
C:\WINDOWS\system32\rundll32.exe



#1 ModestNovice (Member, 18 posts)

Posted 01 September 2006 - 09:16 PM

HELP PLEASE!

I think I know where this problem has come from. I recently downloaded something that turned out to be useless from Torrent and I think I've inadvertently let a Trojan or something worse via the backdoor!! I know something quite serious is wrong because I cannot access a number of folders in the Control Panel - namely Add/Remove Programs, System, Security Centre etc etc. A critical stop message appears saying "C:\WINDOWS\system32\rundll32.exe - Another program is currently using this file". Also when I attempt to click on OK, it disappears and avoids the cursor. Also my PC appears to be running a little slower than usual.

I have McAfee, Ewido, AdAware, Spybot S&D, Spyware Guard, Spyblaster and CCleaner yet this has slipped through and I'm getting worried. I have run a scan on Ewido and it captured a Trojan called "Trojan.IcqSmiley.c". I have deleted this but the problem hasn't gone away. I have also run an AdAware scan, Spybot S&D and nothing malicious came back. I also ran a CCleaner and it made no difference. As a last resort (and something I used when I had a Malware infection) I used SmitFraudFix in Safe Mode, but nothing really worked.

I'm at a complete loss and would be really really grateful for some help at ridding this problem!! If I can get this sorted I'm intending to subscribe to Ewido as they now have something called a Resident Shield which I'm led to believe would've stopped this nasty (whatever it is!) from getting through. Any additional advice would be hugely welcomed!

If it helps my saviour out there, here is my Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 20:52:33, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\STEVED~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149098842234
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#2 ModestNovice (Member, 18 posts)

Posted 04 September 2006 - 10:24 AM

Has anyone had a chance to look at this issue yet? PLEASE! I'm getting desperate and have spent all weekend trying different scans and deleting things but to no avail.

I've been reading about RATs on some of CalamityJane's postings and it's got me worried. I still can't access things on my Control Panel and I think I need to reinstall the rundll32.exe file, but I don't know how to. My bigger concern is that some sort of nasty is still lurking in my system.

Any suggestions????

HELP!

#3 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 04 September 2006 - 11:50 AM

Hi

Can you try this and post back what happens please.

Click Start, select Run and enter the text:


appwiz.cpl


Click OK to start it. It should open Add or Remove Programs; if it gives any errors, please post back with the details.

#4 ModestNovice (Member, 18 posts)

Posted 04 September 2006 - 05:59 PM

Hi Ad Astra,

Did as you said, however it asked "Choose a program you want to use to open this file".

What program should I choose?

#5 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 04 September 2006 - 06:54 PM

Ok,

It should not need to ask that question but hopefully there is a quick fix for this.

Go to this web site

http://www.dougknox..../file_assoc.htm

and download the item for

CPL File Association Fix (Restore the default associations for CPL files)

Download this file, unzip it and then double click on the cpl_file_assoc.reg file. If prompted to confirm select yes at the import prompt.

Try running the appwiz.cpl command as before, does it work ok now?

#6 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 06:44 PM

Sorry Ad Astra, I've followed the instructions and it confirmed that the cpl_file_assoc.reg file had been added to the registry, but when I've tried to run the appwiz.cpl command it's still asking "Choose a program you want to use to open this file".

How bad is this problem I have? Should I be getting more worried than I already am?

#7 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 06:48 PM

Sorry, I should have asked you to reboot the PC after merging the reg file. Can you reboot, then retry:

Click start select run and enter the text in bold


appwiz.cpl


Click OK to start. Does a reboot help, or do you still get the error message?

#8 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 07:36 PM

Arghh! No, it's still asking which program I want to open it with.

#9 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 08:13 PM

OK, let's try another step.


Click start select run and enter the text in bold

cmd

Click OK, this will start a command window (black background)

At the prompt in the command window, type the text in bold. (note the space after regsvr32)


regsvr32 appwiz.cpl


then press the return key to run the command to register appwiz.cpl

now Click start select run and enter the text in bold


appwiz.cpl


click OK to start, does it work after registering appwiz.cpl?

#10 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 08:27 PM

Followed instructions through cmd and it said "RegSvr32 - DllRegisterServer in appwiz.cpl succeeded".
I then tried running the command appwiz.cpl and it still threw up the same message prompt. I tried rebooting and tried again, but no difference.

(By the way, thanks for all your help throughout this, it's hugely appreciated)

#11 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 08:28 PM

Also meant to add, that my PC upon reboot appeared to run a little quicker, especially on IE.

#12 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 09:00 PM

Hi

Could you check your rundll32.exe file please.

Click start, select search then under All or part of file name: enter

rundll32.exe


then under advanced options ensure "search system folders" "search hidden files and folders" and "search subfolders" are selected.

click on the search button to scan your system for rundll32.exe.

Several may be found. In the right-hand panel, right-click and select View, then Details. This will display items such as file size.

For files with the exact name rundll32.exe (ignore prefetch etc) right mouse click on each and select properties then select the version tab. Does it say Microsoft Corporation against Company?

How many rundll32.exe files does it find and what size is reported in the search results window?

Could you also post back if you have a Windows XP CD should we need to restore rundll32.exe.


Thanks
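The check in the post above (find every rundll32.exe, read off its location, size and the Company field of its version information) can be scripted so nothing is missed. This is an added example and not code from the thread or from any of its participants; it assumes PowerShell 3.0 or later (newer than the XP machine in the thread), guards the use of Get-FileHash, and treats the 33280-byte size that appears later in the thread only as a hint, since the correct size depends on the exact Windows build.

```powershell
# Added example, not code from the thread. Enumerates every file literally
# named rundll32.exe under %windir% and reports what post #12 asks the user
# to read off by hand: location, size and the Company field of the version
# resource, plus a SHA-256 so the copies can be compared with each other.
# Assumes PowerShell 3.0+ (Get-FileHash additionally needs 4.0 and is guarded).

$windir    = $env:windir
$system32  = Join-Path $windir 'system32\rundll32.exe'
$hintBytes = 33280   # size reported for the restored file in post #19; a hint, not a rule

function Get-Rundll32Report {
    $found = Get-ChildItem -Path $windir -Filter 'rundll32.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'rundll32.exe' }   # skips prefetch .pf entries

    foreach ($file in $found) {
        $info   = $file.VersionInfo
        $sha256 = 'n/a (Get-FileHash unavailable)'
        if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
            $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        }
        $sizeNote = 'differs from thread'
        if ($file.Length -eq $hintBytes) { $sizeNote = 'matches thread' }

        [pscustomobject]@{
            Path        = $file.FullName
            Bytes       = $file.Length
            Company     = $info.CompanyName
            FileVersion = $info.FileVersion
            SHA256      = $sha256
            SizeHint    = $sizeNote
        }
    }
}

$report = @(Get-Rundll32Report)
$report | Format-Table -AutoSize

# The copy Windows actually needs lives in system32; its absence is exactly
# what this thread eventually diagnosed.
if (-not (Test-Path -LiteralPath $system32)) {
    Write-Warning "No rundll32.exe in $windir\system32 - restore it from the Windows XP source files."
}

# A Company field that is not Microsoft, or two copies with different hashes,
# is a discrepancy that warrants a closer look rather than a reflexive delete.
$report | Where-Object { $_.Company -notlike 'Microsoft*' } |
    ForEach-Object { Write-Warning "Unexpected Company '$($_.Company)' on $($_.Path)" }
if (@($report | Select-Object -ExpandProperty SHA256 -Unique).Count -gt 1) {
    Write-Warning 'The rundll32.exe copies found are not identical; compare them with the i386 or dllcache copy.'
}
```

Run it from a PowerShell prompt on the affected machine; the warnings at the end are the parts worth reading before deleting anything, because an anti-spyware tool that quarantines a core Windows binary (as happened here) leaves the same symptom as a trojan that replaces it.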

#13 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 09:18 PM

Hi AdAstra,

Righto, did the search and nothing returned with the exact match rundll32.exe. Apart from prefetch and one called rundll32 (in folder C:/i386 and 33KB big) no, can't find anything. Looking at my original post, is there a chance that in deleting the trojan via Ewido (Ewido said that the Trojan was located in the file C:\WINDOWS\system32\rundll32.exe) the rundll32.exe has gone too?

With regards to the Windows XP CD, I do have one that Dell sent me (my PC is a Dell Dimension 3100) which is a reinstallation CD. I also have a Drivers & Utilities CD (if that's any help?)

Thanks

#14 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 09:34 PM

OK, no rundll32.exe: that looks like the cause of your problems.

First try this

Click start select run and enter the text in bold

cmd

Click OK, this will start a command window (black background)

At the prompt in the command window, type the text in bold.

expand C:\i386\rundll32.ex_ %windir%\system32\rundll32.exe

You should be able to cut and paste the text in bold above into the command window.

then if this works reboot and try as before:

Click start select run and enter the text in bold


appwiz.cpl


click OK to start. Any success?

#15 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 09:48 PM

I cut and pasted the command in and it came back saying:

"Can't open input file: c:\i386\rundll32.ex_"

#16 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 09:52 PM

Ok,

Try this technique, it may well ask for the Windows XP CD so have that to hand.

Click start select run and enter the text in bold

cmd

Click OK, this will start a command window (black background)

At the prompt in the command window, type the text in bold.

sfc /scannow

This will look for corrupt or missing windows files and so may require the Windows XP CD. Just follow the prompts if it does.

Fingers crossed.

#17 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 10:23 PM

No joy AdAstra, it ran through, but never once asked for the Windows XP CD.

So what does this mean? Man, this is getting frustrating now! (as I'm sure it is for you too by now!)

What's next then....;o)

(If I could beam you over a beer I would!)

#18 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 10:47 PM

Hi

Maybe it used the i386 folder rather than the CD. Is there a rundll32.exe in c:\windows\system32 now?

Start the search as before, but before running it click the icon showing a folder with a red tick (Folder Options), click on the View tab, and scroll down to "Hide extensions for known file types". Make sure this is not selected; if it is, click to deselect it, then click on Apply. Now run the search as before. How many rundll32.exe files are found now?
What is the size of the file, if any, in c:\windows\system32 folder?

Thanks

#19 ModestNovice (Member, 18 posts)

Posted 05 September 2006 - 11:06 PM

Ok, done as said, and it came back with (ignoring prefetch data) one application called:

rundll32.exe located in C:\WINDOWS - 33KB

Incidentally, whilst I thought you were offline, I Googled pages on missing Rundll32.exe and tried some help from a site called jsifaq.com where it gives a method of restoring a clean version of Rundll32.exe. I followed the instructions: Mount XP CD-ROM, Open CMD.exe session and type d:\i386\rundll32.ex_ %Systemroot%\rundll32.exe

When I ran this it said "expanding d:\i386\rundll32.ex_ to c:\i386\rundll32.ex
d:\i386\rundll32.ex_ 11853 bytes expanded to 33280 bytes. 180% increase."

Apologies if I've done something wrong, but I thought your status said offline and assumed you'd gone so tried a method similar to what you'd suggested (Christ, I hope I haven't done the wrong thing!!)

Anyway, when I now run the appwiz.cpl, I get the Add/Remove programs screen!! Are we getting somewhere? I still can't access stuff on my control panel, but this has given me some hope...at last!!
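The restore that posts #14, #16 and #19 worked through by hand (locate rundll32.ex_ in C:\i386 or on the XP CD, expand it, check the result) can be done in one script. This is an added example, not code from the thread or from either participant; it assumes PowerShell 3.0 or later, the expand.exe that ships with Windows, and an elevated prompt on anything newer than XP. It writes the file to system32, the destination in post #14, rather than the %SystemRoot% destination typed in post #19 (which is why the search there found the file in C:\WINDOWS).

```powershell
# Added example, not from the thread. Scripts the restore that posts #14, #16
# and #19 did by hand: find rundll32.ex_ in C:\i386 or on a CD, expand it to
# the path Windows expects (system32), then read back size and Company field.
# Assumes PowerShell 3.0+ and the expand.exe that ships with Windows.

$target = Join-Path $env:windir 'system32\rundll32.exe'

function Find-Rundll32Source {
    # Local OEM source first (Dell and others leave one in C:\i386), then every optical drive.
    $candidates = @('C:\i386\rundll32.ex_')
    $cdDrives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=5' -ErrorAction SilentlyContinue
    foreach ($drive in $cdDrives) {
        $candidates += "$($drive.DeviceID)\i386\rundll32.ex_"
    }
    $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
}

function Restore-Rundll32 {
    param([string]$Source, [string]$Destination)

    if (Test-Path -LiteralPath $Destination) {
        # Keep whatever is there now; an unexpected copy is evidence, not rubbish.
        Copy-Item -LiteralPath $Destination -Destination "$Destination.before-restore" -Force
    }
    # expand.exe <compressed> <destination>: the command from post #14, which the
    # line typed in post #19 was missing.
    & "$env:windir\system32\expand.exe" $Source $Destination | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "expand.exe returned exit code $LASTEXITCODE for $Source"
    }
    Get-Item -LiteralPath $Destination
}

$source = Find-Rundll32Source
if (-not $source) {
    throw 'No rundll32.ex_ found in C:\i386 or on a CD drive; insert the Windows XP CD and run again.'
}
$restored = Restore-Rundll32 -Source $source -Destination $target
'{0}: {1} bytes, Company = "{2}", FileVersion = {3}' -f $restored.FullName, $restored.Length,
    $restored.VersionInfo.CompanyName, $restored.VersionInfo.FileVersion
```

After it runs, the Company field should read Microsoft Corporation, which is the same check post #12 asked for; a reboot and the appwiz.cpl test from earlier in the thread confirm the repair.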

#20 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 September 2006 - 11:35 PM

Good stuff, no you did nothing wrong.

What kind of problems do you have with Control Panel, can you run Add or Remove programs from the Control Panel OK now?

If so, try the following to register other items that may be affected.

Click start select run and enter the text in bold


cmd


Click OK, this will start a command window (black background)

At the prompt in the command window, type the text in bold one line at a time and press the return key to run it, then repeat for the next item. Cut and paste, line by line, would be easiest.


regsvr32 %systemroot%\System32\Mshtml.dll
regsvr32 %systemroot%\System32\Jscript.dll
regsvr32 %systemroot%\System32\Msi.dll
regsvr32 "%ProgramFiles%\Common Files\System\Ole DB\Oledb32.dll"
regsvr32 "%ProgramFiles%\Common Files\System\Ado\Msado15.dll"
regsvr32 %systemroot%\System32\Mshtmled.dll


p.s. got to go for now but post back what kind of problems you have with control panel after trying the above.
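The six regsvr32 lines above can be run in one pass with the result of each recorded, which is easier to report back than reading six pop-up dialogs. This is an added example and not code from the thread or from Ad Astra; it assumes PowerShell 3.0 or later and an elevated prompt on Vista and later. The DLL list is exactly the one in the post.

```powershell
# Added example, not from the thread. Registers the COM servers listed in
# post #20 in one pass instead of line by line, skipping files that are not
# present and reporting regsvr32's exit code for each (0 means
# DllRegisterServer succeeded). Assumes PowerShell 3.0+.

$dlls = @(
    "$env:SystemRoot\System32\Mshtml.dll"
    "$env:SystemRoot\System32\Jscript.dll"
    "$env:SystemRoot\System32\Msi.dll"
    "$env:ProgramFiles\Common Files\System\Ole DB\Oledb32.dll"
    "$env:ProgramFiles\Common Files\System\Ado\Msado15.dll"
    "$env:SystemRoot\System32\Mshtmled.dll"
)

function Register-DllList {
    param([string[]]$Paths)

    foreach ($dll in $Paths) {
        if (-not (Test-Path -LiteralPath $dll)) {
            Write-Warning "Not found, skipped: $dll"
            continue
        }
        # /s suppresses the pop-up dialogs, so the exit code is the only signal.
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                              -ArgumentList @('/s', "`"$dll`"") -Wait -PassThru
        $result = 'FAILED'
        if ($proc.ExitCode -eq 0) { $result = 'registered' }

        [pscustomobject]@{
            Dll      = $dll
            ExitCode = $proc.ExitCode
            Result   = $result
        }
    }
}

Register-DllList -Paths $dlls | Format-Table -AutoSize
```

A non-zero exit code for one DLL points at that file specifically (missing dependency or a damaged copy) and is worth posting back with the path, the same way the thread handled rundll32.exe.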



