# Redirecting Issues - rundll32.exe and System Restore.

This is a discussion on Redirecting Issues - rundll32.exe and System Restore. within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Hi All, I suspect that my computer has recently been infected with a virus etc. Over the past several days

Hi Thomas,

Welcome to TSF.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested to by a helper.

-------
Quote:
 AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
 AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
The above indicates that you have two AntiVirus programs installed on your computer.

While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

Choose one to keep and uninstall the other via Add/Remove Programs.

------

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here

3. Double click on combofix.exe & follow the prompts.
Note: Windows Vista users will have to right-click on the file and select "Run as Administrator"

4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

08-15-2011, 12:43 AM #5 - Registered Member (Join Date: Aug 2011, Location: United Kingdom, Posts: 26, OS: Windows XP Home Edition SP3)

Hi Vick,

Thanks again for your time. I've followed your instructions and copied the filepath into the "field" box on the Virustotal page and sent the file yesterday afternoon. I didn't get any response back by midnight so I repeated the process and sent it again. I got a "splash" screen momentarily which said that it had been sent. I left it running all night but there was still no response back when I got up this morning. Have I done something wrong?

My computer doesn't appear to be redirecting me now and the "rundll32.exe" shutdown window is no longer there when I turn the computer off. The computer seems to be running OK, though a little slow with a bit of surging.

Thanks once again for your time and help Vick.

Kind Regards,
Thomas
Hi Thomas,

We are not quite done yet.

Virustotal shouldn't take very long. Approx 5-15mins depending on the file size.

Let's use another scanner this time:

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

There is a field to add the filepath under "Upload a file". Please browse to this filepath:

c:\windows\system32\MFC42ENUJ.dll

Then hit " Submit File"

The scan will take a while before the result comes up so please be patient.
If you get a message saying File has already been analysed: click Reanalyse file now
Once the result is out, copy and paste the link to the results page in your next reply.

--------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
 File::
 c:\program files\common files\ajusyje.bat
 c:\program files\common files\yrogymu.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

ComboFix may request an update; please allow it.
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

--------

Go to Start > Run and copy/paste the following into the Run box and click OK:

--------

 Go to Start > Run and copy/paste the following into the Run box and click OK:
08-15-2011, 05:23 PM #9 - Registered Member (Join Date: Aug 2011, Location: United Kingdom, Posts: 26, OS: Windows XP Home Edition SP3)

Hi Vick,

Sorry - initial panic over, the two files that I was referring to only appeared on the desktop after following your instructions regarding changing the settings for "hidden files and folders" and unchecking "hide file extensions for known file types". I was unsure as to whether or not the above should stay "unticked" after carrying out your last instructions for the jotti scan and Combofix scan, so I returned them to their original settings just in case. It was only then that I realised that they had disappeared and all went back to normal. They do reappear, but only if or when the settings are changed.

Sorry if I didn't explain the situation very well regarding the un-highlighted files, it was just that they remained dull in appearance compared to everything else on the desktop. Yes they can be opened, one is just an engineering diagnostic fuse chart and the other one just gives a message window explained in my last post.

I'm a bit puzzled too regarding the jotti zero scan result, but it does say if you hover the cursor over the file that it contains (67.0 KB). I have checked the file again for confirmation.

Please find attached the text file as requested.

Thanks again Vick,
Kind Regards,
Thomas

TEXT FILE
2011-08-15 14:22:32 . 2011-08-15 14:22:32 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-08-14 12:05:02 . 2011-08-14 12:05:02 550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-twpR32.sys.reg.dat
2011-08-14 12:05:02 . 2011-08-14 12:05:02 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-TDSSpqlt.sys.reg.dat
2011-08-14 12:04:45 . 2011-08-14 12:04:45 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-YeppStudioAgent.reg.dat
2011-08-14 11:49:42 . 2011-08-14 11:49:42 868 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.reg.dat
2011-08-14 11:49:28 . 2011-08-15 14:32:21 7,669 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-14 11:41:54 . 2011-08-15 14:21:22 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-10-23 12:48:51 . 2008-10-23 12:48:51 4,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2008-10-21 10:23:53 . 2008-10-21 10:23:53 16,479 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\ajusyje.bat.vir
2008-10-21 10:23:53 . 2008-10-21 10:23:53 12,979 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\yrogymu.exe.vir
2007-12-13 19:53:31 . 2008-10-15 13:25:00 61,224 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\THOMAS DAVIES\GoToAssistDownloadHelper.exe.vir
2006-11-19 04:41:37 . 2001-11-26 18:14:00 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rnaph.dll.vir
1998-01-12 08:00:00 . 1998-01-12 08:00:00 40,448 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\regobj.dll.vir
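The quarantine listing above has a fixed layout (created time, a dot, modified time, size, attribute string, path), and ComboFix files each quarantined item under C:\Qoobox\Quarantine\<drive letter>\<original path> with ".vir" appended, while registry exports go under Registry_backups. The Python below is an example added here, not code from the thread or from ComboFix: it parses such a listing into records, reconstructs where each quarantined file originally lived, and separates the registry backups from ComboFix's own bookkeeping files. The five sample lines are copied from the listing above; the Qoobox layout is read off those paths and the attribute string is kept as an opaque field.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: five entries copied from the ComboFix quarantine
# listing posted above ("created . modified size attrs path").
SAMPLE_LISTING = r"""
2011-08-15 14:22:32 . 2011-08-15 14:22:32 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-08-14 12:05:02 . 2011-08-14 12:05:02 550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-twpR32.sys.reg.dat
2011-08-14 11:49:28 . 2011-08-15 14:32:21 7,669 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-21 10:23:53 . 2008-10-21 10:23:53 16,479 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\ajusyje.bat.vir
2006-11-19 04:41:37 . 2001-11-26 18:14:00 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rnaph.dll.vir
"""

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
# Layout assumed from the listing: quarantined files keep their original
# directory tree under <root>\<drive letter>\ and gain a ".vir" suffix;
# registry exports live under <root>\Registry_backups\.
FILE_TREE_PREFIX = QUARANTINE_ROOT + "\\"
REGISTRY_BACKUPS = QUARANTINE_ROOT + r"\Registry_backups" + "\\"

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str   # ComboFix attribute string, kept opaque
    path: str    # where the item sits inside C:\Qoobox

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_registry_backup(self) -> bool:
        return self.path.startswith(REGISTRY_BACKUPS)

    @property
    def original_path(self) -> Optional[str]:
        """Where a quarantined file lived before ComboFix moved it, or None for
        ComboFix's own bookkeeping files and registry backups."""
        if not self.path.endswith(".vir") or not self.path.startswith(FILE_TREE_PREFIX):
            return None
        rest = self.path[len(FILE_TREE_PREFIX):-len(".vir")]  # e.g. C\WINDOWS\system32\rnaph.dll
        drive, _, tail = rest.partition("\\")
        if len(drive) != 1 or not drive.isalpha():
            return None
        return f"{drive}:\\{tail}"


def parse_listing(text: str) -> List[QuarantineEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        entries.append(QuarantineEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def quarantined_files(entries):
    """(original path, size) for every file ComboFix actually moved aside."""
    return [(e.original_path, e.size) for e in entries if e.original_path]


def registry_backups(entries):
    return [e.name for e in entries if e.is_registry_backup]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for path, size in quarantined_files(entries):
        print(f"{size:>8}  {path}")
    print("registry backups:", ", ".join(registry_backups(entries)))
```

The reconstructed original paths are what a responder wants when reading such a listing: they say which live locations were touched (here two items under Common Files and one DLL in system32) without having to mentally strip the Qoobox prefix and ".vir" suffix from each line.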
Hi Thomas,

Quote:
 Sorry - initial panic over
No more panic

------

I asked you to change the hidden-file setting because the file we were uploading had a hidden attribute, which means you can't see it unless you unhide it. So, that's the reason I asked you to unhide it. One way or the other, when we uninstall Combofix, it will automatically hide all files with hidden attributes.

------

About the Virustotal / jotti scan, it appears that the file is malware related and is thus blocking the scanner to avoid getting scanned. In other words, it is simply trying to escape from getting nailed.
We will remove the file shortly.

------

P2P - I see you have P2P software ( SoulSeek 157 NS 13e ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
References for the risk of these programs are here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

-------

Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (if they exist):

Viewpoint Media Player---Refer here
Ask Toolbar for Internet Explorer - Refer to here

-------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
https://www.techsupportforum.com/forums/f50/redirecting-issues-rundll32-exe-and-system-restore-594059.html#post3394497

Collect::
c:\windows\system32\MFC42ENUJ.dll
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
• Ensure you are connected to the internet and click OK on the message box.

08-16-2011, 12:57 PM #12 - Security Team Analyst (Join Date: Jan 2008, Location: Queensland, Australia, Posts: 1,479, OS: XP SP3)

Hi Thomas,

Let's use Revo Uninstaller to remove the Ask Toolbar.

Please download the 30-day trial version of Revo Uninstaller and save it to your desktop.
Double click on the saved file to install the program.
Double click the program to run it and it will list all the programs from Add/Remove Programs.
Select: Ask Toolbar for Internet Explorer
Click Uninstall and follow the prompts.
Remove all the left over files, folders and registry items.

Note: If you still can't uninstall, you may need to download the toolbar and then uninstall the program.

-------

The file that McAfee quarantined is from System Restore, where Windows keeps old system restore points. It won't infect your system unless you run a system restore. We shall delete it when we uninstall Combofix later.

--------

Next, we will need to run MBAM; it is a quick scanner which scans for active infection.

Please double click the Malwarebytes' Anti-Malware icon and launch the program.
Go to the Update tab, check for updates and download them.
Once the update is completed, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-------

I am still concerned about 2 files on your system.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code:
:filefind
*twpR64.sys*
*twpR32.dll*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
08-19-2011, 08:12 AM #17 - Registered Member (Join Date: Aug 2011, Location: United Kingdom, Posts: 26, OS: Windows XP Home Edition SP3)

Hi Vick,

The file: c:\documents and settings\thomas davies\local settings\Temp\WERecf9.dir00\appcompat.txt

I have searched everywhere manually to find the above file, but to no avail. I have also tried the computer's search facility but this also turns up no results. I have even searched the "ClickFree" backup drive, again no result.

Regarding the "Autorun" facility, I have followed your instructions, but unfortunately this doesn't appear to be able to fix the problem. I have also noticed that autorun does not work on the CD/DVD players either. It does appear that the autorun facility on everything is no longer working.

Please find below the links to the VirusTotal results:-
https://www.virustotal.com/file-scan/report.html?id=b4cfb1d61f6aecde499558ebb7b2026ff2bc66518fc39cac8875eaed9e4095bf-1313762594
https://www.virustotal.com/file-scan/report.html?id=bf0d3a16efcb25b80e0488353b3c3ddbaff6ba5689714637514ba5cc0af99188-1313762398

I am so sorry to be taking up so much of your time Vick, it really is very much appreciated.

Kind Regards,
Thomas
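Both report links above carry, in the id parameter, a 64-hex-digit SHA-256 of the uploaded file followed by a unix timestamp of the submission. That is the reason for the earlier instruction about the "File has already been analysed" message: the service identifies a sample by its content hash, so the same bytes uploaded again, or under a different name, land on the same report. The Python below is an example added here, not code from the thread or from VirusTotal: it pulls the hash and submission time out of such a link and shows the content-hash identity on a constructed byte string. The id layout is inferred from the two posted links (an assumption, not a documented contract), and the file body is invented.

```python
import hashlib
import re
from datetime import datetime, timezone
from typing import NamedTuple
from urllib.parse import parse_qs, urlsplit

# Layout inferred from the two links posted above (an assumption, not a
# documented VirusTotal contract): id=<sha256 hex>-<unix submission time>.
REPORT_ID_RE = re.compile(r"^(?P<sha256>[0-9a-f]{64})-(?P<ts>\d{9,10})$")


class ReportRef(NamedTuple):
    sha256: str
    submitted_at: datetime  # UTC, from the trailing unix timestamp


def parse_report_link(url: str) -> ReportRef:
    """Pull the sample hash and submission time out of a report link."""
    parts = urlsplit(url)
    if parts.hostname != "www.virustotal.com":
        raise ValueError(f"not a VirusTotal link: {url}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        raise ValueError(f"expected exactly one id parameter: {url}")
    m = REPORT_ID_RE.match(ids[0].lower())
    if m is None:
        raise ValueError(f"malformed report id: {ids[0]}")
    return ReportRef(m["sha256"], datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_same_sample(ref: ReportRef, data: bytes) -> bool:
    """True when these bytes are the sample a report describes. A hash-keyed
    service does not care about the file name or the upload time, so a
    renamed or re-uploaded copy is the same sample, not a new one."""
    return sha256_hex(data) == ref.sha256


def report_link_for(data: bytes, when: int) -> str:
    """Build a link in the same layout as the posted ones for a local file,
    so its hash can be compared with a report before uploading anything."""
    return f"https://www.virustotal.com/file-scan/report.html?id={sha256_hex(data)}-{when}"


# Constructed inputs: the first link from the post and an invented file body.
POSTED_LINK = ("https://www.virustotal.com/file-scan/report.html?id="
               "b4cfb1d61f6aecde499558ebb7b2026ff2bc66518fc39cac8875eaed9e4095bf-1313762594")
FAKE_SAMPLE = b"MZ" + b"\x00" * 2 + b"constructed bytes, not a real executable\n" * 8

if __name__ == "__main__":
    ref = parse_report_link(POSTED_LINK)
    print(ref.sha256, ref.submitted_at.isoformat())
    own = parse_report_link(report_link_for(FAKE_SAMPLE, 1313762594))
    print("copy under another name is the same sample:", is_same_sample(own, bytes(FAKE_SAMPLE)))
```

Hashing locally first is the practical habit this supports: compare the SHA-256 of the suspect file with the one in an existing report link before re-uploading, and treat a single changed byte (a repacked or patched variant) as a different sample that does need its own submission.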
Hi Thomas,

Nothing to be sorry about.

------

Regarding the autoplay, let me find another method. Otherwise, I might direct you to XP department.

------

Quote:
 DELIVERY MANAGER SERVICE. Error Signature.
 sZAppName: KService.exe  sZAppVer: 5.12.707.160  sZModName: KService.exe  sZModVer: 5.12.707.160  offset: 0021215a
 ERROR REPORT CONTENTS.
 C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\WERecf9.dir00\KService.exe.mdmp
 C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\WERecf9.dir00\appcompat.txt
Are you still having the problem above?
Do you get the error each time you turn the computer on?

I don't think the above issue is malware related, but let me consult my colleagues.

----

08-19-2011, 02:11 PM #19 - Security Team Analyst (Join Date: Jan 2008, Location: Queensland, Australia, Posts: 1,479, OS: XP SP3)

Hi Thomas,

Please follow the instructions below:

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code:
:filefind
*Iplayer*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
08-19-2011, 04:33 PM #20 - Registered Member (Join Date: Aug 2011, Location: United Kingdom, Posts: 26, OS: Windows XP Home Edition SP3)

Hi Vick,

Please find the results of the scan as requested.

Kind Regards,
Thomas

SystemLook 30.07.11 by jpshortstuff
Log created at 00:20 on 20/08/2011 by THOMAS DAVIES
Administrator - Elevation successful

========== filefind ==========

Searching for "*Iplayer*"
C:\Documents and Settings\THOMAS DAVIES\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\Local Store\iPlayer.log --a---- 5128 bytes [15:56 12/05/2009] [22:52 20/02/2010] F8EF67CF8DBDFFF26D354D11E819CA11
C:\Documents and Settings\THOMAS DAVIES\Favorites\BBC TV PROGRAMMES\BBC iPlayer - Home.url --a---- 232 bytes [15:00 07/03/2009] [22:51 15/07/2011] 61C67E91B84CDB9D0990EF81AFFE56B9
C:\Program Files\iTunes\iTunesMiniPlayer.dll --a---- 124200 bytes [14:33 07/03/2011] [14:33 07/03/2011] A2DA1222FA7C5D921CE34E691AF4E7BB
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll --a---- 134944 bytes [14:33 07/03/2011] [14:33 07/03/2011] 333B93558909FF4B5FC90A3F2658B604
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\da.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 0C376CAA03486C6C2F14AB96FFDF73E4
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\de.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 146F117576769A3A82FB326F71990F10
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:33 07/03/2011] [14:33 07/03/2011] 368B9D2A2DF8EA48BCCFE6D1CCA1B0EE
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en_GB.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] C813F5154936B3209FBE213843CDB108
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\es.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 5165D092DACEB334D481C45942143D4D
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\fi.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 999FBA1B44DC20E5C3B63517919D4F24
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\fr.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 79C52FBCFC386B7182AB56A525DB1E13
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\it.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 527AFF188755DA380DB8BB40BC11F98A
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\ja.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 5340796739B5DACB22FFAC5E49A76599
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\ko.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 7918FF23653E3F074605F1000710F7D0
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\nb.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 3C83DF1CF9018B2F645678020FEC8F22
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\nl.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 0C588D8D80E4373E37F333A323FF5249
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\pl.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 91C7E3DB854AD7915638CF02C15D2B90
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\pt.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] E3B24A64DF25CD6F59046DE44DA3A2A7
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\pt_PT.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 629B9B2A784BE83985280DEEBABB7B4B
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\ru.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 1C43A159D540158299C38C04FDB2A320
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\sv.lproj\iTunesMiniPlayerLocalized.dll --a---- 48928 bytes [14:34 07/03/2011] [14:34 07/03/2011] 565AAF775AB0375EB78146C280AF9AB1
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\zh_CN.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 666943705F5861911D9815EE2632E433
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\zh_TW.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 4D3C0D47EC77AB893492138DA6C5A580
-= EOF =-
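SystemLook's filefind output lists, per hit, the full path, an attribute string, the size, the created and modified times (day/month/year, as the "20/08/2011" in the log header shows) and an MD5. When a search like the *twpR32.dll* one earlier in the thread does return something, the helper's next questions are where the file sits, when it appeared and what its hash is. The Python below is an example added here, not code from the thread or from SystemLook: it parses that output so hits can be filtered by location and creation window and the MD5s collected for a bulk hash lookup. The header and four hit lines are copied from the log above with single spaces between fields, and the attribute string is treated as opaque rather than decoded.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: the header plus four hit lines copied from the
# SystemLook log above, with single spaces between fields.
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 00:20 on 20/08/2011 by THOMAS DAVIES
Administrator - Elevation successful
========== filefind ==========
Searching for "*Iplayer*"
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\da.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] 0C376CAA03486C6C2F14AB96FFDF73E4
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:33 07/03/2011] [14:33 07/03/2011] 368B9D2A2DF8EA48BCCFE6D1CCA1B0EE
C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en_GB.lproj\iTunesMiniPlayerLocalized.dll --a---- 48416 bytes [14:34 07/03/2011] [14:34 07/03/2011] C813F5154936B3209FBE213843CDB108
C:\Documents and Settings\THOMAS DAVIES\Favorites\BBC TV PROGRAMMES\BBC iPlayer - Home.url --a---- 232 bytes [15:00 07/03/2009] [22:51 15/07/2011] 61C67E91B84CDB9D0990EF81AFFE56B9
-= EOF =-
"""

# A hit line ends with "<attrs> <size> bytes [created] [modified] <md5>", so the
# path (which may itself contain spaces) is whatever precedes that tail.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<pattern>.+)"$')
STAMP_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints day/month/year


@dataclass
class FileHit:
    pattern: str      # the :filefind pattern this hit answered
    path: str
    attrs: str        # attribute flags, kept opaque
    size: int
    created: datetime
    modified: datetime
    md5: str


def parse_filefind(text: str) -> List[FileHit]:
    hits, pattern = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        s = SEARCH_RE.match(line)
        if s:
            pattern = s["pattern"]
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append(FileHit(
                pattern=pattern,
                path=m["path"],
                attrs=m["attrs"],
                size=int(m["size"]),
                created=datetime.strptime(m["created"], STAMP_FMT),
                modified=datetime.strptime(m["modified"], STAMP_FMT),
                md5=m["md5"].upper(),
            ))
    return hits


def hits_under(hits, root: str):
    """Paths below root, compared case-insensitively as Windows paths are."""
    prefix = root.rstrip("\\").lower() + "\\"
    return [h.path for h in hits if h.path.lower().startswith(prefix)]


def created_between(hits, start_iso: str, end_iso: str):
    """Paths created inside [start, end], given as ISO dates such as "2011-03-01"."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [h.path for h in hits if start <= h.created <= end]


def unique_hashes(hits):
    """Sorted, de-duplicated MD5s ready for a bulk reputation lookup."""
    return sorted({h.md5 for h in hits})


if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    print("user-profile hits:", hits_under(hits, r"C:\Documents and Settings"))
    print("created in March 2011:", len(created_between(hits, "2011-03-01", "2011-03-31T23:59")))
    print("hashes to look up:", unique_hashes(hits))
```

Splitting the hits this way is what makes a log like the one above quick to clear: the three DLLs share an install minute under Program Files and belong to iTunes, the single user-profile hit is a bookmark, and nothing was created in the window when the symptoms started, so none of the four MD5s needs more than a reputation check.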

