| Thread ID: 96315 | 2009-01-06 09:45:00 | Hi - Problem w/ potential virus. please help | Petercola (14492) | Press F1 |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 735546 | 2009-01-06 09:45:00 | Hi, I have been having problems with a virus which hit me a few days ago. I reformatted completely and all was fine, but it seems I got it again. I am running Outpost Security Suite Pro 2009 and it cannot find anything, but my rundll32.exe changed the icon to a sheet of paper, and all the dates in my system32 folder got changed to August 4th, 2004. It's really frustrating because I just got this all set up again and I run Outpost, NoScript etc. Here is my HijackThis log, I hope someone can please help me. ------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:22:57 AM, on 1/6/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\WINDOWS\CTHELPER.EXE C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\Creative\Shared Files\CTSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\uTorrent\uTorrent.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\RunOnce: [LogiSPSetupNeedReboot] rundll32.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 4152 bytes | Petercola (14492) |
| 735547 | 2009-01-06 09:52:00 | Did you do a clean install or install over Windows (which won't remove it)? You can tick these entries, then tick "Fix checked". Close browsers. Disable System Restore. O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\RunOnce: [LogiSPSetupNeedReboot] rundll32.exe Then reboot, then get Malwarebytes and Trojan Remover below. Update both, then scan. Then select all options under Utilities in Trojan Remover. | Speedy Gonzales (78) |
| 735548 | 2009-01-06 10:25:00 | I had reformatted my 3 hard drives, and did a clean install on one of my drives after doing a full NTFS format. Trojan Remover found nothing and Malwarebytes is currently scanning. What are the chances that it is something that wouldn't be detected by either? I'll post what Malwarebytes says. Thanks again for the help. | Petercola (14492) |
| 735549 | 2009-01-06 10:31:00 | No probs. Welcome to PF1 BTW. Scan the system with Trojan Remover and see if it finds anything (open My Computer / click on C / right mouse). Umm, that's a possibility, nothing may pick it up (whatever it is). Don't forget to disable System Restore, then tick the entries above. | Speedy Gonzales (78) |
| 735550 | 2009-01-06 10:52:00 | Thanks for the welcome :P OK, I removed the entries that you listed, I ran Malwarebytes and Trojan Remover and RogueRemover. I got a rundll32 from my original Windows XP Pro CD and extracted it to the system32 folder and the dllcache and overwrote. However, the rundll32.exe is still being overwritten every time I copy it over, by one of a different file size of 32.5kb (36kb on disk) and modified August 4th, 2004. The results of Malwarebytes were: - Backdoor.Bot - Heuristic.Reserved.Word.Exploit Hopefully fixing that will make this all go away. Thanks EDIT: the rundll32.exe got created again, so I'm not sure what's making that happen. Any ideas? Here's my new HijackThis log ------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:50:39 AM, on 1/6/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\WINDOWS\CTHELPER.EXE C:\WINDOWS\system32\CTXFIHLP.EXE C:\Program Files\Creative\Shared Files\CTSched.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231198494077 O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 4465 bytes | Petercola (14492) |
| 735551 | 2009-01-06 10:58:00 | The log looks OK now, remember to click on remove the selected entry / entries. Then reboot if it wants to reboot. | Speedy Gonzales (78) |
| 735552 | 2009-01-06 11:08:00 | Thanks, if it looks OK, any idea why my rundll32 keeps getting overwritten? Thanks | Petercola (14492) |
| 735553 | 2009-01-06 11:15:00 | XP uses Windows File Protection (support.microsoft.com), so if you replace a file (if it's a system file), it'll probably replace it after you reboot. That's probably what you're seeing. And that rundll32 file (if SP2 isn't slipstreamed on the CD) is probably older than what's on the hard drive. And unless you install a hotfix / update or go through Windows Update (as stated on the MS site), XP will probably change / reinstall the version that was on the HDD. So, the only way it'll probably update is if you install SP3 (which may have an updated version of rundll32 in it). | Speedy Gonzales (78) |
| 735554 | 2009-01-06 11:37:00 | Oh OK, I see. Well, I've run the scans a few times each after reboots and all seems clear. Thank you so much for your help, very much appreciated! | Petercola (14492) |
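As an added triage example, not code from this thread or from HijackThis itself: a small Python parser for the O4 (registry Run/RunOnce) lines that Speedy Gonzales asked to be fixed in posts 735547 and 735550, run over lines copied from the posted logs as constructed input. It flags what a reviewer looks at first: a rundll32.exe entry with no DLL argument (the LogiSPSetupNeedReboot RunOnce entry), executables named without a directory, and RunOnce keys. The regex, record type and flag wording are my own assumptions about the log format.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - HKLM\..\RunOnce: [LogiSPSetupNeedReboot] rundll32.exe",
    r"O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe",
]

# HijackThis writes "\..\" for Software\Microsoft\Windows\CurrentVersion in O4 registry entries.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str          # executable token with surrounding quotes stripped
    args: str
    flags: list       # triage notes a reviewer should look at

def split_command(cmd):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()

def triage(line):
    """Parse one O4 registry line; returns None for non-registry O4 forms (Global Startup)."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    flags = []
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and not args:
        flags.append("rundll32 with no DLL argument")      # launches nothing useful; review it
    if "\\" not in exe:
        flags.append("unqualified path (resolved by PATH search)")
    if m.group("key").lower() == "runonce":
        flags.append("RunOnce entry (deleted after it runs)")
    return AutorunEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args, flags)

def flagged_entries(lines):
    return [e for e in map(triage, lines) if e is not None and e.flags]
```

Flagged entries are a review list, not verdicts: NvCplDaemon and the Creative helpers are legitimate vendor autoruns that simply rely on PATH lookup.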