• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
lemp4

KERNEL32.DLL screwed up after CoolWebSearch Detect

7 posts in this topic

Hello, I'm posting this here because I can't figure out how to post under PC Troubleshooting area...

 

I detected a virus on my CPU the other night (StartPage-DU) that somehow came

along with an adware program (CoolWebSearch)... after finally getting

rid of them both using McAfee and Ad-Aware, and CWShredder, etc... (i THINK i removed all traces of it...) now my CPU is (still) really

screwed up. Every time Windows ME starts up, it says "keybdmgr has

caused an error in KERNEL32.DLL... if problem persists, try restarting

your computer" and then it freezes. Sometimes when it starts up it says

the same thing, except "Osd has caused an error in KERNEL32.DLL..." and

sometimes its "Rundll caused an error in MMSYSTEM.DLL"... it usually

takes around 5 reboots to successfully get into windows, where i have

limited access to programs and its kinda slow... when i try to open certain programs, like winamp... it says "winamp has caused an error in KERNEL32.DLL..." etc...

 

what happened to my computer?? did the virus do this damage, and is it fixable or permanent?????

Share this post


Link to post
Share on other sites

It seems like you may end up having to reinstall some files or do a system restore. But first lets see a HijackThis log, if at all possible.

 

Download HijackThis now, if you haven't already. Then run it, press Scan then Save Log and paste the contents here. Perhaps it's just a startup entry that's doing this.

Share this post


Link to post
Share on other sites

Hello, Thank you for responding to my problem. I'm still getting lots of random KERNEL32.DLL errors, and in addition now there are KRNL386.EXE errors as well...

 

Just a side note, when McAfee did detect the startpage-DU virus one of the files was "c:\windows\fhmfkad.dll" and it said that it was unable to remove it... when i rebooted in safe mode and scanned again it detected the same file and was still unable to remove it, and when i checked the windows folder the file mysteriously disappeared and now my virus scanner isn't picking up that i have a virus, but is it possible the virus is still in my system?

 

Here is my Hijack this log, i hope this helps..

 

 

-------------------------------------

 

Logfile of HijackThis v1.98.0

Scan saved at 2:44:40 PM, on 7/12/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\DELAYRUN.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\SYSTEM\HPZTSB02.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\AIM95\AIM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HIJACK\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 172.23.2.5

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe \DeadAIM.ocm,ExportedCheckODLs

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = resnet.rutgers.edu

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.216.19,128.6.224.114

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hey guys, i'm still waiting for a little bit of help here if anybody has some time or knowledge... but in the meantime I have made some significant improvements. For anybody who cares (or has a similar problem), I was able to fix my registry by restoring the registry backup (run: scanregw /restore)... luckily there was a restore point from a week ago. I tried a system restore but there were NO RESTORE POINTS available, except from one day ago. Anyways, fixing the registry got rid of >95% of the DLL errors on bootup. Wish somebody could've told me how to fix the registry earlier...

 

But anyways, I think this original virus is still in my system. Ever since I first posted, TrendMicro's PC-Cillin and/or McAfee keep scanning out some random DLL file in the windows folder as being the STARTPAGE virus , in addition to some .CYP file in the internet explorer/temp directory, and also sometimes in the hidden system restore folder. Every day I delete the infected files and they keep commin back. Also today Housecall scanned out TROJ_AGENT.AC, which it was unable to remove, but i deleted it and did the routine of safemode scans.

 

Can anyone tell me if anything's still wrong with my CPU?

 

Thanks for your time.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 1:08:14 AM, on 7/16/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPZTSB02.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\AIM95\AIM.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE

C:\HIJACK\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 172.23.2.5

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart

O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = resnet.rutgers.edu

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.216.19,128.6.224.114

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

I don't spot any obvious problems here.

 

You may have infection in your System Restore. Turn it off - directions here:

http://support.microsoft.com/default.aspx?...kb;en-us;264887

Reboot will then delete all the old restore points.

Then turn System Restore back on and reboot again. ME will automatically make a new restore point.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0