Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

constant pop ups and rcntotdl.exe virus

constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 25th, 2008, 1:09 pm

IE was constantly popping up even when closed, and Avast found rcntotdl.exe and Win32:Trojan-gen. I virus scanned, ran Ad-Aware in safe mode and then ran ComboFix. Will you please evaluate my HJT log and advise for further action.

Thank you,

John
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:05 PM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\windows\system32\rlwnw64o.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcuniverse.com/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [{DF-F7-7C-CB-DW}] C:\windows\system32\rlwnw64o.exe DWrvgXX
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1360571921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6359 bytes
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: constant pop ups and rcntotdl.exe virus

Unread postby Bob4 » October 26th, 2008, 4:46 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!


  • Save and quit any work you're doing before beginning the fix.
  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!






_____________________________________
I see you're using Google's Chrome.
Please have a read here and decide whether or not you want to keep it.
I think it has some vulnerabilities; I wouldn't want it on my machine.

http://news.cnet.com/8301-13860_3-10031 ... ag=nl.e433

If you decide you don't want to keep it go to
"Add/remove programs" and uninstall it.



_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath in there.
If there is more than one file to scan, insert them 1 at a time.


C:\windows\system32\rlwnw64o.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

You may receive a message stating:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Just let me know if that is what you saw.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html




_______________________________________


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

If you accidentally close it you may find it here.
Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs




_______________________________________

PPCBOOSTER (C:\Program Files\ppcbooster\ppcb_32.exe)
I can't find enough on this program.
  • Can you tell me where you have gotten it from?
  • What does it do exactly?



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Malwarebytes
  • The report from Jotti's/VirusTotal
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 27th, 2008, 7:59 pm

Bob4,

Thank you for your help. I will follow your advice about Chrome. I do not know what ppcbooster is.

I was able to run the report on Jotti's; it said no file found.


Malwarebytes' Anti-Malware 1.30
Database version: 1329
Windows 5.1.2600 Service Pack 3

10/27/2008 7:51:36 PM
mbam-log-2008-10-27 (19-51-36).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 83873
Time elapsed: 47 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\drflex.band.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\drflex.bho.1 (Adware.DrFlex) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Dad\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\iCheck\iCheck.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\QdrDrive\QdrDrive20.dll.vir (Adware.DrFlex) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1DDBAAF7-3B73-4997-ABCA-A56524074DB6}\RP70\A0009328.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1DDBAAF7-3B73-4997-ABCA-A56524074DB6}\RP72\A0009457.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1DDBAAF7-3B73-4997-ABCA-A56524074DB6}\RP72\A0009459.dll (Adware.DrFlex) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1DDBAAF7-3B73-4997-ABCA-A56524074DB6}\RP72\A0009460.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1DDBAAF7-3B73-4997-ABCA-A56524074DB6}\RP72\A0009515.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cllezzwnrf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:39 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcuniverse.com/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1360571921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6942 bytes
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: constant pop ups and rcntotdl.exe virus

Unread postby Bob4 » October 27th, 2008, 8:33 pm

What happened to this line in HJT?
O4 - HKLM\..\Run: [{DF-F7-7C-CB-DW}] C:\windows\system32\rlwnw64o.exe DWrvgXX
Did you fix it yourself?


________________________________
If you're going to uninstall Chrome, please do so.




_________________________________
I see you have had ComboFix on this computer.
Was it recommended you use this from another forum?
How long ago did you use it?

Navigate to C:\ComboFix.txt

Post the contents of that log.


_________________________________________

Are the pop-ups still there or gone now?


_______________________
Open HJT.

This time click on
Misc Tools section

then:
Open Uninstall Manager
click on Save list.
Post that for me.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from the HJT uninstall list
  • Please answer my questions before we continue
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
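The question above ("What happened to this line in HJT?") is the helper comparing the O4 autorun lines of the two HijackThis logs by eye. The script below does that comparison mechanically, as an added example for this thread (it is not a MalwareRemoval.com or HijackThis tool): it parses the O4 Run/RunOnce and Startup lines of two logs, reports which entries disappeared or appeared between them, and marks entries a helper would typically ask about. The two log excerpts are constructed from lines quoted in this thread, and the two "worth a look" rules (a brace-wrapped value name that is not a well-formed GUID, and an executable sitting directly in the Windows directory that is started with a bare non-switch argument) are this example's own heuristics, not HijackThis rules.

```python
"""Diff the autorun (O4) lines of two HijackThis logs and mark entries worth a
second look.  Added example for this thread, not a MalwareRemoval.com or
HijackThis tool; the two log excerpts are constructed from lines quoted above."""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [value name] command line"   (also RunOnce, RunServices, ...)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O4 - Startup: foo.lnk = C:\path\foo.exe"  and  "O4 - Global Startup: ..."
LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>[^=]+?) = (?P<cmd>.+)$")
# A well-formed COM/installer GUID: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# An .exe sitting directly in %SystemRoot% or %SystemRoot%\system32
WIN_EXE_RE = re.compile(r"\\windows\\(?:system32\\)?[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Autorun:
    location: str  # e.g. "HKLM\..\Run", "HKCU\..\RunOnce", "Startup"
    name: str      # registry value name or .lnk file name
    cmd: str       # command line exactly as HijackThis printed it


def parse_autoruns(log_text):
    """Return every O4 entry in an HJT log as an Autorun record."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(Autorun(f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"]))
            continue
        m = LNK_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["where"], m["name"], m["cmd"]))
    return entries


def diff_autoruns(old_log, new_log):
    """(removed, added) between two logs, each ordered by location then name."""
    old, new = set(parse_autoruns(old_log)), set(parse_autoruns(new_log))
    key = lambda e: (e.location, e.name)
    return sorted(old - new, key=key), sorted(new - old, key=key)


def _split_cmd(cmd):
    """Split an HJT command line into (exe, args); a quoted exe path may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return parts[0], parts[1:]


def review_reasons(entry):
    """Heuristics (this example's assumptions, not HJT rules) for why a helper
    would ask about an entry.  An empty list means nothing stood out."""
    reasons = []
    name = entry.name.strip()
    if name.startswith("{") and name.endswith("}") and not GUID_RE.match(name):
        reasons.append("brace-wrapped value name that is not a well-formed GUID")
    exe, args = _split_cmd(entry.cmd)
    if WIN_EXE_RE.search(exe) and any(not a.startswith(("/", "-")) for a in args):
        reasons.append("executable in the Windows directory started with a non-switch argument")
    return reasons


def report(old_log, new_log):
    """Human-readable lines: what disappeared, what appeared, and why it matters."""
    removed, added = diff_autoruns(old_log, new_log)
    lines = []
    for tag, group in (("REMOVED", removed), ("ADDED", added)):
        for e in group:
            flags = review_reasons(e)
            note = f"  <-- {'; '.join(flags)}" if flags else ""
            lines.append(f"{tag}: {e.location} [{e.name}] {e.cmd}{note}")
    return lines


# Constructed excerpts: the relevant O4 lines of the first and second HJT logs in this thread.
OLD_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [{DF-F7-7C-CB-DW}] C:\windows\system32\rlwnw64o.exe DWrvgXX
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
"""

if __name__ == "__main__":
    print("\n".join(report(OLD_LOG, NEW_LOG)))
```

Run on the two excerpts it lists the rlwnw64o.exe entry as removed with both heuristics attached, and the Malwarebytes RunOnce and Spybot TeaTimer entries as added with nothing flagged; a disappearance that nobody fixed deliberately is exactly the kind of change a helper wants explained, since it may mean a tool quarantined the file, the user fixed the line, or the malware renamed itself.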

Re: constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 28th, 2008, 11:15 am

Bob,

Before I posted my troubles here, I googled ZenoSearch and rcntotdl.exe. I found the ComboFix page and gave it a try. They recommended to have the log file analyzed, and that led me to you. I have the original file if you would like to see it.

I have no idea what happened to O4 - HKLM\..\Run: [{DF-F7-7C-CB-DW}] C:\windows\system32\rlwnw64o.exe DWrvgXX. I did run Spybot several times while waiting for your reply. This seemed to help. The pop-ups seemed to be gone, but I could hear the sounds of the pop-up blocker in action. It seems much better after doing the things from your first post.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:47 AM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcuniverse.com/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1360571921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6234 bytes




ComboFix 08-10-27.05 - Dad 2008-10-28 10:39:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.102 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\New Briefcase\core programs\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-27 22:54 . 2008-10-27 22:54 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-10-27 22:54 . 2008-10-27 23:00 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\CVS
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 18:21 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-27 18:21 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-25 18:42 . 2008-10-25 20:37 683 --a------ C:\WINDOWS\wininit.ini
2008-10-25 17:55 . 2008-10-25 17:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-25 17:55 . 2008-10-26 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-25 12:24 . 2008-10-25 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-24 17:46 . 2008-10-24 17:46 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE
2008-10-23 20:03 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 22:58 . 2008-10-22 22:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-22 22:57 . 2008-10-22 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 22:57 . 2008-10-22 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-21 21:22 . 2008-10-21 21:22 <DIR> d-------- C:\Program Files\Astonsoft
2008-10-21 21:22 . 2008-10-21 22:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\DeepBurner
2008-10-21 20:17 . 2008-10-21 20:17 78,649 --a------ C:\WINDOWS\system32\ytrewfgyzd.exe
2008-10-21 20:16 . 2008-10-21 20:16 <DIR> d-------- C:\Program Files\ppcbooster
2008-10-21 20:16 . 2008-10-21 20:16 190,775 --a------ C:\WINDOWS\bdtb3452.exe
2008-10-21 20:16 . 2008-10-21 20:16 153,512 --a------ C:\WINDOWS\system32\g41.exe
2008-10-21 20:16 . 2008-10-21 20:16 70,599 --a------ C:\WINDOWS\pptb1948.exe
2008-10-21 19:17 . 2008-10-21 20:44 <DIR> d-------- C:\Program Files\321Studios
2008-10-16 21:32 . 2008-10-16 21:32 <DIR> d-------- C:\WINDOWS\Sun
2008-10-15 18:01 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 18:01 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 18:01 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 18:01 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-13 20:47 . 2008-10-13 20:47 40,096 --a------ C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
2008-10-06 22:17 . 2008-10-21 20:33 <DIR> d-------- C:\Incomplete
2008-10-06 22:16 . 2008-10-21 20:33 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-10-06 22:15 . 2008-10-06 22:15 <DIR> d-------- C:\Program Files\Java
2008-10-06 22:15 . 2008-10-06 22:15 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-06 22:15 . 2008-10-06 22:15 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-06 22:09 . 2008-10-06 22:10 <DIR> d-------- C:\Program Files\LimeWire
2008-10-05 09:28 . 2008-10-23 21:49 <DIR> d-------- C:\music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 01:14 27,262,976 ----a-w C:\VIRTPART.DAT
2008-09-27 12:47 --------- d-----w C:\Program Files\Symantec
2008-09-27 12:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-27 12:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-27 12:46 --------- d-----w C:\Documents and Settings\Dad\Application Data\Symantec
2008-09-16 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 02:35 --------- d-----w C:\Program Files\Creative
2008-09-16 02:17 --------- d-----r C:\Documents and Settings\Dad\Application Data\Brother
2008-09-16 02:12 --------- d-----w C:\Program Files\Brother
2008-09-16 02:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-16 02:09 --------- d-----w C:\Program Files\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-16 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Brother
2008-09-16 01:58 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-16 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 02:23 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ulead Systems
2008-09-14 22:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-14 22:44 --------- d-----w C:\Program Files\Ulead Systems
2008-09-14 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-14 22:42 --------- d-----w C:\Program Files\Windows Media Components
2008-09-14 22:33 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-14 22:29 --------- d-----w C:\Program Files\Digital Line Detect
2008-09-14 22:28 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-09-14 22:27 --------- d-----w C:\Program Files\UIU
2008-09-14 22:27 --------- d-----w C:\Program Files\CONEXANT
2008-09-14 22:05 --------- d-----w C:\Program Files\CyberLink
2008-09-14 21:57 --------- d-----w C:\Program Files\Sonic
2008-09-14 21:46 --------- d-----w C:\Program Files\MGI
2008-09-14 21:46 --------- d-----w C:\Program Files\Common Files\MGI Shared
2008-09-14 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGI
2008-09-14 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-09-14 20:37 57,344 ----a-w C:\WINDOWS\uneng.exe
2008-09-14 20:37 --------- d-----w C:\Program Files\Roxio
2008-09-14 20:37 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-09-14 19:46 --------- d-----w C:\Program Files\Alwil Software
2008-09-14 02:44 155,995 ----a-w C:\WINDOWS\java\Packages\KODB1J7V.ZIP
2008-09-14 02:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-25_11.51.26.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-28 14:26:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
+ 2008-10-28 14:26:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-20 679936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-06 140696]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ppcb_32.lnk - C:\Program Files\ppcbooster\ppcb_32.exe [2008-10-15 24576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 5632]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-06 152984]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.rcuniverse.com/index.cfm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 10:41:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Dad\LOCALS~1\Temp\RGI21.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Completion time: 2008-10-28 10:44:08
ComboFix-quarantined-files.txt 2008-10-28 14:44:04
ComboFix2.txt 2008-10-28 14:02:38
ComboFix3.txt 2008-10-25 15:51:52

Pre-Run: 27,582,226,432 bytes free
Post-Run: 27,572,731,904 bytes free

166 --- E O F --- 2008-10-24 07:01:12


############UNINSTALL LIST################

Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
avast! Antivirus
Brother MFL-Pro Suite
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
DeepBurner v1.8.0.224
Dell Modem-On-Hold
Dell ResourceCD
Digital Line Detect
Easy CD Creator 5 Basic
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 10
LimeWire 4.18.8
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MGI VideoWave 4
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
MyDVD
Norton Ghost
NVIDIA Display Driver
PaperPort
PowerDVD
PPC Booster
RON Tool Bannerstyles15
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Sound Blaster Live!
Spybot - Search & Destroy
Ulead CD & DVD PictureShow 3
Ulead Photo Explorer 8.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows XP Service Pack 3
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: constant pop ups and rcntotdl.exe virus

Unread postby Bob4 » October 28th, 2008, 12:54 pm

Hello again tequesta,
A couple of things. You have some files that need removing, but first you need to read a policy we have about peer to peer programs.
We have found that the vast majority of infected machines have a peer to peer program on them, like Lime Wire, as you have.


_______________________________________
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Lime Wire

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).





_________________________________________
tequesta wrote: I have the original file if you would like to see it.


Yes please.
Here is where you should find it.


Navigate to C:\Qoobox\ComboFix2.txt

ComboFix2.txt saves itself here each time you run the program.
I would like to see the log from the first time you ran Combofix.
That file may be ComboFix3.txt by now. (Look for the highest number and post that.)


DO NOT RUN COMBOFIX AGAIN.
This is a very powerful tool and should only be used with some supervision from someone trained to use it.



_________________________
In your next reply I would like to see:

  • The oldest report from Combofix
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 28th, 2008, 2:27 pm

Lime Wire is gone.
The log file is the first combo fix run on my computer.


ComboFix 08-10-24.02 - Dad 2008-10-25 11:45:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.52 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Dad\LOCALS~1\Temp\install_flash_player.exe
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\GetModule
C:\Program Files\GetModule\GetModule25.exe
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive20.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\VnrPack
C:\Program Files\VnrPack\dicts.gz
C:\Program Files\VnrPack\trgts.gz
C:\Program Files\VnrPack\VnrPack20.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nvsvc32.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))))))
.

2008-10-24 17:46 . 2008-10-24 17:46 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE
2008-10-23 20:03 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 22:58 . 2008-10-22 22:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-22 22:57 . 2008-10-22 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 22:57 . 2008-10-22 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-22 21:43 . 2008-10-22 21:43 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\GetModule
2008-10-22 21:42 . 2008-10-22 21:42 262,178 --a------ C:\WINDOWS\system32\rlwnw64o.exe
2008-10-21 21:22 . 2008-10-21 21:22 <DIR> d-------- C:\Program Files\Astonsoft
2008-10-21 21:22 . 2008-10-21 22:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\DeepBurner
2008-10-21 20:17 . 2008-10-21 20:17 78,649 --a------ C:\WINDOWS\system32\ytrewfgyzd.exe
2008-10-21 20:17 . 2008-10-21 20:17 64,859 --a------ C:\WINDOWS\system32\cllezzwnrf.exe
2008-10-21 20:16 . 2008-10-21 20:16 <DIR> d-------- C:\Program Files\ppcbooster
2008-10-21 19:17 . 2008-10-21 20:44 <DIR> d-------- C:\Program Files\321Studios
2008-10-16 21:32 . 2008-10-16 21:32 <DIR> d-------- C:\WINDOWS\Sun
2008-10-15 18:01 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 18:01 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 18:01 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 18:01 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-13 20:47 . 2008-10-13 20:47 40,096 --a------ C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
2008-10-06 22:17 . 2008-10-21 20:33 <DIR> d-------- C:\Incomplete
2008-10-06 22:16 . 2008-10-21 20:33 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-10-06 22:15 . 2008-10-06 22:15 <DIR> d-------- C:\Program Files\Java
2008-10-06 22:15 . 2008-10-06 22:15 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-06 22:15 . 2008-10-06 22:15 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-06 22:09 . 2008-10-06 22:10 <DIR> d-------- C:\Program Files\LimeWire
2008-10-05 09:28 . 2008-10-23 21:49 <DIR> d-------- C:\music
2008-09-27 08:49 . 2008-09-30 21:14 27,262,976 --a------ C:\VIRTPART.DAT
2008-09-27 08:47 . 2003-12-17 15:30 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-09-27 08:47 . 2003-12-17 15:30 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-09-27 08:47 . 2003-12-17 15:30 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-09-27 08:47 . 2003-12-17 15:30 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-09-27 08:46 . 2008-09-27 08:47 <DIR> d-------- C:\Program Files\Symantec
2008-09-27 08:46 . 2008-09-27 08:46 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-27 08:46 . 2008-09-27 08:46 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Symantec
2008-09-27 08:46 . 2008-09-27 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 02:35 --------- d-----w C:\Program Files\Creative
2008-09-16 02:17 --------- d-----r C:\Documents and Settings\Dad\Application Data\Brother
2008-09-16 02:12 --------- d-----w C:\Program Files\Brother
2008-09-16 02:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-16 02:09 --------- d-----w C:\Program Files\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-16 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Brother
2008-09-16 01:58 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-16 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 02:23 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ulead Systems
2008-09-14 22:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-14 22:44 --------- d-----w C:\Program Files\Ulead Systems
2008-09-14 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-14 22:42 --------- d-----w C:\Program Files\Windows Media Components
2008-09-14 22:33 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-14 22:29 --------- d-----w C:\Program Files\Digital Line Detect
2008-09-14 22:28 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-09-14 22:27 --------- d-----w C:\Program Files\UIU
2008-09-14 22:27 --------- d-----w C:\Program Files\CONEXANT
2008-09-14 22:05 --------- d-----w C:\Program Files\CyberLink
2008-09-14 21:57 --------- d-----w C:\Program Files\Sonic
2008-09-14 21:46 --------- d-----w C:\Program Files\MGI
2008-09-14 21:46 --------- d-----w C:\Program Files\Common Files\MGI Shared
2008-09-14 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGI
2008-09-14 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-09-14 20:37 57,344 ----a-w C:\WINDOWS\uneng.exe
2008-09-14 20:37 --------- d-----w C:\Program Files\Roxio
2008-09-14 20:37 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-09-14 19:46 --------- d-----w C:\Program Files\Alwil Software
2008-09-14 02:44 155,995 ----a-w C:\WINDOWS\java\Packages\KODB1J7V.ZIP
2008-09-14 02:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-20 679936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-06 140696]
"{DF-F7-7C-CB-DW}"="C:\windows\system32\rlwnw64o.exe" [2008-10-22 262178]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ppcb_32.lnk - C:\Program Files\ppcbooster\ppcb_32.exe [2008-10-15 24576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 5632]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-06 152984]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 19:44]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VnrPack20 - C:\Program Files\VnrPack\VnrPack20.exe
HKCU-Run-GetModule25 - C:\Program Files\GetModule\GetModule25.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.rcuniverse.com/index.cfm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-25 11:49:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-25 11:51:50
ComboFix-quarantined-files.txt 2008-10-25 15:51:47

Pre-Run: 27,220,705,280 bytes free
Post-Run: 27,530,842,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

187 --- E O F --- 2008-10-24 07:01:12
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: constant pop ups and rcntotdl.exe virus

Unread postby Bob4 » October 28th, 2008, 7:14 pm

I can see now where combo did some work for you.



Please delete the ComboFix you have now and download a newer version from the following links.


Link 1
Link 2
Link 3

Do NOT use it yet

!! PLACE IT ON THE DESKTOP !!




________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

File:: 
C:\WINDOWS\system32\ytrewfgyzd.exe
C:\WINDOWS\bdtb3452.exe
C:\WINDOWS\system32\g41.exe
C:\WINDOWS\pptb1948.exe
C:\WINDOWS\system32\ytrewfgyzd.exe
 


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will need in your next reply.


_______________________________________




Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    (Do not use the Registry function to clean anything with this program. Having anything auto clean your registry is risky.)


_________________________________

Please go to the Kaspersky website and perform an online antivirus scan. This scan will take a while. I wouldn't plan on watching it ;)

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from Kaspersky
  • Things still running OK ?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 28th, 2008, 11:38 pm

Things seem to be better.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:17 PM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Dad\Local Settings\temp\jkos-Dad\binaries\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcuniverse.com/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1360571921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6435 bytes


ComboFix 08-10-28.01 - Dad 2008-10-28 20:30:02.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.74 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\bdtb3452.exe
C:\WINDOWS\pptb1948.exe
C:\WINDOWS\system32\g41.exe
C:\WINDOWS\system32\ytrewfgyzd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bdtb3452.exe
C:\WINDOWS\pptb1948.exe
C:\WINDOWS\system32\g41.exe
C:\WINDOWS\system32\ytrewfgyzd.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-27 22:54 . 2008-10-27 22:54 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-10-27 22:54 . 2008-10-27 23:00 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\CVS
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-10-27 18:21 . 2008-10-27 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 18:21 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-27 18:21 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-25 18:42 . 2008-10-25 20:37 683 --a------ C:\WINDOWS\wininit.ini
2008-10-25 17:55 . 2008-10-25 17:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-25 17:55 . 2008-10-26 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-25 12:24 . 2008-10-25 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-24 17:46 . 2008-10-24 17:46 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE
2008-10-23 20:03 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 22:58 . 2008-10-22 22:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-22 22:57 . 2008-10-22 22:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 22:57 . 2008-10-22 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-21 21:22 . 2008-10-21 21:22 <DIR> d-------- C:\Program Files\Astonsoft
2008-10-21 21:22 . 2008-10-21 22:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\DeepBurner
2008-10-21 20:16 . 2008-10-21 20:16 <DIR> d-------- C:\Program Files\ppcbooster
2008-10-21 19:17 . 2008-10-21 20:44 <DIR> d-------- C:\Program Files\321Studios
2008-10-16 21:32 . 2008-10-16 21:32 <DIR> d-------- C:\WINDOWS\Sun
2008-10-15 18:01 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 18:01 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 18:01 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 18:01 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 18:01 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-13 20:47 . 2008-10-13 20:47 40,096 --a------ C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
2008-10-06 22:17 . 2008-10-21 20:33 <DIR> d-------- C:\Incomplete
2008-10-06 22:16 . 2008-10-21 20:33 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-10-06 22:15 . 2008-10-06 22:15 <DIR> d-------- C:\Program Files\Java
2008-10-06 22:15 . 2008-10-06 22:15 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-06 22:15 . 2008-10-06 22:15 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-05 09:28 . 2008-10-23 21:49 <DIR> d-------- C:\music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 01:14 27,262,976 ----a-w C:\VIRTPART.DAT
2008-09-27 12:47 --------- d-----w C:\Program Files\Symantec
2008-09-27 12:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-27 12:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-27 12:46 --------- d-----w C:\Documents and Settings\Dad\Application Data\Symantec
2008-09-16 02:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 02:35 --------- d-----w C:\Program Files\Creative
2008-09-16 02:17 --------- d-----r C:\Documents and Settings\Dad\Application Data\Brother
2008-09-16 02:12 --------- d-----w C:\Program Files\Brother
2008-09-16 02:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-16 02:09 --------- d-----w C:\Program Files\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-16 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-16 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Brother
2008-09-16 01:58 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-16 01:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 02:23 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ulead Systems
2008-09-14 22:52 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-14 22:44 --------- d-----w C:\Program Files\Ulead Systems
2008-09-14 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-14 22:42 --------- d-----w C:\Program Files\Windows Media Components
2008-09-14 22:33 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-14 22:29 --------- d-----w C:\Program Files\Digital Line Detect
2008-09-14 22:28 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-09-14 22:27 --------- d-----w C:\Program Files\UIU
2008-09-14 22:27 --------- d-----w C:\Program Files\CONEXANT
2008-09-14 22:05 --------- d-----w C:\Program Files\CyberLink
2008-09-14 21:57 --------- d-----w C:\Program Files\Sonic
2008-09-14 21:46 --------- d-----w C:\Program Files\MGI
2008-09-14 21:46 --------- d-----w C:\Program Files\Common Files\MGI Shared
2008-09-14 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGI
2008-09-14 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-09-14 20:37 57,344 ----a-w C:\WINDOWS\uneng.exe
2008-09-14 20:37 --------- d-----w C:\Program Files\Roxio
2008-09-14 20:37 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-09-14 19:46 --------- d-----w C:\Program Files\Alwil Software
2008-09-14 02:44 155,995 ----a-w C:\WINDOWS\java\Packages\KODB1J7V.ZIP
2008-09-14 02:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-25_11.51.26.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-14 22:53:19 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-10-28 16:11:53 167,936 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-09-14 22:53:19 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-10-28 16:11:53 2,560 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-09-14 22:53:19 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-10-28 16:11:53 34,304 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-09-14 22:53:20 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-10-28 16:11:53 8,192 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-09-14 22:53:20 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-10-28 16:11:53 3,584 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-09-14 22:53:20 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-10-28 16:11:53 114,688 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-09-14 22:53:19 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-10-28 16:11:53 16,384 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-09-14 22:53:19 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-10-28 16:11:53 30,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-09-14 22:53:20 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-10-28 16:11:53 22,528 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-09-14 22:53:19 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-10-28 16:11:52 45,056 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-09-14 22:53:19 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-10-28 16:11:52 90,112 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-10-28 14:26:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
+ 2008-10-28 14:26:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-20 679936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-06 140696]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ppcb_32.lnk - C:\Program Files\ppcbooster\ppcb_32.exe [2008-10-15 24576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 5632]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-06 152984]

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 20:31:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-28 20:34:19
ComboFix-quarantined-files.txt 2008-10-29 00:34:15
ComboFix2.txt 2008-10-28 14:44:10
ComboFix3.txt 2008-10-28 14:02:38
ComboFix4.txt 2008-10-25 15:51:52

Pre-Run: 27,577,524,224 bytes free
Post-Run: 27,578,134,528 bytes free

185 --- E O F --- 2008-10-24 07:01:12


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 29, 2008 00:04:12
Records in database: 1354891
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 40815
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:58:15


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\GetModule\GetModule25.exe.vir Infected: Trojan.Win32.Agent.akgc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g41.exe.vir Infected: Trojan-Clicker.Win32.Agent.bsu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gside.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ymu 1

The selected area was scanned.

Thanks
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm
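Added example, not from this thread and not HijackThis code: a small Python triage pass over the O2/O4/O23 lines of the HJT log above. It parses the three line types, pulls the loaded file out of each value (quoted path with switches, unquoted path with switches, or a rundll32 host line where the DLL is what matters) and reports every entry that is either not on an analyst allowlist or carries a warning sign HJT itself prints, such as "(file missing)" or "Unknown owner". The allowlist `KNOWN_GOOD`, the location heuristics and the choice of sample lines are assumptions constructed for the example; the code ranks what a reviewer has to look at, it does not decide what is malicious.

```python
"""Triage of HijackThis O2/O4/O23 entries against an analyst allowlist.

Added example; not part of the thread above and not HijackThis code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O2/O4/O23 lines from the HJT log
# posted above, copied verbatim (raw string because of the backslashes).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
"""

# Hypothetical allowlist of file names the analyst has already vetted on
# this machine; it grows with every reviewed log. Matching is by base name.
KNOWN_GOOD = {"jp2ssv.dll", "nvcpl.dll", "ashdisp.exe", "ssbkgdupdate.exe",
              "ctfmon.exe", "ashserv.exe"}
SYSTEM_ROOT = r"c:\windows"

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")
RE_O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.+)$")
RE_O4_STARTUP = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - "
                    r"(?P<cmd>.+?)(?P<missing> \(file missing\))?$")
# First token ending in an executable extension, followed by a separator or end.
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|cpl|scr|com))(?:[ ,]|$)", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    kind: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Extract the loaded file from an autostart value: quoted path plus
    arguments, unquoted path plus arguments, or a rundll32 host line where
    the DLL after rundll32.exe is the file of interest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    if not m:
        return cmd
    head, rest = m.group(1), cmd[m.end(1):].strip()
    if head.lower().endswith("rundll32.exe") and rest:
        return first_path(rest)
    return head


def location_reasons(path: str) -> list[str]:
    """Heuristics on where the file lives; each is a reason to look closer."""
    p = path.lower()
    out: list[str] = []
    if "\\" not in p:
        out.append("bare file name, resolved via PATH at logon")
    elif p.rsplit("\\", 1)[0] == SYSTEM_ROOT:
        # The ComboFix run above deleted C:\WINDOWS\bdtb3452.exe and
        # C:\WINDOWS\pptb1948.exe: droppers in the Windows root are common.
        out.append("loads from the Windows root directory")
    if "\\local settings\\temp\\" in p or "\\application data\\" in p:
        out.append("loads from a user profile or temp directory")
    return out


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per autostart entry that needs a human decision."""
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        reasons: list[str] = []
        if m := RE_O2.match(line):
            kind, name, path = "O2", m["name"], first_path(m["cmd"])
        elif m := RE_O4_RUN.match(line):
            kind, name, path = "O4", f"{m['hive']} Run [{m['name']}]", first_path(m["cmd"])
        elif m := RE_O4_STARTUP.match(line):
            kind, name, path = "O4", f"{m['scope']} {m['name']}", first_path(m["cmd"])
        elif m := RE_O23.match(line):
            kind, name, path = "O23", m["name"], first_path(m["cmd"])
            if m["missing"]:
                reasons.append("service binary missing (orphaned registration)")
            if m["vendor"].strip().lower() == "unknown owner":
                reasons.append("service has no vendor string")
        else:
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_GOOD:
            reasons.append("not on the vetted list")
            reasons.extend(location_reasons(path))
        if reasons:
            findings.append(Finding(n, kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>2} {f.kind:<3} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"        - {r}")
```

Run against the sample it reports four entries: nwiz.exe (a bare name that Windows resolves through PATH at logon; ComboFix's loading-points list shows where it actually resolved), C:\WINDOWS\UpdReg.EXE (unvetted and sitting in the Windows root), ppcb_32.exe (simply unvetted, the entry Bob4 addresses in his reply) and nvsvc32.exe (registered service whose binary is gone and whose owner string is empty). Anything the reviewer recognises goes into KNOWN_GOOD so the next log from the same machine is shorter.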

Re: constant pop ups and rcntotdl.exe virus

Unread postby Bob4 » October 29th, 2008, 7:04 am

This program.
C:\Program Files\ppcbooster
http://pc-booster-software-shareware.qarchive.org/
It looks as if this is a program to help sort out registry problems. If you didn't install it and no one else used this computer, I would uninstall it through Add/Remove Programs.
I am personally very leery of anything auto-fixing my registry. One mistake and it could be reformat time. :evil:

___________________________
Only if you do uninstall it, do this also.
Fix this line with HJT

O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe

Navigate to and remove if present:
C:\Program Files\ppcbooster
Just the folder listed above.


________________________________




Great news!

Your log now appears to be clean.

Lets do a few things to tidy up.
Please do these in the order I suggest!



________________________________
Go to start > run and copy and paste this in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the
system/hidden files and resets System Restore again.




________________________________
A few things to help with possible threats

These are optional . But will help protect you further.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.





___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here:
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.


Here's a site with great advice on how to AVOID malware. It's much easier to do than removing it.





Safe and Happy Surfing. :)
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: constant pop ups and rcntotdl.exe virus

Unread postby tequesta » October 29th, 2008, 7:59 am

:bounce: Thank you so much!!

This has inspired me to enroll in the university.
tequesta
Regular Member
 
Posts: 893
Joined: October 25th, 2008, 12:29 pm

Re: constant pop ups and rcntotdl.exe virus

Unread postby Gary R » October 29th, 2008, 6:31 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire