Multiple rundll32.exe with hijackthis log

I have changed the topic to update my problem. Looks like it never ends!


I have been getting pop ups from spyware doctor…

Threat Name - Trojan.Storm_Infection_Server
Details - Site Guard has blocked access to a bad website
Risk Level - Medium
Infection - 89.178.184.91

I did the usual scan and didn’t get anything. I’m getting paranoid with this so can someone help me out?

Please scan with the two programs mentioned here:
How to check if your computer is infected

Let us know the results of the scans.

Thanks for the reply! I have run the 2 scans and nothing came up on both. I have been reading on the link you gave and this looks like it will take a lot of time plus I’m a beginner with this. Any ideas on what I should do next?

Does this alert only happen when you go online or is it at random times?

If neither of the programs you scanned with found anything it’s pretty unlikely that you’re infected.

I’m not familiar with Spyware Doctor, but it almost seems like a web shield alert. Can you please give more information about the circumstances in which you get the alert.

Sorry for the late reply. I noticed it pops up sometimes when skype was running so I have contacted skype and looks like it’s their IP for peer to peer connection. I am also waiting for PCTOOLS reply.

I ran some scans again and for some reason comodo cloud scanner showed 4 malware stuff that didn’t come up before. I have provided a screenshot.

[attachment deleted by admin]

Did you submit those for analysis?

Comodo Cloud Scanner doesn’t scan for malware exactly but for unknown files. Those seem like Sony files, not malware. When you submit them for analysis they are checked using CIMA and it reports whether it thinks they’re malicious or not.

If these are all the files it found then please upload them to virustotal to make sure they are what they appear to be. If this is all CCS found and they turn out to be safe then I don’t believe you are infected.

89.178.184.91
That's a Russian site, if that helps

Thanks for the info… Is it part of skype?

I have read and tried the guide and I was wondering if it’s ok that I post a hijack log here? I’m not a pro at this and I want a second opinion from the resident experts here.

Sure, I can’t understand it, but someone can.

Here is my hijack this log. Thanks to anyone who will help!

[attachment deleted by admin]

I would like to add that I have noticed my ram usage tends to be a bit higher than normal so I checked process explorer and saw multiple rundll32.exe running.

Can anyone please help me out?

Can anyone help me out please?

Remove the following (as always, let “hijack this” create a backup copy just in case)

(Remember after removing some of these in “R1” and “R0”, some might come right back. Don’t worry about it if it does) :)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)

After doing that, restart the computer. Then start the next section

=============================================
Do you use or require “Bluetooth” ??? (If you’re not sure, leave it alone)

If not, remove the following (as always, let “hijack this” create a backup copy just in case) :)

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send image to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

======================================

If everything seems fine (Give it a few days just to be safe), I’d delete all the system restore points and create a fresh new restore point

========================================

also

"I would like to add that I have noticed my ram usage tends to be a bit higher than normal"
While I never used Skype, I'd check your Skype options and make sure you're not running "Supernode".

"I checked process explorer and saw multiple rundll32.exe running."
Are they "signed" by Microsoft??? If not, upload any unsigned rundll32.exe files 1 by 1 to virustotal.com. <---Just optional, but feel free to double check if you like :)

Last, are you running “magicjack” ??? I ask this because I saw it in your hijack this log

That is odd. You say the two scans didn’t find anything? That is extremely odd. I recommend contacting Comodo Live Support.

As with svchost, observing multiple instances of rundll32.exe does not mean that several copies of this file exist, or even that the one rundll32.exe is malicious, but only that rundll32.exe is launching (that is its job) several different DLLs (including malicious ones, if any).
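
Following the last reply, each rundll32.exe instance can be told apart by the DLL named on its command line (Process Explorer shows this per process). The sketch below is an added example, not code from anyone in this thread: it parses such command lines and notes where each hosted DLL lives. The sample command lines are constructed, the function names are hypothetical, and `SYSTEM_DIRS` assumes a default Windows install path.

```python
import ntpath
import re

# Constructed sample: (PID, command line) pairs, as copied from a process viewer.
SAMPLE = [
    (1204, r'rundll32.exe oobefldr.dll,ShowWelcomeCenter'),
    (2210, r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl'),
    (3318, r'C:\Windows\system32\rundll32.exe "C:\Users\demo\AppData\Local\Temp\upd 1.dll",Start'),
    (4096, r'rundll32.exe'),
]

# Assumption: default Windows install paths; adjust for the machine being checked.
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')

# rundll32 <dll>,<export> [args]; the host path and the DLL path may be quoted.
CMD_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))\s*,?\s*(?P<export>[^\s,]*)',
    re.IGNORECASE)

def hosted_dll(cmdline):
    """Return (dll, export) for one rundll32 command line, or None."""
    m = CMD_RE.match(cmdline)
    if not m:
        return None
    return (m.group('quoted') or m.group('bare')), m.group('export')

def triage(processes):
    """Map each rundll32 instance to the DLL it hosts plus a review note."""
    report = []
    for pid, cmdline in processes:
        parsed = hosted_dll(cmdline)
        if parsed is None:
            report.append((pid, None, 'no DLL argument: review manually'))
            continue
        dll, export = parsed
        folder = ntpath.dirname(dll).lower()
        if not folder:
            note = 'bare name: confirm which file was actually loaded'
        elif folder in SYSTEM_DIRS:
            note = 'system directory: still verify the signature'
        else:
            note = 'outside system directories: check signature, scan the DLL'
        report.append((pid, f'{dll},{export}', note))
    return report

if __name__ == '__main__':
    for row in triage(SAMPLE):
        print(row)
```

The notes are only a sort order for manual review: the signature and VirusTotal checks suggested earlier in the thread apply to the hosted DLL as much as to rundll32.exe itself.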