Posted

Hey, I'm getting some weird rundll error message that has just started coming up, and since this started I can no longer get on the internet. The error message is as follows:

 

C:/docume~1/admin~1/locals~1/temp/sbdlef.dll

The specified module could not be found.

 

When I try to connect to the internet it can't. If I run the diagnostic tool from IE window it says:

detected a problem with the Winsock provider catalogue.

 

If I try and get on via Chrome it says:

DNS look up failed.

 

I'm running Windows XP Pro on a Fujitsu Siemens Scaleo P (System Model P5GD1-FM) if that is of any use. I am absolutely out of ideas as to where this problem has come from and how to get rid of it! Help would be much appreciated guys.


Posted
Hi, tried this earlier. Had to download the FixIt to a memory (as I can't connect on other pc), ran it and it said it was fixed. However I still cannot get it to connect to the internet. Would the weird RUNDLL error message have anything to do with this?
Posted

Hi

 

Download CCleaner from here to your memory stick and install on the problem computer ( 3.7MB )

click here

 

We need to delete temp files.

 

DO NOT use the registry cleaner.

 

Do you still get the same error message?

There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!

 

MiniToolBox

Network Test

Wireless Test

Posted

I can find no reference to sbdlef.dll other than what you have posted on the web.

Are you sure it has been typed correctly?

 

Start > ...........type in ............cmd ..........ENTER

At the prompt type ............ping 127.0.0.1 ..............ENTER ( space after ping )

You should get 4 packets sent and 4 received no losses.

Do you ?

 

Have you run MalwareBytes ?

If not d/l from here to the memory stick:

click here

 

Install > Update > Run it

It will produce a log in Notepad.

Copy this to the memory stick and post here please.


Posted

When I tried to ping it came up with unable to contact IP driver, error 2.

 

In regards to MalwareBytes I have installed it, when trying to update it brings up the following error message

PROGRAM_ERROR_UPDATING (0, 0, Host not found)

I am currently running the scanner now, thought I would post this to see if it offers any other clues as I don't know how long it will take to finish the scan.

Posted

Ok scan has completed and has produced the following error report:

Malwarebytes Anti-Malware 1.62.0.1300

http://www.malwarebytes.org

 

Database version: v2012.07.03.05

 

Windows XP Service Pack 3 x86 FAT32

Internet Explorer 8.0.6001.18702

Administrator :: SHOP [administrator]

 

12/07/2012 14:05:56

mbam-log-2012-07-12 (14-31-56).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 204993

Time elapsed: 8 minute(s),

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Services\Mshost Manager (Backdoor.Agent) -> No action taken.

 

Registry Values Detected: 3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sbdlef (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sbdlef.dll",WriteFileStamp -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bcneh (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bcneh.dll",ComputeTangentFrame -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sastcv (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sastcv.dll",GetImageInfoFromResourceA -> No action taken.

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 1

C:\Documents and Settings\Administrator\Application Data\Plug.bat (Backdoor.Agent) -> No action taken.

 

(end)

After this has been completed I used the option to remove the suggested files and the result is that I no longer get the weird RUNDLL error message upon start up. However I still cannot connect to the internet. Ran diagnostic tool again and it no longer mentions a winsock error it just says contact the XP provider straight after I select that I am using a wired connection. Screen grab of this and the diagnostic report below:

 

http://i731.photobucket.com/albums/ww319/philknight81/Diagnostics.jpg
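
An added example, not part of the original posts: a small Python triage script that parses the "Registry Values Detected" lines of the log above and reports why each Run entry stands out (rundll32 autorun, DLL under a Temp directory, value name matching the DLL file name). The function names and the three heuristics are assumptions chosen for illustration; the sample lines are copied from the log in this thread.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any OS

# MBAM 1.x registry-value line: KEY|NAME (Detection) -> Data: ... -> Action
MBAM_VALUE = re.compile(
    r'^(?P<key>HK[^|]+)\|(?P<name>\S+) \((?P<detection>[^)]+)\)'
    r' -> Data: (?P<data>.*?) -> (?P<action>.+)$')
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.I)

# Lines copied from the MBAM log in this thread (one service key, three Run values).
SAMPLE_LOG = r'''
HKLM\SYSTEM\CurrentControlSet\Services\Mshost Manager (Backdoor.Agent) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sbdlef (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sbdlef.dll",WriteFileStamp -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bcneh (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bcneh.dll",ComputeTangentFrame -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sastcv (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sastcv.dll",GetImageInfoFromResourceA -> No action taken.
'''

def parse_mbam_values(log_text):
    """Return one dict per registry-value detection line; other lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := MBAM_VALUE.match(line.strip()))]

def autorun_signals(name, data):
    """Heuristic reasons a Run value resembles the entries in this thread."""
    m = RUNDLL.search(data)
    if not m:
        return []
    dll = m.group('dll')
    reasons = ['rundll32 autorun']
    if re.search(r'\\te?mp\\', dll, re.I):  # also matches 8.3 paths like LOCALS~1\Temp
        reasons.append('DLL loaded from a Temp directory')
    if splitext(basename(dll))[0].lower() == name.lower():
        reasons.append('value name equals DLL file name')
    return reasons

def triage(log_text):
    """Return (value name, reasons) for every parsed entry with at least one signal."""
    hits = [(e['name'], autorun_signals(e['name'], e['data']))
            for e in parse_mbam_values(log_text)]
    return [(name, reasons) for name, reasons in hits if reasons]

if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG):
        print(name, '->', '; '.join(reasons))
```
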

Posted
Could it be faulty winsock and winsock 2 keys (I've been reading other forums to try to figure this out)? I have another computer running XP Pro here and it connects to the internet no problem on the same router, would I be able to copy the keys over to see if that would help sort it out?
Posted

Hi

 

I will ask one of our Security Experts to take a look at the MBAM log - just in case.

 

Please be patient - they are busy guys.


Posted

As 'boopme' is helping you over at BC, I don't want to interfere too much and I should inform him that you are being helped here as well.

All I'll say at the moment is now that those files have been removed using MBAM... Try resetting everything again. (the files on your system may have prevented the previous fix from working)

 

Try one or both of these and see if your connection comes back.

 

Click Start...Run... Type in (or copy and paste) ipconfig /flushdns then click the 'enter' key. You'll get a confirmation that the flush was successful.

Remember that there is a space between the g and the /

 

FOR CONNECTION PROBLEMS :

Click on Start... Control Panel, select the 'Network and Internet Connections' category or double click on Network Connections, depending on which View you are using. Then right click on your default connection, usually 'local area connection' for cable and dsl, and left click on properties. Double-click on the 'Internet Protocol' (TCP/IP) item. Write down the settings in case you should need to change them back. Select the radio dial that says 'Obtain DNS servers automatically'.

Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot go ahead and reboot manually.

 

If that doesn't get it, try this one:

 

Go to Start ... Run and type in cmd

A dos Window will appear.

Type in the dos window: netsh winsock reset

Click on the 'enter' key.

 

Reboot your system to complete the process.

 

I will point out that this is not good:

C:\Documents and Settings\Administrator\Application Data\Plug.bat (Backdoor.Agent)

HKLM\SYSTEM\CurrentControlSet\Services\Mshost Manager (Backdoor.Agent)

 

It is known that these trojans can communicate with remote computers, download and run code, steal passwords, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

 

If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

 

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

 

For more information read ....Here

If you choose to format and reinstall read...... Here

Member of:

UNITE

Posted
It seems this thread is active in a number of sites. It may be wise for the member to select one for the benefit of everyone involved.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted
It may be wise for the member to select one for the benefit of everyone involved.

You are right BeeCeeBee.

I have informed 'Boopme' over at BC.

I will not add any more advice until we know which site is going to deal with this.

It's bad etiquette to receive help at a number of sites.

It's not only confusing for the helpers.... it's also wasting helpers' time.

Posted
Obviously I did not know where any of you were based and that there would be an overlap of anything, apologies. I have informed BC and CHF that I would like to continue receiving help from this forum and that their efforts have been much appreciated.
Posted

Using the method below I have managed to restore my internet connection.

 

http://smokeys.wordpress.com/2008/07/20/how-to-recover-a-really-dead-windows-xp-sp2sp3-tcpip-stack/

 

However I would still be interested to hear what the Security guys think on the Malware log info. Do you have any recommendations as to some good AV software? I have had McAfee/Norton (both stopped a lot of programs communicating effectively) in the past and never been too happy with it, Kaspersky was less irritating. Are any of the free ones like AVG any good?

 

Once again, many thanks for all your efforts.

Posted

You still have a serious problem on your system.

 

Starbuck should be around later - but I hope you noted what he said earlier re: bank details etc.

It is known that these trojans can communicate with remote computers, download and run code, steal passwords, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

 

If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

 

Even if you do not use the machine for banking - Starbuck still needs to advise you further.


Posted

May I also reinforce KenB's post as above, you may not do actual bank transactions, but if you bought anything via the internet while those trojans were active, they will have picked up your credit or debit card numbers, Paypal account details etc.

We don't like to hear if a member finds he has been robbed and accounts emptied by these criminals if we can warn in advance to prevent that.

 

Nev.

Need help with your computer problems? Then why not join Free PC Help. Register here.

If Free PC Help has helped you then please consider a donation. Click here

 We are all members helping other members. Please return here where you may be able to help someone else.  

After all, no one knows everything and you may have the answer that someone needs.

--------------------------------------------------------------------

I have installed Windows, now how do I install the curtains? 😄


Posted

Hi Dizzypop,

 

I'll move this thread to the malware removal forum so that we can get some better scans done.

 

Step 1

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
    Vista/Win7 users should right click on the icon and select Run as Administrator.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
    If running Vista/Win7, you will not see the recovery console screens as they are Win XP related
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

 

 

Step 2

  • Download OTL to your desktop.
    If using Firefox ..right click on the link and select 'Save Link/Target As'.
     
    If you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check


http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png

 

Now copy the lines in bold below.

 

netsvcs

msconfig

%SYSTEMDRIVE%\*.*

%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

%systemroot%\*. /mp /s

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\system32\*.exe /lockedfiles

%systemroot%\System32\config\*.sav

%PROGRAMFILES%\*

%USERPROFILE%\..|smtmp;true;true;true /FP

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

hklm\software\clients\startmenuinternet|command /rs

hklm\software\clients\startmenuinternet|command /64 /rs

CREATERESTOREPOINT

 

  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  • Click the Run Scan button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

 

In your next reply, please submit:

Combofix.txt

and both reports from OTL.

 

Thanks


Guest
This topic is now closed to further replies.
