Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security Free Antivirus Forum - Learn about antivirus, firewalls and personal security
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
RUNDLL error + Virus
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > RUNDLL error + Virus  
Forum Quick Jump
 
New Topic Post reply to : RUNDLL error + Virus Printable version of : RUNDLL error + Virus
[ << Previous Thread | Next Thread >> ]

FerretyOne
New Member


Date Joined Jun 2008
Total Posts : 4
  		   Posted 7-8-2008 10:29 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
Firstly, thanks for the help guys.  I usually can do this on my own, but this virus has been brutal and It's still out there - It keeps causing DLL errors, and every once in a while my virus scanner will popup with a trojan.  Here are my logs, any help with the virus would be GREATLY appreciated.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:21 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171149400717
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.gamespy.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ÍøÂç·þÎñ (Network Services) - Unknown owner - C:\WINDOWS\MayaBaby\MayaBabyMain.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call Locator (RpcUsnsvc) - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5501 bytes


ComboFix 08-07-07.3 - Ferret 2008-07-08 13:02:27.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1473 [GMT -7:00]
Running from: C:\Documents and Settings\Ferret\Desktop\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\a1749.dat
C:\Documents and Settings\All Users\Application Data\t\b1749.dat
C:\Documents and Settings\All Users\Application Data\t\k1749.dat
C:\Documents and Settings\All Users\Application Data\t\p1749.dat
C:\Documents and Settings\All Users\Application Data\t\r1749.dat
C:\Documents and Settings\Ferret\Local Settings\Application Data\MSData\bulidlist2.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\MSData\bulidlist2.dat
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\Downloaded Program Files\setup.inf
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Legacy_NWSAPAGENT
-------\Service_IPRIP
-------\Service_Nwsapagent

(((((((((((((((((((((((((   Files Created from 2008-06-08 to 2008-07-08  )))))))))))))))))))))))))))))))
.
2008-07-08 01:46 . 2008-07-08 01:52 <DIR> d-------- C:\Program Files\RegCure
2008-07-07 18:27 . 2008-07-07 18:27 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Juniper Networks
2008-07-07 17:23 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-07-07 17:22 . 2008-07-07 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-07 17:09 . 2008-07-07 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-07 16:36 . 2008-07-07 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 21:44 . 2008-07-06 21:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-06 21:44 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-06 20:35 . 2008-07-07 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-06 11:14 . 2008-07-06 12:07 <DIR> d-------- C:\Documents and Settings\Ferret\.housecall6.6
2008-07-06 10:32 . 2008-07-06 10:32 68 --a------ C:\WINDOWS\system32\568
2008-07-05 21:50 . 2008-07-05 21:50 68 --a------ C:\WINDOWS\system32\378
2008-07-05 21:31 . 2008-07-05 21:31 1,120 --a------ C:\WINDOWS\vapa.ini
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\UP
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\system32\UP
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\Ferret\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-06 20:35 113 --a------ C:\WINDOWS\MsWino.dat
2008-07-05 21:24 . 2008-07-05 21:24 81 --a------ C:\WINDOWS\-127-12299112
2008-07-05 21:20 . 2008-07-05 21:20 68 --a------ C:\WINDOWS\system32\10f0ce
2008-07-05 21:20 . 2008-07-06 21:41 29 --a------ C:\WINDOWS\system32\-86-12299112
2008-07-05 21:18 . 2008-07-05 21:18 8 --a------ C:\WINDOWS\system32\-102-12299112
2008-07-05 21:08 . 2008-07-06 20:29 865 --a------ C:\WINDOWS\error2.ini
2008-07-05 21:07 . 2008-07-06 21:35 <DIR> d-------- C:\WINDOWS\system32\inf
2008-07-05 21:05 . 2008-07-07 09:24 <DIR> d-------- C:\WINDOWS\MayaBaby
2008-07-04 14:59 . 2008-07-04 14:59 <DIR> d-------- C:\Program Files\AirPort
2008-07-04 14:56 . 2008-07-04 14:56 <DIR> d-------- C:\Program Files\Bonjour
2008-07-03 03:57 . 2008-07-03 03:57 49,152 --a------ C:\WINDOWS\TElem32.dll
2008-07-03 03:56 . 2008-07-03 03:56 20 --a------ C:\WINDOWS\nmsvc.ini
2008-07-02 20:57 . 2008-07-02 20:57 36,864 --a------ C:\WINDOWS\icpb.dll
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-15 21:26 . 2008-06-15 21:26 45,056 --a------ C:\WINDOWS\system32\usmsho.dll
2008-06-11 00:16 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 10:28 . 2008-06-08 10:28 <DIR> d-------- C:\Program Files\DiskInternals
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 08:55 --------- d-----w C:\Documents and Settings\Ferret\Application Data\Azureus
2008-07-08 08:42 --------- d-----w C:\Program Files\Trillian
2008-07-08 00:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 05:47 --------- d-----w C:\Documents and Settings\Ferret\Application Data\IGN_DLM
2008-06-14 06:54 --------- d-----w C:\Program Files\mIRC
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 04:55 --------- d-----w C:\Program Files\EA games
2008-05-11 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 01:08 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 10:58 2483496]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ferret^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\360
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavMonS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usmsvc
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
--a------ 2008-03-06 17:40 733184 C:\Program Files\AirPort\APAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 14:57 1103480 C:\Program Files\IGN\Download Manager\dlm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-10 22:25 1266936 C:\Program Files\Valve\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 12:41 24576 C:\WINDOWS\system32\ptipbm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AirPort\\APAgent.exe"=
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 16:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 16:05]
S0 z5t8zmv9;z5t8zmv9;C:\WINDOWS\system32\drivers\z5t8zmv9.sys []
S2 Network Services;ÍøÂç·þÎñ;C:\WINDOWS\MayaBaby\MayaBabyMain.exe []
S2 ProtectedStorager5;Protected Storage Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S2 RpcUsnsvc;Remote Procedure Call Locator;C:\WINDOWS\usnsvc.exe []
S2 WbWin;WbWin;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 03:55]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
WbWin
ProtectedStorager5
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 20:04:04 C:\WINDOWS\Tasks\326ac.job"
- C:\WINDOWS\Downlo~1\326ac.dll,Always
"2008-07-08 20:14:42 C:\WINDOWS\Tasks\326b.job"
- C:\WINDOWS\Downlo~1\326b.dll,Run
"2008-07-08 20:14:42 C:\WINDOWS\Tasks\326dc.job"
- C:\WINDOWS\Downlo~1\326dc.dll,Always
"2008-07-08 20:15:01 C:\WINDOWS\Tasks\326sc.job"
- C:\WINDOWS\Downlo~1\326sc.dll,Always
"2008-06-12 15:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-08 20:09:55 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-08 08:46:42 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{ACADABAE-1101-0010-8000-00AA006D2EA8} - (no file)

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 13:10:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorager5]
"ServiceDll"="c:\windows\system32\config\sam6.log"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-08 13:16:16 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-08 20:16:11
Pre-Run: 8,210,427,904 bytes free
Post-Run: 8,148,439,040 bytes free
225 --- E O F --- 2008-07-07 16:28:40


 
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13070
  		   Posted 7-9-2008 6:57 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
Hello smile
 
 
Please download Malwarebytes' Anti-Malware:
http://www.besttechie.net/tools/mbam-setup.exe
 
 to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.
                     
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch

Malwarebytes' Anti-Malware, then click Finish.
                     
If an update is found, it will download and install the latest version.
                     
Once the program has loaded, select Perform full scan, then click Scan.
                     
When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
When completed, a log will open in Notepad. Please save it to a convenient location.
 
 
 
Copy and Paste that log into your next reply, along with new combofix log

Do NOT post your problem in someone elses thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Back to Top
 

FerretyOne
New Member


Date Joined Jun 2008
Total Posts : 4
  		   Posted 7-9-2008 8:24 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
Thank you Touch!

As requested, here are the logs. Mbam did seem to find several trojans and cleaned them, but I imagine they will be back before long. (still getting the DLL error). Oddly it says "no action taken" when I requested it clean - huh?

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

11:04:51 AM 7/9/2008
mbam-log-7-9-2008 (11-04-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91817
Time elapsed: 1 hour(s), 13 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\thunderbhonew12.thunder5bho (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Services (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorager5 (Spyware.OnlineGames) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{06926b30-424e-4f1c-8ee3-543cd96573dc} (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\MayaBaby (Trojan.Agent) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{784FAFFF-9851-4550-81B6-1811C357FAEF}\RP387\A0063057.dll (Trojan.BHO) -> No action taken.



ComboFix 08-07-08.9 - Ferret 2008-07-09 11:08:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1525 [GMT -7:00]
Running from: C:\Documents and Settings\Ferret\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_SERVICES


((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-09 09:43 . 2008-07-09 11:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 09:43 . 2008-07-09 09:43 <DIR> d-------- C:\Documents and Settings\Ferret\Application Data\Malwarebytes
2008-07-09 09:43 . 2008-07-09 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 09:43 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-09 09:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-08 19:21 . 2008-07-08 19:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-08 01:46 . 2008-07-08 01:52 <DIR> d-------- C:\Program Files\RegCure
2008-07-07 18:27 . 2008-07-07 18:27 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Juniper Networks
2008-07-07 17:23 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-07-07 17:22 . 2008-07-07 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-07 17:09 . 2008-07-07 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-07 16:36 . 2008-07-07 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 21:44 . 2008-07-06 21:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-06 21:44 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-06 20:35 . 2008-07-07 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-06 11:14 . 2008-07-06 12:07 <DIR> d-------- C:\Documents and Settings\Ferret\.housecall6.6
2008-07-06 10:32 . 2008-07-06 10:32 68 --a------ C:\WINDOWS\system32\568
2008-07-05 21:50 . 2008-07-05 21:50 68 --a------ C:\WINDOWS\system32\378
2008-07-05 21:31 . 2008-07-05 21:31 1,120 --a------ C:\WINDOWS\vapa.ini
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\UP
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\system32\UP
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\Ferret\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-06 20:35 113 --a------ C:\WINDOWS\MsWino.dat
2008-07-05 21:24 . 2008-07-05 21:24 81 --a------ C:\WINDOWS\-127-12299112
2008-07-05 21:20 . 2008-07-05 21:20 68 --a------ C:\WINDOWS\system32\10f0ce
2008-07-05 21:20 . 2008-07-06 21:41 29 --a------ C:\WINDOWS\system32\-86-12299112
2008-07-05 21:18 . 2008-07-05 21:18 8 --a------ C:\WINDOWS\system32\-102-12299112
2008-07-05 21:08 . 2008-07-06 20:29 865 --a------ C:\WINDOWS\error2.ini
2008-07-05 21:07 . 2008-07-06 21:35 <DIR> d-------- C:\WINDOWS\system32\inf
2008-07-04 14:59 . 2008-07-04 14:59 <DIR> d-------- C:\Program Files\AirPort
2008-07-04 14:56 . 2008-07-04 14:56 <DIR> d-------- C:\Program Files\Bonjour
2008-07-03 03:57 . 2008-07-03 03:57 49,152 --a------ C:\WINDOWS\TElem32.dll
2008-07-03 03:56 . 2008-07-03 03:56 20 --a------ C:\WINDOWS\nmsvc.ini
2008-07-02 20:57 . 2008-07-02 20:57 36,864 --a------ C:\WINDOWS\icpb.dll
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-15 21:26 . 2008-06-15 21:26 45,056 --a------ C:\WINDOWS\system32\usmsho.dll
2008-06-11 00:16 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 09:34 --------- d-----w C:\Documents and Settings\Ferret\Application Data\Azureus
2008-07-09 00:48 --------- d-----w C:\Program Files\Badder Adder
2008-07-08 08:42 --------- d-----w C:\Program Files\Trillian
2008-07-08 00:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 05:47 --------- d-----w C:\Documents and Settings\Ferret\Application Data\IGN_DLM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 06:54 --------- d-----w C:\Program Files\mIRC
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 17:28 --------- d-----w C:\Program Files\DiskInternals
2008-05-28 04:55 --------- d-----w C:\Program Files\EA games
2008-05-11 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 01:08 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((( snapshot@2008-07-08_13.15.48.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2008-07-09 02:22:12 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-07-09 02:22:12 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-07-09 02:22:12 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-07-09 02:22:14 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 22:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-07-09 02:22:15 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-07-09 02:22:12 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-07-08 20:09:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 18:13:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 22:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 22:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
- 2008-02-20 05:32:43 148,992 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 07:56:44 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 10:58 2483496]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ferret^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\360
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavMonS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
--a------ 2008-03-06 17:40 733184 C:\Program Files\AirPort\APAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 14:57 1103480 C:\Program Files\IGN\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
--a------ 2007-02-05 04:05 4354048 C:\Program Files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-10 22:25 1266936 C:\Program Files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 12:41 24576 C:\WINDOWS\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AirPort\\APAgent.exe"=

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 16:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 16:05]
S0 z5t8zmv9;z5t8zmv9;C:\WINDOWS\system32\drivers\z5t8zmv9.sys []
S2 RpcUsnsvc;Remote Procedure Call Locator;C:\WINDOWS\usnsvc.exe []
S2 WbWin;WbWin;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 03:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WbWin
ProtectedStorager5

.
Contents of the 'Scheduled Tasks' folder
"2008-07-09 18:04:22 C:\WINDOWS\Tasks\326ac.job"
- C:\WINDOWS\Downlo~1\326ac.dll,Always
"2008-07-09 18:06:04 C:\WINDOWS\Tasks\326b.job"
- C:\WINDOWS\Downlo~1\326b.dll,Run
"2008-07-09 18:16:07 C:\WINDOWS\Tasks\326dc.job"
- C:\WINDOWS\Downlo~1\326dc.dll,Always
"2008-07-09 18:15:52 C:\WINDOWS\Tasks\326sc.job"
- C:\WINDOWS\Downlo~1\326sc.dll,Always
"2008-06-12 15:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-09 18:13:42 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-08 08:46:42 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 11:14:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-07-09 11:19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 18:19:46
ComboFix2.txt 2008-07-08 20:16:18

Pre-Run: 2,142,691,328 bytes free
Post-Run: 2,199,126,016 bytes free

267 --- E O F --- 2008-07-09 09:36:18
Back to Top
 

FerretyOne
New Member


Date Joined Jun 2008
Total Posts : 4
  		   Posted 7-9-2008 11:14 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
I ran it again, just to be sure....

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

2:08:24 PM 7/9/2008
mbam-log-7-9-2008 (14-08-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92330
Time elapsed: 1 hour(s), 14 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13070
  		   Posted 7-10-2008 8:58 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
Open notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------
KILLALL::
 
Snapshot::
 
Folder::
C:\Program Files\RegCure
 
File::
C:\WINDOWS\Tasks\326ac.job
C:\WINDOWS\Downlo~1\326ac.dll
C:\WINDOWS\Tasks\326b.job
C:\WINDOWS\Downlo~1\326b.dll
C:\WINDOWS\Tasks\326dc.job
C:\WINDOWS\Downlo~1\326dc.dll
C:\WINDOWS\Tasks\326sc.job
C:\WINDOWS\Downlo~1\326sc.dll
C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job"

Driver::
z5t8zmv9
 
 
----------------------------------------------
 
Save this as CFScript.txt
 
http://www.fromsej.saknet.dk/billeder/cfscript.gif
 
At this point, You MUST EXIT ALL BROWSERS NOW before continuing!
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
 
 
Post new hijackthis log along with fresh combofix log
 

Do NOT post your problem in someone elses thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Back to Top
 

FerretyOne
New Member


Date Joined Jun 2008
Total Posts : 4
  		   Posted 7-10-2008 7:57 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
The DLL errors are gone! Could you look over the logs and let me know if you think I'm clean? Also, any recomendations on a virus scanner and whatnot? Thanks Touch, owe you a beer.

~J

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:05 AM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171149400717
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.gamespy.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call Locator (RpcUsnsvc) - Unknown owner - C:\WINDOWS\usnsvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5731 bytes

ComboFix 08-07-08.9 - Ferret 2008-07-10 1:56:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1569 [GMT -7:00]
Running from: C:\Documents and Settings\Ferret\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ferret\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Downlo~1\326ac.dll
C:\WINDOWS\Downlo~1\326b.dll
C:\WINDOWS\Downlo~1\326dc.dll
C:\WINDOWS\Downlo~1\326sc.dll
C:\WINDOWS\Tasks\326ac.job
C:\WINDOWS\Tasks\326b.job
C:\WINDOWS\Tasks\326dc.job
C:\WINDOWS\Tasks\326sc.job
C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\RegCure
C:\Program Files\RegCure\0_days.htm
C:\Program Files\RegCure\1_days.htm
C:\Program Files\RegCure\15_days.htm
C:\Program Files\RegCure\2_days.htm
C:\Program Files\RegCure\30_days.htm
C:\Program Files\RegCure\5_days.htm
C:\Program Files\RegCure\Animated-Bar.gif
C:\Program Files\RegCure\AutoUpdate.dll
C:\Program Files\RegCure\buttonfill.jpg
C:\Program Files\RegCure\buttonfill_expire.jpg
C:\Program Files\RegCure\buttonfill_mo.jpg
C:\Program Files\RegCure\buttonfill_mo_expire.jpg
C:\Program Files\RegCure\config.xml
C:\Program Files\RegCure\contentwrapper.gif
C:\Program Files\RegCure\expire.css
C:\Program Files\RegCure\footerbar.gif
C:\Program Files\RegCure\help.chm
C:\Program Files\RegCure\info_bubble.jpg
C:\Program Files\RegCure\Logs\Regcure-08-07-08-01-52-49.zip
C:\Program Files\RegCure\Logs\SystemInfo.zip
C:\Program Files\RegCure\LogSettings.xml
C:\Program Files\RegCure\main.css
C:\Program Files\RegCure\process-animation.gif
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\RegCure\settings.xml
C:\Program Files\RegCure\subtitlebar.gif
C:\Program Files\RegCure\tile_titlebar.jpg
C:\Program Files\RegCure\uninst.exe
C:\Program Files\RegCure\whitelist.dat
C:\Program Files\RegCure\zlibwapi.dll
C:\WINDOWS\Tasks\326ac.job
C:\WINDOWS\Tasks\326b.job
C:\WINDOWS\Tasks\326dc.job
C:\WINDOWS\Tasks\326sc.job
C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_z5t8zmv9


((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-09 19:32 . 2008-07-09 19:32 <DIR> d-------- C:\illusion
2008-07-09 19:25 . 2008-07-09 19:26 <DIR> d-------- C:\Program Files\MagicDisc
2008-07-09 19:25 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-07-09 09:43 . 2008-07-09 11:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 09:43 . 2008-07-09 09:43 <DIR> d-------- C:\Documents and Settings\Ferret\Application Data\Malwarebytes
2008-07-09 09:43 . 2008-07-09 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 09:43 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-09 09:43 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-08 19:21 . 2008-07-08 19:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-07 18:27 . 2008-07-07 18:27 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Juniper Networks
2008-07-07 17:23 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-07-07 17:23 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-07-07 17:22 . 2008-07-07 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-07 17:09 . 2008-07-07 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-07 16:36 . 2008-07-07 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 21:44 . 2008-07-06 21:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-06 21:44 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-07-06 20:35 . 2008-07-07 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-06 11:14 . 2008-07-06 12:07 <DIR> d-------- C:\Documents and Settings\Ferret\.housecall6.6
2008-07-06 10:32 . 2008-07-06 10:32 68 --a------ C:\WINDOWS\system32\568
2008-07-05 21:50 . 2008-07-05 21:50 68 --a------ C:\WINDOWS\system32\378
2008-07-05 21:31 . 2008-07-05 21:31 1,120 --a------ C:\WINDOWS\vapa.ini
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\UP
2008-07-05 21:29 . 2008-07-05 21:29 <DIR> d-------- C:\WINDOWS\system32\UP
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\Ferret\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-05 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 21:26 . 2008-07-06 20:35 113 --a------ C:\WINDOWS\MsWino.dat
2008-07-05 21:24 . 2008-07-05 21:24 81 --a------ C:\WINDOWS\-127-12299112
2008-07-05 21:20 . 2008-07-05 21:20 68 --a------ C:\WINDOWS\system32\10f0ce
2008-07-05 21:20 . 2008-07-06 21:41 29 --a------ C:\WINDOWS\system32\-86-12299112
2008-07-05 21:18 . 2008-07-05 21:18 8 --a------ C:\WINDOWS\system32\-102-12299112
2008-07-05 21:08 . 2008-07-06 20:29 865 --a------ C:\WINDOWS\error2.ini
2008-07-05 21:07 . 2008-07-06 21:35 <DIR> d-------- C:\WINDOWS\system32\inf
2008-07-04 14:59 . 2008-07-04 14:59 <DIR> d-------- C:\Program Files\AirPort
2008-07-04 14:56 . 2008-07-04 14:56 <DIR> d-------- C:\Program Files\Bonjour
2008-07-03 03:57 . 2008-07-03 03:57 49,152 --a------ C:\WINDOWS\TElem32.dll
2008-07-03 03:56 . 2008-07-03 03:56 20 --a------ C:\WINDOWS\nmsvc.ini
2008-07-02 20:57 . 2008-07-02 20:57 36,864 --a------ C:\WINDOWS\icpb.dll
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-19 19:21 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-19 19:21 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-19 19:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-15 21:26 . 2008-06-15 21:26 45,056 --a------ C:\WINDOWS\system32\usmsho.dll
2008-06-11 00:16 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 08:55 --------- d-----w C:\Documents and Settings\Ferret\Application Data\Azureus
2008-07-10 03:14 --------- d-----w C:\Program Files\Trillian
2008-07-09 00:48 --------- d-----w C:\Program Files\Badder Adder
2008-07-08 00:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 05:47 --------- d-----w C:\Documents and Settings\Ferret\Application Data\IGN_DLM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 06:54 --------- d-----w C:\Program Files\mIRC
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 17:28 --------- d-----w C:\Program Files\DiskInternals
2008-05-28 04:55 --------- d-----w C:\Program Files\EA games
2008-05-11 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 01:08 --------- d-----w C:\Program Files\Common Files\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 10:58 2483496]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

C:\Documents and Settings\Ferret\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-07-09 19:25:54 547840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ferret^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\360
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavMonS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
--a------ 2008-03-06 17:40 733184 C:\Program Files\AirPort\APAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 14:57 1103480 C:\Program Files\IGN\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
--a------ 2007-02-05 04:05 4354048 C:\Program Files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-10 22:25 1266936 C:\Program Files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 04:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 12:41 24576 C:\WINDOWS\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AirPort\\APAgent.exe"=

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 16:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 16:05]
S2 RpcUsnsvc;Remote Procedure Call Locator;C:\WINDOWS\usnsvc.exe []
S2 WbWin;WbWin;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 03:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WbWin
ProtectedStorager5

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 15:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 02:03:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
-> ?:\WINDOWS\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-07-10 2:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 09:08:53
ComboFix2.txt 2008-07-09 18:19:53
ComboFix3.txt 2008-07-08 20:16:18

Pre-Run: 4,617,011,200 bytes free
Post-Run: 4,947,107,840 bytes free

262 --- E O F --- 2008-07-09 09:36:18
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13070
  		   Posted 7-12-2008 6:08 (GMT +2)    Quote: RUNDLL error + VirusAlert an admin about: RUNDLL error + Virus
It looks like you have Trend Micro as virus scanner, is it updated ?

Do NOT post your problem in someone elses thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Back to Top
 
New Topic Post reply to : RUNDLL error + Virus Printable version of : RUNDLL error + Virus
 
Forum Information
Currently it is Monday, October 06, 2008 5:17 PM (GMT +2)
There are a total of 62.543 posts in 15.601 threads.
In the last 3 days there were 18 new threads and 44 reply posts. View Active Threads
Who's Online
This forum has 26660 registered members. Please welcome our newest member, bloat.
54 Guest(s), 1 Registered Member(s) are currently online.  Details
Touch
5 Latest Threads
CiD spyware!!cant get rid of it! (3)06-10-2008 15:15:42 (Touch)
Qhonsvc error probably caused by quick heal (1)06-10-2008 10:00:25 (Touch)
Pop Up when the System Starts - Suspecting Win32: Trojan-gen{Other} (3)06-10-2008 05:40:55 (Touch)
Trojan horse generic2.UWF (10)06-10-2008 05:07:26 (Touch)
Infostealer.Gampass (8)06-10-2008 03:22:32 (Touch)


Need Support? Write to: | Forum Help Manual

Download free trial version of Bullguard