ClamWin Free Antivirus
Support and Discussion Forums
False positive? rundll32.exe: Trojan.Ldpinch-4700
Zanza


Joined: 06 May 2010
Posts: 0
Hi all.

ClamAV tells me that rundll32.exe is infected as a trojan:

C:\WINDOWS\ServicePackFiles\i386\rundll32.exe: Trojan.Ldpinch-4700 FOUND
C:\WINDOWS\system32\rundll32.exe: Trojan.Ldpinch-4700 FOUND


I checked the file on virustotal.com and ClamAV is the only one that detects it as infected.
Tomas_IV


Joined: 07 May 2010
Posts: 0
I can just confirm the same results on two computers

/media/win/WINDOWS/system32/rundll32.exe: Trojan.Ldpinch-4700 FOUND
/media/win/WINDOWS/system32/dllcache/rundll32.exe: Trojan.Ldpinch-4700 FOUND

with
ClamAV 0.95.3/10935/Thu May 6 14:40:42 2010

I rechecked with virustotal.com and still no other anti-virus identifies these files as infected.

Tomas B.
I got a computer which definitely has something wrong
Lennie


Joined: 07 May 2010
Posts: 0
Location: the Netherlands
Yesterday I ran into a computer which definitely has something wrong with it.

So far clamav is the only one that found anything (after removing a few smaller things).

It looks like when you login with a user on the system with administrator rights it will be used in UDP-based DOS-attacks and so on.

I can see something is wrong when I login and use Process Explorer: services(.exe?) (which is the process that starts all the services) has an HTTPS connection (port 443) open to different IP addresses; the IP addresses, when resolved, are all called things like reliablehosting and things like that.

rundll32.exe is used on login, it's executed when explorer.exe is started, among other things, I think.

Thus so far it seems to fit in my case.

I will try replacing it with a known-good rundll32.exe if I can find one and see if the problems go away.

In my case it was also found in:
WINDOWS/$NtServicePackUninstall$/rundll32.exe
Sleepy


Joined: 07 May 2010
Posts: 0
I got it this morning.

C:\WXPFiles\I386\RUNDLL32.EX_: Trojan.Ldpinch-4700 FOUND

I am using a newer version of ClamWin (version 0.96.0.1) Database (main: 52; daily 10935 Updated 08:40 06 May 2010)

I also had a virus yesterday which I can't find much information about: C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Dropper-25553 FOUND
That one is unfortunately too large to upload to virustotal.com, so I don't know what other systems think of it.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
This is strange, the MS signature check should detect the file as safe, but maybe not in the current catalog.

You can unpack the cab into a directory and then scan the directory, so you'll know the FP file.
Lennie


Joined: 07 May 2010
Posts: 0
Location: the Netherlands
Hmm, I just checked it, rundll32.exe is 'binary equal' with other machines which don't have that problem.

So yes, possibly it's a false positive.
brucebertrand


Joined: 07 May 2010
Posts: 0
Location: New York
This is most certainly a false positive.
I've checked it against the extracted cab file from the official Windows install CD.
The files are identical, and clamscan detects both as Trojan.Ldpinch-4700.
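As an added example (not code from this thread or from ClamWin), one way to do the checks the posters describe: parse clamscan-style "FOUND" lines to see which signature hit which files, then hash the flagged copies to confirm they are 'binary equal' to each other, as a single hash group points to a signature problem rather than an infection. The scanner output and the demo files are constructed, and the function names are mine.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# One line per hit, in the shape clamscan and ClamWin print: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_clamscan(lines):
    """Group the flagged paths by signature name; summary and other lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\r\n"))
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)

def sha256_of(path):
    """Stream the file through SHA-256 so a large file such as a .cab is handled fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_copies(paths):
    """Group the existing files among `paths` by content hash: one group means every copy
    is 'binary equal'; more than one means the copies differ and the odd one out needs a look."""
    groups = defaultdict(list)
    for p in paths:
        if Path(p).is_file():
            groups[sha256_of(p)].append(p)
    return dict(groups)

# Constructed sample of scanner output, modelled on the lines quoted in the thread.
SAMPLE_OUTPUT = r"""
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe: Trojan.Ldpinch-4700 FOUND
C:\WINDOWS\system32\rundll32.exe: Trojan.Ldpinch-4700 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Dropper-25553 FOUND
----------- SCAN SUMMARY -----------
""".strip().splitlines()

def demo_binary_equal():
    """Constructed stand-in for copies from several machines: two identical files, one differing."""
    d = Path(tempfile.mkdtemp())
    for name, data in (("a.exe", b"MZ-same"), ("b.exe", b"MZ-same"), ("c.exe", b"MZ-other")):
        (d / name).write_bytes(data)
    return compare_copies([str(d / n) for n in ("a.exe", "b.exe", "c.exe")])
```

On a real machine, feed the saved clamscan log to parse_clamscan and pass the rundll32.exe paths it returns (plus a copy from a known-clean machine) to compare_copies.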
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
If you find the same infection in more than one file, it is often a sign of a false positive. With a few exceptions, most viruses try to stay under the radar because too much visibility makes them more likely to be spotted.

See if you can submit the smaller file to Clam for a signature correction. I think they will take files up to around 20 MB or so.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Lennie wrote:
Hmm, I just checked it, rundll32.exe is 'binary equal' with other machines which don't have that problem.

So yes, possibly it's a false positive.


It gets detected as FP where not detected as a virus?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Sherpya, I think they are saying that it is detected as a virus by some users, but they think it is a false positive. What is scary is that the same file on other machines is not detected (perhaps it is not exactly the same file).

I can't find Trojan.Ldpinch-4700 on the Clam submission interface, so it has probably been corrected, and that is why some users don't detect it.

RWS
trojan.LdPinch-4700 FOUND
metalchild92797


Joined: 07 May 2010
Posts: 0
I am a new user here. While doing a daily ClamWin virus check on my boss' PC the following came up as positive:

C:\windows\system32\rundll32.exe:trojan.LdPinch-4700

I have not been able to find any information on how to remove this from internet searching. Any info?
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
Please upload to https://www.virustotal.com/
and if it's detected as a virus only by ClamAV, submit it as a false positive here:
https://www.clamav.net/sendvirus/

thanks