1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

CMD32.DLL was not found

Discussion in 'Earlier Versions of Windows' started by Popsy, Apr 9, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Popsy

    Popsy Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    9
    Whenever I boot or re-boot my computer I end up with an 'Error Starting Program' box stating that "A required. DLL file. CMD32.DLL was not found". The computer functions fine however, whether I leave this 'box' on the screen or click the 'OK' button to remove and acknowledge the message.

    My OS is WIN98SE, and I recently removed a Trojan using CWSShredder from the system. I think the message is a remnant from the Trojan or a horses tail if you like, but how can I get rid of the message and stop the system trying to find CMD32.DLL on start up?
    I've searched for it in the registry: there's no reference to CMD32.DLL. Likewise there's nothing in win.ini or system.ini. So what is triggering my startup to look for CMD32.DLL? Any suggestions would be very greatfully received.
    And for reference here is my HIJACKTHIS log which is 'seems' clean.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:47:32 PM, on 4/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TM1184\CONTROLUTILITY\CONTROLUTILITY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: Dell Control Utility.lnk = C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38037.8280439815
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    Kind Regards and Thanks.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,162
    Hi Popsy,

    After doing research on this problem, this entry is probably the culprit here.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

    Have HJT fix that one. It will create a back-up anyway so if necessary you can restore it but I'm sure it won't be necessary.

    Then search for these files and delete them if you find them

    fgiebar.dll
    flashget.chm
    flashget.exe
    jccatch.dll
    unreg.inf

    This should take care of the problem.

    Cookie
     
  3. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    Also get rid of these too.

    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm

    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm

    O9 - Extra button: FlashGet (HKLM)


    Then do a online scan at one or more of the links below and see what turns up. Post back what it finds if anything.

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/

    http://www.ravantivirus.com/scan/

    http://www3.ca.com/virusinfo/virusscan.aspx
     
  4. Popsy

    Popsy Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    9
    Many thanks for the fast and appreciated responses.
    I've deleted the FlashGet programme entirely and cleaned up the corresponding registry with HiJackThis. But I still have the CMD32.DLL message at boot-up. It appears towards the end of the desktop loading so I assume that whatever is triggering it is 'late' or maybe last in the OS boot sequence.
    The 'new' HiJack log is

    Logfile of HijackThis v1.97.7
    Scan saved at 9:55:03 PM, on 4/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TM1184\CONTROLUTILITY\CONTROLUTILITY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: Dell Control Utility.lnk = C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38037.8280439815
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    I am now going to run the AV Progs mentioned by VirtualMe and will report back. By the way the Trojan earlier removed was CMD32.EXE along with CMD32.DLL.
    Thanks again for kind support.
     
  5. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
  6. Popsy

    Popsy Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    9
    So far I've run TrendMicro which reports CLEAN, but Panda which took a long time to complete has found a virus, given as a Trojan Startpage.BL . The file was securea.html located in my WIN directory. Panda has innoculated it.
    But I think you hit the jackpot, VirtualMe, because I have several other files in my WIN directory, and in my WIN\SYS directory, all with the same recent date and time as the securea.html file, and one of them is winupd.exe, the suspect you mentioned in your last post. My guess is that they have been modified or placed there by the Trojan.

    It's past midnight here, (in Hong Kong), so I'll research this new Trojan and how to get rid of it thoroughly tomorrow, but I did just want to express my thanks again for putting me on the right track. I'll update you with my progress.
     
  7. Popsy

    Popsy Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    9
    Hi again, VirtualMe & CookieGal,
    I deleted the winupd.exe run entry using HijackThis, and the message for CMD32.DLL on re-boot has now gone. Good News!! I'll sleep better. And Thanks.
    But I still have to thoroughly clean up the Trojan which I'll get to tomorrow.
    Kind Regards, meanwhile.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,162
    Sounds great, glad VirtualMe was able to pick up on that for you.

    Cookie :)
     
  9. Popsy

    Popsy Thread Starter

    Joined:
    Apr 9, 2004
    Messages:
    9
    An update and follow up.

    A RAV scan showed a couple of virii in old (circa2001) inbox outlook express emails as well as picking up the remnants of the StartPage.BL. This RAV scanner is really good, (no wonder Microsoft bought the Company) and I would like to buy a copy to replace or supplement my present NortonAV. The RAV site though says their AV software is no longer being sold or available so I'm wondering if there are any suggestions in this regard.

    The last eTrust AV scan showed clean yet it may be the result of the earlier three scanners innoculating some of the virii/trojan files.

    So of the 'online' scanners both Panda and RAV "rock", at least in my present instance.

    Using the date and time of the infected 'securea.html' file as reference, I moved the following files to an 'inactive' directory. They were:

    From WIN directory:
    consol32.exe
    msstasks.exe
    mstaskss.exe
    sdsini.ini
    secureb.html
    test
    toffel32.exe
    winupd.exe

    And from WIN\SYSTEM directory:
    appsys.exe
    mstasks1.exe
    mstasks2.exe

    The properties of some of these files indicated they are DOS executables! They are in an 'inactive' directory since I'm not sure whether any of them are genuine and required OS files in which case I can reinstate them. So far though the system works fine without them. The only one file which I didn't move, with the same date and time as the infected one, was 'hosts.sam'. I read on an AV advisory that this file should contain only "127.0.0.1 localhost" which it does.

    So thats about it. The problem is solved and the computer works fine. Again my thanks for your much appreciated help.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,162
    Glad you got it all worked out.

    Cookie :)
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/218646

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice