skobel
Former Member
Message 1 of 13

msctrl32.exe


This morning I had a web site download a file msctrl32.exe and named Spy Eraser.  McAfee did flag it as trying to update the registry and I denied it.

I couldn't find anything about this on the McAfee site, but Google did turn up a few hits that indicated it was malware. I ran a scan, and it didn't flag it as an error. I deleted the file (it was 3232kb) and the shortcut it put on the desktop, hoping that was all I needed to do. When we switched to another user, we got a message for "error loading mpor.yuo, the specified module could not be found". Again I got no hits on this on McAfee, but Google flagged it as bad. So - what else do I need to clean up from this mess, how badly am I infected, and why doesn't McAfee find anything when I run a scan?

Thanks for any help.


12 Replies
Dinz
Former Member
Message 2 of 13

Re: msctrl32.exe


Hi Skobel,

The term Zero-Day Attack refers to new types of threats and malware that are released before any security software vendor is aware of them and has time to add detections and proactive protection. To protect you from a virus or other malware, your security software must recognize some piece of the code used to carry out the attack. Completely new threats circumvent this because they do not use code which can be detected by existing anti-virus definition files.

Run a scan from the advanced Stinger tool.

1. Download the Stinger tool from the link below:
http://download.nai.com/products/mcafee-avert/stinger.exe
 
2. Double-click Stinger and select Preferences.
3. Enable the Report Applications option.
4. Click OK.
5. Click Scan Now and allow the scan to complete.

NOTE: During the scan, you may receive a clean error on certain .cab files. Ignore the error and allow the scan to complete. The files will be removed when the system is restarted.
 
6. Restart your computer.
7. Run Stinger again using the steps above. 

Kindly report back if you have any issue running the tool.

Regards,
Dinesh K

skobel
Former Member
Message 3 of 13

Re: msctrl32.exe


Hi Dinesh,

Thank you for the response. I will download the tool and report back my results.

Sue

skobel
Former Member
Message 4 of 13

Re: msctrl32.exe


I ran the program, and it didn't find anything.  Here's the report:

McAfee® Stinger Version 10.0.1.624 built on Jul  6 2009

Copyright © 2009 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Jul 6 2009.

Ready to scan for 897 viruses, trojans and variants.

Scan initiated on Thu Dec 17 19:43:51 2009

  Number of clean files: 321009

McAfee® Stinger Version 10.0.1.624 built on Jul  6 2009

Copyright © 2009 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Jul 6 2009.

Ready to scan for 897 viruses, trojans and variants.

Scan initiated on Thu Dec 17 21:48:24 2009

  Number of clean files: 321151

Even though it didn't find anything, I still went ahead and restarted the pc and ran it a second time.  The report says the file is 6 months old.  Is there a more current version I should run?

The pc is still slow to start up, and we still get the message box from rundll  that mpor.yuo is not found.  Are there some other areas I should look at to clean up?

Thanks,

Sue

MaheshCJ
Contributor III
Message 5 of 13

Re: msctrl32.exe


Hi  skobel,

You can try the latest Build added on 11/23/2009 from the link below.

http://download.nai.com/products/mcafee-avert/stinger1001688.exe

But I would suggest you run the Stinger scan in Safe Mode with Networking.

Or

You can try the DOS Scan.

Refer to the document below:

http://service.mcafee.com/FAQDocument.aspx?id=TS100288&lc=&pf=1

Thank you,

Regards,

Mahesh CJ

skobel
Former Member
Message 6 of 13

Re: msctrl32.exe


I tried the new file, and it still didn't find anything. I tried booting to DOS, but it didn't work. I'm not sure how to run it in safe mode with networking. I don't have a true network set up. I have a router that I have 2 PCs connected to (one cable, one wireless), but no sharing of anything between them, just sharing the internet connection.

I'm also curious why even this file is nearly a month old. I get updates almost daily - how is this Stinger file better than the normal virus scan with current DAT files?

P.S. - the link to TS100288 didn't work. I had to do a search for it.

Thanks for your continued help.

Sue

skobel
Former Member
Message 7 of 13

Re: msctrl32.exe


Ok, I think I may have found something. I did a search for anything that had mpor.yuo in it. Four files popped up.  Under .... All Users\Application Data\McAfee\MCLOGS\MISP\mcnasvc\ there are 3 log files - MCNASVC000.LOG, MCNASVC001.LOG, & MCNASVC002.LOG.  A fourth file was found in WINDOWS\SYSTEM32.WBEM\LOGS\FrameWork.log

Messages in the Framework.log are along the lines of:

Shell Name Explorer.exe rundll32.exe mpor.yuo pvihax in Registry not found in process list. 12/17/2009 10:32:47.500 thread:5288

The ones in the McAfee directory path had entries along the lines of:

12/18/2009 12:10:00 PM$ -- (Error)$ [   mcnmcsrv.dll]$ CMcNmcVirusScanItf::getLastScanDate(), getLoggedOnUserToken failed
12/18/2009 12:10:05 PM$ -- (Error)$ [     mcndsv.dll]$ Couldn't bind parameter to statement: library routine called out of sequence
12/18/2009 12:13:01 PM$ -- (Error)$ [   mcnmcsrv.dll]$ McNAUserSessionMgr::getShellPid, failed to find shell program process, 'explorer.exe rundll32.exe mpor.yuo pvihax'

I checked events log in security center. At the time the program downloaded itself, there was a warning about updates to the registry. I selected deny, but I see 2 entries at about the same time - one was denied, but one was allowed.

The denied update was at 07:42:37AM.  It was a registry update for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\ShellC:\Windows\explorer.exe

The allowed update was at 07:40:33AM. It was a registry update process for Winword.exe and the process version is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell

If I do a REGEDIT, that entry is for Explorer.exe rundll32.exe mpor.yuo pvihax.

In addition, if I look at the SYSTEM GUARD log, there is an additional entry in Startup Items that was Allowed at 7:42:16AM.  Process points to a file 46A.tmp in the temp folder of my local settings.  The process version is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyEraserC:WINDOWS\SYSTEM32\msctrl32.exe

So, I have deleted the file 46A.tmp, but I haven't touched any of the registry entries.

Any idea what the log entries in the All Users\Application Data\McAfee\MCLOGS\MISP\mcnasvc\  directory mean?

Thanks again for the help.

Sue

SeanMc98
Contributor III
Message 8 of 13

Re: msctrl32.exe


From your descriptions, you may have 1) a partially-installed version of "Spy Eraser 2" (I believe from Uniblue), or 2) a relatively new malware ("msctrl32.exe" as opposed to the more well-known "msctrl32.scr"), or 3) something completely new.

If you have not already done so, download and run Malwarebytes AntiMalware (www.malwarebytes.org) http://www.malwarebytes.org

This will tell you if any malware is found, and remove it.

If the above does not resolve the issue, for the first two possibilities, I would suggest:

1)  Boot into "Safe Mode with Networking" (or just plain "Safe Mode").  To do this, re-boot, and as soon you start the boot, press F8 (I press it continually).  You should get a screen with various startup options.  Using the arrow keys on your keyboard, move the cursor to either "Safe Mode with Networking" or "Safe Mode", and hit "Enter".

2)  Once booted in "Safe Mode with Networking" you should see an information screen stating that you are in fact running in "Safe Mode".

3) You will be required to logon as either as a user or as "Administrator".  (Caveat: be very careful if you are logging in as "Administrator").

4)  From the Start Menu, click "Run", and enter "Regedit" (or, possibly "Regedt32" if "Regedit" bounces).

Using the arrow keys or the mouse, navigate to the registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (HKLM is "HKEY_LOCAL_MACHINE"). Once at that point, the machine startup commands are displayed in the right panel. Your previous posting indicated a subkey ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyEraser....."). I think that you will see (on the right side) something like:

SpyEraser  REG_SZ  "C:WINDOWS\SYSTEM32\msctrl32.exe"      (NB: there may or may not be double quotes!)

Take a screen shot and save it.  Go to Internet Explorer, come back to this thread, and post the screen shot.

After that, we will try the next step (removal).  Up to this point, you have changed nothing (unless Antimalware found and removed the nasties ).

Message was edited by: SeanMc98 (correction to "Regedt32" on 12/19/09 1:55:50 AM EST)

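An added example, not from this thread or from McAfee, that audits the two autostart locations discussed in this message and in Sue's findings above (the Winlogon Shell value and the Run keys) and flags the patterns she reported: a Shell value that is not plain explorer.exe, rundll32 launching a file that is not a .dll, and anything starting from a Temp folder. It assumes Windows PowerShell 3.0 or later and uses the standard registry paths (the thread's logs print "Windows NT" without the space).

```powershell
# Added audit script (not from the thread). Run in an elevated PowerShell; it only reads the registry.
function Test-AutostartCommand {
    param([string]$Command)
    # Returns a reason string when the command matches one of the patterns seen in the thread, else $null.
    if ($Command -match '(?i)\\(Local Settings\\)?Temp\\') {
        return 'Launches from a Temp directory (cf. the 46A.tmp startup item)'
    }
    if ($Command -match '(?i)rundll32(\.exe)?\s+(\S+)' -and $Matches[2] -notmatch '(?i)\.dll(,|$)') {
        return "rundll32 is loading a non-DLL file '$($Matches[2])' (cf. mpor.yuo)"
    }
    return $null
}

$findings = @()

# 1. Winlogon Shell: on a clean machine this is exactly "explorer.exe". The thread shows it changed to
#    "Explorer.exe rundll32.exe mpor.yuo pvihax", i.e. an extra command appended after the shell.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell -and $shell.Trim() -ine 'explorer.exe') {
    $reason = Test-AutostartCommand $shell
    if (-not $reason) { $reason = 'Shell value is not plain explorer.exe' }
    $findings += [pscustomobject]@{ Location = "$winlogon\Shell"; Value = $shell; Reason = $reason }
}

# 2. Run / RunOnce keys for the machine and the current user (the SpyEraser entry lived under HKLM\...\Run).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip the provider's own PSPath/PSDrive/... properties
        $cmd = [string]$p.Value
        $reason = Test-AutostartCommand $cmd
        if ($reason) {
            $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $cmd; Reason = $reason }
        }
    }
}

# Report only; removal is left to the operator (or to the anti-malware tool) once the entries are confirmed.
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No suspicious autostart entries found.' }
```

The script lists, it does not delete: compare its output with the SYSTEM GUARD and event-log timestamps before touching any value, as the message above advises.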
skobel
Former Member
Message 9 of 13

Re: msctrl32.exe


Hi SeanMc98,

Malwarebytes AntiMalware  seems to have done the trick.  Not only did it remove the 2 entries I had found, plus 2 files in my temp folder (one of which I was already suspicious of), but it flagged 5 other registry entries. I have no idea if they were part of this malware that was installed, or something that had been there for awhile, but it's all gone now.  Thank you very much.

Sue

djnick
Former Member
Message 10 of 13

Re: msctrl32.exe


Hi guys

This virus attacked me this morning so this is how I removed it.

Sounds stupid but: I killed task [ctrl+alt+del] & deleted msctrl32.exe & its icon from C/Windows/.... On the next reboot - nothing appears...

Btw, Stinger didn't find anything...
