[Resolved] Run32.DLL ? ?

[Akmorph]

I am constanly seeing this when i look at my task manager.. yet when i check my msconfig start upfile i dont see squat about this dll.. can anyone shed some light on what it is .. what it might be doing , why i have 3 of them constantly running .. and why my adaware , and other programs dont dectect any foul play ?

thanks for the time!

 

[Davey7549]

Akmorph
Are you sure this program showing in task manager is Run32.dll and not Rundll32?
If you are sure it is run32.dll then we need to start looking what critter you have running around in your machine.

Either way a free online virus scan is in order and also downloading the startuplist and spybot.

Free online virus scan Here

And download the startuplist and spybot Here

If anything is found in the online virus scan record what it is and let Housecalls help remove and let us know what it found.

Now for the startuplist.
Unpack the program and run it. After it runs it will produce a report of all startup items. Copy and paste the result file here.

After we have a peek at the startuplist then we will move on to spybot and its instructions.

Dave

 

[Akmorph]

Holy .. nice virus program .. norton couldnt even find these

BKDR_DELF.BZ
BKDR_DELF.BZ
BKDR_DELF.BZ
BKDR_SUB7.21F
BKDR_SUB7.21F
BKDR_DELF.BF
BKDR_DELF.BZ
JS_SEEKER.E1
JS_SEEKER.E1
TROJ_JUSTIN.A

Ok thank you for helping me get rid of that shiz!!!.. heres a long list of what ever it just ran on my comp

-==============================================
StartupList report, 1/31/2003, 5:10:36 PM
StartupList version: 1.51
Started from : F:\Program Files\Lurk\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Tweak-XP\blads.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\AIM95\aim.exe
F:\Program Files\Executive Software\DiskeeperServer\DKService.exe
F:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\WINDOWS\System32\RUNDLL32.exe
F:\WINDOWS\System32\RUNDLL32.exe
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Lurk\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

New.net Startup = rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
GhostStartTrayApp = F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
TkBellExe = F:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ATI Launchpad = "F:\Program Files\ATI Multimedia\main\launchpd.exe"
BlockAds = C:\Program Files\Tweak-XP\blads.exe
MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
media_stub = C:\Program Files\ebkrdr\stub.exe
AIM = F:\Program Files\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {00000000-0000-0000-0000-000000000000}
(no name) - F:\WINDOWS\System32\TPS108.dll (file missing) - {0000026A-8230-4DD4-BE4F-6889D1E74167}
(no name) - F:\WINDOWS\System32\F1.dll - {00000EF1-34E3-4633-87C6-1AA7A44296DA}
(no name) - F:\PROGRA~1\COMMON~1\MSIETS\msiets.dll - {0A68C5A2-64AE-4415-88A2-6542304A4745}
(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
(no name) - F:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - F:\PROGRA~1\BARGAI~1\bin\apuc.dll - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}
(no name) - F:\WINDOWS\System32\msiein.dll - {D6E66235-7AA6-44ED-A06C-6F2033B1D993}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Mephbot.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HS_live Control]
InProcServer32 = F:\WINDOWS\System32\HS_live.ocx
CODEBASE = http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Video Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[RdxIE Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/30e6d7b61d9471872822/netzip/RdxIE6.cab

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[{9656B666-992F-4D74-8588-8CA69E97D90C}]
CODEBASE = http://www.commonname.com/en/oneclick/uninstbb.cab

[Update Class]
InProcServer32 = F:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.8187152778

[eConn Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\eConnect.dll
CODEBASE = http://econnect.libereco.net/econnect.cab

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: F:\Program Files\NewDotNet\newdotnet4_50.dll
Protocol #1: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
Protocol #2: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
Protocol #8: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
Protocol #9: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL

--------------------------------------------------
End of report, 6,869 bytes
Report generated in 0.191 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Davey7549]

Well AKA Dan it seems you had enough worms and Trojans to go fishing!

Now that we have that behind us you need to get rid of a load of Parasites in the form of Spyware you still have. Many of your BHO's (Browser Helper Objects) are nasties.

Before We setup the program to do that (Spybot) I would like you to Go to Add-Remove Programs in control Panel and locate Newdot.net then highlight it and click remove for uninstall.

After uninstall restart system.

Now Locate the ssd14.exe Spybot setup program Executable I had you download and double click to install. After install locate the Program Icon and double click to start program. After arriving at main screen make sure all updates are current by click the Online tab and check for updates. If updates found click all boxes of updates listed and retrieve updates.

After updates are installed then click the Settings tab and then click the file sets tab. Make sure the checkmarks are removed for System Tracks and also for Internals. These you can read about and look at later if you wish but be careful about using unless you research.

After checkmarks are removed in above items then click the Spybot S&D tab and Click the "Check for Problems Tab" to run program.

Program will list many items I am sure and the ones in red are the ones we want to remove so make sure there are checkmarks in boxes for the red items and then click "fix problems".

Note: Only let Spybot fix the red items in case the file sets was set wrong.

After all items are removed then restart system and rerun Startuplist and post your results back here again.

Dave

 

[Rollin' Rog]

all those rundll32.exe's are associated with the latest version of NAV (2003). Everyone who has it seems to have at least two of them running.

You do have a lot of Spyware there. As Davey said, another startuplist after running Spybot is necessary. I'd also recommend you run Spybot TWICE. Reboot after each run, then repost the startuplist.

There's bound to be stuff left that wasn't removed. TonyKlein is really tops at breaking those things down, but I'll go through it if he's not around.

 

[Akmorph]

Ok ran search&destroy and ran start up again .. hopefully this fixxed some of the problems.. i anxiously wait your reply .. thank you again


Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Tweak-XP\blads.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\AIM95\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
F:\Program Files\Executive Software\DiskeeperServer\DKService.exe
F:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\System32\RUNDLL32.exe
F:\WINDOWS\System32\RUNDLL32.exe
F:\Program Files\Lurk\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
GhostStartTrayApp = F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
TkBellExe = F:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ATI Launchpad = "F:\Program Files\ATI Multimedia\main\launchpd.exe"
BlockAds = C:\Program Files\Tweak-XP\blads.exe
MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
AIM = F:\Program Files\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Mephbot.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HS_live Control]
InProcServer32 = F:\WINDOWS\System32\HS_live.ocx
CODEBASE = http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Video Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[RdxIE Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/30e6d7b61d9471872822/netzip/RdxIE6.cab

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = F:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.8187152778

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 5,505 bytes
Report generated in 0.190 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[TonyKlein]

One bad BHO still remains:

Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}

It's IGN Keywords

Download BHODemon, launch the program, and locate BHO001.DLL.

Highlight it, click 'details', and in "Select Status" click disabled

Click OK, and close the program

And there are a few ActiveX objects that need to go.

Go to Internet Options > Temp Internet Files > Settings > Show Objects, and locate and remove the following:

[Video Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

[RdxIE Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/30e6d7b61d9471...tzip/RdxIE6.cab

 

[Akmorph]

Thank you all very much for helping me get most of this crap off of my comp.. a while this stuff i never knew was on it .and by you guys helping me i will be able to help people in the future with getting this crap off their systems..

 

[Davey7549]

Akmorph

Glad we all could help solve your problem for you!

Also to answer your original question AdAware will be coming out with long anticipated version 6.0 early Feb 2003 which will replace the now vastly outdated 5.83. If you have 5.83 or older you may as well uninstall it because 6.0 is suppose to be a brand new engine.

Dave