
Rundll32 file not found.



waldorf
17-05-2005, 10:19 PM
Yesterday my computer went a bit squiffy (coincidentally after opening some emails). It started running continuously until I rebooted it.

The start menu had two entries I hadn't noticed before:

crypt /System/Dirdata.exe
expolarx /sysrem/ dirdata.exe

The Running processes included Dirdata and Dirmiss32 which I had never noticed before. I suspect some infection.

After a bit of online research I disabled the above MS programs, which can be hijacked by Trojans, into the system file and things improved.

I have run a number of well known spyfinder tools to no avail.

But I have no rundll to make shortcuts work; for example, I can't use Control Panel or the internet shortcuts.

My primary concern is to restore shortcut function. How please?

The Rundll file icon appears in the System file, but it is just a picture.

tweak'e
17-05-2005, 10:40 PM
What antivirus do you use?

Is it trying to access the net? E.g. is anything unusual listed in your firewall?

Speedy Gonzales
17-05-2005, 10:42 PM
I would get Trojan Remover. See if this picks anything up:

http://www.simplysup.com/tremover/

Update it, then scan.

Or get HijackThis, make a folder called hjt, and unzip the HijackThis file into this folder. Do a scan and post a log here.

johnboy
17-05-2005, 10:43 PM
Have you spelt these file names correctly?
To fix the shortcut problem:
Try this: click Start, then Run, and in this box type sfc /scannow (note there is a space after sfc).
This will run the Windows File Checker, which should replace any missing files.
Or grab Rundll32 from here:
http://www.richardthelionhearted.com/~merijn/winfiles.html
HTH

waldorf
18-05-2005, 12:55 AM
Thanks guys.

I have reinstalled rundll from that site. Duh, I had actually been on that page earlier in the day when I was getting HijackThis to try. It showed up this list.
Since I disabled those items I mentioned, things seem to be back to relative normality; now my icons work.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:08 p.m., on 17/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\GUIDESCOPE\GUIDE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RAMPUP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\SPYWARE TOOLSR\HIJACK\HIJACKTHIS.EXE
C:\MY DOCUMENTS\DOWNLOADS\SPYWARE TOOLSR\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - Startup: RamPup.exe
O4 - Startup: RAMPUP.INI
O4 - Startup: SCREENTHEMES.LNK = C:\SCTHEMES\SCTHEMES.EXE
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

zqwerty
18-05-2005, 01:13 AM
Speedy is not around at the moment I don't think, he is the Master Blaster when it comes to HijackThis logs but in the meantime you could go here and follow instructions:

http://hjt.iamnotageek.com/

It is a HijackThis log analyser.

Speedy Gonzales
18-05-2005, 09:14 AM
C:\PROGRAM FILES\GUIDESCOPE\GUIDE.EXE

Do you use some kind of popup stopper? I think this is what this is.
Not sure if it's spyware as well. Leave this entry unticked for now.

C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE

Tick this. See if Backweb or similar is in add/remove programs.
If it is uninstall it.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000

Tick this entry

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

Tick this entry

O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

Tick this entry

O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe

This looks like a popup stopper program. Leave this unticked for now.


O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab

Tick this. For the entries above where I've said to tick, tick them, click Fix, then reboot.

Also check Add/Remove for these: Gator/Gain, CNBabe, Weatherbug, My Search Bar or MyWay Speed Bar. If they're there, uninstall them.

tweak'e
18-05-2005, 11:13 AM
Remove these:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RAMPUP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: RamPup.exe
O4 - Startup: RAMPUP.INI
O4 - Startup: SCREENTHEMES.LNK = C:\SCTHEMES\SCTHEMES.EXE

DO NOT REMOVE "O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun"

It would pay to boot into safe mode and scan with the usual spyware/antivirus tools. Also, next time you do a HJT log, do it from safe mode.
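The triage that Speedy Gonzales and tweak'e do by eye above (a browser proxy pointed at 127.0.0.1, loose files in the Startup folder, an O16 ActiveX download from a site nobody recognises) can be written down as rules and run over a HijackThis log. The script below is an added example, not part of any post in this thread and not a HijackThis feature; the sample lines are taken from the log posted above, and the list of hosts from which an O16 download is treated as expected is an assumption you would adjust for your own machine.

```python
import re
from urllib.parse import urlparse

# A few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - Startup: RamPup.exe
O4 - Startup: RAMPUP.INI
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
"""

# Assumption: hosts from which an ActiveX download (O16 DPF) is expected on this
# machine. Anything else is surfaced for a human to look at, not auto-removed.
TRUSTED_DPF_SUFFIXES = ("msn.com", "microsoft.com", "windowsupdate.com")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

# Every HijackThis entry starts with a section code such as R1, O4, O16.
LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")


def _proxy_is_loopback(body):
    """True if an IE ProxyServer value routes traffic through the local machine."""
    m = re.search(r"ProxyServer\s*=\s*(.+)$", body)
    if not m:
        return False
    for entry in m.group(1).split(";"):       # value may list http=...;ftp=...
        target = entry.split("=", 1)[-1]      # drop the optional "http=" prefix
        host = target.rsplit(":", 1)[0].strip()  # drop the port
        if host in LOOPBACK_HOSTS:
            return True
    return False


def _dpf_host(body):
    """Hostname the O16 .cab was fetched from, or None if no URL is present."""
    m = re.search(r"(https?://\S+)", body)
    return urlparse(m.group(1)).hostname if m else None


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")

        if sect in ("R0", "R1") and "ProxyServer" in body and _proxy_is_loopback(body):
            findings.append((sect, "browser proxy points at the local machine; "
                                   "find the process listening on that port", line))

        elif sect == "O4" and body.startswith("Startup:"):
            target = body[len("Startup:"):].strip()
            # Heuristic: installers register a .lnk in the Startup folder; a bare
            # .exe or .ini dropped straight into the folder is unusual.
            if not target.lower().split(" = ")[0].endswith(".lnk"):
                findings.append((sect, "file placed directly in the Startup folder "
                                       "rather than a shortcut", line))

        elif sect == "O16":
            host = _dpf_host(body)
            if host and not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append((sect, "ActiveX package downloaded from an "
                                       "untrusted host: %s" % host, line))
    return findings


if __name__ == "__main__":
    for sect, reason, line in triage(SAMPLE_LOG):
        print("%s  %s\n    %s" % (sect, reason, line))
```

Run against the posted log it flags exactly the four entries both helpers picked out (the loopback proxy, RamPup.exe and RAMPUP.INI in Startup, and the imgfarm.com .cab) and leaves the MSN Messenger download and the Guidescope shortcut alone. The rules only surface entries; as with HijackThis itself, deciding to fix one is still a judgement call, which is why the posts above disagree on ScanRegistry.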