Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rundll32.exe, virus/spyware?


  • This topic is locked This topic is locked
8 replies to this topic

#1 fawn

fawn

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 20 February 2009 - 10:34 PM

Referred to from here: http://www.bleepingcomputer.com/forums/t/204827/rundll32exe-virusspyware/ ~ OB

Hi, recently i found this rundll32.exe process under my username in taskmanager. Normally or well, system files is listed under SYSTEMS at least for me. So i went into system32 and rundll32.exe turned into a pagefile. I thought it was an application icon and it was approximately 32.5kb. The backup in dllcache was a pagefile icon and the same size too.

I was wondering, if this is a virus/spyware that adds some "L337 artwork" or bunch of codes into the rundll32.exe itself.

I get svchost error randomly, sometimes it doesn't even happens. My firewall is also being crippled after i found this out. Seems to me my services.msc is going haywire sometimes. Windows audio being turned off, automatic updates being turned off and some other services getting turned off.

Anyways, this is my HJT log

DDS (Ver_09-02-01.01) - NTFSx86
Run by 72685 at 11:28:14.78 on 21-Feb-09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2503 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\DTPro\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\72685.RP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://myrp.sg
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Pro Agent] "d:\dtpro\daemon tools pro\DTProAgent.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nvtemp~1.lnk - d:\nvtemp\NvTempLogger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utagen~1.lnk - c:\program files\republic poly\utclient\UTAgent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234567517218
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234567690531
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\72685.rp\applic~1\mozilla\firefox\profiles\flpe21qz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-10-30 2368]
S3 XDva037;XDva037;\??\c:\windows\system32\xdva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva039;XDva039;\??\c:\windows\system32\xdva039.sys --> c:\windows\system32\XDva039.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\xdva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\xdva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\xdva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva170;XDva170;\??\c:\windows\system32\xdva170.sys --> c:\windows\system32\XDva170.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-21 11:18 --d----- c:\program files\ESET
2009-02-20 16:36 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-20 16:36 --d----- c:\program files\SUPERAntiSpyware
2009-02-20 16:36 --d----- c:\docume~1\72685.rp\applic~1\SUPERAntiSpyware.com
2009-02-20 08:47 --d----- c:\docume~1\72685.rp\applic~1\Malwarebytes
2009-02-20 04:20 775,168 a------- c:\windows\is-492UK.exe
2009-02-20 04:20 10,194 a------- c:\windows\is-492UK.msg
2009-02-20 04:20 220 a------- c:\windows\is-492UK.lst
2009-02-20 04:02 --d----- c:\windows\system32\NtmsData
2009-02-20 03:59 --d----- c:\windows\pss
2009-02-19 17:51 11,853 a------- c:\windows\system32\RUNDLL32.EX_
2009-02-19 15:30 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-19 15:03 3,636,864 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-02-19 15:03 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-02-19 15:03 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-02-14 07:26 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-13 02:56 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 00:43 --d----- c:\docume~1\72685.rp\applic~1\URSoft
2009-02-13 00:43 --d----- c:\program files\Your Uninstaller 2008
2009-02-03 19:18 --d----- c:\program files\PowerISO
2009-02-02 01:35 682,280 a------- c:\windows\system32\pbsvc.exe
2009-02-02 01:00 45,984 a------- c:\windows\system32\ins2.exe
2009-01-31 20:12 --d----- c:\docume~1\72685.rp\applic~1\WildTangent
2009-01-31 19:11 --d----- c:\program files\WildGames

==================== Find3M ====================

2009-02-19 15:43 33,280 a------- c:\windows\system32\rundll32.exe
2008-12-11 23:19 31 a------- c:\documents and settings\72685.rp\jagex_runescape_preferences.dat
2008-12-04 21:46 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-12-04 21:42 815,104 a------- c:\windows\system32\xvidcore.dll
2008-10-13 22:27 81,920 a------- c:\docume~1\72685.rp\applic~1\ezpinst.exe
2008-10-13 22:27 47,360 a------- c:\docume~1\72685.rp\applic~1\pcouffin.sys
2007-04-17 19:36 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 11:28:49.15 ===============

Edited by Orange Blossom, 21 February 2009 - 12:30 AM.


BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:47 PM

Posted 03 March 2009 - 05:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 fawn

fawn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 04 March 2009 - 12:47 AM

Rundll32.exe still lingers in my task manager with around 3000kb of space everytime. Sometimes my anti virus catches some attacks BY svchost.exe creating conflicker virus or something like that.

Here's my log


DDS (Ver_09-02-01.01) - NTFSx86
Run by 72685 at 13:39:11.26 on 04-Mar-09
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2442 [GMT 8:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\DTPro\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\NVTray\NVTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\NvTemp\NvTempLogger.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\72685.RP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://myrp.sg
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Pro Agent] "d:\dtpro\daemon tools pro\DTProAgent.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [NVTray] c:\program files\nvtray\NVTray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nvtemp~1.lnk - d:\nvtemp\NvTempLogger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utagen~1.lnk - c:\program files\republic poly\utclient\UTAgent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234567517218
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234567690531
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {D2A33FF0-AB83-43D7-B314-A44180A9101D} = 192.169.34.181,203.120.90.40
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\72685.rp\applic~1\mozilla\firefox\profiles\flpe21qz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.sg/

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-10-30 2368]
S3 XDva037;XDva037; [x]
S3 XDva039;XDva039; [x]
S3 XDva104;XDva104; [x]
S3 XDva121;XDva121; [x]
S3 XDva132;XDva132; [x]
S3 XDva170;XDva170; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-25 13:55 <DIR> --d----- c:\program files\NVTray
2009-02-25 12:19 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-24 21:19 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-02-21 11:18 <DIR> --d----- c:\program files\ESET
2009-02-20 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-20 16:36 <DIR> --d----- c:\docume~1\72685.rp\applic~1\SUPERAntiSpyware.com
2009-02-20 08:47 <DIR> --d----- c:\docume~1\72685.rp\applic~1\Malwarebytes
2009-02-20 04:20 775,168 a------- c:\windows\is-492UK.exe
2009-02-20 04:20 10,194 a------- c:\windows\is-492UK.msg
2009-02-20 04:20 220 a------- c:\windows\is-492UK.lst
2009-02-20 04:02 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-20 03:59 <DIR> --d----- c:\windows\pss
2009-02-19 17:51 11,853 a------- c:\windows\system32\RUNDLL32.EX_
2009-02-19 15:31 49,152 a------- c:\windows\system32\nvsysrot.dll
2009-02-19 15:31 <DIR> --d----- c:\windows\nview
2009-02-19 15:03 3,636,864 a------- c:\windows\system32\drivers\NETw5x32.sys
2009-02-19 15:03 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2009-02-19 15:03 663,552 a------- c:\windows\system32\NETw5c32.dll
2009-02-14 07:26 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-13 02:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 00:43 <DIR> --d----- c:\docume~1\72685.rp\applic~1\URSoft
2009-02-13 00:43 <DIR> --d----- c:\program files\Your Uninstaller 2008
2009-02-03 19:18 <DIR> --d----- c:\program files\PowerISO

==================== Find3M ====================

2009-02-19 15:43 33,280 a------- c:\windows\system32\rundll32.exe
2009-02-02 01:35 682,280 a------- c:\windows\system32\pbsvc.exe
2009-02-02 01:00 45,984 a------- c:\windows\system32\ins2.exe
2008-12-11 23:19 31 a------- c:\documents and settings\72685.rp\jagex_runescape_preferences.dat
2008-12-04 21:46 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-12-04 21:42 815,104 a------- c:\windows\system32\xvidcore.dll
2008-10-13 22:27 81,920 a------- c:\docume~1\72685.rp\applic~1\ezpinst.exe
2008-10-13 22:27 47,360 a------- c:\docume~1\72685.rp\applic~1\pcouffin.sys
2007-04-17 19:36 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 13:39:47.29 ===============

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:47 PM

Posted 04 March 2009 - 05:45 PM

Hello.

That log looks clean. However, there are a couple files that look suspicious.

3000k isn't very much for rundll32.exe. You can expect it to take up as much as other processes depending on what dll it is hosting.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\is-492UK.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Update Java to Version 6 Update 12
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows"

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.
With Regards,
The Panda

#5 fawn

fawn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 07 March 2009 - 04:45 AM

From Virus Total,


File has already been analysed:

MD5: 9bd0dc2d4c0ddda3d37733e3d45a3aaa
First received: 09.22.2008 19:01:42 (CET)
Date: 02.18.2009 22:50:50 (CET) [>16D]
Results: 0/37
Permalink: analisis/c2995dbba36ed5fb72b6b331c9045edb



Have updated my Java to Version 6 Update 12



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 07, 2009 06:49:11
Records in database: 1876400
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 155329
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:43:33


File name / Threat name / Threats count
D:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
D:\Zion\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

The selected area was scanned.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:47 PM

Posted 07 March 2009 - 11:21 AM

Hello.

It all looks clean.

There doesn't appear to be any issues.

With Regards,
The Panda

#7 fawn

fawn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 08 March 2009 - 12:30 AM

Hmm.. ok so i guess the rundll32 isn't really a virus or anything. Anyways, thanks for your help! Really appreciate it.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:47 PM

Posted 08 March 2009 - 10:12 AM

Nope. It's a legit windows file.

Here's what was running under it:
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

With Regards,
The Panda

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:47 PM

Posted 18 March 2009 - 09:04 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users