[debbyski]

Hi,
I recently have been having this problem that results in a explorer caused a general protection fault in module user.exe at 0003:0006c50 error message.

After closing the error message, the desktop goes white to active desktop recovery. After clicking restore, everything goes back to normal.

I'm running windows 98 SE, internet explorer 6.0 (which I have to run because I previously had an issue with a newer version of explorer which caused a buffer run) and MSN 5.0 with verizon dsl being my server. The only new programs I have installed were a adblocker called Admuncher 4.52 about 2 weeks ago. I don't know if this software could cause this error message.

Any suggestions?

Deborah

[Advertisements]

I have a hunch you may have something new called the narrator trojan.

• Download finditnt2000xp.zip.
• Unzip the contents of finditnt2000xp.zip to a convenient location.
• Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
• A command prompt will open and it will search your computer for malicious files.
• Once it has finished a Notepad window will pop up with output.txt.
• Copy the entire contents of output.txt into your next post.

[admin]

I have a hunch you may have something new called the narrator trojan.

• Download finditnt2000xp.zip.
• Unzip the contents of finditnt2000xp.zip to a convenient location.
• Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
• A command prompt will open and it will search your computer for malicious files.
• Once it has finished a Notepad window will pop up with output.txt.
• Copy the entire contents of output.txt into your next post.

[debbyski]

I did exactly what you said. I downloaded the file to my desktop and then I unzipped it with a utility called extract now which is a drop and drag utility and very easy to use. After unzipping it, I noticed it said that errors occured. I still was able to vavigate to the find in NT-2K-XP folder and I double-clicked on find.bat. Nothing happened. Nothing opened. I tried it several times and then finally deleted the files on the desktop. I do have HiJack this and ran a log. Here are the scanned results.
Logfile of HijackThis v1.97.7
Scan saved at 12:09:48 PM, on 1/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ege94lo1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ege94lo1.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE /bt
O4 - HKLM\..\Run: [ PC Adware-Spyware Removal 1.2Clean] C:\PROGRAM FILES\PC ADWARE-SPYWARE REMOVAL\PCADWARESPYWAREREMOVAL.EXE /quick
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.ho...es/MsnPUpld.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend...ets/msie40x.cab

[admin]

I double-clicked on find.bat. Nothing happened. Nothing opened.

Strange?

Let's try this. Download DLL Compare here:
http://download.broa.../DllCompare.exe

Start program, Click the RunLocate.com button, when finished click the Make log of what was found buton. Paste the contents of that log here in your reply.

[debbyski]

I clicked on the provided link and it gave me a "error 400" bad request error message. I have run several spyware programs and haven't found anything, but this thing seems to happen when the sceensaver goes on (not always). I have disabled the screen saver to see if this helps.
Deborah

[debbyski]

Oh,
I also found this on google

http://www.trendmicr...RATOR.A&VSect=T

I couldn't find any entries in the registry or folders.
Deborah

[admin]

Try this link for DLLCompare:
http://www.geekstogo...=download&id=38

[debbyski]

Ok,
Finally we got something to work. I tried this link and here is a copy of the log. I haven't got the error message after I disabled the screen saver yet.

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\archlib.dll Sat May 29 2004 11:57:22p A.S.. 204,800 200.00 K
________________________________________________

845 items found: 845 files (1 H/S), 0 directories.
Total of file sizes: 167,232,892 bytes 159.48 M

--------------------End log---------------------

[admin]

Please submit this file:
C:\WINDOWS\SYSTEM\archlib.dll

Here: -> http://www.kaspersky.com/scanforvirus

Reply with the results.

[debbyski]

Hi,
I submitted it and here was the reply.

Online Virus Scanner


You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

That was neat! I'm saving it to my favorites. And I'm saving that dll compare tool. The only thing I can tell you is that I haven't had the error message since I have disabled the screen saver, but it could be a coincidence.

[admin]

I'm still have a suspicion there's something lurking in your system. I noticed I gave you the link to the wrong version of Find_It above. Please try this one, and reply with the results:
http://www.geekstogo...=download&id=42

[debbyski]

I downloaded the file from your latest provided link, saved it to my desktop, tried to open it, and nothing happened just like before. Extract now said there were errors in trying to unzip this particular utility. Maybe you could send me the file in an exe. form somehow.