CMD32.DLL was not found

[Popsy]

Whenever I boot or re-boot my computer I end up with an 'Error Starting Program' box stating that "A required. DLL file. CMD32.DLL was not found". The computer functions fine however, whether I leave this 'box' on the screen or click the 'OK' button to remove and acknowledge the message.

My OS is WIN98SE, and I recently removed a Trojan using CWSShredder from the system. I think the message is a remnant from the Trojan or a horses tail if you like, but how can I get rid of the message and stop the system trying to find CMD32.DLL on start up?
I've searched for it in the registry: there's no reference to CMD32.DLL. Likewise there's nothing in win.ini or system.ini. So what is triggering my startup to look for CMD32.DLL? Any suggestions would be very greatfully received.
And for reference here is my HIJACKTHIS log which is 'seems' clean.

Logfile of HijackThis v1.97.7
Scan saved at 4:47:32 PM, on 4/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TM1184\CONTROLUTILITY\CONTROLUTILITY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Dell Control Utility.lnk = C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38037.8280439815
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

Kind Regards and Thanks.

 

[Cookiegal]

Hi Popsy,

After doing research on this problem, this entry is probably the culprit here.

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

Have HJT fix that one. It will create a back-up anyway so if necessary you can restore it but I'm sure it won't be necessary.

Then search for these files and delete them if you find them

fgiebar.dll
flashget.chm
flashget.exe
jccatch.dll
unreg.inf

This should take care of the problem.

Cookie

 

[VirtualMe]

Also get rid of these too.

O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: FlashGet (HKLM)


Then do a online scan at one or more of the links below and see what turns up. Post back what it finds if anything.

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/

http://www.ravantivirus.com/scan/

http://www3.ca.com/virusinfo/virusscan.aspx

 

[Popsy]

Many thanks for the fast and appreciated responses.
I've deleted the FlashGet programme entirely and cleaned up the corresponding registry with HiJackThis. But I still have the CMD32.DLL message at boot-up. It appears towards the end of the desktop loading so I assume that whatever is triggering it is 'late' or maybe last in the OS boot sequence.
The 'new' HiJack log is

Logfile of HijackThis v1.97.7
Scan saved at 9:55:03 PM, on 4/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TM1184\CONTROLUTILITY\CONTROLUTILITY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Dell Control Utility.lnk = C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38037.8280439815
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

I am now going to run the AV Progs mentioned by VirtualMe and will report back. By the way the Trojan earlier removed was CMD32.EXE along with CMD32.DLL.
Thanks again for kind support.

 

[VirtualMe]

This one here is why I want you to run the online scan.

O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe

It may be virus related (BEAGLE.M or BEAGLE.N VIRUS), but want to be sure, so as to remove it right, if it is.

http://www.sysinfo.org/startuplist.php?filter=winupd.exe&count=&type=

 

[Popsy]

So far I've run TrendMicro which reports CLEAN, but Panda which took a long time to complete has found a virus, given as a Trojan Startpage.BL . The file was securea.html located in my WIN directory. Panda has innoculated it.
But I think you hit the jackpot, VirtualMe, because I have several other files in my WIN directory, and in my WIN\SYS directory, all with the same recent date and time as the securea.html file, and one of them is winupd.exe, the suspect you mentioned in your last post. My guess is that they have been modified or placed there by the Trojan.

It's past midnight here, (in Hong Kong), so I'll research this new Trojan and how to get rid of it thoroughly tomorrow, but I did just want to express my thanks again for putting me on the right track. I'll update you with my progress.

 

[Popsy]

Hi again, VirtualMe & CookieGal,
I deleted the winupd.exe run entry using HijackThis, and the message for CMD32.DLL on re-boot has now gone. Good News!! I'll sleep better. And Thanks.
But I still have to thoroughly clean up the Trojan which I'll get to tomorrow.
Kind Regards, meanwhile.

 

[Cookiegal]

Sounds great, glad VirtualMe was able to pick up on that for you.

Cookie

 

[Popsy]

An update and follow up.

A RAV scan showed a couple of virii in old (circa2001) inbox outlook express emails as well as picking up the remnants of the StartPage.BL. This RAV scanner is really good, (no wonder Microsoft bought the Company) and I would like to buy a copy to replace or supplement my present NortonAV. The RAV site though says their AV software is no longer being sold or available so I'm wondering if there are any suggestions in this regard.

The last eTrust AV scan showed clean yet it may be the result of the earlier three scanners innoculating some of the virii/trojan files.

So of the 'online' scanners both Panda and RAV "rock", at least in my present instance.

Using the date and time of the infected 'securea.html' file as reference, I moved the following files to an 'inactive' directory. They were:

From WIN directory:
consol32.exe
msstasks.exe
mstaskss.exe
sdsini.ini
secureb.html
test
toffel32.exe
winupd.exe

And from WIN\SYSTEM directory:
appsys.exe
mstasks1.exe
mstasks2.exe

The properties of some of these files indicated they are DOS executables! They are in an 'inactive' directory since I'm not sure whether any of them are genuine and required OS files in which case I can reinstate them. So far though the system works fine without them. The only one file which I didn't move, with the same date and time as the infected one, was 'hosts.sam'. I read on an AV advisory that this file should contain only "127.0.0.1 localhost" which it does.

So thats about it. The problem is solved and the computer works fine. Again my thanks for your much appreciated help.

 

[Cookiegal]

Glad you got it all worked out.

Cookie