
Possible About:Blank infection



#1
j-alexander
  • Member
  • 42 posts
Hi, I posted about this before but the thread was closed due to "lack of feedback"...anyway I'm posting again since I really do need some form of solution to this problem - all I want to do is get the files off the rustbucket of the infected pc and get them over to my other computer (which I'm using now).

The main problem is that I can't get past an error message, this error message:

EXPLORER caused an exception 03H in module
<unknown> at 0000:8calladd.
Registers:
EAX=8callae4 CS=0187 EIP=8calladd EFLGS=00000282
EBX=00000000 SS=018f ESP=0059dacc EBP=0059dafc
ECX=c009df0b DS=018f ESI=bff772be FS=0dc7
EDX=8lbl300c ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
ba 50 6d 09 c0 ff el 0b c0 74 6f 8b 4c 24 04 8b
Stack dump:
8callae4 0059db3c 00000000 00000008 7fcb2e9e
0059db3c 00000000 00000008 80040154 bff772be
00000000 7fcb2d68 0059db14 7fcb2db2 0059db3c
7fcb2e30


This appears in the standard win98 error message box every time the pc is started up (not just when internet explorer is accessed - I can't run any programmes because I can't get past the error message). If I can get past this it's half the battle. I do however have access to the win98 cd .... but I am unsure how to use this without losing the files I would like to keep.

Please bear in mind that no programmes can be accessed because of this. Luckily before a complete block was put on the win98 system I was able to get this Hijackthis log:

The PC which is infected runs on windows 98 and I am currently using a clean xp system.
Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:30:44, on 21/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SYSVCS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {21E1CE21-55E1-11DA-A16B-0002A5F504A4} - C:\WINDOWS\SYSTEM\NEDD.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: StartMulti - {D741A309-75B3-929C-5D25-C7A1BCA0C982} - C:\PROGRAM FILES\ACID BLUE ERROR\INSIDE MATH.DLL (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = home.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.168.4.100,194.168.8.100
O18 - Filter: text/html - {21E1CE20-55E1-11DA-A16B-0002CAB9A13F} - C:\WINDOWS\SYSTEM\NEDD.DLL
O18 - Filter: text/plain - {21E1CE20-55E1-11DA-A16B-0002CAB9A13F} - C:\WINDOWS\SYSTEM\NEDD.DLL
O21 - SSODL: hbeUYKE - {07D00B15-AD7A-A1BF-840D-413A4D7E085C} - C:\WINDOWS\SYSTEM\PZRKD.DLL


Hope someone will be able/willing to help me on this one.

Thanks in advance,
J-alexander

#2
coachwife6
  • SuperStar
  • Retired Staff
  • 11,413 posts
Hi JA: you have had several topics closed because of lack of feedback. If you had continued on with your fixes with Trevuren and Miekiemoes, they could have fixed it when the problem was fresh. It would have been fixed at that time. I hesitate to help you because we may get halfway through and you may bail out again. That is very frustrating to us. I am not convinced that will happen again looking at past history.

That hijack this log is nearly six months old. We really need a fresh one. Your computer is infected with malware. Can you post a new hijack this log?

#3
j-alexander
  • Topic Starter
  • Member
  • 42 posts
I'm not going to argue with you about past threads, however much I dispute it, and I would also apologise for any forum rules I have broken (if I have broken rules). This forum is very useful, as many forums are, but when mods/admins get rigid with a specific rule or a "recommendation" as I faced in another thread it also becomes extremely frustrating for the person looking for help. Because of time differences (between Europe and America) it can be very difficult to give feedback within hours (or minutes as the case may be) at times.

If you don't want to help that's your decision, all I can do is ask, but once this problem is gone I don't envisage coming back to this forum any time in the near future (as I find it easier to manage win xp systems myself, not because of the previous threads).

I would run a new hijackthis log, and would probably have the problem fixed (and it is fixed for all I know) but I can't get past the error message. If I could get past that I could get my files then go to the local dump with the computer.

The main problem is that I can't get past an error message, this error message:

EXPLORER caused an exception 03H in module
<unknown> at 0000:8calladd.
Registers:
EAX=8callae4 CS=0187 EIP=8calladd EFLGS=00000282
EBX=00000000 SS=018f ESP=0059dacc EBP=0059dafc
ECX=c009df0b DS=018f ESI=bff772be FS=0dc7
EDX=8lbl300c ES=018f EDI=00000000 GS=0000
Bytes at CS:EIP:
ba 50 6d 09 c0 ff el 0b c0 74 6f 8b 4c 24 04 8b
Stack dump:
8callae4 0059db3c 00000000 00000008 7fcb2e9e
0059db3c 00000000 00000008 80040154 bff772be
00000000 7fcb2d68 0059db14 7fcb2db2 0059db3c
7fcb2e30


If I could actually access the system itself there wouldn't be an issue about getting rid of the malware infection, the pc is probably going in the trash! It's just the files that would be useful. This was the reason as you put it that I "bailed out" of the last fix...but if I couldn't access the system how was I meant to continue to fix it? (there has been a misunderstanding in the last thread I think, not sure if I explained this well enough in the last thread). After I ran the CWS shredder (I think that's what it was called) I simply could no longer get past that error message, no matter how many times I tried a reboot. - that's in bold because it's what I mustn't have set out clearly enough as the reason for being unable to continue the previous fix.

Sorry once again for any miscommunications or recommendation/rule breaks,

Hope you can help,

J-alexander

#4
coachwife6
  • SuperStar
  • Retired Staff
  • 11,413 posts
There are many tools that need to be downloaded to get rid of this infection and since you cannot get past the error page, I think you would have a better chance of getting this fixed if you posted it in the 98 forum.

Good luck.