Rundll32.exe and spyware

Printable View

October 29th, 2004, 11:20 AM
ROMAX

Rundll32.exe and spyware

Okay, quick story. My client has a Dell with windows 98. He had it cleaned last week and bought Norton internet security 2005. Went home,connected to the broadband( before the AV was installed) and got infected. As he tried to istall Norton he got an error" Norton has failed to install, do you want to continue"
At this stage he called me, on running Pestpatrol,spybot etc, found multiple spyware and adware on the unit and removed them. Ran Stinger and reported clean and ran Hirens with F-prot also clean.
Then the fun part, on reboot and trying to install Norton Internet sercurity 2005, it fails again, this time saying that a failed instal or uninstall was found, please reboot and try again.
Again tried this and also all the ideas from the Symantec website. No help.

Also during this time it keeps trying to connect to the web and when the DSL is connected several webpages are displayed. Ctrl-Alt-DEL shows Rundll32.exe is running and when I stop this, the pages stop comming up (for a while) then later they appear again. I know there is something on the unit stopping me installing Norton but is not showing up in any of my Spyware or adware or AV programs.
When I check out Rundll32.exe in the Windows folder it looks ok and is dated April 1999

Spybot has just come back and found a load od "Coolwww" and a DSO exploit on the system. I just clean this lot last night.

Any Ideas?

Robert :mad:
October 29th, 2004, 11:25 AM
ROMAX

Update the DSO expliot has come up in German with an error during check
Ungultiger Datentyp Fur

What does this mean?
October 29th, 2004, 11:35 AM
ROMAX

Update: Google found and told me what the Z-demon is and I will try and remove it
October 29th, 2004, 11:46 AM
nihil

Slanite va,

Kildare?........................the "lilly whites"?

OK the "Curragh" is fine for the horses, but you are a large ball county........would you fancy the small ball against the "Banner County"

:D

Then, I will try to answer your real question
:cool:
October 29th, 2004, 12:15 PM
ROMAX

Go on ya boy ya!

Sure the hurl is better, but if your up for a game, why not. But do ya want to play golf or soccer? I mean the K club is only down the road from here!

Rob
October 29th, 2004, 04:14 PM
cgkanchi

1. The DSO exploit is simply a bug in spybot. It's a false positive
2. Run HijackThis! and look for anything out of place
3. Rundll32.exe is probably not the culprit here. All sorts of programs use it to launch other crap. So, it's not necessarily Rundll32.exe that is infected.

Cheers,
cgkanchi