
Rundll Exe Read Error (2)


JPS


Hi,

Sorry, I have heard nothing since my last post in Sept, so I thought it best to send again!

Please find attached updated logs. I have set up a new internet virus protector which does not pick up the malware.

Can you please confirm whether this is a read error by Malwarebytes, as the scan continues to show Trojan.Agent & Backdoor.Bot and deletes these files, but they always reappear on the next scan.

Thanks,

Justin

Malwarebytes' Anti-Malware 1.41

Database version: 3045

Windows 5.1.2600 Service Pack 3

28/10/2009 4:40:21 PM

mbam-log-2009-10-28 (16-40-21).txt

Scan type: Quick Scan

Objects scanned: 138259

Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

and

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:41:34 PM, on 28/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Java\jre6\bin\jqs.exe

D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\wanmpsvc.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Java\jre6\bin\jusched.exe

D:\WINDOWS\system32\hkcmd.exe

D:\WINDOWS\system32\igfxpers.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\LTMSG.exe

D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

D:\WINDOWS\System32\keyhook.exe

D:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\sistray.exe

D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

D:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*;172.*;127.*;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll

O2 - BHO: SearchHelperBho - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] D:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [siSUSBRG] D:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [mxomssmenu] "D:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Add to Anti-Banner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm

O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

--

End of file - 6962 bytes
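One thing the two logs above can answer on their own, before anyone decides whether the detections are a read error: the genuine rundll32.exe on Windows XP lives in %SystemRoot%\system32, and both MBAM hits are in the Windows root (D:\WINDOWS). The script below is an added example for this thread, not Malwarebytes or Trend Micro code. It parses the "Files Infected" block of the MBAM log and the absolute paths in the HijackThis log, labels any file that carries a system32-only name but sits elsewhere, lists binaries running directly from the Windows directory that are not on a short (illustrative, assumed) allowlist, and pulls out O4 Run entries that name a bare executable, which Windows resolves by searching directories at logon rather than from a fixed path. The Windows directory is taken from the logs; the sample input is copied from the posted lines so it runs offline.

```python
"""Triage the MBAM and HijackThis excerpts posted above (added example, not
Malwarebytes or Trend Micro code).  One question: does each flagged or running
file sit where the genuine binary of that name lives?  WINDIR comes from the
posted logs; the root-directory allowlist is an illustrative assumption."""
import ntpath
import re

WINDIR = r"D:\WINDOWS"  # from the posted logs; adjust for another machine

# Names whose real home is system32.  A copy anywhere else, apart from the WFP
# cache and the service-pack store, deserves a hash and signature check.
SYSTEM32_ONLY = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}

# Binaries that legitimately sit directly in the Windows directory on XP.
# Assumption: illustrative only; extend it for your own build.
LEGIT_IN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe"}

# Constructed input: lines copied from the two logs in the post above.
MBAM_LOG = r"""Files Infected:
D:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

HJT_LOG = r"""Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\LTMSG.exe
D:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [siSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
"""

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"()\[\]\r\n]+?\.exe', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
QUALIFIED_RE = re.compile(r"^([A-Za-z]:\\|%[A-Za-z_]+%)")


def parse_mbam_detections(log):
    """(path, detection name, action) for each hit in an MBAM 'Files Infected' block."""
    hits = []
    for line in log.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["name"], m["action"]))
    return hits


def extract_hjt_paths(log):
    """Every absolute .exe path in a HijackThis log (process list, O4, O23, ...)."""
    return WIN_PATH_RE.findall(log)


def unqualified_run_entries(log):
    """O4 Run entries whose command is a bare executable name with no drive or
    %variable% prefix.  Windows finds it by searching directories, so the
    process list, not the registry value, says which file actually ran
    (compare [LTMSG] with D:\\WINDOWS\\LTMSG.exe in the posted log)."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m and not QUALIFIED_RE.match(m["cmd"].strip().strip('"')):
            out.append((m["name"], m["cmd"]))
    return out


def classify(path, windir=WINDIR):
    """'masquerade': system32-only name outside system32 (or its backup stores);
    'windows-root': unexpected binary directly in the Windows directory; else 'ok'."""
    directory, name = ntpath.split(path)
    d, w = directory.lower().rstrip("\\"), windir.lower().rstrip("\\")
    expected_stores = {w + r"\system32", w + r"\system32\dllcache",
                       w + r"\servicepackfiles\i386"}
    if name.lower() in SYSTEM32_ONLY and d not in expected_stores:
        return "masquerade"
    if d == w and name.lower() not in LEGIT_IN_WINDOWS_ROOT:
        return "windows-root"
    return "ok"


def triage(mbam_log, hjt_log, windir=WINDIR):
    """Correlate scanner detections with what HijackThis saw running or persisting."""
    findings = {}
    for path, det, action in parse_mbam_detections(mbam_log):
        findings[path] = {"source": "mbam", "detection": det, "action": action,
                          "location": classify(path, windir)}
    for path in extract_hjt_paths(hjt_log):
        label = classify(path, windir)
        if label != "ok":
            findings.setdefault(path, {"source": "hijackthis", "location": label})
    return findings


if __name__ == "__main__":
    for path, info in triage(MBAM_LOG, HJT_LOG).items():
        print(f"{info['location']:13s} {path}  ({info['source']}"
              f"{', ' + info['detection'] if 'detection' in info else ''})")
    for name, cmd in unqualified_run_entries(HJT_LOG):
        print(f"unqualified   [{name}] {cmd}")
```

On the posted logs this reports D:\WINDOWS\rundll32.exe as a masquerade candidate, D:\WINDOWS\rundll.exe, wanmpsvc.exe, LTMSG.exe and SiSUSBrg.exe as binaries in the Windows root, and the KHALMNPR.EXE and LTMSG entries as unqualified Run values. None of the posted O4/O23 lines references the two quarantined files, so a file that is recreated after each "Quarantined and deleted successfully" points to something still running or persisting that a default HijackThis view does not show. The follow-up on the machine itself is to compare the hash and Authenticode signature of any flagged file against the system32 copy (for instance with Sysinternals sigcheck) before treating it as a false positive.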


  • 2 weeks later...

Hello and welcome to Malwarebytes.

I apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a new HijackThis log. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please read this thread for instructions on how to post a HijackThis log and other further instructions:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

Please note that the forum is very busy and if I don
