strange .dll loading at start-up

#1 nok32

Here is a detailed description of what is going on; the HijackThis log is at the end:
1) First, Kaspersky caught some sort of trojan and was able to delete all but two .dll files located in the system32 directory. I ended up having to delete them offline using DOS from a boot CD. :)
2) After that, Kaspersky scanned clean.
3) But then I noticed in Process Explorer that a 'rundll.exe' was still appearing at start-up. When I hover the mouse pointer over it in the Process Explorer window, it says that the file is actually a .dll in system32. Searching this filename on Google, I get nothing. Now that's pretty suspicious, eh? Whenever I reboot (which is rare) I just kill this process immediately and it never comes back during the session, and my system seems to be running well enough (no pop-ups or system hangs, etc.).
4) But I am pretty sure this must be some kind of virus, right? Here is the HijackThis log; hopefully it can shed some light on what's going on?? Oh, and please don't be confused -- I changed the names of some of my system directories using winlite. So, 'program files' is 'applications', 'windows' is 'wondoes', 'docs & settings' is 'users'. I just liked those names better, and why not? :) Call me precocious!:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:33 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WONDOES\System32\smss.exe
C:\WONDOES\system32\winlogon.exe
C:\WONDOES\system32\services.exe
C:\WONDOES\system32\lsass.exe
C:\WONDOES\system32\svchost.exe
C:\WONDOES\System32\svchost.exe
C:\WONDOES\system32\spoolsv.exe
C:\applications\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\WONDOES\Explorer.EXE
C:\WONDOES\system32\ctfmon.exe
C:\WONDOES\system32\hkcmd.exe
C:\WONDOES\system32\igfxpers.exe
C:\applications\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WONDOES\RTHDCPL.EXE
C:\applications\Synaptics\SynTP\SynTPEnh.exe
C:\applications\Notebook Hardware Control\nhc.exe
C:\applications\D-Tools\daemon.exe
C:\applications\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\applications\Fingerprint Sensor\ATSwpNav.exe
C:\applications\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\applications\Active Desktop Calendar\ADC.exe
C:\applications\CFi\ShellToys\CFiShlMan.exe
C:\applications\CFi\ShellToys\cliphook.exe
C:\applications\Weather Watcher\ww.exe
C:\applications\RocketDock\RocketDock.exe
C:\applications\GPSoftware\Directory Opus\DOpus.exe
C:\applications\Bonjour\mDNSResponder.exe
C:\WONDOES\system32\DRIVERS\CDANTSRV.EXE
C:\applications\allSnap\allSnap.exe
C:\WONDOES\system32\gearsec.exe
C:\applications\process explorer\procexp.exe
C:\applications\Raxco\PerfectDisk\PDAgent.exe
C:\applications\Last.fm\LastFMHelper.exe
C:\WONDOES\system32\svchost.exe
C:\applications\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WONDOES\system32\wscntfy.exe
C:\applications\Mozilla Firefox\firefox.exe
C:\applications\Mozilla Thunderbird\thunderbird.exe
C:\applications\Internet Download Manager\IDMan.exe
C:\WONDOES\system32\notepad.exe
C:\applications\ABBYY FineReader 9.0\FineReader.exe
c:\applications\abbyy finereader 9.0\FineExec.exe
c:\applications\abbyy finereader 9.0\FineExec.exe
C:\applications\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.143.13.82:3128
O1 - Hosts: 127.255.255.255 www.get-right.com
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O1 - Hosts: 127.255.255.255 www.get-right.com
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\applications\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {D10F0F11-55C3-4338-8B07-2F39FA24BFA3} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WONDOES\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WONDOES\system32\igfxpers.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\applications\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\applications\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\applications\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\applications\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\applications\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [Babylon Client] C:\applications\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\applications\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\applications\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [AVP] "C:\applications\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [BMd70706a7] Rundll32.exe "C:\WONDOES\system32\mlfdvcnu.dll",s
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\applications\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [CFi ShellToys Utility Manager] "C:\applications\CFi\ShellToys\CFiShlMan.exe" -start
O4 - HKCU\..\Run: [CFi ShellToys Clipboard History] "C:\applications\CFi\ShellToys\cliphook.exe" -start
O4 - HKCU\..\Run: [WeatherWatcher] C:\applications\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [RocketDock] "C:\applications\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DOpus] C:\applications\GPSoftware\Directory Opus\DOpus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WONDOES\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_15] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_08] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'NETWORK SERVICE')
O4 - Startup: Last.fm Helper.lnk = C:\applications\Last.fm\LastFMHelper.exe
O4 - Global Startup: allSnap.lnk = C:\applications\allSnap\allSnap.exe
O4 - Global Startup: procexp.lnk = C:\applications\process explorer\procexp.exe
O4 - Global Startup: RocketDock.lnk = C:\applications\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\applications\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\applications\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\applications\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\applications\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\applications\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links with IDM - C:\applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\applications\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download FLV videos with IDM from 10 last requested - C:\applications\Internet Download Manager\IEGetVL2.htm
O8 - Extra context menu item: Download with IDM - C:\applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\applications\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\applications\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\applications\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\APPLIC~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WONDOES\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WONDOES\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199911937468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: byXNdbYS - byXNdbYS.dll (file missing)
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\applications\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\applications\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\applications\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WONDOES\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\applications\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WONDOES\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\applications\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\applications\Power Translator\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\applications\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\applications\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\applications\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\applications\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\applications\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 11716 bytes
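
As an added example (not code from the thread, from the poster, or from HijackThis), here is a small Python triage script that walks lines from the log above and flags the load points that deserve a closer look: an O4 Run entry where rundll32 loads a DLL whose file name looks machine-generated, an O20 Winlogon Notify entry whose DLL is no longer on disk, and Hosts or proxy overrides that should be confirmed as deliberate. The sample lines are copied from the log posted above; the "looks generated" heuristics and the severity scale are my own assumptions chosen for illustration, not a vendor rule set.

```python
"""Triage a HijackThis-style log for suspicious startup load points.

Added example; not part of the original post or of HijackThis.
The scoring heuristics below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O20/O1/R1/O23 lines from the thread's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.143.13.82:3128
O1 - Hosts: 127.255.255.255 www.getright.com
O4 - HKLM\..\Run: [AVP] "C:\applications\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [BMd70706a7] Rundll32.exe "C:\WONDOES\system32\mlfdvcnu.dll",s
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O20 - Winlogon Notify: byXNdbYS - byXNdbYS.dll (file missing)
O23 - Service: gearsec - GEAR Software - C:\WONDOES\system32\gearsec.exe
"""

# O4 registry Run/RunOnce entries: hive, key, value name, command line.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# A command that hands a DLL to rundll32 (quoted path or bare name, then ",export").
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)
# Value names like "BMd70706a7": a short prefix followed by a long hex tail (assumption).
HEXNAME_RE = re.compile(r"[A-Za-z]{0,3}[0-9a-fA-F]{6,}")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): an alphabetic stem of 6+ characters with almost no
    vowels, or with a long run of consonants, looks machine-generated."""
    stem = re.sub(r"\.dll$", "", name, flags=re.IGNORECASE).lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", stem))
    return vowel_ratio < 0.25 or longest_run >= 5


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "review"
    reason: str


def triage(log: str) -> list[Finding]:
    """Return one Finding per log line that merits attention."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            loaded = RUNDLL_RE.match(run["cmd"])
            if loaded:
                dll_name = loaded["dll"].replace("/", "\\").rsplit("\\", 1)[-1]
                score, reasons = 0, []
                if looks_random(dll_name):
                    score += 2
                    reasons.append(f"DLL name '{dll_name}' looks generated")
                if HEXNAME_RE.fullmatch(run["name"]):
                    score += 1
                    reasons.append(f"value name '{run['name']}' looks generated")
                if score:
                    findings.append(Finding(line, "high" if score >= 2 else "medium", "; ".join(reasons)))
            continue
        if line.startswith("O20 - ") and "(file missing)" in line:
            findings.append(Finding(line, "high", "Winlogon Notify DLL not on disk: orphaned load point to remove"))
        elif line.startswith("O1 - Hosts:"):
            findings.append(Finding(line, "review", "Hosts override: confirm it was added deliberately"))
        elif line.startswith("R1 - ") and "ProxyServer" in line:
            findings.append(Finding(line, "review", "Proxy configured: confirm it is the expected one"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script reports the `mlfdvcnu.dll` Run entry and the missing `byXNdbYS.dll` Winlogon Notify entry as high, leaves the Kaspersky and nLite `advpack.dll` entries alone, and lists the Hosts and proxy lines for review. The useful point for a reader of the thread is that the load point, not the running `rundll32.exe` process, is what keeps bringing the file back after each reboot.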
#2 nok32

I did another Kaspersky scan today on my 'critical objects' and the same trojan was back again. :) I guess I just need to locate where it is coming from and delete that?? Aaargh.