Windows XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB virus. My antivirus showed that some executable files were infected, plus when browsing the web with Internet Explorer, the system periodically popped up an error message called RUNDLL:
"Error loading C:\Windows\AppPatch\Jview.dll
The specified module could not be found."
(by default I use Firefox).
After running a whole-computer scan, NOD32 isolated the infected files in the Quarantine folder. I removed the Jview.dll.
As far as I know, Win32/Alman.NAD is an infector and downloader, and it has got its own driver. If it sits inside some legitimate process (IE), then it will add the new registry key again. Then removing it will be harder.
Then I downloaded and ran the DSS utility and got the following report. I browsed through the logfile, but I am not sure which processes and keys are legitimate.
Deckard's System Scanner v20071014.68
Run by User on 2008-06-26 12:28:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
51: 2008-06-26 09:28:42 UTC - RP650 - Deckard's System Scanner Restore Point
50: 2008-06-20 09:36:28 UTC - RP649 - Software Distribution Service 3.0
49: 2008-06-18 14:40:47 UTC - RP648 - System Checkpoint
48: 2008-06-16 14:22:43 UTC - RP647 - System Checkpoint
47: 2008-06-11 09:32:32 UTC - RP646 - Software Distribution Service 3.0
-- First Restore Point --
1: 2008-03-25 07:01:53 UTC - RP600 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as User.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:44, on 2008.06.26.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\User.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 84.252.140.138:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 3553 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-05-26 and 2008-06-26 -----------------------------
2008-06-25 12:52:34 148 --a------ C:\WINDOWS\system32\unxxx.bat
2008-06-17 19:07:04 0 d-------- C:\Documents and Settings\User\Application Data\NCH Swift Sound
2008-06-02 12:19:01 0 d-------- C:\Program Files\xmplay342
-- Find3M Report ---------------------------------------------------------------
2008-06-19 14:57:39 0 d-------- C:\Documents and Settings\User\Application Data\Mozilla
2008-06-02 17:07:14 0 d-------- C:\Program Files\Star Downloader
2008-05-26 20:38:02 0 d-------- C:\Documents and Settings\User\Application Data\Orbit
2008-04-24 13:19:56 1160192 --a------ C:\WINDOWS\system32\Gareks.scr <Not Verified; Xara Group Ltd.; Xara3D Screen Saver>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003.04.06. 19:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003.04.06. 19:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001.07.09. 10:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008.01.11. 23:16]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008.03.13. 16:48]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004.08.04. 00:56]
"NetMeter"="C:\Program Files\HooTech\NetMeter\HooNetMeter.exe" [2006.10.09. 02:23]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007.03.28. 19:13:36]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
-- End of Deckard's System Scanner: finished at 2008-06-26 12:30:30 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1015.48 MiB / 713.79 MiB
Pagefile Memory (total/avail): 1294.38 MiB / 1114.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.29 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 76.32 GiB total, 34.36 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 149.04 GiB total, 144.99 GiB free.
\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.32 GiB - C:
\\.\PHYSICALDRIVE1 - ST3160815A - 149.05 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 149.04 GiB - E:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
AntivirusOverride is set.
FirewallOverride is set.
AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\Program Files\\WM Recorder 10.2\\WMR.exe"="C:\\Program Files\\WM Recorder 10.2\\WMR.exe:*:Enabled:WM Recorder 10.2"
"C:\\Documents and Settings\\User\\SuperScan\\SuperScan4.exe"="C:\\Documents and Settings\\User\\SuperScan\\SuperScan4.exe:*:Enabled:SuperScan 4 Beta 1"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ALEXANDER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\ALEXANDER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SDImgTemp=C:\Program Files\Sharp\Sharpdesk\Imaging\Temp
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=ALEXANDER
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
User (admin)
Guest (guest)
-- Add/Remove Programs ---------------------------------------------------------
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0.1 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
ESET NOD32 Antivirus --> MsiExec.exe /I{86A6E235-C08F-4A14-B14C-793C7D8844A0}
EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\User\HijackThis.exe" /uninstall
HTMLPad 2004 Pro v5.2 --> "C:\Program Files\HTMLPad 2004 Pro\unins000.exe"
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Net Meter v3.1 build 267 --> "C:\Program Files\HooTech\NetMeter\unins000.exe"
Star Downloader Free --> C:\PROGRA~1\STARDO~1\UNWISE.EXE C:\PROGRA~1\STARDO~1\INSTALL.LOG
SWFText --> C:\PROGRA~1\SWFText\UNWISE.EXE C:\PROGRA~1\SWFText\INSTALL.LOG
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xara3D6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9
-- Application Event Log -------------------------------------------------------
Event Record #/Type5213 / Error
Event Submitted/Written: 06/19/2008 11:51:26 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.
Event Record #/Type5212 / Error
Event Submitted/Written: 06/19/2008 11:51:23 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type5211 / Error
Event Submitted/Written: 06/19/2008 11:51:09 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9e.ocx, version 9.0.115.0, fault address 0x001b48a0.
Processing media-specific event for [iexplore.exe!ws!]
Event Record #/Type5188 / Error
Event Submitted/Written: 06/09/2008 06:09:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application acrord32.exe, version 8.1.0.137, faulting module acrord32.dll, version 8.1.2.86, fault address 0x00078434.
Processing media-specific event for [acrord32.exe!ws!]
Event Record #/Type5182 / Error
Event Submitted/Written: 06/05/2008 00:18:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module js3250.dll, version 4.0.0.0, fault address 0x0001ecc6.
Processing media-specific event for [firefox.exe!ws!]
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type25452 / Error
Event Submitted/Written: 06/26/2008 11:47:36 AM
Event ID/Source: 23 / Print
Event Description:
Printer Auto Sharpdesk Composer on JURISB failed to initialize because a suitable Sharpdesk Composer driver could not be found.
Event Record #/Type25432 / Error
Event Submitted/Written: 06/25/2008 03:46:35 PM
Event ID/Source: 23 / Print
Event Description:
Printer Auto Sharpdesk Composer on JURISB failed to initialize because a suitable Sharpdesk Composer driver could not be found.
Event Record #/Type25400 / Error
Event Submitted/Written: 06/25/2008 11:55:40 AM
Event ID/Source: 23 / Print
Event Description:
Printer Auto Sharpdesk Composer on JURISB failed to initialize because a suitable Sharpdesk Composer driver could not be found.
Event Record #/Type25336 / Error
Event Submitted/Written: 06/20/2008 00:39:49 PM
Event ID/Source: 23 / Print
Event Description:
Printer Auto Sharpdesk Composer on JURISB failed to initialize because a suitable Sharpdesk Composer driver could not be found.
Event Record #/Type25313 / Error
Event Submitted/Written: 06/20/2008 00:29:36 PM
Event ID/Source: 23 / Print
Event Description:
Printer Auto Sharpdesk Composer on JURISB failed to initialize because a suitable Sharpdesk Composer driver could not be found.
-- End of Deckard's System Scanner: finished at 2008-06-26 12:30:30 ------------
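The log above is the kind of thing a forum helper reads by hand: the R1 ProxyServer line pointing at a non-local address, the O2 BHO with no name, and the O21 SSODL entry for the quarantined Jview.dll marked "(file missing)". As an added example (not part of the post and not a BleepingComputer tool), the script below runs that first-pass triage over HijackThis-style lines. The three rules and the "external host" test are the editor's own heuristics, the sample lines are copied from the posted log, and the output is a list of items to verify, not a malware verdict: the Star Downloader BHO has no name but corresponds to a program listed under Add/Remove Programs, which is exactly why the script only flags it.

```python
"""First-pass triage of HijackThis-style log lines (added example, editor's heuristics)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis section of the posted DSS log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 84.252.140.138:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


# Heuristic patterns (assumptions of this example, not HijackThis rules).
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
BHO_NONAME_RE = re.compile(r"^O2 - BHO: \(no name\) - ")
SSODL_MISSING_RE = re.compile(r"^O21 - SSODL: .*\(file missing\)\s*$")


def proxy_hosts(value):
    """Split an IE ProxyServer value ("host:port" or "http=host:port;https=...") into hosts."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                       # per-protocol form: scheme=host:port
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])  # drop the port
    return hosts


def is_external_host(host):
    """True when the proxy host is neither loopback nor a private (RFC 1918) address.

    A hostname cannot be classified offline, so it is treated as external and left
    for a human to confirm.
    """
    if host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private)


def triage(log_text):
    """Return the lines a helper would want to verify first, with the reason for each."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        m = PROXY_RE.match(line)
        if m:
            external = [h for h in proxy_hosts(m.group("proxy")) if is_external_host(h)]
            if external:
                findings.append(Finding(
                    line, f"IE proxy set to external host(s) {external}; "
                          "confirm the user configured this, otherwise it is a traffic hijack"))
            continue
        if BHO_NONAME_RE.match(line):
            findings.append(Finding(
                line, "BHO registered without a name; identify the DLL's owner before deciding"))
            continue
        if SSODL_MISSING_RE.match(line):
            findings.append(Finding(
                line, "ShellServiceObjectDelayLoad entry whose DLL is missing; "
                      "orphaned load point left behind after quarantine, the key should go"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Running it on the sample prints the three lines discussed above and nothing else; the ProxyOverride line is skipped because only ProxyServer is tested, and the ESET Run and Service entries are not flagged. A real triage would then check each flagged item against the Add/Remove Programs list and the file's signer, which is the step this script deliberately leaves to the reader.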