• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
splinky

msmc/message mates and fatal exceptions

5 posts in this topic

Hi,

I think I have multiple problems and I'm guessing it's all because of spyware. I've only developed these issuses within the last 2 weeks. I've used the most up to date ad-aware and spybot.

First, there is something that is called "message mates" that I can't seem to remove.

Second, something called msmc.exe(client man) seems to keep reappearing, no matter how many time I remove it. I think this is the one that keeps turning keywords into links to some search engine.

Thirdly, I can't even shutdown without having a fatal exception. The one that I keep receiving is :

A fatal exception 0E has occured at 0028:C02A27A8 in VXD VWIN32(05) + 000012D0 the current application will be terminated.

Then if I hit a key, my screen goes blank and if I ctrl/alt/delete the only thing showing is "RUNDLL 32"

These are the majority of my issues, there are others, but these are the ones that I am currently most concerned with.

Any help would be GREATLY appreciated.

Here is my hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:32:34 AM, on 6/14/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\PROGRAM FILES\CALLWAVE\IAM.EXE

C:\WINDOWS\SYSTEM\LEXPPS.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ETOXE32R\HIJACKTHIS[1].EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\SYSTEM\MSJFBL.DLL

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~2.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [updateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" -/NOCM

O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"

O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [LexStart] lexstart.exe

O4 - HKLM\..\Run: [PPMemCheck] "C:\PROGRAM FILES\PESTPATROL\PPMemCheck.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE

O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...ab?rand=2003453

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7995.3406597222

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

Share this post


Link to post
Share on other sites

I forgot to add, that something is causing my windows to freeze suddenly, which requires me to shut down, which I can't do without having a fatal exception. Also, my windows media player has been corrupted by something and is not operational. I assume that all of these things are connected.

Thanks again for any help that is offered.

Share this post


Link to post
Share on other sites

Uninstall WinTools through the Add/Remove Programs control panel.

 

Next, close all programs, tick the following for removal in HijackThis, and click "Fix Checked:"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

 

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\SYSTEM\MSJFBL.DLL

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL

 

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

 

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

O9 - Extra button: WeatherBug (HKCU)

 

O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...ab?rand=2003453

 

Reboot.

 

Find and delete the following files/folders:

 

C:\Program Files\Common files\WinTools\

C:\WINDOWS\ALCHEM.exe

C:\WINDOWS\SYSTEM\idctup20.exe

 

Scan again with HijackThis and post the new log in a reply to this thread.

Share this post


Link to post
Share on other sites

Hi Tuxedo,

Thanks for the help, I appreciate your taking the time to assist. I did as you asked above. I do have a question for you, in my HJT folder there are 9 items titled backup that were created when I had hijack "fix checked", can these now be deleted?

 

Thanks again for your help.

Here is my new HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:26:53 PM, on 6/15/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\ESET\NOD32KRN.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\ESET\NOD32KUI.EXE

C:\PROGRAM FILES\CALLWAVE\IAM.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~2.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [updateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" -/NOCM

O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"

O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe

O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE

O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O10 - Broken Internet access because of LSP provider 'imon.dll' missing

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7995.3406597222

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

Share this post


Link to post
Share on other sites

I'm terribly sorry - I've been going nuts lately, and yes, you can delete the backups.

 

Close all programs, tick the following for removal in HJT, and click "Fix Checked:"

 

O9 - Extra button: WeatherBug (HKCU)

 

After that, you're clean.

 

Clear your Temporary Internet Files immediately. To do this, go to the Internet Controls control panel, then click "Delete Files." Tick the checkbox there, then click "OK.'

 

You may wish to look at Mozilla Firefox instead of IE. It has no security holes, doesn't integrate into the Windows shell (which is a bad thing due to the shell's control over the system), doesn't download anything without your approval, and doesn't get hijacked.

 

It also takes up less resources and uses tabs or new windows (tabs save desktop and taskbar space and make closing windows easier). It also comes with a built-in popup blocker as well as the ability to block images from servers (i.e. advertisements) with a right-click.

 

Firefox is immune to CWS in all its forms. You will _never_ get hijacked by CWS or any of its affiliates ever again if you use Firefox.

 

There's a link to it in my signature.

 

IE-SPYAD places over 4,000 known evil sites into the Restricted Sites zone in Internet Explorer so they can't execute ActiveX, Java, or place cookies on your machine. It's a rather nice thing to have. There's a link to it in my signature.

 

SpywareBlaster can prevent spyware from installing itself on your computer. It does require updating every now and again, but it's rather easy to operate. Just install, run, update, click "Protect," and you're done. Update once every month or so. There's a link in my signature.

 

Happy computing, and don't forget to use Windows Update once a week!

Edited by Tuxedo Jack

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0