TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Dominik on January 28, 2005, 08:10:45 AM
-
I have a problem with a Windows 98 Plus PC.
I start the PC, then just get the Windows background: no desktop symbols, no toolbar, etc. I can't do anything; I see only my mouse icon, and when I press some buttons, a message with kernel32.dll shows up. The only thing I can do is restart the PC. I searched everywhere, but found no solution. I don't know what to do.
I guess the PC is infected with the Funner virus, because I received the file funny.exe.
If I start the PC in safe mode, I get the message: File psapi.dll is missing, and I can't do anything.
I tried the command prompt: c:\scanreg, and restored the *.cab file from a date when it worked properly. It didn't help; still the same problem.
Any suggestions? Would be great.
-
Try this and see if it's some help
Instead of booting to safe mode
Boot to Command prompt only
At the prompt
type in
edit c:\windows\system.ini
Notice the space between edit and c
and hit Enter
in System.ini under the boot tab
Navigate with your arrow keys on the keyboard to
Shell under the boot section
If it doesn't read this way change to read like the bold below
Shell=Explorer.exe
Use the Reset button on your computer or (Ctrl+Alt+Del)
to restart your computer
If that gets you back to Windows in normal mode you still have some more work to do
Can you Download Hijackthis 1.99
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or CLICK HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
If you can't boot to Command prompt only you will have to use a Startup disk (Floppy)
Ensure to enter Setup (BIOS) and boot from floppy or removable device first
At the A:\ after it's loaded type in
edit c:\windows\system.ini
make the changes and remove the startup disk and try booting to Windows
Make sure you post that Hijackthis log if you can
-
Thanks for your fast help!
I tried what you wrote, I edited the system.ini File as you said and saved the file.
I changed it from:
Shell=C:\windows\system\explorer.exe
to Shell=Explorer.exe
saved the system.ini File and rebooted the PC
But it didn't help, still the same problem.
Hijackthis I can't use because Windows doesn't start.
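The check done by hand above (is Shell= under [boot] still Explorer.exe?), as an added example that is not part of the original posts. The sample file contents are constructed; only the two Shell= values come from the thread.

```python
import re

EXPECTED_SHELL = "explorer.exe"  # the thread restores Shell=Explorer.exe

def boot_shell(ini_text):
    """Return the shell= value from the [boot] section, or None if absent.

    system.ini repeats keys such as device= in [386Enh], which strict INI
    parsers reject, so the file is scanned line by line instead.
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def check_shell(ini_text):
    """Return ('ok' | 'modified' | 'missing', value) for the [boot] shell line."""
    value = boot_shell(ini_text)
    if value is None:
        return ("missing", None)
    status = "ok" if value.lower() == EXPECTED_SHELL else "modified"
    return (status, value)

# Constructed sample files; only the two Shell= values come from the thread.
INFECTED = r"""[boot]
oemfonts.fon=vgaoem.fon
Shell=C:\windows\system\explorer.exe
[386Enh]
device=*vshare
device=*dynapage
"""
REPAIRED = INFECTED.replace(r"C:\windows\system\explorer.exe", "Explorer.exe")

if __name__ == "__main__":
    for name, text in (("infected", INFECTED), ("repaired", REPAIRED)):
        print(name, check_shell(text))
```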
-
Try going back to a Command prompt again
At the prompt type in the below----after each hit Enter on the key board
Notice the space between del and c
del c:\windows\system\explorer.exe
del c:\windows\system\iexplore.exe
del c:\windows\system\userinit32.exe
del c:\windows\rundll32.exe
del c:\windows\hosts
del c:\funny.exe
del c:\windows\temp\*.*
if you get a prompt to delete contents of directory--Use Y on the keyboard then hit Enter
Finally enter this again at the prompt
edit c:\windows\system.ini
Make sure it still reads
Shell=Explorer.exe
If not change it to that and save the change
Restart the computer
If that gets you back into Windows we will have to replace some files overwritten by this nasty
Grab a copy of Hijackthis from my links
Open Hijackthis>>Open Misc Tools>>Open the Hosts file manager
If prompted no hosts file is found>>Let it create one
Please post a log if you can
-
Damn, you're the man!
It worked, I'm back again in the Game, I mean Windows 98 Plus.
I ran Hijackthis and here is the log file:
Logfile of HijackThis v1.99.0
Scan saved at 16:11:05, on 02.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\PROGRAMME\CREATIVE\WEBCAM CONTROL\CAMTRAY.EXE
C:\PROGRAMME\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMME\OPENOFFICE.ORG1.1.3\PROGRAM\SOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\1031\MSOFFICE.EXE
C:\PROGRAMME\AVPERSONAL\INETUPD.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by19fd.bay19.Email Removed.msn.com/cgi-bi...g=DE&country=CH
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programme\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Programme\OpenOffice.org1.1.3\program\quickstart.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
How do I replace the deleted Files?
Thank you so much for your Help, I'm so glad it works more or less now.
-
Good work Dominik
Can you download and save to Desktop
Rundll32_98.zip
You will have to Right click on that link and Copy Shortcut
Paste it to the IE address bar and hit GO for it to work properly
Once you have that downloaded can you UNZIP it to your
C:\Windows
folder>>Allow to overwrite if prompted
After that is done
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
You may choose to fix the next one too, Not a threat, but not required on startup
Programs work fine without them and can be started manually
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
Open Office>>you should be able to check the preferences and disable Quickstart or have Hijackthis fix that entry too if you don't need it enabled on startup
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
RESTART your computer
When you're back in Windows
Find and delete this file if it exists
c:\windows\system\mmsystem.dll <--this file
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to finish the cleaning process
Post back with a fresh hijackthis log
Could you also open Hijackthis>>Open the Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad"
Copy and paste back here the whole contents of the hosts notepad file
-
When I try to install Ad-Aware a message pops up:
Could not initalize Installation. System DLLs corrupt or missing.
Also I get some Error Messages when I start up Windows, I think the System is still infected somehow?
Here's the new Logfile from Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 11:12:12, on 03.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\PROGRAMME\CREATIVE\WEBCAM CONTROL\CAMTRAY.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programme\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Programme\OpenOffice.org1.1.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
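One way to confirm from the two logs above that the ticked startup entries are really gone and to see what else changed between scans, as an added example that is not part of the original posts. The log excerpts are copied from this thread (shortened, not the full logs); the function names are this example's own.

```python
import re

# O4 autorun lines appear in two shapes in the logs on this page:
#   O4 - HKLM\..\Run: [Name] command      (registry Run / RunServices keys)
#   O4 - Startup: Name.lnk = target       (Startup folder shortcuts)
O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
O4_LNK = re.compile(r"^O4 - (Startup): (.+?) = (.*)$")

def autoruns(log_text):
    """Map (location, name) -> command for every O4 line in a HijackThis log."""
    found = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_LNK.match(line)
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found

def diff_autoruns(before, after):
    """Return (removed, added, changed) autorun keys between two scans."""
    old, new = autoruns(before), autoruns(after)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return removed, added, changed

def still_present(after, flagged):
    """Flagged keys that survived the fix and still start with Windows."""
    return sorted(k for k in set(flagged) if k in autoruns(after))

# Excerpts copied from the two logs in this thread (not the full logs).
FIRST_SCAN = r'''
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
'''
SECOND_SCAN = r'''
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
'''
# Registry entries the helper asked to tick before FIX CHECKED.
FLAGGED = [(r"HKLM\..\Run", "LoadQM"), (r"HKCU\..\Run", "MMSystem")]

if __name__ == "__main__":
    print(diff_autoruns(FIRST_SCAN, SECOND_SCAN))
    print("still present:", still_present(SECOND_SCAN, FLAGGED))
```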
-
I need more info than that Dominik
Did you save that link to Rundll32.zip to your desktop and UNZIP it to your
C:\Windows folder?
What error messages on startup?
Be a little more specific please
Go to START>>Run
Type in
sfc
Hit OK
Run system file checker >> have your Windows CD handy
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2001011114021106
The Ad-Aware problem, don't uninstall Ad-aware, I have a possible fix for that
But try the above first
Forgot about this Dominik
Could you also open Hijackthis>>Open the Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad"
Copy and paste back here the whole contents of the hosts notepad file
-
More or less the Windows 98 system works.
When I start up the PC, at the beginning when Windows loads, 2 messages pop up:
I can't translate it exactly into English, but I'll write it so that I think you understand what it means:
An error message with winmm.dll - I know more or less what the problem is.
The second message: An error with unicows.dll - something with the unicode - but I don't know which program it is necessary for? Maybe Office or Openoffice.org?
But that's not so important, I can live with these two messages at startup.
Ad-Aware I can't install.
I'm glad the system runs and I'd like to thank you very much for your great, fast help!
Thanks Dominik
-
unicows.dll>>Can you do a Find (Search) on your computer
What locations do you find them in?
Ad-Aware>>>Let me know if you can find these 2 files in the
C:\Windows\System folder
Riched20.dll
Riched32.dll
While you're in the System folder
Do you see
winmm.dll ?
I have 98SE on one of my computers, I may be able to help you out
You should also, at this time
Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
after every update just simply enable all protection
-
Well, I've also experienced this virus. Not too impressive though. For Windows XP users, this is how I did it.
I physically removed the hard drive where I've got my OS on. I then inserted it into another PC. Make sure it's the secondary disk, not the first. Then you will be able to see your files and take out the files you want. Then you insert the hard drive into your old computer and format it. Install Windows, and bring your beloved files onto your hard drive.
Easy and clean way to do it.
It took me about 20 minutes.
greets, from a Hamar bhoi
-
If you can boot into Windows, there may be no reason to even
remove the hard drive
or pop in the Windows cd and use the Recovery console
-
very good
:D