Go Back   Cyber Tech Help Support Forums > Operating Systems > Older Windows Versions > Windows ME
Reload this Page error messages
Register Blogs FAQ Calendar Search Today's Active Topics Mark Forums Read

Notices
If you are experiencing difficulties posting your question please read our FAQ, or visit our site help that has adobe flash tutorials illustrating the question/reply process.

Reply
 
Topic Tools
  #1  
Old September 29th, 2003, 06:45 AM
racermok17 racermok17 is offline
New Member
  
Join Date: Jun 2003
Posts: 10
error messages
Hi guys, At start up im getting 2 differant messages First is ledll has caused an error in unknown and will now close, other is loader has caused an error in LOADER.EXE any help would be great. Mark
Reply With Quote
  #2  
Old September 29th, 2003, 07:03 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
  
Join Date: Oct 2001
Location: New Zealand
Posts: 47,172
Hi racermok17 - sounds like you have spyware on your PC. Go here and download and run a scan with Hijack This. Dont make any changes, just click on Save Log, copy it and post it back in this thread.
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
Reply With Quote
  #3  
Old September 29th, 2003, 07:09 AM
racermok17 racermok17 is offline
New Member
  
Join Date: Jun 2003
Posts: 10
Quote:
Originally Posted by AnnMarie
Hi racermok17 - sounds like you have spyware on your PC. Go here and download and run a scan with Hijack This. Dont make any changes, just click on Save Log, copy it and post it back in this thread.
Logfile of HijackThis v1.97.2
Scan saved at 2:02:56 AM, on 9/29/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fastwebfinder.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastwebfinder.com/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Reply With Quote
  #4  
Old September 29th, 2003, 07:25 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
  
Join Date: Oct 2001
Location: New Zealand
Posts: 47,172
Hmmm..looks more like a virus or trojan (or both). Before we do any work, I would like to see what we are dealing with. Go here and run the online scanner. RAV will not clean or disinfect your files but it does generate a log. Please post the log back in this thread.
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
Reply With Quote
  #5  
Old September 29th, 2003, 08:21 AM
racermok17 racermok17 is offline
New Member
  
Join Date: Jun 2003
Posts: 10
Quote:
Originally Posted by AnnMarie
Hmmm..looks more like a virus or trojan (or both). Before we do any work, I would like to see what we are dealing with. Go here and run the online scanner. RAV will not clean or disinfect your files but it does generate a log. Please post the log back in this thread.

Scanning memory...
c:\WINDOWS\SYSTEM\Hot Software-uninstall.exe->(UPXW) - Trojan:Porndial3 -> Infected
c:\WINDOWS\Temporary Internet Files\Content
Reply With Quote
  #6  
Old September 29th, 2003, 08:50 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
  
Join Date: Oct 2001
Location: New Zealand
Posts: 47,172
Hi again racermok17 - is that the whole log? It looks as though it is incomplete.

Make sure that you can view hidden files and go to C:\WINDOWS\SYSTEM and delete Hot Software-uninstall.exe. Also clear out your Temporary Internet Files from Internet Options in Control Panel.

When you have done this, go here and download CWShredder. Run it on your PC and then reboot.

When you have rebooted, run Hijack This again and post back a new log.
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
Reply With Quote
  #7  
Old October 6th, 2003, 05:34 AM
racermok17 racermok17 is offline
New Member
  
Join Date: Jun 2003
Posts: 10
Quote:
Originally Posted by AnnMarie

When you have done this, go here and download CWShredder. Run it on your PC and then reboot.

When you have rebooted, run Hijack This again and post back a new log.
Ok ann all done, didnt get the message's when restarting. Sorry it took so long.
Logfile of HijackThis v1.97.2
Scan saved at 12:19:30 AM, on 10/6/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Reply With Quote
  #8  
Old October 6th, 2003, 07:31 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
  
Join Date: Oct 2001
Location: New Zealand
Posts: 47,172
Hi again racermok17 - one entry left to fix. It looks like a worm. Run Hijack This again and fix the below entry:

O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe

Reboot and run a search for svchost.exe. When you find it, delete it. That does it!
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
Reply With Quote
  #9  
Old October 7th, 2003, 06:02 AM
racermok17 racermok17 is offline
New Member
  
Join Date: Jun 2003
Posts: 10
Quote:
Originally Posted by AnnMarie
Hi again racermok17 - one entry left to fix. It looks like a worm. Run Hijack This again and fix the below entry:

O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe

Reboot and run a search for svchost.exe. When you find it, delete it. That does it!
i didnt see it but i done some other things here is the log, I also downloaded the patch and installed it from microsoft=======you are the best ann


Logfile of HijackThis v1.97.2
Scan saved at 12:51:22 AM, on 10/7/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...900.8848842593
Reply With Quote
  #10  
Old October 7th, 2003, 08:18 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
  
Join Date: Oct 2001
Location: New Zealand
Posts: 47,172
Your log looks fine now racermok17
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
Reply With Quote
Reply

Bookmarks

« Previous Topic | Next Topic »
Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +1. The time now is 02:37 AM.

[ RSS ]