# Solved: i just want to know what Appinit_DLLs is



## hanz012588 (Jan 4, 2008)

hello guys it's been a while,
as the title stated, what does appinit do???
here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:52 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\eMail ID\OEAddOn\OEdmn_3.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\eMail ID\OEAddOn\OEdmn_3.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_28.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_28.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_28.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\eMail ID\IEAddOn\IconixBHO_28.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198475954875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - 
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - (no file)
*O20 - AppInit_DLLs: *
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6176 bytes

i'll wait for some enlightenment
is this a problem???


----------



## Cookiegal (Aug 27, 2003)

It's a specific loading point in the registry and this particular entry in your HijackThis is usually indicative of a certain infection.

Download FindAWF.exe from *here* or *here* and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
*Select option 1*, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.


----------



## hanz012588 (Jan 4, 2008)

sorry for the delay of reply, i was busy doing school work
here's the report of AWF.



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 02/11/2008 
The current time is: 20:38:23.31


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


----------



## Cookiegal (Aug 27, 2003)

The good news is that this particular infection is not present. So then that entry is just an orphaned entry and should be fixed with HijackThis. There are legitimate programs that use this loading point and it's possible you removed something that left the entry orphaned.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O20 - AppInit_DLLs: *

HijackThis may throw off an error in removing that entry. If so, it's of no concern.

Are you having any specific problems? Because there are many infections that don't actually show up in a HijackThis log so if you are having issues, we need to dig deeper for the cause.


----------
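
The distinction drawn in the reply above (an empty O20 AppInit_DLLs entry is an orphan, a populated one names DLLs that have to be identified), as an added example that is not part of the original thread. The log lines are constructed; O20 reports the `AppInit_DLLs` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`.

```python
import re

# Constructed HijackThis-style lines (sample data, not the poster's log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Example Toolbar - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Example\hook.dll,second.dll
"""

# "<code> - <body>", tolerating the forum's bold markers (*...*) around a line.
LINE_RE = re.compile(r"^\*?(?P<code>[A-Z]\d{1,2}) - (?P<body>.*?)\*?\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>.*)$")


def parse_appinit(value):
    """Split an AppInit_DLLs value; Windows delimits the names by spaces or commas."""
    return [name for name in re.split(r"[ ,]+", value.strip()) if name]


def triage(log_text):
    """Return (code, verdict, details) for O20 lines and "(no file)" leftovers."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        code, body = match.group("code"), match.group("body").strip()
        appinit = APPINIT_RE.match(body)
        if code == "O20" and appinit:
            dlls = parse_appinit(appinit.group("value"))
            # Empty value: nothing is loaded, the entry is an orphan.
            # Non-empty: each DLL is loaded into every process that loads
            # user32.dll, so each one needs to be identified.
            verdict = "review-each-dll" if dlls else "orphaned-empty"
            findings.append((code, verdict, dlls))
        elif body.endswith("(no file)"):
            findings.append((code, "orphaned-no-file", [body]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG + "*O20 - AppInit_DLLs: *\n"):
        print(finding)
```
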



## hanz012588 (Jan 4, 2008)

well i got this Adware_Memwatcher when doing a trendmicro housecall scan...i don't know what that is...and sometimes a dialog box which has access violation "sometimes" appears when i restart my pc


----------



## Cookiegal (Aug 27, 2003)

The housecall detection is likely a false positive. It's common for Housecall to detect the immunizations put in the hosts file by Spybot S&D as Adware_Memwatcher.

As for the access violation messages, this can be caused by several things and is likely hardware related.

Can you get the entire exact error please?

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "application" and "system" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## hanz012588 (Jan 4, 2008)

here's one of the errors in system which appears the most

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2/13/2008
Time: 6:55:19 AM
User: N/A
Computer:	HANZDENZHAZHAN
Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

here is one from the game i and my siblings are playing (TricksterOnline)

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 2/5/2008
Time: 11:59:57 AM
User: N/A
Computer:	HANZDENZHAZHAN
Description:
Faulting application trickster.bin, version 0.8.4.71, faulting module trickster.bin, version 0.8.4.71, fault address 0x0006583d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

here's one for a faulty ad-aware2007

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 2/4/2008
Time: 6:31:04 PM
User: N/A
Computer:	HANZDENZHAZHAN
Description:
Faulting application ad-aware2007.exe, version 7.0.2.6, faulting module ad-aware2007.exe, version 7.0.2.6, fault address 0x00096756.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## hanz012588 (Jan 4, 2008)

that's the most recent of the logs i had


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in *services.msc* and click OK.

Scroll down the list of services to *Plug & Play* and double click on it to open it and make sure the service is in a running state (status is "started") and the startup type is set to "automatic".

Let me know if these were not set that way please.


----------



## hanz012588 (Jan 4, 2008)

cookie i'm very sorry for the very late reply
the plug n play service is in started mode and in automatic


----------



## Cookiegal (Aug 27, 2003)

Please check the status of the *Telephony* service as well and let me know.


----------



## hanz012588 (Jan 4, 2008)

sorry again for late reply
telephony service is disabled


----------



## Cookiegal (Aug 27, 2003)

Open up the Telephone service again and set the startup type to "manual" and click on the "start" button to start the service.

Reboot the machine and let me know if you still get the access violation messages.


----------



## hanz012588 (Jan 4, 2008)

its ok now...
could you recommend a better browser than Firefox???
i tried opera but it was not working...


----------



## Cookiegal (Aug 27, 2003)

Not really. Firefox is very good and IE of course.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location.

Please post the results from the SuperAntiSpyware and Panda scans along with a new HijackThis log.


----------

