Popups, Rundll32.exe Failing On Startup - Help Required.


  • This topic is locked
10 replies to this topic

#1 onesikgypo

onesikgypo

  • Members
  • 22 posts

Posted 30 July 2008 - 09:50 PM

A couple of days ago my brother used my computer to install something; it looks like it had a nasty trojan in it. Since then I have been unable to access Add/Remove Programs etc. and get a popup about rundll32.exe failing when I log in to my account.

I also get several popups opening up.

Any help would be greatly appreciated.


Deckard's System Scanner v20071014.68
Run by Matt on 2008-07-31 12:39:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
97: 2008-07-31 02:39:43 UTC - RP105 - Deckard's System Scanner Restore Point
96: 2008-07-30 06:07:24 UTC - RP104 - Installed AVG Free 8.0
95: 2008-07-29 12:37:27 UTC - RP103 - Installed AVG 8.0
94: 2008-07-29 12:36:48 UTC - RP102 - Removed AVG 8.0
93: 2008-07-26 14:38:50 UTC - RP101 - System Checkpoint


-- First Restore Point --
1: 2008-07-21 07:08:36 UTC - RP9 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Matt.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:57 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\Rising\Rfw\rfwstub.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\VnrPack\VnrPack20.exe
C:\Program Files\GetPack\GetPack20.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt.DAD2\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll (file missing)
O2 - BHO: {c9558580-34b9-8df9-14b4-d80baf844071} - {170448fa-b08d-4b41-9fd8-9b430858559c} - C:\WINDOWS\system32\omdste.dll (file missing)
O2 - BHO: (no name) - {1FBF2022-042E-449E-BF3F-B1D0BD59DD88} - C:\WINDOWS\system32\hgGaaXnL.dll (file missing)
O2 - BHO: targetedbanner browser optimizer - {47e1641c-6c91-a94d-617e-ceeb01afc939} - C:\WINDOWS\system32\cklnnoddqb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: DrFlex IE Helper - {8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A} - C:\Program Files\QdrDrive\QdrDrive20.dll
O2 - BHO: mysidesearch search enhancer - {e72c09bf-cab1-f222-c8fc-90e65515d819} - C:\WINDOWS\system32\jnureoatngmnv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [{DA-A9-9D-D6-DW}] C:\windows\system32\rqwnw64l.exe DWram02
O4 - HKLM\..\Run: [{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cklnnoddqb.dll" DllStart
O4 - HKLM\..\Run: [341da979] rundll32.exe "C:\WINDOWS\system32\hsmsphlw.dll",b
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Matt.DAD2\Application Data\Microsoft\Windows\ypjppwcd.exe
O4 - HKCU\..\Run: [VnrPack20] "C:\Program Files\VnrPack\VnrPack20.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [GetPack20] "C:\Program Files\GetPack\GetPack20.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ocntptdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rqwnw64l.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0071708.dat
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFueSBZb3Vzc2Vm\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe

--
End of file - 7616 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 cmdService (Command Service) - c:\windows\sgfuesbzb3vzc2vm\command.exe (file missing)
S2 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)
S3 ose (Office Source Engine) - "c:\program files\common files\microsoft shared\source engine\ose.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 12:36:33 0 d-------- C:\Program Files\Trend Micro
2008-07-30 20:05:39 16 --a------ C:\WINDOWS\RSBDBACKUP.DLL
2008-07-30 19:59:32 0 d-------- C:\Program Files\Rising
2008-07-30 19:58:37 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rising
2008-07-30 16:07:36 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-29 22:30:23 0 d-------- C:\Program Files\GetPack
2008-07-29 22:14:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Start Menu
2008-07-29 22:14:46 0 d-------- C:\Program Files\VAV
2008-07-29 22:12:49 101888 --a------ C:\WINDOWS\system32\mcgvyj.dll
2008-07-29 22:12:45 101888 --a------ C:\WINDOWS\system32\kcwohvrq.dll
2008-07-29 22:12:08 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Macromedia
2008-07-29 22:12:08 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Adobe
2008-07-29 22:11:54 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Favorites
2008-07-29 22:10:01 0 d-------- C:\Program Files\mjc
2008-07-29 22:09:58 0 d-------- C:\Program Files\QdrDrive
2008-07-29 22:09:58 0 d-------- C:\Program Files\iCheck
2008-07-26 00:50:06 355840 --a------ C:\WINDOWS\b148.exe
2008-07-23 19:43:21 0 d-------- C:\Documents and Settings\Matt.DAD2\.housecall6.6
2008-07-23 19:41:40 101888 --a------ C:\WINDOWS\system32\saxdrk.dll
2008-07-23 19:41:37 101888 --a------ C:\WINDOWS\system32\ptitxcgn.dll
2008-07-23 19:39:24 93696 --a------ C:\WINDOWS\system32\gmmeawam.dll
2008-07-23 19:22:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon
2008-07-23 02:46:56 34816 --a------ C:\WINDOWS\b156.exe
2008-07-22 17:18:08 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\SpeedRunner
2008-07-22 17:18:07 0 d-------- C:\Program Files\InetGet2
2008-07-22 17:13:07 0 d-------- C:\Program Files\Sakora
2008-07-22 17:13:03 0 d-------- C:\Program Files\Webtools
2008-07-22 17:13:02 0 d-------- C:\Program Files\Temporary
2008-07-22 05:14:38 51200 --a------ C:\WINDOWS\system32\__c0071708.dat
2008-07-22 05:11:35 81920 --a------ C:\WINDOWS\system32\jfcvschk.dll
2008-07-22 00:03:33 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-07-22 00:03:31 298316 --a------ C:\WINDOWS\system32\gside.exe
2008-07-21 21:00:37 0 d-------- C:\Program Files\Sony
2008-07-21 20:59:43 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-21 18:54:41 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\Adobe
2008-07-21 18:54:32 0 dr------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Favorites
2008-07-21 18:00:54 178616 --a------ C:\WINDOWS\plate611.exe <Not Verified; Plate; Plate>
2008-07-21 18:00:53 0 d-------- C:\Program Files\VnrPack
2008-07-21 18:00:53 0 d-------- C:\Program Files\ISM
2008-07-21 17:08:26 474746 --ahs---- C:\WINDOWS\system32\LnXaaGgh.ini2
2008-07-21 17:07:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-07-21 17:03:33 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-07-21 17:03:31 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-07-21 17:03:29 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\NetMon
2008-07-21 17:03:28 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-07-21 17:03:28 0 d--hs---- C:\WINDOWS\SGFueSBZb3Vzc2Vm
2008-07-21 17:03:28 0 d-------- C:\Program Files\Network Monitor
2008-07-21 17:03:24 152268 --a------ C:\WINDOWS\system32\g75.exe
2008-07-21 17:03:23 64841 --a------ C:\WINDOWS\system32\gsrgdgscturw.exe
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\wnet
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\vdf1
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\jav2
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\confg
2008-07-21 17:03:17 0 d-------- C:\WINDOWS\system32\carH18
2008-07-21 17:03:17 0 d-------- C:\Temp
2008-07-21 17:02:07 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-21 16:54:02 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\LimeWire
2008-07-21 15:00:31 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Sony
2008-07-21 14:56:01 0 d-------- C:\Program Files\Sony Setup
2008-07-09 01:10:04 158208 --a------ C:\WINDOWS\system32\cklnnoddqb.dll
2008-07-04 00:45:24 364544 --a------ C:\WINDOWS\system32\jnureoatngmnv.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-22 09:26:21 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Adobe
2008-06-12 20:25:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 20:25:35 0 d-------- C:\Program Files\CFM
2008-06-12 20:25:11 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\InstallShield
2008-06-07 12:19:44 0 d-------- C:\Program Files\Java
2008-06-07 12:19:13 0 d-------- C:\Program Files\Common Files
2008-06-07 12:19:13 0 d-------- C:\Program Files\Common Files\Java
2008-06-07 12:18:58 0 d-------- C:\Program Files\Microsoft Analysis Services
2008-06-07 12:18:53 0 d-------- C:\Program Files\Microsoft SQL Server


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-07-31 12:41:32 ------------
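Added example (not part of the original post, and not a BleepingComputer or HijackThis tool): a small triage script that reads HijackThis-style lines such as the ones in the log above and flags the entries an analyst would look at first. The sample input is constructed from ten lines copied from the log; the heuristics (orphaned "(file missing)" entries, a populated AppInit_DLLs value, services with no owner, hex-only Run value names, executables launched from the user's Application Data, and filenames with almost no vowels) are assumptions of this example, not rules the forum helpers apply, and the vowel test in particular will produce false positives on short vendor acronyms, so treat its output as a reading aid rather than a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: ten lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: targetedbanner browser optimizer - {47e1641c-6c91-a94d-617e-ceeb01afc939} - C:\WINDOWS\system32\cklnnoddqb.dll
O2 - BHO: (no name) - {1FBF2022-042E-449E-BF3F-B1D0BD59DD88} - C:\WINDOWS\system32\hgGaaXnL.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [341da979] rundll32.exe "C:\WINDOWS\system32\hsmsphlw.dll",b
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Matt.DAD2\Application Data\Microsoft\Windows\ypjppwcd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0071708.dat
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFueSBZb3Vzc2Vm\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Filename stems of executables/DLLs mentioned in an entry (hypothetical heuristics).
FILENAME_RE = re.compile(r'([A-Za-z0-9_~\-]+)\.(?:exe|dll|dat|sys)\b', re.I)
RUN_NAME_RE = re.compile(r'\[([^\]]+)\]')
VOWELS = set("aeiouAEIOU")
HOST_LOADERS = {"rundll32", "regsvr32"}  # legitimate hosts; judge what they load instead


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude proxy for a generated name: 8+ chars with under 20% vowels among letters."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with the reasons an entry deserves a look, or None if nothing fired."""
    m = re.match(r'(O\d+|R\d)\s+-\s+(.*)', line)
    if not m:
        return None
    section, rest = m.groups()
    reasons: List[str] = []
    if "(file missing)" in rest:
        reasons.append("file missing")                  # orphaned entry: removed or self-deleted
    if section == "O2" and rest.startswith("BHO: (no name)"):
        reasons.append("BHO without a display name")
    if section == "O4":
        name = RUN_NAME_RE.search(rest)
        if name and re.fullmatch(r'[0-9a-fA-F]{8,}', name.group(1)):
            reasons.append("hex-only Run value name")
        if "\\application data\\" in rest.lower():
            reasons.append("executable launched from user profile Application Data")
    if section == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs entry present")    # loaded into every process that maps user32
    if section == "O23" and "Unknown owner" in rest:
        reasons.append("service with unknown owner")
    for stem in FILENAME_RE.findall(rest):
        if stem.lower() not in HOST_LOADERS and looks_random(stem):
            reasons.append(f"random-looking filename: {stem}")
    return Finding(section, line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep only the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        finding = triage_line(raw.strip())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {'; '.join(f.reasons)}")
        print(f"      {f.line}")
```

On the sample, the legitimate NVIDIA rundll32 entry, the AVG tray icon, the Java BHO and the NVIDIA service pass through untouched, while the six entries that the helpers in this thread would target (the two random-named BHOs, the hex-named and profile-launched Run values, the AppInit_DLLs hook and the ownerless service) are reported with the specific reason each one fired.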

#2 onesikgypo

onesikgypo
  • Topic Starter

  • Members
  • 22 posts

Posted 06 August 2008 - 09:28 PM

bump

#3 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 09 August 2008 - 06:32 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
Microsoft MVP Consumer Security

#4 onesikgypo

onesikgypo
  • Topic Starter

  • Members
  • 22 posts

Posted 12 August 2008 - 04:22 AM

Hi,

Sorry for the delay, the requested details are provided below.

Please note that when I ran DSS, no extra.txt came up, minimised or otherwise, nor is it in the folder in C:\ where the main.txt log is.
Furthermore, whenever I tried to do the second part of using DSS by first selecting "Check all", it never ran to completion; I always received the error that Windows encountered a problem....

Main.txt:

Deckard's System Scanner v20071014.68
Run by Matt on 2008-08-10 17:25:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matt.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:24 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\Rising\Rfw\rfwstub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\VnrPack\VnrPack20.exe
C:\Program Files\GetPack\GetPack20.exe
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Documents and Settings\Matt.DAD2\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Webtools\webtools.dll (file missing)
O2 - BHO: {c9558580-34b9-8df9-14b4-d80baf844071} - {170448fa-b08d-4b41-9fd8-9b430858559c} - C:\WINDOWS\system32\omdste.dll (file missing)
O2 - BHO: (no name) - {1FBF2022-042E-449E-BF3F-B1D0BD59DD88} - C:\WINDOWS\system32\hgGaaXnL.dll (file missing)
O2 - BHO: targetedbanner browser optimizer - {47e1641c-6c91-a94d-617e-ceeb01afc939} - C:\WINDOWS\system32\cklnnoddqb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: DrFlex IE Helper - {8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A} - C:\Program Files\QdrDrive\QdrDrive20.dll
O2 - BHO: mysidesearch search enhancer - {e72c09bf-cab1-f222-c8fc-90e65515d819} - C:\WINDOWS\system32\jnureoatngmnv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{DA-A9-9D-D6-DW}] C:\windows\system32\rqwnw64l.exe DWram02
O4 - HKLM\..\Run: [341da979] rundll32.exe "C:\WINDOWS\system32\hsmsphlw.dll",b
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cklnnoddqb.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Matt.DAD2\Application Data\Microsoft\Windows\ypjppwcd.exe
O4 - HKCU\..\Run: [VnrPack20] "C:\Program Files\VnrPack\VnrPack20.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [GetPack20] "C:\Program Files\GetPack\GetPack20.exe"
O4 - HKCU\..\Run: [VnrBlock20] "C:\Program Files\VnrBlock\VnrBlock20.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ocntptdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rqwnw64l.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0071708.dat
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFueSBZb3Vzc2Vm\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe

--
End of file - 8363 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-09 21:50:00 0 d-------- C:\WINDOWS\Sun
2008-08-09 21:49:59 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Sun
2008-08-08 23:55:10 364544 --a------ C:\WINDOWS\system32\jnureoatngmnv.dll
2008-08-07 23:13:15 0 d-------- C:\Program Files\VnrBlock
2008-08-01 19:47:00 160768 --a------ C:\WINDOWS\system32\cklnnoddqb.dll
2008-07-31 13:03:50 0 d-------- C:\Program Files\SpywareBlaster
2008-07-31 12:57:56 0 d-------- C:\ie-spyad_zo
2008-07-31 12:51:45 0 d-------- C:\Program Files\Panda Security
2008-07-31 12:36:33 0 d-------- C:\Program Files\Trend Micro
2008-07-30 20:05:39 16 --a------ C:\WINDOWS\RSBDBACKUP.DLL
2008-07-30 19:59:32 0 d-------- C:\Program Files\Rising
2008-07-30 19:58:37 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rising
2008-07-30 16:07:36 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-29 22:30:23 0 d-------- C:\Program Files\GetPack
2008-07-29 22:14:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Start Menu
2008-07-29 22:14:46 0 d-------- C:\Program Files\VAV
2008-07-29 22:12:49 101888 --a------ C:\WINDOWS\system32\mcgvyj.dll
2008-07-29 22:12:45 101888 --a------ C:\WINDOWS\system32\kcwohvrq.dll
2008-07-29 22:12:08 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Macromedia
2008-07-29 22:12:08 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Adobe
2008-07-29 22:11:54 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Favorites
2008-07-29 22:10:01 0 d-------- C:\Program Files\mjc
2008-07-29 22:09:58 0 d-------- C:\Program Files\QdrDrive
2008-07-29 22:09:58 0 d-------- C:\Program Files\iCheck
2008-07-26 00:50:06 355840 --a------ C:\WINDOWS\b148.exe
2008-07-23 19:43:21 0 d-------- C:\Documents and Settings\Matt.DAD2\.housecall6.6
2008-07-23 19:41:40 101888 --a------ C:\WINDOWS\system32\saxdrk.dll
2008-07-23 19:41:37 101888 --a------ C:\WINDOWS\system32\ptitxcgn.dll
2008-07-23 19:39:24 93696 --a------ C:\WINDOWS\system32\gmmeawam.dll
2008-07-23 19:22:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon
2008-07-22 17:18:08 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\SpeedRunner
2008-07-22 17:18:07 0 d-------- C:\Program Files\InetGet2
2008-07-22 17:13:07 0 d-------- C:\Program Files\Sakora
2008-07-22 17:13:03 0 d-------- C:\Program Files\Webtools
2008-07-22 17:13:02 0 d-------- C:\Program Files\Temporary
2008-07-22 05:11:35 81920 --a------ C:\WINDOWS\system32\jfcvschk.dll
2008-07-22 00:03:33 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-07-22 00:03:31 298316 --a------ C:\WINDOWS\system32\gside.exe
2008-07-21 21:00:37 0 d-------- C:\Program Files\Sony
2008-07-21 20:59:43 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-21 18:54:41 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\Adobe
2008-07-21 18:54:32 0 dr------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Favorites
2008-07-21 18:00:54 178616 --a------ C:\WINDOWS\plate611.exe <Not Verified; Plate; Plate>
2008-07-21 18:00:53 0 d-------- C:\Program Files\VnrPack
2008-07-21 18:00:53 0 d-------- C:\Program Files\ISM
2008-07-21 17:08:26 474746 --ahs---- C:\WINDOWS\system32\LnXaaGgh.ini2
2008-07-21 17:07:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-07-21 17:03:33 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-07-21 17:03:31 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-07-21 17:03:29 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\NetMon
2008-07-21 17:03:28 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-07-21 17:03:28 0 d--hs---- C:\WINDOWS\SGFueSBZb3Vzc2Vm
2008-07-21 17:03:28 0 d-------- C:\Program Files\Network Monitor
2008-07-21 17:03:24 152268 --a------ C:\WINDOWS\system32\g75.exe
2008-07-21 17:03:23 64864 --a------ C:\WINDOWS\system32\gsrgdgscturw.exe
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\wnet
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\vdf1
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\jav2
2008-07-21 17:03:20 0 d-------- C:\WINDOWS\system32\confg
2008-07-21 17:03:17 0 d-------- C:\WINDOWS\system32\carH18
2008-07-21 17:03:17 0 d-------- C:\Temp
2008-07-21 17:02:07 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-21 16:54:02 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\LimeWire
2008-07-21 15:00:31 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Sony
2008-07-21 14:56:01 0 d-------- C:\Program Files\Sony Setup


-- Find3M Report ---------------------------------------------------------------

2008-08-09 21:42:42 0 d-------- C:\Program Files\Java
2008-06-22 09:26:21 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Adobe
2008-06-12 20:25:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 20:25:35 0 d-------- C:\Program Files\CFM
2008-06-12 20:25:11 0 d-------- C:\Documents and Settings\Matt.DAD2\Application Data\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
C:\Program Files\Webtools\webtools.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{170448fa-b08d-4b41-9fd8-9b430858559c}]
C:\WINDOWS\system32\omdste.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FBF2022-042E-449E-BF3F-B1D0BD59DD88}]
C:\WINDOWS\system32\hgGaaXnL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e1641c-6c91-a94d-617e-ceeb01afc939}]
08/01/2008 07:47 PM 160768 --a------ C:\WINDOWS\system32\cklnnoddqb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A}]
07/23/2008 11:02 PM 147456 --a------ C:\Program Files\QdrDrive\QdrDrive20.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e72c09bf-cab1-f222-c8fc-90e65515d819}]
08/08/2008 11:55 PM 364544 --a------ C:\WINDOWS\system32\jnureoatngmnv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/31/2006 06:35 AM]
"nwiz"="nwiz.exe" [10/31/2006 06:35 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/31/2006 06:35 AM]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 03:03 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"{DA-A9-9D-D6-DW}"="C:\windows\system32\rqwnw64l.exe" []
"341da979"="C:\WINDOWS\system32\hsmsphlw.dll" []
"Antivirus"="C:\Program Files\VAV\vav.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/30/2008 04:07 PM]
"RfwMain"="C:\Program Files\Rising\Rfw\rfwmain.exe" [07/30/2008 09:10 PM]
"{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}"="C:\WINDOWS\system32\cklnnoddqb.dll" [08/01/2008 07:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 10:00 PM]
"Sakora"="C:\Program Files\Sakora\Sakora.exe" [07/29/2008 10:20 PM]
"SfKg6wIP"="C:\Documents and Settings\Matt.DAD2\Application Data\Microsoft\Windows\ypjppwcd.exe" []
"VnrPack20"="C:\Program Files\VnrPack\VnrPack20.exe" [07/24/2008 07:39 PM]
"mjc"="C:\Program Files\mjc\mjc.exe" []
"Antivirus"="C:\Program Files\VAV\vav.exe" []
"GetPack20"="C:\Program Files\GetPack\GetPack20.exe" [07/22/2008 08:36 PM]
"VnrBlock20"="C:\Program Files\VnrBlock\VnrBlock20.exe" [08/05/2008 04:17 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 07/23/2006 08:49 AM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\__c0071708.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaXnL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-08-10 17:26:38 ------------


Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 08:09:43
Records in database: 1078192
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 21560
Threat name: 6
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 00:13:38


File name / Threat name / Threats count
C:\WINDOWS\system32\cklnnoddqb.dll/C:\WINDOWS\system32\cklnnoddqb.dll Infected: Trojan-Clicker.Win32.Agent.bmy 4
C:\Program Files\Sakora\Sakora.exe/C:\Program Files\Sakora\Sakora.exe Infected: Trojan.Win32.Multis.cx 1
C:\Program Files\Sakora\Sakora.exe Infected: Trojan.Win32.Multis.cx 1
C:\WINDOWS\plate611.exe Infected: not-a-virus:AdWare.Win32.Rabio.x 1
C:\WINDOWS\system32\cklnnoddqb.dll Infected: Trojan-Clicker.Win32.Agent.bmy 1
C:\WINDOWS\system32\gside.exe Infected: not-a-virus:AdWare.Win32.BHO.cdk 1
C:\WINDOWS\system32\gsrgdgscturw.exe Infected: Trojan-Downloader.NSIS.Agent.av 1
C:\WINDOWS\system32\kcwohvrq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvx 1
C:\WINDOWS\system32\mcgvyj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvx 1

The selected area was scanned.

#5 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 13 August 2008 - 02:02 AM

Hello, onesikgypo.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 onesikgypo
  • Topic Starter
  • Members
  • 22 posts

Posted 13 August 2008 - 05:52 AM

Hi Billy,

Thanks for all your help thus far.

I've provided the log as required; however, one thing I should note (as I am not sure if this is related or not) is that during the running of ComboFix I got a RUNDLL error: Error Loading C:\Windows\system32\hsmsphlw.dll The Specified Module could not be found.

ComboFix 08-08-12.01 - Matt 2008-08-13 19:31:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT 10:00]
Running from: C:\Documents and Settings\Matt.DAD2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matt.DAD2\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Matt.DAD2\Application Data\SpeedRunner
C:\Documents and Settings\Matt.DAD2\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Matt.DAD2\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Matt.DAD2\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\NetMon
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\NetMon\log.txt
C:\Program Files\GetPack
C:\Program Files\GetPack\GetPack20.exe
C:\Program Files\GetPack\trgtame.gz
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mjc
C:\Program Files\network monitor
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive20.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\Sakora
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\Temporary
C:\Program Files\VAV
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\Program Files\VnrPack
C:\Program Files\VnrPack\trgts.gz
C:\Program Files\VnrPack\uhberupd.exe
C:\Program Files\VnrPack\VnrPack20.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b148.exe
C:\WINDOWS\BM372e9ae5.txt
C:\WINDOWS\BM372e9ae5.xml
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\RSBDBACKUP.DLL
C:\WINDOWS\SGFueSBZb3Vzc2Vm\
C:\WINDOWS\SGFueSBZb3Vzc2Vm\\m3IRym1tvapWwZpA.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cijikunf.ini
C:\WINDOWS\system32\gmmeawam.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\jfcvschk.dll
C:\WINDOWS\system32\jnureoatngmnv.dll
C:\WINDOWS\system32\kcwohvrq.dll
C:\WINDOWS\system32\khcsvcfj.ini
C:\WINDOWS\system32\LnXaaGgh.ini
C:\WINDOWS\system32\LnXaaGgh.ini2
C:\WINDOWS\system32\lvtiabgv.ini
C:\WINDOWS\system32\mcgvyj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ptitxcgn.dll
C:\WINDOWS\system32\saxdrk.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wlhpsmsh.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-11 17:27 . 2008-08-11 17:27 <DIR> d-------- C:\Program Files\BChanger
2008-08-09 21:50 . 2008-08-09 21:50 <DIR> d-------- C:\WINDOWS\Sun
2008-08-09 21:42 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-07 23:13 . 2008-08-08 07:31 <DIR> d-------- C:\Program Files\VnrBlock
2008-08-01 19:47 . 2008-08-01 19:47 160,768 --a------ C:\WINDOWS\system32\cklnnoddqb.dll
2008-07-31 13:03 . 2008-08-01 17:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 12:57 . 2008-07-31 12:57 <DIR> d-------- C:\ie-spyad_zo
2008-07-31 12:51 . 2008-07-31 12:51 <DIR> d-------- C:\Program Files\Panda Security
2008-07-31 12:51 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-31 12:39 . 2008-07-31 12:39 <DIR> d-------- C:\Deckard
2008-07-31 12:36 . 2008-07-31 12:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 20:01 . 2008-08-06 23:32 49 --a------ C:\WINDOWS\rav.ini
2008-07-30 20:00 . 2008-07-30 19:58 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-07-30 20:00 . 2008-07-30 19:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-07-30 20:00 . 2008-07-30 21:10 19,568 --a------ C:\WINDOWS\system32\drivers\rfwbase.sys
2008-07-30 19:59 . 2008-07-30 19:59 <DIR> d-------- C:\Program Files\Rising
2008-07-30 19:59 . 2008-08-06 16:29 90 --a------ C:\WINDOWS\Rfw.inf
2008-07-30 19:58 . 2008-07-30 19:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rising
2008-07-30 19:58 . 2008-08-13 19:37 163 --a------ C:\WINDOWS\Rfw.ini
2008-07-30 16:07 . 2008-08-13 01:45 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-30 16:07 . 2008-07-30 16:07 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-30 16:07 . 2008-07-30 16:07 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-29 22:14 . 2008-07-29 22:14 582 --a------ C:\Vista Antivirus 2008.lnk
2008-07-23 19:43 . 2008-07-23 20:10 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\.housecall6.6
2008-07-23 19:39 . 2008-07-23 19:40 43,521 --ahs---- C:\WINDOWS\system32\magvkjwq.ini
2008-07-22 17:13 . 2008-07-30 17:10 <DIR> d-------- C:\Program Files\Webtools
2008-07-22 06:51 . 2008-07-22 06:51 1,924 --a------ C:\WINDOWS\system32\fcasino.ico
2008-07-22 02:34 . 2008-07-22 02:34 1,706 --a------ C:\WINDOWS\system32\fpoker.ico
2008-07-22 00:21 . 2008-08-09 19:44 90,929 --a------ C:\WINDOWS\system32\jnureoatngmnv.dll-uninst.exe
2008-07-21 22:33 . 2008-07-21 22:33 13,942 --a------ C:\WINDOWS\system32\N90-002.ico
2008-07-21 21:00 . 2008-07-21 21:00 <DIR> d-------- C:\Program Files\Sony
2008-07-21 21:00 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-21 21:00 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-21 21:00 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-21 21:00 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-21 21:00 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-21 21:00 . 2008-07-21 21:00 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-21 18:33 . 2008-07-21 18:33 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-07-21 18:00 . 2008-07-21 18:00 178,616 --a------ C:\WINDOWS\plate611.exe
2008-07-21 17:07 . 2008-07-21 17:07 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-21 17:03 . 2008-07-30 17:44 <DIR> d-------- C:\WINDOWS\system32\wnet
2008-07-21 17:03 . 2008-07-30 17:44 <DIR> d-------- C:\WINDOWS\system32\vdf1
2008-07-21 17:03 . 2008-07-30 17:43 <DIR> d-------- C:\WINDOWS\system32\jav2
2008-07-21 17:03 . 2008-07-21 17:03 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 17:03 . 2008-07-30 17:41 <DIR> d-------- C:\WINDOWS\system32\carH18
2008-07-21 17:03 . 2008-07-21 17:03 <DIR> d-------- C:\Temp\btxv15
2008-07-21 17:03 . 2008-08-13 19:31 <DIR> d-------- C:\Temp
2008-07-21 17:03 . 2008-07-21 17:03 152,268 --a------ C:\WINDOWS\system32\g75.exe
2008-07-21 17:03 . 2008-08-02 22:13 64,864 --a------ C:\WINDOWS\system32\gsrgdgscturw.exe
2008-07-21 17:02 . 2008-08-01 17:03 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-21 16:54 . 2008-07-29 22:43 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\Application Data\LimeWire
2008-07-21 15:00 . 2008-07-21 15:00 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Sony
2008-07-21 14:56 . 2008-07-21 21:00 <DIR> d-------- C:\Program Files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:42 --------- d-----w C:\Program Files\Java
2008-07-30 06:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-04-20 06:09 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e1641c-6c91-a94d-617e-ceeb01afc939}]
2008-08-01 19:47 160768 --a------ C:\WINDOWS\system32\cklnnoddqb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"VnrBlock20"="C:\Program Files\VnrBlock\VnrBlock20.exe" [2008-08-05 04:17 343552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 06:35 7634944]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 06:35 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-30 16:07 1232152]
"RfwMain"="C:\Program Files\Rising\Rfw\rfwmain.exe" [2008-07-30 21:10 592496]
"{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}"="C:\WINDOWS\system32\cklnnoddqb.dll" [2008-08-01 19:47 160768]
"nwiz"="nwiz.exe" [2006-10-31 06:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\Matt\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-20 22:48:08 546816]

C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-20 22:48:08 546816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
2006-07-23 08:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-30 16:07]
R1 RsFwDrv;RsFwDrv;C:\Program Files\Rising\Rfw\RsFwDrv.sys [2008-07-30 21:10]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-30 16:07]
R2 RfwBase;Rising Rfwbase Driver;C:\WINDOWS\system32\DRIVERS\rfwbase.SYS [2008-07-30 21:10]
R2 RfwService;Rising Personal Firewall Service;C:\Program Files\Rising\Rfw\rfwsrv.exe [2008-07-30 21:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{170448fa-b08d-4b41-9fd8-9b430858559c} - C:\WINDOWS\system32\omdste.dll
BHO-{1FBF2022-042E-449E-BF3F-B1D0BD59DD88} - C:\WINDOWS\system32\hgGaaXnL.dll
HKCU-Run-Sakora - C:\Program Files\Sakora\Sakora.exe
HKCU-Run-VnrPack20 - C:\Program Files\VnrPack\VnrPack20.exe
HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
HKCU-Run-GetPack20 - C:\Program Files\GetPack\GetPack20.exe
HKLM-Run-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
HKLM-Run-{DA-A9-9D-D6-DW} - C:\windows\system32\rqwnw64l.exe
HKLM-Run-341da979 - C:\WINDOWS\system32\hsmsphlw.dll
HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.ninemsn.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 19:36:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Rising\Rfw\rfwstub.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-08-13 19:38:31 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2008-08-13 09:38:28

Pre-Run: 61,601,837,056 bytes free
Post-Run: 61,744,111,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

260

#7 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 13 August 2008 - 09:34 AM

Hello, onesikgypo.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/160654/popups-rundll32exe-failing-on-startup-help-required/
    
    suspect::[54]
    C:\WINDOWS\system32\antiwpa.dll
    C:\WINDOWS\WMSysPr8.prx
    C:\WINDOWS\system32\drivers\pavboot.sys
    C:\Program Files\Rising\Rfw\RsFwDrv.sys
    
    folder::
    C:\Program Files\VnrBlock
    C:\Temp
    C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
    C:\WINDOWS\system32\carH18
    C:\WINDOWS\system32\wnet
    C:\WINDOWS\system32\vdf1
    C:\WINDOWS\system32\jav2
    
    file::
    C:\WINDOWS\system32\jnureoatngmnv.dll-uninst.exe
    C:\WINDOWS\system32\magvkjwq.ini
    C:\WINDOWS\system32\gsrgdgscturw.exe
    C:\WINDOWS\system32\g75.exe
    
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e1641c-6c91-a94d-617e-ceeb01afc939}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VnrBlock20"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{0efef7f0-4ca2-0f07-6cfc-809e6d4d7cd5}]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#8 onesikgypo
  • Topic Starter
  • Members
  • 22 posts

Posted 13 August 2008 - 09:44 AM

Hi Billy,

Here is the log as requested.

Further, I would like to point out that at the end of the scan I was asked to submit some malware for further analysis, which I did successfully.

Thanks.

ComboFix 08-08-12.01 - Matt 2008-08-14 0:39:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1489 [GMT 10:00]
Running from: C:\Documents and Settings\Matt.DAD2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matt.DAD2\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\g75.exe
C:\WINDOWS\system32\gsrgdgscturw.exe
C:\WINDOWS\system32\jnureoatngmnv.dll-uninst.exe
C:\WINDOWS\system32\magvkjwq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\Program Files\VnrBlock\xtarga.gz
C:\Temp
C:\Temp\btxv15\carH.log
C:\WINDOWS\system32\carH18
C:\WINDOWS\system32\g75.exe
C:\WINDOWS\system32\gsrgdgscturw.exe
C:\WINDOWS\system32\jav2
C:\WINDOWS\system32\jnureoatngmnv.dll-uninst.exe
C:\WINDOWS\system32\magvkjwq.ini
C:\WINDOWS\system32\vdf1
C:\WINDOWS\system32\wnet

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-11 17:27 . 2008-08-11 17:27 <DIR> d-------- C:\Program Files\BChanger
2008-08-09 21:50 . 2008-08-09 21:50 <DIR> d-------- C:\WINDOWS\Sun
2008-08-09 21:42 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-01 19:47 . 2008-08-01 19:47 160,768 --a------ C:\WINDOWS\system32\cklnnoddqb.dll
2008-07-31 13:03 . 2008-08-01 17:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 12:57 . 2008-07-31 12:57 <DIR> d-------- C:\ie-spyad_zo
2008-07-31 12:51 . 2008-07-31 12:51 <DIR> d-------- C:\Program Files\Panda Security
2008-07-31 12:51 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-31 12:39 . 2008-07-31 12:39 <DIR> d-------- C:\Deckard
2008-07-31 12:36 . 2008-07-31 12:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 20:01 . 2008-08-06 23:32 49 --a------ C:\WINDOWS\rav.ini
2008-07-30 20:00 . 2008-07-30 19:58 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-07-30 20:00 . 2008-07-30 19:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-07-30 20:00 . 2008-07-30 21:10 19,568 --a------ C:\WINDOWS\system32\drivers\rfwbase.sys
2008-07-30 19:59 . 2008-07-30 19:59 <DIR> d-------- C:\Program Files\Rising
2008-07-30 19:59 . 2008-08-06 16:29 90 --a------ C:\WINDOWS\Rfw.inf
2008-07-30 19:58 . 2008-07-30 19:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rising
2008-07-30 19:58 . 2008-08-13 19:37 163 --a------ C:\WINDOWS\Rfw.ini
2008-07-30 16:07 . 2008-08-13 01:45 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-30 16:07 . 2008-07-30 16:07 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-30 16:07 . 2008-07-30 16:07 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-29 22:14 . 2008-07-29 22:14 582 --a------ C:\Vista Antivirus 2008.lnk
2008-07-23 19:43 . 2008-07-23 20:10 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\.housecall6.6
2008-07-22 17:13 . 2008-07-30 17:10 <DIR> d-------- C:\Program Files\Webtools
2008-07-22 06:51 . 2008-07-22 06:51 1,924 --a------ C:\WINDOWS\system32\fcasino.ico
2008-07-22 02:34 . 2008-07-22 02:34 1,706 --a------ C:\WINDOWS\system32\fpoker.ico
2008-07-21 22:33 . 2008-07-21 22:33 13,942 --a------ C:\WINDOWS\system32\N90-002.ico
2008-07-21 21:00 . 2008-07-21 21:00 <DIR> d-------- C:\Program Files\Sony
2008-07-21 21:00 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-07-21 21:00 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-07-21 21:00 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-07-21 21:00 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-07-21 21:00 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-07-21 21:00 . 2008-07-21 21:00 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-07-21 18:33 . 2008-07-21 18:33 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-07-21 18:00 . 2008-07-21 18:00 178,616 --a------ C:\WINDOWS\plate611.exe
2008-07-21 17:07 . 2008-07-21 17:07 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-21 17:03 . 2008-07-21 17:03 <DIR> d-------- C:\WINDOWS\system32\confg
2008-07-21 16:54 . 2008-07-29 22:43 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\Application Data\LimeWire
2008-07-21 15:00 . 2008-07-21 15:00 <DIR> d-------- C:\Documents and Settings\Matt.DAD2\Application Data\Sony
2008-07-21 14:56 . 2008-07-21 21:00 <DIR> d-------- C:\Program Files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:42 --------- d-----w C:\Program Files\Java
2008-07-30 06:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-04-20 06:09 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat
2008-04-20 06:09 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 06:35 7634944]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 06:35 86016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-30 16:07 1232152]
"RfwMain"="C:\Program Files\Rising\Rfw\rfwmain.exe" [2008-07-30 21:10 592496]
"nwiz"="nwiz.exe" [2006-10-31 06:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

C:\Documents and Settings\Matt\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-20 22:48:08 546816]

C:\Documents and Settings\Matt.DAD2\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-20 22:48:08 546816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
2006-07-23 08:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-30 16:07]
R1 RsFwDrv;RsFwDrv;C:\Program Files\Rising\Rfw\RsFwDrv.sys [2008-07-30 21:10]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-30 16:07]
R2 RfwBase;Rising Rfwbase Driver;C:\WINDOWS\system32\DRIVERS\rfwbase.SYS [2008-07-30 21:10]
R2 RfwService;Rising Personal Firewall Service;C:\Program Files\Rising\Rfw\rfwsrv.exe [2008-07-30 21:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 00:40:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-14 0:41:23
ComboFix-quarantined-files.txt 2008-08-13 14:41:19
ComboFix2.txt 2008-08-13 09:38:31

Pre-Run: 61,736,910,848 bytes free
Post-Run: 61,731,901,440 bytes free

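Several entries in the "Reg Loading Points" section above are the kind a malware responder reads first: the Security Center warnings for anti-virus and updates are suppressed, the Windows Firewall standard profile is off with TCP 3389 globally open, a non-default Winlogon Notify package is registered, and drive D: carries an AutoRun command. As an added example (not part of ComboFix, and not posted by anyone in this thread), the Python below parses that section format and flags exactly those conditions. The sample input is an excerpt constructed from the log above; the category labels are my own.

```python
"""Flag weakened-security settings in the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not ComboFix's own code and not from the original posts.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the "Reg Loading Points" section posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
2006-07-23 08:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.+$")


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Group each section's value lines under the [registry key] line that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (category, description) pairs for settings that weaken the host's defences."""
    findings: List[Tuple[str, str]] = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\security center"):
            # Security Center normally warns when AV or updates are off; a 1 here silences it.
            for v in values:
                m = DWORD_RE.match(v)
                if m and m.group(1).endswith("DisableNotify") and int(m.group(2), 16) == 1:
                    findings.append(("security_center", f"{m.group(1)} suppresses the Security Center warning"))
        elif k.endswith("firewallpolicy\\standardprofile"):
            for v in values:
                if re.match(r'^"enablefirewall"\s*=\s*0\b', v, re.IGNORECASE):
                    findings.append(("firewall", "Windows Firewall disabled for the standard profile"))
        elif "globallyopenports\\list" in k:
            for v in values:
                m = re.match(r'^"([^"]+)"', v)
                if m:
                    findings.append(("open_port", f"Globally open port: {m.group(1)}"))
        elif "\\winlogon\\notify\\" in k:
            # Any DLL registered under Winlogon\Notify is loaded by winlogon.exe at logon.
            package = key.rsplit("\\", 1)[-1]
            for v in values:
                m = WIN_PATH_RE.search(v)
                if m:
                    findings.append(("winlogon_notify", f"Winlogon Notify package {package} loads {m.group(0)}"))
        elif "\\mountpoints2\\" in k:
            # MountPoints2 records per-drive AutoRun commands Explorer will offer to run.
            drive = key.rsplit("\\", 1)[-1]
            for v in values:
                if "\\shell\\autorun\\command" in v.lower():
                    cmd = v.split(" - ", 1)[-1]
                    findings.append(("autorun", f"AutoRun on drive {drive} launches {cmd}"))
    return findings


if __name__ == "__main__":
    for category, description in audit(parse_loading_points(SAMPLE_LOG)):
        print(f"[{category}] {description}")
```

Paste the whole "Reg Loading Points" section of a log into SAMPLE_LOG (or read it from a file) and the script lists the six conditions present in this thread's log; the ordinary Run entry for ctfmon.exe produces no finding, which is the point of keying the checks on the registry path rather than on any executable name.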

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:11 AM

Posted 13 August 2008 - 11:45 AM

Hello, onesikgypo.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
    
    file::
    C:\WINDOWS\system32\antiwpa.dll
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use ctrl+A)
  • Right-click again and choose "Copy" (or ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:11 AM

Posted 17 August 2008 - 12:46 PM

Hello. Are you still here?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:11 AM

Posted 19 August 2008 - 09:31 AM

Hello, onesikgypo.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)