cswilley
asked on
RUNDLL Error loading C:\WINDOWS\Khescb.dll.
I currently have a Dell D600 Latitude laptop and a Dell Optiplex GX280 workstation that are both receiving this error message at boot up: RUNDLL Error loading C:\WINDOWS\Khescb.dll. Does anyone know what this is and how to resolve it?
Thanks
cswilley
Well, does C:\WINDOWS\Khescb.dll exist on your computer? Try TuneUp Utilities (http://tuneup.swmirror.com/TU2007TrialEN.exe)
Since usually DLLs are not installed in 'C:\WINDOWS', this pretty much looks like malware. Go to 'Start', 'Run...', type 'msconfig', then hit 'ENTER'. When 'msconfig' has started, go to the rightmost tab and locate the entry that contains the reference to that DLL and disable it.
You could do that, too...
Also, how about sending us your HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe) log?
ASKER
Hi everybody, thanks so much for responding to me, and so fast! The first thing I did was to disable the DLL on each system through msconfig. This stopped the initial error message (c:\windows\khescb.dll), but now it's giving an error message of svchost.exe application error, unable to read memory. Both systems will work after clicking the OK button on the error message. I did run HijackThis on one of the systems but wasn't too sure where to send the report.
After you scan, click the "Save Log" button, I think.
ASKER
orangutang: You could do that, too...
Also, how about sending us your HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe) log?
I need an email address to send the report to.
I think you could just copy and paste its contents here.
ASKER
Here's the report
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:30:49 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\LANDesk\LDCLient\xddclient.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bdefevere\Local Settings\Temporary Internet Files\Content.IE5\HFYE62CJ\HiJackThis_v2[1].exe
C:\Program Files\LANDesk\LDCLient\vulScan.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://triblink.trb/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://config.trb./proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp51.tmp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {9ccf96cb-1010-41df-b4b5-a1a6514a010a} - C:\WINDOWS\system32\MSDcat.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: MSWin--1811083516.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120161319418
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\Software\..\Telephony: DomainName = TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BE7E23B-DCAC-4A8D-99FB-461C4928A12F}: NameServer = 163.194.17.2,163.192.23.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O20 - AppInit_DLLs:
O20 - Winlogon Notify: MSDcat - C:\WINDOWS\SYSTEM32\MSDcat.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
O23 - Service: LANDesk(R) Extended device discovery service (LDXDD) - Unknown owner - C:\Program Files\LANDesk\LDCLient\xddclient.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\system32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 12203 bytes
Or have the log analyzed at www.hijackthis.de
You can also download, install and run Prevx1 available here > http://www.prevx.com/
Your system is really infected. Run a Spyware and Virus scan. You may need additional tools. Will post a couple of links shortly. What i would like you to do is click start, run, regedit.
Find the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, check if "AppInit_DLLs" has any data. If so, post the details here.
Run Hijackthis again, then fix the following entries:
C:\WINDOWS\system32\cscript
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, > Should be C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp51.tmp.dll
O2 - BHO: (no name) - {9ccf96cb-1010-41df-b4b5-a1a6514a010a} - C:\WINDOWS\system32\MSDcat.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: MSWin--1811083516.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\Software\..\Telephony: DomainName = TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BE7E23B-DCAC-4A8D-99FB-461C4928A12F}: NameServer = 163.194.17.2,163.192.23.12 > Check if you know these IP addresses before cleaning
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TRIBUNE.AD.TRB
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = TRB,CORP,TRIBUNE.AD.TRB
O20 - AppInit_DLLs: > For this one, see my previous post
O20 - Winlogon Notify: MSDcat - C:\WINDOWS\SYSTEM32\MSDcat.dll
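An added example, not from this thread and not part of HijackThis: a small Python triage script that applies the same reading the responder above gave the log, so the same checks can be run over a log mechanically before a human looks at it. It flags a UserInit value that chains a second program after userinit.exe, unnamed BHOs loading DLLs out of the Windows directory (or with tmpNN.tmp.dll-style names), Run values that point at a DLL or borrow a core component's name such as "userinit", Startup items with generated-looking numeric names, a populated AppInit_DLLs, and every Winlogon Notify DLL for manual review. It also encodes the point made earlier in the thread that a DLL sitting directly in C:\WINDOWS, like Khescb.dll, is itself a signal. The sample lines are constructed in HijackThis format from entries quoted in this thread; the Khescb Run line and its ",Start" entry point are hypothetical, since that entry had already been disabled by the time the log was taken. It assumes the Windows directory is C:\WINDOWS, as in the posted log.

```python
import re
from dataclasses import dataclass

# Assumption: Windows directory as it appears in the posted log (%SystemRoot% = C:\WINDOWS).
WINDIR = r"c:\windows"
EXPECTED_USERINIT = WINDIR + r"\system32\userinit.exe"
# Run-value names that impersonate core components; the real ones are started by
# winlogon/services, never from a Run key.
CORE_NAMES = {"userinit", "winlogon", "svchost", "lsass", "csrss", "smss", "services", "explorer"}

# HijackThis line shapes, as they appear in the log posted above.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<dll>.*)$", re.I)
O4_RUN = re.compile(r"^O4 - HK\S*?\\Run(?:Services)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$", re.I)
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.*)$", re.I)
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$", re.I)
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<dll>.*)$", re.I)
TMP_DLL = re.compile(r"^tmp\d+\.tmp\.dll$", re.I)          # e.g. tmp51.tmp.dll
GENERATED_NAME = re.compile(r"-{1,2}\d{6,}\.exe$", re.I)   # e.g. MSWin--1811083516.exe

# Constructed sample in HijackThis format, built from entries quoted in the thread.
# The [Khescb] Run line (and its ",Start" entry point) is hypothetical.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp51.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [Khescb] rundll32.exe C:\WINDOWS\Khescb.dll,Start
O4 - Startup: MSWin--1811083516.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: MSDcat - C:\WINDOWS\SYSTEM32\MSDcat.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def image_path(cmd: str) -> str:
    """Program a Run/Startup command launches: a quoted path taken whole, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def loaded_module(cmd: str) -> str:
    """For 'rundll32.exe <dll>,<entry>' return <dll>, the code that actually runs; else the image."""
    img = image_path(cmd)
    if basename(img) != "rundll32.exe":
        return img
    rest = cmd.strip()
    rest = rest[len(img) + 2:] if rest.startswith('"') else rest[len(img):]
    return rest.strip().split(",", 1)[0].strip().strip('"')


def in_windir_root(path: str) -> bool:
    """True for a file directly in the Windows directory (not system32 or any other subfolder)."""
    p = path.lower()
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]


def run_reasons(name: str, cmd: str) -> list[str]:
    reasons = []
    module = loaded_module(cmd)
    base = basename(module)
    if name.lower() in CORE_NAMES:
        reasons.append(f"Run value named after core component '{name}', which is never started from a Run key")
    if base.endswith(".dll") and basename(image_path(cmd)) != "rundll32.exe":
        reasons.append("Run value points at a DLL, not an executable")
    if in_windir_root(module):
        reasons.append("module sits directly in the Windows directory root")
    if TMP_DLL.match(base):
        reasons.append("temporary-file-style DLL name")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics to every line; one Finding per (line, reason)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_USERINIT.match(line):
            entries = [e.strip().lower() for e in m["value"].split(",") if e.strip()]
            extra = [e for e in entries if e != EXPECTED_USERINIT]
            if extra:
                findings.append(Finding(line, f"UserInit chains extra program(s): {extra}"))
        elif m := O2_BHO.match(line):
            dll = m["dll"].strip()
            unnamed = m["name"].strip().lower() == "(no name)"
            if (unnamed and dll.lower().startswith(WINDIR)) or TMP_DLL.match(basename(dll)):
                findings.append(Finding(line, "unnamed or temp-named BHO loading a DLL from the Windows directory"))
        elif m := O4_RUN.match(line):
            findings.extend(Finding(line, r) for r in run_reasons(m["name"], m["cmd"]))
        elif m := O4_STARTUP.match(line):
            if GENERATED_NAME.search(m["item"]):
                findings.append(Finding(line, "Startup item with a generated-looking numeric name"))
        elif m := O20_APPINIT.match(line):
            if m["value"].strip():
                findings.append(Finding(line, "AppInit_DLLs is set; that DLL is loaded into every process that uses user32"))
        elif m := O20_NOTIFY.match(line):
            findings.append(Finding(line, "Winlogon Notify DLL runs inside winlogon.exe at logon; verify its publisher"))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Unique flagged lines, in log order."""
    return list(dict.fromkeys(f.line for f in triage(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The heuristics only pick lines out for a person to look at: a Winlogon Notify or AppInit_DLLs hit is not proof of infection on its own, and a clean triage says nothing about entries a rootkit hid from the scanner in the first place.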
ASKER
Nothing was in the AppInit_DLLs
When the system is restarted, put your XP CD-ROM into the drive, then click Start, Run and type:
sfc /scannow
to restore missing or corrupted operating system files.
ASKER
Thanks for all of the help. I cleared up the laptop; however, two more workstations now have this problem, so I am going to reimage those workstations. Thanks again!
I'd say that "When 'msconfig' has started, go to the rightmost tab and locate the entry that contains the reference to that DLL and disable it." would have done the job also.
ASKER
Thanks for the additional information.