June 4th, 2004 14:00
what is msdtcuiu.exe?
Hi I had a trojan downloader.small infected on my laptop. I ran AVG and the file that is infected is msdtcuiu.exe which is located in C:\\windows\system32\msdtcuiu.exe. The file is currently in the avg virus vault and healing. But does anyone know what this application does and if I were to delete the entire file (msdtcuiu.exe), would there be any issues with my computer?
DELL-Chris M
Community Manager
June 4th, 2004 15:00
Welcome to the Dell Community Forum (DCF).
Copy, then rename the copy to msdtcuiu.~~~, then delete the original. Restart, see what happens.
Texruss
2 Intern
June 6th, 2004 00:00
> infected is msdtcuiu.exe which is located in C:\\windows\system32\msdtcuiu.exe. The file is currently in the avg virus vault and healing. But does anyone know what this application does and if I were to delete the entire file (msdtcuiu.exe), would there be any issues with my computer?
Not a legitimate Windows file to my knowledge. If it's in quarantine (the vault) your computer can't utilize it anyway so if there were any issues from its loss you would already experience them.
Probably have more stuff...rats come in packs.
If you'd like us to take a look...download and install an analysis and repair tool called Hijackthis.
Go here and download the file: http://tomcoyote.com/hjt
Please unzip Hijackthis.zip into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. (don't unzip it into a temp folder or run the file from a temp folder, or the Windows Desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)
See my entire Hijackthis FAQ (Frequently Asked Questions) at:
http://russelltexas.com/malware/faqhijackthis.htm
After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
HTH (Hope that Helps)
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
jlu
June 6th, 2004 01:00
Hey, thanks for the responses. This is a copy of my HijackThis log; can you please let me know what I need to delete. Also, the file infected with the virus is still in the AVG virus vault healing....what should I do with this file?
Logfile of HijackThis v1.97.7
Scan saved at 10:24:02 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ZoneAlarm\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\AVGANT~1\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SpyBot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG_CC] C:\AVG Antivirus\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msdtcuiu] C:\WINDOWS\System32\msdtcuiu.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://net.wcmc.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Texruss
2 Intern
June 6th, 2004 02:00
>the file infected with the virus is still in the AVG virus vault healing....what should i do with this file?
We will heal it permanently. *;-)
RedSwoosh is oh so popular tonight....
Edit: almost missed this until I snapped to it a few minutes later...*;-)
Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.
See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm
Run Hijackthis in new safe folder, scan and check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKCU\..\Run: [msdtcuiu] C:\WINDOWS\System32\msdtcuiu.exe
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following file if it is present:
C:\WINDOWS\System32\msdtcuiu.exe (your baddie...it may or may not be there). If AVG has it locked up then delete it in the AVG vault.
Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleaner completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Download and run these two programs at the following link (Spybot S&D and Adaware). Use Spybot first.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the guide and go slow on the directions for the custom setup of Adaware:
http://www.cjwd.demon.co.uk/spybot-adaware.html
After cleaning with Spybot and Adaware, reboot a final time.
Browse a bit and post a new Hijackthis log.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Message Edited by Texruss on 06-05-2004 10:26 PM
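The two logs in this thread show the pattern Texruss checked for: a per-user Run key (O4 under HKCU) launching an executable from System32, HijackThis itself running out of a Temp folder, and the lines that disappear after "fix checked". The script below is an added example, not code from the thread or from HijackThis: it parses a HijackThis 1.97-style log into its process list and lettered entries, flags those two patterns, and diffs a before and after log. The `BEFORE_LOG` and `AFTER_LOG` samples are constructed from the logs posted above, trimmed to the relevant lines; the System32 and Temp heuristics are my own, meant to prioritise review rather than to judge a file.

```python
# Triage helper for HijackThis 1.97-style logs (added example, not HijackThis code).
import re
from dataclasses import dataclass, field

# "O4 - HKCU\..\Run: [name] command" -> kind="O4", body="HKCU\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
HKCU_RUN_RE = re.compile(r"^HKCU\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYSTEM_DIR_RE = re.compile(r"\\(?:windows|winnt)\\system32\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)   # paths under "Running processes:"
    entries: dict = field(default_factory=dict)     # kind -> [body, ...] in log order


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its process list and its lettered entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # the first lettered entry ends the process block
            in_procs = False
            log.entries.setdefault(m["kind"], []).append(m["body"])
        elif in_procs:
            log.processes.append(line)
    return log


def suspicious_user_run_entries(log: HjtLog) -> list:
    """O4 entries under HKCU\\..\\Run whose command lives in a Windows system directory.

    A per-user Run key is where the dropper in this thread persisted; system components
    normally register under HKLM or as services. Heuristic for review, not a verdict.
    """
    hits = []
    for body in log.entries.get("O4", []):
        m = HKCU_RUN_RE.match(body)
        if m and SYSTEM_DIR_RE.search(m["cmd"]):
            hits.append((m["name"], m["cmd"]))
    return hits


def processes_from_temp(log: HjtLog) -> list:
    """Running executables launched from a Temp folder (HijackThis itself, in the first log)."""
    return [p for p in log.processes if TEMP_DIR_RE.search(p)]


def removed_entries(before: HjtLog, after: HjtLog) -> list:
    """Entries present in `before` but gone from `after`, as 'kind - body' strings."""
    kept = {(k, b) for k, bodies in after.entries.items() for b in bodies}
    return [f"{k} - {b}" for k, bodies in before.entries.items()
            for b in bodies if (k, b) not in kept]


# Constructed samples, trimmed from the two logs posted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [AVG_CC] C:\AVG Antivirus\avgcc32.exe /startup
O4 - HKCU\..\Run: [msdtcuiu] C:\WINDOWS\System32\msdtcuiu.exe
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
O4 - HKLM\..\Run: [AVG_CC] C:\AVG Antivirus\avgcc32.exe /startup
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    b, a = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    print("per-user Run entries launching from System32:", suspicious_user_run_entries(b))
    print("processes running from a Temp folder:", processes_from_temp(b))
    print("entries removed between the two logs:")
    for line in removed_entries(b, a):
        print("  ", line)
```

Run it on the two logs and the diff lists exactly the lines Texruss had checked for fixing (the Yahoo search/start page lines, the F2 UserInit line, the msdtcuiu Run entry and the Vividence DPF), while the Temp check fires only on the first log, where HijackThis was still running from the zip's temporary folder.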
jlu
June 6th, 2004 11:00
Thank you so much for helping me out and going through it step by step. I hope I did everything correctly...=). I did everything you asked except downloading Adaware. I had Adaware downloaded on my computer a while back, but I uninstalled it because I just preferred Spybot. But if there are any more problems on my log then I will download it again. Also, when I went into safe mode, I didn't see the file msdtcuiu.exe, but I did see a file named msdtcuiu.dll. I didn't delete it, but I wasn't sure if this file has anything to do with msdtcuiu.exe. I also deleted msdtcuiu.exe from the AVG virus vault. I ran Spybot and AVG again. So here is my new HijackThis log. Please let me know what else I need to delete.
Logfile of HijackThis v1.97.7
Scan saved at 8:51:16 AM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVGANT~1\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\AVG Antivirus\avgcc32.exe
C:\ZoneAlarm\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SpyBot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG_CC] C:\AVG Antivirus\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
jlu
June 6th, 2004 13:00
Texruss
2 Intern
June 6th, 2004 14:00
You did great...well done! Adaware catches things Spybot misses and vice versa. They are the main guns for malware defenses so you're cheating yourself by not using Adaware. *;-) Any other issues besides the wireless?
Edit: >but I did see a file named msdtcuiu.dll. I didn't delete it
Yes... don't delete that one. I believe it is a legit Windows file.
Offtopic for this Forum, but I will try to help:
Your wireless connection may be unrelated to malware, so as a PC technician I would have to go through substitution checks to figure out what is going wrong.
1. Try another computer on the connection to eliminate the ISP as a factor. If the second computer doesn't freeze then the blame is off their end.
2. Try another port on your switchable hub if that's what you use for your wireless access point. If you have a wireless router then try a new patch cable. also turn off the router and turn it back on.
3. Reseat your wireless card if it's a desktop unit. If it's a laptop unit then the issue can be a faulty internal chip or a bad PC card unit (depending on what you have). Also, if this is a Dell, I have found the internal chip is not so strong for most WAPs (wireless access points). A matched pair of PCMCIA (PC card slot) wireless card and WAP or router (all from the same manufacturer) works best in my experience.
4. Try a hardwire Ethernet connection to your broadband.
5. Hardware checks complete, then it's time to look at software issues and this I'll leave to the Windows Forum. Msconfig is a good troubleshooter, but not a permanent fix.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Message Edited by Texruss on 06-06-2004 11:13 AM
Texruss
2 Intern
June 6th, 2004 18:00
Followup...I was concerned about this line:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
I emailed my teacher, Chris and here's his reply:
Most likely malware – Get the properties from the file – and I expect you will need to kill and get them a new copy of Media player
*******************************************************************
Find that usually legitimate file in
C:\Program Files\Windows Media Player\wmplayer.exe
See my brand new tutorial here on how to check. Report back what you find.
If it is malware we will also need to fix check that line in Hijackthis, reboot to Safe Mode and delete that file. Then reboot to Windows and download and reinstall Media Player 9. If you have an older copy of Media Player (pull down under Help on top toolbar while in the program and click on About Windows Media Player to see your version) I would advise replacing with Media Player 9. I just did so myself as my new laptop from Dell (one month old) came with the older 8.0 version.
Media Player 9 can be downloaded from here.
HTH,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
jlu
June 6th, 2004 18:00
Texruss
2 Intern
June 6th, 2004 19:00
Yes...do all that...remove Viewpoint, fix the line in Hijackthis and then get MP 9.
Edit: BTW...ViewPoint Media Player is persona non grata in my opinion:
Link
Texruss
Message Edited by Texruss on 06-06-2004 03:43 PM
jlu
June 6th, 2004 19:00
jlu
June 6th, 2004 20:00
Downloaded version 9 into a new folder in Program Files, but it's not able to complete setup for some reason. I tried a couple of times...this is what it states:
it was not possible to complete setup
windows media player 9 series was not installed. to update windows, run windows media player 9 series setup again.
Texruss
2 Intern
June 6th, 2004 20:00
You can probably do OK just leaving that and reinstalling over the top. To kill a process file in memory do this: Boot to Safe Mode and attempt to delete the file. Resists? Hit Control-Shift-Escape keys at same time for XP users and in Processes stop that file or process. Then go back and delete file. Still resists? It may be read-only. Right button click on filename and left on Properties. Uncheck Read-Only attribute if it is checked.
Get your MP 9 installed and post a fresh log. You are doing fine.
HTH,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
jlu
June 6th, 2004 20:00
Texruss
2 Intern
June 6th, 2004 21:00
If the Windows Media Player install fails, you can look for more information in the file "c:\windows\wmsetup.log". In this file will be lines beginning with "ERROR: ". Those lines help indicate what the error was. Please post those in one reply post and also a new Hijackthis log in a separate post.
Texruss