
Solved Windows host process (run32dll) stops working

Discussion in 'Malware and Virus Removal Archive' started by TheMick, 2010/08/29.

  1. 2010/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)
     
  2. 2010/09/02
    TheMick

    TheMick Inactive Thread Starter

    Joined:
    2010/08/26
    Messages:
    71
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, September 2, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, September 01, 2010 15:43:03
    Records in database: 4173897
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Objects scanned: 151927
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 02:09:24

    Dawg! That's in one of my embroidery programs!

    File name / Threat / Threats count
    C:\Program Files\CONEXANT\EMBIRD32\IOFLOP32.DLL Infected: Trojan-PSW.Win32.Delf.ezw 1

    Selected area has been scanned.
     


  4. 2010/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Program Files\CONEXANT\EMBIRD32\IOFLOP32.DLL
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  5. 2010/09/02
    TheMick

    TheMick Inactive Thread Starter

    Joined:
    2010/08/26
    Messages:
    71
    Likes Received:
    0
    File name: IOFLOP32.DLL
    Submission date: 2010-09-02 17:53:17 (UTC)
    Current status: finished

    Result: 7/43 (16.3%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.09.02.05 2010.09.02 Trojan/Win32.Delf
    AntiVir 8.2.4.46 2010.09.02 TR/PSW.Delf.ezw
    Antiy-AVL 2.0.3.7 2010.09.02 -
    Authentium 5.2.0.5 2010.09.02 -
    Avast 4.8.1351.0 2010.09.02 -
    Avast5 5.0.594.0 2010.09.02 -
    AVG 9.0.0.851 2010.09.02 -
    BitDefender 7.2 2010.09.02 -
    CAT-QuickHeal 11.00 2010.09.02 -
    ClamAV 0.96.2.0-git 2010.09.02 -
    Comodo 5946 2010.09.02 Heur.Packed.Unknown
    DrWeb 5.0.2.03300 2010.09.02 -
    Emsisoft 5.0.0.37 2010.09.02 Trojan-PWS.Win32.Delf!IK
    eSafe 7.0.17.0 2010.09.01 -
    eTrust-Vet 36.1.7832 2010.09.02 -
    F-Prot 4.6.1.107 2010.09.01 -
    F-Secure 9.0.15370.0 2010.09.02 -
    Fortinet 4.1.143.0 2010.09.02 -
    GData 21 2010.09.02 -
    Ikarus T3.1.1.88.0 2010.09.02 Trojan-PWS.Win32.Delf
    Jiangmin 13.0.900 2010.08.30 -
    K7AntiVirus 9.63.2424 2010.09.02 -
    Kaspersky 7.0.0.125 2010.09.02 Trojan-PSW.Win32.Delf.ezw
    McAfee 5.400.0.1158 2010.09.02 -
    McAfee-GW-Edition 2010.1B 2010.09.02 -
    Microsoft 1.6103 2010.09.02 -
    NOD32 5419 2010.09.02 -
    Norman 6.05.11 2010.09.02 -
    nProtect 2010-09-02.01 2010.09.02 -
    Panda 10.0.2.7 2010.09.02 -
    PCTools 7.0.3.5 2010.09.02 -
    Prevx 3.0 2010.09.02 -
    Rising 22.63.03.03 2010.09.02 -
    Sophos 4.57.0 2010.09.02 -
    Sunbelt 6824 2010.09.02 -
    SUPERAntiSpyware 4.40.0.1006 2010.09.02 -
    Symantec 20101.1.1.7 2010.09.02 -
    TheHacker 6.5.2.1.361 2010.09.02 -
    TrendMicro 9.120.0.1004 2010.09.02 -
    TrendMicro-HouseCall 9.120.0.1004 2010.09.02 -
    VBA32 3.12.14.0 2010.09.02 Trojan-PSW.Win32.Delf.ezw
    ViRobot 2010.8.31.4017 2010.09.02 -
    VirusBuster 12.64.15.0 2010.09.02 -
    Additional information
    MD5 : b14e75deebcad84d4a547660496b85d1
    SHA1 : 03fc8725ab46c0476aaef6ca2e18e18764d5ff9c
    SHA256: 58a51a56f5127273e36ec981af764981ee2ae4690d8c3c2e5907173ed09b142c
    ssdeep: 3072:p5gpkRMg22FDWFamyN7K/FvlVl7R/ngLj2IPzrc77OWw8x8ctyUZ:hqk2F4SQi/Fvl9nCtc769/cA
    File size : 182784 bytes
    First seen: 2010-06-28 15:17:41
    Last seen : 2010-09-02 17:53:17
    TrID:
    Win32 Executable Generic (58.3%)
    Win16/32 Executable Delphi generic (14.1%)
    Generic Win/DOS Executable (13.7%)
    DOS Executable Generic (13.6%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    packers (F-Prot): Aspack
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x4C001
    timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
    machinetype......: 0x14c (I386)

    [[ 9 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    , 0x1000, 0x3E000, 0x1B400, 8.00, 36b7d8c47fa7fe19c714d516410bfd81
    , 0x3F000, 0x1000, 0x600, 7.38, 2b60cd32efb52056b898e0c8a2087e3b
    , 0x40000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
    , 0x41000, 0x2000, 0x200, 0.80, 05e2e016ac95a63671fc24623773e4bb
    , 0x43000, 0x1000, 0x400, 5.00, 2af1c976d6b728cfcfaaa6eb2953e5a0
    , 0x44000, 0x5000, 0x2C00, 7.98, 1eb54550796f418bb438e9f0c4441abc
    .rsrc, 0x49000, 0x3000, 0x1200, 6.36, 56600b916c743ed788c271137d7a9de7
    .data, 0x4C000, 0xD000, 0xC800, 7.77, 1cb089e489946dbfe1b7f4c0ef6334f6
    .data, 0x59000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

    [[ 10 import(s) ]]
    kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
    user32.dll: GetKeyboardType
    advapi32.dll: RegQueryValueExA
    oleaut32.dll: VariantChangeTypeEx
    advapi32.dll: RegQueryValueExA
    gdi32.dll: UnrealizeObject
    user32.dll: WindowFromPoint
    ole32.dll: IsEqualGUID
    comctl32.dll: ImageList_SetIconSize
    wow32.dll: WOWGetVDMPointerUnfix

    [[ 26 export(s) ]]
    IOFloppy_AlokujPamat, IOFloppy_DriveAvailable, IOFloppy_EmptyDrive, IOFloppy_FormatTrack, IOFloppy_GetDiskDrive, IOFloppy_GetDiskError, IOFloppy_GetPBuffer, IOFloppy_GetPOfs, IOFloppy_GetREALofs, IOFloppy_GetREALseg, IOFloppy_GetWindows95, IOFloppy_LockAvailable, IOFloppy_LockPhysicalVolume0, IOFloppy_LockPhysicalVolume00, IOFloppy_NoDiskError, IOFloppy_ReadSector, IOFloppy_ReadSectors, IOFloppy_ReadTrack, IOFloppy_SetDiskError, IOFloppy_SetDiskType, IOFloppy_Thunking, IOFloppy_UnlockPhysicalVolume, IOFloppy_UvolniPamat, IOFloppy_WriteSector, IOFloppy_WriteSectors, IOFloppy_WriteTrack



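    The report above flags the DLL on the strength of a few facts that any practitioner can reproduce offline before uploading anything: the file hashes VirusTotal keys on, an Aspack packer, and sections whose entropy reads 8.00 (random-looking bytes, typical of packed or encrypted code) next to zero-size sections whose MD5 is that of empty input. The script below is an added example, not code from this thread, from VirusTotal or from OTL; it parses a PE section table, scores each section's Shannon entropy, and hashes the file. The threshold PACKED_THRESHOLD and the sample DLL it builds in memory are constructed assumptions for the demonstration.

```python
"""Offline triage of a suspect PE: file hashes plus per-section entropy.
Added example (not the thread's or VirusTotal's code); the sample DLL is
constructed inline so the script runs with no external files."""
import hashlib
import math
import random
import struct

# Assumption: a section whose bytes exceed this many bits of entropy per byte is
# treated as packed or encrypted (the flagged DLL's unnamed sections scored 8.00).
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, the identifiers a VirusTotal report keys on."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and score each section like VirusTotal's PEInfo rows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, _ts, _symptr, _nsym, opt_size = struct.unpack_from("<HIIIH", data, pe_off + 6)
    table = pe_off + 24 + opt_size
    rows = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        ent = shannon_entropy(raw)
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "entropy": round(ent, 2),
            "md5": hashlib.md5(raw).hexdigest(),   # empty raw data hashes to d41d8cd9..., as on the page
            "packed": ent > PACKED_THRESHOLD,
        })
    return rows


def triage(data: bytes) -> dict:
    rows = pe_sections(data)
    return {"hashes": file_hashes(data), "sections": rows,
            "likely_packed": any(r["packed"] for r in rows)}


def build_sample_dll(sections) -> bytes:
    """Constructed minimal PE32 DLL image: just enough header for pe_sections() to parse."""
    opt_size = 224
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (hdr_len + 0x1FF) & ~0x1FF                     # raw data on a 0x200 boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)  # I386, DLL
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    table, bodies, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        rawptr = first_raw + len(bodies) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw) or 0x1000,
                             vaddr, len(raw), rawptr, 0, 0, 0, 0, 0x40000040)
        bodies += raw
        vaddr += 0x1000
    head = dos + b"PE\0\0" + coff + opt + table
    return head.ljust(first_raw, b"\0") + bodies


# Constructed sample: one random-looking (packed-style) section, one mostly-zero
# section, and one with no raw data, mirroring the three kinds of row on the page.
_rng = random.Random(20100902)   # seeded so results are reproducible
SAMPLE_DLL = build_sample_dll([
    (b".text", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".data", b"\0" * 0x1F0 + b"\x01" * 0x10),
    (b".bss", b""),
])


def triage_file(path: str) -> dict:
    """Same report for a file on disk, e.g. the DLL this thread is about."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage(SAMPLE_DLL)
    for alg, digest in report["hashes"].items():
        print(f"{alg.upper():6}: {digest}")
    print("name, viradd, virsiz, rawdsiz, ntropy, md5")
    for r in report["sections"]:
        print(f"{r['name']}, {r['viradd']:#x}, {r['virsiz']:#x}, {r['rawdsiz']:#x}, "
              f"{r['entropy']:.2f}, {r['md5']}")
    print("likely packed:", report["likely_packed"])
```

    Running it prints the same columns the VirusTotal PEInfo block uses, so the output can be compared row by row with a real report. High entropy is only a heuristic: legitimate installers and compressed resources score high too, which is why the thread still relies on multiple engines and an analyst's judgement before deleting anything; the hashes are what you would look up on VirusTotal rather than re-uploading a file that has already been analysed.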
     
  6. 2010/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'd better get rid of it...

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\CONEXANT\EMBIRD32\IOFLOP32.DLL
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  7. 2010/09/02
    TheMick

    TheMick Inactive Thread Starter

    Joined:
    2010/08/26
    Messages:
    71
    Likes Received:
    0
    Thank you so much for finding and ridding my computer of that virus. The computer has gone back to its original configuration of color screens and formatting. I still get the rundll32 error when I turn back on my UAC and McAfee. I truly believe there is too much computer control in blocking out some programs. You are not given much of a choice. As far as McAfee, some of the features like Quick Fix and Virtual Tech will not install. Their support was of no help. I will be upgrading to Windows 7 and to another AV when my contract expires in 2 months. Thank you again for being so patient.
     
  8. 2010/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  9. 2010/09/02
    TheMick

    TheMick Inactive Thread Starter

    Joined:
    2010/08/26
    Messages:
    71
    Likes Received:
    0
    That works for me Babes! Thanks again.
     
  10. 2010/09/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Sure thing :)
     
