
Spyware in RUNDLL32.DLL

January 22, 2005 at 13:02:24
Specs: Win 2k, 300 MHZ/256 RAM

I'm having trouble with some things, and Ad-Aware can't take care of it even in safe mode. Surprisingly, this thing runs in safe mode also.

When RunDll32.dll is running I get pop-ups; when I get rid of it the pop-ups stop. Ad-Aware notices this issue but it cannot remove it because files are in use...

What could I do?


Thanks in Advance
Andrey




#1
January 22, 2005 at 21:19:32

The Sircam worm will do what you say. If you can, you might try copying a new clean copy. Also found this... not sure if it's related. Sounds funny, nonetheless.

When executed, Funner will copy itself to the WINDOWS directory under the name rundll32.dll and alter registry entries to ensure the worm is started. It will also copy itself under WINDOWS SYSTEM directory as

explorer.exe
IEXPLORE.EXE
userinit32.exe

The following registry keys are altered to ensure the worm runs upon next reboot

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MMSystem"
"c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MMSystem"
"c:\winnt\rundll32.exe "c:\winnt\system32\mmsystem.dll"", RunDll32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
"C:\WINNT\system32\userinit32.exe,"

Funner also overwrites the local hosts file with a file containing various URLs.

NOTE! There is Windows system DLL named rundll32.dll under WINDOWS SYSTEM directory. This DLL is part of Microsoft Windows operating system.

MSI 845e mb, 768 MB RAM and a P4 2.4n running XP, Win 2000 Advanced Server and Win 98 SE. A lot to learn and I know so little!!!!
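
A defensive check for the autorun pattern quoted in reply #1, as an added example that is not part of the original thread. It assumes the Run and Winlogon values have already been exported into (key, name, data) tuples; the sample rows, the ExampleApplet value name and the c:\winnt system root are constructed for illustration.

```python
import ntpath
import re

SYSTEM_ROOT = r"c:\winnt"  # assumption: Windows 2000 default root, adjust per host
RUN_SUFFIX = r"\currentversion\run"
WINLOGON_SUFFIX = r"\windows nt\currentversion\winlogon"

def _norm(path):
    """Strip quotes and whitespace, normalise separators, lower-case."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def audit_autoruns(entries, system_root=SYSTEM_ROOT):
    """Return (key, name, reason) for values matching the pattern in reply #1."""
    sys32 = _norm(system_root + r"\system32")
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            # Any fully qualified rundll32.exe that is not the system32 copy.
            for exe in re.findall(r'[a-z]:\\[^"]*?rundll32\.exe', data, re.I):
                if ntpath.dirname(_norm(exe)) != sys32:
                    findings.append((key, name, "rundll32.exe outside system32: " + exe))
        elif k.endswith(WINLOGON_SUFFIX) and name.lower() == "userinit":
            # Userinit is a comma-separated list; only userinit.exe is expected.
            for item in filter(None, (p.strip() for p in data.split(","))):
                if _norm(item) != sys32 + r"\userinit.exe":
                    findings.append((key, name, "unexpected Userinit program: " + item))
    return findings

# Constructed sample: three values shaped like those in the post, one benign value.
SAMPLE = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MMSystem",
     r'"c:\winnt\rundll32.exe" "c:\winnt\system32\mmsystem.dll", RunDll32'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MMSystem",
     r'"c:\winnt\rundll32.exe" "c:\winnt\system32\mmsystem.dll", RunDll32'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r"C:\WINNT\system32\userinit32.exe,"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ExampleApplet",  # hypothetical benign entry
     r"c:\winnt\system32\rundll32.exe c:\winnt\system32\example.dll,Entry"),
]

if __name__ == "__main__":
    for key, name, reason in audit_autoruns(SAMPLE):
        print(f"{key} [{name}]: {reason}")
```

Commands that call rundll32.exe without a full path are not flagged, since the path they resolve to cannot be determined from the registry value alone.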



#2
January 22, 2005 at 22:19:00

I don't have the Sircam worm or Funner.

I did a check for both, no help.



#3
January 23, 2005 at 01:23:11

Have you tried Spybot SD?

If Spybot can't get rid of it because it's in use, it will ask you if it can run at startup before the offending file loads into memory.



#4
January 23, 2005 at 07:24:01

Tried stopping it in Task Manager first, then Spybot; if that doesn't work, how about "HijackThis"? Do a Google search on it.

smuggly



#5
January 24, 2005 at 09:14:37

Try running Ad-Aware and Spybot, reboot in safe mode, run them both again in safe mode... reboot... and run this:
http://housecall.trendmicro.com/



#6
January 30, 2005 at 07:45:39

You can find a lot of RunDLL32 references here: http://www.Dx21.com | Development | Scripting | RunDLL32
