Well, obviously HandlerPadARM.dll is not in your machine, so you should be looking for the program that wants this .dll. My guess is that rundll.exe tries to execute this program. I would start asking her to log in using safe mode. After try disabling startup itens, services until you locate the culprit.
HTH, E. > >This appears to be malware of some sort. > >I have an XP machine, restricted user. When s/he logs in she gets a Windows >error message indicating that an attempt by rundll.exe to start something >called HandlerPadARM.dll has failed because the module can't be located. > >This dll is allegedly in ..\[User Name]\Local Settings\Application >Data\mfcmapserv\ > >There is no such dll in that location. In fact, ..\mfcmapserv\ does not exist. > >This problem only occurs when this restricted domain user logs into this >machine; it does not occur when I log in with a domain administrator account. >So this has to be something in either the user's StartUp menu folder or in >HKCU, yes? > >Except: There's nothing in the startup menu folder. A registry search on >"handlerpadarm" finds nothing anywhere. I checked the Run, RunOnce, and >RunServices registry nodes and nothing seems to be amiss there. > >I have run the following scans: > >Avast anti-virus (most current network-based version) Spybot 1.6.2 with most >recent updates MalwareBytes 1.6.x with most recent updates ComboFix (most >recent version) > >Avast and ComboFix found and removed some stuff but they didn't solve this >problem. > >CCCleaner doesn't find any issues that appear to be relevant. > >A Google search on handlerpadarm finds nothing--zero results. > >A Google search on mfcmapserv finds some references to malware involving dlls >of that name, ie. mfcmapserv.dll--but no references to a folder by that name. >These hits suggest that I should check HKCU... run, runonce, etc...as I noted, >nothing found there. > >This error message appears to be harmless but it is very annoying. I REALLY >don't want to have to delete this person's profile and recreate it. > >Any suggestions would be gratefully appreciated. > >Ken Dibble >www.stic-cil.org > > >[excessive quoting removed by server] > >_______________________________________________ >Post Messages to: [email protected] >Subscription Maintenance: http://leafe.com/mailman/listinfo/profox >OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech >Searchable Archive: http://leafe.com/archives/search/profox >This message: >http://leafe.com/archives/byMID/profox/[email protected] >** All postings, unless explicitly stated otherwise, are the opinions of the >author, and do not constitute legal or medical advice. This statement is added >to the messages for those lawyers who are too stupid to see the obvious. > > > --- StripMime Report -- processed MIME parts --- multipart/alternative text/plain (text body -- kept) text/html --- _______________________________________________ Post Messages to: [email protected] Subscription Maintenance: http://leafe.com/mailman/listinfo/profox OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/[email protected] ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
