jimg972

How can I view all active dlls?

I have an active non-Windows DLL (win32sockdrv.dll) that reports as having the McAfee Exploit-DcomRpc trojan.  I am unable to delete the DLL because it is active.  Is there a way to see which
DLLs are active and disable this one so I can delete it?

This is associated with a msblaster.exe infection.
CrazyOne

Find what program has it open

Note: when you open the program, go to the View menu and make sure there is a check mark next to "View DLLs"; if there isn't, click on it.

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
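An added example, not from any answer in this thread: a PowerShell script that performs the same "View DLLs" check from the command line, reporting every process that has a named module loaded, together with the file's signature status and SHA-256 hash for triage. The DLL name is the one from the question; run it from an elevated 64-bit PowerShell so that all processes can be inspected.

```powershell
# Added example (not from the thread): find every process holding a given DLL.
# Equivalent to Process Explorer -> View -> View DLLs, searching for one module name.
param(
    [string]$DllName = 'win32sockdrv.dll'   # module name from the question
)

$hits = foreach ($p in Get-Process) {
    try {
        $modules = $p.Modules   # throws for protected or other-bitness processes
    } catch {
        continue                # skip processes we are not allowed to inspect
    }
    foreach ($m in $modules) {
        if ($m.ModuleName -ieq $DllName) {
            [pscustomobject]@{
                ProcessId   = $p.Id
                ProcessName = $p.ProcessName
                ModulePath  = $m.FileName
                # NotSigned / Valid / HashMismatch: a system DLL should be Valid
                Signed      = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
                # hash for lookup against the AV vendor's write-up
                Sha256      = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            }
        }
    }
}

if (-not $hits) {
    "No running process has $DllName loaded; the file is no longer locked."
} else {
    # Each row is a process that keeps the file locked; stop that process
    # (Explorer restarts itself) before deleting or quarantining the file.
    $hits | Format-Table -AutoSize
}
```

If the only hit is Explorer.exe, as in this thread, that matches the injection behaviour described in the Symantec write-up quoted further down.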
nader alkahtani
To disable a DLL file you should unregister it with the following command:

regsvr32 /u <PATH>\file.dll

where <PATH> may be any path of that file, for example: c:\windows\system32

then restart the PC
tedsky

Greetings!

Your DLL file is likely active because it is required by a "Normal Mode" process.
Try starting your system in "Safe Mode" and removing the DLL files then.

Immediately after a fresh boot (literally seconds), hold down the <Left-Ctl> key until a command screen (white text on black background) appears offering you a choice to select "Safe Mode" which you will do by using the arrow (cursor) keys.

Expect that your screen will appear larger than usual (640 x 480) and colours will be 16 or 256 only (not 16 or 32-bit).
The words "Safe Mode" should appear in all 4 corners of your screen, as well.

Hope this helps!
Ted
jimg972

ASKER

Tedsky,

To clarify, I am running in "Safe Mode".  I am running in diagnostic mode to ensure I have only the
most basic functions loaded.  The win32sockdrv.dll is still active (but I can't find a reference to it
on the Microsoft web site).

Nadir,

I thought this was exactly what I wanted.  When I logged in as Administrator and ran
regsvr32 /u c:\windows\system32\win32sockdrv.dll I got the following message:

C:\windows\system32\win32sockdrv.dll was loaded but the DllUnregisterServer entry point was
not found.

It was unable to unregister the DLL.  None of the other regsvr32 options appeared to offer me any
other functionality.  Since this is apparently NOT a Microsoft DLL, I don't think it should be loading
at all when I boot in "Safe Mode", unless it is an undocumented Microsoft DLL that has been corrupted.

CrazyOne,

Thank you for the link to the process explorer.  When booted in Normal Mode, the win32sockdrv.dll is
listed as active under the Explorer.exe application.

When booted under Safe Mode, I am unable to launch procexp.  It generates a GID file that states:

Windows cannot open this file:

File:  PROCEXP.GID

To open this file, Windows needs to know what program created it.  Windows can go online to look it
up automatically, or you can manually select from a list of programs on your computer.

Therefore, in Safe Mode, I am unable to view the associated application of win32sockdrv.dll but in
Normal Mode it appears to be associated with Explorer.exe.

I need to determine how to delete this corrupted file.  Would an O/S repair be in order at this point?

Thanks for your help.

Regards,

jimg972
ASKER CERTIFIED SOLUTION
CrazyOne
There is lot there to read but if you follow the instructions to the letter you should be able to get rid of the file.
"I thought this was exactly what I wanted.  When I logged in as Administrator and ran
regsvr32 /u c:\windows\system32\win32sockdrv.dll I got the following message:

C:\windows\system32\win32sockdrv.dll was loaded but the DllUnregisterServer entry point was
not found".

To make sure that the path is correct before this step, search for the file in My Computer and then confirm the path,

and download the patch for this exploit from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Are you sure that it is win32sockdrv.dll? I doubt that; or that file is a random file name generated by a virus or trojan.
Here's what CO was referring to ...

(Quoted from the link he provided, regarding the "w32.randex.e.html" virus)

3.
Creates one of the following:

%System%\win32sockdrv.dll
%System%\yuetyutr.dll

The worm injects the dropped DLL as a module into the Explorer.exe process. It also uses the dropped DLL file to spread itself through IRC, and uses the DLL to exploit the DCOM RPC vulnerability, as described in Microsoft Security Bulletin MS03-026.

So, if you haven't already done so, check out CrazyOne's link ASAP!
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html
Ted
Also, Nadir's link ...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
will ensure that you download and install the MS patch dealing with an RPC/DCOM vulnerability, unearthed a month or so ago, that several "idiots" to date have tried to exploit (somewhat successfully, as in the "blaster" worm).
Ted
jimg972

ASKER

CrazyOne,

Thank you very much for the info you provided.  It was timely and very beneficial.  It turns out that I had a
blended threat with W32.blaster.worm, W32.Randex.E and W32.spybot.worm.  Any one of the three would
have been relatively straightforward to eliminate.  The combination of all three led to some very nasty
side effects that made it difficult just to troubleshoot the system (blowing away the task manager
and msconfig every time you opened them, registry entries that prevented you from removing executables
from the msconfig startup, etc.).

The Symantec link to the W32.Randex.E worm was instrumental.  

In the end, I had to update my Norton virus definitions manually to be able to capture all instances of
the Randex.E and spybot worms.  

Again, thanks for the pointers.

You are welcome :>)