Author Topic: psapi.dll and funny.exe Problem  (Read 3673 times)

Dominik

  • Guest
psapi.dll and funny.exe Problem
« on: January 28, 2005, 08:10:45 AM »
I've got a problem with a Windows 98 Plus PC.
I start the PC, then just get the Windows background, no desktop symbols, no toolbar, etc. I can't do anything; I see only my mouse icon. When I press some buttons, a message with kernel32.dll shows up. The only thing I can do is restart the PC. I searched everywhere, but found no solution. I don't know what to do.

I guess the PC is infected with the Funner virus, because I received the file funny.exe.

If I start the PC in safe mode, I get the message: File psapi.dll is missing, and I can't do anything.

I tried the command prompt: c:\scanreg, and restored the *.cab file from a date when it worked properly. It didn't help; still the same problem.

Any suggestions? Would be great.

Offline guestolo

« Reply #1 on: January 28, 2005, 02:11:52 PM »
Try this and see if it's some help

Instead of booting to safe mode
Boot to Command prompt only

At the prompt
type in

edit c:\windows\system.ini

Notice the space between edit and c
and hit Enter

in System.ini under the boot tab
Navigate with your arrow keys on the keyboard to

Shell under the boot section

If it doesn't read this way change to read like the bold below

Shell=Explorer.exe

Use the Reset button on your computer or (Ctrl+Alt+Del)
to restart your computer

If that gets you back to Windows in normal mode you still have some more work to do

Can you Download Hijackthis 1.99
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

If you can't boot to Command prompt only, you will have to use a Startup disk (Floppy)
Make sure to enter Setup (BIOS) and boot from floppy or removable device first

At the A:\ after it's loaded type in
edit c:\windows\system.ini
make the changes and remove the startup disk and try booting to Windows

Make sure you post that Hijackthis log if you can

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Dominik

  • Guest
« Reply #2 on: February 01, 2005, 08:49:52 AM »
Thanks for your fast help!

I tried what you wrote, I edited the system.ini File as you said and saved the file.

I changed it from:

Shell=C:\windows\system\explorer.exe

to Shell=Explorer.exe

saved the system.ini File and rebooted the PC

But it didn't help, still the same problem.

Hijackthis I can't use because Windows doesn't start.
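
The check this exchange performs by hand, reading the Shell= line under [boot] in system.ini, written as a small script. This is an added example and not part of the original posts; the function names and the sample file contents are constructed, and the two Shell= values are the ones quoted in the posts above.

```python
EXPECTED_SHELL = "explorer.exe"  # the value the reply above says the line should have


def boot_shell(ini_text):
    """Return the shell= value from the [boot] section, or None if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Only a shell= key inside [boot] counts; keys and sections are
        # matched case-insensitively, as in the posts (Shell= vs shell=).
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def audit_shell(ini_text):
    """Classify the [boot] shell= line as ok, changed or missing."""
    value = boot_shell(ini_text)
    if value is None:
        return ("missing", None)
    if value.lower() == EXPECTED_SHELL:
        return ("ok", value)
    return ("changed", value)


# Constructed system.ini fragments; only the Shell= values come from the thread.
INFECTED = r"""
[boot]
oemfonts.fon=vgaoem.fon
Shell=C:\windows\system\explorer.exe
; constructed comment line
[386Enh]
device=*vmm
device=*vcache
"""
CLEANED = INFECTED.replace(r"C:\windows\system\explorer.exe", "Explorer.exe")

if __name__ == "__main__":
    for label, text in (("as found", INFECTED), ("after edit", CLEANED)):
        print(label, audit_shell(text))
```
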

Offline guestolo

« Reply #3 on: February 01, 2005, 04:13:25 PM »
Try going back to a Command prompt again

At the prompt type in the below----after each hit Enter on the keyboard
Notice the space between del and c

del c:\windows\system\explorer.exe

del c:\windows\system\iexplore.exe

del c:\windows\system\userinit32.exe

del c:\windows\rundll32.exe

del c:\windows\hosts

del c:\funny.exe

del c:\windows\temp\*.*

if you get a prompt to delete contents of directory--Use Y on the keyboard then hit Enter

Finally enter this again at the prompt
edit c:\windows\system.ini

Make sure it still reads
Shell=Explorer.exe

If not change it to that and save the change

Restart the computer
If that gets you back into Windows we will have to replace some files overwritten by this nasty
Grab a copy of Hijackthis from my links
Open Hijackthis>>Open Misc Tools>>Open the Hosts file manager
If prompted no hosts file is found>>Let it create one

Please post a log if you can
« Last Edit: February 03, 2005, 02:49:21 AM by guestolo »


Dominik

  • Guest
« Reply #4 on: February 02, 2005, 10:15:02 AM »
Damn, you're the man!

It worked, I'm back again in the Game, I mean Windows 98 Plus.

I run Hijackthis and here is the log File:

Logfile of HijackThis v1.99.0
Scan saved at 16:11:05, on 02.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\PROGRAMME\CREATIVE\WEBCAM CONTROL\CAMTRAY.EXE
C:\PROGRAMME\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMME\OPENOFFICE.ORG1.1.3\PROGRAM\SOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\1031\MSOFFICE.EXE
C:\PROGRAMME\AVPERSONAL\INETUPD.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by19fd.bay19.Email Removed.msn.com/cgi-bi...g=DE&country=CH
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programme\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Programme\OpenOffice.org1.1.3\program\quickstart.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

How do I replace the deleted Files?

Thank you so much for your Help, I'm so glad it works more or less now.

Offline guestolo

« Reply #5 on: February 02, 2005, 11:58:41 AM »
Good work Dominik

Can you download and save to Desktop
Rundll32_98.zip

You will have to Right click on that link and Copy Shortcut
Paste it to the IE address bar and hit GO for it to work properly

Once you have that downloaded can you UNZIP it to your
C:\Windows
folder>>Allow to overwrite if prompted

After that is done

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32

O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


You may choose to fix the next one too, Not a threat, but not required on startup
Programs work fine without them and can be started manually
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE

Open Office>>you should be able to check the preferences and disable Quickstart or have Hijackthis fix that entry too if you don't need it enabled on startup

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer

When you're back in Windows

Find and delete this file if it exists
c:\windows\system\mmsystem.dll <--this file

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the "check for updates now" link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to finish the cleaning process

Post back with a fresh hijackthis log

Could you also open Hijackthis>>Open the Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad"
Copy and paste back here the whole contents of the hosts notepad file
« Last Edit: February 21, 2005, 10:58:02 PM by guestolo »


Dominik

  • Guest
« Reply #6 on: February 03, 2005, 05:15:24 AM »
When I try to install Ad-Aware a message pops up:

Could not initalize Installation. System DLLs corrupt or missing.

Also I get some Error Messages when I start up Windows, I think the System is still infected somehow?

Here's the new Logfile from Hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 11:12:12, on 03.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\PROGRAMME\CREATIVE\WEBCAM CONTROL\CAMTRAY.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programme\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Programme\OpenOffice.org1.1.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

Offline guestolo

« Reply #7 on: February 03, 2005, 10:10:37 AM »
I need more info than that Dominik
Did you save that link to Rundll32.zip to your desktop and UNZIP it to your
C:\Windows folder?

What error messages on startup?
Be a little more specific please
Go to START>>Run
Type in
sfc
Hit OK

Run system file checker >> have your Windows CD handy
http://service1.symantec.com/support/tsgen...001011114021106

The Ad-Aware problem, don't uninstall Ad-aware, I have a possible fix for that
But try the above first

Forgot about this Dominik
Quote
Could you also open Hijackthis>>Open the Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad"
Copy and paste back here the whole contents of the hosts notepad file
« Last Edit: February 04, 2005, 04:09:25 AM by guestolo »


Dominik

  • Guest
« Reply #8 on: February 09, 2005, 04:42:45 AM »
More or less the Windows 98 System works.

When I start up the PC, at the beginning when Windows loads, 2 messages pop up:

I can't translate them exactly into English, but I'll write them so that I think you'll understand what they mean:

An error message with winmm.dll - I know more or less what the problem is.

The second message: An error with unicows.dll - something with the unicode - but I don't know for which program it is necessary? Maybe Office or Openoffice.org?

But that's not so important, I can live with these two messages at startup.

Ad-Aware I can't install.

I'm glad the system runs and I'd like to thank you very much for your great, fast help!

Thanks Dominik

Offline guestolo

« Reply #9 on: February 09, 2005, 04:29:52 PM »
unicows.dll>>Can you do a Find (Search) on your computer
What locations do you find them in?

Ad-Aware>>>Let me know if you can find these 2 files in the
C:\Windows\System folder
Riched20.dll
Riched32.dll


While you're in the System folder
Do you see
winmm.dll ?

I have 98SE on one of my computers, I may be able to help you out

You should also, at this time
Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
after every update just simply enable all protection
« Last Edit: February 09, 2005, 07:06:09 PM by guestolo »


Guest

  • Guest
« Reply #10 on: February 16, 2005, 04:56:15 PM »
Well, I've also experienced this virus. Not too impressive though. For Windows XP users, this is how I did it.

I physically removed the hard drive where I've got my OS on. I then inserted it into another PC. Make sure it's the secondary disk, not the first. Then you will be able to look through your files and take out the files you want. Then you insert the hard drive into your old computer and format it. Install Windows, and bring your beloved files onto your hard drive.

Easy, and clean way to do it.
It took me about 20 minutes.

greets, from a Hamar bhoi

Offline guestolo

« Reply #11 on: February 17, 2005, 11:47:20 PM »
If you can boot into Windows, there may be no reason to even
remove the hard drive
or pop in the Windows cd and use the Recovery console
« Last Edit: February 17, 2005, 11:57:45 PM by guestolo »


Guest

  • Guest
« Reply #12 on: February 22, 2005, 02:35:36 PM »
very good :D