rundll32.exe syntax question

  • Thread starter: Clive Everett

Clive Everett

I have a startup procedure that I cannot find and I would appreciate some
help about where to look for it as I'd like to find out what it is. The
startup command in the registry is:

rundll32 j:\WINDOWS\System32:qnrxwud.dll, Init 1

I looked inside the System32 folder including the dllcache and there is
nothing called qnrxwud.dll. I don't understand what the
"System32:qnrxwud.dll" syntax means in the command line path above so I
don't know where else to look. It must be valid syntax otherwise it wouldn't get
loaded.

I ran processxp and dependency walker and the dll is being loaded by most of
my running processes and it has exported some functions so it does exist.
In case it helps, the functions exported are:

DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall


I have wasted lots of time searching by name and by the dates and sizes
reported, but got nowhere and I would appreciate some help.

Thanks,

Clive
 
Just a thought. This syntax is for streams. The UI has limited support for streams. All files have a default and unnamed stream. This is what we think of as a file. However a file can have more than one stream. If you fill in the summary info on a file's property sheet that info is stored in a stream on the file.

Therefore see if there is a stream attached to the system32 folder or a file with that name. Remember there is only limited support for streams so most commands can't work.

This is how to see if a stream (named qnrxwud.dll) is attached (type won't work). There is no inbuilt command to list the streams.
more < c:\windows\system32:qnrxwud.dll
and if you get some gibberish then it is a stream. And if the first two letters are MZ then it's a DLL or EXE file. It was only a matter of time before virus writers were going to hide stuff in streams.

This third party tool may make investigations easier, http://www.sysinternals.com/ntw2k/source/misc.shtml#streams.
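Added example, not code from this thread: a small Python triage script for the two checks the reply describes. It parses a Run-key value of the form "rundll32 <dll>, <entry> [args]", recognises the "<host>:<stream>" alternate-data-stream syntax in the DLL path (a second colon after the drive letter, even when the host is a folder like System32), and tests the first two bytes for the MZ signature. Regex shapes, function names and the sample values are my own assumptions; read_stream_head only works on Windows/NTFS.

```python
import re

# "rundll32 <dll>, <entry> [args]" as it appears in a Run/RunOnce value.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"?[^"\s]*rundll32(?:\.exe)?"?)\s+(?P<dll>[^,]+?)\s*,\s*(?P<entry>\S+)(?P<args>.*)$',
    re.IGNORECASE)

# The colon after the drive letter is normal; a second colon names an NTFS
# alternate data stream on the path before it (a file OR a directory).
# An optional trailing ":$DATA" stream-type suffix is tolerated.
ADS_RE = re.compile(r'^(?P<host>[A-Za-z]:[^:]*):(?P<stream>[^:]+)(?::\$DATA)?$')


def parse_rundll32(cmdline):
    """Split a rundll32 command line into dll path, entry point and arguments."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return {"dll": m.group("dll").strip(), "entry": m.group("entry"),
            "args": m.group("args").strip()}


def split_ads_path(path):
    """Return (host, stream) if path uses stream syntax, else None."""
    m = ADS_RE.match(path.strip())
    return (m.group("host"), m.group("stream")) if m else None


def looks_like_pe(head):
    """True if the first two bytes carry the MZ signature of a DLL/EXE."""
    return head[:2] == b"MZ"


def triage_run_value(cmdline):
    """Return a list of human-readable findings for one Run-key value."""
    findings = []
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return findings
    ads = split_ads_path(parsed["dll"])
    if ads:
        host, stream = ads
        findings.append(f"rundll32 loads '{stream}' from an alternate data "
                        f"stream attached to '{host}' (entry {parsed['entry']})")
    return findings


def read_stream_head(host, stream, n=2):
    # Windows/NTFS only: open() accepts "<host>:<stream>" directly, which is the
    # same trick as "more < c:\windows\system32:qnrxwud.dll" in the reply above.
    with open(f"{host}:{stream}", "rb") as fh:
        return fh.read(n)
```

Pass each Run/RunOnce value through triage_run_value; on the affected machine, read_stream_head on a flagged (host, stream) pair followed by looks_like_pe reproduces the MZ check from the reply.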
 
Thank you so much for your help. That's exactly what it was: a stream
attached to the \windows\system32 folder. The data started with MZ
confirming that the stream was the dll as you thought. So I seem to have
picked up a "stream" virus! It's concerning as I am pretty careful about
where I go and what I load and open in email or from Web sites and now I
shall have to be even more careful.

I used the program you recommended to delete the stream and now after
getting rid of the stream and the Run and RunOnce keys there is no trace of
it. It did seem to put itself back when I deleted anything so I rebooted
into a Win2003 boot and got rid of it from there.

Thanks again for your help. It was also fun to learn something about NTFS
streams which I never knew existed.

Clive
