# Solved: Wininet.dll Errors



## zkhul (Nov 26, 2002)

Hi Guys,

I can't get on the net with IE. I keep getting "IE has caused an error in wininet.dll. IE will close now. And then sometimes there's another one saying "This window is busy. Closing it may cause some problems. Do you want to close it?" I'd been using ad-aware and spybot and uninstalling stuff as
my HD was getting full. I used Regvac also, but restored most of its fixes after my puter started acting a fool with kernel32 and wininet.dlls. I have WINME OS and comcast cable. Isn't wininet connected wiith Win95 and dialup? Do I need to submit JHT log? I certainly hope that someone can help. Thanx, zkhul


----------



## JSntgRvr (Jul 1, 2003)

Lets try first to clear the cache ni the computer:

1. On the Tools menu in Internet Explorer, click Internet Options. 
2. Click the Advanced tab. 
3. Click to clear the Use inline AutoComplete for Web addresses and Use inline AutoComplete for Windows Explorer check boxes. 
4. Click OK. 
5. Reboot your computer. Tap on F8 during startup to display the Startup menu. 
6. Choose Command Prompt Only, and then press ENTER. 
7. Type the following items, pressing ENTER after each item:

cd\windows
deltree downlo~1
deltree tempor~1
deltree history
deltree cookies 

NOTE: Press Y if you are prompted to confirm any deletion.

8. Reboot your your computer normally. 
9. On the Tools menu in Internet Explorer, click Internet Options. 
10. Click the Advanced tab. 
11. Click to select the Use inline AutoComplete for Web addresses and Use inline AutoComplete for Windows Explorer check boxes. 
12. Click OK.
13. Restart the computer.


----------



## zkhul (Nov 26, 2002)

Thanks Jsntgrver, I can get to to advanced thru propertie of ie ICON ON DESKTOP. It only has one "use inline autocomplete" which was already unchecked. It did not differentiate between use for web address and internet explorer. (2) Tapping on f8 brings up the menu but it doesn't have the option "Command prompt only". so I went to "safe mode" and back to DOS where I deleted the tree of those 4 files and rebooted. But that didn't help. I coontinue to get Wininet.dll errors as well as Kernel32. Any more ideas would be appreciated. Thanx


----------



## JSntgRvr (Jul 1, 2003)

Attempt to repair the Internet Explorer.

Click on the Add/Remove Programs icon in the Control Panel. Attempt to remove Microsoft Internet Explorer and Internet Tools. You will be given the option to repair the Internet Explorer. Select that option and follow instructions on screen to repair the Internet Exporer.

If the issue persists, post a Hijackthis log to take a look at the runnng processes:

http://www.majorgeeks.com/download3155.html


----------



## zkhul (Nov 26, 2002)

Yes, I've tried to repair, BUT it says cannot be repaired, and to reinstall it. I do that and it says "finished" after running for about 2 secionds. No change, still doesn't work. So here is my JHT log (I've already posted one, on 14th but I guess in wrong place):

Logfile of HijackThis v1.99.1
Scan saved at 11:56:06 PM, on 3/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\UDXREGQU.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\IC2UPAPI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\E-REG\REMIND32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://zoesearchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll (file missing)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL (file missing)
O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL (file missing)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe 
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe ,DllRunMain
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\UDXREGQU.EXE lee0105
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [Breg] "c:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr] 
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
O4 - HKCU\..\Run: [bor2RWcmi] IC2UPAPI.EXE
O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\RunServices: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
O4 - HKCU\..\RunServices: [bor2RWcmi] IC2UPAPI.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O4 - User Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: PowerReg Scheduler.exe
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - User Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe
O4 - User Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - User Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - 
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - (no file)


----------



## JSntgRvr (Jul 1, 2003)

Run Hijackthis. Place a checkmark on the following lines and click on Fix Checked (Some of these entries appear to be repeated, but they are not. the source is different):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://zoesearchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll (file missing)
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL (file missing)
O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL (file missing)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe 
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe ,DllRunMain
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\UDXREGQU.EXE lee0105
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
O4 - HKCU\..\Run: [bor2RWcmi] IC2UPAPI.EXE
O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\RunServices: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
O4 - HKCU\..\RunServices: [bor2RWcmi] IC2UPAPI.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O4 - User Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: PowerReg Scheduler.exe
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - User Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - User Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Go to the Add/Remove programs icon in the control Panel. Remove the following programs if exists:

TV Media, 
TV Media Display᾿ or 
MS T-Media Display
'My Web Search'
'My Bar'

Boot in Safe Mode. Open Windows Explorer. Select Tools from the Menu, then Folder options. Select the View tab. Under Hidden Files and Folders, select "show all files". Click Ok, close the Explorer. Search and delete the following files and folders:

C:\PROGRAM FILES\*TV MEDIA* <- this folder
C:\Program Files\*MyWebSearch* <- this folder

The following files:

*D0CE0C16B1
winupdt.exe 
bpcpost.exe
UDXREGQU.EXE 
GKGSYSI6.EXE
IC2UPAPI.EXE*

Restart the computer and post a new HJT log.


----------



## JSntgRvr (Jul 1, 2003)

This is the only line for McAfee. I see no other entery for a VirusScan or Firewall. Are these programs disabled?

O4 - Startup: Mount Safe & Sound Volumes.lnk = C:\Program Files\McAfee\McAfee Shared Components\Safe & Sound\fbmount.exe


----------



## zkhul (Nov 26, 2002)

Hello, yes I got rid of McaFee and Norton as they seemed to cause problems, though 
I've been planning to reinstalll Norton. I saw that entry, but left it alone as it had shared components, etc. I do have pop-up stopper (Panicware). I have ad-aware and spybot but can't access either due to the dll error.

I "fixed" your suggestions, but could only find Tv Media in Add/Remove; could only find Mywebsearch in program files and deleted the 6 other files you listed. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:26 PM, on 3/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\GKGSYSI6.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr] 
O4 - HKCU\..\Run: [bor2RWcmi] IC2UPAPI.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - 
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - (no file)

. Here is the new HJT log:


----------



## JSntgRvr (Jul 1, 2003)

We have some recurring entries. Run Hijackthis. Put a check mark on the Following lines and click on Fix Checked:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105
O4 - HKLM\..\RunServices: [VidSvr] 
O4 - HKCU\..\Run: [bor2RWcmi] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: PowerReg Scheduler.exe

Boot the computer in Safe mode. Delete the following files and folders if exists:

C:\Program Files\Common Files\Java\bptre.exe
C:\WINDOWS\SYSTEM\GKGSYSI6.EXE

desktopdir+\startup\*powerreg scheduler v3.exe*
desktopdir+\startup\*webshots.lnk*
programfilesdir+\*powerreg*
startupfolder+\*powerreg scheduler v3.exe*
startupfolder+\*powerreg scheduler.exe*
startupfolder+\*powerreg schedulerv2.exe*
systemroot+\desktop\startup\*powerreg scheduler.exe*
systemroot+\start menu\programs\startup\*image.lnk*
systemroot+\start menu\programs\startup\*norton disk doctor.lnk*
systemroot+\start menu\programs\startup\*powerreg scheduler v3.exe*
systemroot+\start menu\programs\startup\*powerreg scheduler.exe*
desktopdir+*\startup*

Can you run either Adaware and Spybot Search and Destroy in Safe mode if available?

Restart the computer. Click on the Add/Remove Programs icon in the Control Panel. Attempt to remove Microsoft Internet Explorer and Internet Tools. You will be given the option to repair the Internet Explorer. Select that option and follow instructions on screen for the repair. If you receive an error, unable to repair, post the exact error message.

After a restart, test the computer and post another log for review.


----------



## zkhul (Nov 26, 2002)

Hello again,

I fixesd the 7 items you advised in HJT. The new one is attached. I deleted the 2 files in C. The 12 others, "search" couldn't find tho I think I've seen some of them in somewhere in regedit. I was able to run Spybot 3 times. The first it found and fixed 52 out of 54. I ran it 2 more times and each time it found DSO Exploit which was expunged.Adaware wouldn' run, itwas "attached to the missing Wininet.dll"

I could not repair IE with same msg in previous reply...."Please run setup again to reinstall all components". I clicked "details" and: "IE 6 cannoot be repaired due to the following--Version 5.50.4124.100 of file thumbvw.dll exists but the version needs to be greater than 5.50.1434.600.
Version 4.70.0.1215 of file wininet.dll exists but the version needs to be greater than 6.0.2800.1100." Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:52 PM, on 3/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - 
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - (no file)

PS


----------



## JSntgRvr (Jul 1, 2003)

> I could not repair IE with same msg in previous reply...."Please run setup again to reinstall all components". I clicked "details" and: "IE 6 cannoot be repaired due to the following--Version 5.50.4124.100 of file thumbvw.dll exists but the version needs to be greater than 5.50.1434.600.
> Version 4.70.0.1215 of file wininet.dll exists but the version needs to be greater than 6.0.2800.1100."


Search for the file ie6setup.exe in the computer. If found, double click on it. See if you can reinstall all components.


----------



## zkhul (Nov 26, 2002)

JSntgRvr said:


> Search for the file ie6setup.exe in the computer. If found, double click on it. See if you can reinstall all components.


Yes, I get the same result as I have in the past. "Already have all the latest components,. It is recommended that you exit". So instead, I click reinstall all
aND IT SAYS it is now ready for use, after about 1 second. Should I uninstall 
it altogether from my IE folder. And then try to reinstall. The point is, it was only installed a couple weeks ago over my IE 5.5 as I was trying to fix various problems. What to do......I hate to think of reformatting and all that goes with that. Thanx for your efforts in this regard.


----------



## JSntgRvr (Jul 1, 2003)

Try this first:

Start the Registry Editor (Start->Run, type Regedit and click Ok).

Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {89820200-ECBD-11cf-8B85-00AA005B4383}

Highlight the key {89820200-ECBD-11cf-8B85-00AA005B4383} by clicking on it. On the right pane look for the IsInstalled value. Right click on it, and then click Modify. Change the value data, from 1 to 0 and click Ok. 

Use the same process and change the IsInstalled value from the following registry key:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {44BBA840-CC51-11CF-AAFA-00AA00B6015C} from 1 to 0.

Search again for the ie6setup and attempt to reinstall.


----------



## JSntgRvr (Jul 1, 2003)

If that fails:

To remove Internet Explorer 6.0 and return to your previous version follow these steps:

1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs. 

2. On the Install/Uninstall tab, click Microsoft Internet Explorer 6 and Internet Tools in the list of installed programs, and then click Add/Remove. 

3. Click Restore the previous Windows configuration (or click Advanced to specify any additional components you want to remove), and then click OK. 

4. The Internet Explorer 6 and Internet Tools Setup dialog box appears. This portion of Setup is referred to as Maintenance mode. When Setup starts, click OK to restore the previous version of Internet Explorer and shared components. 

5. You are prompted to verify that you want to restore the previous version. Click Yes to start the uninstallation process. When the uninstallation process finishes, click Restart Windows when you are prompted to do so.


----------



## zkhul (Nov 26, 2002)

Hi, I just want to say that previous version option was always greyed out, or I would have been back long ago, but maybe it will be available after I follow your directives in regedit. I hope so. Thanx


----------



## zkhul (Nov 26, 2002)

Hi, I modified those 2 entries in regedit, rebooted and tried to remove IE6. As before,
the option to return to previous version is greyed out. (I wonder why) So I tried "repair". This time intead of saying "cannot repair, reinstall", it zoomed across in about 1 1/2 secs and said "FINISHED", REBOOT"


----------



## zkhul (Nov 26, 2002)

Hi, I modified those 2 entries in regedit, rebooted and tried to remove IE6. As before,
the option to return to previous version is greyed out. (I wonder why) So I tried "repair". This time intead of saying "cannot repair, reinstall", it zoomed across in about 1 1/2 secs and said "FINISHED", REBOOT", which I did and got
error msg: IExplore has caused an error in Wininet.dll and after that a window popped up saying IExplore has caused an error in Kernel32.dll. 

One thing is different however: When I click on an email which needs to access a URL on the net, instead of getting the usual " msimn has caused an error in wininet.dll, I get a page superimposed on the email but which shows the URL in the "location" box, but the browser icon (Firefox)keeps spinning and nothing happens, not even "page cannot be displayed" -- just nothing, like a transparent page.


----------



## JSntgRvr (Jul 1, 2003)

I see there is a recurrent unknown entry in the running processes, GKGSYSI6.EXE. That could be due to malware. Lets eliminate most of your ActiveX and Browser Helpers, and also attempt to eliminate that reccurent entry. Run Hijackthis and put a check mark next to the following lines and click on Fix Checked:

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01 .src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)

O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\SYSTEM\GKGSYSI6.EXE lee0105

O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/commo...MINIBrowser.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - 
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility....ckerutility.cab

O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - (no file)

Press Ctrl+Alt+Delete. End Task to the *SysStart* entry.

Open Windows Explorer. Navigate to the C:\Windows\System folder. Select Tools from the menu, then Folder Options. select the View tab and under Hidden Files and Folder, select "View All Files and Folders". Click Ok.

Scroll down to the GKGSYSI6.EXE file and right click on it. Select Properties and remove all check marks from Read, Hidden, System, and Archive boxes and click OK.

Right click again over the GKGSYSI6.EXE file and select Delete. Close Windows Explorer, Empty the recycle Bin and restart the computer.

If you are unable to delete this file in Normal Mode, attempt to delete it in Safe mode.

See if that makes a difference. Post a New HJT log as to confirm that the entry has been fixed.


----------



## zkhul (Nov 26, 2002)

Hello again,

Well, evertime I went to Windows, then system, it hung and "is not responding",
(3 times)so I rebooted in safe mode and looked in the system file but could not find GKGSYS16.EXE. Also looked in dos system directory it wasn't there.
I actually deleted from system yesterday, but it still showed up in HJT afterwards. I don't see it in the current HJT below. So hopefully it is gone. I'm still getting the same old message for IE. But when I click google on my desktop, I get that an errror has been caused in wininet. And then a popup that won't away saying, "This window is busy. Closing it may cause some problems. Do you wanna" Oh, oh, a window just popped up saying "The procedure entry point InternetGetConnectedState could not be located in the dynamic link library Wininet.dll." And another (a second ago) saying The OBKR.exe file (?) is linked to missing export WININET.DLL:InternetGetConnectedState". LOL Do you think the problem may lie in WININET.DLL:InternetGetConnectedState. This is getting weirder and weirder. Anyhoo, here is my Hijackthis thing:


----------



## zkhul (Nov 26, 2002)

Oops, pc was getting ready to "HANG", SO AS NOT TO HAVE TO RETYPE ALL THAT, I sent without the log, so here it is:Logfile of HijackThis v1.99.1
Scan saved at 4:14:00 PM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WWKKKUE\LFJUW.EXE
C:\WINDOWS\SYSTEM\GQTY\YPGY.EXE
C:\WINDOWS\SYSTEM\JSVTCRXU\AEIRJP.EXE
C:\WINDOWS\SYSTEM\YKIUARS\EIXYRH.EXE
C:\WINDOWS\SYSTEM\VNAUXN\EDFKRIQ.EXE
C:\TMP\XXKSAIW.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O2 - BHO: (no name) - {81B94B4A-E8DA-0462-621B-9A90FAFB9070} - C:\WINDOWS\SYSTEM\mxfcqbse\uyohlssq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LFJUW] C:\WINDOWS\SYSTEM\WWKKKUE\LFJUW.EXE
O4 - HKLM\..\Run: [YPGY] C:\WINDOWS\SYSTEM\GQTY\YPGY.EXE
O4 - HKLM\..\Run: [AEIRJP] C:\WINDOWS\SYSTEM\JSVTCRXU\AEIRJP.EXE
O4 - HKLM\..\Run: [eixyrh] C:\WINDOWS\SYSTEM\ykiuars\eixyrh.exe
O4 - HKLM\..\Run: [EDFKRIQ] C:\WINDOWS\SYSTEM\VNAUXN\EDFKRIQ.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\TCYL.exe
O4 - HKLM\..\Run: [C:\WINDOWS\qqekm.exe] C:\WINDOWS\qqekm.exe
O4 - HKLM\..\Run: [skyhn] C:\TMP\XXKSAIW.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll

Think maybe I should get rid of that plugin for mP3. sOMETHING MIGHT HAVE COME IN WITH THAT. I see some other curious entries in this one - with mixed up alphabets,etc. Whaddaya think.

JSngtRvr!!! Alleluiah, MY INTERNET eXPLORER IS FIXED, THANK YOU, THANK YOU, THANK YOU!!! I just thought to try again too reinstall ie6setup. Since you had me remove all that stuff, we must have hit the jackpot. I was surprised to see it acting like it was installing because often in the pass it would make me think it was doing its do, but then would give me some kind of negative msg toward the end.ANYHOW, it finished and REBOOTED. I WAS SURPRISED TO SEE THE COOKIE BLOCKER POP UP (PRIVACY ALERt)and surmised that something had changed and Lo! IE and Google took me to my homepage which is the first time that happened "since Heck was a pup" ((;

But one more question for you. Do you think I should "fix" all those entries with mixed up letters as files on my last log? They all seem to be recent when I was receiving popups galore a few weeks ago. It looks like somebody's handiwork who has nothing to do but allow his brain to become the devil's workshop and whose intent is to bring misery to his brother's life instead of joy.

Thank you brother again for spending so much of your time and energy helping me.
Zkhul


----------



## JSntgRvr (Jul 1, 2003)

We still have some nasties. Have HJT Fix the following:

O4 - HKLM\..\Run: [LFJUW] C:\WINDOWS\SYSTEM\WWKKKUE\LFJUW.EXE
O4 - HKLM\..\Run: [YPGY] C:\WINDOWS\SYSTEM\GQTY\YPGY.EXE
O4 - HKLM\..\Run: [AEIRJP] C:\WINDOWS\SYSTEM\JSVTCRXU\AEIRJP.EXE
O4 - HKLM\..\Run: [eixyrh] C:\WINDOWS\SYSTEM\ykiuars\eixyrh.exe
O4 - HKLM\..\Run: [EDFKRIQ] C:\WINDOWS\SYSTEM\VNAUXN\EDFKRIQ.EXE

I will have someone else take a look as it. Meanwhile, download Startdreck Do not run it yet:

http://www.niksoft.at/_data/startdreck.zip

Download and run the LOP uninstaller and the Peper Trojan uninstaller from this link:

http://www.thespykiller.co.uk/downloads.htm

After running the above programs, run Startdreck:

UnZip the startdreck.zip file first. DoubleClick: 'StartDreck.exe' 
First click on the config button. 
Now click the Unmark all button 
Put a check by these boxes only: 
*Registry->run keys 
*Registry->Browser helper objects 
*System/drivers> Running processes 
hit >ok.

Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here, including a HJT log, and await further instructions.


----------



## JSntgRvr (Jul 1, 2003)

Since is already Easter in the UK, someone will be looking at this later on. Get those logs going and someone will be taking a look at them later on..


----------



## zkhul (Nov 26, 2002)

JSngtRvr!!! Alleluiah, MY INTERNET eXPLORER IS FIXED, THANK YOU, THANK YOU, THANK YOU!!! I just thought to try again too reinstall ie6setup. Since you had me remove all that stuff, we must have hit the jackpot. I was surprised to see it acting like it was installing because often in the pass it would make me think it was doing its do, but then would give me some kind of negative msg toward the end.ANYHOW, it finished and REBOOTED. I WAS SURPRISED TO SEE THE COOKIE BLOCKER POP UP (PRIVACY ALERt)and surmised that something had changed and Lo! IE and Google took me to my homepage which is the first time that happened "since Heck was a pup" ((;

But one more question for you. Do you think I should "fix" all those entries with mixed up letters as files on my last log? They all seem to be recent when I was receiving popups galore a few weeks ago. It looks like somebody's handiwork who has nothing to do but allow his brain to become the devil's workshop and whose intent is to bring misery to his brother's life instead of joy.

Thank you brother again for spending so much of your time and energy helping me.
Zkhul


----------



## JSntgRvr (Jul 1, 2003)

Yes I do. Also go to the following link, and even if you have to reinstall these programs, download and update the following programs:

http://forums.techguy.org/t110854.html

Coolweb Shredder
Spybot 
Adaware

Run the above programs once updated and remove all malware found.

Also perforn at least two online Virus Scans.

Keep me posted.


----------



## JSntgRvr (Jul 1, 2003)

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

http://forums.techguy.org/t110854.html


----------



## Cookiegal (Aug 27, 2003)

JSntgRvr asked me to take a look but it appears that everything is back to normal. It would still be a good idea to post one more log to be sure though.


----------



## zkhul (Nov 26, 2002)

Cookiegal thanks,

After I posted yed, I thot I spoke to soon cause after I rebooted I kept getting a 
screen that looked like it was in safe mode, but I wondered why I could still get on the 
net. So I changed my desktop to "none" (no image) AND IT RETUrned to normal.
But then, each time I reboot it would resort to the F8 screen and when I opted for
a "normal" boot it would still take me to safe mode. I was able to run my current spybot which found 524 entries which I got rid of. My ad-aware hung when I tried to 
delete what it found (a lot) so I will reinstall that. I'm still getting a bunch of popups even tho my Panicware popup stopper is active, so I plan to reinstall that. I got rid of some of these x y zs in in HJT log yed, but there's a bunch more. Should I empty my cookie jar every day as well as temp int files? Since t'day is Easter, I haven't done all that my saviour, jsntgrvr, suggested I do, but here is the current hjt log. Logfile of HijackThis v1.99.1
Scan saved at 8:34:24 PM, on 3/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\SYSTEM\GQTY\YPGY.EXE
C:\WINDOWS\SYSTEM\DDZBTH.EXE
C:\WINDOWS\TEMP\XXKSAIW.EXE
C:\WINDOWS\PACKAGER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [YPGY] C:\WINDOWS\SYSTEM\GQTY\YPGY.EXE
O4 - HKLM\..\Run: [ddzbth] c:\windows\system\ddzbth.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [VidSvr] 
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll


----------



## JSntgRvr (Jul 1, 2003)

Download and run the Startdreck as suggested in Post #21. It will be needed. Await for Cookiegal support.


----------



## zkhul (Nov 26, 2002)

Dear Guys.

Below is my latest HJT log. My computer is working pretty good now, but I won't say "resolved" because my sento command doesn't work when right clicking on a file nor from a site or page online. Could I have deletefd or fixed something that I actually needed. I used super ad blocker whiich found a lot of stuff that must have been hiden secreted in crooks and crannies. And tho I reinstalled outlook express my insert attachment option pauses and then sends me to my deskktop with nothing else happening. Sounds like something fairly simple, but what do I know? Any ideas. Thanx

file of HijackThis v1.99.1
Scan saved at 9:44:06 PM, on 4/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## JSntgRvr (Jul 1, 2003)

The HJT log is either incomplete or you have deselected lines in MSConfig. Essential programs seems to have been disabled. These are:

SystemTray
ScanRegistry
*Statemgr

If you are running Windows in selective Startup, run Msconfig, click on Normal Startup. Click Ok and restart the computer when prompted. Then Run HJT and submit the log.


----------



## zkhul (Nov 26, 2002)

So a lot of this stuff has been fixed already, now they're back. So what is my popup stopper doing. altho I'm not seeing that many popups now:


----------



## zkhul (Nov 26, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 11:41:51 PM, on 4/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0z9h6l7m.slt\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddzbth] c:\windows\system\ddzbth.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\SYSTEM\abasa5jrp.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEYPJ32.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## JSntgRvr (Jul 1, 2003)

JSntgRvr said:


> Download and run the Startdreck as suggested in Post #21. It will be needed. Await for Cookiegal support.


You disappeared after our last contact. Never deselect a program in Msconfig while we are dealing with these parasites. I will remind Cookiegal.


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Delfin Media Viewer*

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.

*O4 - HKLM\..\Run: [ddzbth] c:\windows\system\ddzbth.exe

O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe

O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\SYSTEM\abasa5jrp.exe

O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEYPJ32.EXE

O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE*

Then boot to safe mode (see how below), locate and delete these files and/or folders:

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop. 
2. Double-click on the My Computer icon. 
3. Select the Tools menu and click Folder Options. 
4. After the new window appears select the View tab. 
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. 
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types. 
7. Remove the checkmark from the checkbox labeled Hide protected operating system files. 
8. Press the Apply button and then the OK button and shutdown My Computer.

c:\windows\system\*ddzbth.exe* - file
C:\WINDOWS\SYSTEM\*pacis.exe * - file
C:\WINDOWS\SYSTEM\*exp.exe* - file
C:\WINDOWS\SYSTEM\*wintask.exe* - file
C:\WINDOWS\*FARMMEXT.exe* - file
C:\WINDOWS\*BXXS5.DLL * - file
C:\WINDOWS\SYSTEM\*abasa5jrp.exe* - file
C:\WINDOWS\SYSTEM\*ELITEYPJ32.EXE* - file
C:\WINDOWS\SYSTEM\PICSVR\*PICSVR.EXE* - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Do a couple of on-line virus scans at these links:

http://housecall.trendmicro.com/ - be sure to check auto clean before scanning

http://www.pandasoftware.com/activescan/

Click here : http://forums.techguy.org/attachment.php?attachmentid=46452
to download FindIt9xME.zip. Unzip it to your desktop.

Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.


----------



## zkhul (Nov 26, 2002)

Hi CookieGal, thanks for your help!
I did delete those 9 nasties and ran the virus scans. The first below is the \Startdreck log, that JSntgRvr reminded me I should do. And then yhe output.txt that you suggested. First let me say the first time I tried to open Startdreck, I got an error in Kernel32. Plus now the PC only boots to the startup "normal", "safe", etc screen. Until I click "normal". Don't have "command prompt" on there, but it used to be there. My "send to" command doesn't work, but I get online now with IE which I could notB4:

StartDreck (build 2.1.7 public stable) - 2005-04-04 @ 14:22:49 (GMT -04:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as zar at ZAR

»Registry
»Run Keys
»Current User
»Run
*HijackThis startup scan=C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe /startupscan
»RunOnce
»Default User
»Run
*HijackThis startup scan=C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe /startupscan
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*ASUS Probe=C:\Program Files\ASUS\Probe\AsusProb.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*OneTouch Monitor=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Adaptec DirectCD=C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
»RunOnce
»RunServices
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*SchedulingAgent=mstask.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*WinTools=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
*VidSvr= 
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*SABBHO.SuperAdBlockerBHO.1/{00000000-6C30-11D8-9363-000AE6309654}
`InprocServer32=C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
»Files
»System/Drivers
»Running Processes
+FFCFA0E1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE585=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFED7D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFC505=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9265=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE85A9=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD75FD=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD72B1=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFDBE6D=C:\WINDOWS\SYSTEM\DEVLDR16.EXE
+FFFD9059=C:\WINDOWS\EXPLORER.EXE
+FFFC22F9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCD1D5=C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
+FFFCCC21=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCC40D=C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
+FFF38739=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF39EED=C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
+FFFC38FD=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFF1EBA1=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF3C575=C:\NEW FOLDER (4)\STARTDRECK.EXE
»Application specific-----------------------

Findit log:Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is DISK 
Volume Serial Number is 3825-16EB
Directory of C:\WINDOWS\SYSTEM

16,442.31 MB free

------- Hidden Files in System Directory -------

Volume in drive C is DISK 
Volume Serial Number is 3825-16EB
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 23,667 04-04-05 1:58p FFASTLOG.TXT
NSVSVC 03-27-05 1:27p nsvsvc
FOLDER HTT 23,155 03-22-05 7:28p folder.htt
DESKTOP INI 271 03-22-05 7:28p desktop.ini
HPHPHT04 GID 8,628 02-12-05 2:30p hphpht04.GID
4 file(s) 55,721 bytes
1 dir(s) 16,442.30 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"H010818"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"OneTouch Monitor"="C:\\Program Files\\Visioneer OneTouch\\OneTouchMon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\PROGRA~1\\CD-WRI~1\\DIRECTCD\\DIRECTCD.EXE"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"devldr16.exe"="C:\\WINDOWS\\SYSTEM\\devldr16.exe"

Bless you guys...........................


----------



## zkhul (Nov 26, 2002)

Hello again, here is what I sent to CookieGal, but I didn't send my most recent HJT log which I include here. Thanks for all your advice:

Hi CookieGal, thanks for your help!
I did delete those 9 nasties and ran the virus scans. The first below is the \Startdreck log, that JSntgRvr reminded me I should do. And then yhe output.txt that you suggested. First let me say the first time I tried to open Startdreck, I got an error in Kernel32. Plus now the PC only boots to the startup "normal", "safe", etc screen. Until I click "normal". Don't have "command prompt" on there, but it used to be there. My "send to" command doesn't work, but I get online now with IE which I could notB4:

StartDreck (build 2.1.7 public stable) - 2005-04-04 @ 14:22:49 (GMT -04:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as zar at ZAR

»Registry
»Run Keys
»Current User
»Run
*HijackThis startup scan=C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe /startupscan
»RunOnce
»Default User
»Run
*HijackThis startup scan=C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe /startupscan
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*ASUS Probe=C:\Program Files\ASUS\Probe\AsusProb.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*OneTouch Monitor=C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Adaptec DirectCD=C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
»RunOnce
»RunServices
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*SchedulingAgent=mstask.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*WinTools=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
*VidSvr= 
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*SABBHO.SuperAdBlockerBHO.1/{00000000-6C30-11D8-9363-000AE6309654}
`InprocServer32=C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
»Files
»System/Drivers
»Running Processes
+FFCFA0E1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE585=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFED7D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFC505=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9265=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE85A9=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD75FD=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD72B1=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFDBE6D=C:\WINDOWS\SYSTEM\DEVLDR16.EXE
+FFFD9059=C:\WINDOWS\EXPLORER.EXE
+FFFC22F9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCD1D5=C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
+FFFCCC21=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCC40D=C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
+FFF38739=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF39EED=C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
+FFFC38FD=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFF1EBA1=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF3C575=C:\NEW FOLDER (4)\STARTDRECK.EXE
»Application specific-----------------------

Findit log:Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is DISK 
Volume Serial Number is 3825-16EB
Directory of C:\WINDOWS\SYSTEM

16,442.31 MB free

------- Hidden Files in System Directory -------

Volume in drive C is DISK 
Volume Serial Number is 3825-16EB
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 23,667 04-04-05 1:58p FFASTLOG.TXT
NSVSVC 03-27-05 1:27p nsvsvc
FOLDER HTT 23,155 03-22-05 7:28p folder.htt
DESKTOP INI 271 03-22-05 7:28p desktop.ini
HPHPHT04 GID 8,628 02-12-05 2:30p hphpht04.GID
4 file(s) 55,721 bytes
1 dir(s) 16,442.30 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"H010818"=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"OneTouch Monitor"="C:\\Program Files\\Visioneer OneTouch\\OneTouchMon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Adaptec DirectCD"="C:\\PROGRA~1\\CD-WRI~1\\DIRECTCD\\DIRECTCD.EXE"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"devldr16.exe"="C:\\WINDOWS\\SYSTEM\\devldr16.exe"

Bless you guys...........................

Logfile of HijackThis v1.99.1
Scan saved at 3:01:00 PM, on 4/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [VidSvr] 
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - User Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

I forgot also to mention my icons don't show in my systray all of a sudden. I restored my msconfig to normal.


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

WinTools or
WinTools for Internet Explorer V2 or
WinTools Easy Installer

Rescan with Hijack This and have it fix this entry:

O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE

Then, in safe mode locate and eelte this folder:

C:\PROGRA~1\COMMON~1\*WINTOOLS*

Download this zip file to your desktop. Double click the IEFix.exe and run it.

http://windowsxp.mvps.org/utils/IEFix.zip

Let me know how it goes please.


----------



## zkhul (Nov 26, 2002)

Things are getting curiouser and curiouser! The 3 Wintools files were not in Add/Remove in control Panel. I removed the item from HJT log. Couldn't find hide nor hair of it in dos directory or explorer/search folders. When I tried to reboot, it didn't until the 3rd try at which time it took me to the black f8 screen. Clicking normal took me to my desktop, but then the same ole same ole happened? Everything I clicked gave me kernel32 errors. Couldn't go anywhere, so I rebooted again and tho I got kernel32 error it still took me to msn.com, but wouldn't let me into my.msn.com due to a cookie problem. I enabled cookies, and still can't get in. I'm surprised I was able to get here. Still no icons in systray and still no "send to" action and when I try to "insert" attachment in OE. it hangs or sends me back to desktop. I ran IEfix, Do you need to see the log? I appreciate all the help you guys have given. Maybe I just need a new computer or to reformat or something. Thanx


----------



## JSntgRvr (Jul 1, 2003)

Start the Registry Editor (Start->Run, type Regedit and click Ok).

Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {89820200-ECBD-11cf-8B85-00AA005B4383}

Highlight the key {89820200-ECBD-11cf-8B85-00AA005B4383} by clicking on it. On the right pane look for the IsInstalled value. Right click on it, and then click Modify. Change the value data, from 1 to 0 and click Ok.

Use the same process and change the IsInstalled value from the following registry key:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {44BBA840-CC51-11CF-AAFA-00AA00B6015C} from 1 to 0.

Close the Registry Editor.

Search in your computer for the file *ie6setup.exe*. Once found, doubleclick on it and reinstall all components.


----------



## zkhul (Nov 26, 2002)

There is nothing that says "IsInstalled". Is that the same as "default" which had no value. There are two 44BBA840-CC51-11CF-AAFA-00AA00B6015C, except one has "restore" after the bracket. I suppose I should disregard this?


----------



## JSntgRvr (Jul 1, 2003)

Seems that you have several registry entries missing. If that is the case, you will need to reinstall.

Search in the computer for the following files:

Precopy*.cab
Win_13.cab

If found let me know their location. This is to determine if the installation files are in the computer.


----------



## zkhul (Nov 26, 2002)

Hi, both precop~1 and win_13.cab are in C:\WINME\WIN9X


----------



## zkhul (Nov 26, 2002)

IE6setup said all components already installed, so I said reinstall all anyway. It did and rebooted. Virtual Bouncer tried to load, but spysubtract caught and killed it.
Tried to "insert" attachment in OE, it hung and then kernel32 error. Everything seems fine now except sendto and that insert command in OE, but don't want to speak to soon. My last HJT attempt caused error in kernel32. I have already "extracted kernel32 from win_10.cab /a, not that it's done any good. But you have to remain humorous in such circumstances. )) ;


----------



## zkhul (Nov 26, 2002)

Spoke to soon, tried to login to my bank and the kernel32 error showed up, wouldn't
go away with clicking and clicking, until finally just my desktop hung there with no icons. Had to shut down and reboot.


----------



## JSntgRvr (Jul 1, 2003)

Seems to me that you will need to reinstall. This can be done in several ways:

1. Install over the existing installation:

This can be done, however, there is always the possiblility that certain programs may interfere with the installation such as, Windows Media Player and Internet Explorer, if these programs were upgraded after the first installation. In order to avoid conflicts during Setup, these programs will need to be removed. In the case of Internet Explorer, this must be reversed to the previous version.

2. Parallel Install:

All your applications (Programs) will be lost but your documents will be safe.

Let me know what you want to do.


----------



## zkhul (Nov 26, 2002)

If parallel install means to a different folder, I'd rather not. WMP can always be reinstalled. I think I have already reinstalled over IE6 at one time or another. Why can't I again? Or can I uninstall it and use ie6setup again. What else may have to be uninstalled to assure a good reinstallaltion of Winme. What do you think of XP? I thot 
I had it on disc, but when trying it found the disk was empty. How it got erased, I'll never know. Thanx for all your input. Noe


----------



## JSntgRvr (Jul 1, 2003)

In my experience, only those two and if present, the Anti Virus program. Read the entire reply before making a move.

To install over the existing installation:

Remove all external peripherals from the computer. Only the Keyboard, Mouse and Monitor should be connected.

Remove the following programs from the computer:

Windows Media Player
Microsoft Internet Explorer and Internet Tools

If you cannot Remove Microsoft Internet Explorer and Internet Tools, reverse the program to a previous version (It will be an option).

Boot the computer with a startup diskette (ME). At the Menu select Minimum boot.

You will need the Product Key to proceed. The following Command will extract the Product Key from the registry. Type the following and press Enter after each line:

C: 
Copy C:\Windows\Command\Find*.* 
Find /I "ProductKey" C:\Windows\System.dat

If you are unable to obtain the Product Key by these means, the Product Key can also be obtained by running Regedit in Windows. Navigate to the following Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Click on CurrentVersion to highlight it. Look at the right pane and scroll down to ProductKey. Double click on it. The Value will be the ProductKey.

*If you do not have a Product Key you cannot proceed as Windows will not install.*

Once you have the product key, continuing at the C:\ Command prompt, type the following, pressing Enter after each line:

Copy C:\Windows\Move*.*
Move C:\Progra~1\Window~1 WMP
Move C:\Progra~1\Intern~1 IE
cd WINME
cd WIN9X
Setup

Although I have tried in the above procedure to avoid conflicts in the installation, it is not a guarantee that you may not run into problems during installation, but there is always a way.

Let us know how it goes.


----------



## zkhul (Nov 26, 2002)

It seems years ago when I had Msn as an ISP I had kernel32.dll problems which the telephone techie told me how to fix. PC has worked fairly well today, fast, not many errors or hanging except for outlook express with which I cannot send to from a site or from right clicking on a file. I can send photos within the msg but not as an attachment. If there simply is no fix, I'll just have to reinstall. Doesn't anyone know fixes for kernel32.dll besides renaming and extracting from cab files, which I did.

Here is final HJT log:Logfile of HijackThis v1.99.1
Scan saved at 7:38:52 PM, on 4/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr] 
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB


----------



## Cookiegal (Aug 27, 2003)

What is the exact Kernel32.dll error message you're getting?


----------



## zkhul (Nov 26, 2002)

Some program or another "has caused an error in kernel32.dll", e.g. Internet Explorer, Msimn, etc. It used to happen when ever I tried to go ANYWHERE. Foxfire in he main,
at one time. was the only way I could access the net. You guys solved that for me.
But now it is intermittent. I can't say at what point in a program it acts up, but
some page will hang, and control, alt, del, won't budge it or close it down, and sooner
or later the error in kernell32.dll. Then clicking OK will not get rid of the error msg(it flashes back on) until finally it goes and leaves a blank desktop (no icons) and at times it will take me to Big Blue and usually I just press "reboot" button. That's a close description/ xplanation of what/'s occurring witrh my PC. But I do remember 3 or4 years I fixed it. Thanx

I just saw on search page that kernel32.dll is mentioned several times witn
Wundows 95. I run Winme. Do I really need it?


----------



## Cookiegal (Aug 27, 2003)

Try renaming the hidden folder in windows named "APPLOG" to something different, like "APPLOG2" and see if that solves the problem.


----------



## zkhul (Nov 26, 2002)

Geez, I just wrote you a long message and went back to check on something I was writing and came back to find my message gone. Just let me say thanks guys. I believe my main wininet.dll and kernel32 problems are gone - resolved! ! As I have done my usual internet thing and have had not those errors today. I have a few malingerers ( : but I will post them later in the appropriate section - that sento command still doesn't work and that insert attachment in OE, etc. I am sincerely grateful for your aid guys, thanks again. Zkhul


----------



## Cookiegal (Aug 27, 2003)

You're welcome. What exactly happens, are *send to* and *insert attachment* greyed out?


----------



## JSntgRvr (Jul 1, 2003)

It seems that the Outlook Express installation is corrupted. I would suggest that you reinstall the Explorer after restoring it to a previous version.

*Restore the previous version of Internet Explorer.*

Start the computer with startup diskette (ME). At the Menu select Minimum Boot.

At the command prompt, type: edit c:\windows\system.ini. Press ENTER.

In the C:\windows\SYSTEM.INI file, locate the line of text under the [boot] section that lists Shell=Explorer.exe. This is typically the third line in the file.

Edit the Shell=Explorer.exe line by deleting the Explorer.exe text and replacing it with Winfile.exe. Example: the line should list the following: Shell=Winfile.exe

To save the changes, press the ALT+F keys.

A menu displays in the upper left corner of the screen. Press the X key to exit.

Press ENTER to save the changes and return to the command prompt.

At the command prompt, restart the computer by pressing the CTRL+ALT+DELETE keys. Once Windows has restarted, it starts into the Windows File Manager.

In the File Manager window, double-click progra~1 in the left hand window to open the Program Files folder.

Double-click intern~1 in the left hand window to open the Internet Explorer folder.

Double-click setup in the left hand window to open the Setup folder.

In the File Manager window, double-click Setup.exe in the right hand window to launch Internet Explorer setup.

Note: If the setup folder is not available, Internet Explorer has not been updated and a previous version of Internet Explorer cannot be restored.

In the Internet Explorer 6 and Internet Tools Setup window, click OK.

In the Setup Message dialog box, click Yes to restore the previous version of Internet Explorer.

Internet Explorer setup removes components.

In the Internet Explorer 6 and Internet Tools - Restart Windows dialog box, click Restart Windows and allow the computer to boot with the Startup diskette.

At the Menu select Minimum Boot.

At the command prompt, type: edit c:\windows\system.ini. Press ENTER.

In the C:\windows\SYSTEM.INI file, locate the line of text under the [boot] section that lists Shell= Winfile.exe. This is typically the third line in the file.

Edit the Shell=Winfile.exe line by deleting the Winfile.exe text and replacing it with Explorer.exe. Example: the line should list the following: Shell=Explorer.exe

To save the changes, press the ALT+F keys.

A menu displays in the upper left corner of the screen. Press the X key to exit.

Press ENTER to save the changes and return to the command prompt.

Remove the Startup diskette.

At the command prompt, restart the computer by pressing the CTRL+ALT+DELETE keys

Windows starts to a blue screen, but will still be accessing the hard drive for a period of time. When finished, Windows is on the desktop, but an older version of Internet Explorer is installed.

If you are able to restore the previous version of Internet Explorer, you can then go on line and reinstall Internet Explorer 6.0 SP1, which in turn will reinstall Outlook Express.

http://www.microsoft.com/downloads/...cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en


----------



## zkhul (Nov 26, 2002)

hELLO, THE INSERT ATTACHMENT COMMAND IS NOW WORKING IN OE. They weren't greyed out, just didn't move. I don't know why "insert didn't work. It hadn't in weeks. Guess you scared it Cookiegal () ; Send is not greyed out on drop-down menu- just won't send a file, photo, or song to "mail recipient". To others like floppy A, desktop, direct CD, my documents, etc. it works. On a web page, the drop down file box "send" doesn't do anything least of all send when clicked. No link, no page by email, no shortcut to desktop. I suspect JSntgRvr may be right about reinstalling tho I dread it. Oh, almost forgot, all of a sudden today, my sound is gone. Vol control is there, and not on mute. Might have been since Saturday, since today Mon, is first time since then I tried it. Everrything looks OK in system device, no yellow marks. I 
will report back here after following or trying to reinstall winme and ie. Thanx


----------



## zkhul (Nov 26, 2002)

Hi guys,

I'm so embarrassed. My sound is back because I turned my speakers back up. ):
My computer is running so beautifully...fast, no popups, (well except for a couple from Microsoft when it feels like buggin you. ( ; Since I hate reinstalling so bad, I'm going to research that sendto thing for a bit. I've seen suggestion that a registry item may be missing. It really is no biggie, just a bugger. Just in case tho I made sure to print out RJSntgsvr's instructions. Will be back........


----------



## zkhul (Nov 26, 2002)

Hi Guys,
Well I followed RJSntgsvr's detailed instructions and all went well til I said 'Yes, restore previous version", error that files are missing or corrupt, cannot restore, appeared. So I tried my heretofore trusty startup disk and got an I/O error. So booted to safe mode and "start, run" system.ini to change back to explorer.exe. Got my desktop back but the same ole version of internet explorer. Is there anything else we can do to restore "send" to functionality? Is this a specific OE problem, or just IE6 problem. If I tried to remove all traces of Ie5 as well as ie6 from registry, etc. then use Mozilla to reinstall 6.0 sp1, would this work? Thanks guys.........


----------



## JSntgRvr (Jul 1, 2003)

Have you tried downloading IE 6.0 SP1 from the Internet.

Not only you have missing files, but also registry entries.

If the attempt to reinstall IE throughout a download fails, I believe you will need to reinstall the OS. See Post #47.


----------



## zkhul (Nov 26, 2002)

Hi Guys, analyze this: I just left this forum with the intention of following your last advice. On a stroke of frustation,I uninstalled OE6, and clicked yes to reboot. Back at the desktop, I noticed Outlook Express icon still there, so naturally I clicked it. Voila, up popped OE 5.5, with the "insert" command working. But Alas, my sendto mail recipient on file dropdown menu and "send" on IE file menu, still doesn't work. I'll leave it at that since I should now be able to attach files and photos with my "insert", but not web pages to any mail I may send. I guess its time to say "RESOLVED"!! Do you agree? Once more--thank you.


----------



## JSntgRvr (Jul 1, 2003)

Here are two fixes:

http://windowsxp.mvps.org/sendtomail.htm

http://www.petri.co.il/send_to_mapi_recipient_shortcut.htm


----------



## JSntgRvr (Jul 1, 2003)

In my Windows 98 system, the file in the C:\Windows\Send to folder is labeled Mail Recipient.MAPIMail. It should be the same in Windows ME.


----------



## JSntgRvr (Jul 1, 2003)

Here is another one:

http://www.comcast.com/Support/Corp1/FAQ/FaqDetail_2248.html


----------



## zkhul (Nov 26, 2002)

Hi JSntgRvr. It is the same, but doesn't work. That's why i SUSPECT IT MAY BE THE REGISTRY, but the proper entry seems to be there. See below.

I used the advice given in URL 2 you posted, IT STILL DIDN'T WORK, BUT I noticed it said it would only work for Outlook 98, 2000, XP OR 2003 AS DEFAULT MAIL CLIENT, mine is outlook express on winme. Plus even tho the dropdown menu already has a "Mail Recipient.MapiMail" entry, I made a new entry with MapiMail as the extension and still no go.

URL # 1 was a little hard to understand for me. First in case #1, it was already set as default client. #2, I ran in separate entries - MSIMN.EXE /REG
regsvr32 "%ProgramFiles%\Outlook Express\msoe.dll"....#3 I need help. How do you "apply" this registry fix? Just by copying it to notepad> 
"---------Cut---------

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.MAPIMail]

@="CLSID\\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MAPIMail]

---------Cut---------"
I found that very entry is already in regedit. Can you explain? PS What do %s around files mean.


----------



## JSntgRvr (Jul 1, 2003)

Lets take it on by one. Using Windows Explorer, navigate to the C:\Windows\Sendto folder. Is there a file labeled "Mail Recipient"?


----------



## JSntgRvr (Jul 1, 2003)

Run the following Run Command one by one. (Start->Run, type the command)

MSIMN.EXE /REG
regsvr32 C:\Program Files\Outlook Express\msoe.dll
REGSVR32 SENDMAIL 

Restart and test the feature.


----------



## zkhul (Nov 26, 2002)

OK After running MSIMN.EXE /REG, No error msg or anything. after REGSVR32 SENDMAIL, I got dll......succeeded, and after rhe middle one,regsvr32 C:\Program............, I got this: Load Library ("C\Program") failed
GetLastError return - 0x00000485

And yes, there is Mail Recipient.MapiMail in C:\Windows\Sendto folder which when clicked takes you to "Open with" window. When clicked on in a file or photo drop-down window, it does nothing. I rebooted anyhow, and "send" still will not work.


----------



## JSntgRvr (Jul 1, 2003)

The error indicates that the MSOE.dll was not found. Search for this file. The correct path is C:\Program Files\Outlook Express. If not found, extract a copy of this file from the cabs. It should be located in the Win_13.cab Folder. Once extracted to the right path, run the command:

regsvr32 C:\Program Files\Outlook Express\msoe.dll


----------



## zkhul (Nov 26, 2002)

I renamed the msoe.dll and extracted same from win_13.cAB to Progra~1\Outlook Express and got same load library failed. But tell me, should the quotation marks go or stay? What about the % s (percents signs)?


----------



## zkhul (Nov 26, 2002)

Went to "read mail" from the internet and got "OE cannot open because msoe.dll
could be loaded". Although I got that same error "LoadLibrary failed" all yesterday, I still could access my email. What's happening with this puter??


UPDATE!!!JUST WENT BACK AND RESTORED MY OLD MSOE.DLL WHICH WAS A LATER ONE THAN THE ONE EXTRACTED FROM CAB AND OUTLOOK EX OPENED,
but the error still comes up.


----------



## JSntgRvr (Jul 1, 2003)

I am as Puzzle as you are. Maybe posting this question in the Web and E-mail Forum may throw a better light:

http://forums.techguy.org/f17-s.html


----------

