#1
can anyone please help. i have been experiencing the odd messages such as 'a fatal exception OE has occurred at 0028:c001545A. the current application will terminate .. press any key to continue ...,' etc..etc.. then if i do nothing for a few minutes another appears saying 'an exception OE has occurred at 0028' etc..., ' this was called from oo28:C17AECIA in VxD' the current application ...' etc.. sometimes the system will just shut itself down and re-boot. it has only started doing this since a trial firewall ran out. also the McAfee firewall which I have re-installed makes a snail seem fast when downloading from the net. sometimes pages take over 5 minutes to show. i am convinced that something has got into my computer despite the latest virus/firewall protection. please help save this computer (which is still an infant ..6months old from doing a Michael Jackson !)
#2
Hi andy007 - we can check to see whether or not you have a virus or trojan on your PC. Go here and download and run Startup List. It will generate a log file. Please copy and paste the log back in this thread and we will have a look at it for you.
__________________
Moderator: Vista Forum
Microsoft MVP - Windows Desktop Experience 2004-2008
If we have helped you, please consider supporting Cyber Tech Help with a subscription
Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.
How to help prevent re-infection
#3
hi AnnMarie
thanks for your reply. this is going to be embarrassing for me but i do not know how to do what you have requested. i am pretty familiar with other operations but zip files are a mystery. i have tried to understand some info but .... please help thanks Andy
#4
In addition to AnnMarie's excellent suggestion, you may want to see if the information in this MSKB article helps you.
#5
Hi GretaP
thank you for your reply too. i will go and have a look at that site now and be back in a mo.. that is if the computer stays on long enough.. it has started doing some strange things like re-starting when it feels like it. me thinks it knows it is at the doctor's ! Andy
#6
Hi andy007 - do you have Winzip or another similar program installed? If so, you just have to doubleclick on the file and choose a directory to extract it to.
#7
zip
hi AnnMarie
Yes I have zip central and have opened file in notepad. loads of info but how do i send it back to you? i have been through the FAQ but it does not list it. sorry to be a pain but as you can tell i am new to this. Andy
#8
Hi again andy, you are not a pain, it's no problem at all.
Select and copy the contents of the log file and when you reply again, paste the contents into this thread.
#9
?????
Me Again.
I can build a 32.000v generating system, and have an engineering degree, but computers ??? when i paste into the reply box it tells me the message is too long. I can c & p through the e-mail but please, talk this idiot through how to do it step by step .. please thanks for your patience. Andy
#10
It is possible that the program could have been updated to include additional information and the log may not now fit in one post. Halve the file and make two posts Andy or if you like, you can email it to me and I will post it for you. Just click on my name, my email address is in my profile.
#11
sorry about delay system keeps re-booting
```
StartupList report, 24/11/02, 23:34:03
StartupList version: 1.35.0
Started from : C:\WINDOWS\TEMP\_ZCTMP.DIR\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP\IKESERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTUNE_ST.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\ZIPCENTRAL\ZCENTRAL.EXE
C:\WINDOWS\TEMP\_ZCTMP.DIR\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
AttuneSysTray = C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HotKeysCmds = C:\WINDOWS\SYSTEM\hkcmd.exe
Mount Safe & Sound = C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
IgfxTray = C:\WINDOWS\SYSTEM\igfxtray.exe
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb04.exe
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

McAfeeVirusScanService = C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
MiniLog = C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
IKEService95 = C:\Program Files\Network Associates\PGP\IKEService.exe
McAfee Firewall = "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

eZmmod = C:\PROGRA~1\ezula\mmod.exe
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------
```
#12
next lot !
```
Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\GARDEN~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 22/11/2002, 19:7:32)

[rename]
NUL=C:\PROGRA~1\MCAFEE\MCAFEE~2\INSTAN~1\TLSXPAND.DLL
NUL=C:\PROGRA~1\MCAFEE\MCAFEE~2\INSTAN~1\TLSXPAND.DLL
C:\PROGRA~1\MCAFEE\MCAFEE~2\INSTAN~1\TLSXPAND.DLL=C:\PROGRA~1\MCAFEE\MCAFEE~2\INSTAN~1\RTB10653

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

MODE CON CODEPAGE PREPARE=((850) C:\WINDOWS\COMMAND\EGA.CPI)
MODE CON CODEPAGE SELECT=850
KEYB UK,,C:\WINDOWS\COMMAND\KEYBOARD.SYS
SET PATH=%PATH%;C:\PROGRA~1\NETWOR~1\PGP
C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\scanpm.exe C:\
@IF ERRORLEVEL 1 PAUSE
REM C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\bootscan.exe C:\
REM @IF ERRORLEVEL 1 PAUSE

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\COMMAND\DISPLAY.SYS CON=(EGA,,1)
COUNTRY=044,850,C:\WINDOWS\COMMAND\COUNTRY.SYS

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\BTMESS~1\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
(no name) - C:\PROGRAM FILES\UCMORE\UCMIE.DLL - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
{001A52F7-41CB-11D6-9890-444553540000}_PC.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[IntraLaunch.MainControl]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\INTRALAUNCH.OCX
CODEBASE = file://D:\SuperCD\IntraLaunch.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[OPInstall Control]
InProcServer32 = C:\WINDOWS\SYSTEM\OPINST~1.DLL
CODEBASE = http://a14.g.akamai.net/f/14/7141/14...install_en.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security2.norton.com/SSC/Shar.../bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security2.norton.com/SSC/Shar...in/AvSniff.cab

[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://www.gayplugin.com/diallerfiles/010469.exe

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://dload.ipbill.com/del/230001.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R...n/actsetup.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/tech...ActiveData.cab

[eConn Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
CODEBASE = http://econnect.libereco.net/econnect.cab

[loader Class]
InProcServer32 = C:\WINDOWS\SYSTEM\COMLOAD.DLL
CODEBASE = http://dload.ipbill.com/del/loader.exe

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.co...566.5468055556

--------------------------------------------------
End of report, 10,405 bytes
Report generated in 1.190 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
```

Hi AnnMarie sorry for the delay in getting back to you but the computer kept re-starting when it felt like it. hope you have all the info you need. if not you can e-mail me on the private one. i do thank you in advance as your skills will no doubt save this computer from my frustrations. Andy
#13
Hi Andy, it will take a little time to evaluate the log but already I can see some spyware there. Spyware can cause problems similar to those that you are experiencing. I'll post back in about half an hour. Go and grab a cup of coffee
#14
BLESS YOU !
#15
Hi Andy - ok, you have Spyware, some dodgy looking BHOs (browser helper objects) and some premium rate dialers installed.

Let's start with the Spyware. Probably the easiest way to get rid of it is to download and run AdAware. This is a program which scans your system for spyware/foistware and you can download it from here. After installing AAW, and before running the program, also download the Refupdate Utility. This utility searches for, downloads and automatically installs the latest AAW reffile (the spyware definitions). Run the refupdate.exe installation file, and once installed, go to Start Menu>Programs, find the Lavasoft Refupdate entry and run it. If the main server happens to be down, pick another server from the list. Now click connect; it will open a connection to the internet to check and update the current signature file. When that's completed, close Internet Explorer, launch Ad-aware, and look at the bottom left corner. It should now say "Signature file in use: 042-24.09.2002". Then have your drives and registry scanned for spyware, check all found files and reg keys, hit 'backup', then click continue, and have them all removed. When you have finished reboot.

C:\PROGRAM FILES\EZULA\MMOD.EXE - this is considered spyware and will be removed by AdAware.

C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTUNE_ST.EXE - "Attune is a service that provides you with targeted Intelligram messages to help you avoid common computer problems. Attune may also let you know when you need a specific product, service, or upgrade to optimise the use of your computer". It is not required and is treated as adware but may not be removed by AdAware.

C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP\IKESERVICE.EXE - Apparently this executable is associated with PGP. See PGP. I'm wondering if it needs to be in your Startups.

Once you have run AdAware we will have to get rid of the BHOs below. Go here and download and run BHO Demon.

```
(no name) - C:\PROGRA~1\BTMESS~1\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
(no name) - C:\PROGRAM FILES\UCMORE\UCMIE.DLL - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D}
```

The below downloaded programs are premium rate dialers and other nasties that you have unwittingly downloaded on your system. We will deal with these after you have got rid of the spyware and BHOs.

```
[IntraLaunch.MainControl]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\INTRALAUNCH.OCX
CODEBASE = file://D:\SuperCD\IntraLaunch.CAB

[OPInstall Control]
InProcServer32 = C:\WINDOWS\SYSTEM\OPINST~1.DLL
CODEBASE = http://a14.g.akamai.net/f/14/7141/1...pinstall_en.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://www.gayplugin.com/diallerfiles/010469.exe

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://dload.ipbill.com/del/230001.cab

[loader Class]
InProcServer32 = C:\WINDOWS\SYSTEM\COMLOAD.DLL
CODEBASE = http://dload.ipbill.com/del/loader.exe

[eConn Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
CODEBASE = http://econnect.libereco.net/econnect.cab
```
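A first-pass review of the "Download Program Files" section, of the kind the moderator does by eye above, added here as an illustration; it is not part of the original posts and not a tool used in the thread. The function names and the heuristics in `triage` are assumptions of this example: they only mark entries for a manual look, and entries the moderator lists that match none of them (eConn Class, for instance) are not reported.

```python
import re
from urllib.parse import urlparse

# Entries from the log posted in this thread, one field per line (blank lines dropped).
SAMPLE = r"""
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://dload.ipbill.com/del/230001.cab
[loader Class]
InProcServer32 = C:\WINDOWS\SYSTEM\COMLOAD.DLL
CODEBASE = http://dload.ipbill.com/del/loader.exe
--------------------------------------------------
"""

SECTION = "Enumerating Download Program Files:"
CLSID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_entries(log):
    """Return one dict per [entry] in the Download Program Files section."""
    entries, current, inside = [], None, False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith(SECTION):
            inside = True
        elif inside and line.startswith("-----"):
            break  # the dashed rule closes the section
        elif inside and line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
            entries.append(current)
        elif inside and current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            current[key] = value
    return entries

def triage(entry):
    """Reasons (assumed heuristics, not verdicts) to look at an entry by hand."""
    reasons = []
    url = urlparse(entry.get("CODEBASE", ""))
    if CLSID.match(entry["name"]):
        reasons.append("no friendly name, only a CLSID")
    if "InProcServer32" not in entry:
        reasons.append("no InProcServer32 recorded")
    if IPV4.match(url.hostname or ""):
        reasons.append("CODEBASE host is a raw IP address")
    if url.path.lower().endswith(".exe"):
        reasons.append("CODEBASE is an .exe rather than a .cab")
    return reasons

def review(log):
    return {e["name"]: triage(e) for e in parse_entries(log) if triage(e)}

if __name__ == "__main__":
    print(review(SAMPLE))
```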