Velocity Reviews - Computer Hardware Reviews

rundll32 & adware

Jim Watt
12-03-2004
I have a couple of machines that pop up IE with adverts from nowhere;

There is nothing suspicious run from the registry etc, and spybot
finds nothing.

There is a process running with rundll32 shown, but no idea what
DLL its running.

Any suggestions on how to exorcise this ill ?

OS is windows/98
--
Jim Watt
http://www.gibnet.com
David H. Lipman
12-03-2004
Jim:

What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?

Dave




"Jim Watt" <(E-Mail Removed)_way> wrote in message
news:(E-Mail Removed)...
| I have a couple of machines that pop up IE with adverts from nowhere;
|
| There is nothing suspicious run from the registry etc, and spybot
| finds nothing.
|
| There is a process running with rundll32 shown, but no idea what
| DLL its running.
|
| Any suggestions on how to exorcise this ill ?
|
| OS is windows/98
| --
| Jim Watt
| http://www.gibnet.com

Jim Watt
12-03-2004
On Fri, 03 Dec 2004 22:18:26 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Jim:
>
>What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?
>
>Dave


Nothing and yes.


--
Jim Watt
http://www.gibnet.com
David H. Lipman
12-03-2004
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example: lpt281.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) Reboot your PC into Safe Mode
4) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
5) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware in Normal Mode


* * * Please report back your results * * *

Dave



"Jim Watt" <(E-Mail Removed)_way> wrote in message
news:(E-Mail Removed)...
| On Fri, 03 Dec 2004 22:18:26 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >Jim:
| >
| >What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?
| >
| >Dave
|
| Nothing and yes.
|
|
| --
| Jim Watt
| http://www.gibnet.com

Jim Watt
12-04-2004
On Fri, 03 Dec 2004 23:33:06 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

<snip>

Will have a go at that next week and see;

What worries me is how this thing is getting into memory as have
checked the usual methods and however its initiated is a new one
on me ...

--
Jim Watt
http://www.gibnet.com
David Postill
12-04-2004
In article <(E-Mail Removed)>, on Fri, 03 Dec 2004 20:54:41 +0100, Jim
Watt <(E-Mail Removed)_way> wrote:

| I have a couple of machines that pop up IE with adverts from nowhere;
|
| There is nothing suspicious run from the registry etc, and spybot
| finds nothing.
|
| There is a process running with rundll32 shown, but no idea what
| DLL its running.
|
| Any suggestions on how to exorcise this ill ?
|
| OS is windows/98

Have you run process explorer?

<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>:

"Process Explorer shows you information about which handles and DLLs processes have opened or
loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the
currently active processes, including the names of their owning accounts, whereas the information
displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle
mode you’ll see the handles that the process selected in the top window has opened; if Process
Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded.
Process Explorer also has a powerful search capability that will quickly show you which processes
have particular handles opened or DLLs loaded."

<davidp />

--
David Postill
Jim Watt
12-04-2004
On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <(E-Mail Removed)>
wrote:

>Have you run process explorer?


No, but I will - did look for something like that, but only found
it for NT+ systems

What worries me is how the thing is getting executed. That
should help. I suspect its linked to 'cool web products'
crapware. There was a lot of that. I hate the trend that it
pleads with you not to install it and demands reasons.

--
Jim Watt
http://www.gibnet.com
David Postill
12-04-2004
In article <(E-Mail Removed)>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
Watt <(E-Mail Removed)_way> wrote:

| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <(E-Mail Removed)>
| wrote:
|
| >Have you run process explorer?
|
| No, but I will - did look for something like that, but only found
| it for NT+ systems
|
| What worries me is how the thing is getting executed. That
| should help. I suspect its linked to 'cool web products'
| crapware. There was a lot of that. I hate the trend that it
| pleads with you not to install it and demands reasons.

<http://www.spywareinfo.com/~merijn/cwschronicles.html>

HTH and good luck

<davidp />

--
David Postill
Ralph A. Jones
12-04-2004
>>I hate the trend that it pleads with you not to install it and
demands reasons.<<

Assume you meant "not to [un]install". My current litmus test for
crapware -- if it starts demanding reasons for uninstalling, it's
crapware. Try using the Windows Add/Remove routine for removing "The
Bulls Eye Network" -- can't be done. And many of these browser
hijackers insert themselves into your restore points, so they'll be back.

Microsoft needs to take note and fix Add/Remove to not allow custom code
to fire, and to just allow a single, "Are you sure you want to remove
this program? Yes/No." Period. The custom code is a plain menace.
And I have only encountered it with crapware, never with legitimate
programs.

If you bill by the hour, sometimes it is more cost effective to simply
re-format and re-install the OS and software than to take the time to
hunt down all the adware/spyware and its variants and to attempt to
[unreliably] exorcise a system.

A donation to Spybot Search & Destroy is well worth it.



Jim Watt wrote:
> On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <(E-Mail Removed)>
> wrote:
>
>
>>Have you run process explorer?

>
>
> No, but I will - did look for something like that, but only found
> it for NT+ systems
>
> What worries me is how the thing is getting executed. That
> should help. I suspect its linked to 'cool web products'
> crapware. There was a lot of that. I hate the trend that it
> pleads with you not to install it and demands reasons.
>
> --
> Jim Watt
> http://www.gibnet.com

Jim Watt
12-04-2004
On Sat, 04 Dec 2004 15:19:41 GMT, David Postill <(E-Mail Removed)>
wrote:

>In article <(E-Mail Removed)>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
>Watt <(E-Mail Removed)_way> wrote:
>
>| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <(E-Mail Removed)>
>| wrote:
>|
>| >Have you run process explorer?


OK by chance I went to the clients office today for something else
so ran process explorer. It showed that the .dll was
invu9_32.dll which does not get a hit on google.

The dll is in c:/windows/system and is flagged as +SR
so did not show on explorer.

I renamed it in DOS mode and the popups have stopped.

If anyone is interested in looking at it further to determine its
origin, its zipped up as

http://www.gibnet.com/security/crapware.zip

Uh yes I did mean programs pleading not to be UNinstalled.

I still do not understand quite how this gets run, but its
currently disabled.

Thanks for the good advice so far in the process.
--
Jim Watt
http://www.gibnet.com
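The triage the thread arrives at by hand (find which DLL a rundll32 process is running, then notice the file was hidden by System/Hidden attributes) can be scripted on a modern Windows machine. The following PowerShell is an added example, not code from the thread: it lists every rundll32.exe process, the DLL named on its command line, and any loaded module that is hidden+system or lacks a valid Authenticode signature. The function name Get-RundllModuleReport is chosen here; it assumes a Windows 8 or later host so that catalog-signed system DLLs report as Valid.

```powershell
# Added example (not from the thread): for each running rundll32.exe, report the DLL
# named on its command line and every loaded module that is hidden+system or lacks a
# valid Authenticode signature. Get-RundllModuleReport is a name chosen for this example.
function Get-RundllModuleReport {
    $report = @()
    $rundlls = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
    foreach ($proc in $rundlls) {
        # rundll32 is invoked as: rundll32.exe <dll>,<entrypoint> [args]
        # The DLL argument is taken from the command line (simplified: stops at the first comma).
        $dllArg = $null
        if ($proc.CommandLine -match 'rundll32(\.exe)?"?\s+"?([^",]+)') { $dllArg = $Matches[2] }

        $modules = @()
        try {
            $modules = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules
        } catch {
            # Module list is unavailable for processes this session cannot open (e.g. elevated ones)
        }
        foreach ($m in $modules) {
            # -Force is needed so hidden/system files (the +SR case in the thread) are returned
            $file = Get-Item -LiteralPath $m.FileName -Force -ErrorAction SilentlyContinue
            if (-not $file) { continue }
            $hidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            $system = [bool]($file.Attributes -band [IO.FileAttributes]::System)
            $sig    = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
            if (($hidden -and $system) -or $sig -ne 'Valid') {
                $report += [pscustomobject]@{
                    PID            = $proc.ProcessId
                    CommandLineDll = $dllArg
                    Module         = $file.FullName
                    HiddenSystem   = ($hidden -and $system)
                    Signature      = $sig
                }
            }
        }
    }
    return $report
}

Get-RundllModuleReport | Sort-Object PID, Module | Format-Table -AutoSize
```

Run it from an elevated session to see modules of every rundll32 instance; a NotSigned or hidden+system entry is a lead to investigate, not a verdict, since some legitimate software ships unsigned DLLs.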