
Infected rundll32 file?


#1 doublespinner


Posted 11 July 2014 - 07:48 PM

Hi, I'm having a problem with my Windows 7 computer. It's a bit of a long story:

 
Last week, I installed Alcohol 52% Free Edition with a setup from filefacts.net. The program installed "Smart File Advisor" without my consent. I uninstalled both programs afterwards with Revo Uninstaller. A few days later, I started receiving popups to update Firefox, and I accidentally clicked Yes, which updated my Firefox to the latest version. The next time I started my computer, Avast detected a virus and let me do a boot-time scan on the computer. It found these files:
C:\Users\Isabel&Joshua\AppData\Local\UnityWebPlayer\Uninstall.exe (Threat: Win32:Malware-gen; moved to chest and deleted)
C:\Windows\PAExec.exe (Threat: Win32:Dropper-gen [Drp]; moved to chest and deleted)
 
Afterwards, I did more scans with Avast and Malwarebytes, which found more files:
 
Avast: Another "paexec.exe" under the folder for Display Driver Uninstaller; same properties as the one in the Windows folder.
Malwarebytes: Registry Key: PUP.Optional.SuperFish.A, HKU\S-1-5-21-251994250-2471517454-546149888-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\superfish.com, Quarantined, [fdeb7823255695a11833724236cc3dc3], 
PUP.Optional.Installcore, C:\Users\Isabel\AppData\Local\Temp\ICReinstall_Firefox Setup 30.0.exe, Quarantined, [2cbc5546cdae999de37afe6854b0fe02], 
PUP.Optional.Installcore, C:\Users\Isabel\AppData\Local\Temp\Firefox Setup 30.0.exe, Quarantined, [4f99b7e4b5c642f472eb9fc79c6847b9], 
 
A scan with Hitman Pro also found another setup for Alcohol 52% in the Appdata\Local\Temp folder, also beginning with "ICReinstall".
Google Chrome Canary was also installed for some reason. I had that browser in the past, but I removed it a while ago.
 
I looked through Process Explorer for any suspicious looking processes and found two strange rundll32 processes. Their icons were changed to this page icon. Here are their command lines:
C:\Windows\system32\rundll32.exe "C:\Windows\SysWOW64\mfc100korh.dll",Axqjfnlr
This one always runs at startup. "mfc100korh.dll" is an infected file I quarantined in my avast chest a long time ago, but for some reason was still in my virus chest.
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
This one occasionally runs at startup. I'm not sure why its chance of running is random.
 
Also, very rarely, my computer's startup will be very slow, and before the wallpaper and explorer.exe load, there will be a message in the lower right corner saying that my copy of Windows isn't genuine.
 
Am I still infected or am I just being paranoid? I've done scans with Avast, Malwarebytes, AdwCleaner, Rkill, and TDSSKiller, and none of them find anything wrong with this file, or any traces of a virus, but I still want to know.
 
Also, after configuring Avast to run a full scan for rootkits, it found the file C:\ADSM_PData_0150\DragWait.exe as a hidden rootkit file. Given that this is an ASUS laptop, and this seems to be ASUS software, I'm not sure if this is a false positive, or related to the problem I'm having.
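The two rundll32 command lines quoted above are a good illustration of how a defender triages this kind of finding: parse the DLL and entry point out of the command line, check the DLL name against an allowlist (and against near-misses of real Windows DLL names), and flag entry points that look like random strings. The script below is an added example, not part of the thread; the allowlist and the lookalike/consonant-run thresholds are constructed for illustration and would be tuned from a real signed-file inventory.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of DLL basenames rundll32 is commonly expected to load.
# Illustrative only; a real deployment would build this from a signed-file inventory.
KNOWN_DLLS = {"shell32.dll", "user32.dll", "advapi32.dll", "setupapi.dll",
              "inetcpl.cpl", "mfc100u.dll", "mfc100kor.dll"}

# The two command lines quoted in the post, used here as constructed sample input.
SAMPLES = {
    "startup": r'C:\Windows\system32\rundll32.exe "C:\Windows\SysWOW64\mfc100korh.dll",Axqjfnlr',
    "com": r'C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll '
           r'{995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding',
}

# rundll32 syntax: rundll32[.exe] <dll>,<entrypoint> [args]; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return (dll_path, entry_point), or None if this is not a rundll32 call."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("q") or m.group("u"), m.group("entry")) if m else None

def consonant_run(name):
    """Longest run of consonants; gibberish exports such as 'Axqjfnlr' score high."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name, re.IGNORECASE)
    return max((len(r) for r in runs), default=0)

def triage(cmdline):
    """List the reasons a rundll32 command line deserves a closer look ([] = nothing odd)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, entry = parsed
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if base not in KNOWN_DLLS:
        reasons.append(f"DLL {base} is not on the allowlist")
        # Typo-squatted names (one character off a real DLL) are a common disguise.
        nearest = max(KNOWN_DLLS, key=lambda k: SequenceMatcher(None, base, k).ratio())
        if SequenceMatcher(None, base, nearest).ratio() >= 0.9:
            reasons.append(f"name resembles {nearest}")
    if consonant_run(entry) >= 5:
        reasons.append(f"entry point {entry} looks random")
    return reasons

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, "->", triage(cmd) or "nothing unusual")
```

Run against the two posted command lines, the shell32.dll/SHCreateLocalServerRunDll invocation (a normal COM local-server launch) produces no findings, while the SysWOW64 one is flagged on all three checks.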



#2 noknojon


Posted 11 July 2014 - 08:19 PM

Hello -
Sorry to tell you, but you did install the problem programs mentioned when you clicked on I Agree, as these are written in the "fine print" as extras that you accept with your download.

 

Download all tools to Desktop, and Copy and Paste any logs.

 

First - This is a "basic clean-up" and we will go further depending on your answers.

 

Please download and run RKill by Grinler.
A black DOS box will appear for a short time and then disappear.
This is normal and indicates the tool ran successfully.
At most the tool will usually run for about 2 minutes.
Please Copy / Paste the small log back here.

 

Important: Do not reboot your computer until you complete the next step.

 

* NOW :
 Please download AdwCleaner by Xplode and save to your Desktop.
 * Double-click on AdwCleaner.exe to run the tool.
 * Vista/Windows 7/8 users right-click and select Run As Administrator.
 * Click on the Scan button (only once)
 * AdwCleaner will begin...be patient as the scan may take some time to complete.
 * After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Check the removals and see if you are OK with the list.

* Now
 * Click on the Clean button (only once)
 * Press OK when asked to close all programs and follow the onscreen prompts.
 * Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
 * After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
 * Copy and Paste the contents of that logfile in your next reply.

* A copy of all logfiles is also saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Next -

Please download Junkware Removal Tool by Thisisu to desktop

To avoid potential conflicts, temporarily disable your antivirus and firewall. You will want to be offline when you do this.

Click on Run to initiate the installation.

Run the tool by double-clicking it.

If you are using Windows Vista, 7, or 8; right-mouse click JRT.exe and select Run as Administrator.

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open. 
Copy and paste this in your next post.

 

Please report on the current problem after you run these programs.



#3 doublespinner


Posted 17 July 2014 - 04:13 PM

Hi, here are the logs:

 

RKill log: http://pastebin.com/2Yd2bQu5

AdwCleaner log: http://pastebin.com/6Re92e9n

JRT log: http://pastebin.com/zwK6u5h2



#4 noknojon


Posted 17 July 2014 - 07:15 PM

Checking for processes to terminate:
 * C:\Windows\SysWOW64\ACEngSvr.exe (PID: 4004) [WD-HEUR]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 1504) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 1504) [UP-HEUR]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 884) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 3160) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 3160) [UP-HEUR]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 5084) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 5084) [UP-HEUR]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 6092) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 6092) [UP-HEUR]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 2252) [FI]
 * C:\Users\Isabel\Downloads\chromium\chrome-win32\chrome.exe (PID: 2252) [UP-HEUR]
12 proccesses terminated!

 

 

  • As you need more assistance, please fully read and follow the instructions in the Preparation Guide starting at Step #6.
  • When you have done that, start a new topic and post the required logs to the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
  • NOTE: If you are unable to complete any step, just post the topic and leave a full description of your problems.
  • Please Use Copy / Paste for your responses, and Do Not Attach them unless your helper requests this.
