| Thread ID: 57960 | 2005-05-17 10:19:00 | Rundll32 file not found. | waldorf (7440) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 355995 | 2005-05-17 10:19:00 | Yesterday my computer went a bit squiffy (coincidentally after opening some emails). It started running continuously until I rebooted it. The start menu had two entries I hadn't noticed before:
crypt /System/Dirdata.exe expolarx /sysrem/ dirdata.exe
The Running processes included Dirdata and Dirmiss32 which I had never noticed before. I suspect some infection. After a bit of online research I disabled the above MS programs, which can be hijacked by Trojans, into the system file and things improved. I have run a number of well known spyfinder tools to no avail. But I have no rundll to make shortcuts work, for example I can't use Control Panel or the internet shortcuts. My primary concern is to restore shortcut function. How please? The Rundll file icon appears in the System file but it is just a picture :badpc: |
waldorf (7440) | ||
| 355996 | 2005-05-17 10:40:00 | what antivirus do you use? is it trying to access the net? eg is anything unusual listed in your firewall? |
tweak'e (69) | ||
| 355997 | 2005-05-17 10:42:00 | I would get trojan remover. See if this picks anything up www.simplysup.com Update it then scan.. Or get hijackthis make a folder called hjt, and unzip the hijackthis file into this folder. Do a scan and post a log here. |
Speedy Gonzales (78) | ||
| 355998 | 2005-05-17 10:43:00 | Have you spelt these file names correctly?? To fix shortcut problem. Try this click start then run, in this box type sfc /scannow note there is a space after sfc. This will run the windows file checker which should replace any missing files. Or grab Rundll32 from here. www.richardthelionhearted.com hth |
johnboy (217) | ||
| 355999 | 2005-05-17 12:55:00 | Thanks guys. I have reinstalled rundll from that site. Duh, I had actually been on that page earlier in the day when I was getting Hijack to try. It showed up this list. Since I disabled those items I mentioned things seem to be back to relative normality now my icons work.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:08 p.m., on 17/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\GUIDESCOPE\GUIDE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RAMPUP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\SPYWARE TOOLSR\HIJACK\HIJACKTHIS.EXE
C:\MY DOCUMENTS\DOWNLOADS\SPYWARE TOOLSR\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - Startup: RamPup.exe
O4 - Startup: RAMPUP.INI
O4 - Startup: SCREENTHEMES.LNK = C:\SCTHEMES\SCTHEMES.EXE
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com |
waldorf (7440) | ||
| 356000 | 2005-05-17 13:13:00 | Speedy is not around at the moment I don't think, he is the Master Blaster when it comes to HijackThis logs but in the meantime you could go here and follow instructions: http://hjt.iamnotageek.com/ It is a HijackThis log analyser. |
zqwerty (97) | ||
| 356001 | 2005-05-17 21:14:00 | C:\PROGRAM FILES\GUIDESCOPE\GUIDE.EXE
Do you use some kind of popup stopper?? I think this is what this is. Not sure if it's spyware as well. Leave this entry unticked for now.

C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
Tick this. See if Backweb or similar is in add/remove programs. If it is uninstall it.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
Tick this entry

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
Tick this entry

O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
Tick this entry

O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
This looks like a popup stopper program. Leave this unticked for now.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
Tick this.

The above where I've said to tick, tick them and click on fix then reboot. Also check add/remove for these: Gator/Gain, CNBabe, Weatherbug, My Search Bar or MyWay Speed Bar. If they're there, uninstall them. |
Speedy Gonzales (78) | ||
| 356002 | 2005-05-17 23:13:00 | remove these.

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RAMPUP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: RamPup.exe
O4 - Startup: RAMPUP.INI
O4 - Startup: SCREENTHEMES.LNK = C:\SCTHEMES\SCTHEMES.EXE

DO NOT REMOVE "O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun"

it would pay to boot into safe mode and scan with the usual spyware/antivirus tools. also next time you do a hjt log do it from safe mode. |
tweak'e (69) | ||
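
Added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted above. It groups entries by section code, lists the O4 autostart entries the replies go through, and reports the loopback ProxyServer setting that both replies pick out (a loopback value means a local process sits between the browser and the network). The sample lines are copied from the posted log; the function names are illustrative and the patterns cover only the entry shapes seen in this log.

```python
import re
from collections import defaultdict
# Constructed sample: entries copied from the log posted in this thread, one per line.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: RamPup.exe
O4 - Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
"""
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")                   # section code, detail
O4_REG = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")    # registry Run keys
O4_DIR = re.compile(r"^(Startup|Global Startup): (.+?)(?: = (.+))?$")  # Startup folders
PROXY = re.compile(r",ProxyServer = (?:\w+=)?([^:;\s]+):(\d+)")

def parse_hjt(text):
    """Group entries by HijackThis section code (R0, R1, O4, O16, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def autostarts(sections):
    """(location, name, command) for each O4 entry, i.e. what starts with Windows."""
    out = []
    for detail in sections.get("O4", []):
        m = O4_REG.match(detail) or O4_DIR.match(detail)
        if m:
            loc, name, cmd = m.groups()
            out.append((loc, name, cmd or name))  # bare Startup file: the file is the command
    return out

def loopback_proxy(sections):
    """(host, port) if IE's ProxyServer points at this machine, else None."""
    for code in ("R0", "R1"):
        for detail in sections.get(code, []):
            m = PROXY.search(detail)
            if m and (m.group(1) == "localhost" or m.group(1).startswith("127.")):
                return m.group(1), int(m.group(2))
    return None

if __name__ == "__main__":
    s = parse_hjt(SAMPLE)
    print(loopback_proxy(s), *autostarts(s), sep="\n")
```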