I was receiving pop-up virus/trojan warnings from Avira. At first, I just kept ignoring it since it was on the "Deny Access" selection. It continued to pop up frequently each time I was on the internet. I finally changed the "Deny Access" selection to the "Delete" selection. As soon as I did this, Windows Defender also did its thing. I couldn't remember what the message was from WD. I no longer get the pop-up warnings, but each time I log in to my computer, I get the following error message:
RunDll
Error loading C:/Users/<removed>/AppData/Local/Temp/cmstpcln.dll
The specified module could not be found.
After I click the OK button, I have no problem getting onto the internet. Can you explain to me why I am getting this error message and how to get rid of it? Did I do the right thing by deleting the virus/trojan warning?
Letting the anti-malware tools do their job was absolutely the right thing to do.
It's simply that the cleanup performed by your anti-malware tools was just shy of complete. That's not actually uncommon, though I'm not sure why. I'll explain what happened, and how to clean that last annoying part up manually.
It's actually a technique that can be useful in other, non-malware related situations as well.
One way malware works
Malware inserts itself into your system in many different ways. One of the most common is that it runs automatically when you reboot and/or log in to your machine.
Unless you're running malware scans, you might not notice. For example, malware that acts as a zombie on a botnet doesn't want to be noticed: it's not going to do anything destructive to your machine, because it just wants to sit there and quietly send out spam, lots of spam.
Malware most often inserts itself into one of the several "auto-start" portions of the system registry. That way, not only does the malware exist in some file or files on your system, but when you reboot or log in, the malware is once again automatically started.
Once your malware removal tools detect and remove the malware -- whatever kind it might be -- you might think you're done. Unfortunately, for reasons that aren't clear to me, sometimes malware removal tools leave the auto-start instructions in place.
And that's what you're seeing.
The malware has been removed, but the instructions to start it when you log in have not been removed. When you log in, you get the error message as the system attempts to start a program that no longer exists.
Before we begin...
We're about to make changes to your system -- in the registry, actually -- and it's always a good idea to back up fully before you do that.
I prefer a true full-system (or image) backup. In a case like this, where we're only making changes to the registry, setting a system restore point (which backs up the registry) is typically sufficient.
Removing the auto-start entry
Fortunately, getting rid of the entry is pretty simple, which is why I'm somewhat surprised it would be left at all.
We'll use the free downloadable tool Autoruns, from Microsoft.
Download and run Autoruns, and you should see a window very similar to this:
Be sure to click on the File menu and select Run as Administrator to ensure you have access to all entries.
There's a lot of really geeky stuff in that display. It's showing you everything that might be involved in starting up your computer. It's a long and often complex list.
The good news is, you don't need to understand any of it. You already have enough information to go right to the problem.
Click on the Entry menu at the very top, and select Find...
Type in the base name of the module from your error message. In your case, the error message referenced "C:/Users/<removed>/AppData/Local/Temp/cmstpcln.dll", so you'd enter cmstpcln and press Find Next. Autoruns will highlight the first entry in which it finds the string.
Don't do anything with what you find just yet.
Instead, repeat the search (just press F3) to see if it appears in more than one place in the registry.
If it appears in only one place (and particularly if that one place is in a folder called "temp", as yours is), it should be safe to simply remove the reference. Double check that the column labeled "Image Path" matches what's in the error message.
Right-click on the entry and click on Delete to remove it.
Now, when you reboot, you should no longer have that annoying error message.
Multiple entries, partial matches, and more
In your case, I believe there'll be only one entry, it'll match your error message completely, and deleting it will resolve your issue. But what if you find more than one entry in Autoruns?
Malware also attempts to disguise itself by using the names of other, more common components. In this case, you need to examine the results a little more carefully before deleting anything. There are no blanket rules here, just a few tips and guidelines.
I'll make up an example. Let's say that your error message referenced "C:/Users/leon/AppData/Local/Temp/acrotray.exe". In searching for it, before deleting anything, we might find more than one instance of something called "acrotray".
One of them is valid:
The things to note here include:
- The full path does not match the error message, even though the base name is the same.
- This executable does not reside in a suspicious location. "Program Files" is where much software gets installed. "Temp" is not.
- Other information about the executable listed appears valid.
- It's for software I know I actually installed on the machine: Adobe Acrobat.
Bottom line: this isn't one to be deleted; it's legit.
As I said, these aren't rules as much as guidelines (malware could certainly install itself in "Program Files", for example). But when used as clues, and particularly when matched against a specific error message such as the one in your original example, they let you make fairly educated decisions about what is and what is not likely to be malware.
And if we guess wrong -- well, that's why we started with a backup.
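As an added example (it is not from the article and not part of Microsoft's Autoruns), the PowerShell below does the Find-then-compare steps described above against the four most common "Run" auto-start keys: it extracts the file each entry launches, reports whether that file still exists and whether it lives under a Temp folder, and lets you search by base name so that full paths can be compared with the error message before anything is removed. It is read-only. The key list, the regular expression and the function names are this example's own choices; Autoruns inspects many more locations (services, scheduled tasks, Winlogon, shell extensions and so on) than these four keys.

```powershell
# Added example for this article (not Leo's code, not part of Autoruns).
# Read-only: lists the four most common "Run" auto-start registry keys,
# extracts the file each entry launches, and reports whether that file is
# missing or lives under a Temp folder. Run from an elevated Windows
# PowerShell so the HKLM keys are readable.

$script:RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds to its output; they are not registry values.
$script:ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the first drive-letter path ending in a runnable extension out of a
# launch string, for example (constructed samples):
#   rundll32.exe "C:\Users\x\AppData\Local\Temp\cmstpcln.dll",Entry
#   "C:\Program Files\Adobe\Acrobat\acrotray.exe"
# Launch strings using %TEMP%-style variables are not parsed; they come back
# as $null and therefore surface in the dangling list for manual review.
function Get-ImagePath {
    param([string]$LaunchString)
    $pattern = '[A-Za-z]:\\[^",]+?\.(exe|dll|scr|bat|cmd|vbs|js)\b'
    if ($LaunchString -match $pattern) { return $Matches[0] }
    return $null
}

function Get-RunEntries {
    foreach ($key in $script:RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($script:ProviderProps -contains $prop.Name) { continue }
            $launch = [string]$prop.Value
            $path   = Get-ImagePath -LaunchString $launch
            $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
            $inTemp = [bool]($path -and ($path -match '\\Temp\\'))
            [pscustomobject]@{
                Key          = $key
                Entry        = $prop.Name
                LaunchString = $launch
                ImagePath    = $path
                FileExists   = $exists
                InTempFolder = $inTemp
            }
        }
    }
}

# Mirrors the Autoruns "Find" step: show every entry mentioning a base name
# (for the question above: cmstpcln) so the full paths can be compared with
# the error message before anything is removed.
function Find-RunEntry {
    param([Parameter(Mandatory)][string]$BaseName)
    Get-RunEntries | Where-Object {
        $_.Entry -like "*$BaseName*" -or $_.LaunchString -like "*$BaseName*"
    }
}

# Everything that looks like a leftover: target file gone, or launched from Temp.
function Get-DanglingRunEntries {
    Get-RunEntries | Where-Object { -not $_.FileExists -or $_.InTempFolder }
}

Get-DanglingRunEntries |
    Format-Table Key, Entry, ImagePath, FileExists, InTempFolder -AutoSize -Wrap
```

`Find-RunEntry -BaseName cmstpcln` is the equivalent of typing the base name into Autoruns' Find box; an entry like the valid acrotray.exe one above shows up with a "Program Files" path and FileExists set to True, while the leftover shows a Temp path and False. Once you have confirmed a single entry whose ImagePath matches the error message, `Remove-ItemProperty -Path <Key> -Name <Entry>` removes it, after taking the restore point the article recommends (`Checkpoint-Computer -Description 'Before cleaning Run keys'` does that in Windows PowerShell 5.1; the cmdlet is not available in PowerShell 7).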
Just curious. Why not just uncheck the entry in Autoruns, close Autoruns and restart computer. If the error message does not recur and no new problems arise, it is safe to delete the entry from Autoruns.
I always like to run CCleaner before and after running spyware scans to clean out all the temp directories. It also does registry cleaning and it's free.
http://www.onlinecomputertips.com/software/ccleaner.html
Running CCleaner might remove the malware .dll file because the file is in the Temp folder. Although if the file is in use, CCleaner would skip over it. But if it does remove the file, it wouldn’t fix the problem described in the article because it’s the registry pointing to the no longer existent file in the temp folder.
The registry cleaning part will identify the entry as pointing to the now non-existent file and offer to remove it.
Sorry to say that the advice in this article really isn’t great. When a system has been compromised in this way, it’s quite possible that login credentials, including banking user names and passwords, have been compromised too. Consequently, the first step should be to immediately change every password and to do that using a different computer. Second step should be to reload the OS on the compromised computer. You’ve got no way of knowing whether other malware was installed, whether it’s being concealed by a rootkit or whether your antivirus is able to detect and clean it.
Sorry, but suggesting that people fool around with Autoruns is plain silly.