Task Manager has multiple processes of "rundll32.exe"?

dxbdxb2009
On 3 of my PCs rundll32.exe processes are running.
One PC is installed with Windows Server 2000 and two are XP Pro with SP3.
Kaspersky AV is also installed with updated signature files.
Now when I look into Task Manager on all 3 PCs, almost 15-20 multiple processes named rundll32.exe are running. When I restart the PC and check Task Manager they are gone, but after 15-20 minutes I can see the same number of this application in Task Manager.
I can close these 20-25 applications but they appear again after 15 minutes.
What can be the cause?
I have looked in the HijackThis log; these processes are running from c:\windows\system32 in XP, and in Windows 2000 they are running from C:\winnt\system32.
Please help me regarding the same.
Best regards.


Commented:
Download Process Explorer:
http://technet.microsoft.com/fr-fr/sysinternals/bb896653.aspx

Then find rundll32.exe in the list, double click, and check the command line. You will find what it is running.

Commented:
(sorry for the fr link)

Commented:
Check msconfig to see what starts (Start - Run - msconfig).

Author

Commented:
Flob9 - No problem. I installed the English one and ran the same.

Kraeven - there is no msconfig in Windows 2000 Server.
On XP Pro I ran Process Explorer and checked the command line. I think it is running from c:\windows\system32 with the process line svchost.exe... I think so, but I am not in front of that system and can be tomorrow, so once I go there I will paste the HijackThis log again and the Process Explorer snapshot.
Thank you both.

Commented:
Double click on the rundll32 process and check the command line.

rundll32 is part of the Windows tools, and svchost too.

The relevant information in the command line is the arguments.

For example I have this running on my XP:

"C:\WINDOWS\system32\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

(this is normal since I have Bluetooth installed)

 

Author

Commented:
Sorry for the delay, I have just reached the office now!
I double clicked on the rundll32.exe process; in the command line it shows "rundll32.exe qbnzngc.rdn,ugfjzg". The path I see is "C:\WINDOWS\System32\rundll32.exe" and the current directory is "c:\windows\system32".
Each rundll32.exe has a different command line, like below:
rundll32.exe qbnzngc.rdn,ugfjzg
rundll32.exe qbnzngc.rdn,xpwdh
rundll32.exe qbnzngc.rdn,pilkcg

My Kaspersky is up to date.
Please let me know what to do.
An early reply will be appreciated.
Thanks

Commented:
This seems like spyware; do a spyware scan with Ad-Aware, Spybot or one of the many others...
Also do a complete virus scan, who knows what it might have missed...

Commented:
Yes, I agree, this looks like a randomly generated file name, probably a virus / malware.

Try an online virus scan (Trend Micro).

Also, locate the file "qbnzngc.rdn" and check it with this : http://www.virustotal.com/

A Kaspersky Rescue Disk might be useful in this situation:

ftp://ftp.downloads1.kaspersky-labs.com/devbuilds/RescueDisk/

Download the ISO and burn it as an image on a CD and boot your PC from it to run the scanner. After the scanner is finished, boot your PC in normal mode and see if the problem still remains.

Hope it helps.

Commented:
Or do it online without installing with this one for instance : http://www.emsisoft.com/en/software/ax/

Author

Commented:
flob9 -
warturtle -
Kraeven -
Thanks for your support.
What I found on my PCs: I went to Scheduled Tasks under Programs -> Accessories -> System Tools. There are around 56 scheduled jobs running, and when I end these jobs I find that all rundll32.exe processes are closed in Task Manager.
But after 10-15 minutes the scheduled tasks are automatically full and running again, even after I have deleted all tasks in Scheduled Tasks, and I can again find rundll32.exe processes in Task Manager.
I am not able to do any editing in these scheduled jobs because all are grayed out and there is no option to edit them.
All the jobs' names start with A1, A2 and so on.
Now can you please let me know how I can disable all scheduled tasks?
Awaiting your early reply.
Thanks!
DXB

Commented:
FYI, you can check %systemroot%\SchedLgU.Txt to see what tasks have run.

If you want to remove all tasks, just delete everything in C:\windows\tasks.

The security database for scheduled tasks may have become corrupt. Try the
following steps:

1) Stop the Task Scheduler service. Go to the command prompt and do a
cd\
cd windows

2) Run the command
c:\windows>attrib -s tasks

3) Go to the tasks folder and type
cd tasks

C:\WINDOWS\Tasks>attrib -h sa.dat

C:\WINDOWS\Tasks>dir
You can back them up if you want, then delete all tasks and the sa.dat file:
del *.*

4) Do a cd.. to go back to the c:\windows folder

5) Reset the system attribute on the tasks folder by typing the following in the
command prompt window
c:\windows>attrib +s tasks

6) Restart the Task Scheduler service

You can check that the Task Scheduler works
by creating a new task.


Hope this helps...

Commented:
Go to Control Panel > Scheduled Tasks > delete any scheduled task starting with "AT".
You will find a lot of them, with numbers.
After deleting them all,

restart, and that's all.

This is a worm-type virus.

Regards
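The two observations the thread keeps returning to are flob9's point that the rundll32 arguments (module and entry point) are what matter, and the numbered AT scheduled jobs that keep respawning the processes. As an added example (not a tool posted by anyone in this thread), the Python script below applies those two checks to constructed samples modelled on the thread's Process Explorer output and Tasks folder; the heuristics it uses (unusual module extension, all-lowercase entry point, one module loaded by many instances with distinct entry points, AT-numbered jobs) are my assumptions and mark items for review, not a verdict.

```python
"""Triage helper for the symptom pattern in this thread (added example, not a
poster's tool): many rundll32.exe instances loading a module with a
random-looking name, spawned by numbered AT<n>.job scheduled tasks.
All inputs here are constructed samples modelled on what the thread reports."""
import os
import re
from collections import defaultdict

# Module types rundll32 is normally asked to load; anything else is unusual.
NORMAL_EXTENSIONS = {".dll", ".cpl"}

# Accepts the forms Process Explorer shows: optional quoted full path, then
# "<module>,<entry>" or "<module>,,<entry>"; the entry point is optional.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe"?\s+'
    r"(?P<module>[^,\s]+)(?:,+(?P<entry>\S*))?",
    re.IGNORECASE,
)

# Legacy at.exe jobs are named AT<n>.job in %SystemRoot%\Tasks.
AT_JOB_RE = re.compile(r"^AT\d+\.job$", re.IGNORECASE)

# Constructed samples: the first line is the benign Bluetooth agent flob9
# quoted; the .rdn lines mirror the asker's Process Explorer output.
SAMPLE_CMDLINES = [
    '"C:\\WINDOWS\\system32\\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent',
    "rundll32.exe shell32.dll,Control_RunDLL",
    "rundll32.exe qbnzngc.rdn,ugfjzg",
    "rundll32.exe qbnzngc.rdn,xpwdh",
    "rundll32.exe qbnzngc.rdn,pilkcg",
    "notepad.exe readme.txt",
]
# Constructed directory listing of %SystemRoot%\Tasks.
SAMPLE_TASKS = ["AT1.job", "AT2.job", "AT37.job", "Backup Nightly.job", "SA.DAT"]


def parse_rundll32(cmdline):
    """Return (module, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group("module"), m.group("entry") or ""


def entry_point_flags(module, entry):
    """Per-invocation heuristics (assumptions, not signatures)."""
    flags = []
    ext = os.path.splitext(module)[1].lower()
    if ext not in NORMAL_EXTENSIONS:
        flags.append("unusual module extension %s" % (ext or "(none)"))
    # Windows exports are almost always CamelCase or contain digits or
    # underscores (Control_RunDLL); a bare all-lowercase word is atypical.
    if len(entry) >= 5 and entry.isalpha() and entry.islower():
        flags.append("all-lowercase entry point")
    return flags


def triage_process_list(cmdlines):
    """Group rundll32 instances by module and collect review flags."""
    by_module = defaultdict(lambda: {"instances": 0, "entries": set(), "flags": set()})
    for line in cmdlines:
        parsed = parse_rundll32(line)
        if parsed is None:
            continue
        module, entry = parsed
        rec = by_module[module.lower()]
        rec["instances"] += 1
        rec["entries"].add(entry)
        rec["flags"].update(entry_point_flags(module, entry))
    # The thread's pattern: one module loaded by several rundll32 instances,
    # each with a different entry point.
    for rec in by_module.values():
        if rec["instances"] >= 3 and len(rec["entries"]) == rec["instances"]:
            rec["flags"].add("many instances, each with a distinct entry point")
    return dict(by_module)


def at_jobs(task_listing):
    """Numbered AT jobs to open and read; at.exe jobs can be legitimate."""
    return sorted(n for n in task_listing if AT_JOB_RE.match(n))


def report(cmdlines, task_listing):
    """Human-readable summary; returns the lines so callers can log them."""
    lines = []
    for module, rec in sorted(triage_process_list(cmdlines).items()):
        verdict = "REVIEW" if rec["flags"] else "ok"
        lines.append("%-7s %s x%d: %s" % (verdict, module, rec["instances"],
                                           "; ".join(sorted(rec["flags"])) or "-"))
    jobs = at_jobs(task_listing)
    if jobs:
        lines.append("REVIEW  %d numbered AT job(s) in Tasks: %s" % (len(jobs), ", ".join(jobs)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CMDLINES, SAMPLE_TASKS)))
```

On a live host the command lines would come from Process Explorer or a WMI process listing and the task names from a directory listing of %SystemRoot%\Tasks; the output is a review list to check against the Kaspersky detection names and the job contents.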

Commented:
As I said, you should locate the file, analyze it with virustotal.com to find out what virus it is, then find a tool to clean it up.

Most Valuable Expert 2011
Top Expert 2011

Commented:
This would be great for the XP systems; not sure about the Server 2K box though... never had a need to try it....
Can also use ComboFix (stolen from rpggamergirl's postings...) :)

Here are the instructions; if it doesn't run at first, then redownload and rename it before saving to your desktop.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Personally, I wouldn't install the Recovery Console.

It could be a Conficker infection as well, I have seen questions on EE where a Conficker variant has started a lot of processes on a computer. It would be a good idea to check for this:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If you find Conficker in your computer, then please use this tool to remove it:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Hope it helps

Author

Commented:
Kraeven -
Sorry for replying to you late.
I did the same as described by you but the process started again, and I am able to see the automatic task started in Task Scheduler. I am not able to change the schedule time or anything in this task; everything is grayed out. (Find the attached snapshot.)
I have noted one thing: I am facing this problem on 25% of my company PCs, after I uninstalled Trend Micro OfficeScan and installed Kaspersky Total Space Security for XP workstations.
As I mentioned, KS is updated and is detecting the virus and disinfecting too.
Once I stop the Task Scheduler service in services.msc I cannot see any new process being created by Task Scheduler, but as soon as I start this service the rundll32.exe processes appear in numbers again.
Is there any other process I can opt for to get rid of this?
Awaiting your early reply.
Thanks!
DXB
Task.JPG

Author

Commented:
Kraeven -
warturtle -
noralain -
johnb6767 -
flob9 -
Any comments from you, experts!
Please reply ASAP.
Awaiting your early reply.
Thanks!

Hello,

What does KS say the name of the virus is? Secondly, could you send us a HijackThis log of your system? It can be downloaded from:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Author

Commented:
warturtle -
What I found on all of my domain PCs is that all of the PCs have the same problem: they are running rundll32.exe as SYSTEM on each PC, even though each PC has KS installed with updates.
Tomorrow I will send you the HijackThis log of one of the PCs.... but you really need to find a solution for me.
Please have a serious look into this matter.
Thanks.

Author

Commented:
warturtle - the virus name indicated by KS is the same as the name of the task being run, like:
see the image I posted; in Run you can see the name of the app being run is "Run : rundll32.exe zxlfak.da.fxieeov" and Created by / Run as: NT AUTHORITY\SYSTEM.
As I remember I did not see any suspicious entries in the HijackThis log, although I will post it after 2 hrs.
See and let me know ASAP.
Thanks for your kind support.

Could you please run ComboFix as advised by johnb earlier? Make sure that you read the instructions carefully, as any active antivirus application can stop ComboFix from working correctly.

Have you checked for Conficker infection as well from the link that I supplied to you?  

Author

Commented:
warturtle -

From where can I download ComboFix, what all needs to be considered before running it, and do I need to uninstall KS on all PCs? Please advise.

I am sending you the HijackThis log here.

Find the HijackThis log of the infected PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:10 AM, on 8/2/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
D:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ae;<local>
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background (User 'taldar')
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'taldar')
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe (User 'taldar')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://podgateway:808/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://podgateway:808/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://podgateway:808/officescan/console/ClientInstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://podgateway:808/officescan/console/ClientInstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomainname.ae
O17 - HKLM\Software\..\Telephony: DomainName = mydomainname.ae
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F147E20-8CF1-4DC7-9213-67366CBA30CB}: NameServer = 192.168.100.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomainname.ae
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomainname.ae
O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Box Document Registration Scheduler (iW DM iR DR Scheduler) - Unknown owner - D:\Program Files\Canon\iW DM\Program\iRScheduler.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe

--
End of file - 7669 bytes

Author

Commented:
Even though my KS detects and deletes it many times, the name of the virus KS shows is
"Virus Net-Worm.Win32.Kido.ih" running in C:\windows\system32\fhbrxpkp.dll.
The last name, fhbrxpkp.dll, does not remain the same; it is frequently changed and detected under the same virus name.
Can you please let me know which spyware / antivirus can clean my 50 PCs?
It is not easy to do manually, since we are running KS Total Space in our domain,
and it is not able to clean it.
Please help me out.
Awaiting your early reply.
Thanks!

Aha, thanks for sending the information to me. Kido is another name for Conficker. Yes, you do have Conficker on your PCs. Here's the official information from Kaspersky that you need to follow to remove it from the PCs. Please try the methods and let me know if the problem is treatable or not.

http://www.kaspersky.com/support/wks6mp3/error?qid=208279973

You need to patch your computers with the Windows Update to not allow the code execution by Kido/Conficker.

Commented:
Sorry I didn't get back to you sooner, vacation ;-)
It indeed looks like a Conficker infection...

I've uploaded the Sophos remover tools, a standalone and a network version:
rename .txt to .exe and run them, or download them from the site.

You need to register a free account before you can download them from the site, so I've included them in my post :-)

http://www.sophos.com/support/knowledgebase/article/54457.html


sconftool-107-sfx.txt
ssconftool-107-sfx.txt

Author

Commented:
warturtle - Okay, this is the same problem you searched out for me, and thanks for that, but you know when I run this tool the jobs are deleted from Scheduled Tasks, but after 30 minutes the AT1.job tasks are automatically created in Scheduled Tasks again, and within one hour more than 50 rundll32.exe processes can be seen.
Due to this, I think, my KS shows a virus detected named "Virus Net-Worm.Win32.Kido.ih", and sometimes it deletes it and sometimes it does not.
I tried it after installing the Windows patches as said by KS and you.
Please look for a permanent solution which can be installed or updated with KS.
Thanks for your support.
******************************************************
Kraeven - Thanks for your post.
What is the difference between the two exes, and is there any other effect on my network if I run the network removal tool on my live network (like my network becoming slow after I run it)?
If I run the network version, will all my PCs be disinfected at one time? As per warturtle's suggestion I ran the KS tool to remove Conficker, but after 30 minutes the PC is infected again due to other PCs, since I cannot run it on all PCs together............... any suggestion for removing it everywhere at once without losing network performance?
Awaiting your early reply.
thanks!
Top Expert 2007
Commented:
Combofix should be able to handle those AT*.jobs with its script function.
Use this Combofix link
Please download ComboFix by sUBs:


You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..


Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Commented:
http://www.sophos.com/support/knowledgebase/article/51416.html

All you need to know can be found at the link above...
Don't forget, after removing it, to install the MS Windows update for vulnerability MS08-067 on the disinfected PC.

What to do:

If your anti-virus solution does not have an on-access scanner that can detect and block Conficker from executing, your computers could be infected, and reinfected, if they remain connected to the network. Either:

remove your computers from the network by disconnecting them physically

or use a firewall to block file sharing on the network. For instructions on how to do this, please see Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker.

Once you have done this, follow step 2 or 3, depending on whether you use Active Directory on your network.

If you have a firewall product that is blocking access to your shared network folders, and you use Active Directory on your network, download the Sophos Conficker Cleanup Tool, configure it and then deploy it to your computers as a startup script using Active Directory Group Policy. Follow the instructions in these sections:

a. Download the Sophos Conficker Cleanup Tool
b. Edit the SCCT.vbs file to configure it for your network settings
c. Deploy the files to your computers using Active Directory Group Policy

If you have disconnected your computers from the network, or you do not use Active Directory on your network, download the Sophos Conficker Cleanup Tool and configure it, then burn it to CD or DVD. You will then have to go to each of your infected computers, load the CD/DVD and run the Sophos Conficker Cleanup Tool. NOTE, Conficker can infect removable drives, so do not use a USB pen drive for running the tool manually.
Follow the instructions in these sections:

a. Download the Sophos Conficker Cleanup Tool
b. Edit the SCCT.vbs file to configure it to use from a CD
c. Create a CD or DVD to be used on each infected computer

Hope this helps?
Top Expert 2007

Commented:
dxbdxb2009,

How is it going?
Which tool did you end up using?
I would've preferred using Combofix first and then AVZ if, after CF has run, the virus still persists.
If you went ahead with AVZ (via the developers) then also attach here the compressed file "virusinfo_syscheck.zip" so we can see what's going on. Either attach the zip here or upload it at EE.Stuff.com.

@ warturtle,
Please tell us, what's your reason for not posting the AVZ instruction here for the Asker?

Top Expert 2007

Commented:
No, that's okay, we don't need to know any private info or the guide, and I don't want to step on the AVZ developer's toes.
But in the future if we suggest the use of the AVZ tool then we help the Askers here at EE: we analyze the automated "virusinfo_syscheck" report and we'll provide the script.

Author

Commented:
Dear Warturtle,

Please find the attached AVZ log folder and combofix log file (please change the extension of the AVZ log to .html).

I would really appreciate it if you can forward the same to KS and can advise me what I need to do next.

Awaiting for your earlier reply,

Thanks!

DXB
log.txt
lk-syscure.txt
Could you please do the scan with the Kaspersky Rescue Disk as advised earlier (my first suggestion) and let us know? There are a couple of suspicious services loading in the background (visible from both the AVZ and ComboFix logs). The Rescue Disk might help in this case.
Top Expert 2007

Commented:
I asked if we could look at the AVZ's virusinfo_syscheck.zip, but I guess you don't want us to look, oh well that's okay.


With the Combofix log,
You need to use the CF script function to remove one bad file and those bad services and netsvcs.


Run Combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\wztgjbgn.dll
Driver::
bivagoeyfiyahfaixhimwolgijkzdpaz
NetSvc::
zdpazfaixhibivagoeyfiyahorsrfuimwolgijk
RegLock::
[HKEY_USERS\S-1-5-21-854245398-861567501-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Author

Commented:
rpggamergirl - I am sorry for not replying to you on time. It's not that I don't want a solution from you.
I am really thankful to you that you took your precious time for me.
On my infected PC where c:\windows\system32\wztgjbgn.dll was found, KS has deleted that one, but there are so many .dlls which are created by the Task Scheduler jobs, and these jobs' status is shown as running in C:\windows\tasks.
Kindly let me know how I can remove this problem from my network and all PCs.
I have so many PCs infected by the same problem; due to this my Exchange server users are being locked out automatically.
I would appreciate it if you could explain to me how I can deal with this problem, like "c:\windows\system32\wztgjbgn.dll".
Kindly suggest the best solution.
Awaiting your early reply.
Thanks!
DXB
Top Expert 2007

Commented:
No problem.
Are those multiple jobs in the Tasks folder on a different system? They are not showing in the Combofix log that you posted here.
Can you please run the Combofix CFScript and post the result of that one?
Did the Kaspersky developers help you with the AVZ?
You can attach the "virusinfo_syscheck.zip" here and I'll have a look at it and see if it's showing bad entries.
The virusinfo_syscheck.zip is what I want to look at, not the lk_syscure.html.

It is very important to isolate each infected system from the network to avoid re-infection. I know that's a hard task with numerous PCs. And I don't know of an easy solution to disinfect multiple PCs in one go. Maybe other experts can offer suggestions.
Can you attach the result of the combofix script please.

Author

Commented:
rpggamergirl - How can I get this "virusinfo_syscheck.zip" file?

Thanks!
Top Expert 2007

Commented:
Sorry, I assumed warturtle gave you the instructions on how to run the AVZ tool and how to find the log?
Navigate to the AVZ4 folder and locate the folder "LOG"; inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip.

Attach the compressed file "virusinfo_syscheck.zip" back here, and I also need you to attach the result of the Combofix script run, thanks.
 

Author

Commented:
rpggamergirl - sorry, I did not find the file you specified, "virusinfo_syscheck.zip", anywhere.
What I did find I am sending you attached herewith.
Please write how to create "virusinfo_syscheck.zip" using AVZ4.
This is all I can see in the LOG folder of AVZ4; along with it I am sending you the combofix log too.
Please take some time to go through it and let me know what is left for me to do.
Awaiting your early reply.
Thanks!
DXB

lk-syscure.txt
lk-syscureXML.txt
ComboFix.txt
log.txt
Top Expert 2007

Commented:
It has to be there... I just ran the AVZ4 tool on my PC to make sure the folder is there, and it is.

Run AVZ4 again please and follow these instructions carefully.

Download avz4.zip from here http://z-oleg.com/avz4.zip 
Unzip it to your desktop to a folder named avz4

1. Double click on AVZ.exe to run it.
2. Run an update by clicking the Auto Update button on the Right of the Log window:  
3. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again
 
After the update,
4. from the "File" menu, choose "Standard Scripts"
5. Put a check next to item 2: Advanced System Analysis
6. Click "Execute selected scripts"
7. At the next prompt, click the Yes button

8. Let the scan run and click "OK" when the completion prompt pops up
9. Now Close out of the Standard Scripts window, and exit AVZ
10. Navigate to the avz4 folder and locate the folder LOG
 
Inside the LOG folder you will find 3 items:
 virusinfo_syscheck.htm,
virusinfo_syscheck.xml
virusinfo_syscheck.zip
Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

Top Expert 2007

Commented:
DXB,

Sorry, but both of the Combofix logs that you attached in your above post are not from the running of CFScript but from a normal run.

When running Combofix using the script (you don't run it by double-clicking combofix.exe)
you need to drag the CFScript.txt onto ComboFix.exe:
drag the CFScript.txt and drop it over or onto Combofix.exe.
Top Expert 2007

Commented:
Okay, maybe this is the reason we have trouble running the script.
Since your Combofix.exe is also inside another folder, you need to save the CFScript.txt in the same location as your Combofix.exe.

Please ask if my instruction is not very clear.

See here below: your Combofix.exe is inside the Combofix folder
 c:\documents and settings\Administrator\Desktop\ComboFix\ComboFix.exe

So when you save the CFScript you need to save it in the same location as your combofix.exe(which is inside the combofix folder on your desktop)

Author

Commented:
rpggamergirl - Thanks for being with me.
I am posting here the combofix log and "virusinfo_syscheck.zip".
Please note I am not able to attach the "virusinfo_syscheck.zip" file here, so I unzipped it and attached the contents as the first two files. Kindly rename these as
1. avz-sysinfohtm.txt to avz-sysinfo.htm
2. avz-sysinfoxml.txt to avz-sysinfo.xml
and do the analysis.
I am waiting for your early reply since almost all my PCs are infected with this kind of problem.
I would be grateful if you can help me resolve the issue ASAP.
Many thanks!
DXB

avz-sysinfohtm.txt
avz-sysinfoxml.txt
ComboFixlog.txt

Author

Commented:
rpggamergirl -

Any updates!
Awaiting your early reply.
Thanks!
DXB
Top Expert 2007

Commented:
I am so sorry, I meant to check back here, my apologies.

Those bad services are still there, they just respawned, and I don't see their physical files in the AVZ report.

Can you please run these tools instead? Thanks.
1.  Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors (Recommended)
Primary Mirror
Secondary Mirror
 
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror:
Secondary Mirror:

Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:
* Drivers
* Files
* Processes
* SSDT
* Stealth Objects
* Hidden Services
* Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 

2.  Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
 

Author

Commented:
rpggamergirl - sorry, I am a bit busy with other work; I will reply to you with the required logs within 2 days.
Thanks!
Top Expert 2007

Commented:
Okay, no problem.... when you come back.. we'll be here, :)

Author

Commented:
Finally I used Combofix...... it could not be cleaned with the KS tools or KS AV.
Thanks for your support.
Top Expert 2007

Commented:
Glad to know that it's resolved.

Thanks for the points, but actually it was johnb6767 that first suggested Combofix, you might want to split the points or award him all the points.
Let me know if you want this thread re-opened.

Most Valuable Expert 2011
Top Expert 2011

Commented:
@rpg
No biggie, didn't really do much outside of a suggestion..... :)
