RUNDLL32.EXE, TROJAN.VUNDO, TASK MANAGER
There are 6 instances of Rundll32 running and then there are none - this also applies to SVCHOST in the task manager. Yesterday I had the Trojan.Vundo, eventually I got rid of it but then it messed up my being able to access the Internet. I restored the line item from the Malwarebytes log and it let me back on the Internet. Still had the spyware/virus. Ran Malwarebytes and rid the PC of the Vundo spyware again. The multiple instances of Rundll32 and SVCHOST running in Task manager were back. The usage is anywhere from 60 to 100% constantly (as of right now).......even if I am doing nothing or on the IE. This seems to have only started since I downloaded IE8 and its updates.
I ran Combofix as per instructed by another "help" website I go to. What happens next?
Rundll32.exe, Svchost, Trojan.Vundo Trojan.Vundo and now what can make it run at 100% usage?
#2
Posted 06 February 2010 - 08:48 AM
Quote
I ran Combofix as per instructed by another "help" website I go to.
No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.
Was the Helper at the other website a trained expert who is in the process of helping you now?
Quote
There are 6 instances of Rundll32 running and then there are none - this also applies to SVCHOST in the task manager.
Most of the processes in Task Manager will be legitimate as shown in these links.
- List of common system processes found in XP's Task Manager
- Common system processes found in XP's Task Manager
- Top System Processes
RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules which too can be legitimate or sometimes malware related.
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.
svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.
Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.
Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.
There are several ways to investigate and see what services a Svchost.exe process is controlling:
- How to determine what services are running under a Svchost.exe process
- What Services are running in Windows XP
Tools to investigate running processes and gather additional information to identify them and resolve problems:
- AnVir TaskManager Free
- Process Explorer
- System Explorer
- ProcessHacker - (requires Microsoft .NET Framework 2.0 or above to use)
- Autoruns
- svchostViewer
If you have XP Pro, you can use Tasklist /SVC to view the list of services processes that are running in Svchost. The /SVC switch shows the list of active services in each process.
Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
Click OK or press Enter.
At the command prompt type: tasklist /svc >c:\taskList.txt
Press Enter.
Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: C:\taskList.txt
Click OK or press Enter to view the list of processes.
For help and syntax information, type the following command, and then press ENTER:
tasklist /?
Also see Syntax options and Tasklist Syntax.
You can also use the WMI command-line utility to view and list processes.
Press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
Click OK or press Enter.
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
Press Enter.
Then go to Start > Run... and in the Open dialog box, type: C:\ProcessList.txt
Press OK to view the details of all the processes.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
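An added example (not part of the original post): the path and spelling checks described in the reply above, applied to a process list in the fixed-width layout that the WMIC command writes. The sample rows, the example.dll name, the 0.85 similarity cutoff and the assumption that Windows is installed on C: are constructed for illustration; the cutoff extends the post's single scvhost.exe case to other near-miss spellings.

```python
import difflib
import ntpath
import re

LEGIT_DIR = r"c:\windows\system32"  # XP location from the post; assumes Windows on C:

# Constructed rows (not from a real machine): caption, command line, PID.
ROWS = [
    ("Caption", "CommandLine", "ProcessId"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "1048"),
    ("svchost.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe", "2212"),
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe", "2380"),
    ("rundll32.exe", r"rundll32.exe C:\WINDOWS\system32\example.dll,Start", "3104"),
    ("explorer.exe", r"C:\WINDOWS\Explorer.EXE", "1500"),
]
# Laid out the way WMIC writes it: header first, space-padded fixed-width columns.
SAMPLE = "\n".join(f"{c:<14}{cmd:<56}{pid:<11}" for c, cmd, pid in ROWS)


def parse_wmic(text):
    """Split the table using the column offsets of the header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [tuple(ln[a:b].strip() for a, b in bounds) for ln in lines[1:]]


def review(rows):
    """Return (pid, caption, reason) for rows that deserve a closer look."""
    findings = []
    for caption, cmdline, pid in rows:
        name = caption.lower()
        exe = re.match(r'"?(.+?\.exe)', cmdline, re.I)  # image path, quoted or not
        if name == "svchost.exe":
            # Same name as the system file, but is it running from the system folder?
            if exe and ntpath.dirname(exe.group(1)).lower() != LEGIT_DIR:
                findings.append((int(pid), caption, "svchost.exe outside system32"))
        elif difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            # Near-miss spelling such as scvhost.exe (0.85 is an assumed cutoff).
            findings.append((int(pid), caption, "name imitates svchost.exe"))
        elif name == "rundll32.exe":
            # rundll32 itself is legitimate; the DLL it was asked to load is the question.
            args = cmdline[exe.end():] if exe else cmdline
            findings.append((int(pid), caption, "check DLL: " + args.strip(' "')))
    return findings


if __name__ == "__main__":
    for finding in review(parse_wmic(SAMPLE)):
        print(finding)
```

To run it on a real capture, read C:\ProcessList.txt with encoding="utf-16", which is how WMIC normally writes the file, and pass the text to parse_wmic.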
