Author Topic: RUN DLL32.EXE MISSING  (Read 3013 times)

Offline illustrious84

RUN DLL32.EXE MISSING
« on: March 18, 2008, 06:37:52 PM »
:( I'm unable to open my Control Panel as I get a message: RUN DLL32.EXE MISSING!

What should I do... here is my HijackThis log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:52 AM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\drivers\svchost.exe
C:\WINDOWS\SYSTEM32\drivers\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe spo0lsv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Flashy Bot] C:\WINDOWS\system32\Flashy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2251 bytes

Offline guestolo

RUN DLL32.EXE MISSING
« Reply #1 on: March 18, 2008, 10:33:01 PM »
Download SDFix and save this to your desktop
We will need it in a bit

Do a "System scan only" with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe spo0lsv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Flashy Bot] C:\WINDOWS\system32\Flashy.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
In safe mode

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder  
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
I'll need to see that log later

Download this file - Combofix.exe and save it ONLY to your desktop

Temporarily Disable your AntiVirus software so it won't interfere with the next fix please

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Back in Windows

Post back the following:

1. Post the log from Combofix
2. Post a fresh hijackthis log
3. Post the report from SDFix

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
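
The entries ticked in the reply above share a pattern: the Shell and UserInit values carry extra programs beside the Windows defaults (Explorer.exe and userinit.exe), and a svchost.exe is running from system32\drivers instead of system32. The following is an added example, not part of the original posts or of HijackThis, that applies those checks to an excerpt of the posted log; the function names are hypothetical and the Windows directory is assumed to be C:\WINDOWS, as in the log.

```python
import ntpath
import re

WINDIR = r"C:\WINDOWS"            # assumption: Windows directory, as in the posted log
SYSTEM32 = WINDIR + r"\system32"

# Directory each well-known Windows XP binary is expected to run from.
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "winlogon.exe": SYSTEM32, "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "userinit.exe": SYSTEM32, "explorer.exe": WINDIR,
}
# Digits commonly swapped in for letters in look-alike file names.
DIGIT_LOOKALIKES = str.maketrans("01", "ol")

# Excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\drivers\svchost.exe
C:\WINDOWS\SYSTEM32\drivers\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe

F2 - REG:system.ini: Shell=Explorer.exe spo0lsv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,C:\WINDOWS\SYSTEM32\drivers\svchost.exe,
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""


def _norm(path):
    """Lower-case, unquoted, normalised Windows path for comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def check_binary(path):
    """Return a reason if the path imitates a system binary, else None."""
    directory, name = ntpath.split(_norm(path))
    if name in EXPECTED_DIR:
        # Right name, wrong folder (a bare file name has no folder to judge).
        if directory and directory != EXPECTED_DIR[name].lower():
            return f"{name} outside {EXPECTED_DIR[name]}"
        return None
    deobfuscated = name.translate(DIGIT_LOOKALIKES)
    if deobfuscated != name and deobfuscated in EXPECTED_DIR:
        return f"{name} imitates {deobfuscated}"
    return None


def analyze(log_text):
    """Return de-duplicated (kind, item, reason) findings for a HijackThis log."""
    findings = []
    in_processes = False

    def add(kind, item, reason):
        finding = (kind, item, reason)
        if finding not in findings:
            findings.append(finding)

    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            reason = check_binary(line)
            if reason:
                add("process", line, reason)
            continue
        match = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line, re.I)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "shell":
            # Simplification: splits on whitespace, so quoted paths with spaces are not handled.
            items = value.split()
            defaults = {"explorer.exe", WINDIR.lower() + r"\explorer.exe"}
        else:
            items = [v for v in value.split(",") if v.strip()]
            defaults = {SYSTEM32.lower() + r"\userinit.exe"}
        for item in items:
            if _norm(item) not in defaults:
                add(key, item.strip(), check_binary(item) or "extra entry beside the default")
    return findings


if __name__ == "__main__":
    for kind, item, reason in analyze(SAMPLE_LOG):
        print(f"{kind:9} {item}  ->  {reason}")
```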


Offline illustrious84

RUN DLL32.EXE MISSING
« Reply #2 on: March 19, 2008, 05:37:28 PM »
Thanks for your help and time. I really appreciate that. Here are the fresh logs you asked for

HIJACKTHIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:38 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe


End of file - 3281 bytes


SDFIX REPORT



SDFix: Version 1.159

Run by niazi on Thu 03/20/2008 at 04:27 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\svchost.exe  - Deleted

 

 

Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 04:31:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

 

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue  8 May 2007        34,332 A.SH. --- "C:\WINDOWS\system32\drivers\video.exe"

Finished!



COMBOFIX REPORT



ComboFix 08-03-18.1 - niazi 2008-03-20  4:40:22.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.81 [GMT -7:00]
Running from: C:\Documents and Settings\niazi\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\video.exe

.
(((((((((((((((((((((((((   Files Created from 2008-02-20 to 2008-03-20  )))))))))))))))))))))))))))))))
.

2008-03-20 04:25 . 2008-03-20 04:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-20 04:24 . 2008-03-20 04:33 <DIR> d-------- C:\SDFix
2008-03-19 23:51 . 2008-03-19 23:51 <DIR> d-------- C:\Documents and Settings\niazi\Application Data\Yahoo!
2008-03-19 23:51 . 2008-03-19 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-19 23:30 . 2008-03-19 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-19 23:26 . 2008-03-19 23:29 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-19 05:32 . 2008-03-19 05:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 03:52 . 2008-03-19 03:52 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-18 03:54 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-18 03:53 . 2008-03-20 04:08 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-18 01:47 . 2006-06-01 11:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-03-18 01:47 . 2006-06-01 11:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-03-15 01:14 . 2004-08-03 23:41 606,684 --a------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2008-03-15 01:14 . 2004-08-03 23:41 606,684 --a--c--- C:\WINDOWS\system32\dllcache\ltmdmnt.sys
2008-03-12 01:28 . 2008-03-12 01:28 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-11 23:17 . 2008-03-11 23:15 5,222 --------- C:\WINDOWS\ADOBE.ICO
2008-03-11 23:17 . 2008-03-11 23:15 1,078 --------- C:\WINDOWS\TUTOR.ICO
2008-03-11 23:17 . 2008-03-11 23:15 766 --------- C:\WINDOWS\ACTGPR2.ICO
2008-03-11 23:16 . 2008-03-11 23:16 <DIR> d-------- C:\WINDOWS\Crystal
2008-03-11 23:16 . 2003-02-28 19:25 172,032 --a------ C:\WINDOWS\system32\rsUtil.dll
2008-03-11 23:16 . 2003-02-28 20:01 86,016 --a------ C:\WINDOWS\system32\SDCCInfo.dll
2008-03-11 23:15 . 2008-03-11 23:17 <DIR> d-------- C:\Program Files\Peachtree
2008-03-11 23:15 . 2008-03-11 23:15 <DIR> d-------- C:\Program Files\Common Files\Peach
2008-03-11 22:17 . 2008-03-17 23:49 4,608 --a------ C:\WINDOWS\system32temp2.exe
2008-03-11 02:38 . 2008-03-11 02:38 <DIR> d-------- C:\Documents and Settings\niazi\Application Data\vlc
2008-03-10 02:11 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-08 23:41 . 2001-08-17 13:11 128,000 --a------ C:\WINDOWS\system32\drivers\n100325.sys
2008-03-08 23:41 . 2001-08-17 13:11 128,000 --a--c--- C:\WINDOWS\system32\dllcache\n100325.sys
2008-03-08 23:33 . 2008-03-08 23:33 <DIR> d-------- C:\WINDOWS\Cache
2008-03-08 23:32 . 2008-03-08 23:32 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-08 23:20 . 2008-03-08 23:18 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-03-08 23:20 . 2008-03-08 23:18 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-03-08 23:20 . 2008-03-08 23:18 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-08 23:18 . 2008-03-17 22:37 <DIR> d-------- C:\Program Files\ESET
2008-03-08 14:02 . 2008-03-08 14:05 <DIR> d-------- C:\Program Files\NEC
2008-03-08 14:02 . 2008-03-11 23:17 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-03-08 14:02 . 2004-09-30 05:02 36,352 -ra------ C:\WINDOWS\system32\drivers\liusbm.sys
2008-03-08 14:02 . 2004-09-30 05:02 22,048 -ra------ C:\WINDOWS\system32\cocpyinf.dll
2008-03-08 13:47 . 2004-09-30 05:02 25,856 -ra------ C:\WINDOWS\system32\drivers\liusba.sys
2008-03-08 13:41 . 2004-09-30 05:02 33,920 -ra------ C:\WINDOWS\system32\drivers\liusbo.sys
2008-03-08 13:35 . 2004-09-30 05:02 43,264 -ra------ C:\WINDOWS\system32\drivers\liusbc.sys
2008-03-08 13:35 . 2004-09-30 05:02 12,928 -ra------ C:\WINDOWS\system32\drivers\liusbe.sys
2008-03-08 13:13 . 2008-03-08 13:48 <DIR> d-------- C:\Program Files\WPTCP
2008-03-08 13:09 . 2008-03-08 13:48 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 12:56 . 2008-03-08 12:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-08 12:55 . 2008-03-08 12:55 <DIR> d-------- C:\Program Files\Real
2008-03-08 12:55 . 2008-03-08 12:56 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-08 12:55 . 2008-03-08 12:55 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-08 12:55 . 2008-03-08 12:55 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-08 11:59 . 2003-06-18 18:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-08 11:59 . 2008-03-08 11:59 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-08 11:57 . 2008-03-08 11:57 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-08 11:57 . 2008-03-08 11:57 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-08 11:57 . 2008-03-08 11:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-08 11:50 . 2008-03-08 11:50 <DIR> dr-h----- C:\MSOCache
2008-03-08 11:05 . 2008-03-08 11:05 <DIR> d-------- C:\Documents and Settings\niazi\Application Data\AdobeUM
2008-03-08 11:04 . 2008-03-08 11:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-08 10:47 . 2008-03-08 10:47 <DIR> d---s---- C:\Documents and Settings\niazi\UserData
2008-03-07 11:17 . 2004-08-03 16:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-07 11:15 . 2001-08-17 05:12 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-03-07 11:15 . 2004-08-03 15:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-07 11:12 . 2008-03-11 23:16 <DIR> d--hs---- C:\WINDOWS\Installer
2008-03-07 11:12 . 2008-03-07 19:30 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-03-07 11:10 . 2008-03-20 04:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-03-07 11:07 . 2008-03-07 19:39 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 02:35 --------- d-----w C:\Program Files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-08 23:18 949376]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 13:11]
S3 liusba;NEC 338 Command Port Driver;C:\WINDOWS\system32\DRIVERS\liusba.sys [2004-09-30 05:02]
S3 liusbc;NEC 338 CONTROL Driver;C:\WINDOWS\system32\DRIVERS\liusbc.sys [2004-09-30 05:02]
S3 liusbe;NEC 338 ENUMERATION Driver;C:\WINDOWS\system32\DRIVERS\liusbe.sys [2004-09-30 05:02]
S3 liusbo;NEC 338 OBEX Port Driver;C:\WINDOWS\system32\DRIVERS\liusbo.sys [2004-09-30 05:02]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 04:41:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20  4:42:30
ComboFix-quarantined-files.txt  2008-03-20 11:42:21
.
2008-03-20 11:10:44 --- E O F ---  


EDIT>>Removed all the underlining, it's really not needed and actually harder to read the logs
« Last Edit: March 19, 2008, 06:20:56 PM by guestolo »

Offline guestolo

RUN DLL32.EXE MISSING
« Reply #3 on: March 19, 2008, 06:25:05 PM »
Can you do one more scan for me please
Although Nod32 is a great AntiVirus software, let's just get a second opinion

Temporarily disable Nod32
Use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        Extended
    • Scan Options:
        Scan Archives
        Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Post the Kaspersky Online Scanner Report in your reply.

Also, keep me informed how things are running please



        Offline illustrious84

        RUN DLL32.EXE MISSING
        « Reply #4 on: March 23, 2008, 05:07:44 PM »
        Hi,
        I had to go out of town so couldn't reply earlier. Everything else is fine except that I still can't open anything in the Control Panel and it's not freezing. Here is the report you asked for

        Sunday, March 23, 2008 3:17:33 PM
        Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
        Kaspersky Online Scanner version: 5.0.98.0
        Kaspersky Anti-Virus database last update: 23/03/2008
        Kaspersky Anti-Virus database records: 655593
        Scan Settings
        Scan using the following antivirus database: extended
        Scan Archives: true
        Scan Mail Bases: true
        Scan Target: My Computer
        A:\
        C:\
        D:\
        E:\
        F:\
        Scan Statistics
        Total number of scanned objects: 23693
        Number of viruses found: 7
        Number of infected objects: 53
        Number of suspicious objects: 0
        Duration of the scan process: 01:06:01
        Infected Object Name / Virus Name / Last Action
        C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\DocumentsandSettings\LocalService\LocalSettings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\LocalService\LocalSettings\ApplicationData\Microsoft\
        Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\
        index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\niazi\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\niazi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\niazi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\niazi\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\niazi\Local Settings\Temp\~DFF202.tmp Object is locked skipped
        C:\Documents and Settings\niazi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\niazi\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\niazi\ntuser.dat.LOG Object is locked skipped
        C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
        C:\Program Files\ESET\infected\02AWAWDA.NQF Infected: Virus.Win32.Virut.q skipped
        C:\Program Files\ESET\infected\25VBR2CA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\2DN0INDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\4DI0JCCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\4EVTOLCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\4JYSE0DA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\4TTUELDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\5CEPLZCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\AHFBGQBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\AMGH3DBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\BCRKUQCA.NQF Infected: Trojan-Dropper.Win32.Agent.ell skipped
        C:\Program Files\ESET\infected\BDJAACBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\FCSIQADA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\GFOM4YCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\GVHJL5CA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\IZUPIKCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\J0MJZ2CA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\J124SOBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\JBYRPADA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\LTLS0HDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\LY3WNHCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\MWVF5IBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\MZFVJHDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\N4NEZZBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\OLXIVGCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\OMPIAXBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\PFN4VSDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\PSO134DA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\PT1ST3BA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\RCTGLHAA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\RGR4Y0BA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\ROFLCQDA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\STM4XICA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\UYWSCHAA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\VIGRJ3DA.NQF Infected: Trojan-Downloader.Win32.Agent.bsi skipped 
C:\Program Files\ESET\infected\VRDGHCAA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\W4Z5KFCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\WDJCV0AA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\YIPBZJBA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\YK44APCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\infected\YQF4VHCA.NQF Infected: Virus.Win32.Virut.q skipped C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
        C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\video.exe.vir Infected: Trojan-Dropper.Win32.Agent.ell skipped
        C:\SDFix\backups\backups.zip/backups/svchost.exe Infected: Worm.Win32.AutoRun.cni skipped
        C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP13\A0013167.exe Infected: Worm.Win32.AutoRun.cni skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP15\A0017220.exe Infected: Worm.Win32.AutoRun.cni skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP18\A0021912.exe Infected: Worm.Win32.AutoRun.cni skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP18\A0021920.exe Infected: Worm.Win32.AutoRun.cni skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP19\A0021963.exe Infected: Trojan-Dropper.Win32.Agent.ell skipped
        C:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP22\change.log Object is locked skipped
        C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
        C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{EF3D6A9E-AB92-4B27-A88B-724B864ABEE5}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
        C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
        C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped
        C:\WINDOWS\system32\config\default.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SAM Object is locked skipped
        C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped
        C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped
        C:\WINDOWS\system32\config\system.LOG Object is locked skipped
        C:\WINDOWS\system32\h323log.txt Object is locked skipped
        C:\WINDOWS\system32\msisap.dll Infected: Trojan.Win32.Agent.fhz skipped C:\WINDOWS\system32\spo0lsv.exe Infected: Backdoor.Win32.Small.ctt skipped C:\WINDOWS\system32\srosvc.dll Infected: Trojan-Downloader.Win32.Small.iji skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32temp2.exe Infected: Worm.Win32.AutoRun.cni skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped
        D:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP22\change.log Object is locked skipped
        E:\System Volume Information\_restore{F283BCEB-5441-420A-BA0E-DFC420256AA7}\RP22\change.log Object is locked skipped
        Scan process completed.
        « Last Edit: March 23, 2008, 05:18:01 PM by illustrious84 »

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
        RUN DLL32.EXE MISSING
        « Reply #5 on: March 23, 2008, 09:59:18 PM »
        Delete your version of combofix
        ==REDownload this file - Combofix.exe and save it ONLY to your desktop

        ==Open notepad
        Copy ALL the BLUE text below and Paste to notepad
        Don't use anything other than notepad or the script will not work

        File::
        C:\WINDOWS\system32\msisap.dll
        C:\WINDOWS\system32\spo0lsv.exe
        C:\WINDOWS\system32\srosvc.dll
        C:\WINDOWS\system32temp2.exe
        Folder::
        C:\Program Files\ESET\infected

        Save this as a text file on your desktop, named CFScript



        =================================
        ATF-Cleaner
        Double-click ATF-Cleaner.exe to run the program.
              Under Main choose: Select All
              Click the Empty Selected button.

        If you use Firefox browser
              Click Firefox at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.

        If you use Opera browser

              Click Opera at the top and choose: Select All
              Click the Empty Selected button.
              NOTE: If you would like to keep your saved passwords, please click No at the prompt.

        Click Exit on the Main menu to close the program.

        ========================================


        Drag CFScript.txt into ComboFix.exe
        Combofix will start>>Follow the prompts
        Note:
        Do not mouseclick combofix's window whilst it's running. That may cause it to stall

        When finished, it shall produce a log for you with the name C:\ComboFix.txt.
        I'll need to see that log

        If you don't get Internet connection within a minute
        Reboot the computer

        Post back all the following

        1. Post the log from ComboFix
        2. Post a fresh hijackthis log


        NOTE: Although we may be able to get this computer clean,
        it may be best to back up and reinstall the operating system. Would you like to go this route?
        « Last Edit: March 23, 2008, 10:01:01 PM by guestolo »

        Do you want to post your own logs from FRST?

        Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
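
The check a helper does by eye in the reply above (every "Infected:" object in the scan log must appear under File:: in the removal script) can be automated. This is an added example, not part of the thread and not ComboFix's own code; the function names are hypothetical, the sample inputs are a constructed subset of the log and script posted above, and the parser assumes only the line layout visible in this thread (path, status, "skipped").

```python
import re

# Constructed sample: a few entries from the scan log above, including lines
# where several entries are run together, as in the posted log.
SCAN_LOG = r"""
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msisap.dll Infected: Trojan.Win32.Agent.fhz skipped C:\WINDOWS\system32\spo0lsv.exe Infected: Backdoor.Win32.Small.ctt skipped C:\WINDOWS\system32\srosvc.dll Infected: Trojan-Downloader.Win32.Small.iji skipped
C:\WINDOWS\system32temp2.exe Infected: Worm.Win32.AutoRun.cni skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped
"""

# The script text from the reply above, with the forum colour tags removed.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\msisap.dll
C:\WINDOWS\system32\spo0lsv.exe
C:\WINDOWS\system32\srosvc.dll
C:\WINDOWS\system32temp2.exe
Folder::
C:\Program Files\ESET\infected
"""

# One entry = drive path, then a status, then the action word "skipped".
ENTRY = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<status>Object is locked|Infected: (?P<name>\S+))\s+skipped"
)

def parse_scan_log(text):
    """Return {path: detection name} for infected entries; locked files are ignored."""
    return {m["path"]: m["name"] for m in ENTRY.finditer(text) if m["name"]}

def parse_cfscript(text):
    """Return {section: [paths]} for the 'Name::' sections of the script text."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def uncovered(scan_text, script_text):
    """Detections that the script's File:: section does not list (case-insensitive)."""
    listed = {p.lower() for p in parse_cfscript(script_text).get("File", [])}
    found = parse_scan_log(scan_text)
    return {p: n for p, n in found.items() if p.lower() not in listed}
```

An empty result from `uncovered(SCAN_LOG, CFSCRIPT)` means the script lists every detection; any path returned is one the script would leave behind.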


        Offline illustrious84

        • Newbie
        • *
        • Posts: 5
        • Karma: +0/-0
        RUN DLL32.EXE MISSING
        « Reply #6 on: March 24, 2008, 08:06:04 AM »
        hi, howdy?

        Well, I wish I could reinstall, but I hardly get any time for that. Maybe on Sundays.
        I only installed this thing a few weeks ago. Actually, I downloaded a game from the net
        and was trying to sort out the screen resolution when my system went bizarre.
        I'll post the logs you require later, but if you think it would be good to reinstall Windows,
        I will opt for that. Do tell me what software I need to have for protection if I reinstall it...

        And thank you again for the help, I really appreciate that.

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
        RUN DLL32.EXE MISSING
        « Reply #7 on: March 24, 2008, 12:11:01 PM »
        Try my last set of instructions, let's see how much damage it has done
        But since you did just clean install, I would opt to do it again
