[Virus] Rundll32.exe Rundll31.exe infection?


[IsP]KaRnAgE

You Can Be My Wingman
Jul 24, 2001
2,806
0
36
The Highway to the Danger Zone
I turn on my PC, Mozilla opens, and tries to contact what appears to be a porn site. I can't log onto the internet unless I turn off the two Rundll things in the Task Manager. Then Mozilla stops being "possessed". Now aren't the Rundlls system files? Wouldn't they be flagged as "system" in the manager? They are flagged as "home" now. The problem also ceases when I disable them. I'm sure I've heard of a virus that "hijacks" rundll32.exe but I'm not sure. Unfortunately, I'm not the only one who uses this PC, so I have NO clue what was done. I don't know where to start looking, or what I'm looking for. Spyware scan turns up nothing special. Deleting them doesn't solve the problem. Virus scans turned up a java/class loader, but healing that solved nothing it seems. I'm totally clueless right now.
 

OO7MIKE

Mr. Sexy
May 2, 2000
5,022
107
63
Nalicity, NC
I take it you have tried Adaware, Spybot, and HijackThis?
Rundll32 is a system file. Rundll31 is not.
Run Adaware, Spybot, and of course a virus scanner.
 

[IsP]KaRnAgE

I just ran Hijack This and found some things:

Notice the red underlined things. The rundll32 thing is probably harmless. But I assume it's OK to delete/fix those other entries?
 

Attachments

  • jacked.jpg

ZenPirate

Living Legend (and moderator)
Nov 21, 2000
7,516
9
38
51
New York
If it helps, here is my task manager... I have no dll32-31 running at all. Win XP Pro
 

Attachments

  • screen.jpg

ZenPirate

Good luck. I'd keep a real close eye on the task manager, and maybe log your net traffic for a while, just to verify "stuff" isn't still on there.

*edit* Google searching turned up nothing on the "31" file. You may want to report it to Norton, AVG, or whoever to see if you can get some more info on it. Maybe it's a new virus.
 

haarg

PC blowticious
Apr 24, 2002
1,927
0
36
39
Over there
RUNDLL32 is used by many things, in your case it is being used by your NVidia driver. Although I'm not sure what exactly that NVidia process does, if you aren't using any of its special functions (multiple desktops, alpha blended windows, etc.) you are probably safe getting rid of it. It normally ran on my computer, but I recently got rid of it and haven't seen any ill effects. On the other hand, it doesn't do anything bad, so there really isn't any reason to remove it.

Also, the third item in that screen shot, VB_run, is something you don't need. The only information I found on it was 'Dubious downloader from densmail.com' and listed it as something you definitely don't need. Also, the name seems like something that is trying to hide itself - it is named very similarly to real system components.
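The check discussed in the posts above, as an added example that is not part of the original thread: a PowerShell triage that shows the command line of every rundll32.exe (so the DLL it hosts is visible) and flags processes whose name is one character off a system binary, as rundll31.exe is, or that use a system binary's name from outside the system directories. The `$known` list and the one-edit threshold are assumptions chosen for illustration, and it relies on Get-CimInstance, so it targets current Windows versions.

```powershell
# Added example, not from the thread. $known and the one-edit threshold are assumptions.
$sysDirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
$known   = 'rundll32.exe', 'svchost.exe', 'lsass.exe', 'services.exe', 'winlogon.exe'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance using two rows of the dynamic-programming table.
    $prev = [int[]](0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -ne $b[$j - 1])
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

$findings = Get-CimInstance Win32_Process | ForEach-Object {
    $p    = $_
    $name = $p.Name.ToLowerInvariant()
    $path = $p.ExecutablePath   # can be empty for protected processes when not elevated
    $why  = @()
    if ($known -contains $name) {
        # A genuine copy of these binaries runs from System32 or SysWOW64.
        if ($path -and ($sysDirs -notcontains [System.IO.Path]::GetDirectoryName($path))) {
            $why += 'system binary name running outside System32/SysWOW64'
        }
        # rundll32.exe is only a host; the command line names the DLL it loaded.
        if ($name -eq 'rundll32.exe') { $why += 'review hosted DLL in CommandLine' }
    } else {
        # Lookalike names such as rundll31.exe differ from a real name by one edit.
        $near = $known | Where-Object { (Get-EditDistance $name $_) -le 1 }
        if ($near) { $why += "name is one edit away from $($near -join ', ')" }
    }
    if ($why) {
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            CommandLine = $p.CommandLine
            Why         = $why -join '; '
        }
    }
}
$findings | Format-List
```

Run it from an elevated prompt so that ExecutablePath and CommandLine are populated for processes owned by other accounts.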
 

[IsP]KaRnAgE

Ok, my problem is NOT fixed. I walked away from my PC, I see Mozilla wants to set up a user profile when I come back, I tell it NO. I go to see why the PC is going into this mode when I idle, so I go to Display > Screensaver, WHAM! Mozilla tries to contact that website. I check Task Manager, I now have TWO instances of rundll32.exe running, along with something called "mike.scr". :/
It disconnects me from the internet, and I can't access the screen saver tab at all. :( :(
 

[IsP]KaRnAgE

Searched mike.scr on Google and I got a Yahoo group page that shows that it was an attachment infected with KLEZH that was spread around. :hmm: The problem? This wasn't there earlier today. I have a funky feeling something horrible is happening...
 

[IsP]KaRnAgE

Further breaking news.

I ran two virus scans earlier. One found a trojan, the second found nothing. I start running a new scan and suddenly Resident Shield pops up and tells me there is a WORM/Spybot in my Documents and Settings folder called explore.exe.
Why didn't it detect this before?
Virus scan has caught it... After the scan finishes I'm going to reboot and see what happens... If another virus pops up before I go to bed I know that something fishy is going on...
 

[IsP]KaRnAgE

Scanned and healed explore.exe worm. Attempting to access screen saver tab still disconnects me from the internet, MIKE.scr (now in caps, it wasn't before) still pops into the Task Manager, as does Rundll32.exe, and Mozilla still gets hijacked. I disabled System Restore when I scanned. I'm out of ideas now. I searched MIKE.scr on the Symantec site and found nothing.
 

Warm Pudgy

null
Feb 18, 2001
3,050
1
38
40
OK, go to Start > Search
type in mike.scr
then delete whatever it finds, do the same for rundll31

just in case, make a backup of rundll32.exe and use the one I've attached

then reinstall Mozilla, and install Spybot Search and Destroy and install AVG
then do all the updates and scans

then go to Start > Run
type in msconfig
click the Startup tab
uncheck everything
click the Services tab
uncheck the following:
automatic updates, IMAPI CD-burning COM service, internet connection firewall (it's useless), and messenger, or uncheck anything you don't feel you need
 

Attachments

  • rundll32.zip

ZenPirate

Thank Jeebus I almost never do internet stuff on the Windows box. Linux/Mac for teh intrawebnet, Windows has become my expensive gaming console.