Keep Getting RunDll32.exe Error


  • This topic is locked
25 replies to this topic

#1 Ari Tanks

  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 07 May 2011 - 12:50 PM

I encountered a virus called AntiMalware Doctor and ran a few anti-virus scan programs in an attempt to remove it. I also ran CCleaner, which I believe deleted a system file which is causing instability on my computer. I got the "blue screen of death" also, but was able to start in safe mode and haven't got the screen since. I still get these RunDll32.exe error messages that pop up without warning every so often. The error message says "Error in rundll32.exe missing entry: shell32.dll, activate_RunDLL." I'm unable to run some programs properly, as well as shut down my computer properly, because of it. I attached the logs that your tutorial requested; any help would be GREATLY appreciated.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ari at 12:28:22.48 on Sat 05/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.362 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\ehome\ehtray .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ari\Application Data\F60DAF18AC2B404BCEB9BCC915DB47B4\asecpp70.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc .exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Documents and Settings\Ari\Application Data\F60DAF18AC2B404BCEB9BCC915DB47B4\asecpp70.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Documents and Settings\Ari\Application Data\F60DAF18AC2B404BCEB9BCC915DB47B4\asecpp70 .exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Documents and Settings\Ari\Application Data\F60DAF18AC2B404BCEB9BCC915DB47B4\asecpp70 .exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Ari\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [asecpp70.exe] c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70.exe
uRun: [asecpp70 .exe] c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70 .exe
uRun: [asecpp70 .exe] c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70 .exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC .exe" /tray
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Rsixaqogu] rundll32.exe "c:\windows\ivitezivanomozo.dll",Startup
StartupFolder: c:\docume~1\ari\startm~1\programs\startup\antima~1.lnk - c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Free YouTube Download - c:\documents and settings\ari\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\ari\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: itlnfw32 - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ari\applic~1\mozilla\firefox\profiles\pbqgqfa7.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\ari\application data\mozilla\firefox\profiles\pbqgqfa7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-25 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-24 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-1-24 108392]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2005-8-16 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-1-24 2477304]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-2 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110504.002\NAVENG.SYS [2011-5-4 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110504.002\NAVEX15.SYS [2011-5-4 1393144]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2010-12-15 6609920]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-10-25 112592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-9-6 29584]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-7 24652]
.
=============== Created Last 30 ================
.
2011-05-07 16:10:37 221192 ----a-w- c:\windows\system32\VJDqhtY.com
2011-05-07 16:09:51 53248 ----a-w- c:\windows\system32\6to4v32.dll
2011-05-07 16:09:27 215552 ----a-w- c:\windows\system32\itlpfw32.dll
2011-05-07 16:09:26 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-05-06 16:36:25 111618 ----a-w- c:\docume~1\alluse~1\applic~1\FCSv8I5q.exe
2011-05-05 17:07:45 0 ----a-w- c:\windows\Dyuboxo.bin
2011-05-05 17:07:43 -------- d-----w- c:\docume~1\ari\locals~1\applic~1\{580DCE85-DC3F-47F0-8B6A-479FB2972D1F}
2011-05-05 17:05:59 -------- d-----w- c:\docume~1\ari\applic~1\F60DAF18AC2B404BCEB9BCC915DB47B4
2011-05-04 16:32:43 -------- d-----w- c:\docume~1\ari\applic~1\MySQL
2011-05-04 16:32:03 -------- d-----w- c:\program files\MySQL
2011-05-04 16:30:17 -------- d-----w- c:\docume~1\ari\applic~1\GetRightToGo
2011-05-01 03:20:30 -------- d-----w- c:\program files\Veetle
2011-04-27 02:40:06 8704 ----a-w- c:\windows\system32\CNMVS78.DLL
2011-04-27 02:40:06 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP78.DLL
2011-04-27 02:40:06 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD78.DLL
2011-04-27 02:40:06 140288 ----a-w- c:\windows\system32\CNMLM78.DLL
2011-04-13 16:31:23 -------- d-----w- c:\program files\Bytescout XLS Viewer
2011-04-10 20:08:12 -------- d-----w- c:\docume~1\ari\applic~1\DVDVideoSoftIEHelpers
2011-04-10 20:06:44 -------- d-----w- c:\docume~1\ari\applic~1\DVDVideoSoft
2011-04-10 20:06:34 -------- d-----w- c:\program files\common files\DVDVideoSoft
2011-04-10 20:06:20 -------- d-----w- c:\program files\DVDVideoSoft
.
==================== Find3M ====================
.
2011-05-06 14:03:55 221188 ----a-w- c:\windows\system32\rundll32.exe
2011-05-06 14:03:50 221188 ----a-w- c:\windows\UpdReg.EXE
2011-04-27 03:05:50 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-27 03:05:50 56 --sh--r- c:\windows\system32\418AB35A2A.sys
2011-04-10 21:16:12 89680 ----a-w- c:\documents and settings\ari\MSSSerif120.fon
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GSX rev.AS112D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x874C86F0]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x874cea10]; MOV EAX, [0x874cea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87560AB8]
3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87562920]
5 PCTCore[0xF741888F] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007f[0x87511510]
7 ACPI[0xF74C9620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8757E940]
\Driver\atapi[0x875A40E8] -> IRP_MJ_CREATE -> 0x874C86F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x874C853B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:31:40.44 ===============
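The "Pseudo HJT Report" section of the DDS log above is what a helper reads first. The following is an added triage script, not part of this thread, of DDS or of any tool named here; it flags the patterns visible in that section (autoruns from a 32-hex-character folder under Application Data, rundll32 loading a DLL straight from c:\windows, orphaned "No File" BHO/TB entries, a Winlogon Notify package named as a bare DLL, and names with a space before the extension). The sample lines are copied from the log with a few benign entries added for contrast.

```python
"""Triage of the autorun section of a DDS log ("Pseudo HJT Report").

Added example; it is not part of the BleepingComputer thread, of DDS or of
any of the tools named there. The regexes encode the patterns a helper would
look at in the report above, nothing more.
"""
from __future__ import annotations

import re

# Constructed sample: lines copied from the thread's DDS log, plus benign
# entries (ctfmon, NvCpl, Adobe, SAS) for contrast.
SAMPLE_LINES = r"""BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [asecpp70.exe] c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70.exe
uRun: [asecpp70 .exe] c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70 .exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Rsixaqogu] rundll32.exe "c:\windows\ivitezivanomozo.dll",Startup
StartupFolder: c:\docume~1\ari\startm~1\programs\startup\antima~1.lnk - c:\documents and settings\ari\application data\f60daf18ac2b404bceb9bcc915db47b4\asecpp70.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: itlnfw32 - itlnfw32.dll
"""

# A path component made of exactly 32 hex characters (random AppData folder).
HEX_DIR = re.compile(r"\\[0-9a-f]{32}\\", re.I)
# rundll32 given a DLL that lives directly in c:\windows, not in system32.
RUNDLL_WIN_ROOT = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll', re.I)
# "asecpp70 .exe": whitespace before the extension.
SPACED_EXT = re.compile(r"\s\.(?:exe|dll)\b", re.I)
# A DLL named with no directory at all.
BARE_DLL = re.compile(r"[^\\/]+\.dll", re.I)


def triage_line(line: str) -> list[str]:
    """Return the reasons a single report line deserves a closer look."""
    reasons = []
    kind, _, rest = line.partition(": ")
    if kind in ("BHO", "TB") and rest.endswith(" - No File"):
        reasons.append("orphaned browser extension entry (No File)")
    if kind in ("uRun", "mRun", "StartupFolder"):
        if HEX_DIR.search(rest):
            reasons.append("launched from a 32-hex-character folder")
        if RUNDLL_WIN_ROOT.search(rest):
            reasons.append("rundll32 loading a DLL from the c:\\windows root")
    if kind == "Notify" and BARE_DLL.fullmatch(rest.split(" - ", 1)[-1]):
        reasons.append("Winlogon Notify package given as a bare DLL name")
    if SPACED_EXT.search(rest):
        reasons.append("space before the file extension")
    return reasons


def triage(report: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over every line of the report; keep flagged lines only."""
    findings = []
    for line in report.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LINES):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Running it against the sample flags seven of the eleven lines; the ctfmon, NvCpl, Adobe and SUPERAntiSpyware entries pass.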


#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 07 May 2011 - 07:41 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 07 May 2011 - 10:26 PM

I ran the TDSSKiller with no problems, but when I ran the ComboFix it produced a warning message saying "The Master Boot Record is infected! Make sure your antivirus programs are disabled before clicking OK." I followed the directions to disable my Symantec Endpoint Protection antivirus program, so I know that it was disabled. I clicked OK, but then it froze at the ComboFix screen that said it was scanning for viruses. What do you suggest I do now?

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 07 May 2011 - 11:57 PM

Hello,

Open the Task Manager by right clicking on a blank spot in your taskbar and selecting "Start Task Manager". Click on the Processes tab and look for these (if they are not there, move on to the next instruction):

Pev.exe, sed.exe, grep.exe or cfxxx.exe

Right click on them and select "End Process"

Reboot and run another GMER scan for me, please.



#5 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 02:30 PM

I didn't see any of the listed processes, but there were a lot of rundll32.exe processes running, as well as svchost.exe & asecpp70.exe. When I did the GMER scan it produced a warning message saying that GMER has found system modification, which might have been caused by ROOTKIT activity, do you want to fully scan your system? I pressed no and then ran the scan the way you requested. I attached the TDSSKiller log file as well as the GMER log to this post. Thanks for helping.

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 08 May 2011 - 03:53 PM

Ari Tanks:

Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log



#7 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 04:51 PM

I was able to complete that scan without any problems. The log is attached to this post.

#8 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 08 May 2011 - 05:03 PM

Ari Tanks:

aswMBR placed a file on your desktop called MBR.dat. Right click on that file and select Send to >> Compressed (zipped) folder. Add the newly created zipped folder as an attachment to your next post.

After you've posted that file, do this:

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.
Please include the following in your next post:
  • Zipped MBR.dat file (first post)
  • aswMBR log (second post)



#9 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 07:26 PM

Now it won't load windows, it's stuck at the resuming windows screen after I had put it into hibernate. W/e is causing all this instability on my computer also won't allow me to properly shut my computer down either. I've had to hold the power button down to turn it off. What do you suggest I do now?

#10 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 08 May 2011 - 07:32 PM

Your PC is infected with a rootkit, one that is attached to the Master Boot Record (MBR) of your hard disk. Just so I'm clear, did it become un-bootable before you attempted my last instructions or during/after doing them? Do you have your Windows XP install disk available?

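The MBR.dat that aswMBR saved in #8 is a raw 512-byte copy of the Master Boot Record that #10 says is infected. The script below is an added example, not code from this thread, from aswMBR or from any other tool named here: it parses such an image, checks the 0x55AA signature and partition table, hashes the bootstrap code so it can be compared with a known-good copy, and applies one heuristic that holds for the stock Windows XP MBR (its code area contains three plain-text error strings). The two sample images are constructed inline, not real MBR.dat contents.

```python
"""Inspect a 512-byte MBR image such as the MBR.dat that aswMBR saves.

Added example, not code from the thread, from aswMBR or from any other tool
named there. The sample images are constructed here for demonstration.
"""
import hashlib
import struct

# Error strings present in the bootstrap code of the stock Windows XP MBR.
XP_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into bootstrap code, partition entries and signature."""
    if len(mbr) != 512:
        raise ValueError("an MBR image is exactly 512 bytes")
    code = mbr[:440]                          # bootstrap code area
    partitions = []
    for i in range(4):                        # four 16-byte table entries at 446
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:                             # type 0 is an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "start_lba": start_lba,
                               "sectors": sectors})
    return {
        "signature_ok": mbr[510:] == b"\x55\xaa",
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "has_xp_strings": all(s in code for s in XP_MBR_STRINGS),
        "partitions": partitions,
    }


def assess(mbr: bytes, known_good_sha256: str = "") -> list:
    """Return the reasons the MBR should be treated as suspect (empty = none)."""
    info = parse_mbr(mbr)
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if not info["has_xp_strings"]:
        issues.append("bootstrap code lacks the stock XP MBR error strings")
    if known_good_sha256 and info["code_sha256"] != known_good_sha256:
        issues.append("bootstrap code differs from the known-good copy")
    if sum(p["active"] for p in info["partitions"]) != 1:
        issues.append("expected exactly one active partition")
    return issues


def build_sample_mbr(code: bytes, start_lba: int, sectors: int) -> bytes:
    """Constructed image with one active NTFS-type (0x07) partition."""
    code = code.ljust(440, b"\x00")[:440]
    disk_id = b"\x00" * 6                     # disk signature + reserved bytes
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", start_lba, sectors)
    table = entry + b"\x00" * 48              # three unused slots
    return code + disk_id + table + b"\x55\xaa"


# Constructed samples. CLEAN opens with the real XP MBR prologue bytes
# (xor ax,ax / mov ss,ax / mov sp,7c00h) and carries the three strings;
# TAMPERED has its code area replaced by a jump plus padding.
CLEAN = build_sample_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00".join(XP_MBR_STRINGS), 63, 156296322)
TAMPERED = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 128, 63, 156296322)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN)["code_sha256"]
    print("clean:", assess(CLEAN, baseline) or "no issues")
    print("tampered:", assess(TAMPERED, baseline))
```

A real MBR.dat is checked the same way: read the file in binary mode and pass its bytes to assess, ideally with the SHA-256 of a known-good XP MBR as the baseline.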


#11 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 07:40 PM

Before your last instructions; I only ran the aswMBR once. Yes, I have the CD that originally came with the laptop. It's a 2005 Media Center version.

#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 08 May 2011 - 07:55 PM

Ari Tanks:

We need to fix your MBR:

  • Restart your computer with the Windows XP Setup disk in the CD-ROM drive.
  • If you are prompted to press a key to start the computer from CD-ROM, do so quickly. Otherwise it may try to boot from the hard drive.
  • After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
  • When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). ( If you press ENTER without typing a number, Recovery Console will quit and restart your computer.)
  • Enter your Administrator password. If you don't enter the correct password, you cannot continue. (If you did not set a password, just hit enter)
  • At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.
  • Type EXIT and reboot normally.
Your damaged MBR will be replaced with a new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.

Please include the following in your next post:
  • Let me know when you've completed these steps



#13 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 08:10 PM

I completed those steps and the computer was able to turn on. I'm still getting RunDll error messages when it's loading the desktop though.

#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:02:21 PM

Posted 08 May 2011 - 08:15 PM

Good! Please delete your existing version of ComboFix, download a new one and try running that again. We should have better luck with the MBR fixed.

Post the log when it's done, please.



#15 Ari Tanks
  • Topic Starter
  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 May 2011 - 09:16 PM

I downloaded a new version but it appears that it froze while it was scanning for infected files. I can still move the cursor but everything else is non-responsive and it's been about 20 minutes since I started the scan.



