
Rundll Error Loading Iernonce.dll Process Not Found


  • This topic is locked

#1 kcmal


Posted 13 February 2008 - 03:41 PM

On reboot, after Windows starts with the desktop background showing but before the desktop icons are shown/loaded, I get:

RUNDLL
Error loading C:\windows\system32\iernonce.dll
The specified process could not be found

I think this was caused by VundoFix. This is the log:


VundoFix V6.7.8

Checking Java version...

Scan started at 8:51:28 PM 2/11/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


My reason for running VundoFix is I am redirected to http://wwww2.look-up-results.com whenever I use the address bar in both Firefox and IE to search for a known site such as yahoo, digg, reddit. Google is supposed to be my default search. If I just use the word yahoo, digg, etc. I get redirected. If I use the word yahoo.com, digg.com I go to the correct site. I use Firefox most and only use IE if forced to. Can't get Windows Updates. After it starts its prep I get an error 0x8007007F. Can't get Kaspersky online scan to load its program. All this seems to be ActiveX problems. Ran McAfee complete virus scan, it's clean. Spybot S&D was clean except for 1 tracking cookie. Adaware was clean. McAfee Stinger was clean. The redirect only happens on my dialup connection, only on this laptop. My desktop PC is not affected on the same dialup connection. Also not redirected if I leech off my neighbor's WiFi.


Also ran ComboFix. Here is a part of its log. Will post complete log on request.

ComboFix 08-02-13.2 - Mike Lindow 2008-02-12 16:29:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -6:00]
Running from: C:\Documents and Settings\Mike Lindow\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.dj+|C̛v+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|C̛vad S-1-5-18 `HT4?? 6VwoQZCDHMiC:\WINDOWS\SoftwareDistribution\Download\5a61c35c8b16af02e0d6ee9539eece21\WindowsXP-KB946627-x86-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 15:15 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\iernonce.dl_
2008-02-11 22:13 . 2008-02-11 22:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 20:51 . 2008-02-11 20:51 <DIR> d-------- C:\VundoFix Backups
2008-02-11 12:33 . 2008-02-11 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-11 12:10 . 2008-02-11 12:26 <DIR> d-------- C:\fixwareout
2008-02-04 14:34 . 2008-02-04 14:34 335 --a------ C:\WINDOWS\mozregistry.dat
2008-02-02 13:12 . 2008-02-04 11:53 <DIR> d-------- C:\Jobs
2008-02-01 12:18 . 2008-02-01 12:18 <DIR> d-------- C:\Documents and Settings\Mike Lindow\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 22:32 4,978,720 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-12 22:24 59,180 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-12 04:47 --------- d-----w C:\Program Files\directx
2008-02-12 00:41 --------- d-----w C:\Program Files\DAP
2008-02-12 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 22:59 --------- d-----w C:\Program Files\Spybot
2008-02-02 13:44 27,614 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_02_01_19_22_37_full.dmp.zip
2008-01-27 04:46 --------- d-----w C:\Documents and Settings\Mike Lindow\Application Data\uTorrent
2008-01-18 16:57 --------- d-----w C:\Program Files\McAfee
2008-01-16 01:03 --------- d-----w C:\Program Files\Procomm Plus
2008-01-01 20:03 --------- d-----w C:\Program Files\Java
2008-01-01 19:49 --------- d-----w C:\Program Files\Common Files\Java
2007-12-30 19:32 --------- d-----w C:\Program Files\Microsoft GIF Animator
2007-12-30 19:32 --------- d-----w C:\Program Files\IrfanView
2007-09-24 05:51 14,724 ----a-w C:\Program Files\GPS UtilityTrkLog070924_05.txt
2007-09-22 00:02 3,440 ----a-w C:\Program Files\GPS UtilityTrkLog070922_00.txt
2007-09-21 23:59 7,346 ----a-w C:\Program Files\GPS UtilityTrkLog070921_23.txt
2007-09-20 19:30 2,138 ----a-w C:\Program Files\GPS UtilityTrkLog070920_19.txt
2007-09-16 18:23 441 ----a-w C:\Program Files\GPS UtilityTrkLog070916_18.txt
.


Here is complete HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:49 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\VsStat.exe
C:\Program Files\McAfee\Vshwin32.exe
C:\Program Files\McAfee\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirect...c02&lc=0409
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\VSCShellExtension.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Cookie Pal] "C:\Program Files\CPal\CPBrWtch.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189205193863
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E6657C-3624-4E1D-95BD-216046450BD2}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\Avsynmgr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6555 bytes


 


#2 RichieUK


Posted 18 February 2008 - 06:35 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 kcmal


Posted 20 February 2008 - 11:27 PM

Tried an XP repair. COMPLETELY hosed the whole thing. Solved problem by buying new laptop. (It was old and flaky as Fark anyway)

BTW, Vista sux.

Thanks anywho.

Please close topic.

#4 RichieUK


Posted 21 February 2008 - 07:36 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.