Sidney said:
We have a network of 200+ users and almost 80% of users get this error
when they logon. I have checked the startup programs and can't find any
ref to any program that tries to register the dll below.
LoadLibrary("c\windows\system32\addressuk.dll")failed- The specified
module could not be found
Anyone with any ideas!
Thanks
That sounds like a viral adware installed on the server and on the users'
computers, like the GoGOTool. As Ramesh mentioned, try downloading the Autorun to
monitor the causing party or culprit and try troubleshooting from there.
Besides this, you should make all users do a scan on their computers for
viruses and malware.
Things to look at:
Open the Windows Explorer and delete the suspicious entries and Temporary
Internet Files:
[-] Documents and Settings
[+]All Users
[-] Nass
[&]Cookies
[&]Desktop
[+]*Favorites
[+]My Docs
[-]Start Menu
[+]Programs
[-]UserData
[&]JHDFKLL <= Delete all suspicious entries referring to the culprit
[&]KLGDfhb.yt <= // //
[&]ZLQPUPP.txt <= Delete this
[+] Programs Files
[-]Windows
[+]Cookies
[+]History
[+] ~~~
[+]System32 you can open the *Hosts* file to check it is clean of bad
entries.
[-]TEMP
[-] Temporary Internet Files
[&]Content IE5
[&]HFDKG.tmp <= Delete this
[&]KJFDD.tmp <= Delete this and all Files/Folders under (ContentIE5
sub-Folder)
Also check this path for an executable program with .exe
"C:\Windows\Address.exe" you can search for the name on the search engine.
--------------------------
Open the Registry Editor by opening a Run command and typing:
regedit.exe click [OK]
Open this key and see the command set to execute by the malware/virus on
the machine or server:
[-]HKEY_CLASSES_Root\batfile\Shell\Open\Command =
[ab]("Default") "%filename here% "%1% "%"
[-]HKEY_CLASSES_Root\Comfile\Shell\Open\Command =
[ab]("Default") "%filename here% "%1% "%"
[-]HKEY_CLASSES_Root\exefile\Shell\Open\Command =
[ab]("Default") "%filename here% "%1% "%"
[-]HKEY_CLASSES_Root\regfile\Shell\Open\Command =
[ab]("Default") "%filename here% showerror
[-]HKEY_CLASSES_Root\piffile\Shell\Open\Command =
[ab]("Default") "%filename here% "%1% "%"
[-]HKEY_CLasses_Root\Scrfile\Shell\Open\Command =
[ab]("Default") "%filename here% "%1% " /G
See the running service by going to this key:
[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run =
Look for the running service there in the right pane/window
[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce = the
same
In the Registry Editor, locate these keys and edit/remove the bad entries made by
the malware/virus:
[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolder=
[ab]Startup look for the startup entry in the right pane/window
Check this key for accounts that have been set for the network:
[-]HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts =
See the accounts there and which is the fake one, and delete it.
Open this key; the malware/virus may have created a rule to not allow editing the
Registry:
[-]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System=
"Disable Registry Tool" Change this if it has been set like this.
See this key for a strange-looking string entry:
[-]HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer=
%Random name/string here%
On the server locate this Key and see the entries there:
[-]HKEY_CURRENT_USER\Software\Kazza\Local Content =
"Funny name here" 012345:C\windows\Temp entry like that or different.
Again, are you implementing a security policy for the users to not be able to
install or uninstall fancy nancy toolbars, search map, etc.?
HTH.
Please let us know,
Regs,
nass
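
Added example, not part of the original posts: a Python script that does the registry review described in the reply offline, by parsing the decoded text of a `.reg` export and flagging changed `open` handlers, autorun entries and a set `DisableRegistryTools` policy. The stock handler value `"%1" %*`, the function names, the `AddrUK` value name and the sample export are assumptions constructed for illustration.

```python
import re

# Assumed stock "open" handler for these classes: Windows runs the clicked file itself.
STOCK_OPEN = '"%1" %*'
HANDLER_CLASSES = ("batfile", "comfile", "exefile", "piffile")
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
POLICY_SUFFIX = "\\currentversion\\policies\\system"
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')
ESC = re.compile(r"\\(.)")  # .reg string escapes: \\ -> \ and \" -> "

def parse_reg(text):
    """Parse decoded .reg export text into {lowercased key: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            name = name if name == "@" else ESC.sub(r"\1", name[1:-1])
            current[name] = ESC.sub(r"\1", data[1:-1]) if data.startswith('"') else data
    return keys

def audit(keys):
    """Return (kind, name, data) findings for the registry locations the reply lists."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if len(parts) >= 4 and parts[-3:] == ["shell", "open", "command"] and parts[-4] in HANDLER_CLASSES:
            if values.get("@", "").strip().lower() != STOCK_OPEN:
                findings.append(("hijacked-handler", parts[-4], values.get("@", "")))
        elif key.endswith(RUN_SUFFIXES):  # every autorun entry is listed for review
            findings += [("autorun", n, d) for n, d in values.items()]
        elif key.endswith(POLICY_SUFFIX):
            findings += [("regedit-disabled", n, d) for n, d in values.items()
                         if n.lower() == "disableregistrytools" and d != "dword:00000000"]
    return findings

# Constructed sample export, not data from the thread.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="address.exe \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AddrUK"="regsvr32 /s C:\\windows\\system32\\addressuk.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    print(*audit(parse_reg(SAMPLE)), sep="\n")
```

Exports written by `reg export` are UTF-16 on disk, so decode the file before passing its text to `parse_reg`.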