RUNDLL32.EXE in task manager

9 replies to this topic

#1 louise123
Posted 10 December 2009 - 08:01 AM

I've read you shouldn't see rundll32.exe in the Task Manager processes, but I seem to. Could it be because I'm running several real-time malware checkers? It's there when I first log in and these are the only progs running. Is this normal or is it malware? I've run lots of scans and had trojans in the last few days and can't be sure they're gone.

#2 azfreetech
Posted 10 December 2009 - 01:25 PM

Here's what I found on rundll32.exe.

The Windows XP tool Tasklist can be used to determine what program modules are currently being executed by rundll32.exe. To create a list of running tasks, open a Command Prompt window and enter the following command:

tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt

This will create a text file rundll32.txt on the C: drive that lists the running modules. If you prefer a different location for the text file, modify the command accordingly. Also, to simply view the running tasks in the command window, omit the part of the command that does file redirection, >C:\rundll32.txt.

This should allow you to see which processes are using rundll32.exe.

DJ Digital Gem

I gave up on computers and now I just DJ!
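As an added example that is not part of this thread, the same check done in PowerShell: it lists every rundll32.exe instance together with the DLL named on its command line and its parent process, then flags an image or loaded module that lives outside System32/SysWOW64 (a rundll32.exe copy dropped in the root of C: would show up this way). It assumes Windows PowerShell 3.0 or later for Get-CimInstance; on older systems Get-WmiObject accepts the same arguments.

```powershell
# Added example (not from the thread): inspect every rundll32.exe instance.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance). Run elevated so the module
# lists of processes in other sessions are readable.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-InSystemDir {
    param([string]$Path)
    foreach ($dir in $systemDirs) {
        if ($Path -like "$dir\*") { return $true }
    }
    return $false
}

$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
if (-not $procs) { Write-Host 'No rundll32.exe instances running.'; return }

foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $flags = @()
    # rundll32.exe belongs in System32/SysWOW64; a copy anywhere else is suspect.
    if (-not (Test-InSystemDir $p.ExecutablePath)) { $flags += 'image outside system dir' }
    # A legitimate launch names the DLL (or .cpl) it is loading on the command line.
    if ($p.CommandLine -notmatch '\.dll|\.cpl') { $flags += 'no DLL on command line' }

    "`nPID {0}  parent {1} ({2})" -f $p.ProcessId, $p.ParentProcessId, $parent.Name
    "  image : $($p.ExecutablePath)"
    "  cmd   : $($p.CommandLine)"
    # Loaded modules, the same data tasklist /m shows; flag any outside system dirs.
    try {
        $mods = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules
        foreach ($m in $mods) {
            if (-not (Test-InSystemDir $m.FileName)) { $flags += "module $($m.FileName)" }
        }
    } catch {
        $flags += 'module list not readable (try an elevated prompt)'
    }
    if ($flags) { '  FLAGS : ' + ($flags -join '; ') } else { '  nothing unusual found' }
}
```

A flagged module from a program's own install folder (an antivirus shell extension, for instance) is normal; the command line and parent process are what tell a legitimate launch from an unexpected one.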

#3 louise123
Posted 11 December 2009 - 11:48 AM

What comes up is a list of maybe 30 .dll names. I've googled just about all of them and they all seem to be genuine files. I have just found a copy of rundll32 in my C: drive outside of all the usual folders. It had the normal .exe icon and wasn't just a page, and it said it had only been created yesterday!! I deleted it given the creation date and where it was, and it's had no detrimental effects I've noticed so far. Was I right to delete this? It sounds dodgy from the creation date. My scans keep coming up clean though. I need help to determine if I still have any hidden trojans/viruses; not sure how to find out??

#4 azfreetech
Posted 11 December 2009 - 08:54 PM

What scans have you already run and what, if anything, did they find?

#5 louise123
Posted 12 December 2009 - 08:55 AM

I've run quite a few scans: AVAST (which found something called win 32:jifas-cd, which I've googled and it seems is known elsewhere as alureon possibly, but my AVAST scan is now clean), Malwarebytes (which found a rootkit infection and rogue antimalware, 4 kinds, umm antiviruspro2009 among others), Spybot (which found another rogue antimalware package) and Superantispyware (which also found tracking cookies and rogue anti-malware). IOBIT 36 Security also found a file called richtx64.exe in the temp folder which I deleted manually. All my scans are now coming up clean but I'm still worried! Plus IOBIT Security asks me if I want to block ctfmon.exe moments after I've first logged on about every 4th or 5th time I boot up, but not every time, though I'm thinking this might be a false positive maybe, as it also asks me if I want to block some .exe files I know belong to superantispyware. All the things that were found were found quite a few days ago, before I found the rundll32.exe (normal exe application icon) in my C: drive.

Last week when I logged on, what I thought was Windows Defender came on and started saying you're infected with X, X and X, but then asked me to download virus software, which, thinking this was legit, I did! But having googled the exact message I was getting informing me of the infection, I now know this was a manifestation of an infection encouraging me to download stuff, so this is how I got infected. For a while none of my antimalware or virus packages would work, then AVAST managed to remove Jifas and then all the others started to work and found what I've listed above. This is why I'm now concerned they're maybe not working properly and that I must have hiding infections. Plus I have an odd file in my temp folder called IPADRSET.log which I'm worried could be someone hijacking my IP, as I've read if you've had alureon you might have to reset your DNS as it tries to steal data. How do I do this and make sure no one is hacking into my comp via DNS or IP address? Plus there are two folders called CFXFER_CASH and WPDNSE which are empty; keylogging perhaps? Then that strange rundll32.exe file in my C: drive, and the fact that sites I've been on say that your rundll32.exe file shouldn't be a page icon (I'm sceptical of that though, as all the comps we have show rundll32.exe as a page file, so clarification on that would be great; all the comps can't be infected, one is almost brand new).

Sorry that was long and I'm not more precise about exact names; I know that probably makes things so much harder. I just wish I had a way to work out if I'm infected! Any help is greatly appreciated because I'm losing days of my life just sitting trying to find a solution, thanks!

Edited by louise123, 12 December 2009 - 10:04 AM.


#6 azfreetech
Posted 12 December 2009 - 11:06 AM

Well there are a couple of things I can suggest here. First, update MBAM and SAS and run the scans. Post the logs in your next response.

You can explore the processes running on your computer with a free tool called Process Explorer. It would be particularly handy in your case because Process Explorer shows you information about which handles and DLLs processes have opened or loaded. You can get it HERE. More info on it:

"The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded."


The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.


There are also free network monitoring tools which can monitor your computer's connection to the internet. I use Networx, which is a free utility. It doesn't show you ports or programs, but if something is connecting to the internet you will be able to see the traffic using this tool.

Edited by azfreetech, 12 December 2009 - 11:28 AM.


#7 louise123
Posted 12 December 2009 - 06:35 PM

Hi

My first Malwarebytes scan, run on the 8th Dec, came up with the following. It found a rootkit; I think that AVAST also deleted files with h8srt at the start, so I'm assuming that was part of the same infection:

Malwarebytes' Anti-Malware 1.42
Database version: 3322
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/12/2009 18:39:19
mbam-log-2009-12-08 (18-39-19).txt

Scan type: Quick Scan
Objects scanned: 116093
Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\h8srtcfg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuxvknqjibc.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.


I then ran another 5 scans over the last few days which all came back clear, apart from the one I ran tonight, which found the rootkit again, so I'm very confused as I've definitely not been on any dodgy sites and have hardly been on Google in the last week:

Malwarebytes' Anti-Malware 1.42
Database version: 3350
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2009 20:49:44
mbam-log-2009-12-12 (20-49-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 185886
Time elapsed: 56 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



My latest SAS scan tonight was clean apart from a tracking cookie. My original one with infections on it is below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2009 at 10:22 PM

Application Version : 4.31.1000

Core Rules Database Version : 4352
Trace Rules Database Version: 2199

Scan type : Complete Scan
Total Scan Time : 01:36:27

Memory items scanned : 680
Memory threats detected : 0
Registry items scanned : 6124
Registry threats detected : 0
File items scanned : 90602
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@collective-media[1].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@2o7[1].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@content.yieldmanager[3].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@chitika[2].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@ad.yieldmanager[1].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@content.yieldmanager[2].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@westwickfarrow.122.2o7[1].txt
C:\Documents and Settings\Lisa Monkhouse\Cookies\lisa_monkhouse@ads.techguy[2].txt

Rogue.SmartProtector
C:\WINDOWS\system32\srcr.dat



rundll32.exe still seems to be in my processes. AVAST did find another virus last week though, win32jifas-cd, and there were, as I mentioned, other antimalware progs found. I'll download the process package you mentioned and get back to you with what it finds, and also the network package you mention.

Edited by louise123, 12 December 2009 - 06:37 PM.


#8 xblindx
Posted 12 December 2009 - 08:26 PM

I am just going to chime in and say that the infection that MBAM found (the TDSS rootkit) is a very nasty infection that will probably require a post in the HijackThis area of the forums.

#9 louise123
Posted 13 December 2009 - 05:23 AM

Should I post a HijackThis log, and if so where? I'm getting scared now that I'm being hacked; I online bank on here and all manner of stuff (can't remember half of what I do, though I've not done anything since I realised I was infected, bar logging on here).

Sorry to be an idiot, but I also don't know how to use Process Explorer. It downloads as a zip file; what do I do from there??

Also, I have no idea what any of networx means, can you help me interpret it?

Edited by louise123, 13 December 2009 - 05:38 AM.


#10 xblindx
Posted 13 December 2009 - 08:43 AM

To use Process Explorer, right-click on the ZIP file and choose "Extract" or something to that nature (it will be different depending on which unzipping software you use), then open the new folder that appears and run Process Explorer.

Edited by xblindx, 13 December 2009 - 08:44 AM.