Jump to content


Photo

msmc/message mates and fatal exceptions


  • Please log in to reply
4 replies to this topic

#1 splinky

splinky

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 14 June 2004 - 05:29 AM

Hi,
I think I have multiple problems and I'm guessing it's all because of spyware. I've only developed these issuses within the last 2 weeks. I've used the most up to date ad-aware and spybot.
First, there is something that is called "message mates" that I can't seem to remove.
Second, something called msmc.exe(client man) seems to keep reappearing, no matter how many time I remove it. I think this is the one that keeps turning keywords into links to some search engine.
Thirdly, I can't even shutdown without having a fatal exception. The one that I keep receiving is :
A fatal exception 0E has occured at 0028:C02A27A8 in VXD VWIN32(05) + 000012D0 the current application will be terminated.
Then if I hit a key, my screen goes blank and if I ctrl/alt/delete the only thing showing is "RUNDLL 32"
These are the majority of my issues, there are others, but these are the ones that I am currently most concerned with.
Any help would be GREATLY appreciated.
Here is my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 5:32:34 AM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ETOXE32R\HIJACKTHIS[1].EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\SYSTEM\MSJFBL.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~2.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" -/NOCM
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [PPMemCheck] "C:\PROGRAM FILES\PESTPATROL\PPMemCheck.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...ab?rand=2003453
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7995.3406597222
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx

#2 splinky

splinky

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 14 June 2004 - 06:39 PM

I forgot to add, that something is causing my windows to freeze suddenly, which requires me to shut down, which I can't do without having a fatal exception. Also, my windows media player has been corrupted by something and is not operational. I assume that all of these things are connected.
Thanks again for any help that is offered.

#3 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 15 June 2004 - 07:58 AM

Uninstall WinTools through the Add/Remove Programs control panel.

Next, close all programs, tick the following for removal in HijackThis, and click "Fix Checked:"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\SYSTEM\MSJFBL.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O9 - Extra button: WeatherBug (HKCU)

O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...ab?rand=2003453

Reboot.

Find and delete the following files/folders:

C:\Program Files\Common files\WinTools\
C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\SYSTEM\idctup20.exe

Scan again with HijackThis and post the new log in a reply to this thread.
Signature file is under revision. This will be back shortly.

#4 splinky

splinky

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 15 June 2004 - 05:32 PM

Hi Tuxedo,
Thanks for the help, I appreciate your taking the time to assist. I did as you asked above. I do have a question for you, in my HJT folder there are 9 items titled backup that were created when I had hijack "fix checked", can these now be deleted?

Thanks again for your help.
Here is my new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:26:53 PM, on 6/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~2.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" -/NOCM
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~2.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7995.3406597222
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx

#5 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 03 July 2004 - 11:25 AM

I'm terribly sorry - I've been going nuts lately, and yes, you can delete the backups.

Close all programs, tick the following for removal in HJT, and click "Fix Checked:"

O9 - Extra button: WeatherBug (HKCU)

After that, you're clean.

Clear your Temporary Internet Files immediately. To do this, go to the Internet Controls control panel, then click "Delete Files." Tick the checkbox there, then click "OK.'

You may wish to look at Mozilla Firefox instead of IE. It has no security holes, doesn't integrate into the Windows shell (which is a bad thing due to the shell's control over the system), doesn't download anything without your approval, and doesn't get hijacked.

It also takes up less resources and uses tabs or new windows (tabs save desktop and taskbar space and make closing windows easier). It also comes with a built-in popup blocker as well as the ability to block images from servers (i.e. advertisements) with a right-click.

Firefox is immune to CWS in all its forms. You will _never_ get hijacked by CWS or any of its affiliates ever again if you use Firefox.

There's a link to it in my signature.

IE-SPYAD places over 4,000 known evil sites into the Restricted Sites zone in Internet Explorer so they can't execute ActiveX, Java, or place cookies on your machine. It's a rather nice thing to have. There's a link to it in my signature.

SpywareBlaster can prevent spyware from installing itself on your computer. It does require updating every now and again, but it's rather easy to operate. Just install, run, update, click "Protect," and you're done. Update once every month or so. There's a link in my signature.

Happy computing, and don't forget to use Windows Update once a week!

Edited by Tuxedo Jack, 03 July 2004 - 11:26 AM.

Signature file is under revision. This will be back shortly.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button