Solved RunDLL Error boxes after start-up?

Status
Not open for further replies.

cburchell11b

New Member
Thread author
Jul 6, 2013
5
Please help me someone. These pop up every time I start up my computer and they did not start popping up until after we detected/removed some Trojan viruses from our computer. I'm wondering if this can be fixed.

Anyone got any ideas on how to fix this?
 

Attachments

  • popups after boot.png

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hello,
These are some start-up items that are looking for a file that does not exist anymore on your machine. Your antivirus or on-demand scanner has removed the malicious files from your machine, however it has left behind a startup key. While it's not dangerous without the malicious payload, it's still pretty annoying. :)
Let's try to remove this startup key with Malwarebytes StartupLite:
Download Malwarebytes StartupLite from here: http://www.malwarebytes.org/products/startuplite/ , then run this tool.
Let Malwarebytes do its job, and if you see any strange or unwanted startup items you can uncheck them yourself. Restart your computer, and see if your issue is fixed.
If the error message persists, just take a screenshot of Malwarebytes StartupLite, and we will help you with the items that can be unchecked.

Also I would suggest that you perform a computer scan with Malwarebytes Anti-Malware and HitmanPro.

INFO: How to take a screenshot:
Press the "PrtSc" (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, not bmp). Open your browser > Go here > Select browse > click once to select file > Open > Upload > Reply with the link
 
Upvote 0
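The check described in the reply above (a startup entry that still calls rundll32 on a DLL the scanner already deleted), as an added example that is not part of the original thread or of any tool named in it. The value names, paths and file set are constructed sample data, and dll_target / orphaned_entries are hypothetical helper names; on a live system you would feed in the values read from the Run keys and pass os.path.exists.

```python
import ntpath
import re

# Matches a rundll32 invocation and captures the DLL argument, quoted or not.
# The export name after the comma is not needed for the existence check.
_RUNDLL = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^,]+?))\s*(?:,|$)',
    re.IGNORECASE,
)

def dll_target(command, env=None):
    """Return the DLL a rundll32 startup command loads, or None if not rundll32."""
    m = _RUNDLL.match(command)
    if not m:
        return None
    path = (m.group("q") or m.group("u")).strip()
    env = {k.upper(): v for k, v in (env or {}).items()}
    # Expand %VAR% references; unknown variables are left untouched.
    return re.sub(r"%([^%]+)%",
                  lambda v: env.get(v.group(1).upper(), v.group(0)), path)

def orphaned_entries(entries, exists, env=None):
    """Return [(value name, dll path)] for entries whose absolute DLL is missing.

    Bare names such as shell32.dll are resolved by the Windows search path,
    so they are skipped here rather than reported.
    """
    found = []
    for name, command in sorted(entries.items()):
        dll = dll_target(command, env)
        if dll and ntpath.isabs(dll) and not exists(dll):
            found.append((name, dll))
    return found

# Constructed sample data standing in for a Run key and the files on disk.
SAMPLE_RUN_KEY = {
    "ixkavoqu": r'rundll32.exe "C:\Users\Example\AppData\Local\ixkavoqu.dll",Startup',
    "wqmnsrvc": r'C:\Windows\System32\rundll32.exe %LOCALAPPDATA%\wqmnsrvc.dll,DllMain',
    "DisplaySettings": r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /min',
    "VendorHelper": r'"C:\Windows\system32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Run',
}
SAMPLE_ENV = {"LOCALAPPDATA": r"C:\Users\Example\AppData\Local"}
SAMPLE_FILES = {r"c:\program files\vendor\helper.dll", r"c:\program files\vendor\tray.exe"}

def sample_exists(path):
    return path.lower() in SAMPLE_FILES

if __name__ == "__main__":
    for name, dll in orphaned_entries(SAMPLE_RUN_KEY, sample_exists, SAMPLE_ENV):
        print(f"{name}: missing {dll}")
```

Only the two entries whose DLL is gone are reported; the entry whose DLL still exists and the non-rundll32 entry are left alone.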

cburchell11b

New Member
Thread author
Jul 6, 2013
5
Hello Jack, I appreciate the quick response. I ran StartupLite and only one thing was in there. I'll post the SS.

Also, I run Malwarebytes on a regular basis but I have never tried HitmanPro. I will download and run that now. Thanks again man.
 

Attachments

  • StartupLite SS.png
Upvote 0

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hey,
Can you click on the Re-enable disable items link from StartupLite? This should bring up the System Configuration box, go to the Startup tab, and take a screenshot... Let's see if that's there...
 
Upvote 0

cburchell11b

New Member
Thread author
Jul 6, 2013
5
Ok, while trying to get HitmanPro, I got a nice little freebie called SweetIM for Messenger 3.7 that I can't seem to get rid of. *sigh* I hate my life...

I ran StartupLite again and now this is what it's showing...

It won't let me click the Re-enable disable items link.
 

Attachments

  • StartupLite SS2.png
Upvote 0

cburchell11b

New Member
Thread author
Jul 6, 2013
5
I really like this HitmanPro A LOT. Thanks for the advice man. Here's what it found.



HitmanPro 3.7.6.201
www.hitmanpro.com

Computer name . . . . : BURCHELLFAMILY
Windows . . . . . . . : 6.1.1.7601.X64/2
User name . . . . . . : BurchellFamily\Burchell Family
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2013-07-06 14:08:34
Scan mode . . . . . . : Normal
Scan duration . . . . : 7m 57s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 252

Objects scanned . . . : 1,459,604
Files scanned . . . . : 23,413
Remnants scanned . . : 287,930 files / 1,148,261 keys

Suspicious files ____________________________________________________________

C:\Users\Burchell Family\Downloads\Windows Media Player 11\WMP11\legitlib.dll -> Deleted
Size . . . . . . . : 435,464 bytes
Age . . . . . . . : 354.9 days (2012-07-16 15:45:18)
Entropy . . . . . : 7.2
SHA-256 . . . . . : 1CF4D691028AC080E1D6B2398794C4A30DFD747AEEF26764AF76055F6FC69ED7
Product . . . . . : Microsoft® Windows Genuine Advantage Validation
Publisher . . . . : Microsoft® Corporation
Description . . . : Windows Genuine Advantage Validation Library
Version . . . . . : 1.4.0410.0
Copyright . . . . : Copyright © Microsoft Corporation. All rights reserved.
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 25.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.

C:\windows\SysWOW64\DBCLIENT.DLL -> Deleted
Size . . . . . . . : 210,032 bytes
Age . . . . . . . : 278.6 days (2012-09-30 23:27:26)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 8395C8F23C50D2203FC3F4A9847ABADDF6F240C593E17A4B3625F3985F423236
Publisher . . . . : Inprise Corporation
Description . . . : Borland Database Engine
Version . . . . . : 5.0.1.32
Copyright . . . . : Copyright Inprise Corp. 1991-1998
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 26.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Potential Unwanted Programs _________________________________________________

C:\ProgramData\Babylon\ (Babylon) -> Deleted
C:\Users\Burchell Family\AppData\Roaming\Babylon\ (Babylon) -> Deleted
C:\Users\Burchell Family\AppData\Roaming\Babylon\log_file.txt (Babylon) -> Deleted
HKLM\SOFTWARE\Classes\Prod.cap\ (Claro) -> Deleted
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo) -> Deleted
HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon) -> Deleted
HKU\S-1-5-21-3663612630-4161862881-3605775948-1000\Software\Softonic\ (Softonic) -> Deleted

 
Upvote 0

cburchell11b

New Member
Thread author
Jul 6, 2013
5
Hey Jack, because of the information you gave me in the beginning I was able to locate these lines in CCleaner. Should I disable them with CCleaner?
 

Attachments

  • CCleaner startup error lines.png
Upvote 0

Littlebits

Retired Staff
May 3, 2011
3,893
Yes you should delete those two entries.
That is what is causing the errors because those files are missing.

Enjoy!! :D
 
Upvote 0

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hello,
Yes, you can delete those items, and furthermore, I would recommend that you review all the startup items as not all of them are necessary and will slow down your computer.
When you disable a startup program, this will not delete any programs from your hard drive. Instead it will remove only the entry for that program in the Startup Programs list, preventing the program from restarting every time your system does.
Note that some applications need to be configured to stop launching themselves when the computer boots, or they will just add themselves to the list of startup programs again. In this case, there is usually a setting in a program’s options to prevent it from starting with Windows.


Also, because there are some PUPs (potentially unwanted programs) on your machine, I recommend that you perform a scan with the following tools:

STEP 1: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK (This link will automatically download AdwCleaner on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.


STEP 2: Run a scan with Junkware Removal Tool

  1. Please download Junkware Removal Tool to your desktop from the following link:
    JUNKWARE REMOVAL TOOL DOWNLOAD LINK (This link will automatically download Junkware Removal Tool on your computer)
  2. Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  3. The tool will open and start scanning your system
  4. Please be patient as this can take a while to complete depending on your system's specifications
  5. On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  6. Post the contents of JRT.txt into your next reply


STEP 3: Run a scan with ESET Online Scanner
  1. Download ESET Online Scanner utility from the below link
    ESET ONLINE SCANNER DOWNLOAD LINK (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply. Note - when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish
 
Upvote 0