18915

July 9th, 2004 01:00

Rundll32.exe

The August 3, 2004 issue of PC Magazine is on Spyware/Viruses, etc.  It recommends AnswersThatWork.com as a place to find out what is running at start up.  AnswersThatWork states that if you are running Windows XP, which I am on my Dell Dimension 4300, and "Rundll32.exe" is in the Task Manager, it is a virus.  My McAfee virus program is running and does not show this as a virus.  Who is right?  Should Rundll32.exe show up in my Task Bar?

302 Posts

July 9th, 2004 16:00

An on-line scan from trendmicro or pandasoft might help clarify the matter more.

933 Posts

July 9th, 2004 18:00

We need to make you aware that many, many logs are being posted.  Because we are few, all volunteers with families and real jobs, we will have to ask you to be patient.  We work the logs in the order they come in.  One of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.

We need you to download and install an analysis and repair tool called HijackThis.
 
Download the zipped file from here: http://www.majorgeeks.com/download3155.html.  Please see the following link for information about downloading and other FAQ's.  There is also a link there to an .exe version of HijackThis if there is anyone who absolutely can not open a .zip file.  Please use this for that purpose only due to limited bandwidth, thank you.   http://russelltexas.com/malware/faqhijackthis.htm

Please unzip HijackThis.zip or move the HijackThis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a Temp folder, or the My Documents folder. It will create many backup files and they need to be stored in a unique HijackThis folder. If it is properly placed it will look like this:   C:\HJT\HijackThis.exe. Please be careful with these instructions; a misplaced log can slow down your repair while it is placed properly.

HijackThis FAQ (Frequently Asked Questions) at:  http://russelltexas.com/malware/faqhijackthis.htm
 
After downloading, and unzipping the HijackThis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run HijackThis, click on the 'scan' button and then 'save log' button.
 
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
 
Special Notice! HijackThis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the HijackThis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. HijackThis should identify the vast majority of your problems and enable us to help you clean them off your system.
 
Stay in this thread for continuity. Reply to this message.
 
Thanks,
 
pskelley
In Training at TomCoyote.com and Spywareinfo.com

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on HijackThis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-) 

5 Posts

July 16th, 2004 01:00

Hello.  I'm having all kinds of random problems w/ my computer, and I've noticed that each time I try to restart, I get a message stating that Windows is trying to End "rundll32.exe".  I followed the above instructions and here's what I got.  Any assistance would be MUCH appreciated - I'm at my wits' end!  : )

Logfile of HijackThis v1.98.0
Scan saved at 9:03:12 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\fjvtvz.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Dell\Support\bin\ClientApplicationFrameWork.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Nicki\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [tzhsfmb] C:\WINDOWS\System32\fjvtvz.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: LimeWire 4.0.7.lnk = C:\Program Files\LimeWire\LimeWire 4.0.7\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3123/cpbrkpie.cab

 

933 Posts

July 16th, 2004 01:00

lrstblBlis,  I understand, and you do have some problems, but they can be fixed given time and patience.  Let's start here:

Please post your starter topic in the Main Index as a NEW TOPIC. We want to help and we can help best by seeing your message in its own thread.
 
One person per thread...that's the policy we must insist on as too many victims in one thread makes for a disjointed and confusing mess nobody can understand now or later. We are volunteers and need some control over the threads.
 
Click on the link below for the Main Index and post your message with a new topic.
 
http://forums.us.dell.com/supportforums/board/post?board.id=si_virus
 
We'll be glad to help you when you repost. Be aware we have only a handful of Hijackthis experts here (all volunteers with "real" jobs elsewhere *;-) for suggested fixes for Hijackthis logs and we answer posts in chronological order starting back with the oldest unanswered posts. Be patient as it may be a while before your turn comes up.

Before you post, please review the information in this thread, including the links, and follow all of the instructions.  When this is complete, then post your log as the instructions suggest.  Thanks...pskelley

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=19204

Message Edited by pskelley on 07-17-2004 04:54 PM

3.4K Posts

July 16th, 2004 04:00

>AnswersThatWork states that if you are running Windows XP, which I am on my Dell Dimension 4300, and "Rundll32.exe" is in the Task Manager, it is a virus. 

They don't say that...if rundll.exe shows up in XP then it is a virus.
If rundll32.exe shows up in C:\Windows\System32 folder then you are safe...that is where it belongs in XP.


>My McAfee virus program is running and does not show this as a virus.  Who is right?  Should Rundll32.exe show up in my Task Bar?

It better not show up in the Task Bar. If it does I will ask you to get me a screen capture. *;-)  (Just kidding)...You meant Task LIST.

Cheers,

Texruss
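Texruss's test above (rundll32.exe is legitimate only when it runs from C:\Windows\System32) can be applied mechanically to a HijackThis log, together with two other things visible in the log posted earlier in this thread: the F2 UserInit override and O4 Run entries that use rundll32.exe to load a DLL from an unusual folder. The script below is an added example, not HijackThis or anything from this forum. It parses a few constructed lines in the v1.98 log format (modelled on the posted log, plus one made-up misplaced rundll32.exe) and assumes a stock XP install on C:, with the default UserInit value of C:\WINDOWS\system32\userinit.exe,. A hit is a lead for a person to check, as the volunteers here say, not a verdict.

```python
"""Triage checks over HijackThis-style log lines.

Added example for this thread: it is not HijackThis, and it reproduces only three
of the questions the volunteers here ask of a log. All paths assume a stock
Windows XP install on the C: drive.
"""
import re
from pathlib import PureWindowsPath

# Assumptions: default XP locations and the stock UserInit value.
SYSTEM32 = r"C:\WINDOWS\System32"
PROGRAM_FILES = r"C:\Program Files"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Core Windows binaries that belong only in System32 (Texruss's rundll32 test,
# applied to a few other Windows hosts as well).
SYSTEM_ONLY = {"rundll32.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe"}

# Constructed sample in HijackThis v1.98 format, modelled on the log posted in this
# thread; the line C:\WINDOWS\rundll32.exe is made up to show a misplaced copy.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\rundll32.exe
C:\WINDOWS\System32\fjvtvz.exe
C:\Program Files\WindowsSA\omniscient.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [tzhsfmb] C:\WINDOWS\System32\fjvtvz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.+)$")
# rundll32 takes "<dll>,<entrypoint>"; the DLL path may or may not be quoted.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"]+?)"?,', re.IGNORECASE)


def _norm(path):
    # Windows paths are case-insensitive; compare a normalised lower-case form.
    return str(PureWindowsPath(path)).lower()


def parent_is(path, directory):
    """True when the file sits directly in `directory` (not a subfolder of it)."""
    return _norm(PureWindowsPath(path).parent) == _norm(directory)


def under(path, directory):
    """True when the path is anywhere below `directory`."""
    return _norm(path).startswith(_norm(directory) + "\\")


def parse_processes(lines):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_section = [], False
    for line in lines:
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log_text):
    """Return (check, detail) pairs for lines worth a closer look."""
    findings = []
    lines = log_text.splitlines()
    for proc in parse_processes(lines):
        if PureWindowsPath(proc).name.lower() in SYSTEM_ONLY and not parent_is(proc, SYSTEM32):
            findings.append(("process-outside-system32", proc))
    for line in lines:
        f2 = F2_RE.match(line)
        if f2:
            value = f2.group("val").strip()
            if value.lower() != DEFAULT_USERINIT.lower():
                findings.append(("userinit-overridden", value))
            continue
        o4 = O4_RE.match(line)
        if not o4:
            continue
        hit = RUNDLL_RE.search(o4.group("cmd"))
        if hit:
            dll = hit.group(1)
            if not (under(dll, SYSTEM32) or under(dll, PROGRAM_FILES)):
                findings.append(("rundll32-loads-dll-outside-trusted-dirs", dll))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:45} {detail}")
```

Running it over a real log is a matter of reading the file and passing the text to triage(). The DLL-location rule is a heuristic: legitimate vendors sometimes install DLLs elsewhere, so each flagged O4 entry still needs the manual check the thread describes (where the file actually lives and whether the Run name makes sense), and a legitimate rundll32.exe in System32 says nothing about what it was asked to load.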

2 Posts

July 17th, 2004 19:00

Thank you.  It does show up in Windows\System32 folder.  

Rundll32.exe also shows up 6 times in c:\Windows\Prefetch.  An example is Rundll32.exe-74F74CED.pf 

Any concern about that?

3.4K Posts

July 17th, 2004 19:00

Herb typed these pixels of light:

>Rundll32.exe also shows up 6 times in c:\Windows\Prefetch.  An example is Rundll32.exe-74F74CED.pf 

Any concern about that?

Maybe...post a Hijackthis 1.98 log and we'll see.

Texruss

1 Message

July 19th, 2004 17:00

I just finished cleaning my mom's system of this virus this past weekend. I didn't know what it was at the time, but was able to remove it with the help of a lot of manual investigation. It appears to be distributed by a company called "Avenue Media in NV" (I think this is in Nevada).

The quicker way to get yourself up and running is to follow the instructions at this URL. They've got it all figured out and will get you up and running in no time.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFIND.A

Also, to clean up your system completely, you may want to clean up all the weird stuff now in your registry and executables and directories on your system. Also, history in your browser will have weird stuff. In the registry I found stuff like :
"Mr. Enigma"
"Microszoft Update machi1nezs"
"InternetOptimizer"
"WhenUSave"
"WhenUSearch"
All bad...this is just the tip of the iceberg...

Also, clean up the "wsaupdater.exe" execute string located in the user login variable in the registry.

HTH,

Maria

3.4K Posts

July 19th, 2004 23:00

MATapia: Welcome to the forum. Like you I used to manually clean malware from the Registry. Now I rely on a tool that makes it much easier to detect and remove malware and point me towards any extra things I might need to dabble in the Registry. It's called HijackThis:

http://russelltexas.com/malware/faqhijackthis.htm

Try it and you might find a lot more baddies on mom's PC!

Cheers,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Spyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, pskelley, cghost, and SpotCheckBilly.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs:  jimw, ddeerrff, msgale, and redwolfe_98. Please follow their advice when they respond to your problems. They have a proven track record here.

BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
