
View Full Version : Rundll32.exe Infected with Virus



mask_kishore
2008-09-04, 17:56
I was earlier using AVG Free. I removed it and upgraded to Kaspersky Internet Security. Between these two installations, I suspect that my computer was infested by lots of viruses. During this time, my explorer.exe process started crashing repeatedly. I thought it was an error and consulted Microsoft support. They advised me to remove Kaspersky. I followed their troubleshooting steps, but to no avail. Then suddenly, one day I discovered a rogue program disguised as rundll32.exe. I used TuneUp Process Manager and found that this program was fake, i.e. it ran under different names, e.g. "uffegg.dll" and "dccyXPJ". This program loads itself at startup, and terminating it causes explorer.exe to crash too, causing great inconvenience to me. Please help. Here's a log of HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:34 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files-2\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
D:\Program Files-2\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files-2\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Animesh.FERRARI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Animesh.FERRARI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Animesh.FERRARI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Animesh.FERRARI\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [AVP] "D:\Program Files-2\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1547161642-2025429265-682003330-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Shin Chan')
O4 - HKUS\S-1-5-21-1547161642-2025429265-682003330-1006\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe (User 'Shin Chan')
O4 - HKUS\S-1-5-21-1547161642-2025429265-682003330-1007\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe (User 'AKP')
O4 - HKUS\S-1-5-21-1547161642-2025429265-682003330-1015\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mask')
O4 - HKUS\S-1-5-21-1547161642-2025429265-682003330-500\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe (User 'Administrator')
O4 - S-1-5-21-1547161642-2025429265-682003330-1006 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files-2\Microsoft Office\Office12\ONENOTEM.EXE (User 'Shin Chan')
O4 - S-1-5-21-1547161642-2025429265-682003330-1006 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files-2\Microsoft Office\Office12\ONENOTEM.EXE (User 'Shin Chan')
O4 - Global Startup: Firefox Preloader.lnk = D:\Program Files-2\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - D:\Program Files-2\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files-2\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - D:\Program Files-2\Flash2X\Flash Hunter\save.htm (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - D:\Program Files-2\Flash2X\Flash Hunter\save.htm (HKCU)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212138580500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205499308780
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B090E-38B9-4FF0-995A-5F90C9413511}: NameServer = 202.56.215.6,202.56.215.54
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,D:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,D:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,D:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files-2\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - D:\Program Files-2\MozyHome\mozybackup.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\Program Files-2\NetLimiter 2 Pro\nlsvc.exe

--
End of file - 6499 bytes



I'll be thankful if you can help me.
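An added triage script for the situation the post describes (a process that looks like rundll32.exe but may not be the real one). It is not part of the thread and not something the helper asked for; it is editor-supplied example code. Its approach is to distrust the process name and instead check the things a fake cannot easily forge: whether the image actually lives at %SystemRoot%\system32\rundll32.exe, whether that image and the DLL named on its command line carry a valid Authenticode signature, who the parent process is, and which autostart locations reference rundll32. The parent allow-list and the rule that a bare DLL name is resolved against system32 are assumptions made for this example. It assumes Windows PowerShell 2.0 or later with the WMI cmdlets available (PowerShell 2.0 installs on XP SP2/SP3).

```powershell
# Editor-supplied example, not from the original thread.
# Lists every running rundll32.exe with image path, loaded DLL, parent and
# signature status, then dumps autostart locations that reference rundll32.
# Assumes Windows PowerShell 2.0+ (Get-WmiObject, Get-AuthenticodeSignature).

$expectedImage = Join-Path $env:SystemRoot 'system32\rundll32.exe'
# Assumption: parents a legitimate rundll32 is normally spawned by.
$usualParents  = @('explorer.exe', 'svchost.exe', 'services.exe', 'userinit.exe')

function Get-SignerStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return $sig.Status.ToString()
}

# A legitimate rundll32 command line is "rundll32.exe <dll>,<EntryPoint> [args]".
# Returns the DLL path, or $null when no DLL argument is present at all.
function Get-LoadedDllPath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $rest     = $CommandLine -replace '^\s*("[^"]+"|\S+)\s*', ''   # drop the image token
    $dllToken = ($rest -split ',')[0].Trim().Trim('"')
    if (-not $dllToken) { return $null }
    if ([IO.Path]::IsPathRooted($dllToken)) { return $dllToken }
    # Assumption: a bare name is treated as living in system32 for this check.
    $candidate = Join-Path $env:SystemRoot "system32\$dllToken"
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    return $dllToken
}

$all     = Get-WmiObject Win32_Process
$results = @()
foreach ($p in ($all | Where-Object { $_.Name -ieq 'rundll32.exe' })) {
    $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    $dll    = Get-LoadedDllPath $p.CommandLine
    $flags  = @()
    if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedImage)) { $flags += 'image-not-in-system32' }
    if (-not $dll)                                                  { $flags += 'no-dll-argument' }
    if ($parent -and ($usualParents -notcontains $parent.Name))     { $flags += 'unusual-parent' }
    if ($parent) { $parentDesc = "$($parent.Name) ($($parent.ProcessId))" }
    else         { $parentDesc = "<exited> ($($p.ParentProcessId))" }

    $results += New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Image       = $p.ExecutablePath
        ImageSig    = Get-SignerStatus $p.ExecutablePath
        Dll         = $dll
        DllSig      = Get-SignerStatus $dll
        Parent      = $parentDesc
        CommandLine = $p.CommandLine
        Flags       = ($flags -join ',')
    }
}
$results | Format-Table PID, Image, ImageSig, Dll, DllSig, Parent, Flags -AutoSize
$results | Select-Object PID, CommandLine | Format-List

# Autostart locations: Run/RunOnce values that mention rundll32, plus the two
# places that load a DLL into explorer.exe and every other GUI process.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty $k
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        if ("$($prop.Value)" -match 'rundll32') { "$k\$($prop.Name) = $($prop.Value)" }
    }
}
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'  | Select-Object AppInit_DLLs
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell, Userinit
```

Run it from an elevated PowerShell prompt so Win32_Process returns command lines for every user's processes. A rundll32.exe whose image is outside system32, whose signature is not valid, or which has no DLL argument at all is the one to look at; a genuine rundll32 with no DLL to load simply exits. The AppInit_DLLs and Winlogon Shell/Userinit values are included because a DLL listed there is loaded inside explorer.exe itself, which is one way a process can take explorer down with it when it is killed; the HijackThis O20 line in the posted log shows the same AppInit_DLLs value. To see which modules are actually inside explorer.exe, `tasklist /m /fi "imagename eq explorer.exe"` works on XP without any extra tooling.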

Shaba
2008-09-06, 12:45
Hi mask_kishore

Rename HijackThis.exe to mask_kishore.exe and post back a fresh HijackThis log, please :)

Shaba
2008-09-11, 11:46
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.