Strange problem

Discussion in 'Trojan Defence Suite' started by suff, Nov 5, 2003.

Thread Status:
Not open for further replies.
  1. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Just thought I would post this as it relates to a problem I had earlier. Windows 2000 Pro, TDS-3 and error messages. Earlier I had warnings about trojan/virus from TDS-3 app concerning what amounted to empty rundll32.exe files (0 KB). After running various recommended apps, we determined that there was not a problem, just deleted empty rundll32 files and all was OK. Recently I started losing access to non-system applets in control panel. Started getting error message when selecting applets that stated "Access to specified device, path, or file is denied.". Read various posts on newsgroups, tried countless scans with Norton AV and TDS-3, nothing showed up. After fruitless posts to newsgroups, various fixes based on Google searches I ran across a web page that mentioned control panel applets in registry with rundll32.exe mentioned in the same breath. I performed a search and lo and behold I once again had empty rundll32 files in various locations. I had earlier deleted TDS-3 app, thinking it might have been a culprit (possibly having a similar cpl filename as another app). When after a couple of weeks of not being able to fix problem I had re-installed tds-3 in a new folder. Installation and running of app appears and appeared to be good. Strangely enough, both the C drive root folder and the new tds folder had the empty rundll32.exe file. Once I copied the 10KB rundll32.exe file from the WINNT system32 folder into the root drive folder, I got access back to the control panel.

    Sorry this is rambling but after getting prepared to reformat/backup if anyone has an idea of what might be causing this or what to look for I certainly would appreciate it. I'm not even sure if TDS-3 is supposed to have Rundll32 in its folder as well.
     

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi suff,

    Not much help, but just so you know. Your HijackThis log is clean.

    Regards,

    Pieter
     
  3. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Now that was quick. So, the log was clean. What about rundll32, is that installed during setup by tds-3 app? Is it supposed to be there?

    Thanks for any and all help.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi suff,

    rundll32.exe is one of the most important Windows files.
    From: http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/
    "The Windows Rundll32 Program is used to run DLLs as programs and is used by many programs to execute functions located in a DLL file."

    Making zero-byte copies of it all over the place is very strange behavior, but I can't promise you that even a format would solve it.

    What you did, by placing the real file in the directories, where the empty files were found, is the only solution I know of.

    Regards,

    Pieter
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Where is this 10KB rundll.exe?

    Programs can create 0 byte rundll.exe when trying to use various commands it allows. I actually don't ever see any of these myself.. it's to do with whether or not Windows can find a file when it tries to access it. If the file isn't there, it creates a 0 byte copy. I DO have TDS installed to C:\TDS3 so having a non long pathname could help.

    There are some strange bugs with Execution Protection and this, so I could guess you are on Win2k or higher? and have turned it on. If you can bear scanning suspicious files and know how to monitor your system then don't use it - I never do. Hopefully we can get the newer programs out for you soon which are not dependent on older execution protection, and work extremely well.
     
  6. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Well, I finally resolved this weird behavior. For whatever reason, I found instances of "rundll32.exe" in a few folders, one of which was in the Documents and Settings folder of my normal login, one instance in my default TDS-3 folder - C/farley, and the other in another user document & setting folder. Each of these instances was shown by Windows Explorer to have a size of "0 KB", as compared to the 10 KB size of the "rundll32.exe" in both the Winnt/System32 & Winnt/Dllcache folders. After copying the rundll32.exe from the winnt/system folder to the Documents and Settings folder, all control panel functions returned to normal.

    Yes I am running W2K and yes I do have execution protection turned on in TDS-3. My belief is that it is somehow related to TDS-3, based upon the only location other than user profile document and settings folders this was located on was the newly reinstalled default folder of TDS-3.
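
The search described in this thread (stray rundll32.exe copies outside the system folder, checked against the known-good one) can be scripted. This is an added example, not part of the original posts or of TDS-3; the function names, the verdict strings and the sample directory layout are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

TARGET = "rundll32.exe"  # file name the thread is about

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_stray_copies(root, reference):
    """List every rundll32.exe under root except the reference copy."""
    reference = Path(reference).resolve()
    ref_hash = sha256(reference)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name).resolve()
            if name.lower() != TARGET or path == reference:
                continue  # Windows file names are case-insensitive
            size = path.stat().st_size
            if size == 0:
                verdict = "empty"              # the 0 KB files from the thread
            elif sha256(path) == ref_hash:
                verdict = "matches-reference"  # e.g. a copied-in real file
            else:
                verdict = "differs"            # unknown content: inspect by hand
            findings.append((str(path), size, verdict))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed layout loosely mimicking the thread; returns the reference path."""
    layout = {
        "WINNT/system32/rundll32.exe": b"MZ" + b"\x00" * 10238,  # stand-in 10 KB file
        "rundll32.exe": b"",
        "Documents and Settings/user/RUNDLL32.EXE": b"",
        "TDS3/rundll32.exe": b"MZ" + b"\x00" * 10238,
        "Temp/rundll32.exe": b"not the same bytes",
    }
    for rel, data in layout.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return Path(base, "WINNT/system32/rundll32.exe")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_stray_copies(tmp, build_sample_tree(tmp)):
            print(finding)
```

On a real machine, pass the drive root as `root` and the system-folder copy as `reference`; a "differs" result says only that the bytes are not the reference file's, not what they are.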
     