
trouble with Control Panel

Discussion in 'Legacy Windows' started by guitarplayer, 2004/01/03.

Thread Status:
Not open for further replies.
  1. 2004/01/03
    guitarplayer

    guitarplayer Inactive Thread Starter

    Joined:
    2004/01/02
    Messages:
    5
    Likes Received:
    0
    Had trouble with spyware a few weeks ago, resulting in my computer being hijacked, search engine changed, bookmarks changed, etc.

    Downloaded CWShredder, SpyBot and Hijack this. Cleared out what was on my computer. But now a few things changed.

    I can open the Control Panel but I cannot open any icon when I open the Control Panel. I tried every way you could imagine and I get a message that says, "Access to path, file or device is denied"

    Also when I boot up I now get a black window that says at the top of the window Rundll32, and when I close the window I get the message, "The file C://windows/rundll32.exe is not a valid MS-Dos program file. It may be damaged."

    Whatever help anyone can provide would surely be appreciated!

    thanks,
    J in VA
     
  2. 2004/01/03
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi guitarplayer
    So were you infected with CWS CoolWebSearch?
    I hope you didn't fix anything with HijackThis without assistance?
    If so, tell us exactly what, or better yet copy and paste its backups here for us.
    You can right click on them and open with, choose Notepad,
    uncheck the always open with box (if it's shown).

    Then post a log. Don't have anything excluded, and that it's the latest version.

    I suggest you also post it and your problems at www.forums.spywareinfo.com also

    Lonny
     


  4. 2004/01/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  5. 2004/01/03
    guitarplayer

    guitarplayer Inactive Thread Starter

    Joined:
    2004/01/02
    Messages:
    5
    Likes Received:
    0
    Lonny yes it was a CoolWeb Search Hijack and yes I did fix with Hijack This but I am sure I only deleted stuff that wasn't supposed to be there. In any case I restored everything the way it was with my backup and here is my current log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:12:00 AM, on 1/3/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\COMPAQ\INTERNET\ISDBDC.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
    C:\WINDOWS\TWAIN\A4s2\Watchdog.exe
    C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\INTERCOM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dazzle Multimedia, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE "
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O4 - Startup: Watchdog.lnk = C:\WINDOWS\TWAIN\A4s2\Watchdog.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\YM Digital Makeover Magic\Temp\MGI00000.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30135.www3.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37969.239212963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


    Good idea Lonny to Post in the Spyware forum, will try it this morning.

    Noah I hadn't run a virus scan because I use a fire wall and I never open attachments or any file from anyone but just in case I ran the Pitstop Scan and it said I had no viruses.

    After restoring everything from the Hijack This log I rebooted and still got the black window with rundll32 and the error message.

    I also still cannot open any icons in my Control Panel!

    When I initially downloaded CWShredder it caught something and I cannot remember what it was. I do know that it was common and unfortunately there is no restore log for Shredder (I think) so it is deleted. I think it deleted maybe advert.dll from Aureate.

    I did some research and spyware is in some of my programs (pi$$es me off too) most notable CuteFTP which I use all the time and need. After using Shredder I found I could not use CuteFTP. This is when I researched and found out about Aureate's spyware. I reinstalled CuteFTP (and the spyware I suppose) and now it works again.

    Do you think its possible something got deleted that I need to open the icons in the Control Panel when all this was going on?

    God I am frustrated now and do not know what to do, I hope you guys or someone can help me.

    I think it should be criminal for companies to attach spyware without your permission!
     
  6. 2004/01/03
    gammaepsilon

    gammaepsilon Inactive

    Joined:
    2003/04/27
    Messages:
    267
    Likes Received:
    0
    Dynamic link libraries are never asked to do any work before Windows gets out of bed so I'd be interested in where that instance of rundll32.exe is being put forward.
     
  7. 2004/01/03
    guitarplayer

    guitarplayer Inactive Thread Starter

    Joined:
    2004/01/02
    Messages:
    5
    Likes Received:
    0
    <<Dynamic link libraries are never asked to do any work before Windows gets out of bed so I'd be interested in where that instance of rundll32.exe is being put forward.>>

    If I am understanding this right, you mean what am I doing to get the rundll32 error message?

    I get it whenever I reboot or boot up my OS.
     
  8. 2004/01/03
    gammaepsilon

    gammaepsilon Inactive

    Joined:
    2003/04/27
    Messages:
    267
    Likes Received:
    0
    A 32 bit application has been invited to run in a 16 bit environment and DOS is not going to buy it. That's why you are getting "The file C://windows/rundll32.exe is not a valid MS-Dos program file. It may be damaged."

    The question is at what point in the boot process is the invitation being made.

    Restart and press F8 or Ctrl to get to the StartUp menu and choose option 2 to create a bootlog.txt file. At the desktop execute c:\bootlog.txt in the Run command line and then do a search for rundll32.
     
  9. 2004/01/03
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I wonder what it was you had removed. Have you restarted the PC after restoring? If not, restart and scan again.

    Also why is SPYBOT running?
    Not related to the problem at hand but worth mentioning:
    here's some info on p_981116.exe DXM6Patch_981116
    http://www.windowsstartup.com/wso/browse.php?l=16
    "It's a leftover from a DirectX 6.0 upgrade. It was supposed to run once and
    go away but on some systems it sticks around. You can un-check the line in
    MSCONFIG and then delete the executable file. "

    also look here but wait on your own post before doing anything
    http://forums.spywareinfo.com/index.php?showtopic=25325&hl=intercom\.exe


    If you've used another name there (spywareinfo) please do tell
    so I could keep an eye on it?
     
  10. 2004/01/03
    guitarplayer

    guitarplayer Inactive Thread Starter

    Joined:
    2004/01/02
    Messages:
    5
    Likes Received:
    0
    Hey Lonney,

    jim n virginia is the username I am using on the spyware forum. Someone there suggests that I download rundll.exe and reinstall and that maybe I just have a case of a damaged file. I'll give it a try and get back to the thread with my results!

    Thanks for your interest!

    --j_n_va--
     
  11. 2004/01/03
    guitarplayer

    guitarplayer Inactive Thread Starter

    Joined:
    2004/01/02
    Messages:
    5
    Likes Received:
    0
    Now I am really confused. I'm now not sure if I need to extract Rundll.exe or Rundll32.exe from the restore disk. In any case I looked for BOTH and cannot find either on the Master restore Disk that came with my computer.

    When I reboot I still get the black window with Rundll32 on top of the window and the same error message when I close the window.

    It says Rundll32 is not a valid program

    Does this mean the file is corrupted or maybe a trojan?
     
  12. 2004/01/03
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Gee, I thought I spotted differences in the log there
    so assumed it wasn't you :) so Lonney might be appropriate


    TonyKlein is one of the best people out there to get help from !!

    I'm keeping an eye on that thread :) good luck
     
  13. 2004/01/04
    gammaepsilon

    gammaepsilon Inactive

    Joined:
    2003/04/27
    Messages:
    267
    Likes Received:
    0
    I had a look at what processes were invoked on clicking an icon in the Control Panel. Guess what? Several sub functions of rundll32.exe are run. What you have called rundll32.exe may not be the original.

    Whilst no app is carved in stone my rundll32.exe is as the CD-ROM so I'd go ahead and replace yours; after saving it somewhere where it cannot be run.

    On looking at a binary dump of my rundll32.exe the first set of ASCII characters displayed is "This program cannot be run in MS-DOS mode". No surprises there since it is a Win32 app.

    I am still intrigued as to why your system should tell us that "rundll32.exe is not a valid MS-Dos program file" unless it was trying to run in DOS.

    Do you have any unexplained entries in your Autoexec.bat file?
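
The two checks described in the post above (looking at the start of the file for its executable headers, and comparing the installed file with a known-good copy) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the sample bytes are constructed for illustration, not taken from a real rundll32.exe.

```python
import hashlib
import struct

def inspect_pe(data: bytes) -> dict:
    """Classify a file image by its DOS (MZ) and PE headers."""
    info = {"dos_stub_msg": False, "machine": None, "verdict": "not an executable"}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    # e_lfanew at offset 0x3C points to the PE signature; the DOS stub sits before it.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    info["dos_stub_msg"] = b"DOS mode" in data[0x40:e_lfanew]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["verdict"] = "MZ header only: DOS program or damaged/truncated PE"
        return info
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    info["machine"] = machine
    info["verdict"] = "Win32 PE (i386)" if machine == 0x014C else "PE, other machine type"
    return info

def matches_reference(installed: bytes, reference: bytes) -> bool:
    """Compare the installed file with a known-good copy (e.g. from the CD-ROM)."""
    return hashlib.sha256(installed).digest() == hashlib.sha256(reference).digest()

def build_sample_pe() -> bytes:
    """Constructed minimal image: MZ header, stub message, PE signature, i386."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    msg = b"This program cannot be run in MS-DOS mode.\r\n$"
    dos[0x4E:0x4E + len(msg)] = msg
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(18)

if __name__ == "__main__":
    good = build_sample_pe()
    damaged = good[:0x60]  # constructed: file cut off before the PE header
    for name, blob in (("good", good), ("damaged", damaged)):
        print(name, inspect_pe(blob)["verdict"], matches_reference(blob, good))
```

On a real system the two byte strings would be read from the installed file and from the copy on the installation media, with the suspect file moved somewhere it cannot be run first, as the post advises.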
     
  14. 2004/01/07
    tel33

    tel33 Inactive

    Joined:
    2004/01/07
    Messages:
    99
    Likes Received:
    0
    Looking at your posts I think you have a virus, run a complete check, shut down all programs running on bootup, does the problem occur then?

    Is it ok in safe mode?

    Regards
    tel33
     
  15. 2004/01/07
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    guitarplayer's issue was solved.
    They had a variant of the CoolWebSearch hijacker slash trojan.
    It and the fix caused the Control Panel problems.

    On Windows 98, using SFC to replace rundll32.exe and rundll.exe fixed the problems.

    Now hopefully they will get all updates from Windows Update, and not be vulnerable to that exploit any longer.
    Lonny
     