No Desktop (themed32.dll) Logs attached - Pl Help !!!


Recommended Posts

Dear Technical Team

My Dell PC has been messed up with a possible Trojan I believe, but I have no idea about the level of infection. It started happening from 22-06-2010 around 18:30 Hrs after reboot, and the desktop won't come up, with the message "The application has failed to start because the themed32.dll was not found. Reinstalling the application may fix this problem."

I did some googling and with the limited information believe that a Trojan has infected the uxtheme.dll file under c:/windows/system32. However, the message gives misleading information about themed32.dll as there is no such file.

I have followed your instructions (malwarebytes->HighjackThis->defogger->DDS->gamer-OTL) and zipped and attached the following logs, which I think should give you quite a bit of information. I have also done a virustotal of the uxtheme.dll file and an MD5 checksum using your OTL tool.

Could you please have a look at the level of infection I have and if there is any "backdoor corruption" which I am very worried about.

Also, if I replace the uxtheme.dll with a copy from the install CD, can I solve this? Interestingly, there is also a uxtheme.dll in the C:/windows/system32/dllcache folder - not sure if this gets loaded from the original file at system boot.

I am in IT, so it would not be a problem if you want me to check anything from your end.

All logs zipped and attached as attach.zip.

Much appreciate your help on this.

Thanks & Regards

baner n

attach.zip


  • Staff

Hi,

If you get the message that themed32.dll is missing, then it's indeed a fact that your uxtheme.dll got replaced with a malicious copy.

To solve this easily, open Task Manager (CTRL-ALT-DEL) and click the error messages away.

Then go to File in the menu > new task > browse button.

When the browse window opens (explorer), select "All files" for "Files of type:".

Then, browse to your C:\windows\system32 folder and find uxtheme.dll in there. Rename that file to uxtheme.bad.

Normally, Windows should already restore it with a new, clean uxtheme.dll (from dllcache) automatically. You can verify this if you right-click inside the system32 folder and select Refresh. A new uxtheme.dll should be created there.

If not, navigate to your C:\windows\system32\dllcache folder and COPY the one from there back to your system32 folder.

Or, another option: before this infection replaced the uxtheme.dll with a malicious version, it first renamed the legitimate uxtheme.dll to uxtheme.dll~RF1ede9.TMP (last part may be random).

So the uxtheme.dll~RF1ede9.TMP (last part may be random) is also still present in the system32 folder. That's the good uxtheme.dll as well, so you can also rename that one back to uxtheme.dll.

Anyway, your choice which one to use to restore :P

Then reboot and all should be fixed again...

Extra note..

Please update MalwareBytes, because the database version AND program version are outdated.

  • Start MalwareBytes and click the Update tab. There, click "Check for updates".
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

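An added example (not from this thread and not a Malwarebytes tool) that automates the check behind the advice above: it compares the live uxtheme.dll against the dllcache copy by MD5 and lists any uxtheme.dll~RF*.TMP leftovers, which are the renamed originals. It assumes the random suffix is hexadecimal, as in the two filenames seen in this thread, and it builds a constructed sample tree from placeholder bytes rather than real DLLs.

```python
import hashlib
import os
import re
import tempfile

# Filename pattern of the renamed original described in the thread:
# uxtheme.dll~RF<random>.TMP. Assumption: the random part is hex (RF1ede9, RFe765bb).
RENAMED_ORIGINAL = re.compile(r"^uxtheme\.dll~RF[0-9A-Fa-f]+\.TMP$", re.IGNORECASE)


def md5_of(path):
    """Hex MD5 of a file, read in chunks (the same kind of digest OTL reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_uxtheme(system32, dllcache=None):
    """Compare the live uxtheme.dll with the dllcache copy and list any
    uxtheme.dll~RF*.TMP leftovers so the operator can see which copy is clean."""
    dllcache = dllcache or os.path.join(system32, "dllcache")
    live = os.path.join(system32, "uxtheme.dll")
    cached = os.path.join(dllcache, "uxtheme.dll")
    report = {"live_md5": None, "cache_md5": None, "matches_cache": None, "renamed_originals": []}
    if os.path.isfile(live):
        report["live_md5"] = md5_of(live)
    if os.path.isfile(cached):
        report["cache_md5"] = md5_of(cached)
    if report["live_md5"] and report["cache_md5"]:
        report["matches_cache"] = report["live_md5"] == report["cache_md5"]
    for name in sorted(os.listdir(system32)):
        if RENAMED_ORIGINAL.match(name):
            report["renamed_originals"].append((name, md5_of(os.path.join(system32, name))))
    return report


def run_demo():
    """Constructed sample tree (placeholder bytes, not real DLLs): a tampered live
    file, a clean dllcache copy and the renamed original, mirroring the thread."""
    s32 = os.path.join(tempfile.mkdtemp(), "system32")
    os.makedirs(os.path.join(s32, "dllcache"))
    clean = b"CLEAN-UXTHEME-SAMPLE"
    with open(os.path.join(s32, "uxtheme.dll"), "wb") as f:
        f.write(b"TAMPERED-UXTHEME-SAMPLE")  # the malicious replacement
    with open(os.path.join(s32, "dllcache", "uxtheme.dll"), "wb") as f:
        f.write(clean)  # Windows File Protection cache copy
    with open(os.path.join(s32, "uxtheme.dll~RF1ede9.TMP"), "wb") as f:
        f.write(clean)  # the renamed legitimate file
    return check_uxtheme(s32)
```

A live copy whose MD5 differs from the dllcache copy, together with a ~RF*.TMP file whose MD5 equals the cache copy, is exactly the state the thread describes; on a real machine point check_uxtheme at C:\windows\system32.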

Hi Mieke

Spot on, and many thanks. :P The refresh did the trick and a new uxtheme.dll got created from cache. Yes, as you said, my original uxtheme.dll was renamed by the trojan as uxtheme.dll~RFe765bb.TMP. After reboot all came up fine and the desktop is now available.

I have updated my malwarebytes to the latest version and did a quick scan, but surprisingly it came out clean, which is worrying. It should have at least found the uxtheme.dll as infected. If you check my uxtheme_virustotal.htm file (inside the zip file) in my initial message, it has the output of virustotal, and there are three different vendors who could track the infection. All the rest got it clean. So it looks like an extremely stealthy trojan.

Here's the MBAM log output of the latest quick scan. Do I need to do a Full scan for it to trap the uxtheme.bad file?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/06/2010 19:05:54
mbam-log-2010-06-24 (19-05-54).txt

Scan type: Quick scan
Objects scanned: 175587
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Many Thanks

baner n


Thank you very much for your help.

No more issues as of now. :P

Just one more question: do you think this Trojan could have caused any permanent backdoor on my system which could be exploited by others?

I really do not want an OS reinstall/format HD, but just wanted to be sure this was a low-level trojan.

Many Thanks & Regards

baner n


  • Staff
"do you think this Trojan could have caused any permanent backdoor on my system which could be exploited by others"
No, you should be OK here :P

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
