2 files infected with win32:patched-kj that I can't fix

Ok so this has been going on for about a week now. I have two files that are infected with win32:patched-kj, they are c:\windows\system32\WININET.dll and c:\windows\system32\POWRPROF.dll. So far the virus seems to have not done anything except annoy me with the constant alerts. I am not able to fix them or move them to the chest because it tells me they are read only. I looked it up online and people were saying they are important files and it will mess up my pc if I delete them. I have no idea what to do so any help would be appreciated, thanks. :)
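Before deciding what to do with either DLL it is worth establishing whether the on-disk file really differs from a known-good copy. A Win32:Patched detection means the scanner believes a legitimate system file was modified in place, and the read-only attribute plus the fact that the DLL is mapped into running processes is why it cannot simply be moved to the chest. Windows File Protection on XP keeps copies of protected system files in %SystemRoot%\system32\dllcache, which gives a local reference to compare against. The script below is an added example, not code from this thread or from avast; it assumes Windows XP SP3 with PowerShell 2.0 installed and an intact dllcache, and the two file names are the ones from the post.

```powershell
# Added example, not from the thread. Assumes Windows XP SP3 with PowerShell 2.0
# and an intact Windows File Protection cache at %SystemRoot%\system32\dllcache.
$sys32    = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $sys32 'dllcache'
$files    = @('wininet.dll', 'powrprof.dll')   # the two files named in the post

function Get-Sha256Hex {
    param([string]$Path)
    # Open with FileShare ReadWrite: the DLL is mapped into running processes and
    # an exclusive open would fail with a sharing violation.
    $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $sha = [Security.Cryptography.SHA256]::Create()
        ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', ''
    } finally { $fs.Close() }
}

function Compare-ProtectedDll {
    param([string]$Name)
    $live  = Join-Path $sys32 $Name
    $cache = Join-Path $dllcache $Name
    $item  = Get-Item -LiteralPath $live
    $info  = New-Object PSObject -Property @{
        File         = $Name
        Version      = $item.VersionInfo.FileVersion
        Company      = $item.VersionInfo.CompanyName
        SizeBytes    = $item.Length
        ReadOnly     = $item.IsReadOnly
        LastWrite    = $item.LastWriteTime
        Sha256       = Get-Sha256Hex $live
        CacheSha256  = $null
        MatchesCache = 'no dllcache copy present'
    }
    if (Test-Path -LiteralPath $cache) {
        $info.CacheSha256  = Get-Sha256Hex $cache
        $info.MatchesCache = ($info.Sha256 -eq $info.CacheSha256)
    }
    $info
}

$results = $files | ForEach-Object { Compare-ProtectedDll $_ }
$results | Format-List File, Version, Company, SizeBytes, ReadOnly, LastWrite, Sha256, CacheSha256, MatchesCache

# A live hash that differs from the dllcache copy while the version string is
# the same confirms an in-place modification. Identical hashes are not proof of
# a clean file: a dropper can patch the dllcache copy as well, so the real
# reference is the same file version from a known-clean XP SP3 machine or the
# installation media.
```

The SHA-256 values it prints can be searched on VirusTotal before anything is uploaded, and they are what avast would want alongside a sample. Note that `Get-AuthenticodeSignature` is not a useful check here: XP system DLLs are catalog-signed rather than carrying an embedded signature, so PowerShell on XP reports them as NotSigned whether or not they have been tampered with; `sfc /scannow` is the catalog-aware check on that platform.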

Run HJT, choose scan and save log file. Copy/paste the log,

then download, install, update and run the following programs (quick scans). Copy/paste the log results.

http://filehippo.com/download_hijackthis/

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

Here are the results…

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:11 AM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
c:\progra~1\alwils~1\avast4\ashdisp.exe
c:\windows\soundman.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\ico.exe
c:\program files\common files\logitech\g-series software\lgdcore.exe
c:\program files\itunes\ituneshelper.exe
c:\program files\razer\deathadder\razerhid.exe
c:\windows\system32\FSRremoS.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\razer\deathadder\razerofa.exe
c:\program files\spybot - search & destroy\teatimer.exe
c:\program files\superantispyware\superantispyware.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49A0833E-A03B-4884-B303-3146008C3C07} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: rnwmok.dll gdayce.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


End of file - 6462 bytes

Malwarebytes Log
Malwarebytes' Anti-Malware 1.37
Database version: 2190
Windows 5.1.2600 Service Pack 3

6/13/2009 11:48:22 AM
mbam-log-2009-06-13 (11-48-22).txt

Scan type: Quick Scan
Objects scanned: 82585
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This is actually the log from the second time scanning. I accidentally restarted the computer while posting this so I lost the first one, where there were a few infected files. Superantispyware also came up with a few but after the restart it said I was clean of any infected files, but I couldn't figure out how to post the log. Do you think I should replace Spybot S&D with Superantispyware? It doesn't seem to be doing much.

To find the 1st scan:
Open MBAM, click on Logs, double click on the relevant scan, copy/paste the results.
Open SAS, click on Preferences, then Statistics/Logs, double click on the relevant scan, copy/paste the results.

Run HJT, choose "scan only", place a tick next to O20 - AppInit_DLLs: rnwmok.dll gdayce.dll, then choose "fix selected".

Go to VirusTotal http://www.virustotal.com/, click Browse,
navigate to c:\windows\system32\FSRremoS.EXE, upload FSRremoS.EXE, and post the results please.

Also run this web program; your Java is outdated:

http://secunia.com/vulnerability_scanning/online/
Update any outdated programs


An analysis of your HJT log shows the following problems :

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

O2 - BHO: (no name) - {49A0833E-A03B-4884-B303-3146008C3C07} - (no file)
Unknown application. Unnecessary (deactivated) entry that can be fixed.
In my research, I found no information about this entry. This makes this entry very suspicious.
This entry should be fixed.

O20 - AppInit_DLLs: rnwmok.dll gdayce.dll
In my research, no information was found about either of these 2 DLLs. This makes these 2 DLLs very suspicious. These DLLs load into memory when the user logs in, after which they stay in memory
until logoff. Very few legitimate programs use this entry. Most often it is used by trojans or aggressive browser hijackers.
This entry should be fixed.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

DkService.exe
Backgroundtask
Executive Software

PnkBstrA.exe
Suspicious task (we know why it is running, right?)
pnkbstra.exe

PnkBstrB.exe
Backgroundtask
PunkBuster Software Process

svchost.exe
System task
Microsoft Service Host Process

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

wuauclt.exe
System task
AutoUpdate Client

wscntfy.exe
System task
Microsoft Windows Security Center

Explorer.EXE
System task
Microsoft Windows Explorer

ashdisp.exe
Virusscan
Avast AntiVirus

soundman.exe
Driver
Realtek Avance Logic Inc

rundll32.exe
System task
Microsoft Rundll32

ico.exe
Application
Mouse Suite 98 Daemon

lgdcore.exe
Driver
Logitech G-Series Profiler

ituneshelper.exe
Backgroundtask
Apple Itunes

razerhid.exe
Driver
Mouse Driver

FSRremoS.EXE
Driver
IBM Mouse Suite

svchost.exe
System task
Microsoft Service Host Process

razerofa.exe
Backgroundtask
Razer OFA - On-the-Fly Sensitivity Adjustment

teatimer.exe
Anti Ad/Spyware software
Spybot S&D Realtime Scanner

superantispyware.exe
Anti Ad/Spyware software
SUPERAntiSpyware

iPodService.exe
Backgroundtask
Apple iTunes

hijackthis.exe
Application
Merijn Hijackthis
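The three findings above ("(no file)" orphan entries, the O20 AppInit_DLLs value and a service with no owner information) are mechanical enough to script, and it helps to run the same checks against the live registry rather than trusting a pasted log alone. The script below is an added example; it is not the log analyzer's code nor anything posted in this thread. The sample lines are copied from the HijackThis log above, and the live check assumes Windows XP, where there is no LoadAppInit_DLLs switch: any DLL named in AppInit_DLLs is loaded into every process that maps user32.dll, not only at logon, which is why the entry is such a common persistence point. It also flags O4 Run entries that give a bare executable name (such as SOUNDMAN.EXE or ICO.EXE), because those resolve through the search path and the file that actually runs should be matched against the running-process list.

```powershell
# Added example, not the analyzer's or the thread's code. The sample lines are
# copied from the HijackThis log posted above; the live check assumes Windows XP.
$sampleLog = @'
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {49A0833E-A03B-4884-B303-3146008C3C07} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: rnwmok.dll gdayce.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'@

function Get-HjtSuspects {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if (-not $line) { continue }
        if ($line -match '\(no file\)$') {
            New-Object PSObject -Property @{ Line = $line; Reason = 'orphaned entry: registered object has no file on disk' }
            continue
        }
        if ($line -match '^O20 - AppInit_DLLs:\s*(\S.*)$') {
            New-Object PSObject -Property @{ Line = $line; Reason = "AppInit_DLLs set: $($Matches[1]) is injected into every process that loads user32.dll" }
            continue
        }
        if ($line -match '^O23 - Service: .* - Unknown owner - ') {
            New-Object PSObject -Property @{ Line = $line; Reason = 'service binary has no company/version info; verify its hash' }
            continue
        }
        # Bare name (no drive letter or backslash) in a Run entry resolves via the search path
        if ($line -match '^O4 - .*\\Run: \[[^\]]+\] (\S+)' -and $Matches[1] -notmatch '[\\:]') {
            New-Object PSObject -Property @{ Line = $line; Reason = "bare executable $($Matches[1]) resolves via the search path; confirm which file actually runs" }
        }
    }
}

$suspects = Get-HjtSuspects ($sampleLog -split "`r?`n")
$suspects | Format-Table Reason, Line -AutoSize

# Live check of the same registry value on this machine.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey).AppInit_DLLs
if ($appInit) {
    foreach ($name in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
        # A bare name goes through the LoadLibrary search order; system32 is the usual location.
        $path = if ($name -match '[\\:]') { $name } else { Join-Path $env:SystemRoot "system32\$name" }
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path
            "{0}  {1} bytes  modified {2}  company '{3}'" -f $f.FullName, $f.Length, $f.LastWriteTime, $f.VersionInfo.CompanyName
        } else {
            "$name is listed in AppInit_DLLs but was not found at $path"
        }
    }
} else {
    'AppInit_DLLs is empty'
}
```

Fixing the O20 line in HijackThis only clears the registry value; the two DLL files stay on disk until they are quarantined or deleted, so locate them first, as above, and keep copies for VirusTotal and for avast before removing them.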


Upload both of the dlls in this entry to virustotal:
O20 - AppInit_DLLs: rnwmok.dll gdayce.dll

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page. If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a reference to this topic (give the URL) and "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.