Many (runaway?) RunDLL32.exe processes starting - help

[Help]

Hi,

I have had a laptop passed back to me by one of my users. After booting
up there were getting the RPC error... "Windows must now restart because
the RPC service terminated unsuccessfully" - and the countdown.

Although the machine is patched, I assumed that a sasser variant had got
in...

When I got the machine, I booted it up in safe mode and ran a scan and
found the RBOT-AM virus on, which I removed. I also ran spybot - S&D and
adaware and remove a few bits but nothing dramatic.

When I start up in normal mode, a load of rundll32 processes are running
... a couple of hundred .. and they just seem to spawn until there is no
VM left and the machine shuts itself down.

When I start in Safe Mode, I can use the machine excpet for accessing
the control panel. When I try to access the control panel, I get the
window up and then the searchlight icon spinning around. If I try to get
into task manager, then I see a lot of rundll32 processes again and the
machine runs out of VM again.

One of the last things the user did before the problem occurred was to
install a BTBroadband CD. I uninstalled what I could of it .. mainly an
Intel DSL program, but, because I can't get to the control panel, I
can't get to Add/Remove programs.

If I stop the shutdown with a shutdown -a, I only really delay the
inevitable because the machine still runs out of VM.

Any help appreciated ...

Anyone have any ideas as to why control panel fails in safe mode ?

Is there anyway of finding out what might be triggering all the rundlls ?
What is the direct command to launch the Add/Remove programs window ?

Any thoughts gratefully received

Thanks

 

[Malke]

Hi,

I have had a laptop passed back to me by one of my users. After
booting up there were getting the RPC error... "Windows must now
restart because the RPC service terminated unsuccessfully" - and the
countdown.

Although the machine is patched, I assumed that a sasser variant had
got in...

When I got the machine, I booted it up in safe mode and ran a scan and
found the RBOT-AM virus on, which I removed. I also ran spybot - S&D
and adaware and remove a few bits but nothing dramatic.

When I start up in normal mode, a load of rundll32 processes are
running .. a couple of hundred .. and they just seem to spawn until
there is no VM left and the machine shuts itself down.

When I start in Safe Mode, I can use the machine excpet for accessing
the control panel. When I try to access the control panel, I get the
window up and then the searchlight icon spinning around. If I try to
get into task manager, then I see a lot of rundll32 processes again
and the machine runs out of VM again.

One of the last things the user did before the problem occurred was to
install a BTBroadband CD. I uninstalled what I could of it .. mainly
an Intel DSL program, but, because I can't get to the control panel, I
can't get to Add/Remove programs.

If I stop the shutdown with a shutdown -a, I only really delay the
inevitable because the machine still runs out of VM.

Any help appreciated ...

Anyone have any ideas as to why control panel fails in safe mode ?

Is there anyway of finding out what might be triggering all the
rundlls ? What is the direct command to launch the Add/Remove programs
window ?

It sounds like the system is infested with viruses and spyware. At this
point - particularly if you are a busy sysadmin - the easiest and most
efficient way is to format and start over.

Malke

 

[Help]

Hi Malke,

Thanks for the response .. I was deciding to blat and restart as the
fastest way to sort it out...

However, I have a bit more info and another question...

I ran a final virus scan with the system checking absolutely everything
it can and it found a part of the sasser virus. The file cmd.ftp was in
c:\windows\system32

This file is a temporary file used as part of the infecting process with
SASSER-A.

There were no signs of SASSER-A infected files anywhere else.. although
the symptoms are similar.

I did a scan for files that were modified around the same time as
cmd.ftp and found a couple in windows/system32:

cc.exe
msc.cpl

Neither show up in the sophos scan as being infected.

There were other bits such as things in prefetch .. but then the system
adds anything it runs to prefetch so these are presumably a kind of
audit trail of what was run when the infection took place.

I renamed the cc.exe, msc.cpl, and cmd.ftp to different names and
extensions.

The .cpl is a control panel file and would explain why I couldn't open
control panel.

Now, when I reboot, the machine starts up ok .. no extra processes and
seems clean.

My problem is that I don't know what else might have been
corrupted/changed when the infection took place and don't feel 100%
comfortable putting the machine on the network at the moment. (It is
currently standalone and I have been transferring files via a CD).

I assume that one or other of cc.exe, msc.cpl was triggering the
rundll32s and that they were being started by the prefetch (they were in
there from when they had run during the initial infection). I don't
know how realistic that is tho.

Again, any advice appreciated ...

 

[Rock]

Hi Malke,

Thanks for the response .. I was deciding to blat and restart as the
fastest way to sort it out...

However, I have a bit more info and another question...

I ran a final virus scan with the system checking absolutely everything
it can and it found a part of the sasser virus. The file cmd.ftp was in
c:\windows\system32

This file is a temporary file used as part of the infecting process with
SASSER-A.

There were no signs of SASSER-A infected files anywhere else.. although
the symptoms are similar.

I did a scan for files that were modified around the same time as
cmd.ftp and found a couple in windows/system32:

cc.exe
msc.cpl

Neither show up in the sophos scan as being infected.

There were other bits such as things in prefetch .. but then the system
adds anything it runs to prefetch so these are presumably a kind of
audit trail of what was run when the infection took place.

I renamed the cc.exe, msc.cpl, and cmd.ftp to different names and
extensions.

The .cpl is a control panel file and would explain why I couldn't open
control panel.

Now, when I reboot, the machine starts up ok .. no extra processes and
seems clean.

My problem is that I don't know what else might have been
corrupted/changed when the infection took place and don't feel 100%
comfortable putting the machine on the network at the moment. (It is
currently standalone and I have been transferring files via a CD).

I assume that one or other of cc.exe, msc.cpl was triggering the
rundll32s and that they were being started by the prefetch (they were in
there from when they had run during the initial infection). I don't
know how realistic that is tho.

Again, any advice appreciated ...

You might want to run a few other spy checkers and several of the online
virus scans to be sure:

Cwshredder
http://209.133.47.200/~merijn/files/CWShredder.exe

Bazooka Adware and Spyware Scanner
http://download.com.com/3000-2144-10247783.html

Lastly run HiJackThis. If you are uncertain if something is a problem
post the log to one of the specialty forums listed below, _NOT_ this one.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Intrepret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm

Online and Downloadable Virus Scanning:

Bit Defender Online Virus Scan:
http://www.bitdefender.com/scan/license.php

Symantec Online Virus and Security Scan:
http://security.symantec.com/ssc/home.asp

TrendMicro:
http://housecall.trendmicro.com/housecall/start_corp.asp

McAfee Online Virus Scan:
http://www.mcafee.com/myapps/mfs/default.asp

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

RAV AntiVirus - Scan Online
http://www.ravantivirus.com/scan/

McAfee Stinger, Downloadable Virus Scanner:
http://us.mcafee.com/virusInfo/default.asp?id=stinger

Lastly, check the system for vulnerabilites using these websites:

Browser Security Tests:
http://www.jasons-toolbox.com/BrowserSecurity/

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/
www.pcpitstop.com

 

[Malke]

Hi Malke,

Thanks for the response .. I was deciding to blat and restart as the
fastest way to sort it out...

However, I have a bit more info and another question...

I ran a final virus scan with the system checking absolutely
everything it can and it found a part of the sasser virus. The file
cmd.ftp was in c:\windows\system32

This file is a temporary file used as part of the infecting process
with SASSER-A.

There were no signs of SASSER-A infected files anywhere else..
although the symptoms are similar.

I did a scan for files that were modified around the same time as
cmd.ftp and found a couple in windows/system32:

cc.exe
msc.cpl

Neither show up in the sophos scan as being infected.

There were other bits such as things in prefetch .. but then the
system adds anything it runs to prefetch so these are presumably a
kind of audit trail of what was run when the infection took place.

I renamed the cc.exe, msc.cpl, and cmd.ftp to different names and
extensions.

The .cpl is a control panel file and would explain why I couldn't open
control panel.

Now, when I reboot, the machine starts up ok .. no extra processes and
seems clean.

My problem is that I don't know what else might have been
corrupted/changed when the infection took place and don't feel 100%
comfortable putting the machine on the network at the moment. (It is
currently standalone and I have been transferring files via a CD).

(snip)

You absolutely have the right idea. If this were a home user's pc where
you had to get the data off and you had hours to mess around, maybe it
would be worth hand-cleaning, running the usual 4 or 5 spyware removal
tools, rescanning with a different av (I really like TrendMicro's
SysClean utility). But in a corporate environment, as you so wisely
pointed out, you just can't afford to take the chance that you'll miss
a trojan. Wipe it and image the sucker.

Regards,

Malke

 

[Masta Eda]

I had this strange problem (or better virus/worm or something) too or
should I say a friend of mine. I spent all the nighttime searching for
an answer, and thank to god (and to mr. help ^^) I found one... thank
you for this.

There is something more I wanted to say:
The notebook (I repaired) was primaly infected with the Parite.A and
Tanked.B (or so), maybe this is a side effect from one of those
viruses or something like this?
Furthermore there was (and is -> cannot be repaired) also a registry
entry, which I found with HijackThis:
O21 - SSODL:ShellFolder for CD Burning -
{E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\Windows\System32\msc.cpl

And... I opened the msc.cpl file with a hex-editor (wanted to find a
message) and found a strange line: "Polax Troy Terminal"... I googled
for this line and found out that Pola X is a movie (also Troy and
Terminal, but these words may have other meanings). So are there any
other speculations? I'm curious!

Greetz from Austria (no NOT kangaroo)!
ME

PS: This information should be given to av-experts...