
Most malware tools can remove most malware fairly well. Occasionally, though, a removal leaves behind startup entries; I'll show you how to clean them up.

I was receiving popped up virus/trojan warnings from Avira. At first, I just kept ignoring it since it was on the "Deny Access" selection. It continued to pop up frequently each time I am on the internet. I finally changed the "Deny Access" selection to the "Delete" selection. As soon as I did this, Windows Defender also did its thing. I couldn't remember what the message was from WD. I no longer get the pop up warnings but each time I log in to my computer, I get the following error message:

RunDll
Error loading C:/Users/leon/AppData/Local/Temp/cmstpcln.dll
The specified module could not be found.

After I click the OK button, I had no problem getting into the internet. Can you explain to me why I am getting this error message and how do I get rid of it? Did I do the right thing by deleting the virus/trojan warning?

You did the right thing, absolutely.

It's just that the cleanup performed by your anti-malware tools was just shy of complete. That's not actually that uncommon, though I'm not sure why.

I'll explain what happened, and how to clean that last annoying part up manually.

One Way That Malware Works

Malware inserts itself into your system in many different ways. One of the most common things that malware does is to ensure that it runs automatically when you reboot and/or log in to your machine.


Unless you're running malware scans you actually might not notice. For example, malware that acts as a zombie on a botnet actually doesn't want to be noticed - it's not going to do anything destructive to your machine, it just wants to sit there and quietly send out spam - lots of spam.

Malware most often inserts itself into one of the several "auto-start" portions of the system registry. That way, not only does the malware exist in some file or files on your system, but when you reboot or log in the malware is once again automatically started.

Once your malware removal tools do detect and remove the malware - whatever kind it might be - you might think that you're done. Unfortunately, for reasons that aren't clear, sometimes malware removal tools will leave the auto-start instructions in place.

And that's what you're seeing.

The malware has been removed, but the instructions to start it when you log in have not been removed. Thus, when you log in, you get the error message as the system attempts to start a program that no longer exists.

Before we Begin...

Back up.

We're about to make changes to your system - in the registry actually - and it's always a good idea to be backed up before you do that.

I prefer a true full system or image backup. In a case like this where we're only making changes to the registry, setting a system restore point (which backs up the registry) is typically sufficient.

Removing the Auto-Start Entry

Fortunately, getting rid of the entry is actually pretty simple. (Which is why I'm somewhat confused as to why it would be left at all.)

We'll use the free downloadable tool autoruns, from Microsoft.

Download and run autoruns and you should see a window very similar to this:

Autoruns

If you're running Windows Vista or Windows 7 be sure and click on the File menu and select Run as Administrator to ensure you have access to all entries.

Yes, there's a lot of really geeky stuff in that display. It's showing you everything that might be involved in starting up your computer, or logging in, and it's a long and often complex list.

The good news is you don't need to understand any of it.

You've actually got enough information to go right to the problem.

Click on the File menu and select Find...:

Autoruns Find dialog

Type in the base name of the module from your error message. In your case, the error message referenced "C:/Users/leon/AppData/Local/Temp/cmstpcln.dll" so you'd enter cmstpcln, and press Find Next. Autoruns will highlight the first entry in which it finds the string.

Don't do anything with what you find just yet.

Instead, repeat the search (just press F3) to see if it appears in more than one place in the registry.

If it appears in only one place (and particularly if that one place is in a folder called "temp", as yours is), then it should be safe to simply remove the reference.

Double check that the column labeled "Image Path" matches the path referenced in the error message.

Right click on the entry and click on Delete to remove it.

Now, when you reboot, you should no longer have that annoyance on login.

Multiple Entries, Partial Matches and More

In your case, I believe that there'll be only one entry, it'll match your error message completely, and deleting it will resolve your issue.

Malware also attempts to disguise itself by using names of other more common components. In this case, you need to do a little more careful examination of the results before deleting anything. There are no blanket rules here, just a few tips and guidelines.

I'll make up an example - let's say that your error message referenced "C:/Users/leon/AppData/Local/Temp/qttask.exe". In searching for it before deleting we might find more than one instance of something called "qttask".

One of them is valid:

autoruns showing a valid qttask

The things to note here include:

  • The full path does not match the error message, even though the base name is the same.

  • This executable does not reside in a suspicious location. "Program Files" is where much software gets installed. "Temp" is not.

  • Other information about the executable listed appears valid.

  • It's for software that I know I actually have installed on the machine.

As I said, these aren't rules as much as guidelines (malware could certainly install itself in "Program Files" for example), but when used as clues and particularly when matching against a specific error message such as in your original example, they can be used to make a fairly educated decision about what is and what is not likely to be malware.

And if we guess wrong - well, that's why we started with a backup.
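The search from "Removing the Auto-Start Entry" and the path and location checks listed above can also be done from a PowerShell prompt. This is an added example, not part of the original article and not a replacement for Autoruns: it only reads the four standard Run/RunOnce registry keys (Autoruns inspects many more locations), and the helper name `Get-TargetPath` and the report column names are assumptions of the example.

```powershell
# Added example: read-only audit of the per-machine and per-user Run/RunOnce keys.
$needle  = 'cmstpcln'   # base name from the error message quoted in the article
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull out the file an auto-start command line actually loads.
function Get-TargetPath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Try, in order: quoted path, unquoted path ending in a known extension, first token.
    if (-not ($cmd -match '^"([^"]+)"\s*(.*)$' -or
              $cmd -match '^(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s+(.*))?$' -or
              $cmd -match '^(\S+)\s*(.*)$')) { return $null }
    $exe, $rest = $Matches[1], $Matches[2]
    # rundll32 is only the loader; the file of interest is its DLL argument.
    if ($exe -match '(^|\\)rundll32(\.exe)?$' -and $rest -match '^"?([^",]+)') {
        return $Matches[1].Trim()
    }
    return $exe
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-TargetPath $command
        # A bare file name (no folder) is resolved through PATH, not the current folder.
        $exists  = $target -and ((Test-Path -LiteralPath $target) -or
                                 (Get-Command $target -ErrorAction SilentlyContinue))
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Target       = $target
            Missing      = -not $exists                # file the entry points at is gone
            InTemp       = $target -match '\\Temp\\'   # location the article calls suspicious
            MatchesError = $command -match [regex]::Escape($needle)
        }
    }
}

# Entries that are both missing and match the error message are the leftovers to review.
$report | Sort-Object Missing, MatchesError -Descending | Format-List
```

The script changes nothing; an entry it reports as missing and matching the error message is the one to confirm and delete in Autoruns, after the backup.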

Article C4375 - July 22, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


2 Comments
Ron
July 27, 2010 5:49 PM

Just curious. Why not just uncheck the entry in Autoruns, close Autoruns and restart computer. If the error message does not recur and no new problems arise, it is safe to delete the entry from Autoruns.

Jim
July 28, 2010 1:11 PM

I always like to run CCleaner before and after running spyware scans to clean out all the temp directories. It also does registry cleaning and it's free.
http://www.onlinecomputertips.com/software/ccleaner.html
