
Question concerning rundll32.exe

Discussion in 'Virus & Other Malware Removal' started by Catharsis, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. Catharsis

    Catharsis Thread Starter

    Jul 31, 2004
    Today when I turned on my computer and signed in, I get a pop-up saying something about how rundll32.exe is unrecognized or something... I can't completely remember. Then I log in to MSN Messenger, and all my online contacts open up and then close. When I log off, I have no conversation boxes open, but it tells me all boxes will be closed and all activities will be stopped. So I did a search on rundll32.exe. A number of matches come up, some created when I first got the computer sometime in '03, but most were created yesterday...

    So I googled it, and it said that rundll32 is a necessary part of Windows; however, it is also a process which is registered as the W32.Miroot.Worm.

    I was thinking maybe my strange msn experience was the worm spreading?

    So what should I do? Should I worry? Should I remove the files created yesterday?

  2. Catharsis

    Catharsis Thread Starter

    Jul 31, 2004
    And if it matters, I'm running Windows XP Home Edition.
  3. mjack547

    mjack547 Malware Specialist

    Sep 1, 2003
    Go to http://majorgeeks.com/download3155.html and download 'Hijack This!'.

    First make a folder on your computer in My Documents called Hijackthis and then unzip it to that folder.
    Then double-click Hijackthis.exe.

    Click the "Scan" button; when the scan is finished, the Scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log, click "Edit > Select All", then "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.

    Someone here will be happy to help you analyze the results.
  4. Catharsis

    Catharsis Thread Starter

    Jul 31, 2004
    Oh boy, seems like there's a lot :S

    Logfile of HijackThis v1.99.0
    Scan saved at 1:59:48 PM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Spencer\My Documents\Hijackthis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://penny-arcade.com/view.php3
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rogers.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
    O1 - Hosts: www.wo365.com
    O1 - Hosts: cmfu.com
    O1 - Hosts: www.cmfu.com
    O1 - Hosts: 9i0.com
    O1 - Hosts: www.9flash.com
    O1 - Hosts: 9flash.com
    O1 - Hosts: www.nowok.net
    O1 - Hosts: nowok.net
    O1 - Hosts: wisa.com.cn
    O1 - Hosts: www.sia.com.cn
    O1 - Hosts: www.wisa.cn
    O1 - Hosts: wisa.cn
    O1 - Hosts: www.zhao99.com
    O1 - Hosts: zhao99.com
    O1 - Hosts: www.wo123.com
    O1 - Hosts: wo123.com
    O1 - Hosts: wo99.com
    O1 - Hosts: www.wo99.com
    O1 - Hosts: www.page.com.cn
    O1 - Hosts: page.com.cn
    O1 - Hosts: www.432.cn
    O1 - Hosts: 432.cn
    O1 - Hosts: wysw.com
    O1 - Hosts: 14.com.cn
    O1 - Hosts: www.14.com.cn
    O1 - Hosts: cnww.net
    O1 - Hosts: www.mv99.com
    O1 - Hosts: mv99.com
    O1 - Hosts: www.youav.com
    O1 - Hosts: www.mtvav.com
    O1 - Hosts: www.98983.com
    O1 - Hosts: 98983.com
    O1 - Hosts: www.114.com.cn
    O1 - Hosts: 114.com.cn
    O1 - Hosts: www.net114.com
    O1 - Hosts: www.skywz.com
    O1 - Hosts: skywz.com
    O1 - Hosts: www.hao6.com
    O1 - Hosts: hao6.com
    O1 - Hosts: www.678a.com
    O1 - Hosts: 678a.com
    O1 - Hosts: www.7510.com
    O1 - Hosts: 7510.com
    O1 - Hosts: www.zzkan.com
    O1 - Hosts: zzkan.com
    O1 - Hosts: www.ca183.com
    O1 - Hosts: ca183.com
    O1 - Hosts: 3tom.com
    O1 - Hosts: www.yhjm.com
    O1 - Hosts: yhjm.com
    O1 - Hosts: www.k369.com
    O1 - Hosts: www.xxwww.com
    O1 - Hosts: xxwww.com
    O1 - Hosts: www.fm1000.net
    O1 - Hosts: fm1000.net
    O1 - Hosts: www.ok135.com
    O1 - Hosts: ok135.com
    O1 - Hosts: www.link999.com
    O1 - Hosts: link999.com
    O1 - Hosts: www.001wz.com
    O1 - Hosts: 001wz.com
    O1 - Hosts: www.7t7t.com
    O1 - Hosts: 7t7t.com
    O1 - Hosts: www.7k7k.com
    O1 - Hosts: 7k7k.com
    O1 - Hosts: www.webcool.net
    O1 - Hosts: webcool.net
    O1 - Hosts: www.51sobu.com
    O1 - Hosts: 51sobu.com
    O1 - Hosts: cy.51sobu.com
    O1 - Hosts: www.fj3721.com
    O1 - Hosts: fj3721.com
    O1 - Hosts: www.msncn.com
    O1 - Hosts: msncn.com
    O1 - Hosts: www.6235.com
    O1 - Hosts: 6235.com
    O1 - Hosts: www.8goo.com
    O1 - Hosts: 8goo.com
    O1 - Hosts: www.baimin.com
    O1 - Hosts: baimin.com
    O1 - Hosts: www.bwwz.com
    O1 - Hosts: bwwz.com
    O1 - Hosts: www.howow.net
    O1 - Hosts: howow.net
    O1 - Hosts: www.tongchi.com
    O1 - Hosts: tongchi.com
    O1 - Hosts: www.65658.com
    O1 - Hosts: 65658.com
    O1 - Hosts: www.7o7o.com
    O1 - Hosts: 7o7o.com
    O1 - Hosts: 5126.net
    O1 - Hosts: www.5126.net
    O1 - Hosts: www.wangzhiku.com
    O1 - Hosts: wangzhiku.com
    O1 - Hosts: www.soyeah.com
    O1 - Hosts: soyeah.com
    O1 - Hosts: www.sowang.cn
    O1 - Hosts: sowang.cn
    O1 - Hosts: www.77177.com
    O1 - Hosts: 77177.com
    O1 - Hosts: www.look8.net
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
    O2 - BHO: AutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
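As an added example (not code from the thread, from HijackThis, or from the helpers in it), the Python script below walks a log in the format posted above and pulls out the three kinds of entry an analyst reads first: the F2 UserInit value (the stock value on XP is %SystemRoot%\system32\userinit.exe), O4 Run entries that launch rundll32.exe from somewhere other than System32 (the stock copy lives there), and O1 Hosts-file overrides. The rules are general heuristics that mark entries for review, not a verdict on this particular log; the sample log embedded in the script is a constructed subset of the line shapes above so that it runs offline.

```python
"""Triage a HijackThis log for the entries an analyst would inspect first.

Added example: this is not code from the thread or from HijackThis. The
three rules encode general heuristics only (a UserInit value other than the
stock userinit.exe, rundll32.exe launched from outside System32, and
Hosts-file overrides); they flag entries for review, not a verdict.
"""
import ntpath
import re

ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?', re.IGNORECASE)
USERINIT_RE = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)

# Constructed sample in HijackThis v1.99 format (a subset of the line shapes
# in the posted log, re-typed here so the script runs offline).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://penny-arcade.com/view.php3
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
O1 - Hosts: www.wo365.com
O1 - Hosts: cmfu.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""


def parse(log):
    """Yield (section, body) for every 'Xn - body' line; skip everything else."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("body")


def rundll32_dir(cmd):
    """Lower-cased directory of the rundll32.exe a Run command launches, or None."""
    m = RUNDLL_RE.match(cmd.strip())
    return ntpath.dirname(m.group("exe")).lower() if m else None


def triage(log):
    """Return (severity, section, detail) tuples for entries worth a second look."""
    findings, hosts, run_hives = [], [], {}
    for sect, body in parse(log):
        if sect == "F2":
            m = USERINIT_RE.match(body)
            if m:
                first = m.group("value").split(",")[0].strip().strip('"')
                stock = (ntpath.basename(first).lower() == "userinit.exe"
                         and ntpath.dirname(first).lower().endswith("\\system32"))
                if not stock:
                    findings.append(("high", sect,
                        f"UserInit is {first}; stock value is %SystemRoot%\\system32\\userinit.exe"))
        elif sect == "O1" and body.startswith("Hosts: "):
            hosts.append(body[len("Hosts: "):])
        elif sect == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries are not covered by this rule
            name, cmd = m.group("name"), m.group("cmd")
            run_hives.setdefault(name.lower(), set()).add(m.group("hive"))
            d = rundll32_dir(cmd)
            if d is not None and not d.endswith("\\system32"):
                where = d or "an unqualified path"
                findings.append(("high", sect,
                    f"[{name}] runs rundll32.exe from {where}; the stock copy lives in %SystemRoot%\\system32"))
    # The same Run value name registered under both hives is unusual for an installer.
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(("medium", "O4", f"Run value [{name}] is registered in both HKLM and HKCU"))
    if hosts:
        findings.append(("medium", "O1", f"{len(hosts)} Hosts-file override(s), first: {hosts[0]}"))
    return findings


if __name__ == "__main__":
    for sev, sect, detail in triage(SAMPLE_LOG):
        print(f"{sev:6} {sect:3} {detail}")
```

Run it as `python hjt_triage.py` to see the findings for the embedded sample, or replace SAMPLE_LOG with the contents of a saved HijackThis log. The script only reports; as the reply above says, nothing should be "fixed" until someone has read the whole log.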
Short URL to this thread: https://techguy.org/326006