-08-08 18:24 63,836 ac------ c:\program files\common files\Services.dll
2004-07-21 08:06 65,760 ac------ c:\program files\common files\xing shared.dll
2004-04-16 22:10 65,304 ac------ c:\program files\common files\xing shareda.dll
2004-01-23 04:16 62,164 ac------ c:\program files\common files\InstallShield.dll
2003-12-05 22:13 63,792 ac------ c:\program files\common files\InstallShieldg.dll
0000-00-00 00:00 71,680 a--sh--- c:\windows\system32\dudipore.dll
0000-00-00 00:00 71,680 a--sh--- c:\windows\system32\tikutove.dll
0000-00-00 00:00 71,680 a--sh--- c:\windows\system32\vowayore.dll

============= FINISH: 19:28:21.07 ===============

I have also attached the ark.zip and attach.zip logs.

If anyone deigns to assist me, I would highly appreciate it.

Thanks again for taking the time to help hapless folk like myself!

Nairobi
Attached Files: ark.zip (827 Bytes), Attach.zip (2.7 KB)
#2 - 04-29-2009, 03:54 PM
Angelfire777 | Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Posts: 4,581 | OS: Vista

Re: rundll32 related malware crashing system and calling up explorer windows

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006
#3 - 05-01-2009, 08:18 AM
Registered User | Join Date: Apr 2009 | Location: Michigan | Posts: 7 | OS: Windows XP service pack 3

Re: rundll32 related malware crashing system and calling up explorer windows

Angelfire,

Thanks for the response and for looking over my computer issues.

I downloaded ComboFix, followed all of the instructions, and ran the program, generating the following log:

ComboFix 09-04-30.05 - Michelle Grimsley 04/30/2009 21:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2127 [GMT -5:00]
Running from: c:\documents and settings\Michelle Grimsley\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\ld08.exe
c:\windows\mqcd.dbt
c:\windows\pp06.exe
c:\windows\Readme.txt
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\ashl.nq
c:\windows\system32\azton.mt
c:\windows\system32\blxqwx.dll
c:\windows\system32\davuqe.dll
c:\windows\system32\dinibafi.dll
c:\windows\system32\dl32.exe
c:\windows\system32\dll32.exe
c:\windows\system32\dolman.zt
c:\windows\system32\dudipore.dll
c:\windows\system32\eyvhik.dll
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\gijoyeri.dll
c:\windows\system32\hcenmu.dll
c:\windows\system32\hgglaa.dll
c:\windows\system32\ibefodak.ini
c:\windows\system32\inqby.sr
c:\windows\system32\izijugor.ini
c:\windows\system32\jntqwl.dll
c:\windows\system32\jodilose.dll
c:\windows\system32\kadofebi.dll
c:\windows\system32\kisijegu.dll
c:\windows\system32\KVIF_7.dll
c:\windows\system32\lamukepa.dll
c:\windows\system32\lawakuwi.dll
c:\windows\system32\lcusoy.dll
c:\windows\system32\ludoyuja.dll
c:\windows\system32\lutazipu.dll
c:\windows\system32\lwufhy.dll
c:\windows\system32\nomifeyi.dll
c:\windows\system32\noyijoyo.dll
c:\windows\system32\nvrsk.dll
c:\windows\system32\olutakam.ini
c:\windows\system32\opiaro.dll
c:\windows\system32\ovepetef.ini
c:\windows\system32\owitipid.ini
c:\windows\system32\pafiloha.dll
c:\windows\system32\pefitaru.dll
c:\windows\system32\pihuzura.dll
c:\windows\system32\piwagali.dll
c:\windows\system32\ravoruna.dll
c:\windows\system32\rogujizi.dll
c:\windows\system32\rusavewo.dll
c:\windows\system32\saduyaya.dll
c:\windows\system32\sjg9s8guigjs.dll
c:\windows\system32\tikutove.dll
c:\windows\system32\titugivo.dll
c:\windows\system32\twain_32
c:\windows\system32\ugejisik.ini
c:\windows\system32\vinomisu.dll
c:\windows\system32\vitisazu.dll
c:\windows\system32\vowayore.dll
c:\windows\system32\wirijepi.dll
c:\windows\system32\wszodb.dll
c:\windows\system32\Xcite.dll
c:\windows\system32\yozezuna.dll
c:\windows\system32\yyspyc.dll
c:\windows\system32\zikedama.dll
c:\windows\system32\zomisula.dll
c:\windows\system32\zotokohu.dll
c:\windows\system32\ztzxok.dll
c:\windows\system32\zuterolo.dll
c:\windows\system32\zvslmq.dll
c:\windows\Tasks\At1.job
c:\windows\Temp\160509516.exe
c:\windows\Temp\2216599466.exe
c:\windows\Temp\2254099466.exe
c:\windows\Temp\2279099466.exe
c:\windows\Temp\2486911966.exe
c:\windows\Temp\2622162858.exe
c:\windows\Temp\651475920.exe
c:\windows\system32\ktwlsfki.dll . . . . failed to delete
c:\windows\system32\uygofks.dll . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cwiixovg
-------\Service_cwiixovg


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-05-01 02:12 . 2009-05-01 02:12 -------- d-----w c:\documents and settings\NetworkService\Application Data\scclipnm
2009-05-01 02:12 . 2009-05-01 02:12 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\scclipnm
2009-04-30 12:42 . 2009-04-30 12:42 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\scclipnm
2009-04-29 00:47 . 2009-04-29 00:47 -------- d-----w c:\documents and settings\Michelle Grimsley\Application Data\scclipnm
2009-04-29 00:47 . 2009-04-29 00:47 -------- d-----w c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\scclipnm
2009-04-28 23:16 . 2009-04-28 23:16 -------- d-----w c:\program files\Trend Micro
2009-04-28 22:06 . 2009-04-28 22:06 2 ---h--w c:\windows\t55ft2692f44.dat
2009-04-28 22:06 . 2009-04-28 22:06 101888 ----a-w C:\wwmeoblk.exe
2009-04-28 22:06 . 2009-05-01 03:01 109308 ----a-w c:\windows\system32\drivers\51de0a10.sys
2009-04-28 22:06 . 2009-04-28 22:06 205824 ----a-w C:\pdtivk.exe
2009-04-28 22:06 . 2009-05-01 02:56 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-28 22:05 . 2009-04-28 22:06 115712 ----a-w C:\kggi.exe
2009-04-28 03:15 . 2009-04-28 03:15 -------- d-----w c:\program files\CCleaner
2009-04-28 02:39 . 2008-04-14 00:11 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-28 02:39 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-28 02:39 . 2008-04-13 18:39 14592 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-04-28 02:39 . 2008-04-13 18:39 14592 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-04-25 21:54 . 2009-04-25 23:20 -------- d-----w c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\MigWiz
2009-04-25 21:46 . 2006-11-02 12:07 581192 ----a-w c:\windows\system32\WinusbCoInstaller.dll
2009-04-25 21:46 . 2006-11-02 13:09 1419232 ----a-w c:\windows\system32\WdfCoInstaller01005.dll
2009-04-25 21:46 . 2009-04-25 21:46 -------- d-----w c:\program files\Microsoft
2009-04-25 20:52 . 2001-08-17 18:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-25 20:52 . 2001-08-17 18:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 02:56 . 2003-04-30 23:28 143872 ----a-w c:\windows\system32\ktwlsfki.dll
2009-05-01 02:56 . 2003-04-30 23:28 578560 ----a-w c:\windows\system32\user32.dll
2009-05-01 02:55 . 2003-04-30 23:28 104448 ----a-w c:\windows\system32\ojkcysb.dll
2009-05-01 02:09 . 2009-02-01 02:09 62464 --sha-w c:\windows\system32\wowijohi.exe
2009-04-30 12:40 . 2009-01-30 12:40 60416 --sha-w c:\windows\system32\dijuzihi.exe
2009-04-29 00:25 . 2007-05-07 01:34 -------- d-----w c:\program files\Java
2009-04-28 22:43 . 2009-02-24 21:48 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-28 22:42 . 2009-02-24 20:29 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-28 02:39 . 2009-01-28 02:39 59904 --sha-w c:\windows\system32\dayevino.exe
2009-04-28 02:39 . 2009-01-28 02:39 104960 --sha-w c:\windows\system32\gavurane.dll.vir
2009-04-25 21:59 . 2009-04-25 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-09 10:19 . 2009-01-04 18:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 15:02 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\fetepevo.dll
2009-03-06 15:02 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\penitoro.dll
2009-03-04 01:07 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\dipitiwo.dll
2009-03-04 01:07 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\dedisuri.dll
2009-03-03 13:07 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\hozirave.dll
2009-03-02 11:55 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\juteruno.dll
2009-03-02 03:44 . 2007-03-20 01:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 15:56 . 2009-03-01 15:56 1665505 --sh--w c:\windows\system32\eyojotov.tmp
2009-02-28 18:12 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\jeribejo.dll
2009-02-28 18:12 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\hizupoye.dll
2009-02-27 16:17 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\juliyowe.dll
2009-02-27 16:17 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\penigusa.dll
2009-02-26 15:49 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\ligutafo.dll
2009-02-26 15:49 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\bubefiya.dll
2009-02-25 02:03 . 1601-01-01 00:12 79872 --sha-w c:\windows\system32\hahakege.dll
2009-02-25 02:03 . 1601-01-01 00:12 84992 --sha-w c:\windows\system32\keneluga.dll
2009-02-24 14:08 . 2009-02-24 14:00 84992 ----a-w c:\windows\system32\miliyepa.dll
2004-08-19 17:06 . 2003-11-12 02:14 64048 -c--a-w c:\program files\Common Files\SpeechEngines.dll
2004-08-08 23:24 . 2004-06-02 15:59 63836 -c--a-w c:\program files\Common Files\Services.dll
2004-07-21 13:06 . 2003-07-17 18:45 65760 -c--a-w c:\program files\Common Files\xing shared.dll
2004-04-17 03:10 . 2003-10-23 14:30 65304 -c--a-w c:\program files\Common Files\xing shareda.dll
2004-01-23 09:16 . 2003-03-25 05:03 62164 -c--a-w c:\program files\Common Files\InstallShield.dll
2003-12-06 03:13 . 2003-06-09 07:31 63792 -c--a-w c:\program files\Common Files\InstallShieldg.dll
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2da1d4c8-cd3d-4eb4-92df-71459cd14c96}]
2002-08-29 12:00 104448 ----a-w c:\windows\system32\uygofks.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-12-24 2878464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-12 366400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-29 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-28 516440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"iLike"="c:\program files\iLike\1.2.13\ilikesidebar.exe" [2008-09-10 63024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MGI_PHOTOSUITE_V806"= {1A6F8E3C-6EA8-B2DC-1589-EEC14A8C992D} - c:\program files\MGI\PhotoSuite 8.1\sendmaild.dll [2004-07-08 63360]
"Ad-aware 6 Personal"= {A211C7E2-80D9-C485-2F98-A8F572088007} - c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll [2005-05-13 123380]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Weather"=c:\progra~1\AWS\WEATHE~1\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R3 FXDRV;FXDRV;D:\Fxdrv.sys [2006-11-16 13440]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-28 64160]
S0 vzqujwfy;vzqujwfy;c:\windows\system32\drivers\vzqujwfy.sys [2002-08-29 23424]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-28 953168]

.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:42]

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ffe1945c-582c-499a-ac65-0c1df0dbd174} - c:\windows\system32\dudipore.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\sytnx3t.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\160509516.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &Google Search - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
IE: Translate Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michelle Grimsley\Application Data\Mozilla\Firefox\Profiles\ijf020gf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 22:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1292)
c:\program files\MGI\PhotoSuite 8.1\sendmaild.dll
c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-01 22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 03:06

Pre-Run: 5,478,588,416 bytes free
Post-Run: 5,617,819,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

307 --- E O F --- 2009-02-12 00:48


However, now that Combofix has run, I can no longer connect to the internet on my desktop. I tried to reboot, and I tried to repair the internet connection, but I cannot view any pages on my browser and I am receiving a message that the proxy server is refusing connection to the internet. I am posting this response from a different machine.

Thanks again for your assistance, I greatly appreciate it.

-Nairobi
Old 05-01-2009, 12:26 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: rundll32 related malware crashing system and calling up explorer windows

Hi,

You will be able to view webpages after this pass of combofix. Let me know if that's not the case.


*Please uninstall these older versions of Java as they just use up unnecessary space and are security vulnerabilities.

Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1



*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/371394-rundll32-related-malware-crashing-system-calling-up-explorer-windows.html
File::
c:\windows\system32\dipitiwo.dll
c:\windows\system32\dedisuri.dll
c:\windows\system32\hozirave.dll
c:\windows\system32\juteruno.dll
c:\windows\system32\jeribejo.dll
c:\windows\system32\hizupoye.dll
c:\windows\system32\juliyowe.dll
c:\windows\system32\penigusa.dll
c:\windows\system32\ligutafo.dll
c:\windows\system32\bubefiya.dll
c:\windows\system32\hahakege.dll
c:\windows\system32\keneluga.dll
c:\windows\system32\miliyepa.dll
Folder::
c:\documents and settings\NetworkService\Application Data\scclipnm
c:\documents and settings\NetworkService\Local Settings\Application Data\scclipnm
c:\windows\system32\config\systemprofile\Application Data\scclipnm
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm
c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\scclipnm
Driver::
SetupNTGLM7X
vzqujwfy
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2da1d4c8-cd3d-4eb4-92df-71459cd14c96}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dll32"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
Collect::
c:\windows\t55ft2692f44.dat
C:\wwmeoblk.exe
c:\windows\system32\drivers\51de0a10.sys
C:\pdtivk.exe
C:\kggi.exe
c:\windows\system32\ktwlsfki.dll
c:\windows\system32\ojkcysb.dll
c:\windows\system32\wowijohi.exe
c:\windows\system32\dijuzihi.exe
c:\windows\system32\dayevino.exe
c:\windows\system32\gavurane.dll.vir
c:\windows\system32\fetepevo.dll
c:\windows\system32\penitoro.dll
c:\windows\system32\eyojotov.tmp
c:\windows\system32\uygofks.dll
c:\windows\system32\drivers\vzqujwfy.sys
Filelook::
c:\windows\system32\dllcache\user32.dll
c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll
Firefox::
FF - ProfilePath - c:\documents and settings\Michelle Grimsley\Application Data\Mozilla\Firefox\Profiles\ijf020gf.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

-----------------------------

*One reason why you were infected is because you have no antivirus running onboard. Having no antivirus these days is an open invitation for malware to enter your system.

You are basically vulnerable to all sorts of malware. Cleaning will be useless if you have no active protection because you'll only be infected again immediately.

That's why before we continue further, I want you to install, update, and scan with an antivirus -

Avira Antivir: http://www.free-av.com

-----------------------------

I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path into the box.

c:\program files\Common Files\Services.dll

Then click submit.

Do the same for these files:

c:\program files\Common Files\SpeechEngines.dll
c:\program files\Common Files\xing shareda.dll
c:\program files\Common Files\InstallShield.dll
c:\program files\Common Files\InstallShieldg.dll


Please post the results to your next reply.

-----------------------------

*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
  • virustotal scan results
__________________
UNITE and ASAP since 2006



Last edited by Angelfire777; 05-01-2009 at 12:29 PM.
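To show why the analyst's CFScript targeted the lines it did, here is an added triage script (my own example, not ComboFix, TSF or Angelfire777's code) that reads a constructed excerpt of the log posted above and flags the indicators behind each fix: the dead `dll32` Run entry, the muted Security Center warning, the disabled firewall, the random-named `vzqujwfy` driver, the autostart running from TEMP, and the localhost:7171 proxy in both IE and Firefox, which is why the browsers reported a refused proxy connection once the malware process was gone. The rule names and the eight-lowercase-letter driver heuristic are my assumptions.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread.

Added example, not ComboFix, TSF or the analyst's code. It only reads text and
modifies nothing; it flags the kinds of lines the CFScript above acted on so a
reader can see why each one mattered.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log posted earlier in the thread,
# trimmed to the ones the rules below look at.
SAMPLE_LOG = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"iLike"="c:\program files\iLike\1.2.13\ilikesidebar.exe" [2008-09-10 63024]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-28 64160]
S0 vzqujwfy;vzqujwfy;c:\windows\system32\drivers\vzqujwfy.sys [2002-08-29 23424]

HKU-Default-Run-Windows Resurections - c:\windows\TEMP\sytnx3t.exe
uInternet Settings,ProxyServer = http=localhost:7171
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKEY_...] block header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DRIVER_RE = re.compile(r"^[RS]\d+ (?P<name>[^;]+);[^;]*;(?P<path>\S.*?)(?: \[|$)")
LOCAL_PROXY_RE = re.compile(r"(localhost|127\.0\.0\.1):(?P<port>\d+)")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.+)$")
# Heuristic (my assumption): eight random lowercase letters, as with vzqujwfy.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: rule, the line, and a detail."""
    findings: List[Dict[str, str]] = []
    current_key = ""            # registry key of the block we are inside
    ff_proxy: Dict[str, str] = {}  # Firefox proxy prefs collected across lines

    def add(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line.strip(), "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, value = m.group("name"), m.group("value")
            if current_key.lower().endswith(r"\run") and value.endswith("[X]"):
                add("dead-autostart", line,
                    f"{name} under {current_key} points at a missing file")
            elif name == "UpdatesDisableNotify" and value.endswith("00000001"):
                add("securitycenter-muted", line,
                    "Security Center update warnings are disabled")
            elif name == "EnableFirewall" and value.lstrip().startswith("0"):
                add("firewall-off", line, "Windows Firewall standard profile is off")
            continue
        m = DRIVER_RE.match(line)
        if m and RANDOM_NAME_RE.match(m.group("name")):
            add("random-driver", line,
                f"driver {m.group('name')} has a random-looking name: {m.group('path')}")
            continue
        if "-Run-" in line and "\\temp\\" in line.lower():
            add("temp-autostart", line, "autostart launches an executable from TEMP")
            continue
        if "ProxyServer" in line:
            m = LOCAL_PROXY_RE.search(line)
            if m:
                add("ie-local-proxy", line,
                    f"IE traffic routed via local port {m.group('port')}")
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            ff_proxy[m.group(1)] = m.group(2)

    # Firefox spreads the proxy over three prefs; only type=1 (manual) with a
    # local host means traffic is being funnelled through a process on the box.
    if (ff_proxy.get("network.proxy.type") == "1"
            and ff_proxy.get("network.proxy.http") in ("localhost", "127.0.0.1")):
        port = ff_proxy.get("network.proxy.http_port", "?")
        add("ff-local-proxy", "FF - prefs.js: network.proxy.*",
            f"Firefox traffic routed via local port {port}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['rule']:22} {finding['detail']}")
```

Once the process listening on the local port is removed, any browser still configured with that proxy cannot load pages, which is the symptom reported in the reply above; clearing the IE and Firefox proxy settings is what the CFScript's DDS:: and Firefox:: sections do.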
Old 05-02-2009, 01:04 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Michigan
Posts: 7
OS: Windows XP service pack 3


Re: rundll32 related malware crashing system and calling up explorer windows

Whew! Finally finished with all of the assignments, but the machine seems to be running better already. Here are the requested logs:

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 16:38:06
Records in database: 2120851
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 65519
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:31:08


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\sjg9s8guigjs.dll.vir Infected: Trojan.Win32.Agent.cdbr 1
C:\System Volume Information\_restore{B6461F21-6F5F-40F6-B06E-5EFF51F5536E}\RP8\A0000137.dll Infected: Trojan.Win32.Agent.cdbr 1
C:\System Volume Information\_restore{B6461F21-6F5F-40F6-B06E-5EFF51F5536E}\RP9\A0000528.dll Infected: Trojan-Downloader.Win32.Murlo.a 1
C:\System Volume Information\_restore{B6461F21-6F5F-40F6-B06E-5EFF51F5536E}\RP9\A0000529.dll Infected: Trojan-Downloader.Win32.Murlo.a 1
C:\System Volume Information\_restore{B6461F21-6F5F-40F6-B06E-5EFF51F5536E}\RP9\A0000530.dll Infected: Trojan-Downloader.Win32.Murlo.a 1

The selected area was scanned.

During this scan, Avira found numerous dll files that were reported as viruses, most of which I deleted and a few of which I quarantined.

Here is the new combofix log:

ComboFix 09-05-02.4 - Michelle Grimsley 05/01/2009 19:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2164 [GMT -5:00]
Running from: c:\documents and settings\Michelle Grimsley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Grimsley\Desktop\CFScript.txt

FILE ::
c:\windows\system32\bubefiya.dll
c:\windows\system32\dedisuri.dll
c:\windows\system32\dipitiwo.dll
c:\windows\system32\hahakege.dll
c:\windows\system32\hizupoye.dll
c:\windows\system32\hozirave.dll
c:\windows\system32\jeribejo.dll
c:\windows\system32\juliyowe.dll
c:\windows\system32\juteruno.dll
c:\windows\system32\keneluga.dll
c:\windows\system32\ligutafo.dll
c:\windows\system32\miliyepa.dll
c:\windows\system32\penigusa.dll

file zipped: C:\wwmeoblk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michelle Grimsley\Application Data\scclipnm
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\profiles.ini
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\cert8.db
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\compatibility.ini
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\compreg.dat
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\cookies.sqlite
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\formhistory.sqlite
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\key3.db
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\localstore.rdf
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\permissions.sqlite
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\places.sqlite-journal
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\places.sqlite
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\pluginreg.dat
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\prefs.js
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\secmod.db
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\webappsstore.sqlite
c:\documents and settings\Michelle Grimsley\Application Data\scclipnm\Profiles\93ahu9ef.default\xpti.dat
c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\scclipnm
c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\scclipnm\Profiles\93ahu9ef.default\urlclassifier3.sqlite
c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\scclipnm\Profiles\93ahu9ef.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\scclipnm
c:\documents and settings\NetworkService\Application Data\scclipnm\profiles.ini
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\cert8.db
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\key3.db
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\prefs.js
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\secmod.db
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\scclipnm\Profiles\drd4ala4.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\scclipnm
c:\documents and settings\NetworkService\Local Settings\Application Data\scclipnm\Profiles\drd4ala4.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\scclipnm\Profiles\drd4ala4.default\XPC.mfl
C:\kggi.exe
C:\pdtivk.exe
c:\windows\system32\bubefiya.dll
c:\windows\system32\config\systemprofile\Application Data\scclipnm
c:\windows\system32\config\systemprofile\Application Data\scclipnm\profiles.ini
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\cert8.db
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\compatibility.ini
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\compreg.dat
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\cookies.sqlite
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\formhistory.sqlite
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\key3.db
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\localstore.rdf
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\permissions.sqlite
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\places.sqlite-journal
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\places.sqlite
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\pluginreg.dat
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\prefs.js
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\secmod.db
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\webappsstore.sqlite
c:\windows\system32\config\systemprofile\Application Data\scclipnm\Profiles\bjo02snt.default\xpti.dat
c:\windows\system32\dayevino.exe
c:\windows\system32\dedisuri.dll
c:\windows\system32\dijuzihi.exe
c:\windows\system32\dipitiwo.dll
c:\windows\system32\drivers\51de0a10.sys
c:\windows\system32\drivers\vzqujwfy.sys
c:\windows\system32\eyojotov.tmp
c:\windows\system32\fetepevo.dll
c:\windows\system32\gavurane.dll.vir
c:\windows\system32\hahakege.dll
c:\windows\system32\hizupoye.dll
c:\windows\system32\hozirave.dll
c:\windows\system32\jeribejo.dll
c:\windows\system32\juliyowe.dll
c:\windows\system32\juteruno.dll
c:\windows\system32\keneluga.dll
c:\windows\system32\ktwlsfki.dll
c:\windows\system32\ligutafo.dll
c:\windows\system32\miliyepa.dll
c:\windows\system32\ojkcysb.dll
c:\windows\system32\penigusa.dll
c:\windows\system32\penitoro.dll
c:\windows\system32\uygofks.dll
c:\windows\system32\wowijohi.exe
c:\windows\t55ft2692f44.dat
C:\wwmeoblk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SETUPNTGLM7X
-------\Legacy_vzqujwfy
-------\Service_SetupNTGLM7X
-------\Service_vzqujwfy
-------\Service_51de0a10


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 23:32 . 2009-05-01 23:32 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-01 23:31 . 2009-05-01 23:31 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-04-28 23:16 . 2009-04-28 23:16 -------- d-----w c:\program files\Trend Micro
2009-04-28 22:06 . 2009-05-01 02:56 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-28 03:15 . 2009-04-28 03:15 -------- d-----w c:\program files\CCleaner
2009-04-28 02:39 . 2008-04-14 00:11 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-28 02:39 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-28 02:39 . 2008-04-13 18:39 14592 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-04-28 02:39 . 2008-04-13 18:39 14592 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-04-25 21:54 . 2009-04-25 23:20 -------- d-----w c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\MigWiz
2009-04-25 21:46 . 2006-11-02 12:07 581192 ----a-w c:\windows\system32\WinusbCoInstaller.dll
2009-04-25 21:46 . 2006-11-02 13:09 1419232 ----a-w c:\windows\system32\WdfCoInstaller01005.dll
2009-04-25 21:46 . 2009-04-25 21:46 -------- d-----w c:\program files\Microsoft
2009-04-25 20:52 . 2001-08-17 18:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-25 20:52 . 2001-08-17 18:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 00:34 . 2003-02-05 02:29 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 00:29 . 2003-04-30 23:28 23424 ----a-w c:\windows\system32\drivers\qbzktawp.sys
2009-05-01 02:56 . 2003-04-30 23:28 578560 ----a-w c:\windows\system32\user32.dll
2009-04-29 00:25 . 2007-05-07 01:34 -------- d-----w c:\program files\Java
2009-04-28 22:43 . 2009-02-24 21:48 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-28 22:42 . 2009-02-24 20:29 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-25 21:59 . 2009-04-25 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-09 10:19 . 2009-01-04 18:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 20:46 . 2009-02-24 20:29 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-02-09 18:18 . 2008-06-28 00:58 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2004-08-19 17:06 . 2003-11-12 02:14 64048 -c--a-w c:\program files\Common Files\SpeechEngines.dll
2004-08-08 23:24 . 2004-06-02 15:59 63836 -c--a-w c:\program files\Common Files\Services.dll
2004-07-21 13:06 . 2003-07-17 18:45 65760 -c--a-w c:\program files\Common Files\xing shared.dll
2004-04-17 03:10 . 2003-10-23 14:30 65304 -c--a-w c:\program files\Common Files\xing shareda.dll
2004-01-23 09:16 . 2003-03-25 05:03 62164 -c--a-w c:\program files\Common Files\InstallShield.dll
2003-12-06 03:13 . 2003-06-09 07:31 63792 -c--a-w c:\program files\Common Files\InstallShieldg.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll -- Unable to find Resource table header.
File Size: 123380
Created Time: 2005-05-08 19:46
Modified Time: 2005-05-13 19:46
Accessed Time: 2009-05-02 00:17
MD5: 414B58F49B7B25142D631A5B4C6266AB
SHA: B0A9A00F767E457C5DE506ADF1B92E2657D95454


---- c:\windows\system32\dllcache\user32.dll ----
Company: Microsoft Corporation
File Description: Windows XP USER API Client DLL
File Version: 5.1.2600.5512 (xpsp.080413-2105)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: user32
File Size: 578560
Created Time: 2009-04-28 22:06
Modified Time: 2009-05-01 02:56
Accessed Time: 2009-05-02 00:29
MD5: B26B135FF1B9F60C9388B4A7D16F600B
SHA: 08FE9FF1FE9B8FD237ADEDB10D65FB0447B91FE5


((((((((((((((((((((((((((((( SnapShot@2009-05-01_03.00.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 00:34 . 2009-05-02 00:34 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-12-24 2878464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-12 366400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-29 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-28 516440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"iLike"="c:\program files\iLike\1.2.13\ilikesidebar.exe" [2008-09-10 63024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MGI_PHOTOSUITE_V806"= {1A6F8E3C-6EA8-B2DC-1589-EEC14A8C992D} - c:\program files\MGI\PhotoSuite 8.1\sendmaild.dll [2004-07-08 63360]
"Ad-aware 6 Personal"= {A211C7E2-80D9-C485-2F98-A8F572088007} - c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll [2005-05-13 123380]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Weather"=c:\progra~1\AWS\WEATHE~1\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

--- Other Services/Drivers In Memory ---

*NewlyCreated* - VZQUJWFY
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:42]

2009-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Google Search - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
IE: Translate Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michelle Grimsley\Application Data\Mozilla\Firefox\Profiles\ijf020gf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3628)
c:\program files\MGI\PhotoSuite 8.1\sendmaild.dll
c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-05-02 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 02:36
ComboFix2.txt 2009-05-01 03:06

Pre-Run: 5,600,276,480 bytes free
Post-Run: 5,584,261,120 bytes free

303 --- E O F --- 2009-02-12 00:48


I checked out all of the requested dll files on virustotal.com and all of the reports were very similar. Here is the first one, for services.dll:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.01 Trojan-Downloader.Win32.Murlo!IK
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.04.30 W32/Palored.A.2
Antiy-AVL 2.0.3.1 2009.04.30 Trojan/Win32.Murlo
Authentium 5.1.2.4 2009.05.01 W32/Downloader.KZD
Avast 4.8.1335.0 2009.05.01 Win32:Trojan-gen {Other}
AVG 8.5.0.327 2009.05.01 Downloader.Small.21.BE
BitDefender 7.2 2009.05.02 Trojan.Downloader.Murlo.A
CAT-QuickHeal 10.00 2009.04.30 -
ClamAV 0.94.1 2009.05.02 Trojan.Murlo-1
Comodo 1146 2009.05.01 -
DrWeb 4.44.0.09170 2009.05.02 Trojan.DownLoader.1434
eSafe 7.0.17.0 2009.04.30 Suspicious File
eTrust-Vet 31.6.6487 2009.05.02 Win32/Palored.A
F-Prot 4.4.4.56 2009.05.01 W32/Downloader.KZD
F-Secure 8.0.14470.0 2009.05.01 Trojan-Downloader.Win32.Murlo.a
Fortinet 3.117.0.0 2009.05.02 W32/Murlo.D!tr
GData 19 2009.05.02 Trojan.Downloader.Murlo.A
Ikarus T3.1.1.49.0 2009.05.01 Trojan-Downloader.Win32.Murlo
K7AntiVirus 7.10.721 2009.05.01 -
Kaspersky 7.0.0.125 2009.05.01 Trojan-Downloader.Win32.Murlo.a
McAfee 5602 2009.05.01 Generic Downloader.m
McAfee+Artemis 5602 2009.05.01 Generic Downloader.m
McAfee-GW-Edition 6.7.6 2009.04.30 Win32.Palored.A.2
Microsoft 1.4602 2009.05.01 VirTool:Win32/Obfuscator.EK
NOD32 4049 2009.05.01 -
Norman 6.01.05 2009.04.30 W32/Suspicious_N.gen
nProtect 2009.1.8.0 2009.05.01 -
Panda 10.0.0.14 2009.05.01 -
PCTools 4.4.2.0 2009.05.01 Trojan.DL.Murlo.CZ
Prevx1 3.0 2009.05.02 -
Rising 21.27.41.00 2009.05.01 AdWare.Win32.ConHook.c
Sophos 4.41.0 2009.05.02 Troj/Dloader-JM
Sunbelt 3.2.1858.2 2009.05.02 -
Symantec 1.4.4.12 2009.05.02 Trojan Horse
TheHacker 6.3.4.1.317 2009.05.02 Trojan/Downloader.Murlo.a
TrendMicro 8.950.0.1092 2009.05.01 Cryp_Morphine
VBA32 3.12.10.4 2009.05.01 Trojan-Downloader.Win32.Murlo.a
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.01 Trojan.DL.Murlo.CZ
Additional information
File size: 63836 bytes
MD5...: 0c5decc740394b8cb2b2de4c6a68d9f3
SHA1..: 101a8554d4e9d6f6834a9786fc02fb2ddf6e4a5c
SHA256: c8815a4f2180c89714e0133760f5eadc8ac7d36af604437df7ba597f8032773e
SHA512: fdc034f10596b15f59ab36775fe48cad96eb0fb900e6962a100748179cfb5af184d0f999ddc5ee12d6dd45442428d2f06fe27ff8aa330bb63a9414a3efec90fd
ssdeep: 1536:r9ViArD4ZkrUpFUHCFw5xb7niAynfwSyljrw0:r9V9rDMFpuCQhGLydw0
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x162e
timedatestamp.....: 0x265fcd51 (Sun May 27 12:51:29 1990)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12000 0xe600 7.99 1d28f3352b74c0bfe658c77e939b8726
.idata 0x13000 0x1000 0x200 3.25 b1074513f0d15d4d0f5c6280c3307ded
.edata 0x14000 0x1000 0x200 1.00 c28ce76b996bbf28e258b0b7be53d699

( 5 imports )
> kernel32.dll: GetProcAddress, LoadLibraryA
> WININET.dll: InternetSetOptionA
> USER32.dll: RegisterClassA
> GDI32.dll: GetStockObject
> ADVAPI32.dll: RegCreateKeyExA

( 2 exports )
Preload, _DllMain@12
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.Morphine, Morphine


I can post the other dll reports from virustotal if necessary, but they were all nearly identical to the above.

I really appreciate the help, things are already looking up!
Nairobi is offline  
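An added example, not code from the thread or from VirusTotal: the Python below triages a VirusTotal text report of the shape posted above. It parses the vendor/result rows, computes a detection ratio, votes on a family name across the vendors' different naming schemes, and applies two static-PE checks to the PEInfo values in the report (the .text section entropy of 7.99 and the 1990 compile timestamp). The embedded rows are an excerpt of the report above; the GENERIC stoplist, the 7.0 entropy threshold and the 1995 "earliest plausible build year" are assumptions made for this example.

```python
"""Triage of a VirusTotal text report (added example, not VirusTotal code).

Parses engine rows, computes a detection ratio, votes on a family name and
checks the PEInfo section entropy and compile timestamp.  The stoplist and
thresholds are assumptions for triage, not VirusTotal's own logic.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Excerpt of the rows posted in the thread: vendor, engine version, signature
# date, result ("-" means the engine reported nothing).  The header line is
# included to show that the parser skips it.
VT_EXCERPT = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.01 Trojan-Downloader.Win32.Murlo!IK
AhnLab-V3 5.0.0.2 2009.05.01 -
AntiVir 7.9.0.160 2009.04.30 W32/Palored.A.2
Avast 4.8.1335.0 2009.05.01 Win32:Trojan-gen {Other}
BitDefender 7.2 2009.05.02 Trojan.Downloader.Murlo.A
Comodo 1146 2009.05.01 -
eSafe 7.0.17.0 2009.04.30 Suspicious File
Kaspersky 7.0.0.125 2009.05.01 Trojan-Downloader.Win32.Murlo.a
McAfee 5602 2009.05.01 Generic Downloader.m
Microsoft 1.4602 2009.05.01 VirTool:Win32/Obfuscator.EK
NOD32 4049 2009.05.01 -
Symantec 1.4.4.12 2009.05.02 Trojan Horse
TrendMicro 8.950.0.1092 2009.05.01 Cryp_Morphine
VBA32 3.12.10.4 2009.05.01 Trojan-Downloader.Win32.Murlo.a
"""

# PEInfo values from the posted report: (section, entropy), the PE header
# timestamp, and the scan date printed on the report.
SECTIONS = [(".text", 7.99), (".idata", 3.25), (".edata", 1.00)]
COMPILE_TS = 0x265FCD51
SCAN_DATE = datetime(2009, 5, 2, tzinfo=timezone.utc)

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*?)\s*$")

# Assumed stoplist: generic qualifiers vendors prepend to names; these must
# not be counted as a family.  Tokens under four characters (variant
# suffixes such as "A", "EK", "IK") are dropped as well.
GENERIC = {"trojan", "downloader", "dloader", "win32", "generic", "other",
           "suspicious", "file", "horse", "virtool", "cryp", "small"}


def parse_vt_rows(text):
    """One dict per engine row; result is None when the engine was clean."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:            # header, blank or malformed line
            continue
        vendor, version, updated, result = m.groups()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def detection_ratio(rows):
    """(engines that fired, engines that scanned)."""
    return sum(1 for r in rows if r["result"]), len(rows)


def family_vote(rows, top=3):
    """Most frequent non-generic name tokens across all detections."""
    votes = Counter()
    for r in rows:
        if not r["result"]:
            continue
        for tok in re.split(r"[^a-z0-9]+", r["result"].lower()):
            if len(tok) >= 4 and tok not in GENERIC:
                votes[tok] += 1
    return votes.most_common(top)


def packed_sections(sections, threshold=7.0):
    """Sections whose entropy (bits per byte) suggests packed/encrypted code."""
    return [name for name, entropy in sections if entropy >= threshold]


def compile_time_plausible(ts, scan_date, earliest_year=1995):
    """A PE timestamp before Win32 existed, or after the scan, is a forged header."""
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return earliest_year <= built.year and built <= scan_date, built


def triage(report=VT_EXCERPT, sections=SECTIONS, ts=COMPILE_TS, scan=SCAN_DATE):
    """Combine the checks into one summary dict."""
    rows = parse_vt_rows(report)
    hits, total = detection_ratio(rows)
    plausible, built = compile_time_plausible(ts, scan)
    return {
        "detections": hits,
        "engines": total,
        "families": family_vote(rows),
        "packed_sections": packed_sections(sections),
        "compile_time": built.isoformat(),
        "compile_time_plausible": plausible,
    }
```

On the excerpt, `triage()` reports 11 of 14 engines firing, "murlo" as the leading family token, `.text` as packed (which agrees with the "packers (Kaspersky): PE_Patch.Morphine" line) and a compile time of 1990-05-27, which is older than Win32 and therefore forged. Run over the full 40-row table above it counts 30 detections. The family vote is a heuristic: vendor names like "Palored", "Obfuscator" and "Morphine" describe the packer or the sample's behaviour rather than its family, which is why the vote is taken across all vendors instead of trusting any single name.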
Old 05-04-2009, 10:49 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: rundll32 related malware crashing system and calling up explorer windows

Hi,

What Kaspersky found were mostly files inside System Restore's cache. They're harmless unless we use the feature. We shall purge it later.


* Open Notepad.
Copy and paste the text inside the code box below into Notepad.
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/371394-rundll32-related-malware-crashing-system-calling-up-explorer-windows.html
File::
c:\program files\Common Files\Services.dll
c:\program files\Common Files\SpeechEngines.dll
c:\program files\Common Files\xing shared.dll
c:\program files\Common Files\xing shareda.dll
c:\program files\Common Files\InstallShield.dll
c:\program files\Common Files\InstallShieldg.dll
c:\windows\system32\drivers\qbzktawp.sys
Driver::
VZQUJWFY
Suspect::[55]
c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm...php?channel=55

Please let me know if you successfully submitted the file. Thanks.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 05-04-2009 at 10:52 AM.
Angelfire777 is offline  
Old 05-04-2009, 07:51 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Michigan
Posts: 7
OS: Windows XP service pack 3


Re: rundll32 related malware crashing system and calling up explorer windows

I ran the new ComboFix script as requested, and here is the log:

ComboFix 09-05-03.6 - Michelle Grimsley 05/04/2009 20:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2187 [GMT -5:00]
Running from: c:\documents and settings\Michelle Grimsley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Grimsley\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\program files\Common Files\InstallShield.dll
c:\program files\Common Files\InstallShieldg.dll
c:\program files\Common Files\Services.dll
c:\program files\Common Files\SpeechEngines.dll
c:\program files\Common Files\xing shared.dll
c:\program files\Common Files\xing shareda.dll
c:\windows\system32\drivers\qbzktawp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VZQUJWFY


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-02 02:51 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\program files\Avira
2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-01 23:32 . 2009-05-01 23:32 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-01 23:31 . 2009-05-01 23:31 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-04-28 23:16 . 2009-04-28 23:16 -------- d-----w c:\program files\Trend Micro
2009-04-28 22:06 . 2009-05-01 02:56 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-28 03:15 . 2009-04-28 03:15 -------- d-----w c:\program files\CCleaner
2009-04-28 02:39 . 2008-04-14 00:11 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-28 02:39 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-28 02:39 . 2008-04-13 18:39 14592 -c--a-w c:\windows\system32\dllcache\kbdhid.sys
2009-04-28 02:39 . 2008-04-13 18:39 14592 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-04-25 21:54 . 2009-04-25 23:20 -------- d-----w c:\documents and settings\Michelle Grimsley\Local Settings\Application Data\MigWiz
2009-04-25 21:46 . 2006-11-02 12:07 581192 ----a-w c:\windows\system32\WinusbCoInstaller.dll
2009-04-25 21:46 . 2006-11-02 13:09 1419232 ----a-w c:\windows\system32\WdfCoInstaller01005.dll
2009-04-25 21:46 . 2009-04-25 21:46 -------- d-----w c:\program files\Microsoft
2009-04-25 20:52 . 2001-08-17 18:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-25 20:52 . 2001-08-17 18:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-25 20:52 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 16:07 . 2007-05-07 01:34 -------- d-----w c:\program files\Java
2009-05-02 16:04 . 2008-08-04 20:29 -------- d-----w c:\program files\iTunes
2009-05-02 04:03 . 2005-01-30 19:15 -------- d-----w c:\program files\TaxCut04
2009-05-02 04:03 . 2003-08-19 20:24 -------- d-----w c:\program files\Real
2009-05-02 04:03 . 2003-08-19 20:24 -------- d-----w c:\program files\Common Files\Real
2009-05-02 04:03 . 2003-08-19 21:19 -------- d-----w c:\program files\Common Files\Adobe
2009-05-02 04:03 . 2003-05-16 16:59 -------- d-----w c:\program files\Ahead
2009-05-01 02:56 . 2003-04-30 23:28 578560 ----a-w c:\windows\system32\user32.dll
2009-04-28 22:43 . 2009-02-24 21:48 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-28 22:42 . 2009-02-24 20:29 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-25 21:59 . 2009-04-25 21:59 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-09 10:19 . 2009-01-04 18:19 410984 ----a-w c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_03.00.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-05-05 01:46 . 2009-05-05 01:46 16384 c:\windows\Temp\Perflib_Perfdata_124.dat
+ 2009-05-02 02:51 . 2009-02-13 17:50 28376 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-05-02 02:51 . 2009-03-30 15:33 96104 c:\windows\system32\drivers\avipbb.sys
+ 2009-05-02 02:51 . 2009-02-13 17:29 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2009-05-02 02:51 . 2009-02-13 17:17 45416 c:\windows\system32\drivers\avgntdd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-12-24 2878464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-12 366400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-29 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-28 516440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BluetoothAuthenticationAgent"="irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Weather"=c:\progra~1\AWS\WEATHE~1\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-28 953168]
R3 FXDRV;FXDRV;D:\Fxdrv.sys [2006-11-16 13440]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-28 64160]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]

.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:42]

2009-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
- - - - ORPHANS REMOVED - - - -

SSODL-MGI_PHOTOSUITE_V806-{1A6F8E3C-6EA8-B2DC-1589-EEC14A8C992D} - c:\program files\MGI\PhotoSuite 8.1\sendmaild.dll
SSODL-Ad-aware 6 Personal-{A211C7E2-80D9-C485-2F98-A8F572088007} - c:\progra~1\lavasoft\ad-awa~1\winmdwd32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Google Search - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
IE: Translate Page - c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michelle Grimsley\Application Data\Mozilla\Firefox\Profiles\ijf020gf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-05 20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 01:55
ComboFix2.txt 2009-05-02 02:36
ComboFix3.txt 2009-05-01 03:06

Pre-Run: 5,231,308,800 bytes free
Post-Run: 5,107,462,144 bytes free

184 --- E O F --- 2009-02-12 00:48


However, I did not have a pop-up window after ComboFix finished, and there was not a file named [4]-Submit-date@time.zip in the "Quarantine" folder under QooBox. ComboFix did cause the machine to reboot, which then resulted in start-up programs beginning to run in the background until I could shut them down. Let me know if I need to run the script again.

Thanks for the help!
Nairobi is offline  
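An added example, not code from the thread or from ComboFix: the Python below runs the checks a responder makes first when reading a ComboFix log like the two posted in this thread. It flags a disabled real-time scanner (the "AV: ... *On-access scanning disabled*" header), a Windows Firewall profile with EnableFirewall set to 0, counts the bare rundll32.exe entries under "Other Running Processes", and collects service and driver names from the *NewlyCreated*, Legacy_, R#/S# service and drivers\*.sys lines so that machine-generated names such as VZQUJWFY and qbzktawp can be singled out. The embedded log is an excerpt assembled from lines of the logs above; the vowel-ratio heuristic and its thresholds are an assumption for triage, not a ComboFix rule.

```python
"""Triage of a ComboFix log (added example, not ComboFix code).

Flags a disabled real-time scanner, a disabled firewall profile, bare
rundll32.exe processes and service/driver names that look machine-generated.
The vowel-ratio heuristic and its thresholds are assumptions for triage.
"""
import re

# Excerpt assembled from lines of the ComboFix logs posted above (raw string,
# so the Windows paths keep their single backslashes).
LOG_EXCERPT = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\program files\Common Files\Services.dll
c:\windows\system32\drivers\qbzktawp.sys

-------\Legacy_VZQUJWFY

*NewlyCreated* - VZQUJWFY

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-28 953168]
R3 FXDRV;FXDRV;D:\Fxdrv.sys [2006-11-16 13440]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-28 64160]

------------------------ Other Running Processes ------------------------
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
"""

AV_OFF = re.compile(r"^AV:.*scanning disabled", re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
NEWLY_CREATED = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)")
LEGACY_KEY = re.compile(r"^-+\\Legacy_(\S+)")
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);")        # "R3 FXDRV;FXDRV;D:\Fxdrv.sys"
DRIVER_FILE = re.compile(r"\\drivers\\([^\\\s]+)\.sys$", re.I)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.I)


def looks_random(name, min_len=7, max_vowel_ratio=0.2):
    """True for purely alphabetic names of min_len+ letters with few vowels
    (VZQUJWFY, qbzktawp); short abbreviations such as FXDRV are left alone."""
    if len(name) < min_len or not name.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in name.lower())
    return vowels / len(name) <= max_vowel_ratio


def triage_combofix(text):
    """Summarise the indicators a responder checks first in the log."""
    names = set()
    report = {"av_realtime_disabled": False, "firewall_disabled": False,
              "rundll32_instances": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if AV_OFF.match(line):
            report["av_realtime_disabled"] = True
        elif FIREWALL_OFF.match(line):
            report["firewall_disabled"] = True
        elif RUNDLL32.search(line):
            report["rundll32_instances"] += 1
        else:
            for rx in (NEWLY_CREATED, LEGACY_KEY, SERVICE_LINE):
                m = rx.match(line)
                if m:
                    names.add(m.group(1))
            m = DRIVER_FILE.search(line)
            if m:
                names.add(m.group(1))
    report["all_names"] = sorted(names)
    report["random_names"] = sorted(n for n in names if looks_random(n))
    return report
```

On the excerpt, `triage_combofix(LOG_EXCERPT)` reports the real-time scanner and the firewall profile as disabled, two rundll32.exe instances, and VZQUJWFY and qbzktawp as random-looking names while FXDRV and Lbd are not flagged. The name check is only a prompt to look closer: legitimate abbreviated driver names also trip it (avgntflt.sys from the second log above would), so confirm with the file's signature or a hash lookup before acting on it. The two rundll32.exe entries are equally ambiguous on their own, because ComboFix prints only the image path; on XP, `wmic process where name="rundll32.exe" get CommandLine` shows which DLL and export each instance is hosting.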
Old 05-05-2009, 12:05 AM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: rundll32 related malware crashing system and calling up explorer windows

You're welcome.

That's alright, no need for a re-run. It seems that the file doesn't exist anymore.

How is it running?
Angelfire777 is offline  
Old 05-05-2009, 06:14 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Michigan
Posts: 7
OS: Windows XP service pack 3


Re: rundll32 related malware crashing system and calling up explorer windows

Well, I'm not getting the explorer pop-ups anymore and I'm not getting the rundll32 error messages. Overall, the system seems to be moving more quickly, though I fear I have a few too many programs opening at start-up and running in the background - but that's another issue altogether!

I've got the Avira software installed for now and am looking at some other anti-virus software, probably ESET NOD32.

Is my desktop "cured" (or at least as much as is possible)?

Thanks for the timely and effective help!
Nairobi is offline  
Old 05-05-2009, 10:07 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: rundll32 related malware crashing system and calling up explorer windows

This can help you manage those startup programs: http://www.windowsstartup.com/startupinspector.php

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's "How Did I Get Infected In The First Place?"

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 05-06-2009, 08:47 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Location: Michigan
Posts: 7
OS: Windows XP service pack 3


Re: rundll32 related malware crashing system and calling up explorer windows

Angelfire777, you rule! Thanks for the help - my desktop is running free and faster than ever! I'm about to donate in your honor, especially since my laptop is in much worse shape than my desktop was, so I'll be taking up substantially more forum time over the next several weeks...much appreciated!
Nairobi is offline  
 


Copyright 2001 - 2009, Tech Support Forum