
[Virus] Rundll32.exe Rundll31.exe infection?

Discussion in 'Off Topic' started by [IsP]KaRnAgE, Nov 7, 2003.

  1. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    I turn on my PC, mozilla opens, and tries to contact what appears to be a porn site. I can't log onto the internet unless I turn off the two Rundll things in the Taskmanager. Then mozilla stops being "possessed". Now aren't the Rundlls system files? Wouldn't they be flagged as "system" in the manager? They are flagged as "home" now. The problem also ceases when I disable them. I'm sure I've heard of a virus that "hijacks" rundll32.exe but I'm not sure. Unfortunately, I'm not the only one who uses this PC, so I have NO clue what was done. I don't know where to start looking, or what I'm looking for. Spyware scan turns up nothing special. Deleting them doesn't solve the problem. Virus scans turned up a java/class loader, but healing that solved nothing it seems. I'm totally clueless right now.
     
  2. [UM]theswarm

    [UM]theswarm Spork of the Apocalypse!

    Joined:
    Sep 30, 2001
    Messages:
    1,058
    Likes Received:
    0
    AFAIK RunDll31.exe isn't a real file, maybe delete RunDll31.exe and see if you can get a new RunDll32.exe file from someone with the same OS as you?
     
  3. Fluid

    Fluid Zen fascists will control you

    Joined:
    Aug 2, 2000
    Messages:
    2,766
    Likes Received:
    0
    There is no such thing as rundll31.exe. :con:
     
  4. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    I had it in my taskmanager, that is why I mentioned it :eek: It could be the sole source of the problem. I just didn't want to run around deleting files not really knowing what they were.
     
  5. OO7MIKE

    OO7MIKE Mr. Sexy

    Joined:
    May 2, 2000
    Messages:
    4,935
    Likes Received:
    0
    I take it you have tried Adaware, Spybot, and HijackThis?
    Rundll32 is a system file. Rundll31 is not.
    Run Adaware, Spybot, and of course a virus scanner.
     
  6. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    I just ran Hijack This and found some things:

    Notice the red underlined things. The rundll32 thing is probably harmless. But I assume it's OK to delete/fix those other entries?
     

    Last edited: Nov 7, 2003
  7. ZenPirate

    ZenPirate Living Legend (and moderator)

    Joined:
    Nov 21, 2000
    Messages:
    7,514
    Likes Received:
    3
    If it helps, here is my task manager... I have no dll32-31 running at all. Win XP Pro
     

  8. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    Hmmm. Well I deleted dll31. Mozilla is no longer possessed on start up. (Thanks to Hijack.) However, Rundll32 is still running in my task manager. :eek:
     
  9. ZenPirate

    ZenPirate Living Legend (and moderator)

    Joined:
    Nov 21, 2000
    Messages:
    7,514
    Likes Received:
    3
    Good luck. I'd keep a real close eye on the task manager, and maybe log your net traffic for awhile, just to verify "stuff" isn't still on there.

    *edit* Google searching turned up nothing on the "31" file. You may want to report it to Norton, AVG, or whoever to see if you can get some more info on it. Maybe it's a new virus.
     
    Last edited: Nov 7, 2003
  10. haarg

    haarg PC blowticious

    Joined:
    Apr 24, 2002
    Messages:
    1,928
    Likes Received:
    0
    RUNDLL32 is used by many things, in your case it is being used by your NVidia driver. Although I'm not sure what exactly that NVidia process does, if you aren't using any of its special functions (multiple desktops, alpha blended windows, etc.) you are probably safe getting rid of it. It normally ran on my computer, but I recently got rid of it and haven't seen any ill effects. On the other hand, it doesn't do anything bad, so there really isn't any reason to remove it.

    Also, the third item in that screen shot, VB_run, is something you don't need. The only information I found on it was 'Dubious downloader from densmail.com' and listed it as something you definitely don't need. Also, the name seems like something that is trying to hide itself - it is named very similarly to real system components.
     
  11. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    Ok, my problem is NOT fixed. I walked away from my PC, I see Mozilla wants to set up a user profile when I come back, I tell it NO. I go to see why the PC is going into this mode when I idle, so I go to Display>Screensaver, WHAM! Mozilla tries to contact that website. I check task manager, I now have TWO instances of rundll32.exe running, along with something called "mike.scr". :/
    It disconnects me from the internet, and I can't access the screen saver tab at all. :( :(
     
  12. namu

    namu Bleh.

    Joined:
    Dec 21, 2000
    Messages:
    4,411
    Likes Received:
    1
  13. ZenPirate

    ZenPirate Living Legend (and moderator)

    Joined:
    Nov 21, 2000
    Messages:
    7,514
    Likes Received:
    3

    You pimp :D
     
  14. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    Searched mike.scr on Google and I got a Yahoo group page that shows that it was an attachment infected with KLEZH that was spread around. :hmm: The problem? This wasn't there earlier today. I have a funky feeling something horrible is happening...
     
  15. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    Further breaking news.

    I ran two virus scans earlier. One found a trojan, the second found nothing. I start running a new scan and suddenly Resident shield pops up and tells me there is a WORM/Spybot in my documents and settings folder called explore.exe
    Why didn't it detect this before?
    Virus scan has caught it... After the scan finishes I'm going to reboot and see what happens... If another virus pops up before I go to bed I know that something fishy is going on...
     
  16. ZenPirate

    ZenPirate Living Legend (and moderator)

    Joined:
    Nov 21, 2000
    Messages:
    7,514
    Likes Received:
    3
    Unplug the ethernet cable before you go to sleep.
     
  17. [IsP]KaRnAgE

    [IsP]KaRnAgE You Can Be My Wingman

    Joined:
    Jul 24, 2001
    Messages:
    2,806
    Likes Received:
    0
    Scanned and healed explore.exe worm. Attempting to access screen saver tab still disconnects me from the internet, MIKE.scr (now in caps, it wasn't before) still pops into the task manager, as does Rundll32.exe and Mozilla still gets hijacked. I disabled system restore when I scanned. I'm out of ideas now. I searched MIKE.scr on the Symantec site and found nothing.
     
  18. Warm Pudgy

    Warm Pudgy i wanna be a nazi mod like swarthy

    Joined:
    Feb 18, 2001
    Messages:
    3,045
    Likes Received:
    0
    ok go to start>search
    type in mike.scr
    then delete whatever it finds, do the same for rundll31

    just in case make a backup of rundll32.exe and use the one I've attached

    then reinstall Mozilla, and install Spybot Search and Destroy and install AVG
    then do all the updates and scans

    then go to start>run
    type in msconfig
    click the start up tab
    uncheck everything
    click the services tab
    uncheck the following:
    automatic updates, imapi cd-burning com service, internet connection firewall (it's useless), and messenger, or uncheck anything you don't feel you need
     

  19. Warm Pudgy

    Warm Pudgy i wanna be a nazi mod like swarthy

    Joined:
    Feb 18, 2001
    Messages:
    3,045
    Likes Received:
    0
    also
    I have a feeling we'll be getting several new worms shortly
    my wormalert@hotmail.com account is getting all kinds of bat files and com files scr and exe's the past few days
     
  20. ZenPirate

    ZenPirate Living Legend (and moderator)

    Joined:
    Nov 21, 2000
    Messages:
    7,514
    Likes Received:
    3
    Thank Jeebus I almost never do internet stuff on the Windows box. Linux/Mac for teh intrawebnet, Windows has become my expensive gaming console.
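
Added example, not code from any poster in this thread: a small triage check for the pattern the thread keeps running into, where a process is named almost like a Windows system binary (rundll31.exe next to rundll32.exe, explore.exe next to explorer.exe) or carries the real name but runs from the wrong folder. The `KNOWN` baseline, the `triage` function and every path in `SAMPLE` are assumptions constructed for illustration; only the file names come from the posts.

```python
import ntpath

# Assumed baseline (not from the thread): expected folder for a few Windows binaries.
KNOWN = {
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(image_path, max_distance=2):
    """Classify one process image path as ok, wrong-path, lookalike or unknown."""
    folder, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        # Right name: only trusted when it runs from the expected folder.
        return "ok" if folder == KNOWN[name] else "wrong-path"
    for real in KNOWN:
        # Near miss of a system name (rundll31 vs rundll32, explore vs explorer).
        if edit_distance(name, real) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed process list; only the file names come from the thread.
SAMPLE = [
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\rundll31.exe",
    r"C:\Documents and Settings\user\explore.exe",
    r"C:\Documents and Settings\user\rundll32.exe",
    r"C:\Program Files\Mozilla\mozilla.exe",
]

def run_sample():
    return [(ntpath.basename(p), triage(p)) for p in SAMPLE]

if __name__ == "__main__":
    for name, verdict in run_sample():
        print(f"{verdict:10} {name}")
```

An "unknown" verdict only means the name is not in the baseline; it says nothing about whether the file is safe.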
     
