
[Resolved] Run32.DLL ? ?

Discussion in 'Virus & Other Malware Removal' started by Akmorph, Jan 30, 2003.

Thread Status:
Not open for further replies.
  1. Akmorph

    Akmorph Thread Starter

    Joined:
    Nov 14, 2002
    Messages:
    114
    I am constantly seeing this when I look at my task manager.. yet when I check my msconfig startup file I don't see squat about this dll.. can anyone shed some light on what it is.. what it might be doing, why I have 3 of them constantly running.. and why my adaware and other programs don't detect any foul play?

    thanks for the time!
     
  2. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Akmorph
    Are you sure this program showing in task manager is Run32.dll and not Rundll32?
    If you are sure it is run32.dll then we need to start looking at what critter you have running around in your machine.

    Either way a free online virus scan is in order and also downloading the startuplist and spybot.

    Free online virus scan Here

    And download the startuplist and spybot Here

    If anything is found in the online virus scan, record what it is, let Housecalls help remove it, and let us know what it found.

    Now for the startuplist.
    Unpack the program and run it. After it runs it will produce a report of all startup items. Copy and paste the result file here.

    After we have a peek at the startuplist then we will move on to spybot and its instructions.

    Dave
     
  3. Akmorph

    Akmorph Thread Starter

    Joined:
    Nov 14, 2002
    Messages:
    114
    Holy.. nice virus program.. Norton couldn't even find these

    BKDR_DELF.BZ
    BKDR_DELF.BZ
    BKDR_DELF.BZ
    BKDR_SUB7.21F
    BKDR_SUB7.21F
    BKDR_DELF.BF
    BKDR_DELF.BZ
    JS_SEEKER.E1
    JS_SEEKER.E1
    TROJ_JUSTIN.A

    Ok thank you for helping me get rid of that shiz!!!.. here's a long list of whatever it just ran on my comp

    -==============================================
    StartupList report, 1/31/2003, 5:10:36 PM
    StartupList version: 1.51
    Started from : F:\Program Files\Lurk\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\System32\rundll32.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    F:\Program Files\QuickTime\qttask.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Tweak-XP\blads.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Program Files\AIM95\aim.exe
    F:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    F:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINDOWS\System32\RUNDLL32.exe
    F:\WINDOWS\System32\RUNDLL32.exe
    F:\WINDOWS\System32\rundll32.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Lurk\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = F:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    New.net Startup = rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    GhostStartTrayApp = F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    TkBellExe = F:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ATI Launchpad = "F:\Program Files\ATI Multimedia\main\launchpd.exe"
    BlockAds = C:\Program Files\Tweak-XP\blads.exe
    MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
    media_stub = C:\Program Files\ebkrdr\stub.exe
    AIM = F:\Program Files\AIM95\aim.exe -cnetwait.odl

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {00000000-0000-0000-0000-000000000000}
    (no name) - F:\WINDOWS\System32\TPS108.dll (file missing) - {0000026A-8230-4DD4-BE4F-6889D1E74167}
    (no name) - F:\WINDOWS\System32\F1.dll - {00000EF1-34E3-4633-87C6-1AA7A44296DA}
    (no name) - F:\PROGRA~1\COMMON~1\MSIETS\msiets.dll - {0A68C5A2-64AE-4415-88A2-6542304A4745}
    (no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
    (no name) - F:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - F:\PROGRA~1\BARGAI~1\bin\apuc.dll - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}
    (no name) - F:\WINDOWS\System32\msiein.dll - {D6E66235-7AA6-44ED-A06C-6F2033B1D993}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Mephbot.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HS_live Control]
    InProcServer32 = F:\WINDOWS\System32\HS_live.ocx
    CODEBASE = http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

    [QuickTime Object]
    InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Video Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
    CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [RdxIE Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/30e6d7b61d9471872822/netzip/RdxIE6.cab

    [HouseCall Control]
    InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [{9656B666-992F-4D74-8588-8CA69E97D90C}]
    CODEBASE = http://www.commonname.com/en/oneclick/uninstbb.cab

    [Update Class]
    InProcServer32 = F:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.8187152778

    [eConn Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\eConnect.dll
    CODEBASE = http://econnect.libereco.net/econnect.cab

    [Shockwave Flash Object]
    InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #4: F:\Program Files\NewDotNet\newdotnet4_50.dll
    Protocol #1: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
    Protocol #2: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
    Protocol #8: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
    Protocol #9: F:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL

    --------------------------------------------------
    End of report, 6,869 bytes
    Report generated in 0.191 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Well AKA Dan it seems you had enough worms and Trojans to go fishing!:eek: ;)

    Now that we have that behind us you need to get rid of a load of Parasites in the form of Spyware you still have. Many of your BHO's (Browser Helper Objects) are nasties.

    Before we set up the program to do that (Spybot) I would like you to go to Add-Remove Programs in Control Panel and locate Newdot.net, then highlight it and click Remove to uninstall.

    After uninstall restart system.

    Now locate the ssd14.exe Spybot setup program executable I had you download and double click to install. After install locate the program icon and double click to start the program. After arriving at the main screen make sure all updates are current by clicking the Online tab and checking for updates. If updates are found, click all boxes of the updates listed and retrieve the updates.

    After updates are installed then click the Settings tab and then click the file sets tab. Make sure the checkmarks are removed for System Tracks and also for Internals. These you can read about and look at later if you wish but be careful about using unless you research.

    After checkmarks are removed in above items then click the Spybot S&D tab and Click the "Check for Problems Tab" to run program.

    Program will list many items I am sure and the ones in red are the ones we want to remove so make sure there are checkmarks in boxes for the red items and then click "fix problems".

    Note: Only let Spybot fix the red items in case the file sets was set wrong.

    After all items are removed then restart system and rerun Startuplist and post your results back here again.

    Dave
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    all those rundll32.exe's are associated with the latest version of NAV (2003). Everyone who has it seems to have at least two of them running.

    You do have a lot of Spyware there. As Davey said, another startuplist after running Spybot is necessary. I'd also recommend you run Spybot TWICE. Reboot after each run, then repost the startuplist.

    There's bound to be stuff left that wasn't removed. TonyKlein is really tops at breaking those things down, but I'll go through it if he's not around.
     
  6. Akmorph

    Akmorph Thread Starter

    Joined:
    Nov 14, 2002
    Messages:
    114
    Ok, ran search&destroy and ran startup again.. hopefully this fixed some of the problems.. I anxiously await your reply.. thank you again


    Running processes:

    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    F:\Program Files\QuickTime\qttask.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Tweak-XP\blads.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Program Files\AIM95\aim.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    F:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    F:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\WINDOWS\System32\RUNDLL32.exe
    F:\WINDOWS\System32\RUNDLL32.exe
    F:\Program Files\Lurk\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = F:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    GhostStartTrayApp = F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    TkBellExe = F:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ATI Launchpad = "F:\Program Files\ATI Multimedia\main\launchpd.exe"
    BlockAds = C:\Program Files\Tweak-XP\blads.exe
    MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
    AIM = F:\Program Files\AIM95\aim.exe -cnetwait.odl

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
    Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Mephbot.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HS_live Control]
    InProcServer32 = F:\WINDOWS\System32\HS_live.ocx
    CODEBASE = http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

    [QuickTime Object]
    InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Video Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
    CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [RdxIE Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/30e6d7b61d9471872822/netzip/RdxIE6.cab

    [HouseCall Control]
    InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = F:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.8187152778

    [Shockwave Flash Object]
    InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 5,505 bytes
    Report generated in 0.190 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    One bad BHO still remains:

    Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}

    It's IGN Keywords

    Download BHODemon, launch the program, and locate BHO001.DLL.

    Highlight it, click 'details', and in "Select Status" click disabled

    Click OK, and close the program

    And there are a few ActiveX objects that need to go.

    Go to Internet Options > Temp Internet Files > Settings > Show Objects, and locate and remove the following:

    [Video Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\videox.dll
    CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

    [RdxIE Class]
    InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/30e6d7b61d9471...tzip/RdxIE6.cab
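
Comparing the Browser Helper Object sections of the two StartupList reports posted above, keyed by CLSID, shows which entries Spybot removed and which remain. This is an added example, not part of the thread or of StartupList itself; the function names are hypothetical and the section layout is assumed from the reports shown here.

```python
import re

SEPARATOR = re.compile(r"^-{10,}$")
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")

# BHO sections copied from the two reports in this thread (before and after Spybot).
BEFORE = r"""
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {00000000-0000-0000-0000-000000000000}
(no name) - F:\WINDOWS\System32\TPS108.dll (file missing) - {0000026A-8230-4DD4-BE4F-6889D1E74167}
(no name) - F:\WINDOWS\System32\F1.dll - {00000EF1-34E3-4633-87C6-1AA7A44296DA}
(no name) - F:\PROGRA~1\COMMON~1\MSIETS\msiets.dll - {0A68C5A2-64AE-4415-88A2-6542304A4745}
(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
(no name) - F:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - F:\PROGRA~1\BARGAI~1\bin\apuc.dll - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}
(no name) - F:\WINDOWS\System32\msiein.dll - {D6E66235-7AA6-44ED-A06C-6F2033B1D993}
--------------------------------------------------
"""
AFTER = r"""
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
Natural Language Navigation - F:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
"""

def split_sections(report):
    """Map each section heading (first line ending in ':') to its entry lines."""
    sections, heading = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SEPARATOR.match(line):
            heading = None              # a dashed rule closes the current section
        elif heading is None:
            if line.endswith(":"):      # report banner lines without ':' are skipped
                heading = line[:-1]
                sections.setdefault(heading, [])
        else:
            sections[heading].append(line)
    return sections

def bho_map(report):
    """Return {CLSID: (name, path)} for the Browser Helper Objects section."""
    lines = split_sections(report).get("Enumerating Browser Helper Objects", [])
    matches = (BHO_LINE.match(entry) for entry in lines)
    return {m["clsid"].upper(): (m["name"], m["path"]) for m in matches if m}

def diff_bhos(before, after):
    """Classify BHO CLSIDs as removed, remaining, or new between two reports."""
    b, a = bho_map(before), bho_map(after)
    return {"removed": sorted(b.keys() - a.keys()),
            "remaining": sorted(b.keys() & a.keys()),
            "new": sorted(a.keys() - b.keys())}

if __name__ == "__main__":
    for status, clsids in diff_bhos(BEFORE, AFTER).items():
        print(status, clsids)
```
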
     
  8. Akmorph

    Akmorph Thread Starter

    Joined:
    Nov 14, 2002
    Messages:
    114
    Thank you all very much for helping me get most of this crap off of my comp.. a while this stuff I never knew was on it.. and by you guys helping me I will be able to help people in the future with getting this crap off their systems..
     
  9. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Akmorph

    Glad we all could help solve your problem for you!

    Also, to answer your original question, AdAware will be coming out with the long anticipated version 6.0 in early Feb 2003, which will replace the now vastly outdated 5.83. If you have 5.83 or older you may as well uninstall it because 6.0 is supposed to be a brand new engine.

    Dave
     
Short URL to this thread: https://techguy.org/116179
