# Page Fault in KERNEL32.dll



## Lulie (May 5, 2004)

Any help would be greatly appreciated. I've recently been experiencing significant problems with my machine (P3 running Windows 98SE). To keep things simple, the most significant problem right now is constant page fault errors when I try to shut-down. More specifically:

EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff87f00

and

EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff87ede

and

EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff76840

I've also received a "blue screen" error that references 0E at bff87ede.

Please let me know if you require any additional information to provide advice. I've been battling this for about 2 days and I'm about to drop kick my machine out the window.

Thanks!
Lulie


----------



## Styxx (Sep 8, 2001)

http://www.generation.net/~hleboeuf/errkrn32.htm

***

Uninstall all unnecessary programs in the Add/Remove Programs control panel (freebies/demos/non-Microsoft games etc.).

***

Click the Start button; point to Control Panel, select Internet Options; in the box that opens, click the Clear History, Delete Cookies and Delete Files buttons (tick the box next to 'Delete all off-line content'), each in turn; in the box that opens after activating each button, click the OK button. Click OK to close the Internet Options window.

Clear the contents of the c:\Windows\Cookies; Temporary Internet Files and Temp folders.

***

You've got way too much running at Windows startup.

Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab. Resources available are displayed as percent there at top. Check it when you get done running the System Configuration Utility mentioned below.

Click the Start button; Run; type 'msconfig', without the quotation marks, in the Run box and click OK; Then click the Startup tab; Uncheck anything you don't need running in the background. For reference on what's not needed running in the background in the System Configuration Utility, view this website first and print out the list:

http://www2.whidbey.net/djdenham/Running_items.htm

It's important that you print out the above mentioned list. The site provides a printer friendly link.

In the System Configuration Utility (SCU), you can uncheck programs you suspect one at a time and restart your computer. If something doesn't work right, you can always go back into the SCU and re-check it and restart your computer via the Start button. The changes are completely reversible by re-checking an item in SCU or by selecting Normal Startup under the General tab in the SCU and all the programs listed run when Windows starts as it was before you started.

***

You need to be running a firewall like free Sygate from http://download.com - type, sygate, in the Search box; you must be on-line to register Sygate. That is, if you're not using a firewalled Router on a Network or have another third-party firewall like Sygate installed, to protect you and the Internet community from hackers, spammers and terrorists using your computer for their own illicit needs while you're on-line.

***

Get, install, update and run free Ad-aware (and its HexDump plug-in) from http://www.lavasoftusa.com/software/adaware/

First, in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click 'Use Custom Scanning Options', then click 'Customize' and have these options selected: under Drives and Folders put a check by Scan Within Archives, and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning, and under Cleaning Engine select: Let windows remove files in use at next reboot.

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)

Restart your computer.

***

You might post exactly what programs you have in the Add/Remove Programs Control Panel list box.

***

Go to http://housecall.trendmicro.com or http://www.pandasoftware.com/activescan/com/activescan_principal.htm and click the Scan Now link to run a free on-line virus scan.

***

What anti-virus are you using? If you're running McAfee or Norton anti-virus and have not recently paid for a one-year subscription to download weekly new virus definitions, you might consider getting free AntiVir 6 from http://free-av.com - uninstalling McAfee, restarting your computer and installing free AntiVir Anti-virus 6.0.

***


----------



## Lulie (May 5, 2004)

Hi Styxx,
Thanks for all the info.

I've actually already done some of what you've suggested, but not all.
I've gotten rid of almost all unnecessary programs, although I recently loaded some system utility programs (Registry Medic, Advanced System Optimizer, TuneUp Utility) to try and clean up my hard drive more thoroughly and fix the registry. The registry seems to have significant errors and is fragmented, but I can't tell if the tools I'm using are making it better or worse.

Although I've tried to uninstall everything I don't need, there are some programs that I can't seem to get removed in the Add/Remove control panel.
Below is a list of all current programs in Add/Remove:
3Com Modem Manager
Act!2000 (SFA tool)
Active Disk (not sure what this is but was afraid to uninstall it)
Adobe Acrobat 4.0
Adobe SVG Viewer 3.0 
ArcSoft Software Suite (tried to uninstall but got error)
ATI-Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATP (not sure what this is but was afraid to uninstall it)
Avery DesignPro (use to print business cards)
Connect Direct (not sure what this is but was afraid to uninstall it)
DellZone
eAcceleration (virus/firewall protection SW)
Epson Copy Utility
Epson EIC CX5400
Epson Photo Print
Epson Printer Software
Epson Scan
Epson Smart Panel
Epson USB Printer Devices
HP OfficeJet Series 600 (remove only) - fax machine, not sure why it says remove only
ICQ - use for chatting, but don't really use often
InCD - CD-RW burning software
Java 2 Runtime Environment, SE v1.41
Java Web Start
Microsoft IntelliPoint
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Outlook Express 6 (don't use, use Outlook 2000)
Microsoft Outlook Personal Folders Backup
Microsoft Windows 98 Resource Kit Tools Sampler (not sure what this is)
Nero - Burning Rom (CD-RW Software)
Nikon View 6 (for my digital camera)
Palm Desktop (for Palm Pilot)
PocketMirror 3.1.6 (Standard Edition) - for synchronizing with Outlook
Quicktime
Shockwave
TBS Montego II (jukebox SW came with system)
TBS Montego II Application (jukebox SW came with system)
Voyetra AudioStation 6 (upgraded jukebox SW)
Voyetra MusicWrite Starter Kit (upgraded jukebox SW)
webscan (virus/firewall SW)
WinZip

Some of these programs I do not have the SW to reinstall, so if I uninstall them, they're gone for good. Please let me know what additional program you would recommend I uninstall as well as any suggestion on how to get rid of programs that will not uninstall.

I delete cookies (both through IE and a tool called IECookie), temporary internet files, and offline content often, but not usually history (I refer to this periodically). I also use Disk Cleanup and Disk Defragmenter (in Accessories\System Tools) periodically.

I've tried to minimize the programs I run at Startup as much as possible (through msconfig as well as another tool called StartUp that I have loaded in Control Panel). The programs currently listed in Startup of msconfig are:
ScanRegistry
SystemTray
POINTER
LoadPowerProfile
InCD (from aHead Nero) ----------> TURNED OFF
StillImageMonitor ----------> TURNED OFF
EPSON Stylus CX5400 ----------> TURNED OFF
ATIPTA (sw for my Graphics Card)
EanthologyAPP (one of the programs for my virus/firewall SW)
Eanth_system_patcher (virus/firewall SW)
WebScan (virus/firewall SW)
LSPFix (virus/firewall SW)
eMailEncription (virus/firewall SW)
winmodem
LoadPowerProfile
ATIPOLL (graphics card related SW but not really sure what it does) -->OFF
ATISmart (graphics card related SW but not really sure what it does) --> OFF
SchedulingAgent (don't really use, but wasn't sure if I could turn it off)
Microsoft Office StartUp ----------> TURNED OFF
NkvMon (SW for digital camera) ----------> TURNED OFF
PowerReg SchedulerV2 (assume this is a Windows program)
HotSync Manager (for my palm pilot) -----------> TURNED OFF

Let me know if any other of these program could/should be TURNED OFF.

As far as firewalls and anti-virus software, I've been running a freeware firewall called Tiny Personal Firewall for over 2 years, however I had to uninstall it recently due to problems encountered when I installed a D-Link 514 router. I have run McAfee in the past, but find it very intrusive. I actually uninstalled it, but ran their Stinger Freeware yesterday (I thought I had a trojan), so it keeps popping up on me. Yesterday I purchased a virus/firewall protection software called Stop-Sign (by eAcceleration) and it loads at start-up. It provides for virus scanning, firewall, pop-up blocker, spam detection, etc.

My system performance seems pretty good even prior to running SCU (80% System Resources free).

After doing some more cleanup, I rebooted (still getting the same errors at shutdown) and ran "Step-by-step confirmation" in MS Windows 98 Startup Menu (hit F8 during reboot). Below are the results:

Load DoubleSpace driver --> Y
Process the system registry --Y
Create a startup log file (BOOTLOG.TXT) -->Y
Process your startup device drivers (CONFIG.SYS) -->Y
DEVICE=C:\WINDOWS\SETVER.EXE -->Y
DEVICE=C:\DELL\RTC.CLK +R --Y
DEVICE=C:\WINDOWS\HIMEM.SYS --Y
DEVICE=C:\DBLBUFF.SYS --Y
DEVICEHIGH=C:\WINDOWS\IFSHLP.SYS -->Y
Process your startup command file (AUTOEXEC.BAT) -->Y
C:\SET GRIP=C:\GRAVIS\GRIP (old game controller won't uninstall)
SET GRIP=C:\GRAVIS\GRIP -->N
C:\SET BLASTER=a240 I5 D1 T4
SET BLASTER=A240 I5 D1 T4 -->Y
C:\LH C:\WINDOWS\AU30DOS.COM (not sure what this is)
LH C:\WINDOWS\AU30DOS.COM -->Y
VORTEX DOS AUDIO DRIVER (2.000) Copyright (c) 1997,98 Aureal Semiconductor
PCI AUDI Pro enabled at ports 240-24Fh, Interrupt 5, DMA 1, Joystick 201h

ECHO OFF -->N
C:\>REM [Header]
REM [Header] -->Y
C:\>
C:\>REM [CD-ROM Drive]
REM [CD-ROM Drive] -->Y

C:\REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001
REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 -->Y

C:\>
C:\>REM [Miscellaneous]
REM [Miscellaneous] --> Y

C:\> REM [Display]
REM [Display] -->Y

C:\>
C:\>
C:\>
C:\>SET PATH=C:\WINDOWS; C:\windows;c:\windows\COMMAND;C:\GRAVIS\GRIP
SET PATH=C:\WINDOWS; C:\windows;c:\windows\COMMAND;C:\GRAVIS\GRIP --Y

C:\>SET PATH=C:\WINDOWS; C:\windows;c:\windows\COMMAND;C:\GRAVIS\GRIP;C:\PROGRA~1\ATITEC~1\ATICON~1
SET PATH=C:\WINDOWS; C:\windows;c:\windows\COMMAND;C:\GRAVIS\GRIP;C:\PROGRA~1\ATITEC~1\ATICON~1 -->Y

C:\>

WIN -->Y

Please wait while Setup updates your configuration files.
This may take a few minutes... (not sure why but this happens every startup)

Completed updating files, continuing to load Windows

Load all Windows Drivers --Y
Override standard NTKERN --Y (no idea what this is! ref 'KERN' for KERNEL32)?
vnetsup.vxd -->Y (no idea what this is)
ndis.vxd -->Y (no idea what this is)
ndis2sup.vxd -->Y (no idea what this is)
JAVASUP.VXD --> Y (assuming this has to do with JAVA Runtime for Web App)
c:\windows\SYSTEM\vrtwd.386 -->Y (no idea what this is)
c:\windows\SYSTEM\vfixd.vxd -->Y (no idea what this is)
vnetbios.vxd -->Y (no idea what this is)
turbovbf.vxd -->Y (no idea what this is)
nwlink.vxd -->Y (no idea what this is)
vredir.vxd -->Y (no idea what this is)
dfs.vxd -->Y (no idea what this is)
ndiswan.vxd -->Y (no idea what this is)
C:\WINDOWS\SYSTEM\vshinit.vxd -->Y (no idea what this is)
msmouse.vxd -->Y
turbovcd.vxd -->Y (think this is driver for VeloCD CD Drive)

Seems to take a while to continue booting at this point, a good 30 seconds until wallpaper comes up. Also takes another 20 seconds to complete boot up after wallpaper comes up.

Once again, at Shutdown get following EXPLORER error windows popping up:

EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff87f00

After clicking on "Close", receive another error:

EXPLORER caused an invalid page fault in module KERNEL32.DLL at 0177:bff76840

Click on "Close" and Windows does not shut down completely (hangs up on the "Windows is shutting down" screen). Forces a hard shut down.

I plan on loading the Spyware and Adaware protection software, but thought it might be best to resolve this KERNEL32.dll problem before I did. Let me know if you think I should load these programs before figuring out the shut down error.

I also ran HijackThis, so let me know if it would be helpful to you to see the log file.

Thanks,
Lulie



Styxx said:


> http://www.generation.net/~hleboeuf/errkrn32.htm
> 
> ***
> 
> ...


----------



## Styxx (Sep 8, 2001)

Please, don't re-quote what I've said, it just confuses things by making the post longer and longer for one thing, plus I know what you're referring to and what I posted, tnx in advance. To find out what any of the stuff is in add/remove just go to google.com and do a search for the name.

Go ahead and uninstall:

Active Disk
Act 2000 - unless you use it -> http://www.papab.com/act2000.htm
Quicktime
Shockwave
Connect Direct

[First off you have two (2) firewall anti-virus installed on your computer. eAcceleration (virus/firewall protection SW) is likely a game but uninstall it now anyway.
webscan (virus/firewall SW), likely one very possible source of your difficulty. I use AntiVir and Sygate with Win98-WinXP with no problem.] Uninstall each one, each in turn off-line, and restart your computer after each one.

eAcceleration (virus/firewall protection SW)
webscan (virus/firewall SW) -> see the bottom of my post and click the colored link to get AntiVir anti-virus (click the Download button/click Red/black antivir icon) on their homepage, and click the colored link to get Sygate personal firewall at this post bottom. Off-line uninstall that webscan thing; restart your computer; then install the firewall then the anti-virus. You've got to be on-line to register Sygate. Just click 'register later'.

ArcSoft software Suite - try to uninstall in Safe Mode - know how to get to Safe Mode? if that doesn't work remove the associated folder in the Program Files directory.


----------



## Lulie (May 5, 2004)

Thanks Styxx,
Sorry about quoting your reply, just habit I guess.

I removed Active Disk (I forgot it was for the Iomega drive I use to have), Quicktime, Shockwave, and Connect Direct. I use Act so I'll leave it on my HD.

I booted up into Safe Mode and tried to uninstall ArcSoft, but it still wouldn't work. I get an error "Internal error, unable to load or call external dll". If I delete the files from the "Program Files" folder, don't I also need to remove it from the registry?

I uninstalled the eAcceleration SW (waste of $25). It provides services other than virus/firewall protection including games, so that's most likely what you saw. It removed all components including webscan. I tried to reinstall Tiny Personal Firewall (my old freeware virus SW), but ran into problems with it, which is what made me buy eAcceleration. I wish I had decided to post here before I made that decision. I'm going to try Sygate now.

I have downloaded Spybot and Adaware. Is there any particular order that I should execute things (Sygate then Spybot then Adaware)?

Thanks again for all your help. Once I get through these steps, I'll post an updated status.

Lulie


----------



## Styxx (Sep 8, 2001)

Lulie:

If it's me, I just use Ad-aware configured accordingly as in my post above. It cuts down the time you take over Spyware and I believe, imho, that running both Ad-aware and Spybot S&D is redundant, and they look in the same areas for the same stuff plus, can even 'over-lap' the others' tasks (without actually being incompatible). But still, if you do decide to use them both, I'd run a freshly updated Ad-aware first, then Spybot. One reason I stopped using Spybot? The company at times doesn't put out updates for months despite the fact you know new exploits come out all the time. Ad-aware may go two weeks but new updates keep coming a couple of times a month. But again, no harm in using both. Run Spybot first, either way is fine.

Please see the attached printable tutorial for editing the registry to clean the Add/Remove Programs control panel list (after you take out that Program Files folder associated with ArcSoft out and then restart your computer), referring to that cheap program that won't uninstall correctly.

Yep, go with AntiVir and Sygate. Note that those without firewalls are the ones getting smushed by that Sasser Worm. Damn thing. I think you'll like the way your computer runs using them. Only one anti-virus installed at once, now. Restart your computer between uninstalls/installs.


----------



## Lulie (May 5, 2004)

I've completed almost everything and things seem to be getting a little better, but I still seem to be having problems. Three things in particular I've noticed.
1. AntiVir finds an infected file (twaintec.cab) in an archive but won't remove it. Should I just delete the archive that it is in? There also seems to be an associated dll file (twaintec.dll). Should I delete this file as well (assuming antivir didn't do it already)?
2. IE is still acting strange (home page changes, several pop-ups when I first open IE, and a strange blue menu bar near the top of the IE window). Every time I run adaware, it seems to come up with the same three files (1 called vx2.betterinternet and 2 associated with allaboutsearching). I select the files to be removed, but they are constantly recurring.
3. AntiVir identifies 14 archived zip files that are password protected. They are:
Advertisingcom.zip
Advertisingcom1.zip
AlexaRelated.zip
Clop.zip
eAcceleration1.zip
eAcceleration.zip
MediaPlex.zip
VXf.zip
VXf1.zip
VXf2.zip
VXf3.zip
VXf4.zip
VXf5.zip
WindowsMediaPlayer.zip

Most of these files look suspicious to me. Should I just delete them? If they are the source of my problem, will simply deleting them resolve the issue or will I need to take further action in the registry?

Any ideas on next steps?

I'm in the process right now of running some of the other online virus scan services (symantec & trendmicro). I already ran pandasoftware.

(BTW, I'm still having shut down problems, but I figured it was best to get the virus/spyware issues under control before I try to deal with the shutdown issues) 

Thanks again for all your help! 
Julie


----------



## Styxx (Sep 8, 2001)

Ok, as to Ad-aware, get on-line

1. First, in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click 'Use Custom Scanning Options', then click 'Customize' and have these options selected: under Drives and Folders put a check by Scan Within Archives, and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select: Unload recognized processes during scanning, and under Cleaning Engine select: Let windows remove files in use at next reboot.

Click proceed to save your settings.

Wait and scan in Safe Mode after both programs are updated.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)

Restart your computer.

2. Update AntiVir

***

3. Boot to Safe Mode

(tap F8 five times per second during a restart; Choose option number three (3) in the Windows Startup dialog box using the arrow keys below the Delete key, and strike the Enter key; Click Ok when prompted).

4. Scan with both AntiVir and Ad-aware, one at a time of course. The rule for fighting viruses is, 'when in doubt, delete.'

No, don't delete the whole .cab archive to get rid of twaintec.cab and twaintec.dll. Just try the scan in Safe Mode and post back whether the scan works or not. AntiVir is nice, huh?

Delete everything Ad-aware finds.

Reply back as to how it went.


----------



## Lulie (May 5, 2004)

I actually had already configured Adaware as you suggested and gotten the latest updates for both Adaware and Antivir. The only thing I hadn't tried was to run them in Safe mode.

After running Adaware in Safe Mode, it found 1 Registry key and 9 files including the following:

VX2.BetterInternet (RegKey)
Virtumundo (File)
IBIS Toolbar (File)
Lop.com (File)
eAcceleration (File)
VX2.BetterInternet (File)
Virtumundo (File)
New.Net
VX2BetterInternet (File)
VX2BetterInternet (File)

After selecting all 10 objects and clicking next - Adaware deleted them all.

Next I ran AntiVir again (in Safe Mode) which detected no viruses.

Next I shut down the machine (without incident) and rebooted in normal mode. I still got the message about setup updating my configuration files (suspicious I think), and proceeded to open IE. Sadly, there still seem to be errors. The "unexpected and unknown" blue tool is still there and running Adaware again produced additional objects.

It might be best at this point to post a hijackthis log for analysis. I really don't know what else to do, but I'm open to additional suggestions.

Thanks,

Lulie


----------



## Styxx (Sep 8, 2001)

Dell Zone you certainly need to uninstall. All cords are plugged in firmly on back of your computer? CD-ROM works ok? -> and CD lens cleaner run through it?

Obviously you're having fewer issues than you were and so making progress. You know the computer is Virus/Spyware free and shuts down/starts up with less issue than when you posted above, it appears.

Well Ad-aware finding additional items is not an issue. If new.dot net is in your Add/remove Programs list, select then delete it, if it isn't listed there right-click delete the proper Program files folder. A message about setup updating configuration files during a restart is also a non-issue.

Post a HiJackThis log ASAP!

I'd surely advise you to backup all your sensitive data in case your operating system becomes unbootable:

Backup all your Sensitive Data (Internet Explorer Favorites; Netscape Bookmarks, Address Book and Netscape Mail Folders; Outlook Express Address Books and Folders (compress any Netscape Mail or Outlook Express folders first) letters, pictures, databases, spreadsheets, music, etc.) to removable media for restoring later.

The blue screen(s) of death (BSOD) you call 'blue tool' can be a symptom or indication of something going bad. That's why you should backup your sensitive data immediately.

Click the following link to Troubleshooting Win98 Shutdown issues. Describe your shutdown issues in detail please.

http://support.microsoft.com/default.aspx?scid=kb;en-us;202633&Product=w98

***

Clean Device Manager in Safe Mode

Boot into Safe Mode - (tap F8 twice per second during a restart; Choose option number three (3) in the Windows Startup dialog box using the arrow keys below the Delete key, and strike the Enter key; Click Ok when prompted);

Right click My Computer; Point to Properties; Click the Device Manager tab; Click the plus sign beside CDROM; Highlight each device inside CDROM, each in turn, and click the Add/Remove button until no main CDROM entry is present.

Repeat with each device below that, Display Adapters etc. (see exceptions below), removing all duplicate entries inside a main heading. If duplicates are present, remove all those Duplicate Entries Only, inside a main heading.

Do Not bother Hard Disk Controllers, System Devices, and USB controllers.

Restart via the Start button and Windows will redetect, refresh and only replace those devices needed. There is no use for 2 keyboards, CDROM etc. as those duplicates cause some of the errors you describe.


----------



## Lulie (May 5, 2004)

HiJackThis log below.

Logfile of HijackThis v1.97.7
Scan saved at 7:45:21 AM, on 05/07/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stop-sign.com/support/homepage.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\EPSON\epic\cx5400_e\wwhelp\wwhimpl\common\html\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PINGGRIMLOG - {48811165-BC61-0FEA-43B4-69A0AB6ABB8F} - C:\PROGRAM FILES\DALEREGS\CDROM BOWS.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Dell Home (HKCU)
O9 - Extra button: Cookies (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap.com/downloads/upgradefinder.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2740fbf3feaa8617b701/netzip/RdxIE601.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.6604398148
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://ec112.ecicorp.com/netagent/objects/emagic.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://ibmezprint.com/plugin/axversion/1410/printQuick1410.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} (InSPECS2_0 Control) - http://161.58.155.13/cab_files/InSPECS2_0.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


----------



## Styxx (Sep 8, 2001)

You can run HJT and click 'fix selected' on this:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


----------



## Styxx (Sep 8, 2001)

This is a basic guide as to what the log means, and some tips on reading it yourself. This should in no way replace asking for help in the forums, but it will still help you somewhat in understanding and modifying the log yourself. 
--------------------------------------------------------------------------------

Overview

Each line in a HijackThis log starts with a section name.

For practical information, click the section name you need help with:
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs 
F0, F1 - Autoloading programs 
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs 
O1 - Hosts file redirection 
O2 - Browser Helper Objects 
O3 - Internet Explorer toolbars 
O4 - Autoloading programs from Registry 
O5 - IE Options icon not visible in Control Panel 
O6 - IE Options access restricted by Administrator 
O7 - Regedit access restricted by Administrator 
O8 - Extra items in IE right-click menu 
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu 
O10 - Winsock hijacker 
O11 - Extra group in IE 'Advanced Options' window 
O12 - IE plugins 
O13 - IE DefaultPrefix hijack 
O14 - 'Reset Web Settings' hijack 
O15 - Unwanted site in Trusted Zone 
O16 - ActiveX Objects (aka Downloaded Program Files) 
O17 - Lop.com domain hijackers 
O18 - Extra protocols and protocol hijackers 
O19 - User style sheet hijack

--------------------------------------------------------------------------------

R0, R1, R2, R3 - IE Start & Search page

What it looks like:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing 
What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you recognize, like Copernic. 
--------------------------------------------------------------------------------

F0, F1 - Autoloading programs

What it looks like: 
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad. 
--------------------------------------------------------------------------------

N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

What it looks like: 
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js) 
What to do:
Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see a URL you don't recognize as your homepage or search page, have HijackThis fix it. 
--------------------------------------------------------------------------------

O1 - Hosts file redirection

What it looks like: 
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch 
What to do:
This hijack will redirect the address on the right to the IP address on the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file. 
--------------------------------------------------------------------------------

O2 - Browser Helper Objects

What it looks like: 
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL 
What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

--------------------------------------------------------------------------------

O3 - IE toolbars

What it looks like: 
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL 
What to do:
If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data' (like the last one in the examples above), it's definitely bad, and you should have HijackThis fix it. 
--------------------------------------------------------------------------------

O4 - Autoloading programs from Registry

What it looks like: 
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE 
What to do:
Use PacMan's Startup List to find the entry and see if it's good or bad. 
--------------------------------------------------------------------------------

O5 - IE Options not visible in Control Panel

What it looks like: 
O5 - control.ini: inetcpl.cpl=no 
What to do:
Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it. 
--------------------------------------------------------------------------------

O6 - IE Options access restricted by Administrator

What it looks like: 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
What to do:
Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this. 
--------------------------------------------------------------------------------

O7 - Regedit access restricted by Administrator

What it looks like: 
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 
What to do:
Always have HijackThis fix this. 
--------------------------------------------------------------------------------

O8 - Extra items in IE right-click menu

What it looks like: 
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm 
What to do:
If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it. 
--------------------------------------------------------------------------------

O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

What it looks like: 
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM) 
What to do:
If you don't recognize the name of the button or menuitem, have HijackThis fix it. 
--------------------------------------------------------------------------------

O10 - Winsock hijackers

What it looks like: 
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll 
What to do:
It's best to fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de. 
--------------------------------------------------------------------------------

O11 - Extra group in IE 'Advanced Options' window

What it looks like: 
O11 - Options group: [CommonName] CommonName 
What to do:
The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this. 
--------------------------------------------------------------------------------

O12 - IE plugins

What it looks like: 
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll 
What to do:
Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb). 
--------------------------------------------------------------------------------

O13 - IE DefaultPrefix hijack

What it looks like: 
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi? 
What to do:
These are always bad. Have HijackThis fix them. 
--------------------------------------------------------------------------------

O14 - 'Reset Web Settings' hijack

What it looks like: 
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com 
What to do:
If the URL is not the provider of your computer or your ISP, have HijackThis fix it. 
--------------------------------------------------------------------------------

O15 - Unwanted site in Trusted Zone

What it looks like: 
O15 - Trusted Zone: http://free.aol.com 
What to do:
So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix this. 
--------------------------------------------------------------------------------

O16 - ActiveX Objects (aka Downloaded Program Files)

What it looks like: 
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab 
What to do:
If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it. 
--------------------------------------------------------------------------------

O17 - Lop.com domain hijacks

What it looks like: 
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com 
What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. 
--------------------------------------------------------------------------------

O18 - Extra protocols and protocol hijackers

What it looks like: 
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8} 
What to do:
Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it. 
--------------------------------------------------------------------------------

O19 - User style sheet hijack

What it looks like: 
O19 - User style sheet: c:\WINDOWS\Java\my.css 
What to do:
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.
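The rules of thumb in the guide above are mechanical enough to script. The following is an added example, not part of the original post and not code from HijackThis or its author: it parses log lines in the format shown above and applies the guide's verdicts (always fix, look it up, or recognised). The sample log is constructed from entries quoted in the guide plus one made-up O16 line; KNOWN_URLS, KNOWN_CLSIDS and KNOWN_STARTUP are hypothetical stand-ins for your own homepage, TonyK's CLSID lists and PacMan's startup list, and looks_random() is a crude heuristic of my own for names like 'rzillcgthjx'.

```python
import re
from typing import List, Tuple

# Constructed sample log: entries quoted in the guide above plus one made-up
# O16 line (example.invalid). None of it came from a real machine.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe Openme.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Casino Helper - http://example.invalid/free_plugin/dialer.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
"""

# Hypothetical stand-ins for the lookups the guide sends you to (your homepage,
# TonyK's CLSID lists, PacMan's startup list). Fill these from those sources.
KNOWN_URLS = {"http://www.google.com/"}
KNOWN_CLSIDS = {"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"}   # Yahoo! Companion toolbar, 'L' in the list
KNOWN_STARTUP = {"scanregw.exe", "systray.exe"}
BAD_PROTOCOLS = {"cn", "ayb", "relatedlinks"}                # CommonName, Lop.com, Huntbar
BAD_WORDS = ("dialer", "casino", "free_plugin")
ALWAYS_FIX = {"F0": "system.ini Shell= entry", "O5": "hidden IE Options icon",
              "O6": "IE Options policy", "O7": "regedit disabled by policy",
              "O11": "CommonName options group", "O13": "DefaultPrefix hijack",
              "O15": "site added to Trusted Zone"}

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def looks_random(name: str) -> bool:
    """Crude test for names like 'rzillcgthjx': long, alphabetic, almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage_line(section: str, body: str) -> Tuple[str, str]:
    """Apply the guide's rule of thumb for one section; verdict is fix, review or ok."""
    if section in ALWAYS_FIX:
        return "fix", ALWAYS_FIX[section]
    if section in ("R0", "R1", "R2"):
        url = body.split("=", 1)[-1].strip()
        return ("ok", "recognised homepage") if url in KNOWN_URLS else ("review", "unfamiliar URL")
    if section == "R3":
        return "fix", "URLSearchHook entry (fix unless you recognise the program)"
    if section == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]
        return "fix", f"{host} redirected to {ip} (unless you added it yourself)"
    if section in ("O2", "O3"):
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).upper() in {c.upper() for c in KNOWN_CLSIDS}:
            return "ok", "CLSID listed as safe"
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if section == "O3" and looks_random(name) and "APPLICATION DATA" in body.upper():
            return "fix", "random toolbar name loaded from Application Data"
        return "review", "CLSID not in list; look it up"
    if section == "O4":
        m = re.search(r'\[[^\]]*\]\s*"?([^\s"]+)', body)   # first token of the command
        exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        return ("ok", "known startup entry") if exe in KNOWN_STARTUP else ("review", "check the startup list")
    if section == "O10":
        return "review", "Winsock LSP: repair with LSPFix or Spybot S&D, not HJT"
    if section == "O16":
        if any(w in body.lower() for w in BAD_WORDS):
            return "fix", "suspicious word in object name or download URL"
        return "review", "check the object name and where it was downloaded from"
    if section == "O18":
        if body.startswith("Protocol hijack"):
            return "fix", "standard protocol handler replaced"
        proto = body.split(":", 1)[1].split(" - ")[0].strip()
        return ("fix", f"known hijacker protocol '{proto}'") if proto in BAD_PROTOCOLS else ("review", "unconfirmed protocol")
    return "review", "no rule of thumb; look it up"


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse a HijackThis log and return (section, verdict, reason) per entry."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, body = m.groups()
            verdict, reason = triage_line(section, body)
            out.append((section, verdict, reason))
    return out


if __name__ == "__main__":
    for section, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<7} {reason}")
```

The script only automates the "always fix" and "obviously bad" cases; every 'review' verdict still means looking the CLSID, filename or domain up as the guide says, and the vowel heuristic will miss a hijacker that picked a pronounceable name.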


----------



## Styxx (Sep 8, 2001)

Ok, you've got several critical items running at Windows Startup, like ICQ, for one. Open ICQ, enter the Preferences/Options area and stop it from running at Start. Do the same with almost everything else that accesses the Internet. ICQ itself can cause random BSODs.

You might want to get the newest ICQ: uninstall ICQ, restart your computer, then install ICQ from scratch with a fresh download, not the old one.


----------



## Styxx (Sep 8, 2001)

Yes, let Sygate and AntiVir run at Startup, but little else.


----------



## Lulie (May 5, 2004)

Hi Styxx,
Based on your last few posts I have a few questions.

As far as ICQ goes, I don't think I've used it in over a year. I was afraid to uninstall it because I thought I heard that the SW was no longer free and I didn't want to lose it on the outside chance that someone wanted to chat.

Based on some of the description in the HJT information, there are some entries in my latest log file that I don't recognize (obviously doesn't mean they shouldn't be there).

I "fixed" the one toolbar you mentioned, but I still have that unknown toolbar in IE (it's actually not the BSOD, but a small toolbar just below the "address" area in IE's standard toolbar). When I "View" "Toolbars" in IE, there are 3 toolbars listed (standard buttons, address bar, links) and then a blank space below "Links". If I click on the blank space, a check mark comes up on the left of the blank space (as if I just turned on a toolbar) and that weird blue toolbar comes up. This weird toolbar is all blue and has the following hot links (running from left to right):
Search, News, MP3, Gambling, Entertainment, Books, Computer, Education

I noticed in my last HJT log there were 2 other toolbars listed:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PINGGRIMLOG - {48811165-BC61-0FEA-43B4-69A0AB6ABB8F} - C:\PROGRAM FILES\DALEREGS\CDROM BOWS.DLL
I haven't been able to get to TonyK's List (CGI's maxed out on the site) so I don't know if these are bad or OK.

I also thought that one of the O9 entries
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) or
O9 - Extra button: Cookies (HKCU)
might be bad, especially the 2nd one (I'm always suspicious of cookies)

In going through the O4 entries, everything looked legit, with one exception. There is an entry (not in the last HJT log I posted) referencing PCDRealtime. The exact entry is:
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

I did a Google search on PCDRealtime and while I couldn't find anything specific, I did see a reference to it in another forum (security-forums.com) where one of the advisors was suspicious of this.

Finally, in section O16, there are several entries that are either suspicious or reference programs that I uninstalled.

The following entries seem to refer to programs I've uninstalled:

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab

The following entries I don't recognize

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download....ctl_0_0_0_1.ocx
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap.com/downloads/upgradefinder.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2740fbf3feaa86...ip/RdxIE601.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://ec112.ecicorp.com/netagent/objects/emagic.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://ibmezprint.com/plugin/axvers...ntQuick1410.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} (InSPECS2_0 Control) - http://161.58.155.13/cab_files/InSPECS2_0.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

The following entries reference online virus scan tools or virus programs I no longer use:

O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared...,16/mcgdmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab

Let me know what you think I should do about the above listed entries. Once again, I really appreciate all your insight and advice  
Thanks,

Lulie


----------



## Styxx (Sep 8, 2001)

I like how you're looking at your HJT log!  So here we go. 

I believe you're 'afeared' incorrectly; as far as I can see, ICQ is still free. I'd uninstall it and restart your computer to finalize the changes, Ok?

As to that toolbar, just untick the blank space so the toolbar doesn't appear below your browser's Address box. It'll be fine, so that's resolved if you do that, Ok? That is, you untick the blank space and the toolbar disappears. Is that correct? If so, make it go away and you're done with that. I've helped folks in real time at their homes and just unticked the toolbar entry. It's much more time-consuming, frustrating and downright hazardous to fool around editing the registry to try to rid your system of that toolbar. Besides, 'fixing' these HJT toolbar entries will probably get it gone anyhow after running HJT, fixing and restarting your computer. I thought you meant a BSOD. 

As to your HJT log:
Just go ahead and run HJT and tick the boxes next to all the entries you mention in your above post, and then click the HJT 'fix selected' button/option.


----------



## Lulie (May 5, 2004)

Hi Styxx,
I actually posted a response to your last post this past Friday, but I notice that it's not there. Don't know what happened to it, but I do want you to know that I appreciate all your help.

Everything seems to be running much better. I think there are still a few spyware programs out there, but I'm going to use Spybot and Adaware to try and control them.

I do have a few questions about Sygate. After I installed the software, any request I've received coming in that I do not recognize, I've blocked. Currently there are two blocked entries (because I don't know what they are):

Win32Kernel Core Component from Path c:\windows\system\kernel32.dll (this only has entries in the "Outgoing" calls category)
Windows IPX/SPX-Compatible Protocol Driver from Path c:\windows\system\nwlink.vxd (this only has entries in the "Incoming" calls category)

Any idea on why I am getting these calls?

Also, I notice in the Traffic Log a lot of calls (some blocked, some allowed, all incoming) which list my router (192.168.0.1) as the remote host. This may be perfectly normal, I'm just not familiar enough with Sygate to know what's normal and what's not. Any ideas you may have on this would be appreciated.

Thanks,

Lulie


----------



## Styxx (Sep 8, 2001)

Look, if you're behind a firewalled network Router (hardware firewall), you don't need, and shouldn't be using a software firewall like Sygate!

Can you please determine whether your Router has a built-in firewall before you uninstall Sygate?


----------



## GhettoChild (Mar 4, 2004)

I also got that Kernel32 thing when I try running my browser... Did anything Styxx said help your browser probs?


----------



## Lulie (May 5, 2004)

Hi Styxx,
Yes the DI-514 router has a built in firewall. Your point is a good one and I thought the same thing. However, all my "virus/spyware" problems seemed to start as soon as I uninstalled the Tiny Personal Firewall software I was using (after I installed the wireless router).

The router came with two default settings in the firewall. They are:

| Action | Name | Source | Destination | Protocol |
|---|---|---|---|---|
| Deny | Default | `*,*` | `LAN,*` | `IP (0),*` |
| Allow | Default | `LAN,*` | `*,*` | `IP (0),*` |

This is all Greek to me. Does it mean anything to you?

Lulie


----------



## Styxx (Sep 8, 2001)

No, I don't use a wireless Router, but if those settings you mentioned are the default for that Router and you've only got one computer hooked to that Router, there's no setting change I would recommend. Those settings regarding LAN (LAN = Local Access Network) refer to whether you have more than one computer sharing an Internet connection and/or sharing files and printer(s). So aside from removing any software firewalls from the Add/Remove Programs control panel list and restarting your computer, you'd surely need to contact the Router maker's technical support lines by e-mail or phone for assistance as to the appropriate and optimal settings for your computer system application. That's a wireless (Wi-Fi) network Router, but most Routers can be used with just one computer too.

If you have Real Player, or RealOne, installed on that computer, remove it from the Add/Remove Programs control panel list and restart your computer.
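The two default rules quoted in the previous post read as an ordered table: the first denies anything whose destination is the LAN, the second allows anything whose source is the LAN. The following is an added example, not part of this thread and not D-Link code, that evaluates packets against that table so the effect is visible. It assumes first-match-wins ordering, that 'LAN' means the router's 192.168.0.0/24 side (the poster's router is 192.168.0.1), and that 'IP (0)' means any IP protocol; confirm those against the DI-514 manual before relying on them.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption: the router's LAN side is 192.168.0.0/24 (the router itself is 192.168.0.1).
LAN_NET = ipaddress.ip_network("192.168.0.0/24")

# The two default rules quoted in the thread, in the order the router lists them:
# (action, name, source, destination, protocol). '*' is any; 'IP (0)' is read
# here as "any IP protocol" (assumption).
Rule = Tuple[str, str, str, str, str]
DEFAULT_RULES: List[Rule] = [
    ("Deny",  "Default", "*",   "LAN", "IP (0)"),
    ("Allow", "Default", "LAN", "*",   "IP (0)"),
]


def side_of(addr: str) -> str:
    """Classify an address as LAN (inside the router) or WAN (everything else)."""
    return "LAN" if ipaddress.ip_address(addr) in LAN_NET else "WAN"


def matches(pattern: str, addr: str) -> bool:
    return pattern == "*" or pattern == side_of(addr)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp") -> Tuple[str, Optional[str]]:
    """First matching rule wins (assumed ordering semantics; check the router manual)."""
    for action, name, rsrc, rdst, rproto in rules:
        proto_ok = rproto.startswith("IP") or rproto.lower() == proto.lower()
        if proto_ok and matches(rsrc, src) and matches(rdst, dst):
            return action, f"{name}: {rsrc} -> {rdst} {rproto}"
    return "Deny", None   # no rule matched: treat as implicit deny


if __name__ == "__main__":
    # An unsolicited connection from the Internet to the PC, then one the PC opens.
    print(evaluate(DEFAULT_RULES, "203.0.113.9", "192.168.0.5"))
    print(evaluate(DEFAULT_RULES, "192.168.0.5", "203.0.113.9"))
```

An inbound attempt from the Internet to a LAN host hits the Deny rule first; a connection the PC opens misses that rule (its destination is not the LAN) and is allowed by the second. Replies to connections the PC opened are handled by the router's NAT/connection state rather than by this table, which is why the two rules alone give a usable default for a single PC behind the router.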


----------

