rundll32.exe malware generator, how do I kill it?

Over the last few months my computer has had lots of problems, I attributed them to age as I was unable to detect any malware…until now. I’m going to post the symptoms here so that others who have these problems can find this post and hopefully it can help them.

It started with GPU crashes…all the time. I would be playing a game and suddenly…pow 640x480 8bit. I also noticed a general degradation in performance. The next thing I noticed was that from time to time there would be not one but four listings of the rundll32.exe (all of them originating from \system32) and occasionally I would have trouble with my internet, getting constant internal connection errors, essentially an internal DDOS attack. This would continue until either I restarted my computer or I ended a mysterious program that would pop up sometimes called ~tmf********** (where stars indicate a random string of numbers), all the while avast would not pop up and I couldn’t find anything doing manual scans. Eventually one of the four rundll32.exe’s started being the culprit for the internet connection errors but there was no way of knowing for sure which one and so I would just reboot at every occasion, watching and waiting…sometimes searching and finding others had problems but nowhere could I find a solution.

Until today…this morning I restarted my computer as it was having problems again and upon boot Avast notified me that rundll32.exe was a “malware generator”. Avast had caught it trying to run three different dll’s from \application data…rujyiko.dll, homkido.dll and rosighm.dll. True to it’s name those dll’s didn’t infact exist as when Avast terminated the process it also terminated their existance.

Now, my question is, how do I squash this? It’s located in my \system32 folder meaning that it is still needed for my computer to boot so simply removing it is out of the question, what am I to do?

Thank you in advance :slight_smile:

See the logs guide above your post. http://forum.avast.com/index.php?topic=53253.0
Run first 4 programs and attach logs, when done removal experts will be notified and help you

Unfortunately Malwarebytes caused a reboot, my computer has always been pernickety about what it will run but here’s the other 3

and here’s the last one…something to note, Avast seems to have put a stop to rundll32.exe’s suspicious activity, there’s now only one listed under taskmanager…however it’s still the same infected rundll32.exe in my \system32 so it may happen all over again

Is this a legitimate copy of windows ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a3rvgqk7)
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10005
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\..\SearchScopes\{2913FFDB-530A-4C30-A33D-A6B0B2A4548D}: "URL" = http://www.mysearchresults.com/search?&c=4001&t=10&q={searchTerms}
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={38A6E2D7-7166-4192-BCF5-10C87E645230}&mid=c52d8a10a9b447df83d6d15659293b07-43f9c4a7fd96ddf8547483217013a05e61f2b6eb&lang=en&ds=AVG&pr=fr&d=2002-06-04 04:24:34&v=11.0.0.9&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3198785
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6PQCLB3fdM&i=26
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=3.1010000.10005
IE - HKU\S-1-5-21-796845957-484763869-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 187.63.15.61:3128
O3 - HKU\S-1-5-21-796845957-484763869-682003330-500\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: gost = C:\Documents and Settings\Administrator\Application Data\bot.exe
[2012/07/29 21:19:59 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\H@tKeysH@@k.DLL

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Run AdwCleaner select scan then once it has completed select Clean

Indeed it is, installed off an official WinXP Proffessional disc, of course I did little tidbits to it here and there such as allowing 3rd party themes but the original base is legitimate.
I did everything suggested but rundll32.exe is still rogue, thankfully dormant but still worrying

Why do you think run32.dll is a rogue file ?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Well there’s a couple of reasons I think it’s infected

http://thumbnails103.imagebam.com/27209/cb6819272082720.jpg

In this image you can see that it has a different icon, not only that but it’s size is almost half what it used to be…then there’s it’s behavior…of course it might just have been used by another program, whatever it was it seems to have stopped for now. Is running Combofix a good idea, I used it way back to get rid of a particularly nasty trojan from a mates computer but rundll32 is required to boot, so if it is infected and Combofix “cleans” my system couldn’t that cause problems?

-Edit- Yes I know there is a little warning thingy on my toolbar :slight_smile:

Combofix will try to replace any system infected file, if it cannot do that it will then do nothing to the file and leave a note in the log for me to do a manual fix

Hmmm , it didn’t even try to touch rundll32, it did however remove rundll…ya know what, it’s not misbehaving…I’m left having to assume that it was either being used and avast quarentined the culprit or it’s just dormant for now, either way I think I’m going to let it go until it starts up again, I shall post the log here anyway…strangely windows seems to think I have AVG installed (I don’t)
Thank you for all your help :slight_smile:

The legitimate file is called rundll32 so CF did remove the bad version

How is the computer behaving now /

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Registry:: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\docume~1\ADMINI~1\LOCALS~1\Temp\~tmf5904701207093653827.tmp"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

It is behaving as expected, it hasn’t internally DDOSed itself since avast labeled rundll32 as malware, equally that file hasn’t changed, after what you said I think perhaps rundll had something to do with it :smiley:

Avast has the capability of repairing files but not all

If all is well I will tidy up and remove my tools

It seems to be okay, if anything crops up again I have it all stored safely on my desktop, thanks again :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[
]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: