Rundll32 - target unknown file - how to troubleshoot?

dave xnet

Hello,
recently had a virus that caught me by surprise. (on XP SP3)
It decided to "show" itself at a time the computer was unattended.
(according to the logs I reviewed) .
When I returned to the machine bad things had been happening for about
20 minutes. (Included screens and screens of gambling sites, and
the shell stopping and starting every 10 seconds after rebooting.)
I was most surprised because Windows Defender and Avast
both had resident protection running.

With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
the machine is bootable and malware scans are not picking up anything
else.

However, I see something suspicious in the Task Manager, it's a
Rundll32 whose target I cannot find. There's two of them,
one is related to Nvidia - In process Explorer I see CMD line
"F:\WINDOWS\system32\RUNDLL32.EXE"
F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
I think that's OK.

But the other has this in the CMD line:
F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d

What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
I'm all the more suspicious, as I have just spent 2 or 3 days
cleaning up the xpre/xrun virus and possibly vundo.

Any thoughts on this?
TIA,
Dave
1PW

On 12/05/2008 11:40 PM, dave xnet sent:
> Hello,
> recently had a virus that caught me by surprise. (on XP SP3)
> It decided to "show" itself at a time the computer was unattended.
> (according to the logs I reviewed) .
> When I returned to the machine bad things had been happening for about
> 20 minutes. (Included screens and screens of gambling sites, and
> the shell stopping and starting every 10 seconds after rebooting.
> I was most surprised because Windows Defender and Avast
> both had resident protection running.
>
> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
> the machine is bootable and malware scans are not picking up anything
> else.
>
> However, I see something suspicious in the Task Manager, it's a
> Rundll32 whose target I cannot find. There's two of them,
> one is related to Nvidia - In process Explorer I see CMD line
> "F:\WINDOWS\system32\RUNDLL32.EXE"
> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
> I think that's OK.
>
> But the other has this in the CMD line:
> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>
> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
> I'm all the more suspicious, as I have just spent 2 or 3 days
> cleaning up the xpre/xrun virus and possibly vundo.
>
> Any thoughts on this?
> TIA,
> Dave


Hello Dave:

Download and execute HijackThis from:

http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

Please, do _not_ post HJT logs to this newsgroup.

Here is where you can get good advice for HijackThis logs:

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?showforum=29

Note well: Registration is required in any of the above mentioned
forums. Before posting a HJT log, read the 'stickies'
(instructions/guidelines) for the respective HJT forum.

Please post a follow-up with a summary as to what was found and any
further action.

Good luck to you.

Pete

-- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

dave xnet

On Sat, 06 Dec 2008 01:36:23 -0800, 1PW
wrote:

>On 12/05/2008 11:40 PM, dave xnet sent:
>> Hello,
>> recently had a virus that caught me by surprise. (on XP SP3)
>> It decided to "show" itself at a time the computer was unattended.
>> (according to the logs I reviewed) .
>> When I returned to the machine bad things had been happening for about
>> 20 minutes. (Included screens and screens of gambling sites, and
>> the shell stopping and starting every 10 seconds after rebooting.
>> I was most surprised because Windows Defender and Avast
>> both had resident protection running.
>>
>> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
>> the machine is bootable and malware scans are not picking up anything
>> else.
>>
>> However, I see something suspicious in the Task Manager, it's a
>> Rundll32 whose target I cannot find. There's two of them,
>> one is related to Nvidia - In process Explorer I see CMD line
>> "F:\WINDOWS\system32\RUNDLL32.EXE"
>> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
>> I think that's OK.
>>
>> But the other has this in the CMD line:
>> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>>
>> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
>> I'm all the more suspicious, as I have just spent 2 or 3 days
>> cleaning up the xpre/xrun virus and possibly vundo.
>>
>> Any thoughts on this?
>> TIA,
>> Dave

>
>Hello Dave:
>
>Download and execute HijackThis from:
>
> http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
>
>Please, do _not_ post HJT logs to this newsgroup.
>
>Here is where you can get good advice for HijackThis logs:
>
>http://www.thespykiller.co.uk/index.php?board=3.0
>http://www.spywarewarrior.com/viewforum.php?f=5
>http://forums.tomcoyote.org/index.php?showforum=27
>http://www.bleepingcomputer.com/forums/forum22.html
>http://www.malwarebytes.org/forums/index.php?showforum=7
>http://www.5starsupport.com/ipboard/index.php?showforum=18
>http://www.theeldergeek.com/forum/index.php?showforum=29
>
>Note well: Registration is required in any of the above mentioned
>forums. Before posting a HJT log, read the 'stickies'
>(instructions/guidelines) for the respective HJT forum.
>
>Please post a follow-up with a summary as to what was found and any
>further action.
>
>Good luck to you.
>
>Pete
>
>-- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
This process was not picked up by any of the malware scanners.
The target dll didn't exist on the system. A Windows Sysinternals
expert looked at the rundll32 stack trace and asked me if I had
looked in Control Panel/Scheduled Tasks - perhaps something there
could be kicking it off.
Duh! It was right there, hiding in plain sight. Seems as if it was
added by the malware, but this one piece was not cleaned up.

I'm doing a follow up with some of the malware forums to get
their opinion.
Thanks,
Dave
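An added triage helper, not code from the thread or from any of the tools named in it: it parses rundll32 command lines in both forms shown above (the unquoted NvMcTray.dll one and the quoted efcYPiJb.dll one), flags a process whose DLL is not on disk, and cross-references a list of scheduled-task command lines for whatever keeps launching it. The file list and task list are constructed sample data standing in for a real disk walk and a real Scheduled Tasks export.

```python
import re
from typing import Optional

# rundll32 <dll>,<entrypoint>  -- the executable and the DLL may each be quoted
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*?rundll32\.exe"|\S*?rundll32\.exe)\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str) -> Optional[tuple]:
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("entry"))

def triage(cmdline: str, files_on_disk: set) -> dict:
    """Classify one process command line against a set of known file paths.

    files_on_disk is a constructed stand-in for a real directory walk so the
    example runs offline; comparison is case-insensitive, as on NTFS.
    """
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return {"verdict": "not-rundll32"}
    dll, entry = parsed
    present = dll.lower() in {f.lower() for f in files_on_disk}
    return {"dll": dll, "entry": entry,
            "verdict": "ok" if present else "dll-missing"}

def find_launchers(dll: str, task_cmdlines: list) -> list:
    """Scheduled-task command lines that would start rundll32 with this DLL."""
    hits = []
    for t in task_cmdlines:
        p = parse_rundll32(t)
        if p and p[0].lower() == dll.lower():
            hits.append(t)
    return hits

# Constructed sample data mirroring the two command lines from the thread.
FILES = {r"F:\WINDOWS\system32\RUNDLL32.EXE", r"F:\WINDOWS\system32\NvMcTray.dll"}
NVIDIA = r'"F:\WINDOWS\system32\RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit'
UNKNOWN = r'F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d'
TASKS = [UNKNOWN, r"F:\WINDOWS\system32\defrag.exe C:"]  # constructed task list

if __name__ == "__main__":
    for cmd in (NVIDIA, UNKNOWN):
        result = triage(cmd, FILES)
        print(result)
        if result["verdict"] == "dll-missing":
            print("  launched by:", find_launchers(result["dll"], TASKS))
```

A "dll-missing" hit is exactly the situation in this thread: the process is visible, the module it names is not, so the next place to look is whatever persistence entry (here a scheduled task) re-issues that command line.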
1PW

On 12/08/2008 03:52 PM, dave xnet sent:
> On Sat, 06 Dec 2008 01:36:23 -0800, 1PW
> wrote:
>
>> On 12/05/2008 11:40 PM, dave xnet sent:
>>> Hello,
>>> recently had a virus that caught me by surprise. (on XP SP3)
>>> It decided to "show" itself at a time the computer was unattended.
>>> (according to the logs I reviewed) .
>>> When I returned to the machine bad things had been happening for about
>>> 20 minutes. (Included screens and screens of gambling sites, and
>>> the shell stopping and starting every 10 seconds after rebooting.
>>> I was most surprised because Windows Defender and Avast
>>> both had resident protection running.
>>>
>>> With the help of avast, Spybot S&D, Windows Defender and Malwarebytes,
>>> the machine is bootable and malware scans are not picking up anything
>>> else.
>>>
>>> However, I see something suspicious in the Task Manager, it's a
>>> Rundll32 whose target I cannot find. There's two of them,
>>> one is related to Nvidia - In process Explorer I see CMD line
>>> "F:\WINDOWS\system32\RUNDLL32.EXE"
>>> F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
>>> I think that's OK.
>>>
>>> But the other has this in the CMD line:
>>> F:\WINDOWS\system32\rundll32.exe "F:\WINDOWS\system32\efcYPiJb.dll",d
>>>
>>> What is efcYPiJb.dll ? A search of the HD fails to turn up this file.
>>> I'm all the more suspicious, as I have just spent 2 or 3 days
>>> cleaning up the xpre/xrun virus and possibly vundo.
>>>
>>> Any thoughts on this?
>>> TIA,
>>> Dave

>> Hello Dave:
>>
>> Download and execute HijackThis from:
>>
>> http://www.trendsecure.com/portal/en-US/to...ools/hijackthis
>>
>> Please, do _not_ post HJT logs to this newsgroup.
>>
>> Here is where you can get good advice for HijackThis logs:
>>
>> http://www.thespykiller.co.uk/index.php?board=3.0
>> http://www.spywarewarrior.com/viewforum.php?f=5
>> http://forums.tomcoyote.org/index.php?showforum=27
>> http://www.bleepingcomputer.com/forums/forum22.html
>> http://www.malwarebytes.org/forums/index.php?showforum=7
>> http://www.5starsupport.com/ipboard/index.php?showforum=18
>> http://www.theeldergeek.com/forum/index.php?showforum=29
>>
>> Note well: Registration is required in any of the above mentioned
>> forums. Before posting a HJT log, read the 'stickies'
>> (instructions/guidelines) for the respective HJT forum.
>>
>> Please post a follow-up with a summary as to what was found and any
>> further action.
>>
>> Good luck to you.
>>
>> Pete
>>
>> -- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
> This process was not picked up by any of the malware scanners.
> The target dll didn't exist on the system. A Windows Sysinternals
> expert looked at the rundll32 stack trace and asked me if I had
> looked in Control Panel/Scheduled Tasks - perhaps something there
> could be kicking it off.
> Duh! It was right there, hiding in plain sight. Seems as if it was
> added by the malware, but this one piece was not cleaned up.
>
> I'm doing a follow up with some of the malware forums to get
> their opinion.
> Thanks,
> Dave

Hello Dave:

If you hadn't already done so, you might consider downloading, updating
and running the freeware version of:



Please update this thread again when you're able.

Pete
--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
dave xnet

On Mon, 08 Dec 2008 21:23:30 -0800, 1PW
wrote:

>On 12/08/2008 03:52 PM, dave xnet sent:


>>> -- 1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

>> This process was not picked up by any of the malware scanners.
>> The target dll didn't exist on the system. A Windows Sysinternals
>> expert looked at the rundll32 stack trace and asked me if I had
>> looked in Control Panel/Scheduled Tasks - perhaps something there
>> could be kicking it off.
>> Duh! It was right there, hiding in plain sight. Seems as if it was
>> added by the malware, but this one piece was not cleaned up.
>>
>> I'm doing a follow up with some of the malware forums to get
>> their opinion.
>> Thanks,
>> Dave
>
>Hello Dave:
>
>If you hadn't already done so, you might consider downloading, updating
>and running the freeware version of:
>
>
>
>Please update this thread again when you're able.
>
>Pete

Hi Pete,
I'm at the point where Malwarebytes and the ESET online scanner
say everything is clean. This is the first virus I've had in over
10 years of being on the Internet. I've got to believe
that it was from a browser exploit of some kind.
I've heard Java and PDF are getting hit because
people forget to update them.