When I run Malwarebytes, it finds an infection in 'themed32.dll'.

If I follow the instructions and 'remove selected' - themed32.dll, my computer collapses - it won't restart, I get multiple errors around 'this application failed to start because themed32.dll is missing' and I can't get the desktop or access task manager or the command prompt.

I have learnt that I can do a successful system restore if I boot from my Vista CD and that puts the computer back to how it was before I ran Malwarebytes.

However, the themed32 infection is still there.

I use the PC for a few hours and then suddenly Windows Explorer stops working, followed by loads of other applications, and then it shuts down. I do a boot from the CD, a system restore and start again. I have to system restore about twice a day.

Is there a way to get an un-infected version of themed32.dll off my installation CD and replace the bad one?

I don't want to run any more anti-virus stuff until an expert tells me to, in case I make this situation even worse.

Please respond in very basic terms if possible, I have read other very complicated solutions around this issue on the forums and I can't seem to follow them.

Thank you!

Link to post
Share on other sites

I have tried to follow the forum instructions for posting a log - but I've made the problem much worse. After scanning with Malwarebytes and Avira, I now have lost my system restore capabilities booting from the Vista CD so I cannot access my desktop/ task manager at all. I never got as far as being able to do a Hijack this log.

From the Vista CD, none of the repair/restore options seem available. Themed32.dll is still the issue preventing startup.

Is there a way to re-install vista and not delete all my files?

Please help if you can

What should I do?

Thanks

Link to post
Share on other sites

I have just experienced the same thing...

I am in the middle of solving this.... and it occurred to me on how to do it...

It should avoid the need to do full Windows installs, etc.

First, I connected to the hard drive directly with a (borrowed) USB HDD drive reader...

Then I went to the directory on the HDD where Malwarebytes kept the .log file...

<root>Documents and Settings/ <I put a copy of mbam-log-2010-07-27 (13-45-17) in Desktop>

It is probably in another place Malwarebytes put it.. a subfolder in Documents. Just search.

or maybe info below off my file is enough for you...?

The info there makes all the difference... Example here is the results:

But key info is what I can google for 2 files that I guess are false positives. (or just need replacing)

======================

C:\WINDOWS\system32\uxtheme.dll (Patched.UxTheme) -> Delete on reboot.

C:\WINDOWS\system32\themed32.dll (Spyware.OnlineGames) -> Delete on reboot.

And now I am googling to download the 2 filenames and Windows SP3 on softpedia to get them.

And the log tells me where they need to be put back..

Fingers crossed, but the MBAM log, I believe saves me here.

Here goes nuttin'

Here is full log results FYI

=================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4356

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18372

7/27/2010 1:45:17 PM

mbam-log-2010-07-27 (13-45-17).txt

Scan type: Quick scan

Objects scanned: 173656

Time elapsed: 31 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 14

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\themed32.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Program Files\P2P_Torrent\tbP2P0.dll (Adware.Shopper) -> Delete on reboot.

C:\WINDOWS\system32\uxtheme.dll (Patched.UxTheme) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{69803a66-198d-4cd1-bca4-b875c3dbbc6c} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69803a66-198d-4cd1-bca4-b875c3dbbc6c} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a072ec12-a40b-41dd-9a1a-cdb848b70f3c} (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{debeb52f-cfa6-4647-971f-3edb75b63afa} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004b642 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{bc4be15d-6a34-4356-9e97-79e43da32b1d} (Adware.Shopper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\themed32.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Program Files\P2P_Torrent\tbP2P0.dll (Adware.Shopper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uxtheme.dll (Patched.UxTheme) -> Delete on reboot.

C:\WINDOWS\Temp\0.7771088515552823.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Link to post
Share on other sites

My latest status on finding the 2 files:

(good) C:\WINDOWS\system32\uxtheme.dll Multiple copies elsewhere on PC, and it matches the version that I saw as download on Softpedia.

Just to be sure, I have on another Windows install, with same version (Windows 5.1.2600 Service Pack 3). So that is back in place.

(bad?) C:\WINDOWS\system32\uxtheme.dll Maybe it is not a false positive. Which I cannot find anywhere easily. and can't find on system recovery CD, etc.

So I will just put HDD back and try it... Plug in PC and see.

So that is that.. till later... Acid test.

Link to post
Share on other sites

I have the themed32.dll malware

lsass.exe unable to locate component UxTheme.dll not found

Click on OK allows me to login

userinit.exe unable to locate component UxTheme.dll not found

Click on OK

Exploror.exe unable to locate component UxTheme.dll not found

Click on OK

CTRL/ALT/DEL - to get to task menu

taskmgr.exe unable to locate component UxTheme.dll not found

Click OK

File click on New Task

I can boot in normal mode, login, get the task menu and command line to do anything. Networking is available.

I can download, but I am unable to install and get downloads to run.

Step by step, how do I remove themed32.dll, and is that all that I need to remove? I was a little confused on this posting.

Do I remove themed32.dll and UxTheme.dll or just themed32.dll

Pls advise how to do this

Link to post
Share on other sites

  • Staff

Hi,

You basically have to remove both. Themed32.dll is malware.

The uxtheme.dll is a legit Windows file, however, this one was replaced with an infected copy, so you need to delete the uxtheme.dll and replace it with a good copy.

Let malwarebytes delete the Themed32.dll.

After reboot, it will be possible that you'll get errors for almost everything. Don't worry about that as this is normal, because the infected uxtheme.dll is causing these errors since it looks for themed32.dll which you already deleted.

Just click the errors away and follow the following steps:

To solve this easily, open Task Manager (CTRL-ALT-DEL), click the error messages away.

Then go to File in the menu > new task > browse button.

When the browse window opens (explorer), select "All files" for Files of type:

Then, browse to your C:\windows\system32 folder and find uxtheme.dll in there. Rename that file to uxtheme.bad

Normally, Windows should already restore it with a new clean uxtheme.dll (from dllcache) automatically there. You can verify this if you right-click inside the system32 folder and select refresh. A new uxtheme.dll should be created there (a good one).

If not, navigate to your C:\windows\system32\dllcache folder and COPY the one from there back to your system32 folder.

Or, another option is, this infection, before it has replaced the uxtheme.dll with a malicious version, it has first renamed the legitimate uxtheme.dll to uxtheme.dll~RF1ede9.TMP (last part may be random)

So the uxtheme.dll~RF1ede9.TMP (last part may be random) is also still present in the system32 folder. That's the good uxtheme.dll as well. So you can also rename that one back to uxtheme.dll.

Anyway, your choice which one to use to restore :lol:

Then reboot and all should be fixed again...

Link to post
Share on other sites
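An added example, not part of the original thread and not Malwarebytes' own tooling: a small parser for the MBAM 1.46 log format quoted earlier in this thread that separates files which are simply malware from Windows files flagged as patched, which per the staff reply above need a clean copy restored. The sample lines are constructed from the quoted log; treating a `Patched.` detection prefix as "modified system file" is an assumption of this example.

```python
import re

# Constructed sample in the format of the log quoted in this thread.
SAMPLE_LOG = r"""
Memory Modules Infected: 3
Memory Modules Infected:
C:\WINDOWS\system32\themed32.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\uxtheme.dll (Patched.UxTheme) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\themed32.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\uxtheme.dll (Patched.UxTheme) -> Delete on reboot.
C:\WINDOWS\Temp\0.7771088515552823.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "<section> Infected:" opens a section; the summary lines carry a count after the colon.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<detection>) -> <action>."
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_log(text):
    """Return one dict per detection line, tagged with its section."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Map each flagged file (lower-cased path) to the follow-up it needs."""
    plan = {}
    for e in entries:
        if e["item"].upper().startswith("HKEY_"):
            continue  # registry entries are not files on disk
        if e["detection"].startswith("Patched."):  # assumption: modified system file
            plan[e["item"].lower()] = "system file: restore clean copy"
        elif e["action"] == "Delete on reboot":
            plan[e["item"].lower()] = "pending delete"
        else:
            plan[e["item"].lower()] = "removed"
    return plan
```

Running `triage(parse_log(...))` on a log before rebooting shows in advance which deletions will leave a Windows file missing.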

:) I don't know how somehow I had already removed the themed32.dll

In my case it was the latter ....the legitimate version of uxtheme.dll had been renamed

I followed your instructions ....problem resolved THANK YOU! B)

By any chance would you know how to fix a broken Windows Installer??

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
