I use NAV2008 on an HP Desktop running Windows Vista Home Premium with Vista Service Pack 1. All my updates are current.
I will be getting NIS 2009 in the next month or so, so I know the outgoing firewall will show me what programs are running
I notice that when I run a quick scan or a full system scan, I get MANY instances of An instance of "C:\Program Files\Norton AntiVirus\Navw32.exe" is preparing to access the Internet. I have checked the dll files in the My Norton Antivirus file and do see many dll application extensions. Not sure what they all mean, but they are digitally signed by Symantec. All my scans show only tracking cookies, no other infections. I have also run SpyBot and Windows Defender and none show any type of infection. When I pull up the Windows Task Manager, it shows only 2 rundll.exe on, even when running the scan.
My questions:
1. Should there be 11 instances where a dll file needs to access the internet for the scan to work?
2. I notice that there are 4-5 instances and then less than 1 second another 4-5 instances
3. Could this just be a logging glitch?
4. From your knowledge, does this appear to be some type of infection?
My activity log shows the following:
9/15/08 11:11:05 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:05 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:04 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:04 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:04 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:04 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:02 pm An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:10:56 pm An instance of "C:\Program Files\Norton AntiVirus\Navw32.exe" is preparing to access the Internet.
When I check the task manager, I see only two rundll.exe working. I do know that when I look into the folder for NAV2008, I do see many dll applications and extensions. So maybe several run when I do a scan. Nothing like this occurs when I check live update. I would think if something tricky were going on, then it would happen when I try to update.
The file "Rundll32.exe" is used to run dll's as an application. I just can't think of a reason why it would continually try and access the internet on that regular a basis for a legitimate process.
There are a couple of nasties that try and attempt to terminate Antivirus software.
If you use Hijackthis, I am willing to see the log if you like to see if any entries like F0 - system.ini: Shell=Explorer.exe, F1 - win.ini: or "F2 - REG:system.ini:Rundll32.exe..............." and so on.
and any other nasties in the log.
You can private message me the log if you like,
Quads
If it is a type of infection (unknown at this point) it doesn't mean that it should affect LU as it depends on what is going on and what is trying to be done.
Like infections affect Windows in different ways, more severely or not, and so is sometimes easily noticed. Or sometimes uses the PC's resources, but sometimes works really quietly.
sorry all I should correct things
I'm talking about Navw32.exe and rundll32.exe I suspect if I had nav32.exe and or rundll.exe that might be cause for alarm.
But the Navw32.exe is digitally signed by symantec
Hi,
The "rundll32.exe" is to me more of a concern the way it is trying to access the internet, when clean systems generally don't have that.
The name "rundll32.exe" can remain the same, but certain viruses and trojans use the file (modified or not) to try and access the net, and/or in the process attempt to shut down security software, or disable silently in an attempt to give free internet access.
"rundll32.exe" is a legitimate file and process and is used by legitimate programs (dll's). People making viruses also realise this and can create a program to modify or use "rundll32.exe" to run the dll the viral program (or trojan). Or create its own file like for instance,
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In this case is the "Lovegate" Virus.
I can't remember in Vista but in XP there could (or should) be a backup version of "rundll32.exe" in the "dllcache" (a hidden folder).
This is in case of the original file being modified, corrupted etc. by an infection. The file can be replaced with a clean version.
I can't think of any reason why "rundll32.exe" would continually want to access the internet if for legitimate reasons. like you showed in your first post.
more info for you.
Regards
Quads
I know that other users have noticed this on their systems too. So it may just be something common.
Hi NY1986,
I think that Quads made you a great offer to help you run and check a Hijack log about the multiple rundll's.
I'd take him up on that!
Best Wishes.
I appreciate all the help. I can tell you that my file
rundll32.exe shows no modifications. It is as it was when it came from the store
Hi NY1986,
What you're probably seeing is the scan executing rundll32.exe to perform detection and repair work that the service is unable to do on its own. The internet access comes from the DLL that it loads (ccEraser.dll) when it tries to verify digital file signatures with www.verisign.com. To make sure our service executes the correct rundll32.exe (and not some fake hijacker), we do a digital signature check on rundll32.exe before executing it.
If you want to verify this behavior independently, you can use Process Monitor from www.sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Just set up a few filters to watch rundll32.exe and see what dll it loads. If you want to verify the traffic that's being initiated, you can use any kind of packet sniffing/firewall software to view connections or inspect packet payloads.
Lee
LNguyen Thanks. So the rundll32.exe is running because there is some additional process that was not part of the original scan engine and the scan engine is using an additional application (dll) that was added by Norton?
But why so many (as you can see from the post I made there are sometimes 11 such more or less depending on the number of cookies) ?
Does the ccEraser.dll need to run for each tracking cookie it is cleaning?
Are there other dlls that the scan needs? Because sometimes there are two instances of rundll32.exe before the scan completes
Hi NY1986.
1. No. It's working around IE API limitations for cookie and browser cache detection and repair.
2. It's an unfortunate side effect of providing continued legacy support for much older products (e.g NAV 06, corporate products, etc).
3. Yes, unfortunately. See 2.
4. It's probably some asynchronous behavior you're seeing with rundll32.exe running ccEraser.dll multiple times. As long as rundll32.exe doesn't stick around for a "long time" and hog up "lots of memory" (e.g. the same PID for rundll32.exe running for more than 30 min while eating up 50MB of memory) , then you shouldn't need to worry much about it.
LNguyen where is ccEraser.dll located in my system ( I mean what folders)?
It's located in the virus definitions folder. The exact location of the virus def folder varies based on OS because of certain OS installation restrictions the product must adhere to. The location also varies by date because virus defs get updated often.
You can do a simple windows file search for the file if you need to find where it's located on your system. You can also use Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to see which process is loading ccEraser.dll during a scan.
Now appears that if I run a quick or full scan, I get 4 instances of rundll32.exe, then navw32.exe and then 2x the number of tracking cookies found. Could this be due to new Norton updates and/or the fact that I have a dual core processor? Or that I have user account and admin account on same computer?
Probably the last one if both users are logged in via fast user switching. Regardless of how many rundll32.exe processes run, it's only a problem if rundll32.exe is running in the manner I described in my previous post:
LNguyen wrote:
As long as rundll32.exe doesn't stick around for a "long time" and hog up "lots of memory" (e.g. the same PID for rundll32.exe running for more than 30 min while eating up 50MB of memory) , then you shouldn't need to worry much about it.
LN what do you mean by As long as rundll32.exe doesn't stick around for a "long time" When I check task manager and the scanning process is not running, I have 2 rundll32.exe showing but they are not using any CPU. Are you meaning if they are using CPU for a long period of time?
What you're describing is a bit of a problem. It implies that those rundll32 processes are stuck waiting for something to occur. That isn't something that our team has seen before.
First things first. Could you describe when you notice these processes beginning to hang around (e.g. does it happen when you boot up, does it happen immediately when the scan starts, etc)?
Usually these rundll32.exe processes last for only a second or less. Then, they should go away. You could see multiples of them running. But, the behavior is more like, "start and quit after less than a second, start again and quit after less than a second, repeat many times, etc. etc until scan completes". Those processes should definitely not be hanging around after the scan is complete.
The next thing you should check are those hanging rundll32.exe processes themselves. I'm not sure if you've tried the tools I mentioned earlier. But can you use Process Explorer to examine one of the hanging rundll32.exe processes? Basically, I just want to do a sanity check to make sure the hanging rundll32.exe processes are really loading ccEraser.dll. Just select one of the hanging rundll32.exe processes and press Ctrl+D to display that process' loaded DLLs. Make sure you see ccEraser.dll in that list. The reason I ask is because it's possible that that rundll32.exe could be loading some other DLL completely unrelated to Symantec.
Finally, if these hanging rundll32.exe processes are indeed loading ccEraser.dll, the easiest way to work around the issue for now is to just kill those processes using Task Manager (or Process Explorer). Nothing horrible is going to occur to your system if you kill those hanging rundll32.exe processes. It's just a bit of an annoyance of going through the task manager to do it.
Let me know what things you find and I'll see if I can reproduce this also. If you can also try to describe your specific configuration (IE version, windows version, unusual network configurations, etc) and provide detailed repro steps, it may make it easier for me to reproduce this. Usually, the cause of really weird bugs like this is due to applications or other software that the customer may run that we couldn't find time to test against. So, if you have any other resident programs running, try quitting those to see if the problem goes away. Then, I'll know what kind of software to get to cause this issue on my end.
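The checks discussed in the posts above (which DLL each rundll32.exe has loaded, whether the image and the DLL are signed, and whether the same PID has been alive for more than 30 minutes while holding more than 50 MB), as an added PowerShell example that is not part of the original thread and is not Symantec's code. It assumes PowerShell 3.0 or later run from an elevated prompt; the 30 minute and 50 MB thresholds are the rule of thumb quoted in the thread, not a product specification.

```powershell
# Added example: triage every running rundll32.exe on the local machine.
# Thresholds below are the ones quoted in the thread (assumption: rule of thumb only).
$maxAge   = New-TimeSpan -Minutes 30
$maxBytes = 50MB

Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $p = $_    # keep the outer pipeline item; nested pipelines reuse $_

    # Signature status of the executable image that is actually running.
    # On some systems catalog-signed Windows files report NotSigned here;
    # treat that as "check with another tool", not as a verdict.
    $exeSig = if ($p.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    } else {
        'PathUnavailable'   # usually means the prompt is not elevated
    }

    # Loaded modules outside the Windows directory: this is where a DLL such as
    # ccEraser.dll, or anything unexpected, shows up. The list is empty if the
    # process has already exited or access is denied.
    $mods = @(Get-Process -Id $p.ProcessId -Module -ErrorAction SilentlyContinue |
              Where-Object { $_.FileName -and $_.FileName -notlike "$env:windir\*" })

    $loaded = foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        '{0} [{1}; {2}]' -f $m.FileName, $sig.Status, $sig.SignerCertificate.Subject
    }

    $age = (Get-Date) - $p.CreationDate

    [pscustomobject]@{
        PID            = $p.ProcessId
        CommandLine    = $p.CommandLine    # shows the DLL and export passed to rundll32
        AgeMinutes     = [math]::Round($age.TotalMinutes, 1)
        WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
        ExeSignature   = $exeSig
        NonWindowsDlls = $loaded -join '; '
        # True only when both conditions from the thread hold for this PID
        Lingering      = ($age -gt $maxAge) -and ($p.WorkingSetSize -gt $maxBytes)
    }
} | Format-List
```

Because the scan-time rundll32.exe instances are described as living for a second or less, a single run mostly catches the ones that linger; the Process Monitor filter suggested earlier in the thread is the better tool for the short-lived ones.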