Guest dave xnet Posted December 6, 2008

Hello,
recently had a virus that caught me by surprise. (on XP SP3)
It decided to "show" itself at a time the computer was unattended.
(according to the logs I reviewed).
When I returned to the machine bad things had been happening for about
20 minutes. (Included screens and screens of gambling sites, and
the shell stopping and starting every 10 seconds after rebooting.)
I was most surprised because Windows Defender and Avast
both had resident protection running.

With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
the machine is bootable and malware scans are not picking up anything
else.

However, I see something suspicious in the Task Manager, it's a
Rundll32 whose target I cannot find. There's two of them,
one is related to Nvidia - In Process Explorer I see CMD line
"F:\WINDOWS\system32\RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
I think that's OK.

But the other has this in the CMD line:
F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d

What is efcYPiJb.dll? A search of the HD fails to turn up this file.
I'm all the more suspicious, as I have just spent 2 or 3 days
cleaning up the xpre/xrun virus and possibly vundo.

Any thoughts on this?
TIA,
Dave
Guest 1PW Posted December 6, 2008

On 12/05/2008 11:40 PM, dave xnet sent:

> Hello,
> recently had a virus that caught me by surprise. (on XP SP3)
> It decided to "show" itself at a time the computer was unattended.
> (according to the logs I reviewed) .
> When I returned to the machine bad things had been happening for about
> 20 minutes. (Included screens and screens of gambling sites, and
> the shell stopping and starting every 10 seconds after rebooting.
> I was most surprised because Windows Defender and Avast
> both had resident protection running.
>
> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
> the machine is bootable and malware scans are not picking up anything
> else.
>
> However, I see something suspicious in the Task Manager, it's a
> Rundll32 whose target I cannot find. There's two of them,
> one is related to Nvidia - In process Explorer I see CMD line
> "F:\WINDOWS\system32\RUNDLL32.EXE"
> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
> I think that's OK.
>
> But the other has this in the CMD line:
> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>
> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
> I'm all the more suspicious, as I have just spent 2 or 3 days
> cleaning up the xpre/xrun virus and possibly vundo.
>
> Any thoughts on this?
> TIA,
> Dave

Hello Dave:

Download and execute HijackThis from:

http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

Please, do _not_ post HJT logs to this newsgroup.

Here is where you can get good advice for HijackThis logs:

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?showforum=29

Note well: Registration is required in any of the above mentioned
forums. Before posting a HJT log, read the 'stickies'
(instructions/guidelines) for the respective HJT forum.

Please post a follow-up with a summary as to what was found and any
further action.

Good luck to you.

Pete

-- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest dave xnet Posted December 8, 2008

On Sat, 06 Dec 2008 01:36:23 -0800, 1PW <barcrnahgjuvfgyr@nby.pbz> wrote:

> On 12/05/2008 11:40 PM, dave xnet sent:
>> Hello,
>> recently had a virus that caught me by surprise. (on XP SP3)
>> It decided to "show" itself at a time the computer was unattended.
>> (according to the logs I reviewed) .
>> When I returned to the machine bad things had been happening for about
>> 20 minutes. (Included screens and screens of gambling sites, and
>> the shell stopping and starting every 10 seconds after rebooting.
>> I was most surprised because Windows Defender and Avast
>> both had resident protection running.
>>
>> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
>> the machine is bootable and malware scans are not picking up anything
>> else.
>>
>> However, I see something suspicious in the Task Manager, it's a
>> Rundll32 whose target I cannot find. There's two of them,
>> one is related to Nvidia - In process Explorer I see CMD line
>> "F:\WINDOWS\system32\RUNDLL32.EXE"
>> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
>> I think that's OK.
>>
>> But the other has this in the CMD line:
>> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>>
>> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
>> I'm all the more suspicious, as I have just spent 2 or 3 days
>> cleaning up the xpre/xrun virus and possibly vundo.
>>
>> Any thoughts on this?
>> TIA,
>> Dave
>
> Hello Dave:
>
> Download and execute HijackThis from:
>
> http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
>
> Please, do _not_ post HJT logs to this newsgroup.
>
> Here is where you can get good advice for HijackThis logs:
>
> http://www.thespykiller.co.uk/index.php?board=3.0
> http://www.spywarewarrior.com/viewforum.php?f=5
> http://forums.tomcoyote.org/index.php?showforum=27
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
> http://www.5starsupport.com/ipboard/index.php?showforum=18
> http://www.theeldergeek.com/forum/index.php?showforum=29
>
> Note well: Registration is required in any of the above mentioned
> forums. Before posting a HJT log, read the 'stickies'
> (instructions/guidelines) for the respective HJT forum.
>
> Please post a follow-up with a summary as to what was found and any
> further action.
>
> Good luck to you.
>
> Pete
>
> -- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

This process was not picked up by any of the malware scanners.
The target dll didn't exist on the system. A Windows Sysinternals
expert looked at the rundll32 stack trace and asked me if I had
looked in Control Panel/Scheduled Tasks - perhaps something there
could be kicking it off.
Duh! It was right there, hiding in plain sight. Seems as if it was
added by the malware, but this one piece was not cleaned up.

I'm doing a follow up with some of the malware forums to get
their opinion.
Thanks,
Dave
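Dave found the launcher by opening Control Panel/Scheduled Tasks and reading the task list by hand. The same check scripted in PowerShell, so it can be repeated on every machine being cleaned, is added here as an example and is not code from the thread: it lists every scheduled task whose command is a rundll32 invocation, parses the DLL and entry-point arguments in both of the forms that appear in Dave's Process Explorer output (bare path with ",Entry" and quoted path with ",Entry"), and reports whether the named DLL actually exists on disk. It assumes schtasks.exe is available (it ships with XP and later) and that the verbose CSV listing carries the task's command line in the "Task To Run" column; the two function names are my own.

```powershell
# Added example, not from the thread. Hunt for scheduled tasks that launch
# rundll32 and check whether the DLL they name still exists on disk: a
# rundll32 task whose DLL is gone is the orphaned persistence entry Dave found.
# Assumes schtasks.exe is present and that its verbose CSV listing carries
# the command line in the "Task To Run" column.

function ConvertFrom-Rundll32CommandLine {
    # Returns the DLL path and entry point from a rundll32 command line, or
    # $null when the command line does not invoke rundll32 with arguments.
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    # Skip past the host executable, whether written as rundll32.exe,
    # "F:\WINDOWS\system32\RUNDLL32.EXE" or any other casing.
    $m = [regex]::Match($CommandLine, '(?i)rundll32(?:\.exe)?"?\s+(.+)$')
    if (-not $m.Success) { return $null }
    $rest = $m.Groups[1].Value.Trim()

    # rundll32 syntax: <dll>[,<entrypoint>] [args]; the DLL may be quoted.
    if ($rest.StartsWith('"')) {
        $close = $rest.IndexOf('"', 1)
        if ($close -lt 0) { return $null }          # unbalanced quote
        $dll  = $rest.Substring(1, $close - 1)
        $rest = $rest.Substring($close + 1)
    } else {
        $dll  = ($rest -split '[,\s]', 2)[0]
        $rest = $rest.Substring($dll.Length)
    }

    $entry = ''
    if ($rest.StartsWith(',')) {
        $entry = ($rest.Substring(1).TrimStart() -split '\s', 2)[0]
    }
    [pscustomobject]@{ Dll = $dll; EntryPoint = $entry }
}

function Find-Rundll32Task {
    # One record per scheduled task that runs rundll32, with a DllExists flag.
    # schtasks on XP repeats the header row before every task, so rows whose
    # TaskName is literally "TaskName" are dropped.
    schtasks /query /fo CSV /v |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            [string]$cmd = $_.'Task To Run'
            if (-not $cmd) { return }               # no command recorded
            $parsed = ConvertFrom-Rundll32CommandLine -CommandLine $cmd
            if ($null -eq $parsed) { return }       # not a rundll32 task

            # Expand %SystemRoot%-style variables; a bare file name with no
            # directory is resolved against system32, where rundll32 would
            # normally find it.
            $dll = [Environment]::ExpandEnvironmentVariables($parsed.Dll)
            if (-not (Split-Path -Path $dll -Parent)) {
                $dll = Join-Path $env:SystemRoot "system32\$dll"
            }

            [pscustomobject]@{
                TaskName   = $_.TaskName
                Dll        = $dll
                EntryPoint = $parsed.EntryPoint
                DllExists  = Test-Path -LiteralPath $dll
                TaskToRun  = $cmd
            }
        }
}

# Sanity check of the parser against the two command lines from the thread.
'"F:\WINDOWS\system32\RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit',
'F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d' |
    ForEach-Object { ConvertFrom-Rundll32CommandLine -CommandLine $_ }

# Live listing; tasks whose DLL is missing sort first and deserve the closest look.
Find-Rundll32Task | Sort-Object DllExists | Format-Table -AutoSize
```

A rundll32 task whose DLL is present still deserves a glance at the DLL's signature and location, since rundll32 itself is a signed Windows binary and shows up as such in Task Manager regardless of what it was asked to load; that is exactly why the resident scanners in the thread had nothing to flag once the payload file was gone while the task that kept relaunching it remained.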
Guest 1PW Posted December 9, 2008

On 12/08/2008 03:52 PM, dave xnet sent:

> On Sat, 06 Dec 2008 01:36:23 -0800, 1PW <barcrnahgjuvfgyr@nby.pbz>
> wrote:
>
>> On 12/05/2008 11:40 PM, dave xnet sent:
>>> Hello,
>>> recently had a virus that caught me by surprise. (on XP SP3)
>>> It decided to "show" itself at a time the computer was unattended.
>>> (according to the logs I reviewed) .
>>> When I returned to the machine bad things had been happening for about
>>> 20 minutes. (Included screens and screens of gambling sites, and
>>> the shell stopping and starting every 10 seconds after rebooting.
>>> I was most surprised because Windows Defender and Avast
>>> both had resident protection running.
>>>
>>> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
>>> the machine is bootable and malware scans are not picking up anything
>>> else.
>>>
>>> However, I see something suspicious in the Task Manager, it's a
>>> Rundll32 whose target I cannot find. There's two of them,
>>> one is related to Nvidia - In process Explorer I see CMD line
>>> "F:\WINDOWS\system32\RUNDLL32.EXE"
>>> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
>>> I think that's OK.
>>>
>>> But the other has this in the CMD line:
>>> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>>>
>>> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
>>> I'm all the more suspicious, as I have just spent 2 or 3 days
>>> cleaning up the xpre/xrun virus and possibly vundo.
>>>
>>> Any thoughts on this?
>>> TIA,
>>> Dave
>> Hello Dave:
>>
>> Download and execute HijackThis from:
>>
>> http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
>>
>> Please, do _not_ post HJT logs to this newsgroup.
>>
>> Here is where you can get good advice for HijackThis logs:
>>
>> http://www.thespykiller.co.uk/index.php?board=3.0
>> http://www.spywarewarrior.com/viewforum.php?f=5
>> http://forums.tomcoyote.org/index.php?showforum=27
>> http://www.bleepingcomputer.com/forums/forum22.html
>> http://www.malwarebytes.org/forums/index.php?showforum=7
>> http://www.5starsupport.com/ipboard/index.php?showforum=18
>> http://www.theeldergeek.com/forum/index.php?showforum=29
>>
>> Note well: Registration is required in any of the above mentioned
>> forums. Before posting a HJT log, read the 'stickies'
>> (instructions/guidelines) for the respective HJT forum.
>>
>> Please post a follow-up with a summary as to what was found and any
>> further action.
>>
>> Good luck to you.
>>
>> Pete
>>
>> -- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
> This process, was not picked up by any of the malware scanners.
> The target dll didn't exist on the system. A Windows Sysinternals
> expert looked at the rundll32 stack trace and asked me if I had
> looked in Control Panel/Scheduled Tasks - perhaps something there
> could be kicking it off.
> Duh ! it was right there, hiding in plain sight. Seems as if it was
> added by the malware, but this one piece was not cleaned up.
>
> I'm doing a follow up with some of the malware forums to get
> their opinion.
> Thanks,
> Dave

Hello Dave:

If you haven't already done so, you might consider downloading, updating
and running the freeware version of:

<http://www.malwarebytes.org/mbam/program/mbam-setup.exe>

Please update this thread again when you're able.

Pete

-- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest dave xnet Posted December 9, 2008

On Mon, 08 Dec 2008 21:23:30 -0800, 1PW <barcrnahgjuvfgyr@nby.pbz> wrote:

> On 12/08/2008 03:52 PM, dave xnet sent:

<snipped for brevity>

>>> -- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
>> This process, was not picked up by any of the malware scanners.
>> The target dll didn't exist on the system. A Windows Sysinternals
>> expert looked at the rundll32 stack trace and asked me if I had
>> looked in Control Panel/Scheduled Tasks - perhaps something there
>> could be kicking it off.
>> Duh ! it was right there, hiding in plain sight. Seems as if it was
>> added by the malware, but this one piece was not cleaned up.
>>
>> I'm doing a follow up with some of the malware forums to get
>> their opinion.
>> Thanks,
>> Dave
>
> Hello Dave:
>
> If you hadn't already done so, you might consider downloading, updating
> and running the freeware version of:
>
> <http://www.malwarebytes.org/mbam/program/mbam-setup.exe>
>
> Please update this thread again when you're able.
>
> Pete

Hi Pete,
I'm at the point where Malwarebytes and the ESET online scanner say
everything is clean.
This is the first virus I had in over 10 years of being on the Internet.
I've got to believe that it was from a browser exploit of some kind.
I've heard Java and PDF are getting hit because people forget to update them.