.dll Files Could not be Found


21 replies to this topic

#1 frankster

frankster

  • Members
  • 12 posts

Posted 11 January 2009 - 01:53 AM

About a week ago, I started having a malware issue. Ad-Aware identified it as Virtumonde and consistently detected it, but could not remove it. Spybot found a few other things and was able to remove them. AVG was able to deal with Virtumonde. Everything was fine until today.

I noticed that browsing was slow on both Firefox and Internet Explorer. I then also noticed that Zone Alarm was no longer automatically starting with Windows (I have since changed that). I ran the Ad-Aware smart scan and removed whatever it identified, but the computer remained slow. I then ran Spybot, which removed several things. Since then, my computer has no longer been slow. Unfortunately it introduced another issue.

Now when I try to open a .doc file in Word, I get a message saying "Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience." It says a few other things, has a check box for "Recover my work and restart Microsoft Word" and then a "Send Error Report" and "Don't Send" buttons. If I check the box, a new message appears saying that Word failed to start correctly. I am then prompted to start in safe mode. Word works fine this way in safe mode.

The first thing I did was restart, hoping that the issue would resolve itself. When Windows reloaded, I was greeted with two messages:
1) c:/windows/system32/dazetaha.dll could not be found
2) c:/windows/system32/kenahozi.dll could not be found

I assume that this is related to the Word issue because aside from that my computer is running fine.

I did some googling with those dll names and was directed to this site, where people have posted HJT logs that contain those dll names.

I looked at the stickies up top and saw one for XP Boot Fixes. I tried to run chkdsk but was unable to, both through the cmd prompt and by right-clicking on the drive icon in My Computer. I also was unable to run chkdsk in safe mode.

And that brings me to this post. Thanks in advance for any help. I likely will not be able to check back here until tomorrow afternoon.

There is one other thing that I forgot to mention. Every time that I reboot, my desktop icons revert to the extreme left side of my secondary monitor. I otherwise keep them on the extreme left side of my primary monitor.

Edited by KoanYorel, 11 January 2009 - 02:02 AM.
Moved from Windows XP Home and Professional to more appropriate forum




#2 buddy215

buddy215

  • Moderator
  • 13,323 posts

Posted 11 January 2009 - 09:18 AM

Those files are associated with a Vundo or Virtumonde malware infection.

The two programs in the links below with the instructions to use them, have had success in removing Vundo. You should know though that Vundo is constantly changing to hide from the security programs so you may have to update both for a day or two to get rid of Vundo.

Super Antispyware instructions:
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

MalwareBytes AntiMalware instructions:
http://www.bleepingcomputer.com/forums/ind...st&p=944365

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 frankster


Posted 11 January 2009 - 03:52 PM

Thanks for the response. Could you try posting those links again, or pasting the instructions into this thread?
I get "Error 404: Page not found" from each of them.

#4 buddy215


Posted 11 January 2009 - 04:04 PM

Not sure what the 404s are about.

http://www.superantispyware.com/
Please download and install SUPERAntiSpyware Free

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
* Under the "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  o Close browsers before scanning.
  o Scan for tracking cookies.
  o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  o Click Preferences, then click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

http://www.malwarebytes.org/mbam.php
Download MBAM from link above.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  o Update Malwarebytes' Anti-Malware
  o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Edited by buddy215, 11 January 2009 - 04:10 PM.


#5 frankster


Posted 11 January 2009 - 05:37 PM

Twice in a row, about 30 minutes into the Super AntiSpyware scan, I received a message stating something like:
DCOM server process launcher has terminated unexpectedly...initiated by NT Authority\System
The computer is then forced to shut down 60 seconds later.

#6 buddy215


Posted 11 January 2009 - 05:45 PM

Try doing a scan with MBAM. That is the first time I have heard of the problem you are having. I will look around and get back when I have something.

#7 frankster


Posted 11 January 2009 - 05:50 PM

A quick Google search indicates that it could be a ton of different things.
One option is to just stop the scan before the 30 minute mark. Within the first few minutes it finds 22 objects and then nothing else until the forced shutdown. Also, when it is forced to shut down, it is in the middle of scanning my music, of which there is about 80 GB. I'm guessing that by that point, it has scanned most of the areas where there is likely an issue.

Thanks again for all the help. I'm about to download/run MBAM.

#8 buddy215


Posted 11 January 2009 - 05:51 PM

Open SAS and click on the "scanning control" tab.

Uncheck these two options: Use kernel direct file access and Use kernel direct registry access

Go ahead and run the MBAM scan first though.

#9 frankster


Posted 11 January 2009 - 06:13 PM

Not sure if this is normal, but on the MBAM reboot, a chkdsk was automatically run.
Computer feels much faster now, and hard drive activity is down significantly.
Also, the notice about the .dll files not being found did not appear when MBAM rebooted.


Malwarebytes' Anti-Malware 1.32
Database version: 1643
Windows 5.1.2600 Service Pack 3

1/11/2009 5:54:22 PM
mbam-log-2009-01-11 (17-54-22).txt

Scan type: Quick Scan
Objects scanned: 54311
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pohudodi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\melidawa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\jogekini.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7686c43a-eb6e-437e-a8a8-0c9ea96ade1c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7686c43a-eb6e-437e-a8a8-0c9ea96ade1c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7686c43a-eb6e-437e-a8a8-0c9ea96ade1c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\283ac541 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nijumiduro (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b09f6dd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pohudodi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pohudodi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pohudodi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jogekini.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jogekini.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\capcom (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drvr2 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\melidawa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awadilem.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jogekini.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vuhuviti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pohudodi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqNDTJD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaqxfakfrq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Local Settings\Temp\seneka8f70.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\74QXXSWO\InstallAVg_770522169170[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmpE.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\pldr8[1].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaoiyygmum.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekatoxjhcxx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
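
An added example, not part of the original posts and not Malwarebytes code: a small Python parser for the log format shown in post #9. It lists the files marked "Delete on reboot" (the ones to confirm are gone after the normal-mode restart described in post #4) and the registry values whose data pointed at a flagged DLL. The sample is an excerpt of the log above; the function names are made up for this example.

```python
import re
from collections import defaultdict

# Excerpt of the MBAM 1.32 log from post #9 above, shortened for the example.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\pohudodi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\jogekini.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nijumiduro (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pohudodi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pohudodi.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pohudodi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vuhuviti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaoiyygmum.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if not (m and section):
            continue  # header, summary count or "(No malicious items detected)"
        parts = m.group("rest").split(" -> ")
        data = parts[0][len("Data: "):] if parts[0].startswith("Data: ") else None
        entries.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "data": data,
            "action": parts[-1].rstrip("."),
        })
    return entries

def pending_reboot(entries):
    """Paths MBAM could not delete in-session, de-duplicated case-insensitively."""
    return sorted({e["item"].lower() for e in entries
                   if e["action"] == "Delete on reboot"})

def load_points(entries):
    """Map each DLL named in a registry 'Data:' field to the values that held it."""
    refs = defaultdict(set)
    for e in entries:
        if e["data"]:
            dll = e["data"].lower().rsplit("\\", 1)[-1]
            refs[dll].add(e["item"].rsplit("\\", 1)[-1])
    return {dll: sorted(keys) for dll, keys in refs.items()}

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Confirm these are gone after the normal-mode reboot:")
    for path in pending_reboot(parsed):
        print("  ", path)
    for dll, keys in load_points(parsed).items():
        print(dll, "was referenced by", ", ".join(keys))
```

Run against a full saved log, the same functions work on the text read from the mbam-log file; only the section headers and the `item (detection) -> action` line shape seen in the log above are assumed.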

#10 frankster


Posted 11 January 2009 - 06:26 PM

The original issue with Word has not been resolved.

I went back to SAS and am running it again. The options that you told me to change were already unchecked.

#11 Cerenia

Cerenia

  • Members
  • 26 posts

Posted 11 January 2009 - 06:30 PM

Last time I had that happen (my fault), I went straight into the computer's clock and changed the time back a couple of hours. That gave me time to finish what I was doing, restart at my convenience, and then change the clock back.

#12 frankster


Posted 11 January 2009 - 09:14 PM

Now some of my internet searches using Firefox are redirected to a website called shopica.

Also, I am still having issues with Word. I first tried to repair it which didn't change a thing. Then I just reinstalled it and that also did not do a thing.

Edited by frankster, 11 January 2009 - 09:39 PM.


#13 buddy215


Posted 11 January 2009 - 09:49 PM

Bummer.

Maybe if you describe what is happening now with Word. Are you getting any message other than the need to close?
When you ran chkdsk was there any problem reported?
Your computer was heavily infected. It is possible that the malware or one of your security programs corrupted a system file while removing the malware and a reformat and reinstall may be the only solution.

A repair install sometimes works. If you need help with that, start another topic in XP forum.

#14 frankster


Posted 11 January 2009 - 10:01 PM

Unfortunately I still have Virtumonde - a Spybot scan just found multiple instances of it.

Chkdsk did not report anything.

I was also thinking of a repair install. As I understand it, this will not remove any of my files.

Edit: I just looked into a repair install a bit and because my xp cd is old, it involves reloading the sata driver. All I remember is that when I first built the computer this was a huge pain to deal with (I recall something with the wrong driver being on the mobo manufacturer's website). Anyway, the point is I really want to avoid this. Also, I tried to slipstream SP2 at one point but for whatever reason it didn't work.

Edited by frankster, 11 January 2009 - 10:16 PM.


#15 buddy215


Posted 11 January 2009 - 10:18 PM

Is Spybot perhaps reporting files that are in system restore points? Those are infected, and if you are going to continue to clean rather than reformat, those will be the last files to remove. They can only be activated if you do a system restore.

I would not do a repair install unless I was sure the computer was malware free. Only a complete erase of the hard drive would remove the malware. Then format and reinstall.

Did SAS find more malware other than cookies? If it did, could you post the log.



