What Does C:\windows\system32:dll32.exe Mean?


This topic is locked
6 replies to this topic

#1 br4n0

Posted 18 April 2008 - 06:11 PM

Hi, I've recently assisted in malware removal and came across this: O4 - HKLM\..\Run: [WinDll32] C:\WINDOWS\system32:Dll32.exe.
I thought it's some way to mask C:\WINDOWS\system32\Dll32.exe, but dll32.exe wasn't there. Another one (from Combofix):
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F10681B5-CDB1-7ABD-813B-C0E3DA747CF6}]
C:\WINDOWS\system32:WoW.exe (wow.exe wasn't in system32)

Could you please help in interpretation of these items?

#2 Simon V.

Posted 27 April 2008 - 10:40 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please post your HijackThis log and the Combofix log (C:\Combofix.txt) in your next reply.
Simon V.


#3 br4n0 (Topic Starter)

Posted 28 April 2008 - 10:28 AM

This one is already solved, I just need to clarify the "C:\WINDOWS\system32:Dll32.exe" part.

ComboFix 08-04-16.5 - Tomáš a Radka 2008-04-17 12:35:24.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.585 [GMT 2:00]
Running from: C:\Documents and Settings\Tomáš a Radka\Plocha\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tomáš a Radka\Local Settings\Temporary Internet Files\MAILTRAN.INI
C:\Documents and Settings\Tomáš a Radka\Local Settings\Temporary Internet Files\TRNCOM.INI

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 12:27 . 2008-04-17 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d-------- C:\WINDOWS\system32\QVJGTGljZW5zZUluZm8=
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\Ashampoo
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\Agnitum
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\WinZip
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní tiskárny
2008-04-17 12:26 . 2008-04-17 12:26 <DIR> dr------- C:\Documents and Settings\Administrator\Nabídka Start
2008-04-17 10:03 . 2008-04-17 12:27 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-17 10:03 . 2008-04-17 10:03 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\Spyware Terminator
2008-04-17 10:03 . 2008-04-17 10:03 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-16 23:54 . 2008-04-17 12:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-16 23:54 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-04-15 23:58 . 2008-04-15 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ashampoo
2008-04-15 23:54 . 2007-04-16 17:25 7,168 --a------ C:\WINDOWS\system32\drivers\AshAvScan.sys
2008-04-15 23:54 . 2008-04-17 12:28 0 --a------ C:\log.tmp
2008-04-15 23:50 . 2008-04-17 12:25 <DIR> d-------- C:\Program Files\Ashampoo
2008-04-15 23:38 . 2008-04-17 12:26 <DIR> d-------- C:\Program Files\Atomic Alarm Clock
2008-04-15 23:21 . 2008-04-16 00:24 64,512 --ah----- C:\Documents and Settings\Tomáš a Radka\Data aplikací\dach100.dll
2008-04-15 23:14 . 2008-04-15 23:14 876,645 --a------ C:\WINDOWS\track.mus
2008-04-15 23:14 . 2008-04-15 23:14 98,304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll
2008-04-15 21:05 . 2008-04-15 22:36 276 --ah----- C:\WINDOWS\wininf.dat
2008-04-15 18:33 . 2008-04-17 12:26 <DIR> d-------- C:\Program Files\MagicISO
2008-04-15 12:38 . 2008-04-15 12:38 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\Astro Gemini Software
2008-04-15 00:43 . 2006-08-09 14:33 10,760,192 --a------ C:\WINDOWS\system32\Christmas Time 3D Screensaver.scr.BAK
2008-04-15 00:38 . 2008-04-17 12:25 <DIR> d-------- C:\Program Files\Astro Gemini Software
2008-04-15 00:38 . 2008-04-15 00:43 10,760,192 --a------ C:\WINDOWS\system32\Christmas Time 3D Screensaver.scr
2008-04-15 00:38 . 2006-08-09 14:33 3,241 --a------ C:\WINDOWS\system32\ChristmasTime3DScreensaver.html
2008-04-15 00:36 . 2008-04-15 00:36 <DIR> d-------- C:\Program Files\KellySoftware
2008-04-14 14:21 . 2008-04-14 14:21 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\URSoft
2008-04-14 14:20 . 2008-04-17 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablony
2008-04-14 14:20 . 2008-04-17 12:26 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikací
2008-04-14 14:20 . 2008-04-17 12:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 01:22 . 2008-04-14 01:06 6,687,968 --a------ C:\WINDOWS\system32\Butterfly ScreenSaver Volume 2.scr
2008-04-14 01:20 . 2008-04-14 01:07 6,196,512 --a------ C:\WINDOWS\system32\Butterfly ScreenSaver Volume 1.scr
2008-04-14 01:20 . 2008-04-14 01:22 18,432 --a------ C:\WINDOWS\ss3unstl.exe
2008-04-14 01:17 . 2008-04-14 01:17 14,669,923 --a------ C:\WINDOWS\Angelina.scr
2008-04-14 01:17 . 2008-04-14 01:17 230,818 --a------ C:\WINDOWS\uninstall Angelina.exe
2008-04-14 00:25 . 2008-04-14 00:25 <DIR> d-------- C:\Program Files\Basta Computing
2008-04-14 00:03 . 2008-04-17 12:33 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-04-13 23:00 . 2008-04-15 22:45 918,045 --ah----- C:\DH Temp.tmp
2008-04-13 22:59 . 2008-04-13 22:59 0 --ah----- C:\miniex.ant
2008-04-13 22:23 . 2008-04-15 21:05 <DIR> d-------- C:\Program Files\Dachshund Software
2008-04-13 22:23 . 2008-04-16 00:09 233 --ah----- C:\WINDOWS\winshell.dat
2008-04-13 22:21 . 2008-04-17 12:26 <DIR> d-------- C:\Program Files\Advanced Registry Fix
2008-04-13 15:15 . 2008-04-13 15:15 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\ABBYY
2008-04-13 15:14 . 2008-04-17 12:26 <DIR> d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
2008-04-13 15:00 . 2008-04-13 15:00 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-04-13 15:00 . 2008-04-13 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Innovative Solutions
2008-04-13 15:00 . 2006-11-22 12:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2008-04-13 14:57 . 2008-04-13 14:59 <DIR> d-------- C:\WINDOWS\system32\3-D_Serengeti_Safari dir
2008-04-13 14:57 . 2008-04-13 14:57 <DIR> d-------- C:\Program Files\SNLBar
2008-04-13 14:57 . 2008-04-13 14:57 197,120 --a------ C:\WINDOWS\system32\3-D_Serengeti_Safari.scr
2008-04-13 14:28 . 2008-04-13 14:28 <DIR> d-------- C:\Program Files\Siber Systems
2008-04-13 14:28 . 2008-04-13 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\RoboForm
2008-04-13 14:23 . 2008-04-13 14:23 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-04-13 14:22 . 2008-04-13 15:07 <DIR> d-------- C:\Program Files\Tweak-XP Pro 4
2008-04-13 14:17 . 2008-04-13 14:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-13 14:17 . 2008-04-13 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft
2008-04-13 13:38 . 2004-08-17 15:49 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-13 13:38 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-13 13:38 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-13 13:38 . 2001-10-24 12:25 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-13 02:17 . 2008-04-13 02:17 <DIR> d-------- C:\Program Files\Real Desktop
2008-04-13 02:01 . 2008-04-13 02:01 <DIR> d-------- C:\Program Files\3Deep Space
2008-04-13 02:01 . 2005-10-05 12:47 2,226,176 --a------ C:\WINDOWS\system32\3D Solar System.scr
2008-04-13 02:01 . 2006-07-09 11:54 291,776 --a------ C:\WINDOWS\system32\DealioKit97-stub-0.exe
2008-04-13 02:01 . 2008-04-13 02:03 1 --a------ C:\WINDOWS\system32\sav80231.sys
2008-04-13 00:38 . 2008-04-13 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Azureus
2008-04-12 23:51 . 2008-04-12 23:51 <DIR> d-------- C:\WINDOWS\system32\RegVac
2008-04-12 23:50 . 2008-04-12 23:50 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2008-04-12 23:50 . 2008-04-12 23:50 <DIR> d-------- C:\Program Files\HtmlSnapshot
2008-04-12 23:47 . 2008-04-12 23:47 <DIR> d-------- C:\Program Files\HD Tune
2008-04-12 23:42 . 2008-04-12 23:42 40 --a------ C:\WINDOWS\iltwain.ini
2008-04-12 23:41 . 2008-04-12 23:45 <DIR> d-------- C:\Program Files\EzGenerator3
2008-04-10 18:52 . 2008-04-10 18:52 <DIR> d-------- C:\Program Files\MyPhoneExplorer
2008-04-10 18:52 . 2008-04-10 18:53 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\MyPhoneExplorer
2008-04-06 22:25 . 2008-04-06 22:25 <DIR> d-------- C:\Program Files\TONDACH strechy 2007
2008-04-05 22:14 . 2008-04-05 22:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-05 22:14 . 2008-04-05 22:14 <DIR> d-------- C:\Documents and Settings\Tomáš a Radka\Data aplikací\PC Tools
2008-04-05 22:14 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-04-05 22:14 . 2007-08-02 10:49 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-05 22:14 . 2007-08-02 10:49 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-05 22:14 . 2007-08-02 10:49 38,728 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-05 22:14 . 2007-08-02 10:49 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-05 20:47 . 2008-04-05 20:47 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-04 14:16 . 2008-04-04 14:24 <DIR> d-------- C:\Program Files\AMD
2008-04-04 13:37 . 2008-04-04 13:37 2,322,176 --a------ C:\WINDOWS\system32\TUKernel.exe
2008-04-04 13:34 . 2008-04-04 13:36 <DIR> d--h----- C:\WINDOWS\Icons
2008-04-03 17:50 . 2008-04-03 17:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-03 17:50 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-03 17:50 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-03 17:50 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-03 17:49 . 2008-04-03 17:50 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 17:49 . 2008-04-09 12:27 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-03 07:28 . 2008-04-03 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ATI
2008-04-03 07:27 . 2008-04-03 07:27 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-03 07:26 . 2008-04-04 12:38 <DIR> d-------- C:\Program Files\Steam
2008-04-02 21:24 . 2008-04-15 23:18 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-02 17:24 . 2008-04-02 17:24 <DIR> d-------- C:\Program Files\Kodek CZ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 10:31 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-13 12:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 22:52 --------- d-----w C:\Program Files\ESET
2008-04-09 10:28 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2008-04-04 16:14 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-04-04 16:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-04 16:14 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-04 12:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 05:25 --------- d-----w C:\Program Files\ATI Technologies
2008-03-30 21:59 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-30 21:12 --------- d-----w C:\Program Files\MSBuild
2008-03-30 20:25 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-03-30 19:53 --------- d-----w C:\Program Files\Microsoft Works
2008-03-30 19:52 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-30 19:50 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-30 19:39 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-03-30 19:39 --------- d-----w C:\Program Files\Alcohol Soft
2008-03-30 19:38 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9389.sys
2008-03-30 19:38 642,560 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-30 19:31 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-03-30 19:06 --------- d-----w C:\Documents and Settings\Tomáš a Radka\Data aplikací\URSoft
2008-03-30 19:06 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-03-30 19:05 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-30 19:05 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-30 19:05 --------- d-----w C:\Documents and Settings\Tomáš a Radka\Data aplikací\TuneUp Software
2008-03-30 19:05 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-03-30 19:01 --------- d-----w C:\Documents and Settings\Tomáš a Radka\Data aplikací\Teleca
2008-03-30 19:01 --------- d-----w C:\Documents and Settings\Tomáš a Radka\Data aplikací\ATI
2008-03-30 18:58 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-03-30 18:58 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-03-30 18:58 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-30 18:56 --------- d-----w C:\Program Files\Sony Ericsson
2008-03-30 18:56 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-30 18:56 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Teleca
2008-03-30 18:56 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Sony Ericsson
2008-03-30 18:55 6,176 ----a-w C:\WINDOWS\system32\drivers\w810cm.sys
2008-03-30 18:55 5,808 ----a-w C:\WINDOWS\system32\drivers\w810wh.sys
2008-03-30 18:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-30 18:49 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-03-30 18:12 558,142 ----a-w C:\WINDOWS\java\Packages\S8EKTRVV.ZIP
2008-03-30 18:12 155,995 ----a-w C:\WINDOWS\java\Packages\KHJ7JVZB.ZIP
2008-03-30 18:12 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-25 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"SkinClock"="C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-02-20 14:29 524800]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"WinDll32"="C:\WINDOWS\system32:Dll32.exe" [2008-04-17 12:36 13312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

C:\Documents and Settings\Tomáš a Radka\Nabídka Start\Programy\Po spuštění\
NOD.lnk - C:\Program Files\ESET\nod32kui.exe [2008-03-30 21:00:12 949376]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
SPEEDFUN.lnk - C:\Program Files\SpeedFan\speedfan.exe [2007-09-17 19:04:02 2902528]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"E:\\PES 2008\\PES2008.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"E:\\Strong\\StrongDC.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"E:\\Crysis\\Bin32\\Crysis.exe"=
"E:\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2007-08-14 09:28]
R2 AMDRAIDXpert;AMD RAIDXpert;"C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe" -s raidxpert.wrapper.conf []
R2 avGuard;avGuard Service;C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashAvSrv.exe [2007-08-29 14:48]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
R3 AshAvScan;AshAvScan;C:\WINDOWS\system32\DRIVERS\AshAvScan.sys [2007-04-16 17:25]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-30 21:05]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CD100847-C7D4-744C-C8F6-0AE88ED79EF0}]
C:\WINDOWS\system32:Dll32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 17:55:20 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 12:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinDll32 = C:\WINDOWS\system32:Dll32.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


C:\WINDOWS\system32:Dll32.exe 13312 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\TOMARA~1\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vorbis.dll
-> C:\WINDOWS\system32\ogg.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\vorbis.dll
-> C:\WINDOWS\system32\ogg.dll
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-04-17 12:37:28
ComboFix-quarantined-files.txt 2008-04-17 10:37:24

Adresářů: 7, Volných bajtů: 5,661,900,800
Adresářů: 10, Volných bajtů: 6,381,727,744
.
2008-04-09 10:29:00 --- E O F ---

#4 Simon V.

Posted 28 April 2008 - 10:41 AM

This one is already solved, I just need to clarify the "C:\WINDOWS\system32:Dll32.exe" part.

It means Dll32.exe is an ADS file. Please do the following -

Step 1

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the image above, drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'No'.

Posted Image

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

KillAll::

File::

C:\log.tmp 
C:\WINDOWS\ss3unstl.exe
C:\DH Temp.tmp

Folder::

C:\WINDOWS\system32\QVJGTGljZW5zZUluZm8= 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinDll32"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CD100847-C7D4-744C-C8F6-0AE88ED79EF0}] 

ADS::

C:\WINDOWS\system32

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.
Step 4

In your next reply, please post:
  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log

Simon V.

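As an added illustration (not part of the thread, and not a ComboFix or HijackThis feature), the following Python script walks autorun lines in the format these tools print and flags any path carrying a second colon, which on NTFS means an alternate data stream such as the C:\WINDOWS\system32:Dll32.exe entry above. The sample lines are a constructed excerpt assembled from this log; the regex and the `:$DATA` handling are my own.

```python
import re

# A Win32 path starting with a drive letter, running until a closing quote,
# the " [date size]" annotation ComboFix appends, or the end of the line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?)(?=\s*\[|"|$)')


def split_ads(path):
    """Return (host, stream) when `path` names an NTFS alternate data stream.

    The only colon an ordinary Win32 path may contain is the one after the
    drive letter; any further colon separates the host object (a file *or* a
    directory, as with system32 here) from the stream name.  A trailing
    ':$DATA' stream-type suffix is dropped so the stream name comes out clean.
    Returns None for a plain path or for the unnamed default stream ('::$DATA').
    """
    if path.upper().endswith(":$DATA"):
        path = path[: -len(":$DATA")]
    body = path[2:]                      # skip 'C:' so the drive colon is ignored
    if ":" not in body:
        return None
    host, stream = path.rsplit(":", 1)
    if not stream:                       # 'file::$DATA' is the normal data stream
        return None
    return host, stream


def scan_autorun_lines(text):
    """Scan log text line by line; one finding per path that hides in an ADS.

    A plain 'dir' of the host directory will not list such a stream, which is
    why the poster could not find Dll32.exe in system32 ('dir /R' does list
    streams on Vista and later).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PATH_RE.finditer(line):
            path = m.group(1).rstrip()
            ads = split_ads(path)
            if ads is None:
                continue
            host, stream = ads
            findings.append({"line": lineno, "path": path,
                             "host": host, "stream": stream})
    return findings


# Constructed excerpt: lines copied from the thread's ComboFix / HijackThis output.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"WinDll32"="C:\WINDOWS\system32:Dll32.exe" [2008-04-17 12:36 13312]
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CD100847-C7D4-744C-C8F6-0AE88ED79EF0}]
C:\WINDOWS\system32:Dll32.exe
O4 - HKLM\..\Run: [WinDll32] C:\WINDOWS\system32:Dll32.exe
'''.strip()


if __name__ == "__main__":
    for f in scan_autorun_lines(SAMPLE_LOG):
        print(f"line {f['line']}: stream '{f['stream']}' attached to {f['host']}")
```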

#5 br4n0 (Topic Starter)

Posted 28 April 2008 - 10:55 AM

Alternate data stream! :thumbsup: That's what I wanted to know. As I said, the log is not mine, but I will follow the instructions at the next occurrence of an ADS. Thanks a lot.

#6 Simon V.

Posted 28 April 2008 - 11:37 AM

Alternate data stream! :thumbsup: That's what I wanted to know. As I said, the log is not mine, but I will follow the instructions at the next occurrence of an ADS. Thanks a lot.

These instructions are tailored to the situation and should not be used as a general cleaning procedure. You risk losing computer access if you use these tools improperly. The computer is not yet clean, but as I understand it this can be closed.
Simon V.


#7 br4n0 (Topic Starter)

Posted 28 April 2008 - 11:48 AM

I meant just the ComboFix "ADS" command. I'm not a UNITE member but I know how to use these tools.

Edited by br4n0, 28 April 2008 - 11:59 AM.
