Question about suspected file...



Chaos31
2008-12-30, 21:12
Hey guys,

So I was a victim of Virtumonde and finally got it cleaned off, ran a ton of scans afterwards, including with Spybot S&D, and came up with no threats. Everything is running fine again too.

Now I went into my task manager and rundll32.exe is currently running. When I had Virtumonde this was associated with it.

Should I be alarmed and do something, if so what? Or should I not worry about it?

Ever since I ran a ton of scans and they found nothing, I haven't done any system restores or anything either, but everything is currently running 100% fine compared to when I had Virtumonde.

Thanks,

David

tashi
2008-12-30, 22:00
Hi there,

You did not mention your operating system or the path to rundll32.exe.

However this link should help explain.

http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

Cheers.

Chaos31
2008-12-30, 22:32
Oops, sorry, I forgot that.

OS: Windows XP Home Edition SP3

As for the path, I don't know it offhand; I'll figure it out and read your link.

Chaos31
2008-12-30, 23:35
Sorry to double post; here's what I grabbed off it.

Path: C:\WINDOWS\system32\rundll32.exe

Command Line: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\awtTkigD.dll",ShellPath

Current Directory: C:\WINDOWS\SYSTEM32\

Parent: svchost.exe(1516)
===============
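The details pasted above (a rundll32.exe host, a quoted DLL path in system32 with an eight-letter mixed-case name, an export called ShellPath, parent svchost.exe) are exactly the fields a helper looks at when deciding whether a rundll32 entry is a leftover Vundo loader. The script below is an added example, not code from this thread or from Spybot: it parses rundll32 command lines in the form `rundll32.exe <dll>,<entry> [args]` and applies simple triage heuristics. The process records are constructed to match the post, the "eight random mixed-case letters" rule and the small entry-point allowlist are assumptions made for illustration, and on a real machine you would feed it the output of Process Explorer or `wmic process get ProcessId,ParentProcessId,CommandLine` in the same shape.

```python
"""Triage rundll32.exe command lines for Vundo-style DLL loads (added example)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample records: the first mirrors the details posted in the
# thread, the second is a benign Control Panel launch, the third is not
# rundll32 at all. (Hypothetical data, not captured from a real machine.)
SAMPLE_PROCESSES = [
    {"pid": 2244, "parent": "svchost.exe",
     "cmdline": r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\awtTkigD.dll",ShellPath'},
    {"pid": 3100, "parent": "explorer.exe",
     "cmdline": r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 1200, "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

# rundll32 syntax is  rundll32.exe <dll>,<entry> [args]; the DLL may be quoted.
# The host path is assumed to contain no spaces (true for %SystemRoot%\system32).
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<host>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Heuristic (assumption): Vundo dropped DLLs named with eight random
# mixed-case letters, e.g. awtTkigD.dll. Shipped Windows DLLs are not named so.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}\.dll$")

# Illustrative allowlist of entry points seen in legitimate rundll32 use.
# Not exhaustive, so an unknown entry point is only a low-confidence signal.
KNOWN_ENTRIES = {"control_rundll", "printuientry", "shellexec_rundll"}


@dataclass
class Finding:
    pid: int
    dll: str
    entry: str
    parent: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if any(r.startswith("random") for r in self.reasons) else "low"


def parse_rundll32_cmdline(cmdline: str):
    """Return (host_path, dll_path, entry_point) or None if not a rundll32 call."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group("host"), m.group("dll"), m.group("entry")


def triage(processes):
    """Score each rundll32 process; only processes with at least one reason are returned."""
    findings = []
    for p in processes:
        parsed = parse_rundll32_cmdline(p["cmdline"])
        if parsed is None:
            continue
        host, dll, entry = parsed
        reasons = []
        if RANDOM_NAME_RE.match(ntpath.basename(dll)):
            reasons.append("random-looking 8-letter mixed-case DLL name")
        host_dir = ntpath.basename(ntpath.dirname(host)).lower()
        if host_dir and host_dir not in ("system32", "syswow64"):
            reasons.append("rundll32 host not running from system32")
        if entry.lower() not in KNOWN_ENTRIES:
            reasons.append(f"entry point {entry!r} not in allowlist")
        if reasons:
            findings.append(Finding(p["pid"], dll, entry, p["parent"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"[{f.severity}] pid {f.pid} parent {f.parent}: {f.dll},{f.entry}")
        for r in f.reasons:
            print("    -", r)
```

Run against the constructed records it reports only pid 2244, rated high because of the DLL name; the Control Panel launch parses but trips no rule. The name heuristic is deliberately narrow, so treat a "high" as a reason to pull the file and post a log, not as proof of infection.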

Chaos31
2009-01-01, 22:35
anybody?

tashi
2009-01-02, 00:45
Hi there,


C:\WINDOWS\system32\awtTkigD.dll",ShellPath

Did you copy that exactly?

Apparently awt.dll is a Java(TM) 2 Platform Standard Edition binary, but "awtTkigD.dll" and "awtTkigD.dll",ShellPath are unconventional.

Chaos31
2009-01-02, 04:21
Yes I copied as it appeared.

tashi
2009-01-02, 18:15
Hello Chaos31,

That entry could be a Vundo file, either leftover or live. I will send you to the malware removal forum so they can see a log.

But first, which tools did you use aside from Spybot-S&D when you tried to clean the infection, and do you have old versions of Sun Java on that computer?

Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2 )

Best regards.

Chaos31
2009-01-02, 19:01
Nope, I made sure to update my Java.

I used:
-ATF Cleaner
-Malwarebytes' Anti-Malware
-VundoFix
-SysRestorePoint (Just to make a backup in case)
-erunt (Just to make a system restore point in case)

tashi
2009-01-02, 19:27
Hi

As it could prove difficult to know what is going on without seeing the entire picture, please follow the procedure in this link: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available.

Cheers.