help? rundll32 pointing to nonexistent malware that i deleted...

Discussion in 'malware problems & news' started by chrome_sturmen, Nov 22, 2010.

Thread Status:
Not open for further replies.
  1. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    I got some malware a few days ago, and deleted the malware files and the startup entries to it manually - but now each time I start my computer, there is an instance of rundll32 pointing to the (now nonexistent) malware:

    the rundll32 properties:

    C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\srclient4.dll",qggcirmv


    Well, those files themselves now don't exist, but something apparently is still telling rundll32 to run them. Anyone know how I can locate and remove whatever is telling rundll32 to execute these files?

    thanks in advance :blink:
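    One way to hunt for the leftover launcher described above, added here as an example and not from the thread: parse each autorun command line for the rundll32 <dll>,<entrypoint> form and flag entries whose DLL is no longer on disk. The autorun dictionary, the demo_exists stand-in and the Sound/Updater entries are constructed for the demo; on the affected machine you would feed in the exported Run keys, services and scheduled tasks and keep the default os.path.isfile.

```python
import os
import re
from typing import Callable, NamedTuple, Optional

class RunDllEntry(NamedTuple):
    dll: str      # DLL path exactly as written in the command line
    export: str   # entry point after the comma (name or #ordinal)

# rundll32 syntax: rundll32.exe <dll>,<entrypoint> [arguments]; the DLL path
# may be double-quoted, as in the thread's Run entry.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str) -> Optional[RunDllEntry]:
    """Split a rundll32 command line into DLL and entry point; None if not rundll32."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return RunDllEntry(m.group("qdll") or m.group("dll"), m.group("export"))

def find_orphaned_rundll32(autoruns: dict, exists: Callable[[str], bool] = os.path.isfile):
    """Return (location, entry) for each rundll32 autorun whose DLL no longer exists."""
    orphans = []
    for location, cmdline in autoruns.items():
        entry = parse_rundll32(cmdline)
        if entry is not None and not exists(os.path.expandvars(entry.dll)):
            orphans.append((location, entry))
    return orphans

# Constructed sample (not from the thread): Run-key entries as an admin would
# export them, the first being the thread's own rundll32 line.
SAMPLE_AUTORUNS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srclient":
        r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\srclient4.dll",qggcirmv',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sound":
        r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL mmsys.cpl",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r'"C:\Program Files\Updater\updater.exe" /quiet',
}

def demo_exists(path: str) -> bool:
    # Constructed view of the disk, standing in for os.path.isfile so the demo
    # runs on any OS: shell32.dll is present, srclient4.dll was deleted by hand.
    return path.lower() in {r"c:\windows\system32\shell32.dll"}

def demo():
    return find_orphaned_rundll32(SAMPLE_AUTORUNS, demo_exists)
```

    A hit names the place the reference lives (the registry value, service or task), which is what has to be removed; rundll32.exe itself is a legitimate Windows binary and stays.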
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Give it a shot with Hitman Pro, perhaps it will detect it.
     
  3. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    vtol, thanks for your time - I actually tried Hitman Pro just before I made this topic - it did find the srclient4.dll as a threat (even though I deleted it yesterday?) but upon reboot for removal, I got a failure message from Hitman Pro, saying failure to remove. I doubt it would be because I didn't actually install Hitman. I'll keep working with it o_O
     
  4. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Hm, does this mean I should've installed Hitman to the hard disk, instead of running it from the exe?

    This was in Event Viewer:

    The Hitman Pro 3.5 Crusader (Boot) service failed to start due to the following error:
    The system cannot find the path specified.
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  6. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Cudni, thanks for the links!

    I installed Hitman, but again it failed (probably because the malware file doesn't exist, because I deleted it).

    It's like it's finding references to the file, and so assuming it's there, when it isn't. I just need to find and remove those references to the malware; the malware itself is gone hehe *puppy*
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Not sure it is as simple as you wish. Sounds more like an evil resident on your system, which HMP is able to detect but has trouble removing. There is some nasty stuff which is really tough to flush out. You may want to check out and follow the info given by the link Cudni mentioned.

    A search for srclient4.dll turned this forum thread up; there is somebody else having at least the same dll on the system.
     
    Last edited: Nov 22, 2010
  8. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    vtol, yeah I saw that post on a search last night. I'm pretty sure I removed the srclient4.dll, because I booted to a different ISR snapshot, browsed to my other $isr folder with XYplorer, and then searched for and deleted srclient4.dll using Unlocker. Now a search for it turns up nothing, so I guess it's gone. There have to be some references to it somewhere though, because rundll32 is being invoked, but I guess I've neutered it, at least hehe *puppy*
     
  9. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    A scan with NOD32 returns this result:

    C:\WINDOWS\system32\srclient4.dll - error opening

    I wonder if that's because I deleted the file, or if the file is in fact on my system, but can't be cleaned. I sure can't find any file called srclient4.dll on my system, and my system seems to be running fine. Anyone have any thoughts?
     
  10. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  11. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Damn, I did just find srclient4.dll in my windows/system32 folder. I was able to delete it with Unlocker, but I thought I had already done that... I wonder what happens now :oops:
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Hope you did not catch something residing in the MBR and rewriting that dll on every reboot!
     
  13. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Reading your posts I thought ;) you might've known that one.
     
  15. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Well, I wound up going back to an earlier snapshot and nuking the one that was infected - it's costing me some work I lost, but not too much. Though I had disarmed the malware, I didn't like that there were still references to it somewhere that I couldn't find and remove, so I took the hit. I could've avoided this had I been more careful, but after having a strong system for a while, sometimes I get too comfortable, and that's when a problem can occur.

    Thanks all, for all the advice!
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Too bad. Lesson learned though - until next time then ;)
     