Solved: Rundll32.exe or one of its components missing

Discussion in 'Virus & Other Malware Removal' started by Filewasp, Dec 15, 2004.

Thread Status:
Not open for further replies.
  1. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Things have been going way too good. I installed ICQ a bit back, and also installed AutoCAD 2002 (that probably is not the problem). But when I went to Add/Remove, it gives the Control Panel warning that Rundll32.exe or one of its components could not be found. So obviously I cannot uninstall beans. Ran Adaware and Spybot and am running clean. Hmmmmm. . . . .
     
  2. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Logfile of HijackThis v1.98.2
    Scan saved at 8:48:53 PM, on 12/15/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\HOSTEXPOLER.EXE
    C:\WINDOWS\SYSTEM\SPOOLDIR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\CAUGHT PROGRAMS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_16_0.DLL
    O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_16_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [datacrypt] C:\WINDOWS\SYSTEM\hostexpoler.exe
    O4 - HKLM\..\Run: [servicerunx] C:\WINDOWS\SYSTEM\spooldir.exe %srun%
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5D409149-F8C3-11D3-859B-00105A10A549} (Agent2Flash Class) - http://www.learn2mail.com/L2MailComponents/L2MailDesigner.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
     
  3. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
  4. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Elvandil, I really have no idea what Hostexpoler.exe is although if I do a find file it shows it was created Dec 2, 44.9 KB is the size, an application in Windows / System
     
  5. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    In msconfig it is listed under the start up as datacrypt and then the C:WINDOWS/SYSTEM/hostexpoler.exe
     
  6. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Running a scan at Trend. I had some alerts from Earthlink saying it blocked a couple e-mails that had viruses attached, so it blocked them; oddly enough, Trend came up with 2 worms with the same name as who the e-mail came from: something like "Sober". It did show the worm as being the mentioned hostexpoler.exe. Will continue the scan at Trend HouseCall and hopefully I can restore the Rundll32.exe, as it is a very necessary library file that finds all others if I am not mistaken. Be back in a jiffy. Steve.
     
  7. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Search your computer for the Win98_46.cab file and note its location. The location (path) represents the folder that contains your installation files.

    Run SFC. Select "Extract one file from the installation Disk" and type Rundll32.exe. As the source (Extract from), use the path where your installation files are. As the target (Save in), select C:\Windows.

    Once the file is extracted, test the Control Panel.
     
  8. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    I'll check that out when the scan is finished. Thanks so much, I was getting firewall alerts for spooldir trying to access the internet and it is mentioned in the trend findings so far but I want it to finish. So you are saying that a SFC might work, but don't I have to extract the file from my Win 98SE disc? Or is it saved on the hard drive somewhere? And I can save it just in Windows not specifically Windows/System? Sounds good, if all goes well, shoot I just reformatted two months ago! The scan is still running.
     
  9. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    No file was found on the C drive for Win98_46.cab
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Perform the same search in your Windows 98 CD, and proceed with the extraction of this file. This time the Source (Extract from) will be the path (location) of the .cab file. The target is C:\Windows.
     
  11. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    !!! Cool thanks. It's still running. (Trend) Apparently the Sober.I Worm is rampant in e-mails.
     
  12. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Nice going! Wait until you and Elvandil resolve the HJT log issue, then if satisfied, use the thread's Tools and mark this thread as "Solved".

    Best wishes!
     
  13. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    No you missed a little bit my friend- I was waiting for the Trend scan to finish and it finally did. It said the hostexpoler.exe was non cleanable so I deleted it. The Sober.I Worm must be in my system (I assume). I still cannot access add/remove (says the rundll32.exe cannot be found). I put in my 98SE disc but really don't know where to look for the file. I tried to use the find files to look at the "E" drive but no go. Is safe mode a resource? Also I notice a little notice on the task bar that said something about "about blank" which I know is a baddie. The page was not open and I have no idea why it was there. Just for a second, then it was gone. Nothing odd running as shown in control/alt/delete. I am pasting a copy of the mention in my start up list in the next post. Right back!
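
Added example, not part of any post in this thread: when a scanner names a file and the file is deleted, the autostart value that launched it is still in the registry. This sketch matches reported file names against the O4 (Run/RunServices/RunOnce) lines of a HijackThis log; `image_name` and `autostarts_for` are hypothetical helper names, and the sample is a few lines copied from the log posted above.

```python
import ntpath
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\HOSTEXPOLER.EXE
C:\WINDOWS\SYSTEM\SPOOLDIR.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [datacrypt] C:\WINDOWS\SYSTEM\hostexpoler.exe
O4 - HKLM\..\Run: [servicerunx] C:\WINDOWS\SYSTEM\spooldir.exe %srun%
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Program part of a command: quoted path, or unquoted path up to its extension
# (unquoted paths may contain spaces, e.g. C:\PROGRAM FILES\...).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|pif|scr))(?=\s|$)', re.I)

def image_name(command):
    """Return the lower-cased file name of the program an autostart command runs."""
    m = EXE_RE.match(command.strip())
    path = (m.group(1) or m.group(2)) if m else command.split()[0]
    return ntpath.basename(path).lower()

def autostarts_for(log_text, detected_files):
    """List autostart entries that launch any file a scanner reported."""
    wanted = {name.lower() for name in detected_files}
    lines = [ln.strip() for ln in log_text.splitlines()]
    # Lines that are a bare drive path belong to the "Running processes" section.
    running = {ntpath.basename(ln).lower() for ln in lines if re.match(r"^[A-Za-z]:\\", ln)}
    hits = []
    for ln in lines:
        m = O4_RE.match(ln)
        if m and image_name(m.group(4)) in wanted:
            hive, key, value, command = m.groups()
            hits.append({"hive": hive, "key": key, "value": value,
                         "command": command, "running": image_name(command) in running})
    return hits

if __name__ == "__main__":
    for hit in autostarts_for(SAMPLE_LOG, ["hostexpoler.exe", "spooldir.exe"]):
        print(hit)
```

Each hit gives the hive, key and value name to review in the startup list, and whether the file was also running when the log was taken.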
     
  14. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    Let's see if this works- - - -
     

  15. Filewasp

    Filewasp Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    664
    I also found two files that are "open with" type
    RUNDLL32~~C C:\WINDOWS\APPLOG\RUNDLL32~~C (2 KB 11/03/04)
    RUNDLL32.LGC C:\WINDOWS\APPLOG\RUNDLL32.LGC (9 KB 11/02/04)
     

Short URL to this thread: https://techguy.org/308286
