
7 Each Regsvr32 Windows On Desktop At Startup


8 replies to this topic

#1 FlyerEd


Posted 24 February 2008 - 06:16 PM

Attached File: RegSvr32__.dll.doc (223KB)

I recently was infected with Zlob or Zlock which SpyBot identified and removed. I have a Dell with Windows XP. The next time I booted up I had seven (7) approx. 1-1/2" x 6-1/2" windows on my desktop which were identical except for a 7 or 8 letter portion of the file names. I found I could go back to SpyBot and recover one of them and then it would not appear on my desktop, but that was putting an infection back on my computer. I can temporarily remove these windows by clicking on the "OK" box, but they're back the next time I start the computer. I'm going to attempt to enclose them as an attachment. If that's not successful, I'll come back and give all the information on one plus the other 6 different 7 or 8 letter portions of the file name. I believe these are having an adverse effect on the performance of my computer. It has been grinding almost to a halt over the last several days. I have a 2 GB processor and 1 GB of RAM and historically it has been very fast. I have no idea where to start with this, but I'm sure there are several of you that have gone through this or know exactly how to fix it. I sure hope so!!

Just in case the attachment is hard to read, I'm going to still describe one of the windows plus the other 7 or 8 letter files.
RegSvr32
LoadLibrary("C:\Documents and Settings\All Users\Application Data\atuhgvkf.dll") failed - The specified module could not be found.
The other six (6): pybclwhg.dll, uvqzexaf.dll, xgpytifc.dll, hcfstyjy.dll, cxyvifol.dll, and vsdiduni.dll.

THANKS SO MUCH!!

Edit: Moved topic to the more appropriate forum. ~ Animal



#2 usasma


Posted 24 February 2008 - 06:21 PM

It appears that the virus removal wasn't complete, and something is still trying to register those infected DLLs on your system at startup. We can stop the messages, but I suspect that there's some other infective process going on that's causing the slowdown. As such, I'd recommend that you post over in the "Am I Infected" forum for some more assistance: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

#3 Orange Blossom


Posted 24 February 2008 - 06:30 PM

Hello FlyerEd,

Those windows you are getting are caused by left-over registry entries. The registry says "load this file" and the computer says, "I haven't got the file, so I can't load it." In this case, this is a good thing. To fix this problem, download Autoruns, search for the related entries and then delete them.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

I would also like you to run an additional scan with SUPERAntiSpyware in Safe Mode to see if anything else is lurking. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      o Close browsers before scanning
      o Scan for tracking cookies
      o Terminate memory threats before quarantining.
      o Please leave the others unchecked.
      o Click the Close button to leave the control center screen.
  • Reboot into Safe Mode
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode
  • To retrieve the removal information for me please do the following:
      o After reboot, double-click the SUPERAntispyware icon on your desktop.
      o Click Preferences. Click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o It will open in your default text editor (such as Notepad/Wordpad).
      o Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply and let us know if the Can't find messages have gone away.

Orange Blossom
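
The manual Autoruns search described in the post above (find startup entries that tell RegSvr32 to load a DLL that is no longer on disk) can also be done as a read-only script. This is an added example, not part of the original thread or any poster's instructions; it assumes PowerShell 3.0 or later, the function name Get-Regsvr32Target is hypothetical, and it only inspects the four Run/RunOnce registry keys listed, not Startup folders, services or scheduled tasks.

```powershell
# Added example: read-only audit of Run/RunOnce values that call regsvr32
# on a DLL that does not exist. Nothing is modified or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: return the DLL path a regsvr32 command line points at,
# or $null if the command line does not invoke regsvr32 at all.
function Get-Regsvr32Target {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)regsvr32(\.exe)?"?\s+(?<rest>.+)$') {
        $rest = $Matches['rest'].Trim()
        # Drop leading switches such as /s, /u or /i before the path.
        while ($rest -match '^[/-]\S+\s+(?<tail>.+)$') {
            $rest = $Matches['tail'].Trim()
        }
        # What remains is the DLL path, quoted or not; expand %VARIABLES%.
        return [Environment]::ExpandEnvironmentVariables($rest.Trim('"'))
    }
    return $null
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $dll = Get-Regsvr32Target -CommandLine $cmd
        # Report only entries whose target DLL is missing from disk.
        if ($dll -and -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{
                Key        = $key
                Value      = $name
                Command    = $cmd
                MissingDll = $dll
            }
        }
    }
}

# Each finding is a candidate leftover entry to review in Autoruns.
$findings | Format-List
```

An empty result means none of these four keys holds such an entry, so the entry responsible for the error is stored in a startup location the script does not cover.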

#4 FlyerEd


Posted 29 February 2008 - 10:43 PM

I have been unable to get any message out to you even though I've typed it (including the scan log) four times now. Internet Explorer closes everything down as soon as I try to post reply. If you get this message you will know that I'm trying to get my system in a condition where I can send you my entire message. 7 files still on desktop at start-up

FlyerEd

#5 FlyerEd


Posted 29 February 2008 - 10:55 PM

Orange Blossom,
I see that the last message went through even though Internet Explorer 7 shut me down. I had an error message that my message was trying to be intercepted by unauthorized source. I ignored it and clicked send anyway and must have sneaked it through. I went through the Autoruns process and examined the list. None of the 7 problem files were on the list so there was nothing I could delete. In the middle of all this, my $750.00 HP All-in-One printer/fax/copier/scanner decided to die an early death. I've not had it all that long but it's out of warranty and HP and I have been troubleshooting it and they have informed me that the problem is in the unit and they do not repair my model anymore. They wanted me to return it to them in exchange for a discounted price on a different refurbished printer. I checked on line (and at Sam's) and I can buy a new printer as cheaply as sending mine back for a refurbished one. Anyway, I am including the scan log below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/27/2008 at 10:05 PM

Application Version : 4.0.1152

Core Rules Database Version : 3411
Trace Rules Database Version: 1403

Scan type : Complete Scan
Total Scan Time : 01:24:11

Memory items scanned : 478
Memory threats detected : 0
Registry items scanned : 5975
Registry threats detected : 2
File items scanned : 52406
File threats detected : 17

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[1].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt

Rogue.WinPerformance
C:\Program Files\WinPerformance\extensions
C:\Program Files\WinPerformance\files
C:\Program Files\WinPerformance
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CEEE5DD-3078-4C26-9242-7DAD88C5E0CD}\RP206\A0039949.EXE
C:\WINDOWS\PERFINFO\TMP19248.EXE
C:\WINDOWS\PERFINFO\U1SUMETJ4SWP.EXE
C:\WINDOWS\Prefetch\TMP19248.EXE-33CD8445.pf

Rogue.ErrorFighter
HKCR\SecMediaOnline
HKCR\SecMediaOnline\CLSID

Desktop Hijacker.AboutYourPrivacy
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR

Trojan.Unclassified/MicroDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0CEEE5DD-3078-4C26-9242-7DAD88C5E0CD}\RP219\A0042469.DLL
C:\WINDOWS\WNDSK.DLL


I hope this will help. I would certainly like to rid myself of these 7 files and any harm they are causing on my system.
Thanks so much for all your help.

FlyerEd

#6 Orange Blossom


Posted 01 March 2008 - 12:32 AM

Hello FlyerEd,

The log does help. At this point, I am going to turn this thread over to someone with more experience than I.

Orange Blossom

#7 quietman7


Posted 01 March 2008 - 07:53 AM

Did you follow the instructions provided by spybotsandra (Team Spybot) in your thread posted here? You were asked to verify your version, update if not current and to run a full scan in safe mode.

They seem to be familiar with your problem and said doing as instructed should resolve the issue.

#8 FlyerEd


Posted 01 March 2008 - 02:29 PM

ADDITIONAL RESPONSES TO THOSE WHO POSTED REPLIES REGARDING 7 RegSvr 32 .dll ON DESKTOP AT STARTUP:
1. Yes I did follow the instructions posted by spybotsandra (Team Spybot), as well as, many, many additional spyware/spam/antivirus scans from other providers (SUPERAntiSpyware, Windows Defender, AVG, McAfee, etc.). All infections of any kind that were found were quarantined or removed. You will see in my replies that I also did the Autoruns and posted the scan log. I doubt that there are any infections of any kind that have not been discovered.
2. NEW INFO: I noticed this morning when I went to msconfig -- Startup Tab, that the 7 RegSvr 32 .dll files were listed and checked. That means they exist on the computer and are going to start at "Startup". I tried unchecking all of them and then closing msconfig, but my system would not let me. They wanted administrator approval, etc. (I am the administrator and the only person who has ever used this computer.) When I checked, I was still logged on as Administrator. I THOUGHT THIS INFO MIGHT BE IMPORTANT since it shows that the files are hanging around and are listed and checked to load at startup.

Again, I appreciate all the help and support that each of you has provided.

Thanks,
FlyerEd

#9 quietman7


Posted 02 March 2008 - 08:00 AM

This issue will require further investigation. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.