Old 03-26-2008, 04:45 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 27
OS: XP Home SP2


Unauthorized DLL Modifications...

I've recently noticed web pages on my computer do not load properly. They tend to half load and stick in certain places (like searches, for example), although you can still see the information in the bottom left corner saying "Transferring data from... etc". I'm using Firefox, but this happens in Internet Explorer too (both latest versions). I don't know if this is connected to the problem but it seems likely.

Yesterday I got a series of about 5 or 6 "Registry Modification Detected" windows from Lavasoft Ad-watch, asking me whether to allow or block the modification of the "Rundll32" file. I can't remember exactly what it said, but then after that it had something about "pxaxurky.dll" and "oaitufvh.dll". Stupidly, I allowed the first three of these windows, but blocked the rest. I had no installers running or anything that I would expect to provoke these modifications.

Today, my system has been quite cranky: the mouse movements are jerky at times, the web page problems are still there, and I also got an online poker game tab come up in Firefox. There have also been a few windows from Norton Antivirus claiming "A recent attack on your computer has been blocked", or something along those lines. I've just looked in my Norton Antivirus log from yesterday and found this: "Attempted Intrusion "HTTP Trojan Vundo Activity" from your machine against tamotua.com(82.98.235.152) was detected and blocked." I've also looked under the startup tab in the system config window and found these two DLLs again:

pxaxurky rundll32.exe "C:\WINDOWS\system32\pxaxurky.dll",b
oaitufvh Rundll32.exe "C:\WINDOWS\system32\oaitufvh.dll",s

I'm not entirely sure what's going on. I've tried putting those DLLs into Google and found nothing. They seem as though they're foreign to the Windows system32 folder. I've also tried searching for other instances of rundll32.exe on my computer and found nothing except the other one in the service pack folder. Help!
ezsteve is offline  
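A triage sketch for startup entries like the two quoted in the post above, added here as an example and not part of the original thread: it parses msconfig-style lines and lists the rundll32 entries that match several weak signals at once. The three signals and the threshold are assumptions chosen for illustration, not a Vundo signature, and the last two sample lines are constructed benign entries.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# First two lines: the startup entries quoted in the post.
# Last two lines: constructed benign entries, added for contrast.
STARTUP_LINES = r'''
pxaxurky rundll32.exe "C:\WINDOWS\system32\pxaxurky.dll",b
oaitufvh Rundll32.exe "C:\WINDOWS\system32\oaitufvh.dll",s
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
ctfmon C:\WINDOWS\system32\ctfmon.exe
'''

# <name> <host> ["]<dll path>["],<export>
ENTRY_RE = re.compile(
    r'^(?P<name>\S+)\s+(?P<host>\S+)\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)\s*$'
)

def parse_entry(line):
    """Return a dict for a rundll32 startup line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    if ntpath.basename(m["host"]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    dll = m["dll"].strip()
    stem = ntpath.splitext(ntpath.basename(dll))[0]
    return {"name": m["name"], "dll": dll, "stem": stem, "export": m["export"]}

def triage(entry):
    """Collect the weak signals (assumed heuristics) that apply to one entry."""
    reasons = []
    if ntpath.dirname(entry["dll"]).lower().endswith("\\system32"):
        reasons.append("DLL sits directly in system32")
    if entry["name"].lower() == entry["stem"].lower():
        reasons.append("startup name is just the DLL file name")
    if len(entry["export"]) <= 2:
        reasons.append("export name is one or two characters")
    return reasons

def suspicious_entries(text, threshold=3):
    """Return (name, reasons) for rundll32 entries matching >= threshold signals."""
    hits = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and len(triage(entry)) >= threshold:
            hits.append((entry["name"], triage(entry)))
    return hits

if __name__ == "__main__":
    for name, reasons in suspicious_entries(STARTUP_LINES):
        print(f"{name}: " + "; ".join(reasons))
```

A match is only a reason to look closer at the file (signer, version information, creation time), not a verdict.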
Old 03-26-2008, 07:04 AM   #2 (permalink)
Manager, Networking Forums
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 31,467
OS: XP-Pro, Vista, Linux


Blog Entries: 1
Re: Unauthorized DLL Modifications...

Well, that alone should raise red flags.

Please follow the instructions here (5 pages) and then post all the requested logs in a new thread here for the security analysts to look at. If you have any trouble running any of the scans, leave them and move on to the next.

The security forum is always busy, so please be patient and you will receive a reply as soon as possible. If you go to Thread Tools > Subscribe at the top of your new thread you will receive an email as soon as a reply is posted.

Microsoft MVP - Windows Desktop Experience
johnwill is offline  
Old 03-26-2008, 08:31 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 27
OS: XP Home SP2


Re: Unauthorized DLL Modifications...

Thanks, my browser is still playing up at the moment so I'll have to try and do the scan again later.
ezsteve is offline  
All times are GMT -7.


