help with spyware/virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chopinpl, Jul 15, 2004.

  1. chopinpl

    chopinpl Private E-2

    This is my problem. I have something that infected my rundll32.exe and winlogon.exe files. I know that because they both try to connect to a website look2me.com or something like that; luckily my firewall is able to detect it and I can block them. Now, I used almost all virus scanners available, including the web based ones, and none of them found anything wrong. Programs like ad-aware and spybot killer find .dll files related (I assume) to this damn thing, but nothing else. The programs aren't able to delete those .dll files unless I kill the rundll32.exe process. The thing is after a reboot the .dll files are back plus more with more or changed names. I tried replacing rundll32.exe with a clean copy, but once again after a reboot the infected file is back (I can tell by the file size). I changed winlogon.exe, but it screwed up my logon so I had to put it back... Well, what the hell is it? I'm not too worried since they can't get past my FW, plus I'm planning to reinstall windows as soon as SP2 comes out. I'm just curious though, that's all... thanks

    my specs:

    WinXP Prof. SP1 plus all the patches
    AMD 2700+
    Asus mobo
    512mb DDR
    WD 80gig HD
    Virus scanners: Norton 2005 beta, Kaspersky, Panda etc... got them all.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Sounds like you could try Kill2me first:
    http://www.majorgeeks.com/download4166.html

    Why first?

    Because those files you named are system files. I'm concerned your pc will not run without those files, unless they are not in their proper directory, in other words they were placed somewhere else for another purpose.

    Rundll32.exe and winlogon.exe should be in C:\WINDOWS\system32 and C:\WINDOWS\ServicePackFiles\i386

    If this is the exact filename and where they are, your machine will probably not restart if deleted. If they are in different folders or names, it *should* be ok, but check in first.

    I would verify the names if kill2me does not work, go to safe mode, possibly try Ad-Aware or a virus scanner. Avoid deleting them if the names you gave are correct. If the names are different check your startup for these being loaded.
     
  3. chopinpl

    chopinpl Private E-2

    They are where they're supposed to be. Windows\system32 and the service pack folders, plus in the dllcache folder in windows\system32. Now, I already replaced the files once. Rundll32.exe keeps on coming back as the infected file, I can tell by the file size. Winlogon.exe, when I replaced that one, the PC wouldn't boot, so I put the old one back. The files don't load through registry, win.ini or startup folder. Winlogon is a service so I can't disable that. Ad-aware or any of the virus scanners I used picked up what it is. I'll try the program you mentioned and we'll see how it goes... thanks
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, then you know, do not delete or replace them. As I tell people often, you can have better luck by booting into safe mode without networking support (Reboot and tap f8 before the Windows splash screen) and having system restore disabled just to protect yourself from having it come right back.

    Hope Kill2me gets it, report back and we can try other things if not.
     
  5. chopinpl

    chopinpl Private E-2

    Well, no luck. Kill2me hasn't found anything wrong with my comp. Meanwhile this little bug lives on. This is really getting annoying. I checked the .dll dependencies by doing tasklist /m at the command prompt. I see the .dll files that the rundll32.exe needs to run, close the program, delete the files, but they come back under a different name. What is causing that? How is rundll32.exe being loaded? Anyway, I'll try one more thing, if any of you have some thoughts, let me know.
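Two checks a defender can script for the situation in the posts above, as an added example (this is not code from the thread or from any MajorGeeks tool). First, the poster judges whether rundll32.exe is clean by file size; hashing the copies Windows keeps in the folders the thread names (system32, system32\dllcache, ServicePackFiles\i386) catches a same-size modification. Second, the poster reads `tasklist /m` by eye and sees DLLs reappear under new names after a reboot; parsing two captures of that output and diffing them per process makes added and removed modules explicit. The `tasklist /m` text and the DLL names below are constructed placeholders, not real indicators, and the file copies are stand-ins written to a temporary directory.

```python
"""Added example: hash-compare system file copies and diff `tasklist /m`
snapshots. Standard library only; all sample data is constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set


def sha256_of(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(paths: List[str]) -> Dict[str, str]:
    """Map each path to its digest ('MISSING' if absent)."""
    return {p: sha256_of(p) if os.path.isfile(p) else "MISSING" for p in paths}


def copies_agree(digests: Dict[str, str]) -> bool:
    """True only if every copy exists and all digests are identical."""
    values = set(digests.values())
    return "MISSING" not in values and len(values) == 1


def demo_compare_copies(tamper: bool) -> bool:
    """Write three stand-ins for the copies of rundll32.exe (constructed data)
    and report whether they agree. With tamper=True one copy differs by a
    single byte but keeps the same size, which a size check would miss."""
    good = b"clean-file-contents-0001"
    bad = b"clean-file-contents-0002" if tamper else good
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for folder, data in (("system32", good), ("dllcache", good),
                             ("ServicePackFiles", bad)):
            p = os.path.join(d, folder + "_rundll32.exe")  # placeholder layout
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        return copies_agree(compare_copies(paths))


# One process line of `tasklist /m`: image name, PID, then the module list.
_PROCESS_RE = re.compile(r"^(.*?)\s+(\d+)\s+(.*)$")


def _split_modules(field: str) -> Set[str]:
    """Split a comma-separated module field; 'N/A' means no modules listed."""
    return {m.strip().lower() for m in field.split(",")
            if m.strip() and m.strip() != "N/A"}


def parse_tasklist_modules(text: str) -> Dict[str, Set[str]]:
    """Parse `tasklist /m` output into {image name: set of module names}.
    Indented lines continue the previous process's module list. Processes
    sharing an image name are merged, since PIDs change across reboots."""
    modules: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank, column header, or separator row
        if line[0].isspace():
            if current is not None:
                modules[current].update(_split_modules(line))
            continue
        m = _PROCESS_RE.match(line)
        if not m:
            continue
        image, _pid, mods = m.groups()
        current = image.strip().lower()
        modules.setdefault(current, set()).update(_split_modules(mods))
    return modules


def diff_module_snapshots(before: str, after: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per process in either capture, report modules added and removed."""
    a, b = parse_tasklist_modules(before), parse_tasklist_modules(after)
    report = {}
    for image in sorted(set(a) | set(b)):
        added = b.get(image, set()) - a.get(image, set())
        removed = a.get(image, set()) - b.get(image, set())
        if added or removed:
            report[image] = {"added": added, "removed": removed}
    return report


# Constructed captures in the `tasklist /m` layout; DLL names are placeholders.
SNAPSHOT_BEFORE = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
rundll32.exe                  1234 ntdll.dll, kernel32.dll, user32.dll,
                                   placeholder_a.dll
"""
SNAPSHOT_AFTER = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
rundll32.exe                  1508 ntdll.dll, kernel32.dll, user32.dll,
                                   placeholder_b.dll, placeholder_c.dll
"""

if __name__ == "__main__":
    print("copies agree (untampered):", demo_compare_copies(tamper=False))
    print("copies agree (one altered):", demo_compare_copies(tamper=True))
    for image, change in diff_module_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(image, "added:", sorted(change["added"]),
              "removed:", sorted(change["removed"]))
```

On a real machine, capture `tasklist /m > before.txt` before the reboot and `tasklist /m > after.txt` afterwards, then feed both files to `diff_module_snapshots`; the modules that show up as added for rundll32.exe are the renamed files the poster is chasing, and their names can be fed to the scanners in safe mode.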
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    RUNDLL32.EXE is a system process that the system will run unless being loaded from a different path (as Major already said).

    Make sure your Ad-aware is on the current reference files recently updated.
    Read this info on how to do a fullscan: http://www.lavahelp.com/howto/fullscan/index.html
    Download & install the VX2 Cleaner Plugin for Ad-aware: http://www.majorgeeks.com/download4283.html
    Information on installing and running the plugin is on the link too. Read it but don't run yet.

    Boot to safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Run the VX2 Cleaner Plugin for Ad-aware
    Run Ad-aware in fullscan mode.

    Reboot normal. If still having a problem, download HijackThis from here: http://www.majorgeeks.com/download3155.html
    and post a complete log (shutdown IE before running).
     
