
downloader.trojan infected my rundl


Name: theJman
Date: April 14, 2004 at 20:58:13 Pacific
OS: windows XP
CPU/Ram: N/A
Comment:

Help a brother out.
I got a virus called downloader.trojan on my PC and it infected my rundll_32.exe.
When I looked at SARC they told me to delete any files recognized with that virus,
and as a fact I know rundll_32.exe is a VERY important file.

PLEASE give me any info on what to do about this.


Response Number 1
Name: blender
Date: April 15, 2004 at 10:49:27 Pacific
Reply:

theJman

The file rundll32.exe is the valid one...You have a file rundll_32.exe with an underscore in the file name, which is not a valid Windows file. Before letting your AV delete the file...do a search on your hard drive for rundll32.exe (without the underscore); there should be one in the system32 folder and likely a bunch in the prefetch folder. If it is there...just delete the rundll_32.exe. Doing the search will tell you whether the trojan overwrote the real file. (downloader.trojan includes many...it is just a generic name.)

Virus writers will name their files to look like valid Windows ones so that we find them harder to spot and are scared to remove them.

You will need to remove the registry entries associated with it to prevent errors on bootup. (Symantec will give instructions for that)

If more help is needed...post back.
_____________________________________

I never give up!

Windows Update


Response Number 2
Name: theJman
Date: April 15, 2004 at 13:38:53 Pacific
Reply:

OK, I did a search and found 2 files:
rundll32, which is an Application and is described as running a DLL as an App. It's located in WINDOWS/system32.
Another is
rundll32.exe.mdmp
and the rundll_32.exe is in my quarantine section.
So should I go and delete the rundll_32.exe?


Response Number 3
Name: theJman
Date: April 15, 2004 at 13:53:05 Pacific
Reply:

Sorry for my double post, but
I just deleted the rundll_32.exe,
and blender said something about removing some files associated with rundll_32.exe so I won't have errors on bootup.
Please explain how Symantec can help me do that.


Response Number 4
Name: blender
Date: April 16, 2004 at 00:14:07 Pacific
Reply:

theJman

If you are not getting errors on bootup looking for that rundll_32.exe you should be OK. Sometimes trojans will put instructions in the registry telling Windows to start that file...sometimes they don't.
If you are getting errors on startup, proceed with the instructions below.

Since it requires editing the registry...I don't know how comfortable you are with doing that... an easier and safer way to do it is:

(HijackThis is a program that shows the automatic startups, good and bad, browser helper objects and a lot of other stuff, enabling quick analysis of possible problems which would indicate virus/spyware infection. It is also in many cases a safe way to remove registry-related entries that point to the infection.)

Download HijackThis from here:

http://spywarewarrior.com/files/HijackThis.exe

Save it to its own folder on your computer, eg: c:\hijack\hijackthis.exe

Reason for that is it makes backups of removed items if something goes wrong.

Start hijackthis, click scan, scan button changes to "save log" button. Save the log, it will pop up in notepad.
Copy/paste entire results here in reply.
We will be able to see if there are any registry entries telling that file to run.

Don't fix anything with HijackThis yet...most of what you see is safe or even essential.

I will help analyze the log.

I never give up!

Windows Update


Response Number 5
Name: theJman
Date: April 16, 2004 at 06:29:58 Pacific
Reply:

Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:25:19 AM, on 4/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\Program Files\Norton AntiVirus\Navw32.exe
c:\PROGRA~1\NORTON~1\QServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KuYa\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us5.hpwis.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Morpheus] "C:\Documents and Settings\KuYa\Desktop\MuZiK\Morpheus\Morpheus.exe" -min
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB420109-5EE0-43E8-9A10-D2ADE7812097}: NameServer = 206.13.30.12 206.13.29.12

I've seen somewhere that "O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe"

had something to do with the virus also.
Tell me what should be fixed.
Thanks





Response Number 6
Name: blender
Date: April 17, 2004 at 11:42:48 Pacific
Reply:

theJman

A few problems to fix.

You are right about the O4 you flagged as being a virus...actually it is a password stealing trojan.

I don't know if you use WildTangent or not...seems to come installed on many systems but it does contain adware.

If you don't use or need it you can remove it through add/remove programs.

You also have CoolWebSearch hijack.

Download CWShredder from here:

http://www.spywareinfo.com/~merijn/downloads.html

Save the download to disk, go offline and run it; click fix not just scan.
Let it fix what it finds.

Reboot the computer.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Move HijackThis.exe into this folder.

When you run HijackThis from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

Start hijackthis and check the following to fix: (some may not be present after shredder fix)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us5.hpwis.com/ <- both these URLs are part of the CoolWebSearch hijack.

O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe <- password steal trojan

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe <- CoolWebSearch trojan...explorer.exe only belongs in the Windows folder.

Once all are checked, close all windows except hijack and click fix checked

Reboot to safe mode (tap f8 on startup) and delete:

c:\windows\system32\f~a <- entire folder
c:\windows\system\explorer.exe <- file (if still there)...Leave the one in the Windows folder!

Reboot to normal windows and post new hijack log in reply.

Since you had a password steal trojan...if you do any online banking or anything you don't want passwords known for, you want to change all your passwords, including your Windows logon and admin passwords if you use them.

You should also install all your Windows updates; you will need to visit several times to get them all. Several big gaping security holes have been fixed with the updates.

If a slow connection is a problem, M$ offers a free update CD that includes SP1 and all updates up to February.

To order go here:

http://www.microsoft.com/security/protect/cd/order.asp

I never give up!

Windows Update

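The two checks blender applies by hand in this reply and in Response Number 1 (a start-up entry whose file name is a near-miss of a real Windows binary, such as rundll_32.exe for rundll32.exe, and a real binary name launched from a folder it does not belong in, such as explorer.exe under C:\WINDOWS\System) can be scripted over a HijackThis log. The Python below is an added example written for this thread; it is not HijackThis code and is not from either poster. It assumes a Windows XP layout with C:\WINDOWS as the system root, a hand-made EXPECTED_HOME table that covers only three binaries, and a constructed sample log whose O4 lines are copied from theJman's log above plus one constructed [Loader] entry for rundll_32.exe, since that file had already been quarantined when the log was taken.

```python
"""Flag suspicious O4 (autorun) lines in a HijackThis log.

Added example for this thread; not HijackThis code and not either poster's.
Assumes a Windows XP layout (C:\\WINDOWS as the system root) and the small
EXPECTED_HOME table below, which covers only three binaries.
"""
import re
from pathlib import PureWindowsPath

# Where a few Windows system binaries legitimately live (lower-case paths).
# Assumption: XP default layout; extend the table for other installs.
EXPECTED_HOME = {
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
}

# Registry autorun line as HijackThis prints it:
#   O4 - HKCU\..\Run: [name] C:\path\to\program.exe -args
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# Constructed sample: O4 lines copied from theJman's log, plus one constructed
# [Loader] entry for the rundll_32.exe file that was already in quarantine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - HKLM\..\Run: [Loader] C:\WINDOWS\System32\rundll_32.exe
"""


def parse_o4(line):
    """Return (hive, entry name, command) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def executable_of(cmd):
    """Pull the program path out of a command: the shortest prefix ending in .exe,
    with a leading quote dropped (handles quoted paths with spaces and bare names)."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def canonical_name(filename):
    """Strip everything but letters, digits and dots: rundll_32.exe -> rundll32.exe."""
    return re.sub(r"[^a-z0-9.]", "", filename.lower())


def triage_entry(cmd):
    """Reason string if the command looks like a masquerading binary, else None."""
    path = PureWindowsPath(executable_of(cmd))
    fname = path.name.lower()
    parent = str(path.parent).lower()
    canon = canonical_name(fname)
    # Check 1: the name is a near-miss of a real system binary (rundll_32.exe).
    if canon in EXPECTED_HOME and canon != fname:
        return f"lookalike of {canon}"
    # Check 2: a real binary name launched from a folder it does not belong in.
    # A bare name (no folder, resolved via PATH) cannot be judged here and is skipped.
    if fname in EXPECTED_HOME and parent not in ("", ".") and parent not in EXPECTED_HOME[fname]:
        return f"{fname} outside its expected folder ({parent})"
    return None


def triage_log(text):
    """Return [(entry name, executable, reason)] for every flagged O4 line."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, name, cmd = parsed
        reason = triage_entry(cmd)
        if reason:
            flagged.append((name, executable_of(cmd), reason))
    return flagged


if __name__ == "__main__":
    for name, exe, reason in triage_log(SAMPLE_LOG):
        print(f"[{name}] {exe}: {reason}")
```

Run as a script it prints the [System Update] and [Loader] entries with their reasons. Everything else in the sample, including the [f~a] ra32.exe entry blender identified, passes both heuristics because neither its name nor its folder is in the table, which is exactly why the thread still relies on a human reading the full log: these checks cut the list down, they do not clear what remains.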

Response Number 7
Name: theJman
Date: April 28, 2004 at 16:19:55 Pacific
Reply:

Please help me.
I had to go to the admin account and make the PC able to reboot in safe mode. When it prompted me to restart the computer for changes to take place I did. After that restart the computer just doesn't start anymore. It just stays at the loading screen with the Windows XP logo and a green scrolling bar. I left it there for 24 hrs at the most, so I just turned it off. When I turned it back on, it gave me a menu where I could start the PC up in multiple choices, so I picked safe mode. It scrolled through a few files, and then stopped at "agp440.sys".
Please help with my problem. Thanks.
