
Question concerning rundll32.exe

Discussion in 'Virus & Other Malware Removal' started by Catharsis, Feb 2, 2005.

  1. Catharsis

    Catharsis Thread Starter

    Joined:
    Jul 31, 2004
    Messages:
    10
    Today when I turned on my computer and signed in, I got a pop-up saying something about how rundll32.exe is unrecognized or something... I can't completely remember. Then I logged in to MSN Messenger, and all my online contacts opened up and then closed. When I log off, I have no conversation boxes open, but it tells me all boxes will be closed and all activities will be stopped. So I did a search on rundll32.exe. A number of matches came up, some created when I first got the computer sometime in '03, but most were created yesterday...

    So I googled it and it said that rundll32 is a necessary part of Windows; however, it is also a process which is registered as the W32.Miroot.Worm.

    I was thinking maybe my strange msn experience was the worm spreading?

    So what should I do? Should I worry? Should I remove the files created yesterday?

    Thanks
     
  2. Catharsis

    Catharsis Thread Starter

    Joined:
    Jul 31, 2004
    Messages:
    10
    And if it matters, I'm running Windows XP Home Edition.
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Go to http://majorgeeks.com/download3155.html and download 'Hijack This!'.

    First make a folder on your computer in My Documents called Hijackthis and then unzip it to that folder.
    Then double-click Hijackthis.exe.

    Click the "Scan" button. When the scan is finished the scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.

    Someone here will be happy to help you analyze the results.
     
  4. Catharsis

    Catharsis Thread Starter

    Joined:
    Jul 31, 2004
    Messages:
    10
    Oh boy, seems like there's a lot :S

    Logfile of HijackThis v1.99.0
    Scan saved at 1:59:48 PM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\explorer.exe
    c:\windows\explorer.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    c:\windows\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
    c:\windows\system32\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Spencer\My Documents\Hijackthis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://penny-arcade.com/view.php3
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rogers.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
    O1 - Hosts: 222.89.98.219 www.wo365.com
    O1 - Hosts: 222.89.98.219 cmfu.com
    O1 - Hosts: 222.89.98.219 www.cmfu.com
    O1 - Hosts: 222.89.98.219 9i0.com
    O1 - Hosts: 222.89.98.219 www.9flash.com
    O1 - Hosts: 222.89.98.219 9flash.com
    O1 - Hosts: 222.89.98.219 www.nowok.net
    O1 - Hosts: 222.89.98.219 nowok.net
    O1 - Hosts: 222.89.98.219 wisa.com.cn
    O1 - Hosts: 222.89.98.219 www.sia.com.cn
    O1 - Hosts: 222.89.98.219 www.wisa.cn
    O1 - Hosts: 222.89.98.219 wisa.cn
    O1 - Hosts: 222.89.98.219 www.zhao99.com
    O1 - Hosts: 222.89.98.219 zhao99.com
    O1 - Hosts: 222.89.98.219 www.wo123.com
    O1 - Hosts: 222.89.98.219 wo123.com
    O1 - Hosts: 222.89.98.219 wo99.com
    O1 - Hosts: 222.89.98.219 www.wo99.com
    O1 - Hosts: 222.89.98.219 www.page.com.cn
    O1 - Hosts: 222.89.98.219 page.com.cn
    O1 - Hosts: 222.89.98.219 www.432.cn
    O1 - Hosts: 222.89.98.219 432.cn
    O1 - Hosts: 222.89.98.219 wysw.com
    O1 - Hosts: 222.89.98.219 14.com.cn
    O1 - Hosts: 222.89.98.219 www.14.com.cn
    O1 - Hosts: 222.89.98.219 cnww.net
    O1 - Hosts: 222.89.98.219 www.mv99.com
    O1 - Hosts: 222.89.98.219 mv99.com
    O1 - Hosts: 222.89.98.219 www.youav.com
    O1 - Hosts: 222.89.98.219 www.mtvav.com
    O1 - Hosts: 222.89.98.219 www.98983.com
    O1 - Hosts: 222.89.98.219 98983.com
    O1 - Hosts: 222.89.98.219 www.114.com.cn
    O1 - Hosts: 222.89.98.219 114.com.cn
    O1 - Hosts: 222.89.98.219 www.net114.com
    O1 - Hosts: 222.89.98.219 www.skywz.com
    O1 - Hosts: 222.89.98.219 skywz.com
    O1 - Hosts: 222.89.98.219 www.hao6.com
    O1 - Hosts: 222.89.98.219 hao6.com
    O1 - Hosts: 222.89.98.219 www.678a.com
    O1 - Hosts: 222.89.98.219 678a.com
    O1 - Hosts: 222.89.98.219 www.7510.com
    O1 - Hosts: 222.89.98.219 7510.com
    O1 - Hosts: 222.89.98.219 www.zzkan.com
    O1 - Hosts: 222.89.98.219 zzkan.com
    O1 - Hosts: 222.89.98.219 www.ca183.com
    O1 - Hosts: 222.89.98.219 ca183.com
    O1 - Hosts: 222.89.98.219 3tom.com
    O1 - Hosts: 222.89.98.219 www.yhjm.com
    O1 - Hosts: 222.89.98.219 yhjm.com
    O1 - Hosts: 222.89.98.219 www.k369.com
    O1 - Hosts: 222.89.98.219 www.xxwww.com
    O1 - Hosts: 222.89.98.219 xxwww.com
    O1 - Hosts: 222.89.98.219 www.fm1000.net
    O1 - Hosts: 222.89.98.219 fm1000.net
    O1 - Hosts: 222.89.98.219 www.ok135.com
    O1 - Hosts: 222.89.98.219 ok135.com
    O1 - Hosts: 222.89.98.219 www.link999.com
    O1 - Hosts: 222.89.98.219 link999.com
    O1 - Hosts: 222.89.98.219 www.001wz.com
    O1 - Hosts: 222.89.98.219 001wz.com
    O1 - Hosts: 222.89.98.219 www.7t7t.com
    O1 - Hosts: 222.89.98.219 7t7t.com
    O1 - Hosts: 222.89.98.219 www.7k7k.com
    O1 - Hosts: 222.89.98.219 7k7k.com
    O1 - Hosts: 222.89.98.219 www.webcool.net
    O1 - Hosts: 222.89.98.219 webcool.net
    O1 - Hosts: 222.89.98.219 www.51sobu.com
    O1 - Hosts: 222.89.98.219 51sobu.com
    O1 - Hosts: 222.89.98.219 cy.51sobu.com
    O1 - Hosts: 222.89.98.219 www.fj3721.com
    O1 - Hosts: 222.89.98.219 fj3721.com
    O1 - Hosts: 222.89.98.219 www.msncn.com
    O1 - Hosts: 222.89.98.219 msncn.com
    O1 - Hosts: 222.89.98.219 www.6235.com
    O1 - Hosts: 222.89.98.219 6235.com
    O1 - Hosts: 222.89.98.219 www.8goo.com
    O1 - Hosts: 222.89.98.219 8goo.com
    O1 - Hosts: 222.89.98.219 www.baimin.com
    O1 - Hosts: 222.89.98.219 baimin.com
    O1 - Hosts: 222.89.98.219 www.bwwz.com
    O1 - Hosts: 222.89.98.219 bwwz.com
    O1 - Hosts: 222.89.98.219 www.howow.net
    O1 - Hosts: 222.89.98.219 howow.net
    O1 - Hosts: 222.89.98.219 www.tongchi.com
    O1 - Hosts: 222.89.98.219 tongchi.com
    O1 - Hosts: 222.89.98.219 www.65658.com
    O1 - Hosts: 222.89.98.219 65658.com
    O1 - Hosts: 222.89.98.219 www.7o7o.com
    O1 - Hosts: 222.89.98.219 7o7o.com
    O1 - Hosts: 222.89.98.219 5126.net
    O1 - Hosts: 222.89.98.219 www.5126.net
    O1 - Hosts: 222.89.98.219 www.wangzhiku.com
    O1 - Hosts: 222.89.98.219 wangzhiku.com
    O1 - Hosts: 222.89.98.219 www.soyeah.com
    O1 - Hosts: 222.89.98.219 soyeah.com
    O1 - Hosts: 222.89.98.219 www.sowang.cn
    O1 - Hosts: 222.89.98.219 sowang.cn
    O1 - Hosts: 222.89.98.219 www.77177.com
    O1 - Hosts: 222.89.98.219 77177.com
    O1 - Hosts: 222.89.98.219 www.look8.net
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
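The log above is where the actual evidence sits, and three kinds of line in it are the ones a malware-removal helper looks at first: the block of O1 hosts-file entries that all point different domains at one remote IP, the F2 line where UserInit has been changed from the stock userinit.exe, and the O4 autoruns that launch rundll32.exe from outside system32 with a malformed command line. The following is an added triage script, not part of the thread and not HijackThis's own code: it parses lines in the HijackThis format and reports those three patterns. The sample input is a subset of the lines posted above plus one constructed 127.0.0.1 line; the assumptions baked in are that the stock UserInit executable is named userinit.exe, that hosts entries pointing at loopback or 0.0.0.0 are ordinary ad-blocking and not hijacks, and that rundll32.exe normally lives under system32.

```python
"""Triage helpers for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Sample input: lines copied from the log posted in this thread, plus one
# constructed loopback entry (ads.example.invalid) to show the benign case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
O1 - Hosts: 222.89.98.219 www.wo365.com
O1 - Hosts: 222.89.98.219 cmfu.com
O1 - Hosts: 222.89.98.219 www.cmfu.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# Every HijackThis line starts with a section tag such as R1, F2, O1, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Assumption: hosts entries sinking names to these addresses are ad/tracker blocks, not hijacks.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_entries(text):
    """Return (section, body) tuples for every well-formed HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def hosts_hijacks(entries, min_domains=3):
    """Group O1 hosts-file entries by target IP and return {ip: [names]} for
    non-loopback targets that collect at least min_domains names."""
    by_ip = defaultdict(list)
    for section, body in entries:
        if section != "O1":
            continue
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m and m.group(1) not in LOCAL_SINKS:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_domains}


def userinit_anomalies(entries):
    """Flag F2 UserInit values whose executable is not the stock userinit.exe (assumed default)."""
    findings = []
    for section, body in entries:
        if section != "F2":
            continue
        m = re.match(r"REG:system\.ini:\s*UserInit=(.+)$", body, re.I)
        if m:
            exe_path = m.group(1).split(",")[0].strip().strip('"')
            if exe_path.split("\\")[-1].lower() != "userinit.exe":
                findings.append(exe_path)
    return findings


def rundll32_autoruns(entries):
    """Return (hive, entry_name, reasons) for O4 autoruns that launch rundll32.exe
    from an unexpected location or with a malformed (unbalanced-quote) command line."""
    findings = []
    for section, body in entries:
        if section != "O4":
            continue
        m = re.match(r"(?P<hive>.+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
        if not m or "rundll32" not in m.group("cmd").lower():
            continue
        cmd = m.group("cmd")
        reasons = []
        exe = cmd.split()[0].strip('"').lower()
        if "\\system32\\" not in exe:  # assumption: the real rundll32.exe lives under system32
            reasons.append("rundll32.exe launched from outside system32: " + exe)
        if cmd.count('"') % 2:
            reasons.append("unbalanced quotes in command line")
        findings.append((m.group("hive"), m.group("name"), reasons))
    return findings


def triage(text):
    """Run all three checks over a log and return the findings keyed by check name."""
    entries = parse_entries(text)
    return {
        "hosts_hijacks": hosts_hijacks(entries),
        "userinit": userinit_anomalies(entries),
        "rundll32": rundll32_autoruns(entries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the sample it reports one hosts hijack target (222.89.98.219 with three names), one UserInit anomaly (userinit32.exe) and both MMSystem autoruns, each with two reasons; the loopback entry and the QuickTime autorun are not reported. Thresholds such as min_domains are deliberately conservative so that a single odd hosts line does not become a finding on its own.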
     