lkssys64.dll is corrupt can't find on install disk

EdmondClay
I ran sfc and it came up lkssys64.dll is corrupt but it refuses to find a fresh copy on the installation disk Win98SE...I am trying to fix the defrag.exe which is not operating correctly.  In safe mode will I be in DOS and will I use the command "chkdsk c: /f"?  Thanks.
dbrunton
Quid, Me Anxius Sum?  Illegitimi non carborundum.

Commented:
I can't find that file in my system and a search on the Internet doesn't find it either.

Check out which folder it is in, write down this folder name,  and rename the folder  to something like unknown.  No dll extension.

Reboot and see if the system runs.  If it doesn't then boot up in DOS and rename it back.

When you boot up in safe mode you are still in the GUI and you run scandisk and then defrag.

No need to drop into DOS mode and run chkdsk.

To get into the various modes, Normal, Safe Mode and DOS (Command Prompt), tap the F8 key on startup until you are given a menu to choose from.

Sounds to me as if your Windows can't recognise the file; it could be there. Try reinstalling Windows again; make sure you back up your files.

Author

Commented:
Here's the code from the file...maybe that will help...thanks.



Author

Commented:
The experts at WinDrivers.com have suggested that the above corrupt code is perhaps a virus.  Comparing the above code to the below file DCIMAN32.dll which is indicated in the corrupt file shows a whole lot of extra code.  I plan to notify the appropriate authorities in the event that we conclude that there is virus behaviour here.  Should I post this question at a different forum?  Thanks guys!



dbrunton
Quid, Me Anxius Sum?  Illegitimi non carborundum.

Commented:
If you look carefully at the code you will see it has an internal name of dciman.dll.

This is a driver file for QuickTime Video.

Have you tried renaming the file and seeing what happens yet?

Commented:
Gh2rEXftpiI9SnJWzv6Fv6QrLoxVbYUBXJ4Z7IhC32.dll
hm.. it appears to have references to a dll with that name
perhaps it unpacks that and tries to execute it
its data section appears to be
fFvqkVmXr9+EM6K9gqkMPRKwLfeXLhivCO0WueLm.data
it appears to be a polymorphic virus..
DeleteCriticalSection ÅInitializeCriticalSection SGetProcAddress  :GetModuleHandleA  éLocalFree åLocalAlloc  ÞLeaveCriticalSection  o EnterCriticalSection
those calls seem to suggest that it injects itself into running processes
and attempts to initiate the code for that dll
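
The two observations made in the comments above (an embedded original filename that differs from the on-disk name, and odd section names) can be checked without running the file. This is an added example, not part of any post in this thread; the `COMMON` allow-list, the function names and the sample bytes (including the section name `xQ9+kLm2`) are constructed for illustration.

```python
import struct

# Section names common Windows toolchains emit; anything else merits a look.
COMMON = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
          ".bss", ".tls", "CODE", "DATA", "INIT"}

def section_names(pe: bytes) -> list:
    """Read section names from the PE section table."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # After the 4-byte signature: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows optional header
    return [pe[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
            for i in range(count)]

def version_string(pe: bytes, key: str):
    """Heuristic: find a UTF-16LE version-resource key and return its value."""
    needle = key.encode("utf-16-le")
    pos = pe.find(needle)
    if pos < 0:
        return None
    pos += len(needle)
    while pe[pos:pos + 2] == b"\0\0":         # key terminator and alignment padding
        pos += 2
    end = pos
    while end + 2 <= len(pe) and pe[end:end + 2] != b"\0\0":
        end += 2
    return pe[pos:end].decode("utf-16-le", "replace")

def triage(pe: bytes, on_disk_name: str) -> list:
    """Return human-readable findings for one file."""
    findings = [f"unusual section name: {n!r}"
                for n in section_names(pe) if n not in COMMON]
    original = version_string(pe, "OriginalFilename")
    stem = lambda s: s.lower().rsplit(".", 1)[0]
    if original and stem(original) != stem(on_disk_name):
        findings.append(f"named {on_disk_name!r} on disk but OriginalFilename is {original!r}")
    return findings

def build_sample() -> bytes:
    """Constructed, inert PE-shaped bytes: headers and strings only, no code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32
                        for n in (b"xQ9+kLm2", b".data"))
    version = ("OriginalFilename".encode("utf-16-le") + b"\0" * 4
               + "dciman32".encode("utf-16-le") + b"\0\0")
    return dos + b"PE\0\0" + coff + sections + version

if __name__ == "__main__":
    print("\n".join(triage(build_sample(), "lkssys64.dll")))
```

Neither finding is proof of infection on its own; both are reasons to submit the file to a scanner, as the author goes on to do.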

Author

Commented:
I've forwarded the code to several virus check sites and should have some feedback in a day or two.  I also noticed that when I loaded the code into an html format it showed a couple of links which are further curious.  Here are the links:

mailto:ÌÌÌVWjHj@ÿt0~<ø.ÿu

mailto:t$0WjTj@Ç

curiouser, and curiouser....

Commented:
oh no that's only because of the @ signs
browsers like to define links for you :D

Author

Commented:
I dl'd an evaluation copy of vexira av and lo and behold we did find TR\FlashKiller.B virus which supposedly destroyed a file canonbj/itp.exe.  I have forwarded the report to VAV for evaluation as it may only be a false positive...thanks for the feedback on the mailto:...

Commented:
I had a run-in with that one too.. it took a liking to explorer.exe.. ick
flashkiller is a very nasty one.. hopefully it's a false positive heh

Author

Commented:
thanks. the file that it destroyed was canonbj\itp.exe  I am wondering if any itp.exe file that is fresh and uninfected could be inserted back into the canonbj directory and be considered repaired.  Canon is useless on support and I found a copy of ITP.EXE available from a site that makes it available for developers and database engineers.  I understand that it is an "Intelligent Whatever I can't find nor remember the original information" executable.  The infected file was 152kb and the fresh file is 34kb so I guess there is some, ahem, additional code in there...Well I stuck it in the canonbj file after extracting, av checking it, and I guess it will work, although I cannot tell what the problem was in the first place as my canon bj printer works just fine, ah well...whatever....thanks will get back when I have more in the next day or so...

Commented:
well..
I thought my comment that it was probably a polymorphic virus helped him to solve the issue
as then he downloaded a virus scanner and found that it was a virus
