
rundll32 and userinit at startup


12 replies to this topic

#1 Nelva

Posted 17 January 2011 - 01:57 AM

Hello.
I suspected my PC got infected because my browser would send me to random sites I wasn't trying to go to.
I did a system restore and it didn't help, then I reinstalled Windows and got a rundll32 error.
Also I found 2 new entries in my startup that I didn't have before. Copying from Windows Defender:
The first one is

File Name: Rundll32.exe
Display Name: Microsoft Windows host process (Rundll32)
Description: Windows host process (Rundll32)
Publisher: Microsoft Corporation
Digitally Signed By: Microsoft Windows Verification PCA
File Type: Application
Startup Value: Rundll32 SPIRunE.dll,RunDLLEntry
File Path: C:\Windows\system32\Rundll32.exe
File Size: 44544
File Version: 6.0.6000.16386 (vista_rtm.061101-2205)
Date Installed: 11/2/2006 12:48:33 AM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Permitted
Ships with Operating System: Yes


The second one:

File Name: userinit.exe
Display Name: Microsoft Userinit Logon Application
Description: Userinit Logon Application
Publisher: Microsoft Corporation
Digitally Signed By: Microsoft Windows Verification PCA
File Type: Application
File Path: C:\Windows\system32\userinit.exe
File Size: 25088
File Version: 6.0.6000.16386 (vista_rtm.061101-2205)
Date Installed: 1/20/2008 6:24:49 PM
Startup Type: Registry: Local Machine
Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\userinit
Classification: Permitted
Ships with Operating System: Yes

As I learned they should not be in my startup, but I ran a Windows Defender scan for viruses and then the DrWeb free version, and they found nothing.
However, Spybot Search&Destroy shows me entries in cookies that must be removed, every time I run it. I remove them and on the next scan they are back there.

What should I do to get help here, please?

Edited by boopme, 18 January 2011 - 12:30 PM.




#2 Nelva


Posted 17 January 2011 - 02:55 PM

Is my topic in the wrong section of the forum? Because even after I reinstalled Windows Vista I still have problems. Probably the virus overwrites the files on disk D where the Windows distribution is stored. How can I find out if that is so, and is there a cure for it at all? What scans do I have to run to present logs here?

Did an MBAM scan this morning:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5541

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

1/17/2011 11:21:36 AM
mbam-log-2011-01-17 (11-21-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 292393
Time elapsed: 41 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Nelva, 17 January 2011 - 02:57 PM.


#3 boopme


Posted 17 January 2011 - 03:26 PM

This may well be an MBR (Master Boot Record) rootkit.

To check for and confirm the MBR rootkit,

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Nelva


Posted 17 January 2011 - 03:34 PM

Thank you for your reply.
Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: ST375063 rev.HP21 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#5 boopme


Posted 17 January 2011 - 03:47 PM

Ok, it's not that. RunDLL32.exe is a legit Windows file that loads .dll files, which too can be legit or malware related.

What was the exact error you received?

#6 Nelva


Posted 17 January 2011 - 04:01 PM

The first sign of infection was redirection to the wrong sites after clicking links on Google or Yahoo search. I reinstalled Windows, and the first time I logged in I got a pop-up message which said "rundll32 stopped working" (I'm not sure about the wording). I do not have this pop-up message now. But the Windows appearance does not look like it did before under Windows Vista basic mode. When I press Start, the right side of the pop-up menu is black. Also Spybot Search&Destroy finds the same tracking cookies every scan.


Following your link for Rundll32.exe I made a log:

Image Name PID Modules
========================= ======== ============================================
rundll32.exe 2636 ntdll.dll, kernel32.dll, USER32.dll,
GDI32.dll, ADVAPI32.dll, RPCRT4.dll,
msvcrt.dll, imagehlp.dll, ShimEng.dll,
apphelp.dll, AcLayers.DLL, SHELL32.dll,
SHLWAPI.dll, ole32.dll, OLEAUT32.dll,
USERENV.dll, Secur32.dll, WINSPOOL.DRV,
MPR.dll, IMM32.DLL, MSCTF.dll, LPK.DLL,
USP10.dll, comctl32.dll, SPIRunE.dll,
uxtheme.dll, CLBCatQ.DLL, MMDevApi.dll,
WTSAPI32.dll, WINSTA.dll, CmdRtr.dll,
APOMngr.dll, OemSpiE.dll, WINMM.dll,
OLEACC.dll, SHFOLDER.dll, audioses.dll,
audioeng.dll, PSAPI.DLL, AVRT.dll,
CTAPO32.dll, IPHLPAPI.DLL, dhcpcsvc.DLL,
DNSAPI.dll, WS2_32.dll, NSI.dll,
WINNSI.DLL, dhcpcsvc6.DLL, SETUPAPI.dll,
WINTRUST.dll, CRYPT32.dll, MSASN1.dll,
auCOLPwd.dll

Edited by Nelva, 17 January 2011 - 04:13 PM.
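The module list above shows what this rundll32.exe instance has loaded, but it does not say whether SPIRunE.dll is trustworthy. As boopme points out, rundll32.exe itself is always a signed Microsoft file, so the "Digitally Signed By" line in the Defender listing only vouches for the host process, never for the DLL named in the Startup Value, and the same listing shows the Winlogon Userinit value without telling you whether anything has been appended to it. The following PowerShell is an added example of my own, not code from anyone in this thread or from BleepingComputer. It reads the same two registry locations Defender reported, resolves the DLL argument of every rundll32 Run entry roughly the way the loader would, checks that DLL's Authenticode signature, and flags any entry in the Userinit value other than the operating system's own userinit.exe. The function names and the search-path order are assumptions I made for the example; it runs as a normal user on PowerShell 2.0 or later and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the two autostart
# locations reported by Windows Defender above. Runs as a normal user on
# Vista and later (PowerShell 2.0+); nothing is modified.

function Resolve-RundllTarget {
    # Parse a Run value such as 'Rundll32 SPIRunE.dll,RunDLLEntry' and locate
    # the DLL roughly the way LoadLibrary would for rundll32.exe: an explicit
    # path is used as-is, otherwise System32, then the Windows directory, then
    # each PATH directory (assumed order). Returns $null when the value does not
    # invoke rundll32 and 'UNRESOLVED: <name>' when the DLL is not on disk.
    param([string]$Command)
    $pattern = '(?i)^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,'
    if ($Command -notmatch $pattern) { return $null }
    $dll = $Matches[1].Trim()
    if ([System.IO.Path]::IsPathRooted($dll)) {
        $candidates = @($dll)
    } else {
        $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')
        $candidates = foreach ($d in $dirs) { if ($d) { Join-Path $d $dll } }
    }
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c) { return (Get-Item -LiteralPath $c).FullName }
    }
    return "UNRESOLVED: $dll"
}

function Get-SignatureSummary {
    # Authenticode verdict for one file. The Defender listing above only gave
    # this for rundll32.exe itself, never for the DLL it is told to load.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return "Valid, signed by $($sig.SignerCertificate.Subject)"
}

function Test-AutostartEntries {
    $findings = @()

    # 1. HKLM\...\Run: for rundll32 entries the DLL argument is what matters.
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # PSPath/PSChildName/... metadata
        $target = Resolve-RundllTarget -Command ([string]$prop.Value)
        if ($target -eq $null) { continue }               # not a rundll32 entry
        if ($target -like 'UNRESOLVED:*') { $verdict = 'DLL not found on disk' }
        else { $verdict = Get-SignatureSummary -Path $target }
        $findings += New-Object PSObject -Property @{
            Location = "Run\$($prop.Name)"; Target = $target; Verdict = $verdict }
    }

    # 2. Winlogon\Userinit: normally exactly one entry, the OS userinit.exe,
    #    followed by a trailing comma. Persistence here appends a second path
    #    after that comma, so every entry other than the expected one is flagged.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $value = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
    $entries = @($value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    foreach ($e in $entries) {
        if ($e -ieq $expected) { $verdict = Get-SignatureSummary -Path $e }
        else { $verdict = 'UNEXPECTED extra Userinit entry' }
        $findings += New-Object PSObject -Property @{
            Location = 'Winlogon\Userinit'; Target = $e; Verdict = $verdict }
    }
    return $findings
}

Test-AutostartEntries | Format-Table Location, Target, Verdict -AutoSize
```

A "Valid, signed by" verdict from a vendor you recognise is the expected outcome for an OEM audio or chipset component; "signature NotSigned", "DLL not found on disk" or a second Userinit entry is what would justify reopening the malware question. Note that SPIRunE.dll is given in the Run value without a path, so the loader's search order decides which file actually gets loaded; that is why the script reports the full path it resolved rather than the bare name.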


#7 boopme


Posted 18 January 2011 - 12:29 PM

Hello, sorry, I was out of town yesterday. I think I am moving this to the Vista forum so they can have a look, as I do not feel this is a malware issue.

#8 Allan


Posted 18 January 2011 - 12:33 PM

You say you reinstalled Vista. Did you do a clean install (format and reinstall from scratch)? If so, did you then install the chipset driver followed by all other appropriate drivers?

#9 Nelva


Posted 18 January 2011 - 04:37 PM

Hello. I believe I did an installation back to factory settings, without saving or backing up my files. Before the reinstallation I went to System Utilities and chose Load Setup Defaults.

Edited by Nelva, 18 January 2011 - 04:38 PM.


#10 Nelva


Posted 18 January 2011 - 06:42 PM

I'm not sure about drivers and chipsets. I'm not very familiar with it. If you can give me full instructions, I can try to reinstall Vista again.

#11 boopme


Posted 18 January 2011 - 08:40 PM

If you don't mind I'll add this ..
Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. .html or .htm files that are webpages should also be avoided.


If you're not sure how to reformat or need help with reformatting, please review:
Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning ask here and they will help you along.
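The two rules above are easy to state and easy to get wrong by hand, because the warning about hidden extensions means the name Explorer shows is not the name that decides whether a file runs. The following PowerShell is an added example of my own, not code from boopme or BleepingComputer, that applies both rules mechanically: it walks a folder, classifies each file by its real (last) extension, separately flags names like photo.jpg.exe whose visible part looks like a data file, and warns when Explorer's "hide extensions for known file types" setting is on. The extension lists, the function names and the starting folder are illustrative assumptions; extend the lists to match what you actually keep.

```powershell
# Added example (not from the thread): classify files for backup by their
# real extension, following the two rules above. Read-only; copies nothing.

$BlockedExtensions = @('.exe', '.scr', '.htm', '.html', '.xml', '.zip', '.rar')          # rule 2
$DataExtensions    = @('.doc', '.docx', '.txt', '.mp3', '.jpg', '.jpeg', '.png', '.pdf')  # rule 1 (illustrative)

function Test-ExtensionsHidden {
    # Explorer hides known extensions when HideFileExt is 1 (the default), which
    # is what lets 'photo.jpg.exe' display as 'photo.jpg'.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    return ($adv -ne $null -and $adv.HideFileExt -eq 1)
}

function Get-BackupDecision {
    # Decide for one file name. The last extension is the one Windows acts on;
    # the one before it is only used to spot a disguised executable.
    param([string]$Name)
    $ext   = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $inner = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($Name)).ToLowerInvariant()
    if ($BlockedExtensions -contains $ext) {
        if ($inner -and ($DataExtensions -contains $inner)) {
            return 'SKIP: double extension, looks like a disguised executable'
        }
        return 'SKIP: executable, web or archive file (rule 2)'
    }
    if ($DataExtensions -contains $ext) { return 'BACKUP (rule 1)' }
    return 'REVIEW: unfamiliar type'
}

function Get-BackupCandidates {
    # -Force includes hidden files, since malware also hides files outright.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Decision = Get-BackupDecision -Name $_.Name
                Path     = $_.FullName
            }
        }
}

if (Test-ExtensionsHidden) {
    Write-Warning 'Explorer is hiding known extensions; the decisions below use the real extension.'
}
# Starting folder is an assumption; point it at whatever you intend to back up.
Get-BackupCandidates -Root "$env:USERPROFILE" | Sort-Object Decision, Path | Format-Table Decision, Path -AutoSize
```

Anything marked REVIEW is a type the lists do not cover and needs a human decision; anything marked SKIP with "double extension" deserves a closer look before the reformat, because a data file does not normally end in .exe or .scr however it is displayed.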

#12 Nelva


Posted 19 January 2011 - 11:36 AM

Thank you boopme.
Before reinstalling Windows following your instructions, I would like to know if there is any way to check that the files in the Vista distribution are not affected by the virus. In my case (Costco-bought HP PC) I do not have Vista on CD; all I need for reinstallation is on disk D.

What would be suggestions for me, just go ahead and try reinstall again?
And I do not have anything important on this PC to back up, so it will be very clean reinstallation.

I just checked your links. All articles are about having a DVD with Vista. My PC was shipped with preinstalled Vista and I do not have any CD or DVD shipped with it.

Edited by Nelva, 19 January 2011 - 11:48 AM.


#13 boopme


Posted 19 January 2011 - 10:09 PM

What would be suggestions for me, just go ahead and try reinstall again?
And I do not have anything important on this PC to back up, so it will be very clean reinstallation


This would be my choice now.



