Solve : dll missing after virus?

Answer»

Quote

resident came up with a lot of registry changes from YAHOO Pager, MSN messenger and some other, I denied them all for the moment
Why? We'll have to repeat part of the process... Next time around, allow changes.

Did you delete the files I asked you to delete in Safe Mode? Not all, I guess.

*** Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

1. Print this post out, since you won't have access to it at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entry

- O4 - HKLM\..\Run: [58c3e1bc] rundll32.exe "C:\WINXP\system32\drgbdkmj.dll",b

4. Click on Fix checked button.

5. Restart your computer in Safe Mode (keep tapping the F8 key when your computer starts, until the menu appears).

6. Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.

7. Delete following files/folders (if present):

- drgbdkmj.dll from C:\WINXP\system32

8. Restart in Normal Mode.

9. Post new HijackThis log.

Sorry.
I did it again, this time there were no changes to be enabled.
The file/folder:
drgbdkmj.dll from C:\WINXP\system32
does not exist.
Here is HJ:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:05 AM, on 26/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINXP\AGRSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\RssReader\RssReader.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINXP\system32\cisvc.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINXP\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\MICROSOFT\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LVCOMSX] C:\WINXP\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: explorer.lnk = C:\WINXP\explorer.exe
O4 - Startup: MailWasher.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Startup: msimn.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: NOTEPAD.lnk = C:\WINXP\NOTEPAD.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208395418737
O17 - HKLM\System\CCS\Services\Tcpip\..\{49AC404E-8299-485E-AAB2-E1B706324773}: NameServer = 203.0.178.191
O20 - Winlogon Notify: !saswinlogon - C:\WINXP\
O20 - Winlogon Notify: yayyvwoh - C:\WINXP\
O20 - Winlogon Notify: __c002fa39 - C:\WINXP\
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 FontCache3.0.0.0VSS (fontcache3.0.0.0vss) - Unknown owner - C:\WINXP\system32\1033d.exe (file missing)
O23 - Service: lxcg_device - Unknown owner - C:\WINXP\system32\lxcgcoms.exe

--
End of file - 6298 bytes
Very good. No more error at startup?

Just did a reboot, no errors anymore.
thank you SOOOO much.
But if antivir, spybot etc can't stop those, who/what can?
Also, I hope you don't mind if I put a link to this forum on my website:
www.darwinnewsblog.com ?

Thanks again,
You are a champ!
Regards
John

We're not done, yet. Final step....

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "SLIM" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
It won't interfere with your antivirus, nor firewall.

P. S.
Quote
But if antivir, spybot etc can't stop those, who/what can?
You just have to use multiple protection, keep it up to date, scan, once in a while, and you should be fine.
Quote
Also, I hope you don't mind if I put a link to this forum on my website:
www.darwinnewsblog.com ?
Our pleasure

Thanks again.
You may know, I design blogs, but I am not a systems programmer or expert like you are.
I will now unsubscribe from this topic, BUT if you ever need a blog or something like that, PLEASE let me know, contact me at www.darwinnewsblog.com.

Thanks
Kind regards
John

Thank you for your offer. I'll keep it in mind.
Happy computing
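
The following is an added example, not part of the original thread and not the helper's own method: a small triage script that reads HijackThis lines and flags the kinds of entries this thread deals with (a Run value that loads a DLL through rundll32, a Winlogon Notify entry with no DLL file name, a service whose file is missing). The sample lines are copied from the logs quoted above; the three heuristics and all function names are assumptions of this example, and a match means "review by hand", not a verdict.

```python
import re

# Lines copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [58c3e1bc] rundll32.exe "C:\WINXP\system32\drgbdkmj.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O20 - Winlogon Notify: !saswinlogon - C:\WINXP\
O20 - Winlogon Notify: yayyvwoh - C:\WINXP\
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 FontCache3.0.0.0VSS (fontcache3.0.0.0vss) - Unknown owner - C:\WINXP\system32\1033d.exe (file missing)
O23 - Service: lxcg_device - Unknown owner - C:\WINXP\system32\lxcgcoms.exe
'''

# "O4 - <body>": section code, then the entry text.
ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
# "HKLM\..\Run: [value name] command line"
RUN = re.compile(r'^\S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Command line whose executable is rundll32, with or without a path or quotes.
RUNDLL = re.compile(r'^"?(\S*\\)?rundll32(\.exe)?"?\s', re.I)


def triage(log_text):
    """Return (code, reason, line) for every entry matching a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, or blank line
        code, body = m.group('code'), m.group('body')
        if code == 'O4':
            run = RUN.match(body)
            if run and RUNDLL.match(run.group('cmd')):
                findings.append((code, 'Run value loads a DLL via rundll32', line))
        elif code == 'O20':
            # The target is the text after the last " - "; a bare directory means no DLL.
            if body.rsplit(' - ', 1)[-1].endswith('\\'):
                findings.append((code, 'Winlogon Notify entry has no DLL file name', line))
        elif code == 'O23' and body.endswith('(file missing)'):
            findings.append((code, 'service file is missing on disk', line))
    return findings


if __name__ == '__main__':
    for code, reason, line in triage(SAMPLE_LOG):
        print(f'{code}: {reason}\n    {line}')
```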