Re: Many (runaway?) RunDLL32.exe processes starting - help


From: Help (anonym_at_whoknowswhere.osh)
Date: 08/03/04


Date: Tue, 03 Aug 2004 20:32:30 +0100

Hi Malke,

Thanks for the response .. I was deciding to blat and restart as the
fastest way to sort it out...

However, I have a bit more info and another question...

I ran a final virus scan with the system checking absolutely everything
it can and it found a part of the sasser virus. The file cmd.ftp was in
c:\windows\system32

This file is a temporary file used as part of the infecting process with
SASSER-A.

There were no signs of SASSER-A infected files anywhere else.. although
the symptoms are similar.

I did a scan for files that were modified around the same time as
cmd.ftp and found a couple in windows/system32:

cc.exe
msc.cpl

Neither show up in the sophos scan as being infected.

There were other bits such as things in prefetch .. but then the system
adds anything it runs to prefetch so these are presumably a kind of
audit trail of what was run when the infection took place.

I renamed the cc.exe, msc.cpl, and cmd.ftp to different names and
extensions.

The .cpl is a control panel file and would explain why I couldn't open
control panel.

Now, when I reboot, the machine starts up ok .. no extra processes and
seems clean.

My problem is that I don't know what else might have been
corrupted/changed when the infection took place and don't feel 100%
comfortable putting the machine on the network at the moment. (It is
currently standalone and I have been transferring files via a CD).

I assume that one or other of cc.exe, msc.cpl was triggering the
rundll32s and that they were being started by the prefetch (they were in
there from when they had run during the initial infection). I don't
know how realistic that is though.

Again, any advice appreciated ...

Malke wrote:

> Help wrote:
>
>
>>Hi,
>>
>>I have had a laptop passed back to me by one of my users. After
>>booting up I was getting the RPC error... "Windows must now
>>restart because the RPC service terminated unsuccessfully" - and the
>>countdown.
>>
>>Although the machine is patched, I assumed that a sasser variant had
>>got in...
>>
>>When I got the machine, I booted it up in safe mode and ran a scan and
>>found the RBOT-AM virus on it, which I removed. I also ran Spybot - S&D
>>and Ad-Aware and removed a few bits but nothing dramatic.
>>
>>When I start up in normal mode, a load of rundll32 processes are
>>running .. a couple of hundred .. and they just seem to spawn until
>>there is no VM left and the machine shuts itself down.
>>
>>When I start in Safe Mode, I can use the machine except for accessing
>>the control panel. When I try to access the control panel, I get the
>>window up and then the searchlight icon spinning around. If I try to
>>get into task manager, then I see a lot of rundll32 processes again
>>and the machine runs out of VM again.
>>
>>One of the last things the user did before the problem occurred was to
>>install a BTBroadband CD. I uninstalled what I could of it .. mainly
>>an Intel DSL program, but, because I can't get to the control panel, I
>>can't get to Add/Remove programs.
>>
>>If I stop the shutdown with a shutdown -a, I only really delay the
>>inevitable because the machine still runs out of VM.
>>
>>Any help appreciated ...
>>
>>Anyone have any ideas as to why control panel fails in safe mode ?
>>
>>Is there any way of finding out what might be triggering all the
>>rundlls ? What is the direct command to launch the Add/Remove programs
>>window ?
>>
>
> It sounds like the system is infested with viruses and spyware. At this
> point - particularly if you are a busy sysadmin - the easiest and most
> efficient way is to format and start over.
>
> Malke
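The triage the poster describes (pivoting on the modification time of the known-bad cmd.ftp to find files written at the same time, then using the Prefetch folder as a record of what actually ran) can be scripted. This is an added example, not code from the thread; the directory listings, timestamps and prefetch hashes are constructed for illustration, and the five-minute window is an assumed default.

```python
"""Timeline pivot around a known-bad file, as a defender would do by hand.

Given a directory listing (name -> modification time) and one file already
identified as malicious, list the other files modified within a window of it
and mark which of them also have a Windows Prefetch entry, i.e. were executed.
Prefetch files are really named EXENAME-HASH.pf; the hash is irrelevant here.
"""
from datetime import datetime, timedelta

# Constructed C:\Windows\system32 listing; timestamps are invented, not from the post.
SYSTEM32_LISTING = {
    "cmd.ftp": datetime(2004, 8, 1, 14, 2, 10),
    "cc.exe": datetime(2004, 8, 1, 14, 2, 31),
    "msc.cpl": datetime(2004, 8, 1, 14, 3, 5),
    "kernel32.dll": datetime(2002, 8, 29, 12, 0, 0),
    "notepad.exe": datetime(2002, 8, 29, 12, 0, 0),
}

# Constructed C:\Windows\Prefetch listing; hash parts are invented.
PREFETCH_LISTING = [
    "CC.EXE-3F2A1B0C.pf",
    "NOTEPAD.EXE-336351A9.pf",
    "RUNDLL32.EXE-4B7A8C1D.pf",
]

def executed_names(prefetch_files):
    """Lower-cased executable names that have a prefetch entry."""
    names = set()
    for pf in prefetch_files:
        base = pf[:-3] if pf.lower().endswith(".pf") else pf
        exe, sep, _hash = base.rpartition("-")  # strip the trailing -HASH
        names.add((exe if sep else base).lower())
    return names

def co_modified(listing, pivot, window=timedelta(minutes=5)):
    """Files (other than the pivot) modified within +/- window of it, oldest first."""
    t0 = listing[pivot]
    hits = [(name, mtime) for name, mtime in listing.items()
            if name != pivot and abs(mtime - t0) <= window]
    return sorted(hits, key=lambda item: item[1])

def triage(listing, prefetch_files, pivot, window=timedelta(minutes=5)):
    """Return [(name, was_executed)] for files co-modified with the pivot."""
    ran = executed_names(prefetch_files)
    return [(name, name.lower() in ran) for name, _ in co_modified(listing, pivot, window)]

if __name__ == "__main__":
    for name, ran in triage(SYSTEM32_LISTING, PREFETCH_LISTING, "cmd.ftp"):
        print(f"{name:14} executed={'yes' if ran else 'no'}")
```

On the constructed data this flags cc.exe (executed, it has a prefetch entry) and msc.cpl (not executed directly, consistent with a .cpl being loaded by rundll32 rather than run on its own).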


