# Scrrun.dll ? (and page faults in User32.dll)



## chief1966 (Feb 17, 2004)

I noticed another thread today saying they try to repair IE6SP1 and get the message that scrrun.dll is missing. The answer given by rolling rog is to remove IE6 and reinstall. I have the IE6setup.exe on my desktop. If I remove the IE6SP1 and then run that file will it reinstall it clean for me? When I run sfc i get the message that IE4.dll is missing. will the above solve this problem?
I am also getting invalid page fault errors in Module USER32.dll or user exe or Module(unknown). Are all of these problems tied together? Any instructions need to give me all the steps as I am not very sure about some of the moves.

I am running windows 98 on a PentiumII, 350 Mhz with 256K memory. I have all of the Windows updates downloaded, however I have noticed that the latest security download ending in 009 (I think) does not show in add/remove programs and update keeps telling me to download it again, even tho i have downloaded it several times. I have avg free, ad-aware, spybot, spyblaster and try to run them regularly. 

Chief


----------



## Rollin' Rog (Dec 9, 2000)

I'm not sure about the page fault being related since it's not a part of IE itself; but if you remove your current version of IE it would be better for you to update it again directly to SP1 AND apply the last cumulative patch update -- both would have to be done. If your setup doesn't say ie60sp1, it isn't

I believe IE4.dll will come with the new setup.

The IE Homepage site is here: http://www.microsoft.com/windows/ie/default.mspx

If you continue to have problems after removing and reinstalling IE, post a HijackThis Scanlog:

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe


----------



## JSntgRvr (Jul 1, 2003)

Search for the file scrrun.dll. If present in your C:\Windows\System folder, re-register the file:

Go to Start->Run, type the following and click OK:

REGSVR32 "C:\Windows\System\Scrrun.dll"

Retry the Repair.


----------



## chief1966 (Feb 17, 2004)

in find files I find scrrun.dll in C\unzipped\ size 145 application extension. How can I move this to IE?


----------



## Rollin' Rog (Dec 9, 2000)

First right click on it and select Properties > Version.

For IESP1 it should be

5.6.0.6626

If it is you can copy it to c:\windows\system


----------



## JSntgRvr (Jul 1, 2003)

Extract and save in C:\Windows\System. Once done register the file as previously posted.


----------



## chief1966 (Feb 17, 2004)

Could not find a version number on the file I had, so downloaded it and installed it and registered it and then the ie repair did work. going to reboot now and see what happens will let you know later. Thanks for the help to now.


----------



## chief1966 (Feb 17, 2004)

OK, I rebooted and ran sfc and it still shows IE4.dll corrupted. Do you have a download for that and where do I save it to? and do I need to register it too?
Chief


----------



## chief1966 (Feb 17, 2004)

Still need download of IE4.dll. Also this morning I received invalid page faults in DIBENG.dll and Kernel32.dll. Do these indicate anything?


----------



## JSntgRvr (Jul 1, 2003)

Download, extract and save in C:\Program Files\Internet Explorer, then register the file:

REGSVR32 "C:\Program Files\Internet Explorer\IE4.dll"


----------



## JSntgRvr (Jul 1, 2003)

If experiencing error messages, click on the Details of the error message and post its contents in a reply.


----------



## chief1966 (Feb 17, 2004)

Having trouble with the registration of IE4.dll, after I downloaded it and tried to register it I got the following error message. 
Load Library(C:\Program Files\Internet Explorer\ IE4.dll") failed . 
Get last error returns 0x0000001f
Am I doing something wrong? When I download it it doesnot seem to come up with the route as just as you list it. Not sure if I am getting it to the right place. Help Please


----------



## Rollin' Rog (Dec 9, 2000)

> LoadLibrary("dskmaint.dll") failed. GetLastError returns 0x000001f
> 
> From Winerror.h, 0x000001f = 31 (ERROR_GEN_FAILURE), which means "A device attached to the system is not functioning." This behavior can occur if you try to register a Win16 .dll file. For example, typing regsvr32 dskmaint.dll returns this error message.


ref: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q249873&


----------



## JSntgRvr (Jul 1, 2003)

chief1966 said:


> Having trouble with the registration of IE4.dll, after I downloaded it and tried to register it I got the following error message.
> Load Library(C:\Program Files\Internet Explorer\ IE4.dll") failed .
> Get last error returns 0x0000001f
> Am I doing something wrong? When I download it it doesnot seem to come up with the route as just as you list it. Not sure if I am getting it to the right place. Help Please


Seach for this file. Where is it located?


----------



## Rollin' Rog (Dec 9, 2000)

I get the same error when trying to register the file; regsvr32 found the file or you would have gotten a different error. So one must assume, but I cannot tell for sure, that it is a 16 bit dll.

What I can tell you for sure, is you do not need it to run Internet Explorer -- in fact I am posting with Win98 IE6 SP1 now with that file renamed in the IE folder.

It is probably just used for setup purposes and does not otherwise load.


----------



## chief1966 (Feb 17, 2004)

I found that file as JSntqRvr asked and found it

C:\Windows 140 4-29-99 application exte
C:\Windows 119 8-29-02 "
C:\My Documents 119 8-29-02 "
C:\Program Files 119 7-15-05 "
C:\ Program Files 119 8-29-02 "
C:\Unzipped 104 9-18-97 "
C:\unzipped 119 8-29-02 "
evidently I had this problem some time ago but canI delete some of these. 

Also Rog I think you are right it seems ok without it.
I am still getting invalid page faults. should I post them in this thread or start another?
Sure appreciate thehelp

Chief


----------



## chief1966 (Feb 17, 2004)

Oh yes , another question. When I get an invalid page fault window, Is there a way I can copy it and paste it back here without writing it out and typing it here. I dont know how to do this. Is it possible?

Chief


----------



## Rollin' Rog (Dec 9, 2000)

Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

On the issue of copying "illegal operation" faults; I can't remember whether what you see on the "details" tab is directly copyable. Only the first two lines are really important.

However I'm uploading an attached zip file. Completely unzip this so it is not in the zip folder and double cliick it and accept the merge to the registry. If successful it will say so.

Thereafter, and you can make a shortcut to it, fault logs will be stored in "c:
windows\faultlog.txt" when they occur.

You can copy/paste those.

You can delete the zip and registry file or store it someplace once it is merged.

Also does the IE Repair utility complete without error now that you have replaced scrrun.dll?


----------



## JSntgRvr (Jul 1, 2003)

chief1966 said:


> I found that file as JSntqRvr asked and found it
> 
> C:\Windows 140 4-29-99 application exte
> C:\Windows 119 8-29-02 "
> ...


Still in the wrong place. It should be copied to C:\Program Files\Internet Explorer folder. Specially the one downloaded / dated 8-29-02 . The rest can be deleted.

If the error message is on a blue screen, you willl need to write it down. If on a grey screen, ussually there is a button labeled "Details". In this case you will be able to copy and paste the contents of the Details.


----------



## chief1966 (Feb 17, 2004)

I downloaded frontlog but havent seen a page fault yet. Will post it when I get it again. I ran IE repair and it went thru clean.
Here is my hijack log
Logfile of HijackThis v1.99.1
Scan saved at 9:27:03 PM, on 7/15/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\123 FREE SOLITAIRE\123FREESOLITAIRE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r 
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------



## Rollin' Rog (Dec 9, 2000)

The Scanlog is clean of obvious "malware", however you might want to review the "bonafides" of spykiller, especially as you have two other similar programs and an antivirus:

http://www.google.com/search?q=spykiller.exe&sourceid=opera&num=0&ie=utf-8&oe=utf-8

I suspect the "user32" error was a resources conflict, either due to a depletion of "system" resources or one of your programs behaving badly. The Startup list might benefit from some trimming.

One thing I'd suggest is enabling the "resource meter" as a startup -- this monitors so called "user" and "gdi" resources.

You can read about what these are on this site:

http://aumha.org/win4/a/resource.htm

http://www.russelltexas.com/tutorials/resourcemeter.htm


----------



## chief1966 (Feb 17, 2004)

I have put the resource meter in my taskbar. Will watch it and see if it is showing the reason for page faults. I ran a file search for spykiller.exe and do not find it. Where did you see it? In my hi-jack log? Tell me in more detail and I will get rid of it.Thanks Again


----------



## chief1966 (Feb 17, 2004)

oops, looked in msconfig and it did list spykiller, so I unchecked it and will see if that helps. Thanks again


----------



## Rollin' Rog (Dec 9, 2000)

Shouldn't have overlooked this, close Internet Explorer and try checking and fixing them and reboot:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


After rebooting run HijackThis again and see if the R3 entry got "fixed". This affects the ability to do searches from the address bar. The tilde there should be a bracket; if it is fixed successfully the R3 entry will not appear in the scanlog at all. If it is not, some manual editing or patching of the registry may be necessary. The "tilde" on the left should be a bracket, like the others.

The registry location (run regedit) is:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

You can manually edit this by right clicking the "clsid" in the right pane and seleting "modify". Make sure Internet Explorer is closed


----------



## chief1966 (Feb 17, 2004)

After I unchecked spysweeper I had to reboot to apply and then my computer would not go past a error message
Afatal exception has occurred at 0028:Co2758DE in VXD VMM(06) + 000028DE. The current application will be terminated.
I finally got started again by going into safe mode and doing a selected start(strictly a lucky guess on what I said no to). Can you tell anything from that message that will help me.
O yes I did get rid of that R3-URL search hook using hi-jack and it was not there when I ran it again.
Unless you can id that error message I will have to start up in safe mode.


----------



## Rollin' Rog (Dec 9, 2000)

Are you posting from the system now? Because you would not normally have internet access in safe mode.

Vmm 06 errors, as I recall, may have to do with corrupted registry entries, but without selective troubleshooting it's hard to be sure.

I was about to tell you to run "scanreg /restore" but now I see you do not have "scanregistry" enabled in your startups. Which means your choices are likely to be very old and inappropriate.

Try restarting with all entries unchecked in msconfig > startups and see if you get a normal boot. Then re-enable a few selectively and reboot to see if one of them is causing the problem.

If you get a normal boot, be sure to check "scanregistry" if present so you get a registry backup archived.


----------



## chief1966 (Feb 17, 2004)

In order to get back online I went into the safe mode and used a selective startup. I said no to about 3 or 4 different things and ended up with a boot. That is where i am now. 
I looked in startup list and do not see a scanregistry tab. I hate to shut down because I am not sure I can get started again. I just got an invalid page fault again. Sometimes it says (user32.dll) sometimes it says unknown once it was dibeng.dll and one time kernel32.dll. right now my resource meter says system 51% user 53% GDI 51%


----------



## Rollin' Rog (Dec 9, 2000)

But you are not now in Safe Mode, right? If you were you would have had to select Safe Mode with networking support and be on a broadband, not dialup connection. And it would say Safe Mode in all 4 corners of the screen.

an error in dibeng.dll would point towards a video driver problem. If your graphics resolution is reduced that might indicate why you think you are still in Safe Mode. You can try running *msconfig* and selecting the Advanced tab and loading VGA 640 drivers, which are like Safe Mode but you would otherwise be in normal startup configuration.

You are going to have to take risks. If you ran *msconfig* and disabled the entire startup group, then you need to selectively troubleshoot individual entries under the startup tab by reenabling a few of them at a time.

I can give you instructions for replacing Scanregistry, but let's try to get a normal boot first.

If you cannot isolate the problem to a particular entry in the startup list, you can try booting to a command prompt and running:

scanreg /fix


----------



## chief1966 (Feb 17, 2004)

I am not in safe mode. I clicked F8 when it started to rebootbut instead of going into safe mode I went to a selective start up and answered each start up line with yes or no. When I saw one that said AVG I said no when I saw one that said VXD in the line I said no. I think I clicked no on about 4 of the lines. Then it started normally. But I havent rebooted since then because I am sure it will not normally reboot again. Since then I have been getting theseinvalid page faults a lot. 
My better half wants to go to dinner now so I will try to disable things in msconfig startup and try that later this evening when I get back. Then will post the results. I dont think I have any graphics resolution problems. Will post later.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, I think you mean either "step by step confirmation" or "Diagnostic (interactive) startup" -- if you used msconfig.

I would suggest you run *msconfig* and take the check out of "load startup group" and reboot for a test. You can probably go online, but you will have no antivirus or firewall support.

If you get an error free boot, go back and select the "startup" TAB in msconfig and begin re-enabling a few at a time.

There is no way to isolate this except by trial and error.

You will be doing a form of Clean-boot troubleshooting; you can review these articles for detailed info:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;192926
http://support.microsoft.com/default.aspx?scid=KB;en-us;q188867


----------



## chief1966 (Feb 17, 2004)

I did not start up in msconfig but I punched F8 like i was going to safe mode but scrolled on down to a manual selective startup. I will try it with out the load start up group and see what happens.


----------



## JSntgRvr (Jul 1, 2003)

This situation started when Spykiller was deselected from the Startup Tab? Why is Spysweeper mentioned in one of the replies? Are these two different programs?

Why don't you search in your registry for entries related to Spykiller or Spysweeper, whatever may be the case, and delete those entries from the registry. If the error is due to to this scum program, eliminating any related calls from the registry may help you boot in Normal Mode.


----------



## chief1966 (Feb 17, 2004)

Rog, you are right I was using step by step confirmation in the windows 98 start up menu. By elimination I found it was in Grisoft AVG VXD, there were 3 different start lines with the VXD in them. Anyway, I uninstalled my AVG free and happened to have the install on my desktop yet so just reinstalled it and boot up works fine now except on start up I get an error message

Error loading C:\Windows\System\STLBDIST.DLL, cannot find above file.
Will need to download that file I guess.
Then we can attack those invalid page faults
IExplore caused an invalid page fault in Module ,<unknown>at 000:064f9al. witha bunch of registers below that


----------



## chief1966 (Feb 17, 2004)

anLogfile of HijackThis v1.99.1
Scan saved at 9:12:20 PM, on 7/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MEDIACTR.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r 
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

d here is my latest hijack log


----------



## JSntgRvr (Jul 1, 2003)

The error is due to the following line:

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain

Run HJT and put a check mark on that line and click on Fix checked.


----------



## JSntgRvr (Jul 1, 2003)

Download and extract the attached file to the desktop. Doubleclick on the file and merge it with the registry. That will include ScanRegistry as part of the Startup programs. Once done, restart the computer and post a new log.


----------



## chief1966 (Feb 17, 2004)

ok did the hijack fix and downloaded the file and merged it into the registry. Here is new file.Logfile of HijackThis v1.99.1
Scan saved at 9:12:20 PM, on 7/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MEDIACTR.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r 
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------



## chief1966 (Feb 17, 2004)

My system resources are running about 64 64 75 now what can I unload?


----------



## Rollin' Rog (Dec 9, 2000)

Are you sure this is a Scanlog taken AFTER you performed those actions? It does not reflect the expected results.

These items need to be checked and "fixed":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

It might be best to perform these actions in Safe Mode, and delete this file while you are there:

C:\WINDOWS\SYSTEM\STLBDIST.DLL

You can delete the entire "spykiller" folder while in Safe Mode, or you can look for an entry for it in Add/Remove programs and uninstall it if one is present.

When running that registry fix, it must be completely out of the zip folder. You should get a prompt to merge it to the registry and then a confirmation that it merged successfully.

Run a HijackThis scanlog right after rebooting, WITHOUT opening IE or going online and verify whether those items stayed deleted. Then go online for about 20 minutes and run it again to see if anything else has returned.


----------



## chief1966 (Feb 17, 2004)

Fixed 4 items in hiJack 1 didnt seem to be there and the system file STLBDIST.dll i couldnt find either. Here is new hijack scan

Logfile of HijackThis v1.99.1
Scan saved at 9:21:22 AM, on 7/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\123 FREE SOLITAIRE\123FREESOLITAIRE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r 
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

See what you think. Rebooting is normal but I am still getting invalid page faults.


----------



## Rollin' Rog (Dec 9, 2000)

I still do not see "scanregistry" there. Tell me what is happening when you double click that file.

Otherwise the scanlog looks normal at this point, so we need to document those page faults a little further. They should be showing up in c:\windows\faultlog.txt

Again, this was a .reg file. And when double clicking it you should have gotten a prompt to merge it to the registry and a confirmation that it merged successfully. If this did not happen, try it again. The faultlogs will only begin to appear once the file has been merged and a fault occurs.

If the file merged successfully, when you run *regedit* the entry should be here:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Fault]
"LogFile"="C:\\WINDOWS\\FAULTLOG.TXT"

Also try to detect a pattern. Do they all occur online? Do they occur randomly, when changing sites or closing windows? Your "system resources" do not appear to be an issue at this point, and normally shouldn't be unless the lowest value is below 25% -- at which time I would recommend a reboot or a closing of all unnecessary programs.


----------



## JSntgRvr (Jul 1, 2003)

You can live without the following programs in the background if your computer is a Desktop:

Atikey
SchedulingAgent
LoadPowerProfile (Both Entries)


Seems to me that you are over-protecting the computer. These programs are always active in the background performing the same task:

zSPGuard
WinPatrol
PopUpStopperFreeEdition

In Windows 98 all you need is an Antivirus Program and a Firewall. The above programs make no sense to me and could be the cause of your problems. In your position I would remove these programs from the computer, as well as Spykiller, throughout the Add/Remove Programs option in the Control Panel.

You can always download Sygate as a Firewall from the internet.

The ScanRegistry Fix did not work. We may have to do this manually.

Go to Start->Run, type Scanregw.exe and click Ok. If asked to save the registry, select YES.

Go to Start->Run, type regedit and click Ok. The Registry editor will be displayed.

Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Please note that in Windows 98 there are two Run keys. One of them has a "-" sign. You will be working on the Run without the "-" sign. 

Click on Run as to highlight it. On the Right Pane, right click on an empty space and select New->String Value. Label this string SCanRegistry.

Right click on the newly created String Value (ScanRegistry) and select Modify. On the Value type the following:

"C:\WINDOWS\scanregw.exe /autorun"

Once done, click Ok, close all windows and restart the computer. Post a new log.


----------



## chief1966 (Feb 17, 2004)

Found fault log

**********************************************************************
Date 07/15/2005 Time 21:14
IEXPLORE caused an invalid page fault in
module URLMON.DLL at 015f:1a40e6c1.
Registers:
EAX=004d7fc4 CS=015f EIP=1a40e6c1 EFLGS=00010202
EBX=00000000 SS=0167 ESP=0401f974 EBP=0401f990
ECX=635c80ec DS=0167 ESI=004dcedc FS=7b17
EDX=8197d0d8 ES=0167 EDI=004dce48 GS=0000
Bytes at CS:EIP:
ff 51 08 83 26 00 81 c7 3c 01 00 00 57 e8 01 4b 
Stack dump:
004d7fc4 004dce48 00000000 1a40e54a 00000000 00cc001c 0049d30c 0401facc 630210d0 00cc001c 004dce48 00000046 0401f9b8 00000004 0049d30c 02812bb0 
**********************************************************************
Date 07/15/2005 Time 23:55
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:0064f9a1.
Registers:
EAX=01b5c4b0 CS=015f EIP=0064f9a1 EFLGS=00010206
EBX=00000003 SS=0167 ESP=0064f998 EBP=00000000
ECX=0064e898 DS=0167 ESI=01bfe860 FS=4eb7
EDX=81981ee8 ES=0167 EDI=01bfe8a0 GS=0000
Bytes at CS:EIP:
3a 5c 57 49 4e 44 4f 57 53 5c 46 61 76 6f 72 69 
Stack dump:
00000104 00000000 575c3a43 4f444e49 465c5357 726f7661 73657469 0064f900 8190c050 819867f0 c15fb5c0 0064f9e8 bff7a0fe bff7b317 bff713e2 0000015f 
**********************************************************************
Date 07/16/2005 Time 00:02
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff766b9.
Registers:
EAX=00550020 CS=015f EIP=bff766b9 EFLGS=00010246
EBX=0064f7e8 SS=0167 ESP=00550000 EBP=00550008
ECX=00550108 DS=0167 ESI=81981ee0 FS=4eb7
EDX=00550164 ES=0167 EDI=00550020 GS=0000
Bytes at CS:EIP:
6a 00 68 14 00 2a 00 e8 0f ad ff ff 8b 55 08 8f 
Stack dump:
00550020 0064e908 005500f0 bff76737 00550020 005500f0 00000004 00550258 ffffffff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/16/2005 Time 00:07
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:0064f9a1.
Registers:
EAX=01b43360 CS=015f EIP=0064f9a1 EFLGS=00010206
EBX=00000003 SS=0167 ESP=0064f998 EBP=00000000
ECX=0064e898 DS=0167 ESI=01b62bd0 FS=3c8f
EDX=8198c38c ES=0167 EDI=01b62c10 GS=0000
Bytes at CS:EIP:
3a 5c 57 49 4e 44 4f 57 53 5c 46 61 76 6f 72 69 
Stack dump:
00000104 00000000 575c3a43 4f444e49 465c5357 726f7661 73657469 0064f900 8190c050 81990108 c160d480 0064f9e8 bff7a0fe bff7b317 bff713e2 0000015f 
**********************************************************************
Date 07/16/2005 Time 00:07
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff766b9.
Registers:
EAX=00550020 CS=015f EIP=bff766b9 EFLGS=00010246
EBX=0064f7e8 SS=0167 ESP=00550000 EBP=00550008
ECX=00550108 DS=0167 ESI=8198c384 FS=3c8f
EDX=00550164 ES=0167 EDI=00550020 GS=0000
Bytes at CS:EIP:
6a 00 68 14 00 2a 00 e8 0f ad ff ff 8b 55 08 8f 
Stack dump:
00550020 0064e908 005500f0 bff76737 00550020 005500f0 00000004 00550258 ffffffff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/16/2005 Time 14:18
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=018dd840 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01879760 FS=3b7f
EDX=00003233 ES=0167 EDI=01846bd0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 14:18
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=3b7f
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 14:32
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01882510 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01892380 FS=21c7
EDX=00003233 ES=0167 EDI=0183bbb0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 14:43
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=21c7
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 14:52
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=018a0680 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01862fc0 FS=3df7
EDX=00003233 ES=0167 EDI=01862100 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 16:30
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=3df7
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 17:03
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01887450 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01846480 FS=4fff
EDX=00003233 ES=0167 EDI=018464c0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 17:29
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=4fff
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 17:30
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=0186d450 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=0188fbc0 FS=4c4f
EDX=00003233 ES=0167 EDI=0188fc00 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 17:30
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=4c4f
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/17/2005 Time 00:16
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16cf EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=7317 ESP=0000b520 EBP=000024eb
ECX=00000000 DS=1697 ESI=00000000 FS=6577
EDX=024a0000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/17/2005 Time 00:23
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:00000003.
Registers:
EAX=01863b10 CS=015f EIP=00000003 EFLGS=00010213
EBX=00000001 SS=0167 ESP=03b9fac8 EBP=00000000
ECX=c8eab903 DS=0167 ESI=0193bab0 FS=50af
EDX=819abf2c ES=0167 EDI=0193baf0 GS=0000
Bytes at CS:EIP:
00 65 04 70 00 16 00 15 07 65 04 70 00 65 04 70 
Stack dump:
00001d30 00000124 821a1360 bff7a391 8218f000 821a1484 00001d30 00000000 8218f00c 8218f000 821a1360 00000040 00000000 8190e280 8218f00c c1797000 
**********************************************************************
Date 07/17/2005 Time 00:23
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff76732.
Registers:
EAX=03b9eb38 CS=015f EIP=bff76732 EFLGS=00010246
EBX=03b9f918 SS=0167 ESP=03aa0000 EBP=03aa00e0
ECX=03aa00f8 DS=0167 ESI=819abf24 FS=50af
EDX=03aa0154 ES=0167 EDI=03aa0010 GS=0000
Bytes at CS:EIP:
e8 74 ff ff ff 83 c4 0c 8f 87 9c 00 00 00 57 ff 
Stack dump:
03aa0010 03aa00e0 00000004 03aa0248 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/17/2005 Time 07:21
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01aa8830 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01ac1770 FS=2217
EDX=00003233 ES=0167 EDI=01ae5750 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/17/2005 Time 07:21
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=2217
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/17/2005 Time 07:47
MSIMN caused an invalid page fault in
module MSHTML.DLL at 015f:637687e7.
Registers:
EAX=023b9640 CS=015f EIP=637687e7 EFLGS=00010246
EBX=0000000a SS=0167 ESP=00570a58 EBP=0056fa58
ECX=0056fa74 DS=0167 ESI=023c2600 FS=3c4f
EDX=00018ce4 ES=0167 EDI=023c2b70 GS=0000
Bytes at CS:EIP:
5d c2 14 00 8b 44 24 04 53 56 8b f1 8b 4e 1c 57 
Stack dump:

Closed extra programs in startup list Here is new hijack list

**********************************************************************
Date 07/15/2005 Time 21:14
IEXPLORE caused an invalid page fault in
module URLMON.DLL at 015f:1a40e6c1.
Registers:
EAX=004d7fc4 CS=015f EIP=1a40e6c1 EFLGS=00010202
EBX=00000000 SS=0167 ESP=0401f974 EBP=0401f990
ECX=635c80ec DS=0167 ESI=004dcedc FS=7b17
EDX=8197d0d8 ES=0167 EDI=004dce48 GS=0000
Bytes at CS:EIP:
ff 51 08 83 26 00 81 c7 3c 01 00 00 57 e8 01 4b 
Stack dump:
004d7fc4 004dce48 00000000 1a40e54a 00000000 00cc001c 0049d30c 0401facc 630210d0 00cc001c 004dce48 00000046 0401f9b8 00000004 0049d30c 02812bb0 
**********************************************************************
Date 07/15/2005 Time 23:55
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:0064f9a1.
Registers:
EAX=01b5c4b0 CS=015f EIP=0064f9a1 EFLGS=00010206
EBX=00000003 SS=0167 ESP=0064f998 EBP=00000000
ECX=0064e898 DS=0167 ESI=01bfe860 FS=4eb7
EDX=81981ee8 ES=0167 EDI=01bfe8a0 GS=0000
Bytes at CS:EIP:
3a 5c 57 49 4e 44 4f 57 53 5c 46 61 76 6f 72 69 
Stack dump:
00000104 00000000 575c3a43 4f444e49 465c5357 726f7661 73657469 0064f900 8190c050 819867f0 c15fb5c0 0064f9e8 bff7a0fe bff7b317 bff713e2 0000015f 
**********************************************************************
Date 07/16/2005 Time 00:02
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff766b9.
Registers:
EAX=00550020 CS=015f EIP=bff766b9 EFLGS=00010246
EBX=0064f7e8 SS=0167 ESP=00550000 EBP=00550008
ECX=00550108 DS=0167 ESI=81981ee0 FS=4eb7
EDX=00550164 ES=0167 EDI=00550020 GS=0000
Bytes at CS:EIP:
6a 00 68 14 00 2a 00 e8 0f ad ff ff 8b 55 08 8f 
Stack dump:
00550020 0064e908 005500f0 bff76737 00550020 005500f0 00000004 00550258 ffffffff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/16/2005 Time 00:07
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:0064f9a1.
Registers:
EAX=01b43360 CS=015f EIP=0064f9a1 EFLGS=00010206
EBX=00000003 SS=0167 ESP=0064f998 EBP=00000000
ECX=0064e898 DS=0167 ESI=01b62bd0 FS=3c8f
EDX=8198c38c ES=0167 EDI=01b62c10 GS=0000
Bytes at CS:EIP:
3a 5c 57 49 4e 44 4f 57 53 5c 46 61 76 6f 72 69 
Stack dump:
00000104 00000000 575c3a43 4f444e49 465c5357 726f7661 73657469 0064f900 8190c050 81990108 c160d480 0064f9e8 bff7a0fe bff7b317 bff713e2 0000015f 
**********************************************************************
Date 07/16/2005 Time 00:07
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff766b9.
Registers:
EAX=00550020 CS=015f EIP=bff766b9 EFLGS=00010246
EBX=0064f7e8 SS=0167 ESP=00550000 EBP=00550008
ECX=00550108 DS=0167 ESI=8198c384 FS=3c8f
EDX=00550164 ES=0167 EDI=00550020 GS=0000
Bytes at CS:EIP:
6a 00 68 14 00 2a 00 e8 0f ad ff ff 8b 55 08 8f 
Stack dump:
00550020 0064e908 005500f0 bff76737 00550020 005500f0 00000004 00550258 ffffffff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/16/2005 Time 14:18
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=018dd840 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01879760 FS=3b7f
EDX=00003233 ES=0167 EDI=01846bd0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 14:18
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=3b7f
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 14:32
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01882510 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01892380 FS=21c7
EDX=00003233 ES=0167 EDI=0183bbb0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 14:43
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=21c7
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 14:52
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=018a0680 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01862fc0 FS=3df7
EDX=00003233 ES=0167 EDI=01862100 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 16:30
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=3df7
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 17:03
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01887450 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01846480 FS=4fff
EDX=00003233 ES=0167 EDI=018464c0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 17:29
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=4fff
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/16/2005 Time 17:30
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=0186d450 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=0188fbc0 FS=4c4f
EDX=00003233 ES=0167 EDI=0188fc00 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/16/2005 Time 17:30
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=4c4f
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/17/2005 Time 00:16
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16cf EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=7317 ESP=0000b520 EBP=000024eb
ECX=00000000 DS=1697 ESI=00000000 FS=6577
EDX=024a0000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/17/2005 Time 00:23
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:00000003.
Registers:
EAX=01863b10 CS=015f EIP=00000003 EFLGS=00010213
EBX=00000001 SS=0167 ESP=03b9fac8 EBP=00000000
ECX=c8eab903 DS=0167 ESI=0193bab0 FS=50af
EDX=819abf2c ES=0167 EDI=0193baf0 GS=0000
Bytes at CS:EIP:
00 65 04 70 00 16 00 15 07 65 04 70 00 65 04 70 
Stack dump:
00001d30 00000124 821a1360 bff7a391 8218f000 821a1484 00001d30 00000000 8218f00c 8218f000 821a1360 00000040 00000000 8190e280 8218f00c c1797000 
**********************************************************************
Date 07/17/2005 Time 00:23
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff76732.
Registers:
EAX=03b9eb38 CS=015f EIP=bff76732 EFLGS=00010246
EBX=03b9f918 SS=0167 ESP=03aa0000 EBP=03aa00e0
ECX=03aa00f8 DS=0167 ESI=819abf24 FS=50af
EDX=03aa0154 ES=0167 EDI=03aa0010 GS=0000
Bytes at CS:EIP:
e8 74 ff ff ff 83 c4 0c 8f 87 9c 00 00 00 57 ff 
Stack dump:
03aa0010 03aa00e0 00000004 03aa0248 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/17/2005 Time 07:21
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=01aa8830 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000001 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=01ac1770 FS=2217
EDX=00003233 ES=0167 EDI=01ae5750 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/17/2005 Time 07:21
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=2217
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/17/2005 Time 07:47
MSIMN caused an invalid page fault in
module MSHTML.DLL at 015f:637687e7.
Registers:
EAX=023b9640 CS=015f EIP=637687e7 EFLGS=00010246
EBX=0000000a SS=0167 ESP=00570a58 EBP=0056fa58
ECX=0056fa74 DS=0167 ESI=023c2600 FS=3c4f
EDX=00018ce4 ES=0167 EDI=023c2b70 GS=0000
Bytes at CS:EIP:
5d c2 14 00 8b 44 24 04 53 56 8b f1 8b 4e 1c 57 
Stack dump:


----------



## chief1966 (Feb 17, 2004)

Logfile of HijackThis v1.99.1
Scan saved at 4:21:02 PM, on 7/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\123 FREE SOLITAIRE\123FREESOLITAIRE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SCanRegistry] "C:\WINDOWS\scamregw/exe/autorun"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

I unchecked extra programs on start up list. Did the new registry string value. Oh yes the faults only seem to happen on line, but I dont do a lot of work off line so not sure of that.


----------



## chief1966 (Feb 17, 2004)

here's another

Logfile of HijackThis v1.99.1
Scan saved at 4:21:02 PM, on 7/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\123 FREE SOLITAIRE\123FREESOLITAIRE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SCanRegistry] "C:\WINDOWS\scamregw/exe/autorun"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------



## Rollin' Rog (Dec 9, 2000)

Ok, well we got scanregistry, and the scanlog is "clean".

Now comes the problem of figuring out where these "user32.dll" and other errors are coming from. The "BFF" portion of the error address tends to point me towards video driver issues. Are these errors more likely to occur when scrolling pages or doing a page load or close?

There are a couple of ways we can test this without actually removing and reinstalling or updating drivers. I have ATI on my Win98 system and had similar issues with the original driver install. It was particularly vulnerable to corruption when screen savers were enabled. I've updated them a couple of times from the original "Rage Pro 2" install.

Anyway to test you can:

right click on My Computer and select Properties > Performance > Graphics and move the accelerator slider to "NONE". You will see a substantial performance loss in scrolling and page loading at this level, but if you go with out errors you can begin bumping it up a notch. You will still have normal color depth and screen resolution (by the way your color depth should not be greater than 16 bit "high" color)

A second way is to run *msconfig* and select the "Advanced" tab and load standard VGA 640 drivers there. In this option you will look like you are in Safe Mode.

Some other "to-dos": go to Internet Options and delete your Temporary Internet Cache, History, and offline content.


----------



## JSntgRvr (Jul 1, 2003)

You did well, except there is a typo in the command sintax.

This is how appears in the HJT log:

O4 - HKLM\..\Run: [SCanRegistry] "*C:\WINDOWS\scamregw/exe/autorun*"

The command should read as follows:

*"C:\WINDOWS\scanregw.exe /autorun"*

That is,

"C:\Windows\scanregw.exe[Space]/Autorun"

Go back to the Registry key, right click on ScanRegistry and select modify. Fix the command sintax and click Ok, restart the computer.

Have HJT fix the following line:

O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)

I hope you're not getting confused having two persons replying on your requests. All replies are complimentary from each other.


----------



## chief1966 (Feb 17, 2004)

Rog I do not run any screensaver. I have set my graphics slider to none. And I have my color set at 16 bit high color.

JS I dont mind having 2 people answering me if that gets the job done, changed the registry entry and new hijack log below.

Logfile of HijackThis v1.99.1
Scan saved at 10:38:52 PM, on 7/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SCanRegistry] "C:\Windows\scanregw.exe /Autorun"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------



## Rollin' Rog (Dec 9, 2000)

Sorry, I should have caught those typos -- good thing JS' gave it a closer look.

Did you just reduce the graphics acceleration, or has it been set there and you were getting errors anyway?


----------



## chief1966 (Feb 17, 2004)

I did reset the graphics and am still getting the faults. Seems to only happen on the internet and when I have multiple windows open. Here is new hi jack log.

Logfile of HijackThis v1.99.1
Scan saved at 7:19:28 AM, on 7/18/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\123 FREE SOLITAIRE\123FREESOLITAIRE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - c:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - c:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - c:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - c:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SCanRegistry] "C:\Windows\scanregw.exe /Autorun"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: ATI Scheduler.lnk = C:\ATI\atidesk\ATISCHED.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: lass414 - https://onlinegames.lasseters.com.au/classes/lass414.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

am having trouble pasting fault log after I have pasted hijack log. Doesnt seem to work? I keep going to the hi jack log.


----------



## Rollin' Rog (Dec 9, 2000)

With respect to the faultlog, you can rename the old one so that just new entries are present in the new one; if you have trouble with a copy/paste just upload it as an attachment.

Let's try doing some "cleaner" booting. Run *msconfig* and under the startup tab leave just scanregistry and systray checked. This will disable AVG antivirus so use discretion in your surfing and downloading.

Also go to Internet Options and select the "Advanced" tab. Take the check out of "enable 3rd party browser extensions" (requires restart). This will disable Earthlink's BHOs. You will probably get pop-ups, since they will not be blocked.

We may also want to test with an alternate browser such as Firefox or Opera.


----------



## chief1966 (Feb 17, 2004)

Rog
Went in to startup and unchecked everything but the 2 you said. In internet tools that third party cookies as not checked. Will shut down now to apply changes.


----------



## Rollin' Rog (Dec 9, 2000)

Nothing to do with cookies ... you should be looking under the Advanced tab for 3rd party BROWSER Extensions.

With this unchecked none of your Earthlink (or Spybot) add-ons should be functional.


----------



## chief1966 (Feb 17, 2004)

Sorry Third party browser extensions is not checked. I mis stated it in my reply.


----------



## Rollin' Rog (Dec 9, 2000)

Since your popup blocker should have been disabled with that 3rd party browser extensions disabled, were you getting popups?

You might as well re-check it if these were not implicated in the issue.

If errors continue, it may be time to try Firefox or Opera and see if they are isolated to the use of Internet Explorer.


----------



## chief1966 (Feb 17, 2004)

Dont seem to be getting many popups, just a couple but I didnt have any page faults last night. Only surfed about 1 hour.


----------



## Rollin' Rog (Dec 9, 2000)

Great, try to surf under the conditions that would normally create them -- as long as you are not taking any "infection" risks. When it seems clearly stable, go back to msconfig and enable the AVG entries and see how it goes.


----------



## chief1966 (Feb 17, 2004)

Will do


----------



## chief1966 (Feb 17, 2004)

I cannot find any rhyme or reason to these page faults, I closed evrything in startup, then added AVG and seemed ok, added 2 items task monitor and win patrol started getting page faults, so took them back out, and got faults with just AVG. Have now taken everything out again and will start over I cant find the fault log, where do I look?


----------



## Rollin' Rog (Dec 9, 2000)

Leave Task Monitor unchecked, that could be an issue. In fact find c:\windows\applog and delete it as well.

Task Monitor monitors disk access for optimizing defrag. Corruption in the applog file can cause errors, but these usually occur when closing programs or windows

c:\windows\faultlog.txt

should be the location for the faultlog.

Also I don't remember whether we've tried this: Start > shutdown > restart in MS-DOS mode. At the prompt enter:

*scanreg /fix*


----------



## chief1966 (Feb 17, 2004)

OK the only thing checked is systray and scanregister. I deleted applog and will see where this leads me . Here is fault log.

**********************************************************************
Date 07/17/2005 Time 16:37
IEXPLORE caused an invalid page fault in
module USER32.DLL at 015f:bff50003.
Registers:
EAX=0163a1a0 CS=015f EIP=bff50003 EFLGS=00010216
EBX=00000002 SS=0167 ESP=0064f89c EBP=0064fa9f
ECX=0064e898 DS=0167 ESI=016522e0 FS=479f
EDX=00003233 ES=0167 EDI=015eb4b0 GS=0000
Bytes at CS:EIP:
00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 
Stack dump:
ffffffff 7150e14c 0064f8fa 71502014 00000000 71500000 003a0043 0050005c 004f0052 00520047 004d0041 00460020 004c0049 00530045 0049005c 0054004e 
**********************************************************************
Date 07/17/2005 Time 16:37
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d5c2.
Registers:
EAX=00550028 CS=015f EIP=bff9d5c2 EFLGS=00010206
EBX=0064f6ec SS=0167 ESP=0054ff0c EBP=0055002c
ECX=0054ffd8 DS=0167 ESI=00550134 FS=479f
EDX=0055004c ES=0167 EDI=0055004c GS=0000
Bytes at CS:EIP:
50 51 ff 75 08 8d 85 e0 fe ff ff 50 ff 75 0c e8 
Stack dump:

**********************************************************************
Date 07/17/2005 Time 23:47
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=129f ESP=0000b520 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=3447
EDX=03f70000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/19/2005 Time 21:53
IEXPLORE caused an invalid page fault in
module URLMON.DLL at 015f:1a40e6c1.
Registers:
EAX=021f9d18 CS=015f EIP=1a40e6c1 EFLGS=00010206
EBX=00000000 SS=0167 ESP=04e5f974 EBP=04e5f990
ECX=635c80ec DS=0167 ESI=01fbbc70 FS=5ce7
EDX=8198d698 ES=0167 EDI=01fbbbdc GS=0000
Bytes at CS:EIP:
ff 51 08 83 26 00 81 c7 3c 01 00 00 57 e8 01 4b 
Stack dump:
021f9d18 01fbbbdc 00000000 1a40e54a 00000000 00cc0024 004801e4 04e5facc 630210d0 00cc0024 01fbbbdc 00000046 04e5f9b8 00000004 004801e4 004d4e38 
**********************************************************************
Date 07/20/2005 Time 08:54
MSIMN caused an invalid page fault in
module MSHTML.DLL at 015f:637687e7.
Registers:
EAX=021d28a0 CS=015f EIP=637687e7 EFLGS=00010246
EBX=00000001 SS=0167 ESP=00570a58 EBP=0056fa58
ECX=0056fa74 DS=0167 ESI=021d73e0 FS=350f
EDX=00018ce4 ES=0167 EDI=021d7420 GS=0000
Bytes at CS:EIP:
5d c2 14 00 8b 44 24 04 53 56 8b f1 8b 4e 1c 57 
Stack dump:

**********************************************************************
Date 07/20/2005 Time 12:19
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=5757 ESP=0000b520 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=357f
EDX=03640000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/20/2005 Time 12:30
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:00000003.
Registers:
EAX=0170fa90 CS=015f EIP=00000003 EFLGS=000102d2
EBX=00000001 SS=0167 ESP=035cfac8 EBP=00000000
ECX=c8ea5c03 DS=0167 ESI=0175f690 FS=6527
EDX=8199e05c ES=0167 EDI=0175f6d0 GS=0000
Bytes at CS:EIP:
00 65 04 70 00 16 00 15 07 65 04 70 00 65 04 70 
Stack dump:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/20/2005 Time 12:30
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff76732.
Registers:
EAX=035ceb38 CS=015f EIP=bff76732 EFLGS=00010246
EBX=035cf918 SS=0167 ESP=034d0000 EBP=034d00e0
ECX=034d00f8 DS=0167 ESI=8199e054 FS=6527
EDX=034d0154 ES=0167 EDI=034d0010 GS=0000
Bytes at CS:EIP:
e8 74 ff ff ff 83 c4 0c 8f 87 9c 00 00 00 57 ff 
Stack dump:
034d0010 034d00e0 00000004 034d0248 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/20/2005 Time 12:41
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=4cef ESP=0000b520 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=5ca7
EDX=03870000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/20/2005 Time 12:46
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=6fb7 ESP=00008cd8 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=222f
EDX=038c0000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/21/2005 Time 07:32
IEXPLORE caused an invalid page fault in
module <unknown> at 0000:0064f9a1.
Registers:
EAX=01517240 CS=015f EIP=0064f9a1 EFLGS=00010202
EBX=00000002 SS=0167 ESP=0064f998 EBP=00000000
ECX=0064e898 DS=0167 ESI=01564210 FS=5277
EDX=00018ce4 ES=0167 EDI=01564250 GS=0000
Bytes at CS:EIP:
3a 5c 57 49 4e 44 4f 57 53 5c 46 61 76 6f 72 69 
Stack dump:
00000104 00000000 575c3a43 4f444e49 465c5357 726f7661 73657469 0064f900 8190c050 81964d00 d5b58b40 0064f9e8 bff7a0fe bff7b317 bff713e2 0000015f 
**********************************************************************
Date 07/21/2005 Time 07:32
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff766b9.
Registers:
EAX=00550020 CS=015f EIP=bff766b9 EFLGS=00010246
EBX=0064f7e8 SS=0167 ESP=00550000 EBP=00550008
ECX=00550108 DS=0167 ESI=81976720 FS=5277
EDX=00550164 ES=0167 EDI=00550020 GS=0000
Bytes at CS:EIP:
6a 00 68 14 00 2a 00 e8 0f ad ff ff 8b 55 08 8f 
Stack dump:
00550020 0064e908 005500f0 bff76737 00550020 005500f0 00000004 00550258 ffffffff 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
**********************************************************************
Date 07/21/2005 Time 10:37
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=55bf ESP=00009890 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=32b7
EDX=03600000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/21/2005 Time 10:38
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=533f ESP=0000a388 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=237f
EDX=03880000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090 
**********************************************************************
Date 07/21/2005 Time 10:42
IEXPLORE caused a general protection fault
in module USER.EXE at 001b:00000a08.
Registers:
EAX=00000000 CS=16df EIP=00000a08 EFLGS=00000246
EBX=013f00f6 SS=32a7 ESP=0000b520 EBP=000024eb
ECX=00000000 DS=16a7 ESI=00000000 FS=2a5f
EDX=03c30000 ES=0000 EDI=00000000 GS=0000
Bytes at CS:EIP:
c2 0a 00 90 c8 0a 00 00 56 ff 76 10 6a 00 6a 00 
Stack dump:
82779090 24eb0040 82779090 14eb0040 82779090 14eb0040 82779090 82770040 90900040 90909090 90909090 90909090 90909090 90909090 90909090 90909090

As you can see it is not always the same page fault. It sure is a pain.


----------



## Rollin' Rog (Dec 9, 2000)

Would you install Mozilla Firefox, browse with it instead of Internet Explorer, and see if you get any errors:

http://www.mozilla.org/products/firefox/

Also go to start > run and enter:

drwatson

an icon should appear in your system tray. Left click on that and select Dr Watson. It should generate a system snapshot.

Let me know if it says "Dr watson found nothing unusual", or if it reports a problem.

Dr Watson will generate its own error logs as long as you leave it in the tray, but I'd rather have you select "exit" after the snapshot, at least for now.


----------



## chief1966 (Feb 17, 2004)

I dont think that I have Dr. Watson on this compter. I am not getting an icon on the systray. Also I have a 4gb hard drive with a little less than half used now. How will that work with firefox? I have looked for Dr. Watson before and could never find it. Is it something I can download. I am going to have to leave for a while but will be back about 9-10.


----------



## Rollin' Rog (Dec 9, 2000)

Both firefox and opera are under 5mb downloads. You do need adequate memory to run them though -- 128 mb should be enough.

Is system tray enabled in msconfig? If not enable it and reboot and try again.

Drwatson is a standard part of the Win98 installation; it should be found as drwatson.exe in c:\windows

If it's not there and you have c:\windows\options\cabs

run *sfc* and extract it from there to c:\windows


----------



## JSntgRvr (Jul 1, 2003)

I would suggest to reinstall IExplorer:

Start the Registry Editor (Start->Run, type Regedit and click Ok).

Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {89820200-ECBD-11cf-8B85-00AA005B4383}

Highlight the key {89820200-ECBD-11cf-8B85-00AA005B4383} by clicking on it. On the right pane look for the IsInstalled value. Right click on it, and then click Modify. Change the value data, from 1 to 0 and click Ok.

Use the same process and change the IsInstalled value from the following registry key:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Active Setup \ Installed Components \ {44BBA840-CC51-11CF-AAFA-00AA00B6015C} from 1 to 0.

Go online and download the latest version of Internet Explorer for your OS:

http://www.microsoft.com/downloads/...cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en


----------



## chief1966 (Feb 17, 2004)

Dr. Watson would not run, but under find files I found it but the exe file would not open. I went to sfc and extracted it from cab files and I now find 2 exe files, but neither one will open. What do I do about that.


----------



## Rollin' Rog (Dec 9, 2000)

Is systray enabled in your startups? When you run it, it should produce an icon there, that is the practical interface to it.


----------



## chief1966 (Feb 17, 2004)

Systray is enabled, but drwatson exe will not open and it will not run. I did the scanreg /fix. Maybe I will just see if any of that fixes it before I do too much more?


----------



## Rollin' Rog (Dec 9, 2000)

Scanreg /fix is a longshot -- but if you are currently stable it might be worth waiting to see.

I still STRONGLY recommend you familiarize yourself with another browser. Both for troubleshooting, security and ultimately convenience.

Reinstalling Internet Explorer was one of the first suggestions I made (removing it first through Add/Remove Programs). I realize however that this can be a multi-hour process on dialup connections, so I don't press to hard if people would rather spend those hours troubleshooting.

In this case it's not absolutely clear that a reinstall will solve the problem. BUT if these errors do not occur on another browser, we know for sure they are somehow related to Internet Explorer's many modules, most of which are there for the purposes of developers, not your immediate convenience.


Compare the file download for IE to Firefox or Opera -- it is 15x greater !

At this point I would not do anything with Internet Explorer before having an alternate browser in place and testing it.

>> I don't know what is going on with DrWatson -- is it showing up in the Task Manager?

You could try opening it in DEPENDS, which you downloaded previously. The Depends interface also has an option called the PROFILER, which, for executables like DrWatson, actually runs the file and gives further details on load failures. You can try that as well. Just hit the Profile tab and then 'start'.

I could compare your log with mine -- but keep in mind this is kind of a side road.

By the way, while the System File Checker can be used to replace most files in Windows 98 First Edition, USER.EXE is NOT one of them. So just a heads up here, don't try to do it as it will likely result in a non booting system.

If it comes down to it we can usual manual extraction methods to replace it. But I'm hoping it won't, becuase this is a tricky affair that requires getting it from the right cab file and possibly doing the replacement in DOS.


----------



## chief1966 (Feb 17, 2004)

I was looking for drwatson, I couldnt find taskmaster to see if it was theree but under system information it shows spyware blasterthat is damaaged. Do you think I should uninstall it? Where do I find taskmaster?


----------



## chief1966 (Feb 17, 2004)

sorry taskmanager


----------



## Rollin' Rog (Dec 9, 2000)

Sorry I tend to use Task Manager as a term when I should be saying "close programs" window in Win9x. What I mean is just ctrl-alt-del and see if it is in the running processes list.

I didn't know that the system information utility (msinfo32), if that's what you are referring to can spot a damaged program?

Where are you seeing this? Possibly it is the Active X part (present in the Downloaded Programs Folder) that is "damaged".

There should be "no harm" in uninstallng something like that. Be sure to reboot afterwards.


----------



## chief1966 (Feb 17, 2004)

I am hoping to send you a pic of the msinfo utility showing a file damaged in spyware blasterUpdate Class	Installed	5,3,3790,13	http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.8097685185
SBFullS Control	Damaged	1,0,0,8	http://www.spyblast.com/download/SBFS.cab
RdxIE Class	Installed	6,0,0,10	http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
ActiveScan Installer Class	Installed	57,6,0,0	http://www.pandasoftware.com/activescan/as5/asinst.cab
Yahoo! Gin	Installed	0,0,0,1799	http://download.games.yahoo.com/games/clients/y/nt1_x.cab
{32564D57-0000-0010-8000-00AA00389B71}	Not Available	0,0,0,1	http://codecs.microsoft.com/codecs/i386/wmv8ax.cab
Shockwave Flash Object	Installed	7,0,19,0	http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Yahoo! Euchre	Installed	0,0,0,1799	http://download.games.yahoo.com/games/clients/y/et1_x.cab
lass414	Installed	4,1,4,562	https://onlinegames.lasseters.com.au/classes/lass414.cab
{33564D57-9980-0010-8000-00AA00389B71}	Not Available	0,0,0,1	http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
Shockwave ActiveX Control	Installed	8,5,1,102	http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
{33564D57-0000-0010-8000-00AA00389B71}	Not Available	0,0,0,1	http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

The second item is what I am referring to. It is just a file I see but it says from spywareblaster. It is under software, IE, cache, List of objects.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, these are all Active X objects present in the Downloaded Programs folder.

You can view these directly by going to Internet Options > Temporary Internet Files > Settings > View Objects.

You can remove them from there; they are typically only in use when you go to a Web page that wants to access them, so I doubt they are involved in your problem.

If you remove one and go to a site that needs to use it, you will be prompted to reinstall it through an automatic download. Never accept these prompts unless they come from sites you trust.


----------



## chief1966 (Feb 17, 2004)

I surfed several hours now with only systray and scanregistry checked in start up list and I did not get any page fault errors. I will add AVG virus program and see what happens next. I did run regedit /fix yesterday. I still cant get Drwatson to open and I am not sure what you mean by opening it in Depends. Can you tell me about that again.


----------



## Rollin' Rog (Dec 9, 2000)

I got my threads mixed up. I've never had you download or use "Depends". It's a rather geeky program that can be used to check file dependencies and load errors. I don't know how much time you want to give to it, but if you'd like to have a gander you can get it here:

http://dependencywalker.com/

One method I use is simply to run depends.exe, use the File Open menu to "open" the application in question, and if it is an executable, use the "profile" tab to profile it. Just select the tab and start the profiler by clicking "ok". The dependency log can be saved as a text file (you must specify this in the File > Save AS TYPE box). But don't try to copy/paste it, it will be too long. You should be able to upload it as an attachment though.


----------



## chief1966 (Feb 17, 2004)

Rollin' Rog said:


> I got my threads mixed up. I've never had you download or use "Depends". It's a rather geeky program that can be used to check file dependencies and load errors. I don't know how much time you want to give to it, but if you'd like to have a gander you can get it here:
> 
> http://dependencywalker.com/
> 
> One method I use is simply to run depends.exe, use the File Open menu to "open" the application in question, and if it is an executable, use the "profile" tab to profile it. Just select the tab and start the profiler by clicking "ok". The dependency log can be saved as a text file (you must specify this in the File > Save AS TYPE box). But don't try to copy/paste it, it will be too long. You should be able to upload it as an attachment though.


----------



## chief1966 (Feb 17, 2004)

I did not get any page fault errors after adding avg virus back in with systray and scan register. I will add things that I want on start up back 1 item at a time and see if I can determine which one is causing page faults. If you have other ideas, please let me know. Thanks


----------



## Rollin' Rog (Dec 9, 2000)

Okeydoke; I never know what scanreg /fix will really fix, so maybe there was some registry structure problem at the root of it.

If you want to give this a run, you can:

Try this drill for doing a DOS level cleanup of your cache. It's more thorough than Windows.

Click Start>Shutdown>Restart in MS-DOS mode.

At the c:\windows\> prompt enter each bold line:

*smartdrv
deltree tempor~1
deltree temp
deltree history
del win386.swp
deltree locals~1\tempor~1
exit*

(you may get an error message on this last one (locals~1), just skip to "exit" if you do, it just means you don't have that directory)

Enter smartdrv first or the process will take a very long time. For each deltree, confirm by entering 'y' if the target directory is correct.


----------



## chief1966 (Feb 17, 2004)

I tried your dos cleanup drill. The only command after the smartdrv showed that prodess that got any action was the deltree temp. It showed that it would delete things. After the others there was no action just proceded to another prompt. What does that indicate?


----------



## Rollin' Rog (Dec 9, 2000)

For any "deltree" command, if there are subfolders, it should be followed by a prompt to confirm. Once you select 'y' and hit enter, if there is little to delete it may complete and return you to the prompt with no further ado. 

If there are extensive numbers of files to delete, then the process may take longer with the cursor or '-' blinking for awhile before it finishes. The purpose of the smartdrv command at the beginning is to speed this process up.

the "del win386.swp" command is not a deltree because this is a single file, the so called 'swap file' -- corruption here can cause oddball errors so I opted to include it in the list as well.


----------



## chief1966 (Feb 17, 2004)

Evidently there were no folders on most of them because they went back to the prompt real quick. I notice that there are several items in the start up list that I cannot identify, when I put them into the find folders they do not show up. Can I delete them out of the start up list?


----------



## Rollin' Rog (Dec 9, 2000)

Which items are you referring to? They should be in one of the previous Scanlogs.


----------



## chief1966 (Feb 17, 2004)

such items as sotc, clrschloader, bargains, absr, ebatesmoemoneymaker I cant locate these files on a search and wondered what they are and how do i get them out of the start up list? Oh by the way no page faults again last nite or this morning.


----------



## Rollin' Rog (Dec 9, 2000)

????

That's all malware. Where are you seeeing it? None of it was posted in prevevious scanlogs. Are you saying these were present in msconfig > startups, unchecked, all this time?

If you were to reenable them and reboot HijackThis could be used to "fix" them.

Otherwise you can look for them directly in the registry (run *regedit*):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

>>> In Win9x and WinME you can find the DISABLED items in the keys with - (minus) after them.For example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run-

You can right click on these in the right pane and select "delete"


----------



## chief1966 (Feb 17, 2004)

Yes they were unchecked in the start up list. I did use regedit and deleted some. Not sure which other ones would be bad or are ok. Here is what is left there after I deleted some, Clock Sync, sotc (couldnt find that one in the registry), pop up stopper free edition, spy sweeper,
E6taskpanel, system tray, scan registry, 3 entrys for AVG, Win Patrol, zSPGuard, IST Service, update stats,
TkBellExe, Autoloaderaproposclient, openwareliveupdate,
Autoupdater, PCDRealtime, POINTER, KBD Media Center, load power profile, ATI key, Critical update, AtiCwd32, 
zSPGuard, Task Monitor, Scheduling agent, KB891711, Load Power Profile, ATI scheduler, Encoder agent, Load=OPLimit\Ocraware , load= PTSnoop.exe The only items that i have checked right now are systray, scan registry, 3 avg, Win Patrol and scheduling agent(mstask.exe)


----------



## chief1966 (Feb 17, 2004)

I have also noticed that I keep getting a message from Windows Update to Download a Cumulative security update for Outlook Express 6, service pack 1 KB837009 I have downloaded it probably 6 times but then in a few days I get a notice to download it again. It does not show up in add/remove programs in the control panel. Got any ideas about this?


----------



## Rollin' Rog (Dec 9, 2000)

In addition to general Google searches for obscure items, I use these sites frequently:

http://www.sysinfo.org/startuplist.php?type=&filter=&count=100&offset=0
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://computercops.biz/modules.php?name=StartupList

I haven't looked them all up, but these stand out based on experience:

IST Service, update stats, Autoloaderaproposclient, openwareliveupdate,Autoupdater, PCDRealtime

Have you ever installed, updated and ran a full drive Ad-aware SE scan?

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

As for that particular update, I've seen other people post repeatedly with that same problem regarding it. I don't really know what the resolution is.

See if the suggestion offered here helps:

http://www.mcse.ms/message1689382.html

If you download the update manually, be sure to save it to the hard drive, run the setup offline and reboot.


----------



## chief1966 (Feb 17, 2004)

I assume that the ones you listed that stand out in your memory are bad ones and should be deleted. Is this right? 
I do use ADaware SE Personal but I usually do a selective scan as I saw suggested in a post one time. I did look at the site you suggested on that update and I could not find the two registry keys that are talked about there. I think I was in the right place and there were none with those numbers. I will try to do it with out anything else open and see if it works. I tried it earlier today and they said it was unsuccessful. Looked again and I do not have any add ons. Will look for that and see if I can find it..


----------



## Rollin' Rog (Dec 9, 2000)

Yes I would get those out of the registry. While OpenWare is not "malware" per se, you probably didn't install it and I assume it came bundled with something else. I don't like to see these things running because you can't predict what they are going to try to update or install.

If you get an error or "unsuccessful" message when trying to update, copy it exactly. There may be some specific troubleshooting procedures for it. If you haven't tried it from the hard drive, do that; you should even be able to try the install in Safe Mode I believe.

I can't verify any specific entries in the active setup/installed folder -- as I really haven't done any recent updates other than Internet Explorer itself for Win98 -- 

Most critical updates are really only "critical" for folks who are taking chances they shouldn't be to begin with .... or who don't have exclusive control over who uses their computer.


----------



## chief1966 (Feb 17, 2004)

I downloaded that add on to adaware and ran it and a full scan and didnt find anything. I tried to delete those other start up items in the registry but most of them dont show up in the registry under microsoft\windows\run I deleted what I could. Otherwise things seem to be running well and I have not had any page faults.


----------



## Rollin' Rog (Dec 9, 2000)

Remember you are lookiing for them in the Run - (minus) keys in both the HKLM and HKCU keys. Some may also be under "run services" or be in the Program Menu's "disabled startups" folder.

If you can't find them, just enable them in msconfig, reboot and check and fix them in the scanlog. Assuming all the actual files are off the system, about all that should occur is you may get some startup file missing errors.

Sounds good about the lack of page faults, keep the fingers crossed


----------



## chief1966 (Feb 17, 2004)

I have deleted most of the start up items. I have a few I am not sure about and will look them up. I did receive several page faults last nite and went back and disabled the last item that I had checked(Win Patrol) will see what happens. May uninstall it and redownload it.


----------



## chief1966 (Feb 17, 2004)

No page faults last nite with out winpatrol. Downloaded later version, will try that today.


----------



## chief1966 (Feb 17, 2004)

Things seemed fine, but last nite I got several page faults again, only scanregistry, systray, avg, win patrol, and mstask are checked. Trying to send fault log but it will not paste in. My memory is so bad I cant remember how to paste it. It is ina zip file and cant seem to get the fault log open. Will be out today.


----------



## Rollin' Rog (Dec 9, 2000)

Don't try to copy/paste if it is very long. Just take it out of the zip container and upload the text file here as an attachment. (Manage Attachments tab in the reply options)

Have you gotten any errors with "winpatrol" not in the lineup?


----------



## chief1966 (Feb 17, 2004)

I tried to upload the fault log, not sure I got it. You can tell me. I couldnt seem to find the text file. How do I get it out of the zip folder? I will uncheck win patrol again and see what happens.


----------



## Rollin' Rog (Dec 9, 2000)

What you uploaded was the original zipped registry file.

The actual fault log is located in c:\windows\faultlog.txt

All you have to do is enter that in your address bar and it should open, or you can navigate there manually.

Don't try to copy/paste the whole log to a reply. You can, however upload the text file as an attachment.


----------



## chief1966 (Feb 17, 2004)

I'll try again.


----------



## Rollin' Rog (Dec 9, 2000)

Well it's really just more of the same. Although there was a gap of a few days with no errors. 

If that was with Winpatrol out of the picture, then there is just something your install of Internet Explorer does not like about it.

Once again I would encourage you to install an alternate browser and test with that. Or completely remove and reinstall Internet Explorer. But I think you should have another browser first.

Of course if you get no errors without Winpatrol, you can just go without that.


----------



## chief1966 (Feb 17, 2004)

I guess I will uninstall win patrol and see what happens first. Will let you know.


----------



## chief1966 (Feb 17, 2004)

Yesterday 8-9-05 I received page faults at 11:10 AM and again at 11:20 both times I was on techsupportguys forum and they were user32 and kernel32 faults. Again at 10:45pm I was on Outlook express and at 11:25 viewing a blog then at 7:18 I was on OE and got mshtml page fault and on Aumhaforums got user32 and kernel32 faults. Does this info help?


----------



## Rollin' Rog (Dec 9, 2000)

Not really, these are really the same kinds of errors you were receiving before. What we would want to know is if you made any configuration changes between such times as you were running error free and when you received these.


----------



## chief1966 (Feb 17, 2004)

I really didnt make any changes. I was just not on the computer during the times when I didn't report any faults. at least lately it seems to be happening more when I am on line, but I certlainly cant see any pattern. I can post fault log again if it would help.


----------



## Rollin' Rog (Dec 9, 2000)

It seems as if all the faults are IE related -- but I can't rule out an underlying hardware problem unless you are willing to try a different browser.

However one problem could be a failure to reboot the system from day to day to restore resources.


----------



## chief1966 (Feb 17, 2004)

I do reboot every day because of my small hard drive I have to to keep it working. 
I have downloaded a different driver for my video card. w82474EN.EXE. Dont know if it has helped any as I havent had time to test it yet. Will let you know.


----------



## chief1966 (Feb 17, 2004)

My page faults seem to be down by a lot. I still get one occasionally. 
I do have another small problem that I have seen answered before but I cannot find it.
When I open a new window by clicking on a url, picture or other or when I left click an item and click to open it in a new window, the window that opens is not full screen sized. It is some smaller size. I have to click on the maximize box (upper right) to get it full sized. Can someone tell me how to have it open full sized?


----------



## Rollin' Rog (Dec 9, 2000)

That is the default behavior in Internet Explorer. 

The so called "fix" is to manually resize by dragging the window to a larger size and then, with only that window open, press either the ctrl or shift keys while closing the window using the X.

This may work for a session or two in my experience, but it does not hold up for long.


----------



## chief1966 (Feb 17, 2004)

OK Tried that resizing and close. Seems to work for now.
Thanks a lot.


----------

