
Missing dll for One User



#1 john_feiereisen


Posted 08 February 2014 - 09:44 AM

Windows XP

Media Center Edition

Version 2002

Service Pack 3

 

I recently scrubbed my computer of a virus using Malwarebytes and Windows Security Essentials.  I've had pretty good luck with this combination in the past.  It looks like I've gotten rid of the trouble, but I haven't gotten rid of a chunk of code that tries to launch the virus.  (More testing today to be sure.)

 

My wife's profile is the only one affected (and as far as I know the only one that had the browser redirect and trojan -- one of which was Miuref.A).  The bootup process is fine and all other profiles are fine, but when my wife logs in she gets a dialog box:

 

Window Title bar: RegSvr32

Message: LoadLibrary("C:\Documents and Settings\Lisa\Local Settings\Application Data\Uvhdmedia\Notifications.dll") failed - The specified module could not be found.

 

It has one button: OK

 

This only shows up when she logs in (not when she's already logged in and we switch to her user).  Clicking the red X in the upper right-hand corner of the box makes it go away and it appears not to launch anything.

 

In the past I've had similar issues where I've had to delete registry keys my virus software missed when getting rid of the virus proper.  But in this case I can't find what key in the registry is doing it or exactly what step of her login process does it.  I've checked her startup folder and there's nothing there.

 

Where should I be looking for stuff that gets executed for only a single user during that user's login?

 

Thanks.


Edited by hamluis, 08 February 2014 - 11:19 AM.
Moved from XP to Am I Infected - Hamluis.




#2 dls62


Posted 08 February 2014 - 10:36 AM

Hi,

 

If you're comfortable with registry editing, you will probably find the entry in one of these keys (when logged on as your wife):

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]



#3 john_feiereisen


Posted 08 February 2014 - 11:18 AM

Thank you!!!!!!

 

It was the "when logged on as your wife" that I was missing.  I logged in as her, found the key, deleted it, and all is well.  (At least so far.  I still need to reboot, login/logout, and run some virus scans with no incidents found before I'm completely convinced.)  But the dialog box no longer appears when she logs in.

 

I thought the registry was the registry regardless of who was logged in (and only specific branches came into play depending on who was logged in).  Is there any way I can see *everything*, or do I have to log in as each user and regedit to be sure I'm seeing everything?

 

Thanks again.



#4 dls62


Posted 08 February 2014 - 11:31 AM

Each user has their own registry hive with personal settings that is stored within their user profile.  When you run Regedit you will only see the user hive for the logged-on user, although it is possible to load other user hives - it's not a very elegant solution.

 

Autoruns from the Microsoft Sysinternals Suite allows you to easily switch between different users.  This is also a safer solution because it allows you to disable an entry without deleting it and then re-enable it if needed.
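The "load other user hives" approach from the reply above, as an added example that is not part of the original thread: it mounts each profile's NTUSER.DAT with reg.exe and lists the per-user autostart keys named in post #2, so leftover entries can be reviewed without logging in as each user. It assumes an elevated PowerShell prompt; the mount name `TempHive_<SID>` is a hypothetical choice made for this sketch.

```powershell
# Added example: list per-user autostart entries for every profile on the machine.
# Read-only: nothing is deleted. "TempHive_<SID>" is an arbitrary mount name (assumption).
$subkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

foreach ($p in Get-ChildItem $profileList) {
    $sid  = $p.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables(
                (Get-ItemProperty $p.PSPath).ProfileImagePath)
    $hive = Join-Path $path 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hive)) { continue }

    # A logged-on user's hive is already mounted at HKEY_USERS\<SID>; use it as is.
    $root    = "HKU\$sid"
    $mounted = $false
    $null = & reg.exe query $root 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Otherwise mount the profile's hive file under a temporary name.
        $root = "HKU\TempHive_$sid"
        $null = & reg.exe load $root $hive 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        $mounted = $true
    }

    foreach ($k in $subkeys) {
        $out = & reg.exe query "$root\$k" 2>$null
        if ($LASTEXITCODE -ne 0) { continue }   # key absent in this hive
        "[$path] $k"
        # Keep only value lines; drop blank lines and key-name lines.
        $out | Where-Object { $_ -match '\S' -and $_ -notmatch '^HKEY_' }
    }

    # Always unmount what this script mounted so the profile is not left locked.
    if ($mounted) { $null = & reg.exe unload $root 2>&1 }
}
```

In the output, a value that runs regsvr32 or points into a profile's Application Data folder at a file that no longer exists is the same kind of leftover that produced the dialog in post #1.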





