
rundll32.exe : errors on shutdown, possibly infected/trojan/virus etc.


  • Please log in to reply
2 replies to this topic

#1 mbux

  • Members
  • 2 posts

Posted 15 March 2009 - 03:10 PM

Hello and thanks in advance. I apologize if my post is messy or hard to understand, but I am new to this type of troubleshooting.

Recently I have been getting pop-under windows while browsing the web, which I thought was strange because it never happened before. I suspected I had been infected with spyware or something so I ran an ad-aware scan and nothing came up.

When I shut down my computer I noticed I was getting an error regarding rundll32.exe. So I did a quick Google on rundll32.exe and read a few things saying it could be a problem because the real rundll32 has a capital R (Rundll32.exe). This led me to believe it could be a source of the problem, so I searched some more and came across this page on this site
http://www.bleepingcomputer.com/forums/lof...hp/t204827.html

I followed the instructions in that thread and scanned with Malwarebytes, which gave me about 30 infections. Yikes! So I removed them all and for now everything seems to be working fine, but I am still worried, naturally. My rundll32.exe inside C:\windows\system32 has a page icon, which I read is not supposed to be the case.

Anyway, here is the Malwarebytes log, and if anyone has some more information about rundll32 intrusions and such I would appreciate it. As in, how do I tell if it is okay now?

Malwarebytes' Anti-Malware 1.34
Database version: 1852
Windows 5.1.2600 Service Pack 3

3/15/2009 2:58:52 PM
mbam-log-2009-03-15 (14-58-51).txt

Scan type: Quick Scan
Objects scanned: 59546
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sosazeri.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duhavevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\royomuya.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\yasatuji.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cispxs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\duhifiho.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12063faf-45fb-4ea8-800d-115cf036739f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12063faf-45fb-4ea8-800d-115cf036739f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26720680-3218-407f-aa67-362a5ebfb7e0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{26720680-3218-407f-aa67-362a5ebfb7e0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{26720680-3218-407f-aa67-362a5ebfb7e0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12063faf-45fb-4ea8-800d-115cf036739f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2070e00b (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gebogawuya (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2343d397 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sosazeri.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sosazeri.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sosazeri.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yasatuji.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yasatuji.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cispxs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duhifiho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ohifihud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\royomuya.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\yasatuji.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duhavevo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sosazeri.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pegihoza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kitehevu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


#2 DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 March 2009 - 03:47 PM

After the required reboot to finish cleaning, run another quick scan, but run ATF Cleaner first.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Chewy

No. Try not. Do... or do not. There is no try.

#3 mbux

  • Topic Starter

  • Members
  • 2 posts

Posted 15 March 2009 - 09:07 PM

OK, ran ATF Cleaner, rescanned with Malwarebytes and nothing came up.

I am still concerned for my computer though, mostly because of what my rundll32 looks like. It matches the exact description given as a virus on this site http://recherche21.wordpress.com/2008/07/1...ng-rundll32exe/. It has a page icon and is 32.5 KB, which both are apparently not the norm. Could it possibly have been changed or edited?

Also, if it is not too much to ask, if anyone could let me know how I might have been infected and what are some things I can do so it doesn't happen again, I would appreciate it. This computer is just a netbook, so I am not looking to put a bunch of large programs on it, but I guess if I am getting infected like this some better anti-virus is needed? I run Firefox and have an expired McAfee SecurityCenter firewall on. How much is needed to be safe?
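The two questions the thread keeps coming back to are "how do I tell if rundll32.exe is okay" and "is anything still hooked in after the Malwarebytes cleanup". The Malwarebytes log in post #1 names exactly which persistence points Vundo used on this machine: AppInit_DLLs, the LSA Notification Packages list, Run keys, Browser Helper Objects, SharedTaskScheduler, ShellServiceObjectDelayLoad, and the Security Center DisableNotify flags. The script below is an added example, not code from this thread, from BleepingComputer, or from Malwarebytes. It is a read-only audit of those same locations plus an Authenticode check on rundll32.exe. It assumes Windows PowerShell 4.0 or later on Windows 8 or later (so that catalog-signed OS binaries report as Valid and Get-FileHash-era cmdlets exist; the XP netbook in the thread predates this) and an elevated prompt. The "scecli" default for the LSA list is an assumption of a stock client install; everything the script prints is something to look at, not an automatic verdict.

```powershell
# Added example, not from the thread: read-only audit of the persistence points the
# Malwarebytes log reported, plus a signature check on rundll32.exe.
# Assumes Windows PowerShell 4.0+ on Windows 8+ and an elevated prompt.

function Get-SignerSummary {
    # Returns 'Valid (<signer subject>)' for a good signature, otherwise the status text.
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $full)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return [string]$sig.Status
}

function Get-ComServerPath {
    # Resolves a CLSID to its in-process server DLL, or $null if it is not registered.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) { return (Get-ItemProperty -LiteralPath $key).'(default)' }
    return $null
}

function Get-RegistryValues {
    # Yields the Name/Value properties of a key, skipping PowerShell's PS* metadata.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

$report = @()

# 1. rundll32.exe: NTFS is case-insensitive, so "rundll32" vs "Rundll32" proves nothing,
#    and the icon is cosmetic. A valid Microsoft signature on the system32 copy is the test.
$rundll = Join-Path $env:SystemRoot 'system32\rundll32.exe'
$report += "rundll32.exe: $(Get-SignerSummary $rundll), $((Get-Item -LiteralPath $rundll).Length) bytes"

# 2. AppInit_DLLs: loaded into every process that links user32.dll; empty on a clean system.
$winNt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $winNt -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $report += "AppInit_DLLs is set: '$appInit' (expected empty)" }

# 3. LSA Notification Packages: DLLs lsass.exe loads at boot and calls on password changes.
#    Assumption: 'scecli' is the only stock entry; report anything else.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pkgs = @((Get-ItemProperty -LiteralPath $lsaKey -ErrorAction SilentlyContinue).'Notification Packages')
foreach ($pkg in $pkgs) {
    if ($pkg -and $pkg -ne 'scecli') { $report += "LSA Notification Package: $pkg (not the default scecli)" }
}

# 4. Run keys: each value is a program started at logon; show who signed it.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    foreach ($v in Get-RegistryValues $runKey) {
        $cmd = [string]$v.Value
        # Executable is the quoted token or the first space-delimited token
        # (an unquoted path containing spaces will show as 'file missing': inspect it by hand).
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $report += "Run ($hive) $($v.Name): $cmd -> $(Get-SignerSummary $exe)"
    }
}

# 5. COM-based shell/IE extension points. BHOs are subkeys named by CLSID; in
#    SharedTaskScheduler the CLSID is the value name; in SSODL it is the value data.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$comEntries = @()
if (Test-Path -LiteralPath "$explorer\Browser Helper Objects") {
    foreach ($sub in Get-ChildItem -LiteralPath "$explorer\Browser Helper Objects") {
        $comEntries += ,@('BHO', $sub.PSChildName)
    }
}
foreach ($v in Get-RegistryValues "$explorer\SharedTaskScheduler") { $comEntries += ,@('SharedTaskScheduler', $v.Name) }
foreach ($v in Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad') {
    $comEntries += ,@('SSODL', [string]$v.Value)
}
foreach ($entry in $comEntries) {
    $where, $clsid = $entry
    $dll = Get-ComServerPath $clsid
    $status = if ($dll) { "$dll -> $(Get-SignerSummary $dll)" } else { 'CLSID not registered' }
    $report += "$where $clsid : $status"
}

# 6. Security Center notify flags (the XP-era key from the log): 1 suppresses the
#    "antivirus/firewall/updates are off" warnings, which is why Vundo set them.
$sc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($flag in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc.$flag -eq 1) { $report += "Security Center\$flag = 1 (0 is normal)" }
}

$report
```

Read the output the way the log in post #1 reads: a non-empty AppInit_DLLs, an extra LSA package, an unsigned DLL behind a BHO or SSODL CLSID, or a Run value pointing at a randomly named DLL in system32 is the same pattern Malwarebytes flagged, and a "Valid (CN=Microsoft Windows, ...)" line for rundll32.exe answers the icon-and-size worry in post #3 better than either of those properties can.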