BeyondUnreal Forums

7th Nov 2003, 02:02 PM   #1
[IsP]KaRnAgE
You Can Be My Wingman
Join Date: Jul. 24th, 2001
Location: The Highway to the Danger Zone
Posts: 2,809
[Virus] Rundll32.exe Rundll31.exe infection?

I turn on my PC, Mozilla opens, and tries to contact what appears to be a porn site. I can't log onto the internet unless I turn off the two Rundll things in the Task Manager. Then Mozilla stops being "possessed". Now aren't the Rundlls system files? Wouldn't they be flagged as "system" in the manager? They are flagged as "home" now. The problem also ceases when I disable them. I'm sure I've heard of a virus that "hijacks" rundll32.exe but I'm not sure. Unfortunately, I'm not the only one who uses this PC, so I have NO clue what was done. I don't know where to start looking, or what I'm looking for. Spyware scan turns up nothing special. Deleting them doesn't solve the problem. Virus scans turned up a java/class loader, but healing that solved nothing it seems. I'm totally clueless right now.
__________________
Don't screw around with me Maverick. You're a hell of an instinctive pilot. Maybe too good. I'd like to bust your butt but I can't. I got another problem here. I gotta send somebody from this squadron to Miramar. I gotta do something here, I still can't believe it. I gotta give you your dream shot! I'm gonna send you up against the best. You two characters are going to Top Gun.
7th Nov 2003, 03:28 PM   #2
[UM]theswarm
Spork of the Apocalypse!
Join Date: Sep. 30th, 2001
Location: Everywhere
Posts: 1,058
AFAIK RunDll31.exe isn't a real file, maybe delete RunDll31.exe and see if you can get a new RunDll32.exe file from someone with the same OS as you?
7th Nov 2003, 03:36 PM   #3
Fluid
Zen fascists will control you
Join Date: Aug. 2nd, 2000
Location: Maastricht, the Netherlands
Posts: 2,766
There is no such thing as rundll31.exe.
__________________
GMD/S/SS d- s:-- a-- C++++ U! P! L+ E-- W++ N o? K? w++ OS/2! M! VMS? PS+ PE++ Y+ PGP! t- 5! X! R(+) tv-- b+ DI D G e h! r! !z*

The man that hath no music in himself,
Nor is not mov’d with concord of sweet sounds,
Is fit for treasons, stratagems and spoils;
The motions of his spirit are as dull as night,
And his affections dark as Erebus:
Let no such man be trusted.
7th Nov 2003, 04:23 PM   #4
[IsP]KaRnAgE
I had it in my task manager, that is why I mentioned it. It could be the sole source of the problem. I just didn't want to run around deleting files not really knowing what they were.
7th Nov 2003, 05:03 PM   #5
OO7MIKE
Mr. Sexy
Join Date: May. 2nd, 2000
Location: Nalicity, NC
Posts: 4,931
I take it you have tried Adaware, Spybot, and HijackThis?
Rundll32 is a system file. Rundll31 is not.
Run Adaware, Spybot, and of course a virus scanner.
__________________
- = Michael Brinkerhoff Photography = -
7th Nov 2003, 05:59 PM   #6
[IsP]KaRnAgE
I just ran Hijack This and found some things:

Notice the red underlined things. The rundll32 thing is probably harmless. But I assume it's OK to delete/fix those other entries?
[Attached image: jacked.jpg]
Last edited by [IsP]KaRnAgE; 7th Nov 2003 at 06:02 PM.
7th Nov 2003, 06:10 PM   #7
ZenPirate
Living Legend (and moderator)
Join Date: Nov. 21st, 2000
Location: New York
Posts: 7,487
If it helps, here is my task manager... I have no dll32-31 running at all. Win XP Pro
[Attached image: screen.jpg]
7th Nov 2003, 06:12 PM   #8
[IsP]KaRnAgE
Hmmm. Well I deleted dll31. Mozilla is no longer possessed on start up. (Thanks to Hijack.) However, Rundll32 is still running in my task manager.
7th Nov 2003, 06:24 PM   #9
ZenPirate
Good luck. I'd keep a real close eye on the task manager, and maybe log your net traffic for awhile, just to verify "stuff" isn't still on there.

*edit* Google searching turned up nothing on the "31" file. You may want to report it to Norton, AVG, or whoever to see if you can get some more info on it. Maybe it's a new virus.

Last edited by ZenPirate; 7th Nov 2003 at 06:25 PM.
7th Nov 2003, 06:28 PM   #10
haarg
Banned
Join Date: Apr. 24th, 2002
Location: Over there
Posts: 1,929
RUNDLL32 is used by many things, in your case it is being used by your NVidia driver. Although I'm not sure what exactly that NVidia process does, if you aren't using any of its special functions (multiple desktops, alpha blended windows, etc.) you are probably safe getting rid of it. It normally ran on my computer, but I recently got rid of it and haven't seen any ill effects. On the other hand, it doesn't do anything bad, so there really isn't any reason to remove it.

Also, the third item in that screen shot, VB_run, is something you don't need. The only information I found on it was 'Dubious downloader from densmail.com' and listed it as something you definitely don't need. Also, the name seems like something that is trying to hide itself - it is named very similar to real system components.
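The name tricks seen so far in this thread (rundll31.exe beside the real rundll32.exe, and an entry "named very similar to real system components") can be checked mechanically. The sketch below is an added example, not part of any post: the baseline table, the Windows XP default directories and the sample process paths are constructed assumptions.

```python
import ntpath

# Assumed baseline: a few Windows system binaries and the folder each is
# expected to run from (XP defaults; illustrative, not a complete allowlist).
KNOWN = {
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(image_path, max_distance=1):
    """Return (verdict, matched_system_name) for one process image path."""
    folder, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        # Right name: only trusted when it also runs from the expected folder.
        return ("ok" if folder == KNOWN[name] else "wrong-path", name)
    for real in KNOWN:
        # One character away from a system binary: likely masquerading.
        if edit_distance(name, real) <= max_distance:
            return ("lookalike", real)
    return ("unknown", None)

def triage(paths):
    """Map every path that is not a clean baseline match to its verdict."""
    results = {p: classify(p) for p in paths}
    return {p: v for p, v in results.items() if v[0] != "ok"}

# Constructed sample process list (paths are hypothetical).
SAMPLE = [
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\rundll31.exe",
    r"C:\Documents and Settings\user\explore.exe",
    r"C:\Documents and Settings\user\rundll32.exe",
    r"C:\WINDOWS\system32\mike.scr",
]

if __name__ == "__main__":
    for path, (verdict, match) in triage(SAMPLE).items():
        print(f"{verdict:10} {path} (baseline: {match})")
```

An "unknown" verdict only means the name is outside the baseline; it still needs a manual look.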
7th Nov 2003, 06:39 PM   #11
[IsP]KaRnAgE
Ok, my problem is NOT fixed. I walked away from my PC, I see Mozilla wants to set up a user profile when I come back, I tell it NO. I go to see why the PC is going into this mode when I idle, so I go to display>Screensaver, WHAM! Mozilla tries to contact that website. I check task manager, I now have TWO instances of rundll32.exe running, along with something called "mike.scr". :/
It disconnects me from the internet, and I can't access the screen saver tab at all.
7th Nov 2003, 06:41 PM   #12
namu
Bleh.
Join Date: Dec. 21st, 2000
Location: Dinae Mensa, Tharsis Regio
Posts: 4,226
You might find this thread useful.
__________________
United we stand, divided we run free at last !

We are not at war with Intel. We have never been at war with Intel. -- S. Jobs
7th Nov 2003, 06:44 PM   #13
ZenPirate
Quote:
Originally Posted by namu
You might find this thread useful.

You pimp
7th Nov 2003, 06:45 PM   #14
[IsP]KaRnAgE
Searched mike.scr on Google and I got a Yahoo group page that shows that it was an attachment infected with KLEZH that was spread around. The problem? This wasn't there earlier today. I have a funky feeling something horrible is happening...
7th Nov 2003, 06:55 PM   #15
[IsP]KaRnAgE
Further breaking news.

I ran two virus scans earlier. One found a trojan, the second found nothing. I start running a new scan and suddenly Resident Shield pops up and tells me there is a WORM/Spybot in my documents and settings folder called explore.exe.
Why didn't it detect this before?
Virus scan has caught it... After the scan finishes I'm going to reboot and see what happens... If another virus pops up before I go to bed I know that something fishy is going on...
7th Nov 2003, 07:02 PM   #16
ZenPirate
Unplug the ethernet cable before you go to sleep.
7th Nov 2003, 07:13 PM   #17
[IsP]KaRnAgE
Scanned and healed explore.exe worm. Attempting to access screen saver tab still disconnects me from the internet, MIKE.scr (now in caps, it wasn't before) still pops into the task manager, as does Rundll32.exe, and Mozilla still gets hijacked. I disabled system restore when I scanned. I'm out of ideas now. I searched MIKE.scr on the Symantec site and found nothing.
7th Nov 2003, 07:52 PM   #18
Warm Pudgy
i wanna be a nazi mod like swarthy
Join Date: Feb. 18th, 2001
Posts: 3,045
ok, go to Start>Search
type in mike.scr
then delete whatever it finds, do the same for rundll31

just in case, make a backup of rundll32.exe and use the one I've attached

then reinstall Mozilla, and install Spybot Search and Destroy and install AVG
then do all the updates and scans

then go to Start>Run
type in msconfig
click the Startup tab
uncheck everything
click the Services tab
uncheck the following:
automatic updates, imapi cd-burning com service, internet connection firewall (it's useless), and messenger, or uncheck anything you don't feel you need
[Attached file: rundll32.zip (11.8 KB)]
__________________
Dear RSA,
If my friend masturbates twice and comes both times and wipes it on his hand and then wipes it on his pants, then masturbates with that hand, and then I help him but he doesn’t come ‘cause he has to leave, and then I go inside and wash my hands twice and eat and lick my finger, can I get pregnant?
Anonymous, U.S.

No.
7th Nov 2003, 08:03 PM   #19
Warm Pudgy
also
I have a feeling we'll be getting several new worms shortly
my wormalert@hotmail.com account is getting all kinds of bat files and com files, scr and exe's the past few days
7th Nov 2003, 08:45 PM   #20
ZenPirate
Thank Jeebus I almost never do internet stuff on the Windows box. Linux/Mac for teh intrawebnet, Windows has become my expensive gaming console.
All times are GMT -5. The time now is 08:41 AM.

