billyboy Posted July 7, 2006 I'm working on my friend's computer that became infected with a few trojans after his granddaughter was on MSN. He is running WinME and is using selective startup in the system config. In the config utility he only has LoadPowerProfile and SystemTray checked. When I do a Ctrl/Alt/Del, instead of it showing Explorer and SystemTray, it shows Rundll32 only. I have run AVG and Trend Micro System Clean, a host of spyware tools, and removed manually what was embedded. I've read that some trojans will copy themselves as Rundll32 and that is how they avoid the antivirus scans. When the computer was connected to the web it was constantly loading lexplore (that's "lexplore" but with a lower-case L). When it's disconnected from the internet, it only shows the Rundll32. Does anyone have any experience with this? I've read that it adds a line to the original Windows Rundll32 in the registry. Thanks for any help that you can offer.
Tarun Posted July 7, 2006 You can always try to post a HijackThis log, or refer to the Anti-Malware cleaning sticky at the top. Since you're on a Windows ME machine you'll want the Anti-Malware Lite package.
LLXX Posted July 7, 2006 Beware of startups originating in win.ini and system.ini. I have seen this before: a trojan is loaded from a line in system.ini or win.ini and is called rundII (notice the I instead of L), which then proceeds to load Explorer, "wrapping" around it.
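The lookalike-name trick LLXX describes (rundII with a capital I standing in for the l of rundll, or lexplore in place of iexplore) is easy to miss by eye but easy to catch mechanically. The script below is an added example written for this thread, not code from any poster: it parses the [boot] shell= hook in system.ini and the [windows] load= / run= hooks in win.ini, then compares every executable named there against a small allow-list after folding confusable glyphs (I/l/1/|, and 0/o). The allow-list, the homoglyph set and the two sample ini files are assumptions constructed for the demo; on a real machine you would point it at C:\WINDOWS\SYSTEM.INI and C:\WINDOWS\WIN.INI copied off the box.

```python
"""Audit win.ini / system.ini startup hooks for lookalike loader names.

Added example for this thread, not code from the original post. Windows
9x/ME honours [boot] shell= in system.ini and [windows] load= / run= in
win.ini as startup hooks, so a trojan named rundII32.exe (capital I for l)
or lexplore.exe (l for i) blends in with the genuine names. The allow-list,
homoglyph table and sample ini text below are constructed assumptions.
"""
import sys

# Executables the startup chain is allowed to name (assumed allow-list).
KNOWN_NAMES = {"explorer.exe", "rundll32.exe", "rundll.exe", "iexplore.exe"}

# Lower-case characters that pass for one another in common GUI fonts.
# Applied after lower-casing, so both 'I' and 'i' fold to 'l'.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

# (section, key) pairs that Windows 9x/ME treats as startup hooks.
STARTUP_KEYS = (("boot", "shell"), ("windows", "load"), ("windows", "run"))


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with sections/keys lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def normalize(name):
    """Fold confusable glyphs so 'rundII32.exe' and 'rundll32.exe' compare equal."""
    return name.lower().translate(HOMOGLYPHS)


def classify(token):
    """Return (verdict, matched_name) for one startup token.

    verdict is 'known' (exact allow-list hit), 'lookalike' (differs from an
    allow-listed name only by confusable glyphs) or 'unknown'.
    """
    base = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in KNOWN_NAMES:
        return "known", base
    folded = normalize(base)
    for known in KNOWN_NAMES:
        if folded == normalize(known):
            return "lookalike", known
    return "unknown", None


def audit(text):
    """Classify every token in each startup hook of one ini file.

    Returns a list of (section, key, token, verdict, matched_name) tuples.
    """
    sections = parse_ini(text)
    findings = []
    for section, key in STARTUP_KEYS:
        value = sections.get(section, {}).get(key, "")
        for token in value.split():
            verdict, matched = classify(token)
            findings.append((section, key, token, verdict, matched))
    return findings


def suspicious(text):
    """Only the findings that are not exact allow-list hits."""
    return [f for f in audit(text) if f[3] != "known"]


# Constructed sample files reproducing the "wrapping" pattern from the thread.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe rundII.exe
drivers=mmsystem.dll
"""

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\rundII32.exe lexplore.exe
[Desktop]
Wallpaper=(None)
"""


if __name__ == "__main__":
    # Pass real file paths (e.g. C:\WINDOWS\SYSTEM.INI C:\WINDOWS\WIN.INI)
    # to audit them; with no arguments the constructed samples are used.
    if len(sys.argv) > 1:
        texts = [open(p, encoding="latin-1", errors="replace").read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI]
    for text in texts:
        for section, key, token, verdict, matched in suspicious(text):
            hint = f" (looks like {matched})" if matched else ""
            print(f"[{section}] {key}= {token}: {verdict}{hint}")
```

Run with no arguments and it reports the three planted entries: rundII.exe trailing Explorer.exe on the shell= line, the full-path rundII32.exe under run=, and lexplore.exe flagged as a lookalike of iexplore.exe. Anything that is neither an exact allow-list hit nor a glyph-for-glyph lookalike comes back as "unknown", which on a clean WinME box should be an empty list; an "unknown" entry still deserves a look, since a trojan can just as easily use a name that resembles nothing.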
billyboy Posted July 8, 2006 Author (edited) I downloaded and ran Process Explorer. Rundll32.exe is running a bunch of processes, but there are 3 that I'm curious about, and they are: Process rundll32.exe(FFFDAB15); String rundll32.exe(FFFDAB15) FFFDA9A9; String rundll32.exe(FFFDAB15) FFFD756D. I would think that one of these must be the one that is the infection. If anyone has any experience with this software could they please get back to me and tell me if they are legit or bogus. Edited July 8, 2006 by billyboy
Tarun Posted July 8, 2006 Please refer to this link and then post your HijackThis log.