Author Topic: "cannot process" rundll32.exe/Win32:Tibs-ADO  (Read 8486 times)


Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
"cannot process" rundll32.exe/Win32:Tibs-ADO
« on: January 06, 2007, 01:19:29 AM »
I have a recurring D2_.exe and af.exe infection on this W98SE system. A trojan also ruined my command.com and DOS terminal functionality, so I can't even see what network connections are running.

Looking at my 'run' history I see
msconfig
//maniack.free.fr/svchost.exe
command
//planet.nana.co.il/shimonshimon123/pack.exe
regedit

I KNOW I haven't run any of those.

Using AVAST today, running a C drive scan, it 'catches' rundll32.exe, identifies the Win32:Tibs-ADO Trojan.

When I say to quarantine it, it says "cannot process".  It will not allow a move/rename either.  Scanner status says 'infected'. 

Any advice?

thx
Karl
USA



« Last Edit: January 06, 2007, 06:00:53 PM by k_e_moeller »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #1 on: January 06, 2007, 01:24:27 AM »
Please REMOVE live links to infected files  :o
This is not allowed in the forum...

When I say to quarantine it, it says "cannot process".  It will not allow a move/rename either.  Scanner status says 'infected'. 
Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
Please, schedule the Boot Time Scanning:

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.
The best things in life are free.

Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #2 on: January 06, 2007, 06:13:08 PM »
>>Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!

I get that.  However, that is exactly what I need to do.

>>Click on the Menu button.

What 'Menu button'?  The Avast icon on my desktop starts a memory test, which AGAIN finds

rundll32.exe

and PDLL.dll

neither of which can be quarantined, moved, or renamed. Though I ran a complete C drive scan last night, this Win32:Tibs-ADO trojan virus is still on my system.

>>Click on the Menu button.
>>Choose Schedule Boot Time Scan.
>>Doing so displays a dialog allowing you to schedule virus scanning.

Okay, the 4.7 tool finally displayed, and I found the Menu button.

Schedule Boot Time Scan is greyed-out and cannot be selected.

As is 'Status information'
'Last scan results'
'View scan reports'.

It's puzzling that Avast software identifies the Trojan perfectly yet is unable to actually eliminate it.  It keeps finding these over and over:

d2_.exe
svchost.exe


« Last Edit: January 06, 2007, 06:14:39 PM by k_e_moeller »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #3 on: January 06, 2007, 06:22:59 PM »
>>Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
I get that.  However, that is exactly what I need to do.
So, run a boot time scanning...

>>Click on the Menu button.
What 'Menu button'?  The Avast icon on my desktop starts a memory test, which AGAIN finds
rundll32.exe
and PDLL.dll
Stop memory scanning in order to get the avast skin (window).
If you want, you can schedule a boot time scanning just by running:
C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*

neither of which can be quarantined, moved, or renamed.  Though I ran a complete C drive scan last night,  this Win32:Tibs-ADO trojan virus is still on my system.
It's puzzling that Avast software identifies the Trojan perfectly yet is unable to actually eliminate it.  It keeps finding these over and over:
d2_.exe
svchost.exe
If a virus keeps coming back (again and again), you should:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files. You can use the Windows Advanced Care features for that.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers).
5) Use the immunization of Windows Advanced Care features of spyware/adware cleaning and removal.
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #4 on: January 06, 2007, 06:40:53 PM »
Boot scan is not available in win 98se. Boot to safe mode and scan from there. The section in Tech's post regarding system restore does not apply either.

Post back with results.

Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #5 on: January 06, 2007, 06:42:39 PM »
Tech, thank you for your help.

However, in order:

I cannot do
C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*
..because one of these trojans ruined my 'command' executables, as I said in my first post.. I can't run a DOS window, and when I paste the statement above into the Run tool I get a persistent MMTASK error.. the same one that comes up when I try to clear my windows/temp area.

This is a W98SE system and I didn't get the Microsoft CDs when I bought it used.. stupid, I know.

update - I see that boot scanning isn't available in W98SE.

Safe mode scan?  I'll try it.

p.s. I am sorry to post live links to known bad files.. fixed now.

Karl
« Last Edit: January 06, 2007, 06:44:48 PM by k_e_moeller »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #6 on: January 06, 2007, 06:53:50 PM »
Boot scan is not available in win 98se. Boot to safe mode and scan from there. The section in Tech's post regarding system restore does not apply either.
Sorry... Oldman is correct, both boot time scanning and system restoration aren't available for Windows 98.
I suggest that you add this HDD as a second (slave) in another computer with avast (better with Windows XP) and run a full avast scanning (or boot time scanning).
It will be good if in this second computer you have antitrojan applications installed.
The best things in life are free.

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1757
  • Ad-aware orientated Support forum(s)
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #7 on: January 06, 2007, 07:07:37 PM »
:) Hi Karl:

"Trojans" are best handled by antiSPYWARE/antiTROJAN program(s); you have NOT mentioned
IF you have any such program(s) on your computer !?
Based on what you are reporting, it may be best IF you got the assistance of an experienced,
volunteer Malware Expert usually found on an antiSPYWARE Support Forum !?
If you know of none, I recommend www.landzdown.com . All such forums usually want to
see a "log" from the "HijackThis" program, therefore :

      Download HijackThis© from:  www.thespykiller.co.uk/files/HJTsetup.exe .
At the download prompt, choose "Save". 
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
When the installation is complete, exit HijackThis.
For the Best in what counts in Life :
www.tacf.org

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #8 on: January 06, 2007, 07:32:12 PM »
Karl - can you check for the presence of these files

svchost.exe in C:\Windows and also in C:\Windows\System

rundll32.exe in C:\Windows and also in C:\

pdll.dll in C:\Windows\System

d2_.exe and pack.exe anywhere on your computer

internat.exe in C:\Windows and also in C:\

Download HijackThis© from:  www.thespykiller.co.uk/files/HJTsetup.exe .
At the download prompt, choose "Save". 
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
When the installation is complete, exit HijackThis.
and post the log here if you like ...
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #9 on: January 07, 2007, 12:55:21 AM »
svchost.exe in C:\Windows and also in C:\Windows\System

renamed to .vir

rundll32.exe in C:\Windows and also in C:\

YES, and this is now preventing me from even running Add/Remove programs

pdll.dll in C:\Windows\System

Yes

d2_.exe and pack.exe anywhere on your computer

No, been deleted quite a few times, not on now

internat.exe in C:\Windows and also in C:\

No, been deleted quite a few times, not on now

You missed af.exe, which is also gone.

QUESTIONS:

I see mention of HiJackThis.. this is not a browser hijacker.  Confused.

Also.. mention of using 'Trojan removal' software.. call me confused again.. Avast can identify the Trojan, but not remove it?  Since when is an antivirus not also an antiTrojan?

Do I need to do a Safe Mode C drive scan or not?

Do I have to do HiJackThis AND one of the Trojan removers?

thanks!

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #10 on: January 07, 2007, 03:19:05 AM »
svchost.exe in C:\Windows and also in C:\Windows\System

renamed to .vir

Did you rename it, or was it renamed by the malware?  Are both instances renamed?

internat.exe in C:\Windows and also in C:\

No, been deleted quite a few times, not on now

Is it gone from both locations or is it still in C:\
(If it's in C:\ don't delete it.)

I see mention of HiJackThis.. this is not a browser hijacker. Confused.
No, it's not a hijacker at all.  It's a tool that enumerates the running processes, registry keys etc that can help us find a solution to your problem.  You can see what a hijackthis log looks like by looking at this thread

http://forum.avast.com/index.php?topic=25753.0

When you run the tool you will see options to "fix" things.  Don't do this right now - just generate and post the log.  If it's too long to post in one reply use two or more.

Do I need to do a Safe Mode C drive scan or not?
Do I have to do HiJackThis AND one of the Trojan removers?
We may get to the safe mode scan but lets put that off a little.

It would be a good idea to download and install A-Squared which is an antitrojan program.  Get the free version here

http://www.emsisoft.com/en/software/download/

You need this because although antivirus programs do offer protection from trojans and worms their specialty is protecting you from viruses.  Antispyware programs are often better at finding trojans and worms.  This is true of all antivirus programs - not just avast!


Before posting the hijackthis log please upload samples of any instance of rundll32.exe and internat.exe you have to Jotti for analysis

http://virusscan.jotti.org/

Take careful note of which are infected and which are clean and post this information.  Also post the hijackthis log when you can.


EDIT:  Do you have a firewall installed?
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #11 on: January 07, 2007, 03:20:04 AM »
A lot of times when a file is in use it can't be accessed by an av. That's why a boot time scan is good to use. The scan runs before windows is loaded. Since you can't do a boot time scan, a safe mode scan is an alternative, but not as good since windows loads first, with minimal drivers and applications. Hopefully the files you want to scan won't be deemed necessary by windows and you will be able to scan them.

HijackThis isn't just for hijacking. It is a powerful tool that analyses what is running on your system. HijackThis can identify the malware and an antitrojan program can be used for removal.

Since you are using 98se, I would suggest asquared. Again in safe mode.

If avast does find anything, please do not delete it, send it to the chest.

Posting your hijackthis log here in this thread will get a response. Follow the tutorial.

Follow mauserme's instructions, my comments were just info for some of your questions.
« Last Edit: January 07, 2007, 03:23:20 AM by oldman »

Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #12 on: January 07, 2007, 07:24:06 PM »
thanks, will do all, I appreciate the info and the TIME very much

Karl

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #13 on: January 07, 2007, 07:29:32 PM »
No problem. Good luck and keep us posted!

Offline k_e_moeller

  • Newbie
  • *
  • Posts: 10
Re: "cannot process" rundll32.exe/Win32:Tibs-ADO
« Reply #14 on: January 08, 2007, 04:47:21 AM »
I leave to work out of town for four days.. however I did do one thing..

There is a link between Rundll32.exe and the Tibs-ADO virus. 

I also suspect my Dial-Up Networking (I'm using Ethernet and DSL) because out of the blue I'd get occasional illegal TAPISERV messages, and that is the dialer telephony software, unused on this system.  Tried to get into MODEM on the Control Panel, died with an illegal Rundll32.exe message - one that could not be gotten rid of.

When I search for rundll32.exe I find TWO files

C:\rundll32.exe size 21K creation date 1999

C:\Windows\Rundll32.exe size 131K creation date 12/2/2006

I booted with CTL and rather than launching into SAFE MODE I chose the DOS screen.

There I COPIED the C:\rundll32.exe onto the C:\Windows version and chose 'Overwrite=Yes'.

Rebooted and things seem to be working - I can look at my dialer.

Of course there's still that rotten PDLL.DLL hanging around.. Did a FIND on it, right clicked, told Avast to look at it, virus found, move to Chest, WORKED. 
« Last Edit: January 08, 2007, 04:50:34 AM by k_e_moeller »
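A small triage helper for the file checks mauserme asked for in Reply #8 and the two differently sized rundll32.exe copies Karl found above. This is an added example, not code from the thread or from avast: it walks a directory tree, reports every file whose name is on the watch list with its size and SHA-256, and flags a copy of a system binary sitting outside its expected directory or two copies of one name that differ in content. The sample tree, file names, sizes and expected-directory table are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Names from mauserme's checklist, plus af.exe, which Karl noted was missed.
WATCH_LIST = {"svchost.exe", "rundll32.exe", "pdll.dll", "d2_.exe",
              "pack.exe", "internat.exe", "af.exe"}
# Assumed legitimate location (relative to the drive root) of each system binary;
# a copy anywhere else is worth a closer look.
EXPECTED_DIR = {"rundll32.exe": "windows", "svchost.exe": "windows/system",
                "internat.exe": "windows"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root):
    """Return {name: [ {path, size, sha256, note} ]} for every watch-listed file under root."""
    root = Path(root)
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()
            if key not in WATCH_LIST:
                continue
            p = Path(dirpath) / name
            rel_dir = p.parent.relative_to(root).as_posix().lower()  # "." means drive root
            expected = EXPECTED_DIR.get(key)
            note = "" if expected is None or rel_dir == expected else f"copy outside expected dir {expected!r}"
            found.setdefault(key, []).append(
                {"path": str(p), "size": p.stat().st_size, "sha256": sha256_of(p), "note": note})
    # Same file name in two places with different content (Karl's 21K vs 131K case): flag both copies.
    for copies in found.values():
        if len({c["sha256"] for c in copies}) > 1:
            for c in copies:
                c["note"] = (c["note"] + "; " if c["note"] else "") + "differs from other copy"
    return found

def build_sample_tree():
    """Constructed sample drive: a small rundll32.exe in the root, a larger one under windows\\."""
    root = Path(tempfile.mkdtemp())
    (root / "windows" / "system").mkdir(parents=True)
    (root / "rundll32.exe").write_bytes(b"MZ" + b"A" * 21_000)
    (root / "windows" / "rundll32.exe").write_bytes(b"MZ" + b"B" * 131_000)
    (root / "windows" / "system" / "pdll.dll").write_bytes(b"MZ" + b"C" * 500)
    (root / "windows" / "notepad.exe").write_bytes(b"MZ")  # not on the watch list, ignored
    return root

if __name__ == "__main__":
    for name, copies in sorted(triage(build_sample_tree()).items()):
        for c in copies:
            print(f"{name:14} {c['size']:>8}  {c['sha256'][:12]}  {c['path']}  {c['note']}")
```

Nothing here deletes or overwrites files; the output is what you would post alongside a HijackThis log so helpers can tell the copies apart.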