RUNDLL Error Message, Malware Infection?


  • This topic is locked
2 replies to this topic

#1 greenisorabracadabra

  • Members

Posted 09 December 2010 - 10:48 AM

Hello,

I almost certainly have a malware infection on my computer. I have been getting pop-ups and google redirects, and last night the programs "Antimalware Doctor" and "Whitesmoke Translator" downloaded themselves onto my computer. Also, when I started my computer this morning I received a message that read: "RUNDLL: Error loading C:\WINDOWS\kbclen.dll The specified module could not be found."

I would be very thankful for any help anyone can lend me. I will paste a copy of my DDS.txt log below, and I've attached my Attach.txt file to this post. If there is anything else I can do to help anyone diagnose my computer, please just let me know what I can do and I will do it. Thank you again.

Cordially,
XXX




DDS (Ver_10-12-05.01) - NTFSx86
Run by xxxx at 9:18:22.09 on Thu 12/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.760.80 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malware\mbam.exe.exe
C:\Program Files\Outlook Express\wab.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\xxxx\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\xxxx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101111091746.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\xxxx\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [khywttaq] c:\docume~1\dougla~1\locals~1\temp\iqhwqbbkt\idgrsyotsbl.exe
uRun: [Oluli] rundll32.exe "c:\windows\kbclen.dll",Startup
uRun: [delfix70700cssupdt.exe] c:\documents and settings\xxxx\application data\256fb4219da36a57c96e4af4777b1750\delfix70700cssupdt.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malware\mab.exe.exe" /runcleanupscript
mRun: [lsdefrag] c:\docume~1\dougla~1\locals~1\temp\exasomcnwr.tmp
mRun: [Dkisoju] rundll32.exe "c:\windows\ogalixaqabezaxe.dll",Startup
StartupFolder: c:\docume~1\dougla~1\startm~1\programs\startup\antima~1.lnk - c:\documents and settings\xxxx\application data\256fb4219da36a57c96e4af4777b1750\delfix70700cssupdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 64.208.176.57 download.mcafee.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\xxxx\application data\mozilla\firefox\profiles\x9h7l1a9.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\documents and settings\xxxx\application data\mozilla\firefox\profiles\x9h7l1a9.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\xxxx\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\xxxx\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\xxxx\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {3D440FF0-D70B-4CE4-BC0F-C7B7A955CBC0} - c:\documents and settings\xxxx\local settings\application data\{3D440FF0-D70B-4CE4-BC0F-C7B7A955CBC0}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {3D440FF0-D70B-4CE4-BC0F-C7B7A955CBC0} - c:\documents and settings\xxxx\local settings\application data\{3D440FF0-D70B-4CE4-BC0F-C7B7A955CBC0}
FF - Extension: Winamp Toolbar: {0b38152b-1b20-484d-a11f-5e04a9b0661f} - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Veoh Video Compass: searchrecs@veoh.com - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\searchrecs@veoh.com
FF - Extension: RadioBar Toolbar: radiobar@toolbar - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\radiobar@toolbar
FF - Extension: SearchHotKeys: {1a5e5840-5531-11da-8cd6-0800200c9a66} - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\{1a5e5840-5531-11da-8cd6-0800200c9a66}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\x9h7l1a9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-11 84072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-11 55840]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-12 38224]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-4 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-4 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-11 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-11 88544]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8d.tmp --> c:\windows\system32\8D.tmp [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-11 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-11 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-4 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-4 40552]

=============== Created Last 30 ================

2010-12-09 14:06:07 -------- d-----w- c:\docume~1\dougla~1\applic~1\whitesmoketoolbar
2010-12-09 13:52:00 -------- d-----w- c:\program files\whitesmoketoolbar
2010-12-09 13:50:56 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-12-09 13:50:04 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-09 02:54:50 0 ----a-w- c:\windows\Xkaleqozu.bin
2010-12-09 02:54:45 -------- d-----w- c:\docume~1\dougla~1\locals~1\applic~1\{3D440FF0-D70B-4CE4-BC0F-C7B7A955CBC0}
2010-12-09 02:50:50 -------- d-----w- c:\docume~1\dougla~1\applic~1\256FB4219DA36A57C96E4AF4777B1750
2010-11-30 01:08:08 -------- d-----w- c:\program files\Sophos
2010-11-12 14:47:16 -------- d-----w- c:\docume~1\dougla~1\applic~1\Malwarebytes
2010-11-12 14:45:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 14:45:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-12 14:45:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 14:45:50 -------- d-----w- c:\program files\Malware
2010-11-11 14:17:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2010-11-11 14:17:44 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-11 14:17:35 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-11 14:17:35 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-11 14:17:35 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-11 14:17:35 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-11 14:17:34 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-11 14:17:21 -------- d-----w- c:\program files\common files\Mcafee
2010-11-11 14:16:10 -------- d-----w- c:\program files\McAfee
2010-11-11 14:02:19 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-11 03:31:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2010-11-11 03:22:05 -------- d-----w- c:\docume~1\dougla~1\locals~1\applic~1\Citrix
2010-11-11 03:21:58 103784 ----a-w- c:\documents and settings\xxxx\GoToAssistDownloadHelper.exe

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 00:19:46 72080 ----a-w- c:\documents and settings\xxxx\g2mdlhlpx.exe
2008-11-30 15:56:37 7508624 -c--a-w- c:\program files\Firefox Setup 3.0.4.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380020A rev.5.38 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83B25555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x83b2b7b0]; MOV EAX, [0x83b2b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x83BD5AB8]
3 CLASSPNP[0xF7636FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006b[0x83BCB1E0]
5 ACPI[0xF758D620] -> nt!IofCallDriver[0x804E13B9] -> [0x83BC9D98]
\Driver\atapi[0x83BCEF38] -> IRP_MJ_CREATE -> 0x83B25555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }

Hello,

I wanted to write with a quick update: Last night I reinstalled Windows XP (Home Edition) on my computer (Sony VAIO pcv-2222) because I was getting too many pop-ups which said "RUNDLL: Error loading C:\WINDOWS\kbclen.dll The specified module could not be found." In any event, I reinstalled Windows and logged online, only to find that I'm still getting Google redirects. There don't appear to be any other symptoms of malware; my computer is running very smoothly and quickly, and I'm quite happy with its performance. But the redirects are making me worried that something wicked may be festering in my computer. If anyone can take a look at the tests I ran this morning I would be very thankful for any feedback or suggestions anyone can give.

Sincerely,
Doug

DDS (Ver_10-12-05.01) - NTFSx86
Run by xxxx at 10:11:29.56 on Sat 12/11/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.760.479 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\xxxx\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: CheckHO Class: {576eb0ad-6980-11d5-a9cd-0001032fee17} - c:\program files\yahoo!\common\ycheckh.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [Mozilla Quick Launch] "c:\program files\netscape\netscape\Netscp.exe" -turbo
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\5bonvh3h.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-12-11 16:11:38 186136 ----a-w- c:\windows\system32\wuaueng1.dll
2010-12-11 16:11:38 167704 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-12-11 16:11:38 167704 ----a-w- c:\windows\system32\wuauclt1.exe
2010-12-11 15:42:11 -------- d-----w- c:\program files\MSXML 4.0
2010-12-11 05:13:46 16074 ----a-w- c:\windows\system32\drivers\FA312nd5.sys
2010-12-11 04:41:59 -------- d-----w- c:\program files\GPLGS
2010-12-11 04:41:04 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-12-11 04:40:59 -------- d-----w- c:\program files\Acro Software
2010-12-11 04:39:03 -------- d-----w- c:\program files\OpenOffice.org 2.3
2010-12-11 04:38:50 69632 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 04:35:26 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-12-11 04:28:18 -------- d-----w- c:\program files\Encarta Online
2010-12-11 04:22:01 182880 -c--a-w- c:\windows\system32\dllcache\iuengine.dll
2010-12-11 04:22:01 182880 ----a-w- c:\windows\system32\iuengine.dll

==================== Find3M ====================


============= FINISH: 10:12:23.43 ===============

EDIT: Posts merged ~BP
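The two logs above carry the indicators a responder reads first, and a short script makes those checks repeatable. The following Python is an added example for this thread; it is not part of the original posts and not code from the DDS or GMER tools, and the tags and heuristics are its own. It parses lines in the shape DDS and GMER print and flags: autorun values that execute from the user's temp directory; `rundll32 ... ,Startup` values that load a DLL straight out of c:\windows rather than system32 (the `[Oluli]` value is the one behind the quoted "RUNDLL: Error loading C:\WINDOWS\kbclen.dll" message: rundll32 reports "The specified module could not be found" when the DLL named in the Run value is no longer on disk, so the autorun value outlived the file); a startup entry living in a 32-hex-character AppData folder; any non-default Hosts: line; and a GMER disk trace in which a driver's IRP dispatch resolves to the address GMER marked as `>>UNKNOWN<<`, i.e. code it could not attribute to any loaded module. The sample input is constructed from the shape of the posted lines, not the complete log. Note that the second log, taken after the reinstall, contains no ROOTKIT section at all, so the script has nothing to say about it either way; that is why the reply below asks for a fresh GMER log.

```python
"""
Triage helper for the autorun and rootkit sections of a DDS / GMER log.

Added example for this thread; it is not part of the original posts and
not code from the DDS or GMER tools. It applies, mechanically, the checks
a malware responder makes by eye on the "Pseudo HJT Report" and "ROOTKIT"
sections. The heuristics and their tag names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample in DDS / GMER output format, assembled from the shape
# of the lines in the posted log (not the complete log).
SAMPLE_LOG = r"""
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [khywttaq] c:\docume~1\dougla~1\locals~1\temp\iqhwqbbkt\idgrsyotsbl.exe
uRun: [Oluli] rundll32.exe "c:\windows\kbclen.dll",Startup
uRun: [delfix70700cssupdt.exe] c:\documents and settings\xxxx\application data\256fb4219da36a57c96e4af4777b1750\delfix70700cssupdt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lsdefrag] c:\docume~1\dougla~1\locals~1\temp\exasomcnwr.tmp
mRun: [Dkisoju] rundll32.exe "c:\windows\ogalixaqabezaxe.dll",Startup
Hosts: 64.208.176.57 download.mcafee.com
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83B25555]<<
\Driver\atapi[0x83BCEF38] -> IRP_MJ_CREATE -> 0x83B25555
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # tag of the heuristic that fired (names chosen for this example)
    name: str    # autorun value name, "hosts", or the hooked driver's name
    detail: str  # the command, path or dispatch target that matched


# DDS prints HKCU/HKLM Run values as "uRun: [name] command" / "mRun: [name] command".
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 invocation: optional quotes around the DLL path, then ",EntryPoint".
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
HEXDIR_RE = re.compile(r'\\[0-9a-f]{32}\\', re.IGNORECASE)
# GMER: the module list ends in >>UNKNOWN [addr]<< when a caller is not in any module.
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<')
# GMER: "\Driver\name[obj] -> IRP_MJ_xxx -> addr" shows where a dispatch entry points.
IRP_RE = re.compile(
    r'^\\Driver\\(?P<drv>\w+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)'
)


def triage(log_text: str) -> list[Finding]:
    """Return the findings the heuristics above raise for one DDS/GMER log."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: collect addresses GMER could not attribute to a loaded module.
    unknown_addrs = {m.group('addr').lower() for ln in lines
                     for m in [UNKNOWN_RE.search(ln)] if m}

    findings: list[Finding] = []
    for line in lines:
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group('name'), run.group('cmd')
            if TEMP_RE.search(cmd):
                findings.append(Finding('temp-path', name, cmd))
            if HEXDIR_RE.search(cmd):
                findings.append(Finding('hex-appdata', name, cmd))
            dll_match = RUNDLL_RE.match(cmd)
            if dll_match:
                dll = dll_match.group('dll').strip()
                # A DLL directly under c:\windows (not system32) is unusual for
                # a legitimate Run value; system32\NvCpl.dll is left alone.
                if dll.rsplit('\\', 1)[0].lower() == 'c:\\windows':
                    findings.append(Finding('windir-dll', name, dll))
            continue
        if line.startswith('Hosts: '):
            # DDS only prints non-default hosts entries; each one deserves a look.
            findings.append(Finding('hosts-override', 'hosts', line[len('Hosts: '):]))
            continue
        irp = IRP_RE.match(line)
        if irp and irp.group('addr').lower() in unknown_addrs:
            findings.append(Finding('irp-hook', irp.group('drv'),
                                    f"{irp.group('irp')} -> {irp.group('addr')}"))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:14} {f.name:24} {f.detail}')
```

Run it against a full DDS log by replacing SAMPLE_LOG with the file's contents; entries it does not flag (the Skype and NvCplDaemon values in the sample) are not thereby clean, and everything it does flag still needs a human to look at the file and the reply chain, which is what the thread's responder does next.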


#2 Casey_boy

  • Malware Response Team

Posted 16 December 2010 - 09:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 thcbytes

  • Malware Response Team

Posted 21 December 2010 - 09:28 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



