# Solved: RUNDLL32.exe Im infected?



## Toti (Apr 14, 2004)

Hi, I have noticed that my computer has been a bit slow. I saw in my HijackThis log that I have RunDll32.exe, 3 instances of it, and my roommate told me that probably my computer is infected with a virus.  
This is my HijackThis log, guys. Please, thanks for your time and help, and forgive my English.  
It's very early in the morning here, and I've been working all night doing some reports, so I'm kind of tired. Please forgive my ignorance in this matter; I need your help, guys. Thanks.

=====================

Logfile of HijackThis v1.99.1
Scan saved at 5:20:20 AM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ULi5287\ULi5287.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\WINXP\Logi_MwX.Exe
C:\WINXP\system32\RunDll32.exe
C:\WINXP\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINXP\system32\nvsvc32.exe
C:\Documents and Settings\rat\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ULiRaid5287] "C:\Program Files\ULi5287\ULi5287.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: SETPOINT.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe

===============

I'm on my way to Univ. right now, but I'll be right back in a couple of hours. I really appreciate your help in this matter.

Toti


----------



## Toti (Apr 14, 2004)

Hi guys, well..... I used to have SmitFraudFix on my desktop, the one with the yellow icon with the bio-contamination logo. OK... I ran TrojanHunter, and after it finished the scan, the report said that SmitFraudFix was a Trojan!!  
First it went to quarantine, then I deleted it from TrojanHunter's quarantine.

Now, that took care of it.

Another situation I discovered today: when I opened my Windows Task Manager, I saw that I have 2 pretty similar instances that I didn't see before. These are:

explorer.exe .......with 61.272 K !!
iexplore.exe...... with 42,064 K !!

So...? Is it correct to have two Internet Explorer exes running at the same time?

Please help, guys. I'm trying to do as much as I can.

Toti


----------



## Toti (Apr 14, 2004)

OK guys, I did a search for explorer.exe.

The result is that the locations of this are:

1.- explorer ...............C:\WINXP
2.- explorer.................C:\WINXP\$NUninstallKB938828$
3.- EPLORER.EXE-0D300D8F........C:\Program Files\TrojanHunter5.0\Tools\AutostartExplorer
4.- An application file AutostartExplorer.... C:\WINXP\$hf_mig$\KB938828\SP2QFE

=====================

Now for iexplore.exe

iexplore.........C:\program Files\Internet Explorer
iexplore..........C:\WINXP\ie7
IEXPLORE.EXE-27122324......C:\WINXP\Prefetch
iexplore.exe.mui....C:\Program Files\Internet Explorer\en -US
iexplore...........C:\WINXP\ie7updates\KB931768-IE7
iexplore...........C:\WINXP\ie7updates\KB9 etc....-IE7
iexplore...........C:\WINXP\ie7updates\KB9 etc....-IE7
iexplore...........C:\WINXP\$hf_mig$\KB9 etc.......-IE7\SP2QFE
iexplore............C:\WINXP\$hf_mig$\KB9 etc.......-IE7\SP2QFE
iexplore............C:\WINXP\$hf_mig$\KB9 etc.......-IE7\SP2QFE
iexplore.............C:\WINXP\$hf_mig$\KB9 etc.......-IE7\SP2QFE
iexplore..............C:\WINXP\$hf_mig$\KB9 etc.......-IE7\SP2QFE

This is for iexplore.exe.

So my question is, which one of these is a real file and not a VIRUS?? Or are both OK???


Thanks 
Toti


----------



## jpshortstuff (Oct 19, 2007)

Hi

First of all, all 3 of those rundll32.exe entries are perfectly legitimate.

I can't see anything bad in your log, except for the fact that you don't appear to have a firewall running.
If this is true:
Install a *firewall*! Without a firewall your system is susceptible to being compromised, and people could gain access to your computer. If you don't have a firewall I strongly recommend you download *ZoneAlarm* or *Kerio*.

As for your explorer.exe and iexplore.exe:

explorer.exe:


processlibrary said:


> explorer.exe is the Windows Program Manager or Windows Explorer. It manages the Windows Graphical Shell including the Start menu, taskbar, desktop, and File Manager. By removing this process the graphical interface for Windows will disappear. This program is important for the stable and secure running of your computer and should not be terminated.


and iexplore.exe is just Internet Explorer.
Both of them are perfectly legit, and explorer is critical.

The reason SmitFraudFix was targeted by Trojan Hunter is because SmitFraudFix has some powerful tools in it, that it uses to help clean your computer of the infection it targets. Trojan Hunter saw these tools as a threat, and as it can't tell the difference between a powerful tool being used for good and a powerful tool being used for bad, it quarantined it.

Hope some of that info is of use to you,

_jpshortstuff_

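A triage of the three rundll32 lines from the log above, written here as an added example rather than anything from the thread or from HijackThis itself: it pulls the O4 Run entries that launch rundll32, splits out the module and entry point, and labels whether the module is given as a full system32 path or as a bare name that Windows will resolve through its DLL search order. The drive and WINXP directory come from the log; the label strings are this example's own convention.

```python
import re

# Constructed sample: the O4 Run entries copied from the HijackThis log in this thread
# (three rundll32 launches plus one ordinary exe entry that should be ignored).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

# Matches an O4 entry whose command is rundll32 (any case, with or without .exe),
# capturing the hive, the value name, the module argument and its entry point.
O4_RUNDLL_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"rundll32(?:\.exe)?\s+(?P<module>\"[^\"]+\"|\S+?),(?P<entry>\S+)",
    re.IGNORECASE,
)


def classify_module(module: str, windir: str = r"C:\WINXP") -> str:
    """Triage label for the module rundll32 was asked to load (labels are this example's)."""
    m = module.strip('"')
    if "\\" not in m:
        # No path given: Windows resolves the name through its DLL search order, so the
        # name alone proves nothing. The file actually found on disk is what to check.
        return "bare-name (resolve via search path and verify on disk)"
    if m.lower().startswith((windir + "\\system32\\").lower()):
        return "system32 path"
    return "non-system path (check publisher/signature)"


def triage_rundll32(log_text: str) -> list[dict]:
    """Return one record per rundll32-based O4 entry found in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUNDLL_RE.match(line)
        if not m:
            continue
        findings.append({
            "name": m["name"],
            "module": m["module"].strip('"'),
            "entry": m["entry"],
            "label": classify_module(m["module"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage_rundll32(SAMPLE_O4_LINES):
        print(f"[{f['name']}] {f['module']} -> {f['entry']}: {f['label']}")
```

The bare CMICNFG3.CPL entry is the one the name alone cannot settle; locating the file it resolves to and checking its publisher is the step that actually answers "is this the real one".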

----------



## Toti (Apr 14, 2004)

OK.. well, I was reading about these two exes, and (iexplore.exe is my browser) if it is not in capital letters it is OK, safe, and (explorer.exe, which is the program that comes with Windows) if it is not in capital letters it is OK, safe. And if the location is not in Windows 32, it's safe.

About the amount of memory, take it like this... oh well, they really drain resources, both of them, but it seems to be correct.

I hope this helps someone with these same questions.

----------------------
As a colophon:
Remember to disable System Restore before any fix; once you finish fixing your machine, enable it again and create a new System Restore point.

So my SmitFraudFix was a Trojan, deleted with TrojanHunter; link here: http://www.misec.net/  
and I ran a full scan with SUPERAntiSpyware; this will take around 2 hrs, depending on how many files you've got.  
I didn't have to run WinsockXPFix; link for this: http://www.tacktech.com/display.cfm?ttid=257  
or LSPFix; link for this last one: http://cexx.org/lspfix.htm  
At last I ran CCleaner, rebooted, enabled my System Restore, and it seems everything is running more smoothly.  
Now I can go and take a nap, I'm really tired.

Thank you for responding to me, jpshortstuff, you are very kind!! And thanks for the info. About the firewall: I have the Windows Firewall on, and my roommate and I are behind a firewalled router. Is that OK? Or do we need more protection?  
About SmitFraudFix, so it's safe, good to know. Well, I deleted it anyhow.. I didn't want to run any risk.

Oh, and by the way, I read, found this: http://www.techspot.com/vb/topic70127.html that ComboFix was infected by a rootkit?? Is it safe to use now??

I'm going to mark this thread as SOLVED!!

Thank you 
xoxox 
Toti


----------



## jpshortstuff (Oct 19, 2007)

Hi *Toti*

ComboFix is safe to use (there was a bug that meant if you had a certain rootkit it would systematically delete your system32 folder).
However, it is a powerful tool, and should not be run unless told to do so by a Helper. I see no reason for you to run ComboFix; your computer seems to be clean and it won't speed things up.

I would recommend that you install one of the firewalls I recommended and use that instead of Windows Firewall, as I believe them to be better protection. The choice however, is entirely yours.

Glad I could help,

_jpshortstuff_


----------

