Antivirus keeps removing: C:\Windows\system32\0051.dll


#1 Fires



Posted 30 July 2010 - 02:34 PM

Lately, since about the 6th of July, my parents have been getting an error message, which was something along the lines of C:\Windows\system32\0051.dll not being a valid Windows image. (Sorry, I don't know what the exact message was, as the error message is no longer popping up.) They decided to completely ignore this, even though it was popping up a few times when you loaded Chrome. Letting it be for a while has just made it worse, up to a point where they couldn't even start Windows anymore, not even in safe mode. Having them come to me to help fix this issue, I've decided to just do a repair install of Windows. This worked, but the error message would still pop up. Doing a quick scan with Panda, it seemed to remove a few files it classified as trojans, but found the C:\Windows\system32\0051.dll to be suspicious, but did not seem to remove it, just contained it. After restarting the computer, Panda no longer contained it, and doing a scan on it again did not find it as a threat at all, but it did find some more trojans in other areas, including system32. Any help with this would be greatly appreciated. Here are the logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by LioutsiaS at 14:26:59.68 on Fri 07/30/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.73 [GMT -4:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe 4
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Mail.Ru\Agent\MAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\LioutsiaS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\LioutsiaS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\LioutsiaS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\LioutsiaS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\LioutsiaS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Documents and Settings\LioutsiaS\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: {83821c2b-32a8-4dd7-b6d4-44309a78e668} - c:\program files\mail.ru\agent\mra\dll\newmrasearch.dll
BHO: adShotHlpr Object: {c7554b61-d154-43c8-bf11-3f52fa55a5ed} - c:\windows\system32\kqxxt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\lioutsias\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Rhirupewukuwup] rundll32.exe "c:\windows\mgrckxsh.dll",Startup
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [VTTimer] VTTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MAgent] c:\program files\mail.ru\agent\MAgent.exe -LM
mRun: [skb] rundll32 "kqxxt.dll",,Run
mRun: [nonep] c:\windows\temp\1.tmp
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PSNUpd] "c:\program files\panda security\panda cloud antivirus\psnupd.exe" /UpgradeNotification
IE: {7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\mail.ru\agent\magent.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {67A99278-287A-4C94-BCAF-B7A50167C997} =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: reset5c - reset5c.dll
AppInit_DLLs: c:\windows\system32\0051.DLL

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
R2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]
R4 PsBoot;Panda boot driver;c:\windows\system32\drivers\psboot.sys --> c:\windows\system32\drivers\PsBoot.sys [?]
S2 dmadminDnscache;Logical Disk Manager Administrative Service dmadminDnscache;c:\windows\system32\3com_dmix.exe srv --> c:\windows\system32\3com_dmix.exe srv [?]

=============== Created Last 30 ================

2010-07-30 18:10:38 0 d-----w- c:\program files\Trend Micro
2010-07-30 16:34:27 0 d-----w- c:\documents and settings\all users\HF_PCA_1.00.00.0002
2010-07-30 16:34:24 0 d-----w- c:\documents and settings\all users\HF_PCA_1.00.00.0004
2010-07-30 16:34:21 0 d-----w- c:\documents and settings\all users\HF_PCA_1.00.00.0005
2010-07-30 00:45:58 143422 -c--a-w- c:\windows\system32\dllcache\softkey.dll
2010-07-30 00:44:59 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-07-30 00:43:56 78848 -c--a-w- c:\windows\system32\dllcache\dayi.ime
2010-07-30 00:42:59 20536 -c--a-w- c:\windows\system32\dllcache\shtml.dll
2010-07-30 00:40:42 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-07-30 00:40:35 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-07-30 00:40:35 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-07-30 00:40:35 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-07-30 00:40:35 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-07-30 00:40:35 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-07-30 00:40:16 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-07-29 23:50:11 0 d-----w- c:\program files\Synaptics
2010-07-29 23:47:10 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-07-29 23:47:10 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-07-29 23:47:10 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-07-29 23:47:10 13312 ----a-w- c:\windows\system32\irclass.dll
2010-07-05 14:08:02 37376 ----a-w- c:\windows\system32\0051.DLL

==================== Find3M ====================

2010-07-30 00:38:43 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-29 12:08:48 4 ----a-w- c:\docume~1\liouts~1\applic~1\avdrn.dat
2010-06-25 17:41:00 1058056 --sha-w- c:\windows\system32\1054t.sys
2010-06-05 14:56:31 4 ----a-w- c:\docume~1\liouts~1\applic~1\dhxiuw.dat

============= FINISH: 14:27:55.68 ===============

#2 Fires


Posted 31 July 2010 - 12:43 PM

Sorry could not wait, moving issue to different forum.

#3 Budapest



  • Moderator

Posted 01 August 2010 - 05:57 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.

