Infected Rundll32?


  • Please log in to reply
5 replies to this topic

#1 onevoid

onevoid

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:43 PM

Posted 11 March 2013 - 06:58 AM

My Rundll32 got infected by a virus from my flash drive. The icon turned to a blue page icon rather than the regular exe icon. I managed to delete it and then used sfc /scannow to restore the backup; however, the backup turned out to be another infected Rundll32. I tried downloading a zipped (a clean one) rundll32 from the net and what I observed was whenever I unzipped the file, it would become infected, but when I use 'open archive', the rundll32 remains clean (no blue page icon, just the regular one).

 

I used Malwarebytes but no threats were detected. Right now there are no major symptoms like random popups or whatever, but I'm worried that this might become worse sooner or later.

 

I'm running Windows 7 Professional 32-bit.

 

A bit of help please?

 

I got this from GMER by the way:

 

GMER 2.1.19155 - http://www.gmer.net
Rootkit quick scan 2013-03-11 21:13:55
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM251JI rev.2SS00_03 232.89GB
Running: c2uo9106.exe; Driver: C:\Users\Rin\AppData\Local\Temp\uwldrpow.sys


---- Devices - GMER 2.1 ----

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                   859831F8
Device          \Driver\atapi \Device\Ide\IdePort0                            859831F8
Device          \Driver\atapi \Device\Ide\IdePort1                            859831F8
Device          \Driver\atapi \Device\Ide\IdePort2                            859831F8
Device          \Driver\atapi \Device\Ide\IdePort3                            859831F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1                   859831F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel0                    859841F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel1                    859841F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel4                    859841F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel5                    859841F8
Device          \Driver\amyfn5pp \Device\Scsi\amyfn5pp1Port4Path0Target0Lun0  86E68500
Device          \Driver\amyfn5pp \Device\Scsi\amyfn5pp1                       86E68500
Device          \FileSystem\Ntfs \Ntfs                                        866471F8

AttachedDevice  \Driver\tdx \Device\Ip                                        kl1.sys
AttachedDevice  \Driver\tdx \Device\Tcp                                       kl1.sys
AttachedDevice  \Driver\tdx \Device\Udp                                       kl1.sys
AttachedDevice  \Driver\tdx \Device\RawIp                                     kl1.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                       Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                       Wdf01000.sys

---- EOF - GMER 2.1 ----
 


Edited by onevoid, 11 March 2013 - 08:15 AM.

#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:43 AM

Posted 11 March 2013 - 08:21 AM

rundll32.exe doesn't have a regular icon. The blue page is its actual icon.



#3 onevoid

onevoid
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:43 PM

Posted 11 March 2013 - 09:08 AM

Really??? My mistake then.

 

Then what about the GMER logs?



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:43 AM

Posted 11 March 2013 - 09:13 AM

GMER log looks normal, nothing malicious.
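Added example, not part of the thread or of GMER itself: a small Python parser for the "Devices" section of the GMER log posted above, to make concrete what "looks normal" means when reading such a log. A triager checks two things here: that each disk and file-system device is owned by an in-box Microsoft driver object, and that the filter drivers attached to the TCP/IP and keyboard stacks (the places where hooking and keylogging drivers typically sit) resolve to known, signed files. The sample lines are copied from the log above, the allow-lists are constructed for this illustration, kl1.sys is assumed to be the Kaspersky driver, and a "review" verdict only means the name is not on the list, not that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the GMER log posted in this thread,
# trimmed to one entry per device class so the output stays short.
SAMPLE_LOG = r"""
GMER 2.1.19155 - http://www.gmer.net
Rootkit quick scan 2013-03-11 21:13:55

---- Devices - GMER 2.1 ----

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0                   859831F8
Device          \Driver\msahci \Device\Ide\PciIde0Channel0                    859841F8
Device          \Driver\amyfn5pp \Device\Scsi\amyfn5pp1Port4Path0Target0Lun0  86E68500
Device          \FileSystem\Ntfs \Ntfs                                        866471F8

AttachedDevice  \Driver\tdx \Device\Tcp                                       kl1.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                       Wdf01000.sys

---- EOF - GMER 2.1 ----
"""


@dataclass(frozen=True)
class DeviceEntry:
    """One parsed line of the GMER 'Devices' section."""
    kind: str    # "Device" or "AttachedDevice"
    driver: str  # driver object that owns the device, e.g. \Driver\atapi
    device: str  # device object, e.g. \Device\Tcp
    detail: str  # object address for Device, filter file name for AttachedDevice


# kind, driver object, device object, trailing address or file name
LINE_RE = re.compile(r"^(Device|AttachedDevice)\s+(\\\S+)\s+(\\\S+)\s+(\S+)\s*$")

# Allow-lists constructed for this example. A real triage checks each name
# against the host's signed-driver inventory rather than a fixed list.
KNOWN_DRIVER_OBJECTS = {"atapi", "msahci", "Ntfs", "tdx", "kbdclass"}  # Microsoft in-box
KNOWN_FILTER_FILES = {
    "Wdf01000.sys": "Microsoft KMDF framework",
    "kl1.sys": "assumed Kaspersky driver (verify its signature on the host)",
}


def parse_gmer_devices(text: str) -> list[DeviceEntry]:
    """Return the DeviceEntry records found in the 'Devices' section of a GMER log."""
    entries = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("---- "):           # any section header starts/ends a section
            in_section = line.startswith("---- Devices")
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(DeviceEntry(*m.groups()))
    return entries


def driver_name(entry: DeviceEntry) -> str:
    """Name to judge: the driver object for Device lines, the filter file otherwise."""
    if entry.kind == "Device":
        return entry.driver.rsplit("\\", 1)[-1]
    return entry.detail


def triage(entries: list[DeviceEntry]) -> list[tuple[DeviceEntry, str]]:
    """Pair each entry with 'known' or 'review'; 'review' is not 'malicious'."""
    findings = []
    for e in entries:
        name = driver_name(e)
        known = name in KNOWN_DRIVER_OBJECTS if e.kind == "Device" else name in KNOWN_FILTER_FILES
        findings.append((e, "known" if known else "review"))
    return findings


def names_to_review(entries: list[DeviceEntry]) -> list[str]:
    """Sorted, de-duplicated driver names that did not match an allow-list."""
    return sorted({driver_name(e) for e, verdict in triage(entries) if verdict == "review"})


if __name__ == "__main__":
    parsed = parse_gmer_devices(SAMPLE_LOG)
    for entry, verdict in triage(parsed):
        print(f"{verdict:6}  {entry.kind:14}  {entry.device:45}  {driver_name(entry)}")
    print("names to review:", names_to_review(parsed))
```

On the sample, the disk stack (atapi, msahci, Ntfs) and both filter drivers come back "known"; only the driver object `amyfn5pp` is listed for review, because a name like that is not in the in-box set and its origin would have to be confirmed on the machine (for instance by looking up the signer of the corresponding .sys file) before drawing any conclusion either way.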



#5 onevoid

onevoid
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:43 PM

Posted 11 March 2013 - 10:00 AM

WHEW. I guess I was just being really paranoid after all. Thanks a lot for your help!

 

And sorry for the bother :)


#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:43 AM

Posted 11 March 2013 - 10:01 AM

Happy to help :)
