Solved

mcenspc.dll error occurring various times

Posted on 2009-04-06
Last Modified: 2012-05-06
Hello,

At random times, I am getting an error that says The application or DLL C:\WINDOWS\system32\mcenspc.dll is not a valid Windows image. Please check this against your installation diskette.

I have attached a screen shot.

This particular time it happened when I double-clicked the clock in the bottom right corner to bring up the calendar. It seems to happen at just random times and occasionally on startup. It doesn't appear to adversely affect anything when I click OK but nonetheless would rather not get this error...

Ideas?

Thanks!
error1.jpg
0
Question by:ChainGreyIV
16 Comments
 
LVL 8

Expert Comment

by:skywalker39
ID: 24082192
Hi ChainGreyIV,

Try running your Anti-Virus and Anti-Spyware and see if you're infected with anything.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24082198
You might get this if the file mcenspc.dll is left out while uninstalling some program, or when attempting to eliminate spyware or malware through a spyware scan.
0
 

Author Comment

by:ChainGreyIV
ID: 24082216
Hello,

What anti-spyware do you recommend? I'm on avast av and it has turned up nothing.

thanks,
Gavin
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24082345
Here are some free ones to check out.

            1. SUPERAntiSpyware
            2. Malwarebytes' Anti-Malware
            3. Sophos Anti-Rootkit
            4. AVG
            5. PC Tools AntiVirus Free Edition

http://www.superantispyware.com/
http://www.malwarebytes.org/mbam.php
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
http://free.avg.com/download-avg-anti-virus-free-edition
http://www.pctools.com/free-antivirus/

Those are just a couple off the top of my head to try out.

Here are some that are pretty good also, but they're not free.

          1. Spyware Doctor with AntiVirus
          2. Webroot Spy Sweeper
          3. Trend Micro (There is a trial edition you can try for I think around 14 days).

http://www.pctools.com/spyware-doctor-antivirus/
http://www.webroot.com/En_US/consumer-products-spysweeper.html
http://us.trendmicro.com/us/home/index.html?utm_source=www.trendmicro.com&utm_medium=referral&utm_campaign=www.trendmicro.com
0
 

Author Comment

by:ChainGreyIV
ID: 24082661
I will try these and check back
0
 

Author Comment

by:ChainGreyIV
ID: 24082842
I've run the SUPERAntiSpyware. I'm now getting this error popping up on startup for google tool bar, note book hardware control among others....

Is there a way to just copy a fresh copy of whatever this file is over?
0
 
LVL 8

Accepted Solution

by:
skywalker39 earned 250 total points
ID: 24082868
Do you have system restore enabled? If so, you can try a system restore and see if that fixes the problem. I would suggest you try doing a system restore in safe mode. If that doesn't work, if you have your Windows XP cd, you can try to do a repair, don't format your hard drive or don't do a fresh install, and let's see if that fixes the problem as well.
0
 

Author Comment

by:ChainGreyIV
ID: 24082887
Are there any repercussions of doing a repair? Will I need to reinstall any updates or anything?
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24082950
Just to be safe rather than sorry, I would back up any important information (data) in case something does happen. Nothing should, but just to be safe. As far as reinstalling any updates, you shouldn't have to.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 24086977
A quick search on Google turns up a large number of pages in which the file C:\Windows\System32\mcenspc.dll appears to be virus related, and specifically Trojans.  Unfortunately there are an equal number of apparently unqualified people rendering advice to those people experiencing the error, and some of the advice ranges from plain dumb to dangerous.  Of course, I only believe about 10% of the stuff I read on other people's web pages, so I have checked a bit more.

The one common aspect in the majority of the reasonably well answered problem questions that have been resolved is the Registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]

In many of the online discussions people suggest deleting the entire "SecurityProviders" key, but from what I see this key is a legitimate one created by Windows.  I believe that what they SHOULD have been suggesting is the deletion of the "mcenspc.dll" file name from within the data value named "SecurityProviders" within the "SecurityProviders" key.

Click on the "More Information" tab of this page and you will see a more qualified "rating" on that filename:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentjdq.html

If you open Regedit (Start Menu > Run > and type Regedit > click OK), and then expand the keys in the left pane by clicking the + signs, you can navigate down through the keys to that one mentioned above.  In the RIGHT-hand pane you will see the "SecurityProviders" value (white icon with burgundy "ab").  Double-Click on that and you will most likely see the following comma-separated file names in the "Value Data" field of the new popup dialog:

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

Note, contrary to the wrong advice to delete the entire "SystemProviders" registry key or the REG_SZ value of the same name, the "mcenspc.dll" in that value is the rogue entry.  The other file names are genuine ones.  That is not to say for certain that the other files could not be infected, but the point is that the key and value are created by Windows with those file names, and malicious activity has ADDED the name "mcenspc.dll" to the list.

On an uninfected Windows XP SP3 system:

C:\WINDOWS\system32\msapsspc.dll
C:\WINDOWS\system32\dllcache\msapsspc.dll

File Size: 84.0 KB (86,016 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "DPA Client for 32 bit platforms"
"InternalName", "MSAPSSPC"
"LegalCopyright", "Copyright © 1995-1996 Microsoft Corporation"
"OriginalFilename", "MSAPSSPC.DLL"
"ProductName", "Microsoft® Internet Services"
"FileVersion", "6.00.7755"
"ProductVersion", "6.00.7755"

C:\WINDOWS\system32\schannel.dll
C:\WINDOWS\system32\dllcache\schannel.dll

File Size: 141 KB (144,384 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "TLS / SSL Security Provider"
"FileVersion", "5.1.2600.5512 (xpsp.080413-2113)"
"InternalName", "schannel.dll"
"LegalCopyright", "© Microsoft Corporation. All rights reserved."
"OriginalFilename", "schannel.dll"
"ProductName", "Microsoft® Windows® Operating System"
"ProductVersion", "5.1.2600.5512"

C:\WINDOWS\system32\digest.dll
C:\WINDOWS\system32\dllcache\digest.dll

File Size: 67.0 KB (68,608 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "Digest SSPI Authentication Package"
"FileVersion", "6.00.2900.5512 (xpsp.080413-2105)"
"InternalName", "digest.dll"
"LegalCopyright", "© Microsoft Corporation. All rights reserved."
"OriginalFilename", "digest.dll"
"ProductName", "Microsoft® Windows® Operating System"
"ProductVersion", "6.00.2900.5512"

C:\WINDOWS\system32\msnsspc.dll
C:\WINDOWS\system32\dllcache\msnsspc.dll

File Size: 284 KB (290,816 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "MSN Internet Access"
"FileVersion", "6.1.1825.0"
"InternalName", "MSNSSPC.DLL"
"LegalCopyright", "Copyright (C) Microsoft Corp. 1981-2001"
"OriginalFilename", "MSNSSPC.DLL"
"ProductName", "Microsoft(R) MSN(R)"
"ProductVersion", "6.1.1825.0"

You will note that each of the above legitimate files is found in two system folders.  The one in the "dllcache" folder is the backup used to restore the file if it is deleted or modified.  I suggest that you look in that folder to see if the rogue file "mcenspc.dll" exists there, and if so delete it.

If you cannot see that folder, then you need to do as follows:
In Windows Explorer: Tools > Folder Options > View tab.
or
Control Panel > Folder Options > View tab.

Check or uncheck the boxes (remembering what they were before doing this) so that you are seeing hidden and system files, the contents of system folders, and also protected system files.

Next I believe that you should try to "Unregister" the rogue DLL file by typing the following command into the Start Menu's Run field:

regsvr32 /u c:\windows\system32\mcenspc.dll

If it comes up with a "DLL found but entry point not found" (or similar), then just accept that.  If that is the case, then the file is not the type that creates other registry entries through this process.

Now press Ctrl + Alt + Del to open Task Manager and look to see if "mcenspc.dll" is mentioned as a running process.  If so, then click on it and choose "End Task".   Another way to see what processes are loaded and running is to type MSINFO32 into the Start Menu's Run field, Wait for it to load fully, then expand it to the Software Environment > Loaded Modules section and wait for it to load.

Delete c:\windows\system32\mcenspc.dll

Now open Regedit, click on any key in the left pane, then press and hold the LEFT arrow key to collapse all keys and take it back up to the top level "My Computer".  Press the Right arrow once to open it out to only the master (hive) keys.

Edit > Find > and enter the file name mcenspc.dll
Set it to find Keys, Values, and Data, but UNCHECK the "Match whole string only".
Find Next.

For each EXACT match on the file name, evaluate whether it relates to an important setting.  When I say "important", what I mean is that the registry stores a lot of "MRU" settings, ie. Most Recently Used, and if you have searched for that file name in Internet Explorer or done a Windows search for it, these searches will be stored against a, b, c, etc values.

The idea here is to delete ONLY the values that are like the one mentioned earlier, ie. in the Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
The instance of the file name in the Value named "SecurityProviders", NOT the Value or the Key that it is in.

If you have any doubts, then please ask first before doing.  The Registry is not a place to mess around in.

When that is done, I suggest that you run the following utility to display all processes that run when your system is launched:
http://www.silentrunners.org/index.html

Right-Click on the following link and choose "Save Target As" to save the file "Silent Runners.vbs":
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to the Root of your C: Drive where it is easiest to run.

Right-Click the downloaded file and choose "Open with Command Prompt", which should be an option.

Assuming it runs, you will see "Silent Runners has started.  Please be patient", which is what you should be because it will take a while.  It will eventually close and create a report in the same folder (ie. the root of the C: Drive) named:
Startup Programs (ComputerName) YYYY-MM-DD HH.MM.SS.txt

If you see any instances of "mcenspc.dll" in the results file, and if you can't interpret the results, then feel free to upload the *.txt file here for us to see.

If it doesn't run, then first of all try the following command from the Start Menu's Run field:

cscript "c:\silent runners.vbs"

If that doesn't work, then read the FAQ page:
http://www.silentrunners.org/sr_faq.html

If there are any instances of "mcenspc.dll" in the Silent Runners results file, then something MAY try to reload it at the next reboot.  I am hoping not but you should be aware that this is a possibility, and it's always better to power off and then restart after a few minutes than to do a warm reboot after removing any malware.

Now finally do a full system scan for any other malware.

The reason I have taken time to spell this out in detail is that all the *.dll files mentioned in the registry value that seems to be written to by this malware are concerned with encryption and passwords.  I don't think I have to spell out the potential of having a rogue process affiliated with those activities.

Check your bank statements for unusual activity if you do online banking!!
0
 
LVL 38

Expert Comment

by:BillDL
ID: 24087102
I have attached a "Registry File" named "Remove-mcenspc-DLL.txt".
Save it to any folder, then Right-Click and rename it by changing the .TXT extension to .REG.
Accept the warnings about changing file types.

This is a registry script that will overwrite the existing "SecurityProviders" REG_SZ value in the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
so that it removes "mcenspc.dll" from the value but leaves the file names:
"msapsspc.dll, schannel.dll, digest.dll"

Right-Click on the *.REG file and choose "Merge".  Accept prompts about writing the data to the registry.

This is just to make it easier for you.  It would be a wise idea to first make sure that file names are listed in that value BEFORE merging the registry file.  You can do this quite easily by typing the following command into a new "Command" window:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders /v SecurityProviders

Remove-mcenspc-DLL.txt
0
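The check described in the two posts above (run the `reg query` command, then look for file names that do not belong in the "SecurityProviders" value), as an added example that is not part of the original thread. It assumes the four file names listed for an uninfected Windows XP SP3 system are the baseline; the sample output and the function names are constructed for illustration.

```python
import re

# Baseline (assumption): the four file names the thread lists for an
# uninfected Windows XP SP3 system.
BASELINE = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Matches the value line printed by:
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders /v SecurityProviders
VALUE_RE = re.compile(r"^[ \t]*SecurityProviders[ \t]+REG_SZ[ \t]+(.*)$",
                      re.IGNORECASE | re.MULTILINE)

# Constructed sample output (not captured from a real machine).
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
    SecurityProviders    REG_SZ    msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
"""


def parse_reg_query(output):
    """Return the file names held in the SecurityProviders REG_SZ data."""
    match = VALUE_RE.search(output)
    if match is None:
        raise ValueError("SecurityProviders REG_SZ value not found")
    return [name.strip() for name in match.group(1).split(",") if name.strip()]


def audit(output, baseline=BASELINE):
    """Split the listed names into expected and unexpected entries."""
    names = parse_reg_query(output)
    known = {b.lower() for b in baseline}
    unexpected = [n for n in names if n.lower() not in known]
    kept = [n for n in names if n.lower() in known]
    return {
        "listed": names,
        "unexpected": unexpected,
        # Data to write back: only the unexpected names are dropped; the key
        # and the value itself stay in place.
        "cleaned_value": ", ".join(kept),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INFECTED)
    print("listed:       ", report["listed"])
    print("unexpected:   ", report["unexpected"])
    print("cleaned value:", report["cleaned_value"])
```

Saved `reg query` output from a machine can be passed to `audit()` in place of the constructed sample; an empty "unexpected" list means the value holds only baseline names.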
 

Author Comment

by:ChainGreyIV
ID: 24134567
I will give this a shot and get back with the results.

thanks!!
0
 

Author Comment

by:ChainGreyIV
ID: 24144550
Please see attached screen shot of result of the cmd prompt query.
msapsspc.dll, schannel.dll, digest.dll were there, the msnsspc.dll appeared as well. mcenspc.dll was not.


cmdresults.jpg
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 250 total points
ID: 24145926
That's a bit disappointing.  I was really hoping that your scenario matched the root cause of the other similar questions and resolutions I found online.  At least we have eliminated that possibility.

OK, so something is trying to "call" mcenspc.dll.  It is still possible that there is some instance in the registry of this file name in keys other than the one we have eliminated.  Open Regedit and take it back up to the topmost "My Computer" level.  The easiest way is to click any key in the left pane then press and hold the Left arrow key to collapse all keys, then press the Right arrow key once.  Edit menu > Find.  Tick the Keys, Values, and Data options plus the "match whole string only", enter the full file name (mcenspc.dll) and click "Find Next".

For each instance of that file name found, RIGHT-click on the Key (ie. Left pane) containing the found item, and choose "Copy Key Name".  Paste out into Notepad as the reference to later navigate back to the Key(s) to investigate.  Press F3 (Find Next option) to continue until it says not found.

Let us know if there are any instances of "mcenspc.dll" found in Regedit.

You might also be able to replicate the error message.  This time open the Event Viewer and see if it provides details about what program or process called "mcenspc.dll".  To open Event Viewer, type the following into the Start Menu's Run field:

eventvwr.msc /s

If the error was trapped as an event, then it should show in the list under one of the category sections with a Red X at the time the error occurred.  Double-clicking on the actual event entry will display more detail that can be copied and pasted here.
0
 

Author Closing Comment

by:ChainGreyIV
ID: 31567274
I am a little unsure what ended up fixing this as it has gone away. I ran a system restore, repair via XP disk as well as following Bill DL's suggestions and in combination appear to have eliminated the problem.

Thanks guys.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 24329120
Thank you ChainGreyIV.  I am glad you resolved the issue, by whatever means.
0
