Messages after rebooting

icart89

I was on the usual sites I browse through, when I got a virus alert pop up
from my McAfee VirusScan enterprise. I forgot the names, but 2 things were
found and deleted. I then decided to run a custom scan with superantispyware
(free edition) which found 46 items. I then had to reboot to get rid of those
items. Once my computer restarted I got 2 error messages, each titled RUNDLL.

Not knowing I did a custom scan, I immediately did a complete scan. That
time it found 12 items and my computer needed to reboot again to remove those
items. After restarting my computer again, I got 3 messages this time. I was
able to capture them with print screen:

http://img.photobucket.com/albums/v607/xqueenofdiamondsx/RUNDLLmessages.jpg

Can someone tell me what's going on? What was the cause? How can I fix it? Do I
have to send it to a repair shop?

Other info: my computer is Windows XP, my hard drive is less than a year
old, and I've received no random pop ups when online.

Thanks for your attention,
Traci
 
Patrick Keenan

icart89 said:
I was on the usual sites I browse through, when I got a virus alert pop up
from my McAfee VirusScan enterprise. I forgot the names, but 2 things were
found and deleted. I then decided to run a custom scan with superantispyware
(free edition) which found 46 items. I then had to reboot to get rid of those
items. Once my computer restarted I got 2 error messages, each titled RUNDLL.

Not knowing I did a custom scan, I immediately did a complete scan. That
time it found 12 items and my computer needed to reboot again to remove those
items. After restarting my computer again, I got 3 messages this time. I was
able to capture them with print screen:

http://img.photobucket.com/albums/v607/xqueenofdiamondsx/RUNDLLmessages.jpg

Can someone tell me what's going on? What was the cause? How can I fix it? Do I
have to send it to a repair shop?

Other info: my computer is Windows XP, my hard drive is less than a year
old, and I've received no random pop ups when online.

Thanks for your attention,
Traci

Those messages mean that your system was infected. It's possible that it
still is.

Specifically, those messages are a good thing; they mean that there are
registry or startup references to those files *or a launcher*, and the files
have been removed but the references have not. You need to manually remove
the references; MSCONFIG will show you where they are.

If successive scans keep finding problems, then your system is still
infected, and you may need to use other tools to find and remove the
launcher. HijackThis is an excellent tool, but it requires an amount of
knowledge to use.

You can start by clearing the Temp and Temporary Internet Files folders;
much malware enters through those locations. The built-in XP tools often
leave stuff behind, but the freeware tool ccleaner (www.ccleaner.com) does
the job quickly and thoroughly. Look for the "other builds" link and take
the "slim" version, which doesn't have the Yahoo toolbar.

Note that ccleaner can remove cookies and files that will cause you to have
to re-enter things like banking site passwords, but if your system is
infected and you are storing those, you should change them promptly from an
uninfected system.

HTH
-pk
 
icart89

Patrick Keenan said:
Those messages mean that your system was infected. It's possible that it
still is.

Specifically, those messages are a good thing; they mean that there are
registry or startup references to those files *or a launcher*, and the files
have been removed but the references have not. You need to manually remove
the references; MSCONFIG will show you where they are.

If successive scans keep finding problems, then your system is still
infected, and you may need to use other tools to find and remove the
launcher. HijackThis is an excellent tool, but it requires an amount of
knowledge to use.

You can start by clearing the Temp and Temporary Internet Files folders;
much malware enters through those locations. The built-in XP tools often
leave stuff behind, but the freeware tool ccleaner (www.ccleaner.com) does
the job quickly and thoroughly. Look for the "other builds" link and take
the "slim" version, which doesn't have the Yahoo toolbar.

Note that ccleaner can remove cookies and files that will cause you to have
to re-enter things like banking site passwords, but if your system is
infected and you are storing those, you should change them promptly from an
uninfected system.

HTH
-pk


Thanks for the quick reply. I installed the ccleaner but I don't know what
to do next. Do I click on 'Analyze' or 'Run Cleaner'? What happens after that?
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection.

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan!

2. WinXP ONLY!! => Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
=====================
Start a free Windows Update support incident request:
https://support.microsoft.com/oas/default.aspx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no charge for support calls that are associated with
security updates.
 
icart89

I'm a little confused about step 2. I know what safe mode is, but what is
"with Networking"? How much would it cost to take it to a local computer
repair shop? Can ccleaner help in any way?
 
Patrick Keenan

icart89 said:
Thanks for the quick reply. I installed the ccleaner but I don't know what
to do next. Do I click on 'Analyze' or 'Run Cleaner'? What happens after that?

Analyze shows you what it finds. Run removes what it found. If your
system was infected, I would suggest that you let it remove everything it
finds, the first time.

HTH
-pk
 
Patrick Keenan

icart89 said:
I'm a little confused about step 2. I know what safe mode is, but what is
"with Networking"?

There are two versions of Safe Mode. One doesn't support networking - so
you can't run a browser - and the other does.

icart89 said:
How much would it cost to take it to a local computer
repair shop?

Hard to say, depends on the shop. You may not need to do this. If you
feel you need to, back up your data first.

icart89 said:
Can ccleaner help in any way?

Yes, it can, by removing infected files. Most malware enters systems via
the folders that ccleaner empties.

For example, you'll sometimes see in MSCONFIG or in error messages,
references to programs or files located in the temp or temporary internet
folders. This is a strong sign of infection.

HTH
-pk
 
icart89

Patrick Keenan said:
Analyze shows you what it finds. Run removes what it found. If your
system was infected, I would suggest that you let it remove everything it
finds, the first time.

HTH
-pk

Patrick, I analyzed and removed what was found. What do I do next? And how
do I manually remove references with MSCONFIG?
 
icart89

Patrick that's very good to hear!!! The thing is, my hard drive isn't even a
year old yet, and my sister had to pay over $200 for it, since the previous
one failed. So I'm glad to hear that it's not absolutely necessary for it to
be taken to a shop.
 
icart89

Just wanted to let you know that I did a system restore to the 24th of April
at 12:49:41 PM and those messages did not show up! Is my computer still
infected?
 
Elmo

icart89 said:
I was on the usual sites I browse through, when I got a virus alert pop up
from my McAfee VirusScan enterprise. I forgot the names, but 2 things were
found and deleted. I then decided to run a custom scan with superantispyware
(free edition) which found 46 items. I then had to reboot to get rid of those
items. Once my computer restarted I got 2 error messages, each titled RUNDLL.

Not knowing I did a custom scan, I immediately did a complete scan. That
time it found 12 items and my computer needed to reboot again to remove those
items. After restarting my computer again, I got 3 messages this time. I was
able to capture them with print screen:

http://img.photobucket.com/albums/v607/xqueenofdiamondsx/RUNDLLmessages.jpg

Can someone tell me what's going on? What was the cause? How can I fix it? Do I
have to send it to a repair shop?

Other info: my computer is Windows XP, my hard drive is less than a year
old, and I've received no random pop ups when online.

Thanks for your attention,
Traci

The reference to the malware was not removed from the registry.

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.
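
The replies above describe startup references that outlive the files they point to, and entries that launch from the temp folders. As an added example (not code from any poster in this thread), the following Python sketch audits a Run key exported with REGEDIT's File, Export and lists the values that match either sign. The sample export, the value names and paths in it, and the `exists` parameter are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a Run key exported with REGEDIT (File > Export).
# Names and paths are made up. Real exports are UTF-16: open(..., encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /start"
"a1b2c3"="rundll32.exe \"C:\\WINDOWS\\system32\\examplebad.dll\",b"
"updchk"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\updchk.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes: \\ -> \ and \" -> "

def first_arg(cmd):
    """Split a command line into (first argument, remainder), honouring quotes."""
    cmd = cmd.strip()
    quoted = cmd.startswith('"')
    head, _, rest = cmd[1:].partition('"') if quoted else cmd.partition(" ")
    return head, rest

def launch_target(cmd):
    """Return the file a startup command loads; for rundll32, the DLL it is given."""
    exe, rest = first_arg(cmd)
    if PureWindowsPath(exe).name.lower() in ("rundll32", "rundll32.exe"):
        return first_arg(rest)[0].split(",")[0]
    return exe

def audit(reg_text, exists):
    """List (value name, target, reasons); `exists` is a callable like os.path.exists."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue                     # headers, key names, non-string values
        name, target = unescape(m.group(1)), launch_target(unescape(m.group(2)))
        reasons = []
        if not exists(target):
            reasons.append("target file missing")
        if any(t in target.lower() for t in TEMP_MARKERS):
            reasons.append("runs from a temp folder")
        if reasons:
            findings.append((name, target, reasons))
    return findings
```

An unquoted path containing spaces is cut at the first space and will be reported as missing, so treat each finding as a value to review against the export, not as a deletion list.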
 
PA Bear [MS MVP]

Most likely, yes.

icart89 said:
Just wanted to let you know that I did a system restore to the 24th of April
at 12:49:41 PM and those messages did not show up! Is my computer still
infected?
 
icart89

Elmo, what file name am I supposed to type in the search pane? And how do I
know which reference to delete? (Sorry, I don't want to mess anything up.)
 
icart89

So what should I do? I'm scanning right now with Malwarebytes and
superantispyware. I'm going to remove what it finds. Will my computer still
be infected?
 
