rundll32 & adware

Discussion in 'Computer Security' started by Jim Watt, Dec 3, 2004.

  1. Jim Watt

    Jim Watt Guest

    I have a couple of machines that pop up IE with adverts from nowhere;

    There is nothing suspicious run from the registry etc, and spybot
    finds nothing.

    There is a process running with rundll32 shown, but no idea what
    DLL it's running.

    Any suggestions on how to exorcise this ill ?

    OS is windows/98
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 3, 2004
    #1

  2. Jim:

    What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?

    Dave




    "Jim Watt" <_way> wrote in message
    news:...
    | I have a couple of machines that pop up IE with adverts from nowhere;
    |
    | There is nothing suspicious run from the registry etc, and spybot
    | finds nothing.
    |
    | There is a process running with rundll32 shown, but no idea what
    | DLL it's running.
    |
    | Any suggestions on how to exorcise this ill ?
    |
    | OS is windows/98
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 3, 2004
    #2

  3. Jim Watt

    Jim Watt Guest

    On Fri, 03 Dec 2004 22:18:26 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >Jim:
    >
    >What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?
    >
    >Dave


    Nothing and yes.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 3, 2004
    #3
  4. 1) Download the following three items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Adaware SE (free personal version v1.05)
    http://www.lavasoftusa.com/

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download SYSCLEAN.COM and place it in that directory.
    Download the Trend Pattern File by obtaining the ZIP file.
    For example; lpt281.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    SYSCLEAN.COM.

    2) Update Adaware with the latest definitions.
    3) Reboot your PC into Safe Mode
    4) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
    platform and clean/delete any infectors/parasites found.
    (a few cycles may be needed)
    5) Restart your PC and perform a "final" Full Scan of your platform using both the
    Trend Sysclean utility and Adaware in Normal Mode


    * * * Please report back your results * * *

    Dave



    "Jim Watt" <_way> wrote in message
    news:...
    | On Fri, 03 Dec 2004 22:18:26 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> wrote:
    |
    | >Jim:
    | >
    | >What have you used to scan the PC besides SpyBot and have you done so in Safe Mode ?
    | >
    | >Dave
    |
    | Nothing and yes.
    |
    |
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 3, 2004
    #4
  5. Jim Watt

    Jim Watt Guest

    On Fri, 03 Dec 2004 23:33:06 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    <snip>

    Will have a go at that next week and see;

    What worries me is how this thing is getting into memory as have
    checked the usual methods and however it's initiated is a new one
    on me ...

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 4, 2004
    #5
  6. In article <>, on Fri, 03 Dec 2004 20:54:41 +0100, Jim
    Watt <_way> wrote:

    | I have a couple of machines that pop up IE with adverts from nowhere;
    |
    | There is nothing suspicious run from the registry etc, and spybot
    | finds nothing.
    |
    | There is a process running with rundll32 shown, but no idea what
    | DLL it's running.
    |
    | Any suggestions on how to exorcise this ill ?
    |
    | OS is windows/98

    Have you run process explorer?

    <http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>:

    "Process Explorer shows you information about which handles and DLLs processes have opened or
    loaded.

    The Process Explorer display consists of two sub-windows. The top window always shows a list of the
    currently active processes, including the names of their owning accounts, whereas the information
    displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle
    mode you’ll see the handles that the process selected in the top window has opened; if Process
    Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded.
    Process Explorer also has a powerful search capability that will quickly show you which processes
    have particular handles opened or DLLs loaded."

    <davidp />

    --
    David Postill
     
    David Postill, Dec 4, 2004
    #6
  7. Jim Watt

    Jim Watt Guest

    On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    wrote:

    >Have you run process explorer?


    No, but I will - did look for something like that, but only found
    it for NT+ systems

    What worries me is how the thing is getting executed. That
    should help. I suspect it's linked to 'cool web products'
    crapware. There was a lot of that. I hate the trend that it
    pleads with you not to install it and demands reasons.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 4, 2004
    #7
  8. In article <>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
    Watt <_way> wrote:

    | On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    | wrote:
    |
    | >Have you run process explorer?
    |
    | No, but I will - did look for something like that, but only found
    | it for NT+ systems
    |
    | What worries me is how the thing is getting executed. That
    | should help. I suspect it's linked to 'cool web products'
    | crapware. There was a lot of that. I hate the trend that it
    | pleads with you not to install it and demands reasons.

    <http://www.spywareinfo.com/~merijn/cwschronicles.html>

    HTH and good luck

    <davidp />

    --
    David Postill
     
    David Postill, Dec 4, 2004
    #8
  9. >>I hate the trend that it pleads with you not to install it and
    demands reasons.<<

    Assume you meant "not to [un]install". My current litmus test for
    crapware -- if it starts demanding reasons for uninstalling, it's
    crapware. Try using the Windows Add/Remove routine for removing "The
    Bulls Eye Network" -- can't be done. And many of these browser
    hijackers insert themselves into your restore points, so they'll be back.

    Microsoft needs to take note and fix Add/Remove to not allow custom code
    to fire, and to just allow a single, "Are you sure you want to remove
    this program? Yes/No." Period. The custom code is a plain menace.
    And I have only encountered it with crapware, never with legitimate
    programs.

    If you bill by the hour, sometimes it is more cost effective to simply
    re-format and re-install the OS and software than to take the time to
    hunt down all the adware/spyware and its variants and to attempt to
    [unreliably] exorcise a system.

    A donation to Spybot Search & Destroy is well worth it.



    Jim Watt wrote:
    > On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    > wrote:
    >
    >
    >>Have you run process explorer?

    >
    >
    > No, but I will - did look for something like that, but only found
    > it for NT+ systems
    >
    > What worries me is how the thing is getting executed. That
    > should help. I suspect it's linked to 'cool web products'
    > crapware. There was a lot of that. I hate the trend that it
    > pleads with you not to install it and demands reasons.
    >
    > --
    > Jim Watt
    > http://www.gibnet.com
     
    Ralph A. Jones, Dec 4, 2004
    #9
  10. Jim Watt

    Jim Watt Guest

    On Sat, 04 Dec 2004 15:19:41 GMT, David Postill <>
    wrote:

    >In article <>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
    >Watt <_way> wrote:
    >
    >| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    >| wrote:
    >|
    >| >Have you run process explorer?


    OK by chance I went to the clients office today for something else
    so ran process explorer. It showed that the .dll was
    invu9_32.dll which does not get a hit on google.

    The dll is in c:/windows/system and is flagged as +SR
    so did not show on explorer.

    I renamed it in DOS mode and the popups have stopped.

    If anyone is interested in looking at it further to determine its
    origin, it's zipped up as

    http://www.gibnet.com/security/crapware.zip

    Uh yes I did mean programs pleading not to be UNinstalled.

    I still do not understand quite how this gets run, but it's
    currently disabled.

    Thanks for the good advice so far in the process.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 4, 2004
    #10
  11. Cute name; I N V U 9 :)

    Here's what "invu9_32.dll" is recognized as...

    eTrust-Vet 11.7.0.0 12.03.2004 Win32.Startpage.KF
    Kaspersky 4.0.2.24 12.04.2004 not-a-virus:AdWare.Look2Me.r
    Sybari 7.5.1314 12.04.2004 Win32.Startpage.KF

    Dave



    "Jim Watt" <_way> wrote in message
    news:...
    | On Sat, 04 Dec 2004 15:19:41 GMT, David Postill <>
    | wrote:
    |
    | >In article <>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
    | >Watt <_way> wrote:
    | >
    | >| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    | >| wrote:
    | >|
    | >| >Have you run process explorer?
    |
    | OK by chance I went to the clients office today for something else
    | so ran process explorer. It showed that the .dll was
    | invu9_32.dll which does not get a hit on google.
    |
    | The dll is in c:/windows/system and is flagged as +SR
    | so did not show on explorer.
    |
    | I renamed it in DOS mode and the popups have stopped.
    |
    | If anyone is interested in looking at it further to determine its
    | origin, it's zipped up as
    |
    | http://www.gibnet.com/security/crapware.zip
    |
    | Uh yes I did mean programs pleading not to be UNinstalled.
    |
    | I still do not understand quite how this gets run, but it's
    | currently disabled.
    |
    | Thanks for the good advice so far in the process.
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 4, 2004
    #11
  12. In article <>, on Sat, 04 Dec 2004 20:10:43 +0100, Jim
    Watt <_way> wrote:

    | On Sat, 04 Dec 2004 15:19:41 GMT, David Postill <>
    | wrote:
    |
    | >In article <>, on Sat, 04 Dec 2004 15:39:01 +0100, Jim
    | >Watt <_way> wrote:
    | >
    | >| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <>
    | >| wrote:
    | >|
    | >| >Have you run process explorer?
    |
    | OK by chance I went to the clients office today for something else
    | so ran process explorer. It showed that the .dll was
    | invu9_32.dll which does not get a hit on google.
    |
    | The dll is in c:/windows/system and is flagged as +SR
    | so did not show on explorer.
    |
    | I renamed it in DOS mode and the popups have stopped.
    |
    | If anyone is interested in looking at it further to determine its
    | origin, it's zipped up as
    |
    | http://www.gibnet.com/security/crapware.zip

    I sent it for an online scan at <www.virustotal.com>

    etrust-vet and sybari identified it as Win32.Startpage.KF

    <davidp />

    --
    David Postill
     
    David Postill, Dec 4, 2004
    #12
  13. I should have added that both Adaware and TrendMicro Sysclean with current updates don't
    detect it. :-(

    Dave


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:JHosd.809$S33.782@trnddc03...
    | Cute name; I N V U 9 :)
    |
    | Here's what "invu9_32.dll" is recognized as...
    |
    | eTrust-Vet 11.7.0.0 12.03.2004 Win32.Startpage.KF
    | Kaspersky 4.0.2.24 12.04.2004 not-a-virus:AdWare.Look2Me.r
    | Sybari 7.5.1314 12.04.2004 Win32.Startpage.KF
    |
    | Dave
     
    David H. Lipman, Dec 4, 2004
    #13
  14. Jim Watt

    Jim Watt Guest

    On Sat, 04 Dec 2004 20:04:52 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >I should have added that both Adaware and TrendMicro Sysclean with current updates don't
    >detect it. :-(


    OK, there is still the mystery (to me) of how it gets into memory,
    where is the line that loads it hidden?

    The crap that pops up uses an IP rather than a domain name
    presumably to avoid blocking in the Hosts file;

    69.20.16.183
    OrgName: Rackspace.com
    OrgID: RSPC
    Address: 112 E. Pecan St.
    Address: Suite 600
    City: San Antonio
    StateProv: TX
    PostalCode: 78205
    Country: US

    Who I believe are a large hosting company.

    The machine had so much rubbish on it, that it's hard to know
    exactly who this belongs to, but I note 'smiley central' in the
    popups. There should be a law against this ******** stuff.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 4, 2004
    #14
    There is a law in Utah that is a precedent but it was blocked by an Adware company in NY
    state (?) pending a court hearing.
    I don't know if the case was heard yet.

    One way to find how the file is launched would be to search for the presence of the string;
    invu9_32.dll
    { Get a sandwich, it will take a while :) }

    Go to; Start --> Search --> for Files and Folders
    In the field "Containing text:" enter; invu9_32.dll

    Dave


    ..
    "Jim Watt" <_way> wrote in message
    news:...
    | On Sat, 04 Dec 2004 20:04:52 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> wrote:
    |
    | >I should have added that both Adaware and TrendMicro Sysclean with current updates don't
    | >detect it. :-(
    |
    | OK, there is still the mystery (to me) of how it gets into memory,
    | where is the line that loads it hidden?
    |
    | The crap that pops up uses an IP rather than a domain name
    | presumably to avoid blocking in the Hosts file;
    |
    | 69.20.16.183
    | OrgName: Rackspace.com
    | OrgID: RSPC
    | Address: 112 E. Pecan St.
    | Address: Suite 600
    | City: San Antonio
    | StateProv: TX
    | PostalCode: 78205
    | Country: US
    |
    | Who I believe are a large hosting company.
    |
    | The machine had so much rubbish on it, that it's hard to know
    | exactly who this belongs to, but I note 'smiley central' in the
    | popups. There should be a law against this ******** stuff.
    |
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 4, 2004
    #15
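Dave's suggestion above (search every file for the string naming the DLL) and Jim's earlier finding that the file carried the +SR attributes and so never showed in Explorer both come down to the same defender's check: look inside files, including hidden and system ones, for a reference to the suspect name. The following Python script is an added example written for this thread, not code from any poster. It walks a directory tree, searches each file as bytes (case-insensitively) for the name both as plain ASCII/ANSI and as UTF-16LE, which is how many Windows binaries and newer registry hives store strings and which a "Containing text" search can miss, and reports the file attributes of each hit. The sample tree it builds under a temporary directory is constructed for the demonstration; the name `suspect_32.dll` is a placeholder, and `search_tree`, `build_sample_tree` and `demo` are names chosen here.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Hit:
    path: str
    offset: int        # byte offset of the first match in the file
    encoding: str      # "ascii" or "utf-16le"
    flags: set         # subset of {"hidden", "system", "readonly"}


def encodings_of(name):
    """Byte patterns to search for: the name lower-cased as ASCII and as UTF-16LE."""
    n = name.lower()
    return {"ascii": n.encode("ascii"), "utf-16le": n.encode("utf-16-le")}


def file_attributes(path):
    """Hidden/system come from Windows-only stat fields (empty elsewhere); readonly is portable."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)   # only present on Windows
    flags = set()
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        flags.add("hidden")
    if attrs & stat.FILE_ATTRIBUTE_SYSTEM:
        flags.add("system")
    if not (st.st_mode & stat.S_IWUSR):
        flags.add("readonly")
    return flags


def search_tree(root, name, chunk=1 << 20):
    """Return one Hit per file under root whose bytes contain `name` in either encoding."""
    patterns = encodings_of(name)
    overlap = max(len(p) for p in patterns.values()) - 1   # so a match across a chunk edge is not missed
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                fh = open(path, "rb")
            except OSError:
                continue            # unreadable file: skip rather than abort the whole walk
            with fh:
                offset, tail = 0, b""
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    buf = tail + block
                    low = buf.lower()   # bytes.lower() touches ASCII only, so UTF-16LE nulls survive
                    found = None
                    for enc, pat in patterns.items():
                        idx = low.find(pat)
                        if idx != -1 and (found is None or idx < found[1]):
                            found = (enc, idx)
                    if found:
                        hits.append(Hit(path, offset - len(tail) + found[1], found[0], file_attributes(path)))
                        break
                    tail = buf[-overlap:] if overlap else b""
                    offset += len(block)
    return hits


def build_sample_tree(root):
    """Constructed sample files for the demo: an INI referencing the name, a binary
    file holding it as UTF-16LE (made read-only, like a +R file), and an unrelated file."""
    root = Path(root)
    (root / "system").mkdir()
    (root / "system" / "loader.ini").write_text("[windows]\nrun=rundll32.exe SUSPECT_32.DLL,Install\n")
    (root / "system" / "hive.dat").write_bytes(b"\x00" * 64 + "suspect_32.dll".encode("utf-16-le") + b"\x00" * 64)
    (root / "readme.txt").write_text("nothing to see here\n")
    os.chmod(root / "system" / "hive.dat", stat.S_IRUSR)


def demo(name="suspect_32.dll"):
    """Build the sample tree in a temp directory and return the hits sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(search_tree(tmp, name), key=lambda h: h.path)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.path}  offset={h.offset}  as={h.encoding}  attrs={sorted(h.flags)}")
```

Run it against a real tree as `search_tree(r"C:\", "invu9_32.dll")` (it is slow, as Dave warns). A hit inside the Windows 9x registry files (system.dat and user.dat in the Windows directory, themselves hidden and system) means the reference is a registry value and should be examined with regedit rather than a text editor.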
  16. Jim Watt

    Jim Watt Guest

    On Sat, 04 Dec 2004 21:43:01 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >There is a law in Utah that is a precedent but it was blocked by an Adware company in NY
    >state (?) pending a court hearing.


    One of the problems is that if we introduced a law here to deal with
    these menaces, by for instance making loading programs onto a PC
    via the internet without the explicit consent of the owner, not just
    clicking an 'I agree' box how could we take action against the
    company responsible in another jurisdiction if it's outside the EU?

    >One way to find how the file is launched would be to search for the presence of the string;
    >invu9_32.dll


    Will do that Monday.

    There's a write up at

    http://be.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_STARTPAG.KF

    But it does not match the behaviour of this thing using rundll32
    and running when IE is not.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 4, 2004
    #16
  17. I tested the DLL against Trend Sysclean using Pattern File version: 2.282.06 and it failed
    to flag the DLL.

    The problem with the Anti Virus industry is that there is no common naming convention so a
    name provided by Company A may not be the same name used by Company B.

    For example;
    MyDoom is also known as Bofra
    Blaster is also known as Lovsan
    Bagle is also known as Beagle
    Backdoor.SDbot.gen is also known as W32/Sdbot.worm.gen.j and Backdoor.Win32.Rbot.gen

    Dave




    "Jim Watt" <_way> wrote in message
    news:...
    | On Sat, 04 Dec 2004 21:43:01 GMT, "David H. Lipman"
    | <DLipman~nospam~@Verizon.Net> wrote:
    |
    | >There is a law in Utah that is a precedent but it was blocked by an Adware company in NY
    | >state (?) pending a court hearing.
    |
    | One of the problems is that if we introduced a law here to deal with
    | these menaces, by for instance making loading programs onto a PC
    | via the internet without the explicit consent of the owner, not just
    | clicking an 'I agree' box how could we take action against the
    | company responsible in another jurisdiction if it's outside the EU?
    |
    | >One way to find how the file is launched would be to search for the presence of the string;
    | >invu9_32.dll
    |
    | Will do that Monday.
    |
    | There's a write up at
    |
    |
    http://be.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_STARTPAG.KF
    |
    | But it does not match the behaviour of this thing using rundll32
    | and running when IE is not.
    |
    |
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 4, 2004
    #17
  18. Ant

    Ant Guest

    "Jim Watt" wrote:

    > OK, there is still the mystery (to me) of how it gets into memory,
    > where is the line that loads it hidden?


    Another good utility from www.sysinternals.com is autoruns. It will
    show what programs attempt to load at startup. It could be that
    some other program loaded via a registry entry is in turn loading
    this. Now that you've removed the executable, check the event logs
    (with event viewer) for error messages relating to a failure to start.
     
    Ant, Dec 4, 2004
    #18
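Ant's point is that the loader may be an ordinary autostart entry that in turn loads the DLL, and autoruns is the tool to list those on NT-family Windows. For a Windows 98 box the classic autostart points can be read directly: the `load=` and `run=` lines in the `[windows]` section of win.ini, the `shell=` line in the `[boot]` section of system.ini, and the Run, RunOnce, RunServices and RunServicesOnce registry keys (the Startup folder is the other obvious one, not covered here). The script below is an added example written for this thread, not code from any poster or from the autoruns tool. It parses those INI sections and a REGEDIT4-style registry export and ranks what it finds: a direct reference to the named DLL first, a `shell=` that is not plain Explorer.exe second, and any other `rundll32` launch last, since rundll32 entries are common in legitimate installs and each needs its DLL checked rather than being treated as proof. The INI text and registry export are constructed samples (the RunServices entry is modelled on a stock power-management entry); `suspect_32.dll` is a placeholder and all function names are chosen here.

```python
import re
from dataclasses import dataclass

# Autostart locations handled by this example (not exhaustive).
INI_LOCATIONS = {
    "win.ini": [("windows", "load"), ("windows", "run")],
    "system.ini": [("boot", "shell")],
}
REG_RUN_KEYS = tuple(
    "\\microsoft\\windows\\currentversion\\" + k
    for k in ("run", "runonce", "runservices", "runservicesonce")
)


@dataclass
class Finding:
    source: str    # where the entry lives
    command: str   # the command line as found
    reason: str    # why it was flagged


def parse_ini_sections(text):
    """Loose INI parser: {section_lower: [(key_lower, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def reg_unescape(s):
    """Undo the backslash escaping used for string data in .reg exports."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


_REG_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return (key_path, value_name, data) for each string value in a REGEDIT4/5 export."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = _REG_VALUE.match(line) if current else None
        if m:
            name = "(Default)" if m.group(1) == "@" else reg_unescape(m.group(2))
            entries.append((current, name, reg_unescape(m.group(3))))
    return entries


def audit_autostart(win_ini, system_ini, reg_export, suspect_dll):
    """Scan the Win9x autostart points for the suspect DLL, odd shell= lines and rundll32 launches."""
    findings, needle = [], suspect_dll.lower()

    def check(source, command, is_shell=False):
        cmd = command.strip().lower()
        if not cmd:
            return
        if needle in cmd:
            findings.append(Finding(source, command, f"references {suspect_dll}"))
        elif is_shell and cmd != "explorer.exe":
            findings.append(Finding(source, command, "shell= is not the default Explorer.exe"))
        elif "rundll32" in cmd:
            findings.append(Finding(source, command, "loads a DLL through rundll32 (verify which DLL)"))

    for fname, text in (("win.ini", win_ini), ("system.ini", system_ini)):
        sections = parse_ini_sections(text)
        for section, key in INI_LOCATIONS[fname]:
            for k, v in sections.get(section, []):
                if k == key:
                    check(f"{fname} [{section}] {key}", v, is_shell=(key == "shell"))
    for key_path, name, data in parse_reg_export(reg_export):
        if key_path.lower().endswith(REG_RUN_KEYS):
            check(f"{key_path} -> {name}", data)
    return findings


# Constructed samples for the demonstration.
WIN_INI = r"""[windows]
load=
run=rundll32.exe c:\windows\system\suspect_32.dll,Install
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = "[boot]\nshell=Explorer.exe\n\n[386Enh]\ndevice=*vshare\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

if __name__ == "__main__":
    for f in audit_autostart(WIN_INI, SYSTEM_INI, REG_EXPORT, "suspect_32.dll"):
        print(f"{f.reason:48} {f.source}\n    {f.command}")
```

On the sample input the win.ini `run=` line is reported as a direct reference and the RunServices entry only as a rundll32 launch to verify; a clean machine will normally show a handful of the latter and none of the former. Feed it real files by reading win.ini and system.ini from the Windows directory and exporting the Run keys with regedit.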
  19. Jim Watt

    Jim Watt Guest

    On Sat, 4 Dec 2004 23:30:25 -0000, "Ant" <> wrote:

    >check the event logs
    >(with event viewer) for error messages relating to a failure to start.


    Good idea, but it's windows/98
    I think we will be replacing it with w2k shortly.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 5, 2004
    #19
  20. McAfee sent me an EXTRA.DAT today for this Adware object, presently identified as
    "Adware-adwr" and will be included in next week's release of v4413 DAT files.

    Dave




    "Jim Watt" <_way> wrote in message
    news:...
    | I have a couple of machines that pop up IE with adverts from nowhere;
    |
    | There is nothing suspicious run from the registry etc, and spybot
    | finds nothing.
    |
    | There is a process running with rundll32 shown, but no idea what
    | DLL it's running.
    |
    | Any suggestions on how to exorcise this ill ?
    |
    | OS is windows/98
    | --
    | Jim Watt
    | http://www.gibnet.com
     
    David H. Lipman, Dec 9, 2004
    #20
