[DR04]

Efwis,

Came across an article on the microsoft support page that seemed to indicate that some PC's do not support Advanced Power Management. Either my machine is one of those OR something is really screwed up. Unfortunately, there are no fixes for the Msgsrv32.exe not responding error listed for machines that don't support APM. I'm pretty close to shooting my PC between the eyes (backing or data, reformatting the HDD, and reloading my applications). If you suggest that and I decide to take that route, any suggestions on what I should do to facilitate a 'smooth' format?

Thanks,
DR04

[Advertisements]

hi DR04,
I ahve another malware expert looking over this, if you still have the program please runa new findit log for me. I've included the link to it just in case you deleted it.

http://castlecops.co.../FindIt9xME.zip

you can run this in safe mode.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode


Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

[Dragon]

hi DR04,
I ahve another malware expert looking over this, if you still have the program please runa new findit log for me. I've included the link to it just in case you deleted it.

http://castlecops.co.../FindIt9xME.zip

you can run this in safe mode.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode


Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

[DR04]

Efwis,

Will have to figure out how to transfer the rkfiles.zip from my laptop to my desktop since I can't get to my desktop, and thus the internet, in normal mode. I don't have a 3.5" drive on my laptop, don't see the CD drive as available on my desktop when in SAFE mode, and not sure the USB drive work (I have a thumb drive). I have options if none of this works, but none will be easy.

Will post all the stuff when I figure it all it. Do you need new HJT and HJT start-up logs?

Thanks,
DR04

[Dragon]

no I just need the findit log

if you can't get it to work at all let me know.

[DR04]

Efwis,

Will do. Running FindIt now. Have downloaded the rkfiles.zip to my laptop. Will work out a way for the transfer and see about running the rest of it and posting the logs.

If something bends or breaks, I'll let you know.

DR04

[DR04]

Efwis,

Took me long enough , but finally got my machine up and running. Appears that the Kerio firewall was causing the problem . When I unloaded it, my machine booted up with no problems. Here's the HJT log I just ran. Let me know what you see and what, if anything, I need to do.

Thanks,
DR

Logfile of HijackThis v1.99.1
Scan saved at 7:18:44 AM, on 5/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

[DR04]

Efwis,

Here's a FindIt log, too.

DR

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

9,370.91 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 05-19-05 9:03p folder.htt
DESKTOP INI 266 05-19-05 9:03p desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
VMSS <DIR> 03-06-05 6:30p vmss
3 file(s) 37,588 bytes
1 dir(s) 9,370.89 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
folder.htt Thu May 19 2005 9:03:46p ...H. 13,122 12.81 K
desktop.ini Thu May 19 2005 9:03:46p ...H. 266 0.26 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K

3 items found: 3 files, 0 directories.
Total of file sizes: 37,588 bytes 36.71 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




[Dragon]

were you able to get rkfiles.zip transferred?? if so I could really use that log.

Also after you got it up and running was it still acting like before, slow to commands, msgsrvr32.dll file missing etc...

[DR04]

Efwis,

I'll run the rk files this afternoon or Friday (I'm going out of town and not sure that I'll be able to run it before I have to leave - off to work now).

As for performance, machine is running much faster now. No problems w/Ms file at all. Only thing is that I still get the C:\Win98se folder popping up whenever I power up or reboot. Was getting the Scheduled Tasks window, too, but think I have that turned off.

Thanks,
DR04

[Dragon]

ok, I'll wait for the rkfiles for the next move.