Welcome to Vista Forums we are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
| | #1 (permalink) |
| Junior Member | Rundll32.exe strange problem |

Ok, hello again everyone. I recently posted about a problem with explorer.exe here, Explorer.exe being a pain, to which I believed I had found the solution. Well, although I found the cause of the problem and (thought) I had fixed it, it seems like this isn't the end.

Basically, a bit of background first. After stupidly downloading a very suspicious file, the option to open the task manager disappears. After finding a fix to this (thanks to Brink) I realised that explorer would every so often stop responding and restart. This started to happen a lot and eventually I found a .dll file that was causing this. After deleting it I thought that was that.

Now to the matter at hand. The other day explorer was once again being slow, so I looked in the task manager processes and found this (this screenshot was taken just now).

And that's only about a third of the rundll32.exe processes that are running at the moment. So yeah, needless to say, this is bogging down the system and subsequently really getting on my nerves. I've also done about a million virus searches with various different programs, all updated and in safe mode, and although each one has found some sort of virus (off the top of my head I recall TR/vundo and a couple of others) the problem is still there.

Anyway, the file that *seems* to be the problem is this one (this is in the autoruns program).

The file is called 1c1a6320 (just under the PC Tools firewall), but unfortunately the image path is seemingly generated at random each time it activates itself. Every time I delete that file things run smooth for a while, but then sooner or later it comes back with a randomly generated file name. I'm pretty sure the rundll32.exe and this file are connected, I would say I'm about 95% sure. Every time I find a lot of rundll32.exe's running I'm pretty certain that this file will have activated itself.

Argh, my laptop's been playing up ever since I downloaded that one file. I hate myself for downloading such an obviously suspicious file. How can one little file cause so much aggro?

Any help would be appreciated. Won't be able to reply for a while, but I should be able to in the next 3 hours or so.
| | #2 (permalink) |
| Member | Re: Rundll32.exe strange problem |

In the next 3 hours, I'll be sleeping.

Yes, you are infected, and to cure it, deleting a file or 2 is not enough; you have to follow a certain procedure depending on the virus found.

Run HijackThis and attach the log file here ( HijackThis Logfileauswertung ).

Maybe a moderator could transfer this thread to the adequate section.
| | #3 (permalink) |
| Junior Member | Re: Rundll32.exe strange problem |

```
Logfile of HijackThis v1.99.1
Scan saved at 00:44:24, on 02/06/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Program Files\PowerForPhone\PowerForPhone.exe
C:\Windows\ASScrPro.exe
C:\Windows\VMSnap1.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\rundll32.exe (DMEX Edit: Over 200 variations of this program running)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to AOL UK in partnership with talktalk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:
O2 - BHO: (no name) - {240A2128-ACD4-4124-87AF-527124CAAC38} - C:\Windows\system32\vtUlMdaw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BAC0A6E4-796D-4129-B7BA-150D5C446BFB} - C:\Windows\system32\iIBrsPjj.dll
O3 - Toolbar: (no name) - {89175504-FC6D-43A2-BB07-E3247659C95A} - (no file)
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [VMSnap1] C:\Windows\VMSnap1.exe
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUlMdaw.dll,#1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B072C319-4EA9-4552-AA00-F70606A6E0FA}: NameServer = 62.24.252.134 62.24.252.135
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - Unknown owner - C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk (file missing)
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson/ST330/service/st330service.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe owner - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\Windows\system32\UAService7.exe
```

Edited by DMEX: Trimmed log of all known legitimate programs.

Ok, there's a HijackThis log. Since everyone will be asleep at this time (including me now) I might have to bump this in the morning. Night all.

Last edited by dmex; 06-02-2008 at 01:20 PM.
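The log above ties the symptoms together: the same randomly named DLL is registered as a browser helper object (O2) and is started through rundll32.exe from a Run key (O4). The following is an added triage example, not part of any post in this thread and not HijackThis's own code; the function name `triage`, the finding labels and the "unnamed BHO" heuristic are assumptions made for illustration, and the sample lines are copied from the posted log.

```python
import re

# Sample input: the O2/O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {240A2128-ACD4-4124-87AF-527124CAAC38} - C:\Windows\system32\vtUlMdaw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BAC0A6E4-796D-4129-B7BA-150D5C446BFB} - C:\Windows\system32\iIBrsPjj.dll
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [VMSnap1] C:\Windows\VMSnap1.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUlMdaw.dll,#1
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 command line: DLL path, then a comma, then the export name or ordinal.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)

def triage(log_text):
    """Return (kind, identifier, path) tuples for entries worth a closer look."""
    bho_dlls, findings = {}, []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for ln in lines:
        m = BHO_RE.match(ln)
        if not m:
            continue
        if m["path"] == "(no file)":
            # Registry entry left behind after its DLL was deleted.
            findings.append(("orphaned-bho", m["clsid"], m["path"]))
            continue
        bho_dlls[m["path"].lower()] = m["clsid"]
        if m["name"] == "(no name)":
            # Heuristic only: the BHO registered no display name.
            findings.append(("unnamed-bho", m["clsid"], m["path"]))
    for ln in lines:
        m = RUN_RE.match(ln)
        r = m and RUNDLL_RE.search(m["cmd"])
        if r:
            # A DLL that is both autostarted and loaded as a BHO has two
            # persistence points; removing only one lets it come back.
            both = r["dll"].lower() in bho_dlls
            findings.append(("run-rundll32+bho" if both else "run-rundll32", m["value"], r["dll"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
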
| | #4 (permalink) |
| ɠɛɐǨ | Re: Rundll32.exe strange problem |

Hey Chip,

You can use both http://www.safer-networking.org/ and Ad-Aware @ Lavasoft - The Original Anti-Spyware Company - Lavasoft to remove all the spyware.

You might want to check the Forum Rules too. Bumping posts results in the thread getting deleted, so just post a question instead of just a "bump".

Steven