Antivirus Protection
 
#1
May 23rd, 2005, 07:06 PM
EverLearning
RUNDLL error

I have this error message popping up every time I log in (WinXP professional):

RUNDLL
Error loading C:\PROGRA~\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL
The specified module could not be found.

What is calling it and why? How do I fix this?
Thanks in advance.

#2
May 23rd, 2005, 10:41 PM
Doug G
There is some startup program or service. You can use the msconfig program to review the startup settings for your computer. Start - Run - msconfig
__________________
======
Doug G
======
I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain

#3
May 24th, 2005, 08:20 AM
oneMSBi
EverLearning, it sounds like you have a malware infection.

F3SCRCTR.DLL is a known part of Mywebsearch infections.
Quote:
MyWebSearch is a toolbar that quite a few third party software developers bundle with their "free" software. It is a search and error page hijacker that can be fairly tricky to remove. Smileycentral.com is probably the largest website pushing this toolbar. This toolbar will quite likely slow the speed of IE web browsing and searching due to the hijackings.


I have notified the mods about this thread, and one of them will move it over to the antivirus forum.
Please get hold of the following tools from the links in my signature:
Ad-aware, Spybot Search and Destroy.
Run them on your PC. Then please download HijackThis from the link provided in my signature and install it to a permanent folder on your computer. Then run it and save a log file. Copy and paste the log file into your next post.
__________________
Nigel
..Seeking code free nirvana...
Nigel Fernandes Blog
Never argue with fools. They will bring you down to their level and beat you with experience.


Manchester United Forever

#4
May 24th, 2005, 12:30 PM
EverLearning
Yeah, the routine is familiar to me, do it at home. This is my uni account that I had this error; I do not have administrator privileges to run SpyBot (or msconfig), but I ran everything else and I think I fixed it. I ran my log at this website, it was helpful in the past. Do you ever use it, any opinions? Is RUNDLL usually associated with malware?

Thanks for moving me to the right forum and your help

Last edited by EverLearning : May 24th, 2005 at 12:40 PM.

#5
May 24th, 2005, 03:53 PM
oneMSBi
Rundll is a standard system component for Windows systems. It is commonly targeted by malware, but you need it on your machine for Windows to function. Please see the following link for information on Rundll and Rundll32:

http://support.microsoft.com/defaul...;EN-US;q164787&

Can you copy and paste your log into the next post? You may not be able to undertake the fixes, but we will be able to go over it and let you know if you still have traces of any infections.

#6
May 24th, 2005, 04:02 PM
EverLearning
Here's my log. Are the bolded ones the ones I need to fix?

Logfile of HijackThis v1.99.1
Scan saved at 11:49:46 AM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Local Settings\HijackThis.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: CompanionHelper Class - {00000000-623A-11D4-BCDB-005004131771} - C:\WINDOWS\system32\VgIEHelper1-2-0-47.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: acrotray.exe.lnk = C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: KeyAccess.lnk = C:\WINDOWS\keyacc32.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm776BBUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095262847760
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: KATRACK.DLL
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McafeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Python Cron Service (PyCron) - Unknown owner - C:\Program Files\pycron\pycron.exe

thanks again...

Last edited by EverLearning : May 29th, 2005 at 02:59 AM.

#7
May 25th, 2005, 06:33 PM
oneMSBi
OK, from a quick glance at your log, you have been infected with LinkGrabber 99, which is one of the more common forms of BHO adware and really can be hard to remove at times.

You have selected the correct entries for removal, but I strongly suggest you wait till Tom or somebody else at this forum is able to go over your log and suggest a method for you to eliminate the infection.
It is not enough to just fix the entries in the log; you also need to locate the right files on your hard disk for deletion and proceed in the right order.

#8
May 27th, 2005, 01:26 PM
EverLearning
Where do you see the LinkGrabber 99? In the O2s?
I googled and could not find anything helpful. There's also a website <www.spywaredata.com> where you can search for BHOs:

nothing on this one:
O2 - BHO: CompanionHelper Class - {00000000-623A-11D4-BCDB-005004131771} - C:\WINDOWS\system32\VgIEHelper1-2-0-47.dll

these two -- "good":
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll


#9
May 27th, 2005, 02:02 PM
oneMSBi
Quote:
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE


These are the entries which led me to the LinkGrabber 99 infection. I'm sure somebody will stop by this thread and give you instructions on how to clean this out.

Last edited by oneMSBi : May 28th, 2005 at 06:37 PM.

#10
May 31st, 2005, 11:39 PM
Tom Myboy
Hi EverLearning,

You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis.

If you have any questions before starting the fix, please don't hesitate to ask!

Please move or unzip HijackThis to a permanent folder such as C:\HJT or C:\Program Files. It is important that it is in its own folder as it will make important backups of what we will fix.

Please go to Start > My Computer > double-click your C:\ drive > click: File > New > Folder > name it HJT and put HijackThis into that folder.

Next...

Please go to Start > Control Panel > Add/Remove programs and remove:

MyWebSearch

PopularScreensaversWallpaper

Next...

Logoff your internet/network connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked".

It is OK if some of these items are no longer listed.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm776BBUS


These are resource hogs that can be fixed also:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


Next...

Boot into Safe Mode. Restart your computer, start tapping F8 when your computer first starts booting, there will be a menu displayed > select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

Search for and delete the following folder:

C:\PROGRAM FILES\MYWEBSEARCH < delete the entire MYWEBSEARCH folder

Reboot normally.

Next....

Let's do some more cleaning up:

Download Ad-Aware SE Personal Edition version 1.06 from:

http://www.lavasoft.de/support/download/

Run Adaware, click the "Check for Updates now" link. Install the latest reference file.

Perform a full system scan with Adaware, allow it to remove anything it finds. It may ask if it can run the next time your computer boots, allow it to do so.

Then...

Download Spybot - Search & Destroy 1.3 from:

http://www.safer-networking.org/en/download/index.html

Make sure you are online, run Spybot - Search & Destroy, click the "Check for Updates now" link. Install the latest reference file.

Scan and fix all items checked in RED.

Reboot and post a fresh HijackThis log.

Tom
__________________
HijackThis
Ad-aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Housecall Online A/V Scan

Please read the stickys at the top of the forum before posting!
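
Added example, not written by any poster in this thread: post #1 asks what is calling the DLL named in the RUNDLL dialog, and the answer sits in the O4 lines of the log. This Python sketch parses HijackThis-style lines, finds the autostart entry that launches a given DLL through rundll32, and lists every entry pointing into the same folder. The function names and the 8.3 short-name heuristic are assumptions of this example; the sample lines are taken from the log in post #6.

```python
import re
from typing import List, NamedTuple, Optional

# Sample input for this example: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL,LES
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm776BBUS
"""

class Entry(NamedTuple):
    section: str             # HijackThis section code, e.g. "O4"
    text: str                # everything after "O4 - "
    target: Optional[str]    # file the entry points at, if any
    export: Optional[str]    # DLL export name, for rundll32 entries only

LINE = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')
RUNDLL = re.compile(r'\brundll32(?:\.exe)?"?\s+"?([^",]+)"?,\s*(\S+)', re.I)
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)

def parse(log: str) -> List[Entry]:
    """Turn log lines into entries; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        section, text = m.groups()
        r = RUNDLL.search(text)
        if r:   # "rundll32 <dll>,<export>": the DLL is the real target
            target, export = r.group(1).strip(), r.group(2)
        else:
            p = PATH.search(text)
            target, export = (p.group(0) if p else None), None
        entries.append(Entry(section, text, target, export))
    return entries

def short_name_matches(a: str, b: str) -> bool:
    """Compare one path component, case-insensitively. Heuristic (assumption):
    an 8.3 alias such as MYWEBS~1 matches a long name that starts with the
    same letters once spaces are removed. Hashed aliases (MI1933~1) are not
    resolved and simply fail to match."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_ in ((a, b), (b, a)):
        m = re.fullmatch(r'([^~]{1,6})~\d*', short)
        if m and long_.replace(" ", "").startswith(m.group(1)):
            return True
    return False

def same_path(p: str, q: str) -> bool:
    a, b = p.split("\\"), q.split("\\")
    return len(a) == len(b) and all(short_name_matches(x, y) for x, y in zip(a, b))

def who_loads(log: str, failing_path: str) -> List[Entry]:
    """Entries whose target is the file named in the error dialog."""
    return [e for e in parse(log) if e.target and same_path(e.target, failing_path)]

def under_folder(log: str, folder: str) -> List[Entry]:
    """Entries whose target lies inside `folder`, under either name form."""
    parts = folder.rstrip("\\").split("\\")
    hits = []
    for e in parse(log):
        t = e.target.split("\\") if e.target else []
        if len(t) > len(parts) and all(short_name_matches(x, y) for x, y in zip(parts, t)):
            hits.append(e)
    return hits

if __name__ == "__main__":
    # Path exactly as quoted from the error dialog in post #1.
    for e in who_loads(SAMPLE_LOG, r"C:\PROGRA~\MYWEBS~1\bar\1.bin\F3SCRCTR.DLL"):
        print("launched by:", e.section, e.text)
    for e in under_folder(SAMPLE_LOG, r"C:\Program Files\MyWebSearch"):
        print("same folder:", e.section, e.text)
```

Entries with no file path, such as the R3 "(no file)" hook and the O8 context-menu URL, are parsed but not matched by either lookup, so they still need to be read by eye.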

#11
March 21st, 2006, 02:03 PM
teggo
Hi I have scanned my system with Spybot, Spy Sweeper and McAfee but still have the error message. As for Hijackthis I find it a bit intimidating and don't quite know where to start. Any further help would be greatly appreciated.


Teggo

#12
March 21st, 2006, 02:20 PM
seack79
Just scan your Hijack log for that program that's trying to load. Then delete that file. Don't worry, Hijack won't do any system critical damage...at least I haven't seen it do anything, and I've hit a few wrong buttons in learning how to use it.

#13
March 22nd, 2006, 12:43 AM
aitken325i
Quote:
Originally Posted by teggo
Hi I have scanned my system with Spybot, Spy Sweeper and McAfee but still have the error message. As for Hijackthis I find it a bit intimidating and don't quite know where to start. Any further help would be greatly appreciated.
What error message are you receiving?

Download HJT and then run it - it should output to a text file, just copy the contents into a post on here and we'll go through the log for you and let you know what is ok and what needs to be removed.

#14
July 1st, 2006, 06:04 AM
Ron S

Tom,

Wow this was a great post! I also have been getting the same RunDLL window popup. When I get home today I will follow your instructions. Thanks so much for taking the time to write this all down.

Ron S
