IObit Forum

I'm getting RUNDLL error code [Copied to Spyware-Malware Removal Help! section]


Stixx


I think our user has another open topic for this problem here, as Gary pointed out :

https://forum.avast.com/index.php?topic=60135.0

 

(*Warning : Firefox blocked that URL for me and I had to make an exception rule to view it. It's a safe link, but I just wanted to give everyone using FF a heads up.)

 

@Stixx : if it is indeed you over there, please try not to post at different forums for help with a specific problem... because you could get yourself (your machine) in trouble.

 

That error is simple enough to understand when one knows the infection responsible for it : malware files were removed, but not the Run values for them. This is typical Vundo. Loaded with Rundll32.exe, you will get those errors when the registry tries to load them from the Run key, but can't find the files. The files are gone, but you have residuals that need to be removed and, possibly worse, other active and possibly hidden malware ; you usually get those with Vundo (rootkits especially).

 

Follow evilfantasy's advice, for your own good.

 

====


I think our user has another open topic for this problem here, as Gary pointed out :

https://forum.avast.com/index.php?topic=60135.0

 

Thanks So_sad :)

 

 

(*Warning : Firefox blocked that URL for me and I had to make an exception rule to view it. It's a safe link, but I just wanted to give everyone using FF a heads up.)

 

Strange!

 

forum.avast.com uses an invalid security certificate.

 

The certificate is not trusted because it is self-signed.

 

(Error code: sec_error_untrusted_issuer)

 

@Stixx : if it is indeed you over there, please try not to post at different forums for help with a specific problem... because you could get yourself (your machine) in trouble.

 

That error is simple enough to understand when one knows the infection responsible for it : malware files were removed, but not the Run values for them. This is typical Vundo. Loaded with Rundll32.exe, you will get those errors when the registry tries to load them from the Run key, but can't find the files. The files are gone, but you have residuals that need to be removed and, possibly worse, other active and possibly hidden malware ; you usually get those with Vundo (rootkits especially).

 

Follow evilfantasy's advice, for your own good.

 

====

 

@Stixx: Please either respond to the requests at the Avast forum or inform them that you are being helped elsewhere.


Hi there evilfantasy ;-)

 

I don't usually do this, but I'm making an exception this time...

 

@Stixx : the guy over at the Avast! forum doesn't know what he's dealing with. You'd think that with 50 000+ posts he would, but we all can't be perfect.

 

That said, your errors are easily fixed when the right tools are run. None of the right tools have been prescribed over there, unfortunately, and I mean none. Basic tools, darnit. You'll be wasting a lot of time if you stick around there.

 

Perform the few steps prescribed in the link provided by evilfantasy and you'll be rid of those errors in no time. Once the offending Run registry values are identified, fixing will only take... a few seconds.

 

Over and out.

 

===


Alright So Sad, got it, yes that was me over there. Nobody's perfect, you're right. Just want to get this RUNDLL *** out of my computer and nothing's working. O.K. so going to evilfantasy's directions and will give it a try. Thank you.


[Copied to Spyware-Malware Removal Help! section]

 

Here are the results, Evilfantasy

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by stephen at 19:41:21.25 on Fri 05/28/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.158 [GMT -7:00]

 

AV: My Security Engine *On-access scanning enabled* (Outdated) {F86826C9-5952-4455-9C46-41887603AC2F}

FW: My Security Engine *enabled* {70484633-760D-4A59-99CF-7C089F5EC502}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\stephen.STEPHENADMIN\My Documents\Downloads\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = about:blank

uSearch Page =

uSearch Bar =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {374D658D-FE8A-49A9-B36D-0E9F0980DDDC} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Vgamujililun] rundll32.exe "c:\windows\dsetieqs.dll",Startup

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Dpivozabul] rundll32.exe "c:\windows\osubasusevihe.dll",Startup

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

StartupFolder: c:\docume~1\stephe~2.ste\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: &Search

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

TCP: {511AF471-4F5F-4506-8B7D-33239408EAE1} = 195.242.208.40

TCP: {92DA617D-43A4-4B4E-8955-34F1ABD920DB} = 195.242.208.40

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: image file execution options - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

 

Note: multiple HOSTS entries found. Please refer to Attach.txt

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\stephe~2.ste\applic~1\mozilla\firefox\profiles\6fgeb4bx.default\

FF - prefs.js: browser.search.selectedEngine - search

FF - prefs.js: browser.startup.homepage -

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: XULRunner: {724BFE7E-07D6-40BC-BD64-720CE6012A69} - c:\documents and settings\stephen.stephenadmin\local settings\application data\{724BFE7E-07D6-40BC-BD64-720CE6012A69}

FF - HiddenExtension: XULRunner: {35435B99-6804-48F2-915E-36B3A9FD33B5} - c:\documents and settings\test\local settings\application data\{35435B99-6804-48F2-915E-36B3A9FD33B5}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-5-28 311568]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-5-27 133104]

 

=============== Created Last 30 ================

 

2010-05-28 21:28:51 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\IECompatCache

2010-05-28 20:37:40 0 d-----w- c:\windows\Downloaded Installations

2010-05-26 04:56:20 0 dc-h--w- c:\windows\ie8

2010-05-19 14:20:32 0 d-----w- c:\docume~1\stephe~2.ste\applic~1\Malwarebytes

2010-05-19 14:20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-19 14:20:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2010-05-19 14:20:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-19 14:20:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 08:10:36 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\PrivacIE

2010-05-18 05:37:19 0 d-----w- C:\SMILES, Faces

2010-05-14 16:34:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-14 16:34:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-13 21:45:28 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\IETldCache

2010-05-12 23:05:14 61056 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys

2010-05-12 23:05:14 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys

2010-05-12 21:05:46 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software

2010-05-12 17:08:08 2544 ----a-w- c:\windows\ikimilabef.dll

2010-05-12 09:30:00 2544 ----a-w- c:\windows\enagunewucobuh.dll

2010-05-12 09:11:03 2544 ----a-w- c:\windows\onowerecome.dll

2010-05-12 08:57:11 2544 ----a-w- c:\windows\ulovamiwokojegig.dll

2010-05-12 08:34:08 2544 ----a-w- c:\windows\anafepohebafi.dll

2010-05-12 07:38:50 2544 ----a-w- c:\windows\ekituliv.dll

2010-05-12 04:02:44 2544 ----a-w- c:\windows\ajixohese.dll

2010-05-12 03:52:23 2544 ----a-w- c:\windows\uvukofeg.dll

2010-05-12 03:20:19 2544 ----a-w- c:\windows\okedowurafoxos.dll

2010-05-12 00:04:20 2544 ----a-w- c:\windows\itukiyitej.dll

2010-05-11 21:43:46 0 d-----w- c:\docume~1\stephe~2.ste\applic~1\f-secure

2010-05-11 21:41:24 0 d-----w- c:\program files\Charter Security Suite

2010-05-11 20:09:09 2544 ----a-w- c:\windows\ozanerokowucafo.dll

2010-05-11 13:46:48 2544 ----a-w- c:\windows\alogadag.dll

2010-05-10 20:59:17 2544 ----a-w- c:\windows\uqiqeyuhasaj.dll

2010-05-10 20:53:32 2544 ----a-w- c:\windows\ipaqoziyi.dll

2010-05-10 19:55:13 2544 ----a-w- c:\windows\uzuqotiwuvubomu.dll

2010-05-10 19:35:55 2544 ----a-w- c:\windows\omukodado.dll

2010-05-10 19:21:23 2544 ----a-w- c:\windows\alagodini.dll

2010-05-10 18:55:47 2544 ----a-w- c:\windows\etuqijiw.dll

2010-05-10 18:52:59 2544 ----a-w- c:\windows\edefiboq.dll

2010-05-10 18:06:40 2544 ----a-w- c:\windows\ojodotexaqak.dll

2010-05-10 17:42:31 2544 ----a-w- c:\windows\iyaxazig.dll

2010-05-10 08:44:18 0 d-----w- c:\docume~1\alluse~1.win\applic~1\fssg

2010-05-10 06:51:44 2544 ----a-w- c:\windows\afeweturet.dll

2010-05-10 06:15:32 0 d-----w- c:\docume~1\alluse~1.win\applic~1\f-secure

2010-05-10 04:49:44 2544 ----a-w- c:\windows\oxubelis.dll

2010-05-10 03:53:06 2544 ----a-w- c:\windows\ehamusigegobe.dll

2010-05-10 01:26:21 2544 ----a-w- c:\windows\ojurukururul.dll

2010-05-09 23:24:21 2544 ----a-w- c:\windows\ayisuxom.dll

2010-05-09 21:15:38 2544 ----a-w- c:\windows\ajekivegohekeva.dll

2010-05-09 20:29:16 2544 ----a-w- c:\windows\ozeluxocaciris.dll

2010-05-09 19:35:48 2544 ----a-w- c:\windows\imixuwenanojowa.dll

2010-05-09 13:38:44 2544 ----a-w- c:\windows\uwewadilak.dll

2010-05-09 11:36:44 2544 ----a-w- c:\windows\oxolupav.dll

2010-05-09 09:34:44 2544 ----a-w- c:\windows\ofozikagupise.dll

2010-05-09 07:32:44 2544 ----a-w- c:\windows\akebexuy.dll

2010-05-09 05:30:45 2544 ----a-w- c:\windows\ahaxanet.dll

2010-05-09 03:28:44 2544 ----a-w- c:\windows\amovesebevaxitig.dll

2010-05-09 01:26:44 2544 ----a-w- c:\windows\ocuhepayukay.dll

2010-05-09 01:15:24 2544 ----a-w- c:\windows\ejudefayoqevi.dll

2010-05-08 23:06:15 2544 ----a-w- c:\windows\abememapiqiyonox.dll

2010-05-08 21:13:19 2544 ----a-w- c:\windows\oqojuyokuyepebeh.dll

2010-05-08 08:34:12 2544 ----a-w- c:\windows\aqilutej.dll

2010-05-08 06:24:20 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\MSTPSNUXUE

2010-05-08 06:22:13 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\213a261

2010-05-03 10:06:02 2544 ----a-w- c:\windows\Bdisur.dat

2010-05-03 10:06:02 0 ----a-w- c:\windows\Vkocut.bin

2010-05-03 10:04:32 84992 --sha-r- c:\windows\system32\tssoft325.dll

 

==================== Find3M ====================

 

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-27 13:25:03 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-03-27 13:25:03 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

 

============= FINISH: 19:41:46.40 ===============


Thank you, enoskype :-)

 

@Stixx : if you read this... I see you are still posting over at the Avast! forum.

 

You have to choose, dude : here or there, but you can't do both, because you are wasting a lot of people's time.

 

By the way, the offending Run values have been clearly identified, as explained before.

 

That Hosts file error you are getting from HijackThis is normal, considering your Hosts file has been corrupted by malware. Just ignore that error message by clicking "Ok", if you need to use HijackThis again. It'll be fixed once the infection is cured. You still have a lot of Vundo files on the machine, plus an IE proxy hijack (on top of that Hosts hijack), plus more that is possibly hidden, so stick around and wait for evilfantasy.

 

Thanks..

 

===


Archived

This topic is now archived and is closed to further replies.
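
As an added illustration (not part of the original thread, and not code from DDS, HijackThis or IObit), this Python sketch parses pseudo-HJT lines like those in the DDS log above and flags the three things the replies describe: rundll32 Run values whose DLL is gone, the loopback IE proxy, and Hosts entries. The uRun/mRun-to-hive mapping, the `triage` helper, the `ExampleOK` control line and the `PRESENT` set are assumptions made for the example.

```python
import re

SAMPLE_LINES = [
    # Copied from the DDS log posted in this thread.
    r'uInternet Settings,ProxyServer = http=127.0.0.1:5555',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'uRun: [Vgamujililun] rundll32.exe "c:\windows\dsetieqs.dll",Startup',
    r'mRun: [Dpivozabul] rundll32.exe "c:\windows\osubasusevihe.dll",Startup',
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
    r'Hosts: 74.125.45.100 securitysoftwarepayments.com',
    r'Hosts: 74.125.45.100 getantivirusplusnow.com',
    # Constructed control line: a rundll32 Run value whose DLL still exists.
    r'mRun: [ExampleOK] rundll32.exe "c:\windows\system32\example.dll",Init',
]
# Constructed stand-in for the disk; on a live host pass os.path.exists instead.
PRESENT = {r'c:\windows\system32\example.dll'}

HIVE = {'uRun': 'HKCU', 'mRun': 'HKLM'}  # assumed meaning of the DDS prefixes
RUN_RE = re.compile(r'^(?P<kind>uRun|mRun): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,', re.I)
PROXY_RE = re.compile(
    r'ProxyServer = (?:\w+=)?(?P<host>127(?:\.\d+){3}|localhost):(?P<port>\d+)', re.I)
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+) (?P<host>\S+)$')


def triage(lines, file_exists):
    """Flag leftover persistence and redirection in DDS pseudo-HJT lines.

    file_exists is a callable(path) -> bool so the check can run offline.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            # Only rundll32-loaded values raise the RUNDLL error when the DLL is gone.
            dll = RUNDLL_RE.match(run['cmd'])
            if dll and not file_exists(dll['dll'].lower()):
                findings.append(('orphaned-run-value', HIVE[run['kind']],
                                 run['name'], dll['dll']))
            continue
        proxy = PROXY_RE.search(line)
        if proxy:
            findings.append(('loopback-proxy', proxy['host'], int(proxy['port'])))
            continue
        hosts = HOSTS_RE.match(line)
        if hosts:
            findings.append(('hosts-entry', hosts['ip'], hosts['host']))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LINES, PRESENT.__contains__):
        print(finding)
```
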
