Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: msvcp60.dll malware?

  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    56

    Default msvcp60.dll malware?

    Hi

    Could you please help me search for and delete what appears to be a malicious file - msvcp60.dll? MBAM quarantined this file but I restored it after experiencing boot-up problems. Now the file has gone missing from the location I restored it to without affecting booting of the PC.

    I only noticed it missing after I carried out an online PandaActiveScan, which seems to suggest that MBAM had previously been able to track down the file in safe mode because the file was caught off-guard.

    Is this a malicious file mimicking the properties of a genuine msvcp60.dll by affecting the boot-up process of the PC when deleted, only to go on the run when restored?

    MBAM staff say that such files identified by the scanner appear to be modified.

    My MBAM and HJT logs are below.

    Thanks.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3666
    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    01/02/2010 07:36:24
    mbam-log-2010-02-01 (07-35-58).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 152078
    Time elapsed: 31 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Common Files\SupportSoft\bin\msvcp60.dll (Malware.Packer.Gen) -> No action taken.
    C:\System Volume Information\_restore{8F8585E0-D240-4989-A439-018CEC98E9A4}\RP18\A0369691.dll (Malware.Packer.Gen) -> No action taken.
    C:\System Volume Information\_restore{8F8585E0-D240-4989-A439-018CEC98E9A4}\RP18\A0371710.dll (Malware.Packer.Gen) -> No action taken.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:52:35, on 03/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Rvsystem] C:\PROGRA~1\Returnil\Returnil.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5429 bytes

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    Your log is a few days old. If you still need help simply reply to my post.
    How Can I Reduce My Risk?

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    56

    Default

    Hi

    Yes, I would very much appreciate your help.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    You can post a DDS log that will provide a closer look. Are you having any signs of malware on your machine?
    You can try running System File checker:

    http://www.helpwithwindows.com/WindowsXP/howto-24.html

    Please download DDS and save it to your desktop.
    Double click dds.scr to run the tool. When done, DDS.txt will open.
    Save both reports to your desktop.
    Copy/paste both logs in your reply.
    How Can I Reduce My Risk?

  5. #5
    Member
    Join Date
    Apr 2006
    Posts
    56

    Default

    Here's the DDS logs....I haven't got my CD so I will try the Registry Editor fix asap. I suppose I took the unexplained vanishing of the said file as the sign of malware, and I have been worried it could be a keylogger.


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by LNC4 at 22:33:42.32 on 11/02/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1679 [GMT 0:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\LNC4\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Rvsystem] c:\progra~1\returnil\Returnil.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\lnc4\applic~1\mozilla\firefox\profiles\7rmndnuv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.mytalktalk.co.uk
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 RVSDISK;RVSDISK;c:\windows\system32\drivers\RVSDISK.sys [2010-1-20 11904]
    R0 RVSYSTEM;RVSYSTEM;c:\windows\system32\drivers\RVSYSTEM.sys [2010-1-20 38272]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-13 11608]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-24 353672]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-13 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-13 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-13 56816]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [2006-8-24 477696]

    =============== Created Last 30 ================

    2010-01-20 21:58:10 11904 ----a-w- c:\windows\system32\drivers\RVSDISK.sys
    2010-01-20 21:58:09 38272 ----a-w- c:\windows\system32\drivers\RVSYSTEM.sys
    2010-01-20 21:58:06 0 d--h--w- C:\RETURNIL
    2010-01-20 21:58:06 0 d-----w- c:\program files\Returnil
    2010-01-16 11:54:50 0 d-----w- c:\windows\system32\NtmsData

    ==================== Find3M ====================

    2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-16 03:16:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-04-24 12:42:58 451928 ----a-w- c:\program files\setup.exe
    2009-04-24 12:42:46 133492859 ----a-w- c:\program files\openofficeorg1.cab
    2009-04-24 12:42:20 9815040 ----a-w- c:\program files\openofficeorg31.msi
    2009-04-23 22:36:08 336 ----a-w- c:\program files\setup.ini
    2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
    2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
    2009-01-24 18:46:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

    ============= FINISH: 22:34:16.07 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 27/04/2008 11:03:52
    System Uptime: 02/11/2010 22:26:47 (-6336 hours ago)

    Motherboard: Dell Inc. | | 0FG112
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 31.164 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 01/02/2010 17:09:41 - System Checkpoint
    RP2: 01/02/2010 17:10:23 - testing

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1
    Avira AntiVir Personal - Free Antivirus
    Broadcom Gigabit Integrated Controller
    Critical Update for Windows Media Player 11 (KB959772)
    Dell ResourceCD
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver
    Java(TM) 6 Update 13
    Java(TM) 6 Update 17
    Malwarebytes' Anti-Malware
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.0.10)
    OpenOffice.org 3.1
    PowerDVD
    Returnil Virtual System Personal Edition
    Revo Uninstaller 1.83
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    TalkTalk Assist & Go
    Trend Micro TrendProtect for Internet Explorer
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    07/02/2010 20:59:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    07/02/2010 20:52:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss ssmdrv Tcpip vsdatant
    07/02/2010 20:52:37, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
    07/02/2010 20:52:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    07/02/2010 20:52:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    07/02/2010 20:52:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    07/02/2010 20:52:37, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    07/02/2010 20:51:33, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    ==== End Of File ===========================

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    I dont recognize any malware. Is your antivirus up to date:
    AntiVir Desktop *On-access scanning disabled* (Outdated)
    Its possible that a modified (Windows OS file) file was the result of a Windows update.

    You can do a online scan for another opinion:

    ESET online scanner:

    http://www.eset.com/onlinescan/

    uses Internet Explorer only
    check "YES" to accept terms
    click start button
    allow the ActiveX component to install
    click the start button. the Scanner will update.
    check both "Remove found threats" and "Scan unwanted applications"
    click scan
    when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
    please copy/paste that log in next reply.
    How Can I Reduce My Risk?

  7. #7
    Member
    Join Date
    Apr 2006
    Posts
    56

    Default

    Sorry about the delay; here's the log.....

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=7a0e91a23784a6489c0fb9fa2701e5e6
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-02-14 10:11:23
    # local_time=2010-02-14 10:11:23 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 22084661 22084661 0 0
    # compatibility_mode=1797 16775141 100 100 11125 42072362 7720 0
    # compatibility_mode=8192 67108863 100 0 3762 3762 0 0
    # compatibility_mode=9217 16777214 100 77 27863348 50545824 0 0
    # scanned=30939
    # found=0
    # cleaned=0
    # scan_time=2147

    My antivirus is programmed to flag a warning after 3 days but I have opted to update weekly.

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    looks good to me. Did you try System File Checker?
    The file in question (msvcp60.dll) should be located @
    C:\Windows\System32.

    in order for all of the files to show in explorer you can try this first;

    on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

    See if that helps finding the file.
    How Can I Reduce My Risk?

  9. #9
    Member
    Join Date
    Apr 2006
    Posts
    56

    Default

    I found 4 msvcp60.dll files (Microsoft C+ Runtime Library), average size 400kb, in Safe Mode -

    1. C/Windows/system32
    2. C/Windows/ServicePackFiles/i386
    3. C/Windows/WinS*S/*86_Microsoft_Tools...
    4. C/Windows/WinS*S/*86_Microsoft_Tools...

    I have tried System File Checker via Registry Editor, but it has not resulted in the replacement of the file. What I know about this file is that it can also be installed by 3rd party applications for their own purposes, and one suggestion has been that I could copy the file from say, System_32, to the location it went missing from. However, since I'm not currently experiencing any OS instability by its absence, maybe its best to leave things as they are for now.

    I will continue to scan regularly, and if such a file is identified again I will quarantine it and send a zipped copy to your labs if permissible.

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    thanks for the info. System file checker would attempt to replace a file only if it found a 'bad corrupt or damaged' protected Windows file. You could if you wanted upload the files to virus total where they would be checked out by running them through many scanners. I agree; if all is well then I would leave as is.
    You can delete the DDS file from your desktop.
    Virustotal

    If all is good: some tips to help you remain malware free:

    10 Tips that should help *Reduce and Prevent* your risk To Malware:


    1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here.

    2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. Use the Alt+F4 key to close your browser. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware on your computer then its time to review your computer habits.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source?

    5) Don't click on ads/pop ups or any offer from websites requesting that you need to install software to your computer--*for any reason.* Use the Alt+f4 key to close your browser.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's.

    10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p networks then you are also much more likely to encounter malicious code. Do you really trust the source of the file? Do you really need another malware source?

    A longer version in link below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •