Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winnxl32.dll, Rundll32 And Other New Things Opening On Startup


  • This topic is locked This topic is locked
2 replies to this topic

#1 Lanimilbus

Lanimilbus

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:09:31 AM

Posted 06 December 2006 - 12:55 PM

This morning when I turned on my computer SpySweeper told me that I have two new programs running on startup, and asked me whether to keep or remove them. The two programs are:

Microsoft Office.lnk
and
winnxl32

I googled both entries and found mixed results for what to do; some people said they're trojans and should be removed immediately, and others say they're neccessary files. Since I had very bad results the last time I tried removing a .DLL file uninformed, I thought I'd ask here before I did anything with either of them.

Also, when I run msconfig and look at the startup tab, there are several new boxes checked that I don't remember ever having been checked before. Here they are, exactly as seen in msconfig (minus the ":" in between the program name and the file):

  • LoadPowerProfile: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  • CriticalUpdate: c:\windows\SYSTEM\wucrtupd.exe -startup
  • mcspy.exe: C:\WINDOWS\SYSTEM\mcspy.exe
  • winnxl32: rundll32 winnxl32.dll,run
  • LoadPowerProfile: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  • SchedulingAgent: mstask.exe
  • MDM7: "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
  • systemtools
  • Microsoft Office StartUp: C:\PROGRA~1\MICROS~2\OFFICE10\OSA.EXE


I wouldn't be so worried about these if it weren't for the fact that I just had several nasty viruses the other day which, after running SpySweeper and Norton Anti-Virus, seem to have been eliminated...but now I'm not so sure. Also, today my computer seems to be extremely slow (i.e. clicking on a program on my taskbar and the icon remaining pressed in, frozen, for 3 minutes before the actual program opens) so I'm not entirely convinced that those viruses are completely gone from my computer.

Here's my HijackThis log from just now:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:40 PM, on 12/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\SYSTEM\mcspy.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [winnxl32] rundll32 winnxl32.dll,run
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Installer\{913D0409-6000-11D3-8CFE-0050048383C9}\misc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O21 - SSODL: JwvVKnM - {3219160E-98B3-BCA4-34F4-337C62A28DD9} - C:\WINDOWS\SYSTEM\GXA.DLL

Thanks in advance for any and all help!
-Alec

BC AdBot (Login to Remove)

 


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:31 AM

Posted 16 December 2006 - 04:47 PM

Hi Lanimilbus,

Sorry for the delay, this forum is very busy.

If you still need help, please do the following:

Step 1. Download and install Ad-Aware

Download Ad-AwareSE Personal from this location. Save the file to your desktop. Double click on the icon to begin installation. Accept the defaults. When installation is complete you will be presented with a checkbox menu screen. Leave the option Check for Updates now checked, but uncheck Run a full system scan. The readme file is your choice, you can read it now or wait until later. After the program has updated, close it. Do not run it yet.

Step 2. Boot into Safe Mode
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen. Use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Step 3. Run Ad-Aware

Double-click the desktop icon to open the program, then click the Scan Now bar and select the radio button Perform full system scan. Leave Check for low-risk threats selected (green) and Check for negligible risk entries unselected (red). Click Next. When the scan is finished, allow the program to fix any problems it finds, then click Show logfile, then right click on the report and select Save. Name the file and note where you save it -- the default is C:\Program Files\Lavasoft\Ad-Aware SE Personal. You may want to put it someplace easier to find, such as your desktop. Then close the program.

Step 4. Reboot into Normal Mode

Your computer should go into normal mode automatically when you restart.

Step 4. Update Your Java

You need to update your Java. Earlier versions have serious security vulnerabilities. Click Start, Control Panel, then double click Add/Remove Programs. When the list is populated look for any and all entries starting with J2SE or JRE with the little Java icon (a coffee cup). Remove them all, one by one. Then open your browser and go to this web page to get the latest version. Scroll dow to the middle of the page where you will find Java Runtime Environment (JRE) 6. Click Download which will take you to the secure download page. At the top, select the Accept License Agreement button. Then look to the first block for the J2SE downloads for the Windows Platform. You can choose either the Online or Offline installation version; unless you have several computers you need to upgrade, I suggest the Online version.

Download the file to your desktop, and double click the icon. You must be connected to the internet in order to run the online version.

If you have trouble with the Online installation, you can download the big Offline file and install it with your browser closed.

Step 5. Get back to me

First thing, you mentioned MSConfig. If you are using it to disable itemsfrom starting at bootup, it is important that you re-enable all disabled items so that the system is set to start normally with the full contingent of programs. Then reboot before continuing.

Open HijackThis and run a fresh scan. Save that log and post it to a reply here, along with the Ad-Aware report, and answers to these questions:

Do you now or have you in the past had McAfee security suite or McAfee antispyware installed on this computer?

Do you have Norton personal firewall or another software firewall installed on this computer? I don't see a firewall in your log. If not, are you connected to the internet through a router? Do you have a high-speed connection or are you on dialup?

Dave

#3 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:31 AM

Posted 27 December 2006 - 10:04 PM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users