
Windows ME headache


  • This topic is locked
4 replies to this topic

#1 Eishtmo

Eishtmo

    Member

  • Full Member
  • 3 posts

Posted 18 September 2005 - 12:23 AM

I guess I'll be descriptive here.

First of all, this isn't my computer, it's my lovely sister's, which means I don't control the content or how she uses it, which is part of the problem. It's also an older HP computer (4 or 5 years, okay, not THAT old), so it didn't come with an ME disk, instead it came with a bunch of 'recovery disks' that according to the documentation will wipe the hard drive if I use them. I wish to avoid this if at all possible. I'd like to apologize now for any rambling, this is part cry for help, part insane rant.

Now the problem. Two weeks ago (not last Wednesday, the one before that), my sister clicked on an AIM profile to view it and the computer crashed to a blue screen, complaining about some error in vwin32(05) (I don't have the full error code on me, left it with my sister. I probably won't be able to get to it until morning. In any case, the code seems to change, so it may not be totally helpful anyway). This blue screen error would occur (still does in fact, but I'll get to that) usually only a few seconds after everything would have started up. Killing everything but the essentials did nothing.

Using AVG, there were no viruses to speak of, so I was reduced to using a woefully out of date Spybot (v1.3, why she didn't update it for 4+ months, I still don't know), which showed nothing. Searching for the error brought up a few suggestions about a bug in some nVidia drivers, which might have made sense if she had nVidia drivers (Intel onboard graphics is what she does have).

The oddest part about the problem is usually at boot up. Right when the background image comes up, the computer hangs. It sits there, staring at me, and CTRL-ALT-DEL brings up that two or more Rundll files are going and more often than not Explorer is listed as not responding. This happens in both normal and safe mode. I think it's related to whether the shut down was normal or done via the three finger salute, but I couldn't find any correlation between them, and frankly it ticks me off, so I try to avoid it. The only solution is to constantly kill a Rundll until the thing sticks and runs, but even then it takes forever, and I may not be actually doing any good by doing this (in fact, I'm pretty sure this is not a solution, but an exercise in futility, it'll boot up when it's good and ready). Final thing on boot up, last time I started it up, in safe mode no less, it flashed up the dial up screen (she's on a modem, as am I, we are poor).

Eventually, I found out that there is a standalone update for Spybot (yeah, I should have known), used it, ran it, found some nasty thing (what it was has escaped me, I'm sorry to say), cleaned it out, rebooted and much to my surprise, it worked!

I had, in the intervening time, run HijackThis, found some nasty things via http://www.hijackthis.de/ but the program couldn't remove them, but after the thing booted up, I let it go. Figured it was fixed. (The log listed is the one I got from that initial battle, a more updated one can be obtained, but I don't think it's much different. The bad things I know of are bolded for your scrutiny.)

So when the error came back last Wednesday, I was more than a little irked. Apparently my lovely sister had again tried to view this person's AIM profile, but instead of immediately killing it, it waited about half an hour, literally grinding the computer to a halt in the process. I'm not sure if the AIM thing is connected to the actual problem or not, but you know. (Why she did this thing, I don't know, I could smack her for that. I didn't, but I could have.)

Spybot, run in safe mode, comes up clean. Crap. Shut it down, brood on it for a day or so, boot it back up in normal mode, get the vwin error. Out of curiosity, I hit enter (it suggests this to get back to windows, figured what the heck), and it worked! Used the time to download any other updates for Spybot (immunization file was about it) and get Adaware. 493 items came up. Killed them all. No resolution to the problem. In fact, it seems to have gotten worse.

Yesterday, booted it up normal to see what I might be able to do, and it worked fine, for a while (not even the vwin error, I might add). Then the computer's hard drive light (little yellow one) and the clicking started up. And I mean started up and refused to stop. Scared the bejesus out of me, so I stripped what I could off of it (flash drives are nice), and shut it down. The next time I booted it up, blue screen, hit enter, then an error that had something to do with DOSJAVA.DLL (Msgsrv32 has caused error in DOSJAVA.DLL, I think. I really should have written more of this stuff down). Yeah, that's the one in the Hijackthis log. This mysterious villain is playing havoc with the computer, I think. So much so that safe mode is randomly crashing (all icons, menu bar go poof), Explorer seems to be crashing (not responding first, then poof, gone) even in safe mode, and yet the computer still runs, for a time, then goes into a whirling crash of blue screens.

Which is where I sit now. I think that when I unleashed Adaware on the thing, I deleted the item (DOSJAVA.DLL, or whatever it really is), but the function is still in the registry (the log, as I said, is virtually identical to the one I have, sorry you'll have to wait till morning for a more up to date one, assuming the computer stays active long enough for me to get it). However, I'm not sure how, or even if, I can get rid of it for good. However, I fear even this may not save this thing.

So I'm at the end of my knowledge of these things, and what actions I can perform with certainty. Suggestions and possible solutions (short of format c:, though that's looking more and more likely) would be greatly appreciated. Oh, and sorry for the rambling, writing it all down like this is actually very therapeutic in its own way. Thank you ahead of time.

The log:

Logfile of HijackThis v1.99.1
Scan saved at 1:05:51 PM, on 9/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\SPYBOT13\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot13\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\CURSORS\DOSJAVA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [*DOSJAVA] rundll32.exe C:\WINDOWS\CURSORS\DOSJAVA.DLL,CreateProtectProc rerun
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

#2 Eishtmo

Posted 18 September 2005 - 11:24 AM

Updated log:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:54 PM, on 9/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\SPYBOT13\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot13\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\CURSORS\DOSJAVA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunOnce: [*DOSJAVA] rundll32.exe C:\WINDOWS\CURSORS\DOSJAVA.DLL,CreateProtectProc rerun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

#3 LonnyRJones

LonnyRJones

    Forum Deity

  • Developer
  • 961 posts

Posted 26 October 2005 - 09:38 AM

Hi Eishtmo

If you're still in need of assistance, please post back with a fresh log.

#4 Eishtmo

Posted 26 October 2005 - 01:47 PM

Whoops, forgot I posted this. I actually managed to fix the problem and the computer works fine now. I think it got hit with a virus of some kind and it took a bit of work to clear all the crap out.

First I had to find that damn dosjava.dll file, which managed to somehow make itself invisible to Windows Explorer. Fixed that by trying to delete the directory. Popped right up after that. Deleted that, used some program (name I forget at the moment) to unlock the registry entries then killed the bugger with HijackThis! A reboot later, and the computer is clean and clear.

Like I said, I think it was a virus, but I have no idea where it came from or how it got on there. Problem hasn't come back since, so it's all good.

The thread can be moved away now, problem solved. Thanks for reminding me to post this mess.
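The file this thread ends up removing is referenced twice in the posted logs: once as a BHO and once as the `*DOSJAVA` RunOnce value. As an added example (not part of the original posts, and not HijackThis's own logic), this Python script parses the O2 and O4 lines of such a log and reports modules that trip at least two triage heuristics; the function names, the `DATA_DIRS` list and the two-reason threshold are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied verbatim from the updated HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\CURSORS\DOSJAVA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [*DOSJAVA] rundll32.exe C:\WINDOWS\CURSORS\DOSJAVA.DLL,CreateProtectProc rerun
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),", re.I)
BINARY_RE = re.compile(r"^(?P<bin>.+?\.(?:exe|dll|ocx))\b", re.I)

# Assumption for this example: folders that normally hold data, not code.
DATA_DIRS = {r"C:\WINDOWS\CURSORS", r"C:\WINDOWS\FONTS", r"C:\WINDOWS\TEMP"}

def module_of(cmd):
    """Return the file a startup command really loads (the DLL for rundll32)."""
    m = RUNDLL_RE.match(cmd) or BINARY_RE.match(cmd)
    return (m.group(1) if m else cmd).strip().upper()

def triage(log_text, min_reasons=2):
    """Map each loaded module to triage reasons; keep those with >= min_reasons."""
    places, reasons = defaultdict(set), defaultdict(set)
    for line in map(str.strip, log_text.splitlines()):
        if (m := O2_RE.match(line)):
            module = m.group("path").strip().upper()
            places[module].add("BHO")
        elif (m := O4_RE.match(line)):
            module = module_of(m.group("cmd"))
            places[module].add(m.group("key"))
            # Microsoft documents that a RunOnce value named "*..." runs even in Safe Mode.
            if m.group("key").lower() == "runonce" and m.group("name").startswith("*"):
                reasons[module].add("RunOnce entry forced to run in Safe Mode")
        else:
            continue
        if ntpath.dirname(module) in DATA_DIRS:
            reasons[module].add("code loaded from a data folder")
    for module, where in places.items():
        if len(where) > 1:
            reasons[module].add("referenced from: " + ", ".join(sorted(where)))
    return {m: sorted(r) for m, r in reasons.items() if len(r) >= min_reasons}
```

Calling `triage(SAMPLE_LOG)` reports only the DOSJAVA.DLL module; `powrprof.dll` (two autorun keys, one reason) and the `*StateMgr` RunServices entry stay below the threshold.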

#5 LonnyRJones

Posted 27 October 2005 - 01:25 AM

Thanks for posting back.

Happy safe surfing



