Re: rundll32 & adware
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: Sat, 04 Dec 2004 20:00:41 GMT
Cute name; I N V U 9 :-)
Here's what "invu9_32.dll" is recognized as...
eTrust-Vet 220.127.116.11 12.03.2004 Win32.Startpage.KF
Kaspersky 18.104.22.168 12.04.2004 not-a-virus:AdWare.Look2Me.r
Sybari 7.5.1314 12.04.2004 Win32.Startpage.KF
"Jim Watt" <firstname.lastname@example.org_way> wrote in message
| On Sat, 04 Dec 2004 15:19:41 GMT, David Postill <email@example.com>
| >In article <firstname.lastname@example.org>, on Sat, 04 Dec 2004 15:39:01
| >Watt <email@example.com_way> wrote:
| >| On Sat, 04 Dec 2004 10:11:56 GMT, David Postill <firstname.lastname@example.org>
| >| wrote:
| >| >Have you run process explorer?
| OK by chance I went to the client's office today for something else
| so ran process explorer. It showed that the .dll was
| invu9_32.dll which does not get a hit on google.
| The dll is in c:/windows/system and is flagged as +SR
| so did not show on explorer.
| I renamed it in DOS mode and the popups have stopped.
| If anyone is interested in looking at it further to determine its
| origin, it's zipped up as
| Uh yes I did mean programs pleading not to be UNinstalled.
| I still do not understand quite how this gets run, but it's
| currently disabled.
| Thanks for the good advice so far in the process.
| Jim Watt