Status
Not open for further replies.
1 - 20 of 28 Posts

Registered, 348 Posts
Discussion Starter #1
I have a virus on my computer that seems to be named rundll32 in the taskbar. I have Norton AntiVirus 2002, fully updated (21/10/03 last update), and it can't find the virus. I have searched about this on the internet too, and found a couple of viruses that hide in the rundll32 file in the Windows folder. After checking my system with what the sites say, I don't have any of the known viruses.
I need help identifying the exact virus I have, or stopping it from turning on (removing rundll32.exe from the startup, if possible) and getting the original rundll32.exe file for Windows ME back.

If anyone can help plz try, as not even anti-virus sites have this virus listed on them.

Jamie.
 

Registered, 139 Posts
rundll32 is part of Windows! Don't mess with it! I don't know how it got on your taskbar, but you seem to have a problem. I don't think you have a virus.

I'll let someone else step in to help.
 

Registered, 348 Posts
Discussion Starter #3
I know that rundll32.exe is an important part of Windows, otherwise I would have just deleted it and finished with all this mess :p
 

ID10T Circuit replacement, 1,038 Posts
Run msconfig and look through the startup items. Find out what it is.

Go to http://www.f-secure.com and download the trial version of f-secure. If your problem is a virus, it will detect and remove or tell you how to remove it.
 

Registered, 348 Posts
Discussion Starter #5
Well I thought of msconfig already, nothing seems to be out of the normal on there. The only active stuff I don't know or don't want was some stupid update for RealPlayer.

The problem seems to be getting worse now, as I think I was hacked last night. Everything I had on the internet lost connection, even though the internet was still up, and the icon in the systray showed that it was still very active. Suddenly I couldn't open msconfig anymore. I tried to open msconfig and it closed; I did this 3 times and each time it closed after 2 seconds. At the same time my anti-virus paused the system to delete a virus (can't remember which one) so I did that, still couldn't use msconfig. 5 seconds later a second virus was detected, I deleted that one and then disconnected from the net. Suddenly msconfig works again.

I need help to fix this very soon, before this gets worse, plz plz help me!!

By the way, I have anti-virus on the PC so I don't need to download a trial version, and I have done a full scan on the system with NAV2002, Ad-Aware, McAfee online scanner, and NAV2003 from my other PC; all but Ad-Aware came up with nothing. Ad-Aware found 3 infected files (not sure if viruses or just ad stuff) all in the _restore\temp folder. After doing a little research I found it's safe to delete this folder, so I booted up in DOS and cleared the folder; not only have the 3 files gone, but I have now got an extra 4.20GB back on my PC :D
I have also tried to reduce the allowed space for System Restore, but it won't let me move the bar too low, so it will just build up in size again :( so I need help with this too.

Lol, I have been talking for a while now, but my PC has loads of problems; thanks to anyone who can help me.
 

Registered, 348 Posts
Discussion Starter #6
OK, I just did a HijackThis scan to see all my background apps and startups running on Windows, this is what I got:

Logfile of HijackThis v1.97.3
Scan saved at 2:23:25 PM, on 10/22/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM\STIMON.EXE
D:\WINDOWS\SYSTEM\INTERNAT.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\CNXDSLTB.EXE
D:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\WINDOWS\SYSTEM\MAPISVC32.EXE
D:\WINDOWS\SYSTEM\ICSMGR.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\TEAMSPEAK2_RC2\TEAMSPEAK.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] D:\Windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\Windows\taskmon.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] D:\Windows\SYSTEM\CnxDslTb.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mapisvc32] D:\WINDOWS\SYSTEM\MAPISVC32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCDRealtime] D:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "D:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: &Google Search - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://D:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Turbo Memory Charger (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Memory Charger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1057918649350
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

If anyone knows about this, can you help me find stuff that's not supposed to be in Windows startup, coz the only thing I know about the virus I got in rundll32.exe is that it turns on a startup.
 

ID10T Circuit replacement, 1,038 Posts
The Nvidia nView appears to be running your rundll32 for display properties.

I could be wrong, but I would recommend turning off System Restore if you have Windows ME. This will prevent the virus from coming back. (Can you look through the Norton log to see which virus was detected and removed?)
 

Registered, 348 Posts
Discussion Starter #8
Well System Restore is already off, as I know it needs to be off to delete some viruses.
The viruses I had last night were:

- C:\WINDOWS\marco!.scr
is infected with the W32.Opaserv.G.Worm virus
Couldn't repair so I pressed delete.
- C:\WINDOWS\speedy.scr
was infected with the W32.FunLove.4099 virus
Deleted that one too.
Both these viruses were detected at the same time as the other problems that seemed like I was being hacked.
 

Registered, 348 Posts
Discussion Starter #9
Oh, one thing I forgot to ask: can rundll32.exe be replaced with a copy from a different computer running the same Windows, or is the file unique to each computer?
If it can, is there anywhere I can download this file for my Windows (ME) and then replace the current one from DOS?
 

Registered, 348 Posts
Discussion Starter #11
As I said when I mentioned those 2 viruses, I have deleted them both already; there was no problem getting rid of them. The problem seems to be something hidden within the Windows rundll32.exe that can't be deleted.
 

Registered, 126 Posts
Just one thing more: read the instructions carefully; just removing the viruses is not good enough. There are normally registry changes and other things that may be altered when you have a virus land on your machine. Also it's best to run the anti-virus or the removal tool twice after any virus attack, using Safe Mode.

SuperCub
 

Registered, 348 Posts
Discussion Starter #13
The 2 viruses were deleted before they turned on; they were not found by scanning, they were found by auto-scan, meaning the moment they got to the computer the whole system was paused till I gave the command of what to do with the files, which was delete in this case. Anyway I have done another scan since then and all is clear.
 

ID10T Circuit replacement, 1,038 Posts
It is difficult to run an AV scan in safe mode.

From a clean computer, make a bootable floppy with CD-ROM drivers for your computer.

Before you start - delete all temp internet and temp files. (helps shorten the scanning time)

Download f-prot for dos from fsecure.
ftp://ftp.f-secure.com/anti-virus/free/

Scan the system from a cold boot, booting with the floppy. I recommend burning f-prot to CD and then using the files from the CD. (You could also use the bootable floppy to make a boot CD.)
At the command prompt change to the CD drive

type:
f-prot (or f_prot, depends on burner software) /hard /dumb /auto /disinf

Once this has removed the virus(es), reboot your computer. It is possible that the FunLove virus infected your rundll32.exe file. Not 100 percent sure on that, but it could've.

A DOS scan from a cold boot will be the most reliable method for virus removal.
 

Registered, 348 Posts
Discussion Starter #15
Well I have run a virus scan from my other computer that isn't infected and it won't find a virus on my computer. Also about what infected my rundll32.exe, I don't think it was that virus because I got that last night and the rundll32.exe has been infected for more than a week now. So far I have run NAV, Ad-Aware, McAfee, and a few more scanners on my computer, and I have run all of the same scanners from my other computer to scan over the network; nothing from any of them.
 

ID10T Circuit replacement, 1,038 Posts
Ok.

I don't have any more suggestions. I do know that if you have an active virus running in Windows, it can shut down or hide from an AV program.

I was simply suggesting that a cold boot with a clean floppy into a command prompt would eliminate the possibilities of a "stealth" type virus.

Good luck.
 

Registered, 348 Posts
Discussion Starter #17
Well I'll give it a try tonight.
Anyway, does no one know about the HijackThis report I posted before? I don't know what's Windows and what is not supposed to be there, can no one help me check it out?
 

Registered, 126 Posts
First, I do not agree that it is difficult to run AV software in Safe Mode. Norton will run a manual scan without any problem and this is the recommended way by Symantec when looking for most of the current viruses (not talking routine scans). Each tool that Symantec offers has different requirements and the instructions should be followed to the letter. I quote from the Symantec instructions: "If you continue to be reinfected with the W32.FunLove.4099 virus, you will have to restart Windows in Safe Mode to remove the virus." A cold reboot is the correct way to enter your Safe Mode for this purpose.

Back to your problem:

It does sound from what you say that you do not have a virus at this time, but just one other thing you could have a look at before you rule it out:

In Norton look inside Options, Norton AntiVirus, Manual Scan, Exclusions and see if you have any unusual files or folders that have been excluded. You could also look in the Auto-Protect Exclusions for the same thing.
SuperCub
 

Registered, 348 Posts
Discussion Starter #19
Well the only exclusions I have are 2 file types and the _restore/ folder; removed them both and will try to scan again. _restore is empty anyway, just deleted over 4GB of junk from it last night.
 

Registered, 5,955 Posts
Yep, you've got the Lovegate virus.


D:\WINDOWS\RUNDLL32.EXE
O4 - HKLM\..\Run: [mapisvc32] D:\WINDOWS\SYSTEM\MAPISVC32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab


The first O4 (MAPISVC32.exe) is still under investigation. I would fix it if this was my log, but I will leave that one up to you.

Open a HJT log and check all of these (that one at your discretion), then, with all browser and Explorer windows closed, tell HJT to fix it.

Reboot

Find the file D:\WINDOWS\RUNDLL32.EXE and delete it.

Post another HJT log so that we can make sure we got it all.
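As an added illustration (not code from anyone in this thread), here is a small Python parser for the O4 autostart lines of a HijackThis log like the one posted above. It separates the launched executable from its arguments and, for entries that run through rundll32.exe, reports the hosted DLL and export, since rundll32 itself is only the host and the DLL it loads is what needs vetting. The sample lines are copied from the log in this thread.

```python
import re

# Constructed sample input: O4 (registry Run key) lines copied from the
# HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mapisvc32] D:\WINDOWS\SYSTEM\MAPISVC32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# One O4 line reads: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def split_command(cmd):
    """Split a Run-key command into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()

def parse_o4(line):
    """Parse one O4 line into a dict, or return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    entry = {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
             "exe": exe, "args": args, "hosted_dll": None, "entry_point": None}
    # rundll32.exe is only a host: the code that really runs is the DLL (and the
    # export) named in its arguments, so record those separately.
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll, _, func = args.partition(",")
        entry["hosted_dll"], entry["entry_point"] = dll.strip(), func.strip()
    return entry

def effective_targets(log_text):
    """Map each autostart value name to the file that actually executes: the hosted DLL
    for rundll32 entries, the executable otherwise. A bare file name (no directory)
    means Windows locates it through the search path at logon."""
    targets = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            targets[entry["name"]] = entry["hosted_dll"] or entry["exe"]
    return targets
```

Run `effective_targets(SAMPLE_LOG)` to see that the two LoadPowerProfile and NVIEW entries resolve to DLLs rather than to rundll32.exe, while mapisvc32 resolves to a plain executable in the Windows system folder.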
 