Probably questions for Mucks!

[gabriella]

Dear all

HELP!!

First question:

When starting computer the following message comes up twice in quick succession:

RUNDLL

Error loading

C:\WINDOWS\system32\MSA64CHK.dll

The specified module could not be found

I have found the above in the start up registry and have disabled it so that stops it running on start up now.

Question is: what is it and how do I get rid of it permanently?

Second question:

Webroot Spy Sweeper: how do you get it to run on multiple Windows XP accounts. As far as I can tell, it is just on my account.

Please keep it simple for me!!

Kind regards

Gabriella x

 

[Me__2001]

ok googled the MSA64CHK.dll and it most common result is that it is spyware, the symantec site says it is a dialer the link below shows the removal process

http://securityresponse.symantec.com/avcenter/venc/data/dialer.mostrar.htm

 

[Ian]

Webroot Spy Sweeper: how do you get it to run on multiple Windows XP accounts. As far as I can tell, it is just on my account.

When you installed it there may have been an option to install under your user account, or all user accounts. Most new applications have this option.

If it doesn't appear on the start menu for each person, the easiest way would be to simply create a new shortcut on each persons desktop to the application. They can then run it from other accounts

 

[muckshifter]

This site has removal instructions you should be able to follow.

Spy Sweeper removed the nasty MSA64CHK.dll for you, however, it did not remove the parts in the registry that call the DLL file. You will have to do it yourself.

Have you run MS Anti-Spyware?

 

[gabriella]

Dear Mucks

You are quite right about Webroot removing the nasty and the registry entry remaining, I have 'uncliked' it for now in the registry so that it doesn't run on start up. The problem is I don't know how to get rid of the registry entry for now and to be honest I am slightly baffled as to what anti spyware to run. Please may I crave your help in the following:

1 Is the Webroot enough and would you recommend buying?
2 What else do I need?
3 How do I get rid of the registry entry for good?

At the moment I have NAV and the Webroot. I had Hijack, Spybot Search and Destroy and Adaware but I have deleted the former threee as Webroot said it wouldn't run with them.

I am really sorry to bother you in this amount of detail, but this really isn't my forte. I was prompted to pose the thread question as I had read your very useful article and decided to go for the Webroot as the PC has been mightily playing up of late. My instinct is to blame MSN which may or may not be correct. My older 2 children are MSN kings and queens and are always sharing files and the like with their mates.

I need something competent and fairly simple to keep the PC in good working order as the family look to me to sort out whatever problems there are! I am quite happy to purchase whatever is needed but to the untrained eye the selection and choice out there is fairly baffling!!

Thank you for reading, your help and the very useful article.

Kind regards

Gabriella x

 

[muckshifter]

I’m afraid no Anti-Spyware I know of will rid it from your registry for you … The little nasty was installed legitimately by you, or a member of your family … and although Spy Sweeper fond the DLL file to be a known nasty does not have the power to un-install the rest of it.

The link above I gave you has specific instructions on how to remove this dialler from the registry … if you feel this is beyond you capabilities then you will need to seek out someone who can do it for you.

One complication … this particular Dialler compromises the Windows code-signing system so that its manufacturers are considered “Trusted publishers” and can install further software from any web page even after MatrixDialer is removed. So it is essential to make use of any software at your disposal to keep an eye out for any other potential threats.

Another reason to install Microsoft’s own Anti-Spyware program … as long as you are using IE 6 it doesn’t matter about the operating system, although XP has better defences then other OSs

There is one program that can help, but you will also need the help of their ‘experts’ to interpret its ‘log file’ … the program is HiJackThis … With their expert advice they can also ‘see’ and rid you of any other potential nasties. They are located at http://www.spywareinfo.com/

The ‘article’ I wrote is intended to make people aware of the potential dangers that lurk out there and, in my opinion, how best to defend themselves against them. As you are now aware, and I’m trying my best to be as polite as possible here, nothing will protect you 100% if one goes off and willy-nilly downloads any old software.

Unfortunately you’re not alone, I see many others, on other sites I visit, doing the same thing and then wonder why?

Don’t hesitate in asking as many questions as you wish, I’ll try and answer as best as my knowledge will allow.

Mucks

 

[ChristopherP]

thats a plus of broadband - you can't be hit by nasty premium rate diallers...

 

[muckshifter]

thats a plus of broadband - you can't be hit by nasty premium rate diallers...

You can ... and hard.

One complication … this particular Dialler compromises the Windows code-signing system so that its manufacturers are considered “Trusted publishers” and can install further software from any web page even after it is removed.

 

[ChrisIMRIE]

Well,

They can be installed but they cant dial out of an adsl modem.

Broadband has its weaknesses aswell...

Chris,

 

[floppybootstomp]

OK, I'm confused now. As I understand things, diallers can only dial up premium rate lines using a telephone line.

Therefore, if one is using broadband, a dialler can't dial - can it?

I suppose it may come down to how one defines 'dialler' really.

Somebody care to enlighten this foo?

My daughter managed to download a worm this evening, just lucky when I checked that AntiVir identified it and gave me the option to delete the infected file. Also lucky she hadn't opened the file.

Mucks, you wonder why people can be so foolish as to download this rubbish, just try and imagine being aged 10 to 20 again, and being as thick as a brick. There's your answer.

 

[muckshifter]

Hmmm, how big do I make this ...

can install further software from any web page even after it is removed.

Yes, you are correct; diallers have a hard time 'dialling' out on broadband.

The point I am trying to make is pretty obvious, will I thought it was obvious, is this particular nasty can install other nasties.

Mucks, you wonder why people can be so foolish as to download this rubbish, just try and imagine being aged 10 to 20 again, and being as thick as a brick. There's your answer.

Well, I know people are not as thick as a brick, just lacking in some knowledge. I'm just trying to educate as best I can the trials and tribulations of connecting to the Internet.

I was not my intention to mock anybody ... what would have been the outcome to your daughter's PC if you had not been aware that some AV programs will/do not detect a Trojan/Worm/Malware?

If I can bring one 'viewer' to appreciate how important it is to NOT rely on one program to assist in protecting their PC and at the same time provide added information as to what is also needed then I'll be quite happy.

You and I both know that, for every ‘member’ that reads this thread there will be, hopefully, ten potential ‘lurkers’ also reading this tread … another ten people better armed better informed as to how best cope and eliminate further attacks.

 

[floppybootstomp]

Fair enough Mucks, a fair few points you've made there

I would just like to point out that I don't consider people of a certain age group to be deficient in the brains department, if my text came across that way.

And yes, you're right, it's probably not stupidity, but ignorance.

Having said that, how do many manage to do the same thing over and over again?

The worm I caught was named Bropia.F btw.

 

[gabriella]

Dear all

Here I sit and have done so for many hours tonight trying to get rid of this beast. I have followed all your helpful instructions to the letter and am no closer to sorting this one I fear.

What I have is this:

2 registry entries reminaing ref: msa64chk.dll and yet when I go into the regedit/msconfig etc... I cannot find the references that Muck's helpful articles point to. The registry entries are disabled for now which has obviously stopped the problem on start up.

This may all sound very basic and even stupid to people who wok on computers for a living or are really clued up but it's beyond me. Please bear with me! I would gladly trade knowledge on my area of skill!!

Please could anyone tell me very simply :

1 How to get rid of the registry entries
2 Is it enough to remove the entries OR are there other bits lurking elsewhere? What might they be, how do I find and destroy them?

I do agree that young people may not be aware of what they are sharing with friends/signing up for. My kids are always downloading stuff etc... and sharing files. I agree, they cannot see the dangers always not because they don't have the intelligence but because they don't have the knowledge and expereince. They see themselves sat at home doing whatever and don't see the vulnerabilities.

My real worry with this dialer is that it has known links to pornographic sites and I really do want to sort it asap.

Failing that, is there any kind soul that would talk me through removal 1:1 on the phone?

If the latter is an option for any willing soul who 'knows' me through this site, please send me a PM.

Many thanks and off to bed now!

Gabrielle x

 

[floppybootstomp]

Gabriella, try this programme, it's a freebie named regcleaner, small download.

Jv16 Reg Cleaner

Using this program, you may be able to see and delete the offending files more easily.

Be very careful as to what you delete, deletions are irreversible and deleting an entry in error could give you problems.

If you can't get rid of the bad entries, try using the program in safe mode.

There's also a link to another similar program that Quads listed some time ago, but not quite sure whereabouts it is on the Forum.

 

[muckshifter]

I'll still be interested to see if you have used Microsoft Anti-Spyware I mentioned in a previous post.

Another "registry cleaner", I find quite safe, is http://personal.inet.fi/business/toniarts/ecleane.htmEasyCleaner, it may help.



As the rogue file msa64chk.dll has been deleted by Spy Sweeper the 'threat' to your system has diminished. However, we still need to get rid of the other 'hooks' that seems to be persisting.

If you still would like a 'one-to-one' then PM me with your contact details and any specific time you would like.

 

[muckshifter]

I have been doing a little more research ...

The file infecting AdWare saga continues
Roel February 10, 2005 | 15:28 MSK

comment
We are currently seeing an increase in cases which involve file infecting AdWare.

These new viruses are more sophisticated than the one we previously reported and append malicious code to Windows' explorer.exe. The viruses belong to the Virus.Win32.Bube family.

For example, Virus.Win32.Bube.d downloads AdWare and Trojans, including: AdWare.ISearch.d, Trojan-Clicker.Win32.Agent.bn, Trojan.Win32.LowZones.ai and PornWare.Dialer.Salc.

Disinfection in this case is tricky, as explorer.exe is an important Windows process. Additionally, the malware tries to prevent removal by disabling system restore, infecting the explorer.exe residing in %sysdir%\dllcache and lowering overall system security.

Things can get extra complicated as an AV can block access to the infected explorer.exe.

More details here

Trial version of Kaspersky Anti-Virus Personal 5.0

Give it a shot, but pay attention as to how to disable/turn off your current AV program in the first link.

 

[gabriella]

Dear Mucks

I have installed and run MS Anti Spyware as you suggested and I have installed Regcleaner. So, I now have both of these plus NAV and the Webroot Spysweeper. MS Antispyware picked up some stuff that Webroot hadn't. Mysteriously the registry entries that relate to the dialler seem to have gone although I can't say how and when or if they have really gone.

So, my latest questions are:

1 Do you think that there will be anything lurking around that I need to zap?

2 Would you recommend MS Antispyware and the Webroot as permanent installations on my system?

Depending on your answers to the above and whether any action I need to take is out of my league, I may want to take you up on your kind offer of 1:1.

Kind regards and many thanks

Gabriella x

 

[muckshifter]

Dear Gabriella,

I cannot stress to highly the importance of using MS Anti-Spyware ... it has consistently proved to be the best at its job. However, it does tend to ignore 'tracking cookies' and most of us agree that we would rather these cookies be deleted as well. This is the reason I like Spy Sweeper to run in conjunction.

Here is what I recommend ...
Microsoft Anti-Spyware, running all the time.
Spy Sweeper, I don't have it run "on Windows Start-up", I have that turned off (it's not a clever as MSs A-S) and only run SS Monday/Wednesday/Friday although I will run it at other times, just to be sure ... you can run it whenever you like though.

and I use Norton AV

I still use Ad-Aware, 'cos I paid for it. However, they are in my 'bad black book' because they seem to have sold out to Malware and dropped the recognition to WhenU ... I won't drop it just yet as my 'paid for copy' has "Ad-Watch". But I really have lost favour with it.

Whenever I uninstall anything I use EasyCleaner ... I have never found it cause any problem to what I delete from the registry ... the other tools are also very useful.

I also use SpywareBlaster ... it is a simple, but powerful, program and no system should be without it. There is just one more, sad isn't it, and that is IE-Spyad ... another simple program you use once and forget it.

As to whether your ‘problem’ has been solved, I don’t know. Using the above programs will better help protect your system, but be aware, if YOU install a program that has spyware embedded within it, you are, in effect, allowing that program to do what it will. Only after it has run will any of your ‘protection’ hopefully leap into action.

Before running any "new must have" anything, check here with us or ask Google.

 

[gabriella]

Dear Mucks

Thank you for your patience and helpful advice. I will keep an eye on things and let you/the forum know of any further problems.

Again, many thanks for your time and trouble.

Kind regards

Gabriella x

 

[gabriella]

Dear all

Now Feb 22 and (fingers crossed), things seem to be sorted. The weird happenings have stopped, the dialler has gone (I think). I am running MS Anti Spy and Webroot every day now and so far, so good!

Bye for now

Gabriella x