Solved

'Explorer' Error

Posted on 2003-10-25
Last Modified: 2013-12-29
I keep on getting 'Explorer' error messages saying that the program must be terminated after performing an illegal operation. This happens whenever I am using Internet Explorer or when browsing a folder on my computer. I have performed several virus checks using various programs and it does not seem to have a virus on the machine.

Does anyone know how I could solve this?

When I click on Details it comes up with:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:02d7f6d8.
Registers:
EAX=02cd0fe2 CS=017f EIP=02d7f6d8 EFLGS=00010283
EBX=01cdfa3e SS=0187 ESP=01cdf86c EBP=01cdf880
ECX=02cd0fe7 DS=0187 ESI=01cdf9bc FS=8f4f
EDX=01cdf8cc ES=0187 EDI=00000000 GS=0000
Bytes at CS:EIP:

Question by:stephenharding

Expert Comment

by:BillDL
We really need to see what processes are running on your system when this happens.  I'm afraid that the information below is a universal copy and paste, but will help to isolate and identify the problem area.

Firstly, download, install and run the freeware personal version of "Adaware" from Lavasoft.  It will identify any rogue Advertising Software or components on your system and allow you to get rid of them.

http://www.lavasoft.de/software/adaware/

Download, unzip, and run (no need to install) the freeware "BHO Demon".  Browser Helper Objects (or BHO's) are small programs that run automatically when you start your Internet Browser, come in many forms including the legitimate Adobe Acrobat Reader, and Norton AntiVirus, but also can be malicious or just a plain nuisance.  This program allows you to enable or disable them.  Take for example Go!Zilla, the downloading utility, which installs a BHO created by Radiate (formerly Aureate Media).  This BHO tracks which advertisements you see as you surf the Web, which may not bother you too much, but it is using up resources.

That said, there is no restriction on what a BHO can do to your system.  It can do anything any other program can do, i.e. read or write (or delete) anything on your system.  Usually, software is installed on your system explicitly by you, but BHO's have a history of being installed without the user's knowledge.

With BHO Demon, BHO's are disabled by simply renaming the DLL that houses them.  By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish.

http://www.definitivesolutions.com/bhodemon.htm
http://www.definitivesolutions.com/files/bhodmon1.zip

You should also run a Full virus scan of your system after updating your AntiVirus software with the latest definition download.  Scan ALL files, memory and boot sector where these are options.

It would be helpful if we could inspect what processes are running on your system when this occurs.

Use the Start Menu as follows:

1. Start > Run > and type MSINFO32
2. In the left pane, find "Software Environment"
3. For each of the following sections, click on it and then use the menu as follows:
    Edit > Select All > Edit Copy
4. Paste each into NotePad and save by the name of the section in MSINFO32
5. Copy and paste the details here if they are brief enough

Software Environment\
                                 Running Tasks
                                 Startup Programs
                                 System Hooks

Your list of startup programs will help us decide what you need and don't need to run automatically when Windows boots.  You could disable them using "Start > Run"  > and typing MSCONFIG.  The checkboxes are in the "startup" tab, and the only one you usually require is the System Tray.  You could restore them again one at a time, rebooting between, and test until you find the culprit.

A helpful page to assist you in identifying Startup items is:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Another useful program for finding things that take over your system is "HiJack This" from:

http://www.spywareinfo.com/downloads.php#det
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

It will run from any folder without needing installation.  Just unzip it, launch Hijack This, then press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.  Maybe this would be better to post here.

Expert Comment

by:BillDL
If you have Norton AntiVirus installed, go to the Options and find "Script Blocking".  Instead of the setting "stop all suspicious activity", change it to "ask me what to do".

If this is the problem (or at least a contributory one) then you will be informed.

Author Comment

by:stephenharding
BillDL, Norton was already configured to 'ask me what to do', and the Script Blocking was activated.

Author Comment

by:stephenharding
BillDL, I have copied the contents from the sections of MSINFO32.

**SYSTEM HOOKS**
Keyboard      Msctf.dll      CTFMON.EXE      C:\WINDOWS\SYSTEM\Msctf.dll      C:\WINDOWS\SYSTEM\CTFMON.EXE
GetMessage      Msctf.dll      CTFMON.EXE      C:\WINDOWS\SYSTEM\Msctf.dll      C:\WINDOWS\SYSTEM\CTFMON.EXE
GetMessage      Msh_zwf.dll      POINT32.EXE      C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\Msh_zwf.dll      C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
CBT      Msctf.dll      CTFMON.EXE      C:\WINDOWS\SYSTEM\Msctf.dll      C:\WINDOWS\SYSTEM\CTFMON.EXE
CBT      Msgplush1.dll      MSGPLUS.EXE      C:\PROGRAM FILES\MESSENGER PLUS! 2\Msgplush1.dll      C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
Mouse      Msctf.dll      CTFMON.EXE      C:\WINDOWS\SYSTEM\Msctf.dll      C:\WINDOWS\SYSTEM\CTFMON.EXE
Shell      Msctf.dll      CTFMON.EXE      C:\WINDOWS\SYSTEM\Msctf.dll      C:\WINDOWS\SYSTEM\CTFMON.EXE

Author Comment

by:stephenharding
**STARTUP PROGS**

Connect...      Startup Group      Freeserve Anytime 29.01.03
ctfmon.exe      Registry (Per-User Run)      ctfmon.exe
MessengerPlus2      Registry (Per-User Run)      "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
msnmsgr      Registry (Per-User Run)      "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
ScanRegistry      Registry (Machine Run)      c:\windows\scanregw.exe /autorun
TaskMonitor      Registry (Machine Run)      c:\windows\taskmon.exe
SystemTray      Registry (Machine Run)      SysTray.Exe
LoadPowerProfile      Registry (Machine Run)      Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Microsoft IntelliType Pro      Registry (Machine Run)      "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
Disc Detector      Registry (Machine Run)      C:\Program Files\Creative\ShareDLL\CtNotify.exe
ScanFile      Registry (Machine Run)      
Devlog      Registry (Machine Run)      
AudioHQ      Registry (Machine Run)      C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
LoadQM      Registry (Machine Run)      loadqm.exe
ClickTheButton      Registry (Machine Run)      
POINTER      Registry (Machine Run)      point32.exe
WhenUSave      Registry (Machine Run)      C:\PROGRA~1\SAVE\Save.exe
Lexmark X73 Button Monitor      Registry (Machine Run)      C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
Lexmark X73 Button Manager      Registry (Machine Run)      C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
LexmarkPrinTray      Registry (Machine Run)      PrinTray.exe
LexStart      Registry (Machine Run)      Lexstart.exe
ccRegVfy      Registry (Machine Run)      "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
iamapp      Registry (Machine Run)      c:\Program Files\Norton Internet Security\IAMAPP.EXE
ccApp      Registry (Machine Run)      "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
msbb      Registry (Machine Run)      C:\WINDOWS\MSBB.EXE
LoadPowerProfile      Registry (Machine Service)      Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr      Registry (Machine Service)      "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Nisum      Registry (Machine Service)      c:\Program Files\Norton Internet Security\NISUM.EXE
ccPxySvc      Registry (Machine Service)      c:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
ScriptBlocking      Registry (Machine Service)      "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
nisserv      Registry (Machine Service)      c:\Program Files\Norton Internet Security\NISSERV.EXE
MessengerPlus2      Registry (Machine Service)      "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
SchedulingAgent      Registry (Machine Service)      mstask.exe

Author Comment

by:stephenharding
**RUNNING TASKS**

Kernel32.dll      4.10.2222      Microsoft Corporation      Win32 Kernel core component      C:\WINDOWS\SYSTEM\Kernel32.dll      4.3      Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE      4.10.2222      Microsoft Corporation      Windows 32-bit VxD Message Server      C:\WINDOWS\SYSTEM\MSGSRV32.EXE      4.0      Microsoft(R) Windows(R) Operating System
Mprexe.exe      4.10.1998      Microsoft Corporation      WIN32 Network Interface Service Process      C:\WINDOWS\SYSTEM\Mprexe.exe      4.0      Microsoft(R) Windows(R) Operating System
Ccevtmgr.exe      1.03.4      Symantec Corporation      Event Manager Service      C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\Ccevtmgr.exe      4.0      Event Manager
Nisum.exe      6.02.2003      Symantec Corporation      Norton Internet Security NISUM      C:\PROGRAM FILES\NORTON INTERNET SECURITY\Nisum.exe      4.0      Norton Internet Security
Ccpxysvc.exe      6.02.2003      Symantec Corporation      Norton Internet Security Proxy Service      C:\PROGRAM FILES\NORTON INTERNET SECURITY\Ccpxysvc.exe      4.0      Norton Internet Security
Msgplus.exe      2, 21, 0, 55      Patchou      Messenger Plus!      C:\PROGRAM FILES\MESSENGER PLUS! 2\Msgplus.exe      4.0      Messenger Plus! 2
Ptudfapp.exe      1, 3, 0, 152      Prassi Software USA, Inc.      abCD Interface application      C:\WINDOWS\SYSTEM\Ptudfapp.exe      4.0      abCD
MMTASK.TSK      4.03.1998      Microsoft Corporation      Multimedia background task support module      C:\WINDOWS\SYSTEM\MMTASK.TSK      4.0      Microsoft Windows
Taskmon.exe      4.10.1998      Microsoft Corporation      Task Monitor      C:\WINDOWS\Taskmon.exe      4.0      Microsoft(R) Windows(R) Operating System
Systray.exe      4.10.2224      Microsoft Corporation      System Tray Applet      C:\WINDOWS\SYSTEM\Systray.exe      4.0      Microsoft(R) Windows(R) Operating System
Speedkey.exe      1.01.430      Microsoft Corporation      MS IntelliType Pro      C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\Speedkey.exe      4.0      Microsoft IntelliType Pro
Ctnotify.exe      1.53.4.0      Creative Technology Ltd.      Disc Detector      C:\PROGRAM FILES\CREATIVE\SHAREDLL\Ctnotify.exe      4.0      Creative Disc Detector
Ahqtb.exe      1.0.185      Creative Technology Ltd.      Creative AudioHQ      C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\Ahqtb.exe      4.0      AudioHQ
Loadqm.exe      5.4.1103.3      Microsoft Corporation      Microsoft QMgr      C:\WINDOWS\Loadqm.exe      4.0      QMgr Loader
Point32.exe      3.20.0484      Microsoft Corporation      Cursor features application file      C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\Point32.exe      4.0      Microsoft Pointing Device Software
Save.exe      2, 5, 3, 1      WhenU.com, Inc.      Save!      C:\PROGRAM FILES\SAVE\Save.exe      4.0      Save!
Mediadet.exe      1.53.3.0      Creative Technology Ltd.      Disc Detector      C:\PROGRAM FILES\CREATIVE\SHAREDLL\Mediadet.exe      4.0      Creative Disc Detector
Acmonitor_x73.exe      1, 0, 0, 8      Silitek Corp.      ACMonitor      C:\PROGRAM FILES\LEXMARKX73\Acmonitor_x73.exe      4.0      ACMonitor
Acbtnmgr_x73.exe      1, 0, 0, 1      Jetsoft Development Company      AcBtnMgr      C:\PROGRAM FILES\LEXMARKX73\Acbtnmgr_x73.exe      4.0      Jetsoft Development Company AcBtnMgr
Spool32.exe      4.10.1998      Microsoft Corporation      Spooler Sub System Process      C:\WINDOWS\SYSTEM\Spool32.exe      4.0      Microsoft(R) Windows(R) Operating System
Pstores.exe      5.00.1877.3      Microsoft Corporation      Protected storage server      C:\WINDOWS\SYSTEM\Pstores.exe      4.0      Microsoft(R) Windows NT(R) Operating System
Lexbces.exe      5,13,00,00      Lexmark International, Inc.      LexBce Service      C:\WINDOWS\SYSTEM\Lexbces.exe      4.0      MarkVision for Windows (32 bit)
Ccapp.exe      1.08.01      Symantec Corporation      Common Client CC App      C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\Ccapp.exe      4.0      Common Client
Msbb.exe      4.1      180Solutions Inc      msbb      C:\WINDOWS\Msbb.exe      4.0      n-CASE
Ctfmon.exe      1.00.2409.7 built by: Lab06_N      Microsoft Corporation      Cicero Loader      C:\WINDOWS\SYSTEM\Ctfmon.exe      4.0      Microsoft(R) Windows NT(R) Operating System
Rpcss.exe      4.71.3328      Microsoft Corporation      Distributed COM Services      C:\WINDOWS\SYSTEM\Rpcss.exe      4.0      Microsoft(R) Windows NT(TM) Operating System
Msnmsgr.exe      6.0.0602      Microsoft Corporation      Messenger      C:\PROGRAM FILES\MSN MESSENGER\Msnmsgr.exe      4.0      Messenger
Rnaapp.exe      4.10.2222      Microsoft Corporation      Dial-Up Networking Application      C:\WINDOWS\SYSTEM\Rnaapp.exe      4.0      Microsoft(R) Windows(R) Operating System
Tapisrv.exe      4.10.2222      Microsoft Corporation      Microsoft® Windows(TM) Telephony Server      C:\WINDOWS\SYSTEM\Tapisrv.exe      4.0      Microsoft(R) Windows(R) Operating System
Wmiexe.exe      5.00.1755.1      Microsoft Corporation      WMI service exe housing      C:\WINDOWS\SYSTEM\Wmiexe.exe      4.0      Microsoft(R) Windows NT(R) Operating System
Lexpps.exe      5,13,00,00      Lexmark International, Inc.      LEXPPS.EXE      C:\WINDOWS\SYSTEM\Lexpps.exe      4.0      MarkVision for Windows (32 bit)
Msimn.exe      6.00.2800.1106      Microsoft Corporation      Outlook Express      C:\PROGRAM FILES\OUTLOOK EXPRESS\Msimn.exe      4.0      Microsoft® Windows® Operating System
Ddhelp.exe      4.08.01.0881      Microsoft Corporation      Microsoft DirectX Helper      C:\WINDOWS\SYSTEM\Ddhelp.exe      4.0      Microsoft® DirectX for Windows®  95 and 98
Mozilla.exe      1.4: 2003062408      Mozilla, Netscape      Mozilla      C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\Mozilla.exe      4.0      Mozilla
Mstask.exe      4.71.1972.1      Microsoft Corporation      Task Scheduler Engine      C:\WINDOWS\SYSTEM\Mstask.exe      4.0      Microsoft® Windows® Task Scheduler
Explorer.exe      4.72.3110.1      Microsoft Corporation      Windows Explorer      C:\WINDOWS\Explorer.exe      4.0      Microsoft(R) Windows NT(R) Operating System
Winzip32.exe      3.0 (32-bit)      Nico Mak Computing, Inc.      WinZip Executable      C:\PROGRAM FILES\WINZIP\Winzip32.exe      4.0      WinZip
Bhodemon.exe      1.0.0.3      Definitive Solutions, Inc.      BHODemon - Freeware - Manages BHOs.      C:\UNZIPPED\BHODMON1\Bhodemon.exe      4.0      BHODemon
Msinfo32.exe      4.10.2222      Microsoft Corporation      MSInfo32      C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe      4.0      Microsoft System Information

Expert Comment

by:BillDL
Thank you stephen, I will look at these items and come back with some suggestions.

Straight off, though, I can see a couple of things that you should disable.

Startup Programs:

LoadQM     Registry (Machine Run)     loadqm.exe
msnmsgr "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

These two go hand-in-hand.  Microsoft Messenger installs and sets up a useless program named LoadQM.exe.  It is guilty of using up resources, although I don't think it would keep crashing Explorer.  Do you really need to have MSN Messenger start and run in the background from as soon as your system boots?

I also see that your Freeserve AnyTime Dialup Connection is loaded from a shortcut in your startup folder so that you are online from kick-off.  I don't see any evidence of "dialer.exe" which is that stupid autodialler thing they brought out to dial alternative numbers if the first connection failed.  Freeserve cuts you off on AnyTime after 2 hours anyway.  Couldn't you just connect when you want to connect using a shortcut to your Dialup Connection applet?

You also have Task Scheduler (MSTASK.EXE) running from Startup.  Do you, or does any application on your computer, actually use Task Scheduler?  Perhaps Norton uses it for scheduled scans or updates in which case it is essential, but if it isn't needed, just open it from your Task Tray, go to the "Advanced" menu > "stop using Task Scheduler" > Reboot.

There are 2 things that worry me in your Startup Programs and could very easily be a contributory factor:

WhenUSave   Registry (Machine Run)     C:\PROGRA~1\SAVE\Save.exe
This is known Spyware/Parasite.
http://www.doxdesk.com/parasite/SaveNow.html
Stability problems: Yes. Can cause frequent crashes

ClickTheButton  Registry (Machine Run)
This is known Spyware/Parasite.  
http://www.doxdesk.com/parasite/ClickTheButton.html
Stability problems: None known.

Both of these concern themselves with Internet activity and, because your Dialup Connection is also opening at Startup, they could easily be attempting intervallic sharing of info.  There is also a chance that Norton Internet Security is attempting to block any activity.

So, here's what I suggest to begin with:

1. Temporarily remove the shortcut to your Freeserve Dialup from your Start Menu > Programs > Startup folder and dump it on your Desktop for now.

2.  Start > Run > MSCONFIG > Startup tab.  Uncheck LoadQM.  Apply.

3. Open MSN Messenger and configure it so that it does not run at startup or automatically sign in or run in the background.

4. Open Task Scheduler
Start > Run > MSTASK > OK
or
Right-Click the Task Tray icon > Open
Check what scheduled tasks are listed.  If you don't need any of them, close Task Scheduler, find the application that made the setting, and disable scheduled activity from the user options.
Once you have done this, open Task Scheduler again and use the "Advanced" menu > "stop using Task Scheduler".

Now Reboot your computer.

5. Now you have to get rid of those 2 parasites that are loading.

The (Machine Run) expression against each of them indicates that they are both listed in the Registry Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

Firstly, go to "Control Panel > Add/Remove Programs", and see if either can be uninstalled from there.

If not, look in MSCONFIG's "startup" tab and see if they are listed.  If so, uncheck them both, click Apply, and Reboot.

This will move the entry for both of them into another key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]

This is the "disabled" startup items backup so that if you checked the box in MSCONFIG, it could restore that startup item.

At least now they won't be running automatically, and you can go about removing them if you are confident with the instructions on the linked pages above.

If you are NOT confident doing this, then I suggest leaving them checked in MSCONFIG's Startup tab, and run AdAware.  This should identify the components and allow you to select them for removal.

Once removed, you should be able to restore the items you disabled earlier (items 1 and 3 above), but do them one at a time with a reboot in between each.

Let us know how you get on with this, and I will look a bit more at your lists.


Expert Comment

by:BillDL
I am pretty sure that HiJack This would also identify the 2 parasites.

Author Comment

by:stephenharding
Thanks for all your help so far!

I cannot find the item "[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]" in the Add/Remove Programs or in the Startup tab of MSCONFIG.

I think it does, but do these changes I am applying affect all of the users on my computer?

Thank You

Accepted Solution

by:BillDL (earned 50 total points)
Whooops.  I should have explained more about this.  I was assuming that you were aware of the layout of the Windows Registry, but mentioned that if you weren't confident, not to attempt changing or any other setting.

The Windows utility RegEdit.exe allows you to make changes directly to the registry, and lays it out in a visual manner not unlike Windows Explorer.  It combines the data stored in 2 files (user.dat and system.dat) and displays them as 6 main registry keys called HIVE Keys, hence the HKEY prefix:

HKEY_CLASSES_ROOT - holds details of all the registered file types on the computer and their associations which affect them
HKEY_CURRENT_USER - contains unique settings only relating to whoever is logged in
HKEY_LOCAL_MACHINE - contains settings relating to the entire computer regardless of who is logged in (eg. AntiVirus programs where settings are common to all)
HKEY_USERS - contains individual preferences for each user of the computer
HKEY_CURRENT_CONFIG - links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration
HKEY_DYN_DATA - points to part of HKEY_LOCAL_MACHINE and is used with the Plug-&-Play features of Windows to keep a dynamic record of hardware changes.

Each HIVE Key is split into sub-keys that gradually work down in hierarchy with DataValues (like files) in most of them.  DataValues are represented by text strings (like a path to a program used), binary or DWORD.  In many cases the values just tell the system to enable or disable an action using a 1 or zero.

So, I wouldn't worry about poking around in the registry.  When you run something like MSCONFIG and change a setting, it is automatically reflected in the registry, although sometimes the system requires a restart before it will take effect.

DON'T be tempted to use RegEdit unless you absolutely have to, and then do some reading first.  This is the best place to read about it if you want to understand it a bit better:  http://www.winguides.com/article.php?id=1&guide=registry.

Why not download a version of the site as an offline reference. The Registry Guide 2003.
http://www.winguides.com/software/click.php?id=1&action=download

Alternatively, download a tool that lets you inspect the contents as laid out by RegEdit, but in complete safety as a Read-Only format available in Windows Explorer.
http://www.winguides.com/software/click.php?id=28&action=download

To answer your question, if the 2 parasite items are listed in Add/Remove programs, then uninstall them and reboot.

If they aren't, then disable them, then try running "AdAware" or "HiJack This" and see if they are found.  If found, then check the box beside each item you want to remove, and continue.  Reboot once done.  They are very much like Virus Scanners in action, but report what the writer of the program has set in the database as "dodgy" or "potentially dodgy" :-)

Make sure that you allow each application to look for an updated data file online when you first run them, but before scanning the system.

I also suggest doing this in Safe Mode where perhaps you will have less problems navigating your system, and these items should not have automatically loaded.

Press F8 repeatedly as your system starts booting, and it should bring up a DOS menu allowing you to arrow down to Safe Mode and press Enter.

If AdAware doesn't find them, then disable them in MSCONFIG > startup tab, Apply > Reboot.

The fact that they are referenced as (Machine Run) rather than (Per-user-run) means that their entries are in HKEY_LOCAL_MACHINE rather than HKEY_CURRENT_USER.  This is deliberate on their part so that it affects the computer, not only certain users.

Author Comment

by:stephenharding
Thanks for all your help on this topic. I will gladly award you the points for all the help you have given me, however there are other problems with the computer so I have decided to get the computer completely reset and upgraded.

Thanks A Lot For Your Help!

Stephen

Expert Comment

by:BillDL
It's my pleasure Stephen.  Pity there are so many other problems.  Sometimes they are related, although often the connection isn't always obvious, and sometimes there are several unconnected issues that just compound the problem created by another.

If you have all the driver and software disks and a full Win98 CD and Win98 boot floppy, then it is probably better to backup any essential data and wipe the drive clean for a fresh start.

Do you need any advice about backing up your data, formatting the drive, and reinstalling?  If so, don't hesitate to ask and I will be happy to provide details.  It's not usually the done thing to carry on questions in a closed question, but as the suggestions didn't solve your problem, then we could just refer to it as a brief continuation of the original question to clarify outstanding matters.

Do you know how to back up your Outlook Express settings, dialup settings, Favorites, etc?

At least you now know what utilities to use on your fresh installation for regular maintenance and troubleshooting.

The only thing I do suggest is that you try not to allow as many processes to startup at boot time.  When things do go wrong, it's much harder to isolate a problem, and the potential for startup, shutdown, and general runtime problems is increased.

A fresh start allows you to dispense with some of the programs that you previously installed but didn't really need or use.  It's amazing the debris that builds up after a while.

Oh, and another bit of useless info.  After installing Windows again, applying security updates and patches, run DEFRAG on your drive before installing MS Office.  I've found that it runs faster because it doesn't scatter its files around your drive quite as much.

Try and download as many Win 98 updates as you can NOW, because MS has stopped supporting Win98, and a lot of the downloads are disappearing from their websites.


Expert Comment

by:BillDL
Stephen

I clean forgot that I had a text file sitting on my desktop to post here.  Remember I said that I would look at your lists?  Well, here's what I discovered yesterday and made notes of, but forgot to post.

Maybe you might just have one more go at solving this problem in view of what I learned.
If not, then it's something to keep a note of anyway.

--------------------------------------
I meant to say that there is one utility right on your system that can sometimes provide useful information when an error situation arises.
Go to Start > Run > and type DRWATSON > OK
This will place an icon for Dr Watson in your system tray.
Click on it, and select "Open".
Under the "Options" menu, set it to save log files wherever you want, and also to "open new windows in advanced view". Close the window.
It will have taken a snapshot of what is running on your system and will run in the background.
Now try and replicate the error.
Dr Watson may pop up with advice, or otherwise may have sent a report to the folder you specified.
To close the system tray icon, click on it and select "Exit".

The logfile is saved with a .wlg extension that will open with Dr Watson when double-clicked.
This is often asked for by Help Desk Operatives to get a picture of what was running.
You can, at any time, take a new snapshot and save it as a new .wlg file perhaps before an anticipated event, and after.

Here's my suggestions for the details you provided.

**SYSTEM HOOKS**

C:\PROGRAM FILES\MESSENGER PLUS! 2

Msgplush1.dll
MSGPLUS.EXE

http://www.msgplus.net/index.php?view=faq&expand=2

>>> "add-on for MSN Messenger and Windows Messenger, the two popular Instant Messaging softwares from Microsoft. Messenger Plus! adds different features to Messenger to make it more enjoyable for a regular usage. A list of the main features can be found on the main page of this site (click on the Features tab, next to Overview). Messenger Plus! is not a chat program, it only adds functionalities to Messenger, it can't be used as a standalone application. <<<

To temporarily disable this for troubleshooting, I have a feeling that BHO Demon MAY recognise it as a Browser Helper Object, and allow you to uncheck it.  You can always check it again when testing each newly-introduced service.

Unchecking it from MSCONFIG may disable this "hook" also - see below.
 
**STARTUP PROGS**

"Per-User-Run" means that it is listed in the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Machine Run" means that it is listed in the registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Machine Service" means that it is listed in the registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

For all 3 of these types, you can temporarily stop them from running by unchecking their entries in MSCONFIG's "startup" tab, Applying the change, and then restarting.

Preferably, look first at the relevant applications' "User Options" and see if the startup processes can be disabled there.

Some processes or programs may also start from a line placed in the [Windows] section of C:\windows\WIN.INI file with a "load= " or "run= " entry.  The quickest way to check this is using the Start > Run option > and typing SYSEDIT > OK.

I will use the abbreviation %Progs% to save space and indicate C:\Program Files.

Don't Disable
-------------

ScanRegistry *** Leave this
TaskMonitor *** Leave this
SystemTray *** Leave this
LoadPowerProfile *** Leave this unless you suspect power management problems
LoadPowerProfile powrprof.dll *** As above

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE Registry (Machine Run)
(I assume that this is the SoundBlaster configurator)
POINTER  Registry (Machine Run) *** Intellipoint Keyboard/Mouse?

Definitely Disable
------------------

LoadQM Registry (Machine Run) *** Disable this entry ***
ClickTheButton Registry (Machine Run) *** PARASITE ***
WhenUSave Registry (Machine Run) *** PARASITE ***

Suggest disabling these to troubleshoot:
----------------------------------------

"%Progs%\Messenger Plus! 2\MsgPlus.exe" Registry (Per-User Run)
"%Progs%\MSN MESSENGER\MSNMSGR.EXE" Registry (Per-User Run)
"%Progs%\Messenger Plus! 2\MsgPlus.exe" Registry (Machine Service)
SchedulingAgent  Registry (Machine Service) mstask.exe
(only if no legitimate applications are listed)


Suggest disabling these to troubleshoot only:
---------------------------------------------
(BUT ONLY IF NOT CONNECTED TO THE INTERNET - They are Norton Processes)
*******************************************

ccRegVfy Registry (Machine Run)
iamapp     Registry (Machine Run)
ccApp     Registry (Machine Run)
ccEvtMgr Registry (Machine Service)
Nisum Registry (Machine Service)
ccPxySvc Registry (Machine Service)
ScriptBlocking Registry (Machine Service)
nisserv Registry (Machine Service)

Not Sure
---------
 
"%Progs%\Microsoft Hardware\Keyboard\speedkey.exe" Registry (Machine Run)    
%Progs%\Creative\ShareDLL\CtNotify.exe Registry (Machine Run)
(Installed by the Creative Sound card's software.  Do you need this?)
ScanFile Registry (Machine Run) *** Not sure what this is.  Do you know?    
Devlog  Registry (Machine Run) *** Not sure what this is.  Do you know?
Lexmark X73 Button Monitor Registry (Machine Run) *** Printer Status Monitor?
Lexmark X73 Button Manager Registry (Machine Run) *** Printer Status Monitor?
LexmarkPrinTray Registry (Machine Run) *** Printer Status Monitor?
LexStart Registry (Machine Run) *** Printer task Tray icon?
msbb Registry (Machine Run) C:\WINDOWS\MSBB.EXE *** WHAT IS THIS? ***
 
**RUNNING TASKS**

I have only left those processes which I am not sure about.  All the rest are normal, given your Startup settings and tasks running when you created the list.

I have used the abbreviations %Progs% for C:\Program Files, %WIN% for C:\windows, and %SYS% for C:\windows\system.

Save.exe WhenU.com Save!  %Progs%\SAVE\Save.exe *** That Parasite ***
Ptudfapp.exe Prassi Software %SYS%\Ptudfapp.exe  *** What is this? ***
Mozilla.exe 1.4  Mozilla %Progs%\MOZILLA.ORG\MOZILLA\Mozilla.exe
(I don't suppose that Explorer crashes ONLY when you have Mozilla running?)

Winzip32.exe 3.0 (32-bit) *** I assume you were using it at the time?
C:\UNZIPPED\BHODMON1\Bhodemon.exe *** I see you use your own default "Unzip to" folder like me.
---------------------------------------------------------

Sorry about that.  I work strange shifts, you see, and am usually home about 3am.
0
 
LVL 38

Expert Comment

by:BillDL
You have another problem!!  I asked above, "what is MSBB.EXE?".  Here's what it seems to be:

--------------------------------------------------------------------------------------

http://www.mvps.org/inetexplorer/darnit_2.htm

Apparently related to software called Songspy - causes IE to pop up advertising windows every hour or so.  Deleting it solved pop-up window problems for some - I would recommend renaming.

http://www.mvps.org/inetexplorer/Darnit.htm#msbb

msbb.exe

http://www.mvps.org/inetexplorer/darnit_2.htm

Internet Explorer hijacked by www.whazit.com
-----------------------------------------------------------

BHODemon (or HiJack This) should get rid of a lot of it - run that, disable the DLLs it finds,  then reboot.

Causes the error:  {run time error "9" Subscript out of range} in a popup window with the title WHAIMAGER.
 
There will possibly be an entry in Control Panel, Add/Remove Programs to uninstall it.

Whazit installs some/all of the following files:
------------------------------------------------

wanobsi.exe
msbb.exe
bho.dll
qogjuosk.dll
rgjwoyfh.dll
newones.dll
whattt.dll

Find and rename all, deleting after testing your computer for a while.

Delete the following registry keys using REGEDIT:
-------------------------------------------------

{D5B72AED-E54A-11D6-B1B2-444553540000} (pointing to QOGJUOSK.dll)

{D5B72AED-E54A-11D6-B1B2-444553540000} (pointing to bho.dll)

{C9176930-9C9F-4cba-9723-0F58C3E7CED6} (pointing to RGJWOYFH.dll)

HKEY_CURRENT_USER\Software\180solutions

HKEY_LOCAL_MACHINE\SOFTWARE\wms

Search for, export first, then delete any registry keys referring to:
whazit, whaimage or whareder, and also references to all files mentioned above (wanobsi.exe, msbb.exe etc).

Other files
------------

Reboot and then rename the following files (deleting after testing your computer for a while):

c:\WINDOWS\fiz1
c:\WINDOWS\kyf.dat
c:\WINDOWS\msbb.exe
c:\WINDOWS\ncmyb.dll
c:\WINDOWS\WANOBSI.exe
c:\WINDOWS\cards.ico
C:\windows\Desktop\Riviera Gold Casino!.url
C:\WINDOWS\FLEOK

Reconfiguring
-------------

Reboot and reset your search engine as per this link
http://www.mvps.org/inetexplorer/answers4.htm#search_engine

------------------------------------------------------------------------

I sense, from your earlier posting, that editing the registry manually could be a bit risky as you haven't had to do this type of thing before.  This reinforces your decision for a fresh format and reinstall.

My advice is to download the free version of the Zone Alarm Firewall to try and avoid similar problems in the future.

1. Obtain the security updates from Microsoft.

2. Don't "preview" emails in Outlook Express until you have vetted them as non-spam and deleted the headers.

3. Make sure that the "Windows Scripting Host" isn't installed on your system.  I'm sure that I am correct in saying that it isn't installed during a standard install.  This is what is used to run Visual Basic and other scripts directly from web pages and emails without you clicking on anything.  The page being viewed can be sufficient.

Control Panel > Add/Remove Programs > Windows Setup > Accessories item > Details button > uncheck "windows scripting host" > Apply.  Let it uninstall, then reboot.
0
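The "rename first, delete after testing" step from the post above, as an added example that is not part of the original thread: it renames the files the post lists and writes a manifest so the change can be undone. The `.quarantined` suffix, the JSON manifest and the function names are assumptions, and the demo runs on a constructed temporary folder rather than a real Windows directory.

```python
import json
import os
import tempfile

# File names copied from the post above (Whazit/msbb components).
SUSPECT_NAMES = {"wanobsi.exe", "msbb.exe", "bho.dll", "qogjuosk.dll",
                 "rgjwoyfh.dll", "newones.dll", "whattt.dll"}
SUFFIX = ".quarantined"  # assumed suffix; any unused extension works

def quarantine(root, manifest_path):
    """Rename every suspect file under root and record old -> new paths."""
    renamed = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_NAMES:  # Windows names ignore case
                continue
            old = os.path.join(folder, name)
            new, n = old + SUFFIX, 1
            while os.path.exists(new):  # never overwrite an earlier quarantine
                new = f"{old}{SUFFIX}.{n}"
                n += 1
            os.rename(old, new)
            renamed[old] = new
    with open(manifest_path, "w") as fh:
        json.dump(renamed, fh, indent=2)
    return renamed

def restore(manifest_path):
    """Undo quarantine() if the machine misbehaves during the test period."""
    with open(manifest_path) as fh:
        renamed = json.load(fh)
    for old, new in renamed.items():
        if os.path.exists(new) and not os.path.exists(old):
            os.rename(new, old)
    return sorted(renamed)

def demo():
    """Constructed sample folder standing in for the Windows directory."""
    root = tempfile.mkdtemp()
    for name in ("MSBB.EXE", "WANOBSI.exe", "notepad.exe"):
        open(os.path.join(root, name), "w").close()
    manifest = os.path.join(root, "quarantine.json")
    renamed = quarantine(root, manifest)
    after = sorted(os.listdir(root))
    restore(manifest)
    return len(renamed), after, sorted(os.listdir(root))

if __name__ == "__main__":
    print(demo())
```

Keep the manifest until the test period is over; deleting the renamed files is a separate, final step.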
 
LVL 38

Expert Comment

by:BillDL
MORE SPYWARE!!!

Read this extract From: http://msgplus.patchou.com/index.php?view=faq&expand=2#install carefully:

---------------------------------------------
What does Messenger Plus! install on my computer?
 
When you install Messenger Plus!, several files are transferred to your computer.
All files placed in C:\Program Files\Messenger Plus! 2 have been developed by myself and are all specific to Messenger Plus!.

*************
For those who choose to support me by installing the optional sponsor program, the setup file is placed in C:\Program Files\C2Media and its only purpose is to allow proper uninstallation of the sponsor program if you want to remove it at some point.
*************

From the Messenger Plus! FAQ page:
-----------------------------------

Q. Since I installed Messenger Plus! on my computer I get spammed, why?

A. Messenger Plus! now comes with an optional sponsor program.
This program will show ads from time to time on your computer and will change your start page in Internet Explorer.
In NO case this sponsor is mandatory.
If you don't want it, simply uncheck the sponsor box during setup.
If you installed it by error, just uninstall Messenger Plus!
(which will trigger the sponsor uninstall program) and reinstall without the sponsor.

Important: if you wish to get rid of the sponsor program, you must uninstall Messenger Plus! from the usual Add/Remove program window.
Don't worry, you'll be able to reinstall it later and choose not to install the sponsor anymore. If you start deleting files on your own you will prevent a full system restore as some of the files copied by the sponsor are backups of your original configuration files.
-----------------------------------------------

NOTE:  They are lying!!!  C2Media has been deemed Spyware by many:

http://www.spywareinfo.com/articles/lop/

http://simplythebest.net/info/spyware/lop_c2media_spyware.html

http://www.geocities.com/yosponge/udnskong.html

http://www.mickeytheman.com/forums/index.php?s=39a4bcb7733e7fca647d58fe86879be7&showtopic=170&st=0&#entry1891

http://www.consumerwebwatch.org/news/articles/spyware_categories.htm
 
0
 
LVL 1

Author Comment

by:stephenharding
Thanks for the help, I've just been away until Friday which is why I hadn't replied to any of the posts.

I have had the PC completely reset with the Hard Drive reformatted, but I will certainly read up on the links that you gave me in case this happens again in the future.
0
 
LVL 38

Expert Comment

by:BillDL
Thank you Stephen.  Your radical approach is probably the best approach given the debris that's bound to have been floating around in the registry and elsewhere.  It is certainly what I would have done in the same circumstances, but it's always annoying when it gets to that stage.
0
