Computer Hope

Software => Computer viruses and spyware => Topic started by: mzdwells on March 26, 2009, 09:31:17 AM

Title: 'Error loading dll32' message
Post by: mzdwells on March 26, 2009, 09:31:17 AM

Yesterday I updated my Avast! virus software and it detected a virus which I moved to the chest (file is called dll32.dll).

Since doing that I get a window pop up after start up my computer  "Error loading dll32 The specified module could not be found". Also, I cannot access webpages through Internet Explorer (my only browser --- I am posting this message through my work computer). However, the internet does work as I can use Outlook Express.

Could someone please assist me in fixing this?

Thanks!

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on March 27, 2009, 09:24:47 PM

Can you transfer over Dr Web and scan with it? I need the log it creates.

Download DrWeb CureIt (http://www.freedrweb.com/) & save it to your desktop. Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start
  
• An information notice will appear, click OK.
  
• This starts a short scan that will scan the files currently running in memory.
• If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  
• If or when something is found, click the Yes button when it asks you if you want to cure it.

.

• Once the short scan has finished, Click Settings > Change Settings
  
• Under the Scanning tab UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button and then click the Green Arrow (http://i154.photobucket.com/albums/s258/evilfantasy69/drweb.jpg) Start Scanning button on the right and the scan will start.
  
• Click Yes to all if it asks if you want to cure/move any file(s).
  
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

.
* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 02, 2009, 07:18:15 AM

Here is the log:

A0175203.DLL;C:\System Volume Information\_restore{59343236-1A28-4710-BCCC-3F5F6633CEB6}\RP1395;Trojan.Click.24880;Deleted.;

Thanks again!

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 02, 2009, 11:24:22 AM

Download TrendMicro HijackThis.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) (HJT) to the Desktop.

• Double-click on HJTInstall.
• Click on the Install button.
  
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  
• Upon install, HijackThis should open for you.
• Click on the Do a system scan and save a log file button
  
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the entire contents of the log in your post.
  
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 07, 2009, 11:00:52 AM

Here is the log, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:51 PM, on 06/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nypost.com/gossip/gossip.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [dll] rundll32 dll32,sm
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eurocom.ca/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2442357e849549126123/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.rockefellercenter.com/viewer/wg_webeye.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} (DAX Control) - https://webmail.ontario.ca/exchweb/controls/DAX.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/activex/v2_0_0_7/PCAXSetupv2.0.0.7.cab?
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8808 bytes

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 07, 2009, 11:15:11 AM

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
• F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
• O4 - HKCU\..\Run: [dll] rundll32 dll32,sm

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Title: Re: 'Error loading dll32' message
Post by: mroilfield on April 09, 2009, 04:55:06 AM

BrockO,

You need to start your own thread.

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 09, 2009, 07:25:52 AM

I did this twice, the first time I couldn't connect to the internet for the 'recovery console' installation so I ran it again when the connection was regained. Hope that is ok....I am posting both logs.

Without internet connection:


omboFix 09-04-04.01 - Marta 2009-04-08 21:31:59.1 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.221.59 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning disabled* (Updated)
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.

2009-04-06 19:53 . 2009-04-06 19:53   <DIR>   d--------   c:\program files\Trend Micro
2009-04-01 18:59 . 2009-04-01 18:59   <DIR>   d--------   c:\documents and settings\Marta\DoctorWeb
2009-03-25 21:20 . 2009-03-25 21:18   410,984   --a------   c:\windows\system32\deploytk.dll
2009-03-22 18:17 . 2009-03-23 21:18   3,157   ---h-----   c:\windows\f5087.dat
2009-03-22 18:11 . 2009-03-22 18:11   <DIR>   d--------   c:\windows\system32\887164
2009-03-22 18:11 . 2009-03-22 18:11   2   ---h-----   c:\windows\t55ft2792f44.dat
2009-03-22 18:11 . 2009-03-22 18:11   1   ---h-----   c:\windows\f23567.dat
2009-03-14 20:00 . 2009-03-14 20:00   <DIR>   d--hs----   C:\FOUND.027
2009-03-09 20:06 . 2009-03-09 20:06   <DIR>   d--hs----   C:\FOUND.026

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:13   1,846,784   ----a-w   c:\windows\system32\win32k.sys
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-01-17 01:35   3,594,752   ----a-w   c:\windows\system32\dllcache\mshtml.dll
2008-07-29 23:26   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2005-01-28 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="c:\windows\sisUSBrg.exe" [2002-04-25 32768]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 135168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" [2002-08-14 c:\windows\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-09-05 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2003-09-06 233472]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2003-12-28 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-21 20560]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nypost.com/gossip/gossip.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://webmail.ontario.ca/exchweb/controls/DAX.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 21:35:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-08 21:37:48
ComboFix-quarantined-files.txt  2009-04-09 01:37:44

Pre-Run: 5,465,047,040 bytes free
Post-Run: 6,401,720,320 bytes free

99   --- E O F ---   2009-03-16 01:28:51


With internet connection:

ComboFix 09-04-04.01 - Marta 2009-04-08 21:49:48.2 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.221.42 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.

2009-04-08 21:45 . 2006-03-02 23:42   73,728   --a------   C:\pv.exe
2009-04-06 19:53 . 2009-04-06 19:53   <DIR>   d--------   c:\program files\Trend Micro
2009-04-01 18:59 . 2009-04-01 18:59   <DIR>   d--------   c:\documents and settings\Marta\DoctorWeb
2009-03-25 21:20 . 2009-03-25 21:18   410,984   --a------   c:\windows\system32\deploytk.dll
2009-03-22 18:17 . 2009-03-23 21:18   3,157   ---h-----   c:\windows\f5087.dat
2009-03-22 18:11 . 2009-03-22 18:11   <DIR>   d--------   c:\windows\system32\887164
2009-03-22 18:11 . 2009-03-22 18:11   2   ---h-----   c:\windows\t55ft2792f44.dat
2009-03-22 18:11 . 2009-03-22 18:11   1   ---h-----   c:\windows\f23567.dat
2009-03-14 20:00 . 2009-03-14 20:00   <DIR>   d--hs----   C:\FOUND.027
2009-03-09 20:06 . 2009-03-09 20:06   <DIR>   d--hs----   C:\FOUND.026

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:13   1,846,784   ----a-w   c:\windows\system32\win32k.sys
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-01-17 01:35   3,594,752   ----a-w   c:\windows\system32\dllcache\mshtml.dll
2008-07-29 23:26   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2005-01-28 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="c:\windows\sisUSBrg.exe" [2002-04-25 32768]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 135168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" [2002-08-14 c:\windows\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-09-05 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2003-09-06 233472]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2003-12-28 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-21 20560]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nypost.com/gossip/gossip.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://webmail.ontario.ca/exchweb/controls/DAX.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 21:52:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-08 21:54:43
ComboFix-quarantined-files.txt  2009-04-09 01:54:40
ComboFix2.txt  2009-04-09 01:37:52

Pre-Run: 6,384,844,800 bytes free
Post-Run: 6,370,295,808 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

98   --- E O F ---   2009-03-16 01:28:51

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 09, 2009, 10:51:17 AM

Quote

Running from: E:\ComboFix.exe

That isn't right. The directions call for ComboFix to be directly on the desktop. Go to Running from: E:\ComboFix.exe and delete Combofix.exe.

Download the new version directly to the desktop.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Folder::
c:\windows\system32\887164
C:\FOUND.027
C:\FOUND.026

File::
c:\windows\f5087.dat 
c:\windows\t55ft2792f44.dat
c:\windows\f23567.dat
C:\FOUND.027
C:\FOUND.026

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 10, 2009, 10:14:52 AM

Here is the log:

ComboFix 09-04-04.01 - Marta 2009-04-10 11:01:15.3 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.221.43 [GMT -4:00]
Running from: c:\documents and settings\Marta\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marta\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090409-0] *On-access scanning disabled* (Updated)
 * Created a new restore point
 
FILE ::
C:\FOUND.026
C:\FOUND.027
c:\windows\f23567.dat
c:\windows\f5087.dat
c:\windows\t55ft2792f44.dat
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\FOUND.026
c:\found.026\FILE0000.CHK
c:\found.026\FILE0001.CHK
C:\FOUND.027
c:\found.027\FILE0000.CHK
c:\windows\f23567.dat
c:\windows\f5087.dat
c:\windows\system32\887164
c:\windows\t55ft2792f44.dat
 
.
(((((((((((((((((((((((((   Files Created from 2009-03-10 to 2009-04-10  )))))))))))))))))))))))))))))))
.
 
2009-04-08 21:45 . 2006-03-02 23:42 73,728 --a------ C:\pv.exe
2009-04-06 19:53 . 2009-04-06 19:53 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 18:59 . 2009-04-01 18:59 <DIR> d-------- c:\documents and settings\Marta\DoctorWeb
2009-03-25 21:20 . 2009-03-25 21:18 410,984 --a------ c:\windows\system32\deploytk.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 01:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-07-29 23:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.
 
(((((((((((((((((((((((((((((   SnapShot@2009-04-08_21.36.41.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-09 01:14:14 39,992 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-10 15:10:24 39,992 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-09 01:14:14 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-10 15:10:24 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-10 15:06:18 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_2e0.dat
+ 2009-04-10 15:06:12 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_6c4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2005-01-28 131072]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="c:\windows\sisUSBrg.exe" [2002-04-25 32768]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 135168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SoundMan"="SOUNDMAN.EXE" [2002-08-14 c:\windows\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]
 
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-09-05 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2003-09-06 233472]
D-Link AirPlus.lnk - c:\program files\D-Link AirPlus\AirPlus.exe [2003-12-28 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-21 20560]
.
Contents of the 'Scheduled Tasks' folder
 
2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nypost.com/gossip/gossip.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://webmail.ontario.ca/exchweb/controls/DAX.cab
.
 
**************************************************************************
 
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 11:20:46
Windows 5.1.2600 Service Pack 3 FAT NTAPI
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-10 11:23:13 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-10 15:23:10
ComboFix3.txt  2009-04-09 01:37:52
ComboFix2.txt  2009-04-09 01:54:46
 
Pre-Run: 6,351,159,296 bytes free
Post-Run: 6,341,525,504 bytes free
 
129 --- E O F --- 2009-03-16 01:28:51

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 10, 2009, 12:14:55 PM

How is the computer running now?

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Use the  Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 10, 2009, 02:17:33 PM

The error dll32 message is gone now, but Internet Explorer still doesn't connect to any webpages....

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 10, 2009, 02:21:36 PM

Click HERE (http://www.techsupportforum.com/attachments/internet-explorer-forum/21814d1199836009-ie-7-no-longer-connects-internet-neither-will-ie-6-iedll.zip) to download IEdll.zip. Save it to your desktop.
Right click on IEdll.zip click on Extract all.
Go to the extracted files and double click on IEdll.bat
Follow the prompts.
It will tell you when it is done.
When finished restart your computer.

Is it fixed now?

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 10, 2009, 04:05:27 PM

Still not working...

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 10, 2009, 04:06:41 PM

Download Dial-a-Fix (http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles) by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
Is the problem fixed?

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 16, 2009, 07:18:15 AM

Still not fixed....

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 21, 2009, 09:35:04 AM

I installed Firefox to see if I could connect to the Internet that way but it does not work either.

Title: Re: 'Error loading dll32' message
Post by: evilfantasy on April 21, 2009, 03:58:37 PM

Download and run WinSockFix (http://majorgeeks.com/download4372.html).
This is a two step process that will Back up the Registry and Reset the Winsock Stack.

• Double click on WinsockXPFix.exe to open.
  
• On the Winsock and TCP Repair Utility  screen, click "ReG-Backup"
  
• On the ERDNT Welcome screen, click "OK".
  
• On the Backup to: screen, click "OK".
  
• On the Folder does not exist question screen click "Yes".
  
• You will see a status screen as your registry is being backed up.
• On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  
• On the Winsock and TCP Repair Utility screen, click "Fix".
  
• On the Apply the VB_Winsock fix? screen click "Yes".
  
• The screen will display a status message "repair completed please reboot."
  
• On the Repair Completed screen click "OK" to reboot your computer.
  
• If your computer was not using DHCP, you will need to reconfigure TCP/IP.
• Hopefully you should have connectivity restored.

.
Note: Resetting  the Winsock in SP2 might remove third-party LSPs and restores Winsock to factory default setting. Existing programs that uses their own LSPs may need to be reinstalled. Example: Google Desktop Search.

Title: Re: 'Error loading dll32' message
Post by: mzdwells on April 24, 2009, 08:00:02 AM

I still can't connect through IE or Firefox.

I also got the following errors while running WinSockFix:

Error Saving file C:\ERDNT\SECURITY!
"             "                           SOFTWARE!
"             "                           SYSTEM!
"             "                           DEFAULT!
"             "                           SAM!

C:\ERDNT\Users\S-1-5-21-3581506895-2163411867-2876842818-1006\ntuser.dat!
C:\ERDNT\Users\S-1-5-21-3581506895-2163411867-2876842818-1006_Classes\UsrClass.dat!