
.dll series of problems

Discussion in 'Virus & Other Malware Removal' started by Bob_Bask, Nov 21, 2003.

  1. Bob_Bask

    Bob_Bask Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5
    Hey, kinda serial problem, basically every program on my computer is vulnerable, well has had the error message where it says an error was caused in --.dll. After running a program called "Dr.Watson" I got the following information on one of the errors when one popped up.

    OLEAUT32.DLL attempted to read from memory that does not exist. It may be using an uninitialized variable, or it may be attempting to access memory after having freed it.

    Adobe Type Manager has altered Windows system files.

    Module Name: ATMSYS.DRV
    Description: Adobe Type Manager
    Version: R v4.00-32S058G06NN
    Product: Adobe Type Manager
    Manufacturer: Adobe Systems Incorporated

    Any help would be a big help, thanks.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Hi Bob, and welcome to TSG.

    Dr. Watson sounds like a better idea than it is for most folks. The messages it provides tend to be misleading.

    You can ignore the one about ATMSYS.drv, it simply tells you that you have Adobe Type Manager installed and it has changed a default startup. If you are not getting any specific errors caused by that, nothing needs to be done. If you do wish to disable it, (it really does nothing for you), follow directions here:

    http://support.microsoft.com/?kbid=69692

    It's difficult to interpret the "oleaut32.dll" message unless it repeats persistently. And here you should provide the normal "windows" "illegal operation" message, giving us the module and address reported on the "details" tab.

    I would disable Dr. Watson so it does not get in the way of the normal windows error reporting.

    Many illegal operation messages are caused by conflicts among programs, in particular advertising and spyware files that often get installed without a user's knowledge.

    Let us see a copy/paste of a HijackThis Scanlog to show what is currently running. Follow directions here:

    http://mjc1.com/mirror/hjt/
     
  3. Bob_Bask

    Bob_Bask Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5
    Thanks for your quick response. Yeah, you're right about Adobe Type Manager, I've never had a problem related to it.

    The Oleaut32.dll "illegal operation" message appears constantly, the information from the "details" tab is below:

    IEXPLORE caused an invalid page fault in
    module OLEAUT32.DLL at 017f:653aac21.
    Registers:
    EAX=fffff2ed CS=017f EIP=653aac21 EFLGS=00010286
    EBX=03d73fdc SS=0187 ESP=0483eca4 EBP=0483ecb4
    ECX=65350218 DS=0187 ESI=80020006 FS=3dd7
    EDX=004ef330 ES=0187 EDI=03d78ba1 GS=0000
    Bytes at CS:EIP:
    02 00 00 83 6c 24 04 08 e9 d4 00 00 00 83 6c 24
    Stack dump:
    653b29f7 004ef2d8 00000000 004ef2dc 0483ece8 653b297d 004ef2d8 fffffffe 0483ed6c 00000001 0483ee54 0483ee58 00000000 ffffffff 03d73fdc 00000001

    I've also downloaded and used the HijackThis program, the scan results are below:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:36:14, on 22/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AOL 7.0B\AOLTRAY.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AOL 7.0B\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?cxlow about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?cxlow about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thko.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?cxlow (obfuscated)
    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
    O1 - Hosts: 3510794918 xuto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GO!ZILLA\GOIEHLP.DLL (file missing)
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\MSMOEM.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
    O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Go!Zilla] "C:\PROGRAM FILES\GO!ZILLA\gozilla.exe" /tray
    O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109976.exe
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O19 - User stylesheet: C:\WINDOWS\Web\win.def
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

    Thanks for all the help so far, feel already like I might finally be able to fix my computer and get it "normally" again.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have a rather significant "malware" infestation. So I'm going to give you some preliminary instructions and move this to the Security forum. If the Oleaut32.dll errors persist, we can replace the file using the System File Checker or other means.

    First, go to this site and run the Coolwebshredder utility:

    http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

    After doing that and rebooting, run HijackThis, close all browser windows and check and "fix" the following entries if they remain:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?cxlow about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?cxlow (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?cxlow about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thko.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?cxlow

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?cxlow (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?cxlow (obfuscated)

    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
    O1 - Hosts: 3510794918 xuto.search.msn.com

    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GO!ZILLA\GOIEHLP.DLL (file missing)
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} - C:\WINDOWS\MSMOEM.DLL

    O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

    O4 - HKCU\..\Run: [Go!Zilla] "C:\PROGRAM FILES\GO!ZILLA\gozilla.exe" /tray

    ^^^ Go!zilla, which is spyware, has to go. You should remove this through Add/Remove programs. Alternate utilities, such as FreshDownload, are available.

    O19 - User stylesheet: C:\WINDOWS\Web\win.def
    O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

    Reboot after this. On our "Securities Help Tools" page, under "Parasitic":

    http://forums.techguy.org/t110854/s.html

    ... you will find links to Spybot and Ad-aware. Install, update and run at least one of these programs according to directions.

    Reboot and post another Scanlog and let us know if you are still getting Oleaut32.dll errors.



    You should manually find and delete the following files if they remain:

    info32.exe
    kernel.dll >> NOT kernel32.dll!!
    win.def
    default.css
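
The kinds of entries picked out of the scan log in the post above can be expressed as a small triage script. This is an added example, not part of the thread and not HijackThis's own logic: the function names (`triage`, `scan`) and every rule in it are assumptions modelled on the entries the helpers chose to fix, and the sample lines are copied from the log posted earlier.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: ten entries copied from the first scan log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 xuto.search.msn.com
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GO!ZILLA\GOIEHLP.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
PROGRAM_EXT = re.compile(r"\.(exe|dll|com|bat|scr|pif)\b", re.I)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def triage(line):
    """Return (section, reason) if the entry deserves a closer look, else None."""
    m = ENTRY.match(line)
    if not m:
        return None  # header, process list or blank line
    section, body = m.group(1), m.group(2).strip()
    reason = None
    if section in ("R0", "R1") and body.endswith("(obfuscated)"):
        reason = "IE URL setting is stored in obfuscated form"
    elif section in ("F0", "F1") and "\\..\\" in body:
        # Only checked for ini autostarts: in O4 lines "\..\" is just an abbreviation.
        reason = "ini autostart path detours through ..\\"
    elif section == "O1":
        fields = body.partition(":")[2].split()
        if fields and fields[0].isdigit() and int(fields[0]) < 2**32:
            dotted = ipaddress.IPv4Address(int(fields[0]))
            reason = "hosts address written as one integer (%s)" % dotted
    elif section == "O2" and body.endswith("(file missing)"):
        reason = "BHO is still registered but its file is missing"
    elif section == "O4":
        command = body.split("] ", 1)[-1]
        first = PROGRAM_EXT.search(command)
        if first and first.group(1).lower() == "dll":
            reason = "autostart entry launches a .dll directly"
    elif section == "O16":
        source = urlsplit(body.rsplit(" - ", 1)[-1])
        if is_ip(source.hostname or ""):
            reason = "ActiveX download source is a bare IP address"
        elif source.path.lower().endswith(".exe"):
            reason = "ActiveX download source is an .exe, not a .cab"
    elif section == "O19":
        reason = "an IE user stylesheet is set"
    return (section, reason) if reason else None


def scan(log_text):
    """Triage every line of a pasted log and keep only the flagged entries."""
    results = (triage(line) for line in log_text.splitlines())
    return [r for r in results if r]


if __name__ == "__main__":
    for section, reason in scan(SAMPLE_LOG):
        print(section, "-", reason)
```

A flagged line is a prompt to look the entry up, not a verdict: the "file missing" rule also matches the Acrobat helper entry that was left alone in this thread.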
     
  5. Bob_Bask

    Bob_Bask Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5
    So far no Oleaut32.dll errors, but I did forget to mention once my computer loads up, a LOADQM "illegal operation" pops up. The details are below:

    LOADQM caused an invalid page fault in
    module QMGR.DLL at 017f:00585b9a.
    Registers:
    EAX=004032a4 CS=017f EIP=00585b9a EFLGS=00010202
    EBX=00000000 SS=0187 ESP=010bfd50 EBP=010bfd70
    ECX=00000000 DS=0187 ESI=bff77039 FS=2e27
    EDX=00400000 ES=0187 EDI=006b0840 GS=3056
    Bytes at CS:EIP:
    89 04 0b 8d 45 fc 50 8d 45 f8 6a 04 50 ff 75 08
    Stack dump:
    00000000 006b0200 006b0840 006b0268 00000000 00000050 7800320e 00000004 010bfd94 00585246 000000b0 00000000 004084c4 000000b0 00000000 4c50202f

    I've followed the advice you gave and here's the new scanlog:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:45:51, on 22/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AOL 7.0B\AOLTRAY.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109976.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    Thanks again for your help Rollin' Rog.
     
  6. IMM

    IMM

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Run HijackThis again and check the following items.
    Next, close all browser windows, and have HT fix all checked.

    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109976.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab


    Download Spybot - Search and Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and after SpyBotSD has completed its scan push the 'Fix checked' button for all that it has automatically selected.

    ----edit
    Sorry if I stepped on your toes Rog - didn't see you around when I started :(
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ah, that looks so much better.

    Here's the skinny on loadqm:

    Executable Name: loadqm.exe
    Required: User's choice
    Comments: Installed with MSN Explorer and loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access - hence the "users choice" recommendation. If you have problems leave it, otherwise I recommend you disable it

    ref: http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

    ^^ this is a good link to check out any questions you may have about startups.

    We often recommend that folks just check and "fix" (delete the registry run entry) using HijackThis.

    However an alternative solution is to run msconfig and remove the startup check for it under the startup tab.

    Since the file appears to be corrupt, for it to work properly it would probably have to be deleted and the program that installed it reinstalled.

    I'm 99% sure you do not need it for anything, so it's your choice of methods.

    Let us know how it goes. You are most welcome for the help. :)

    IMM: no problem

    Bob, you can check and fix those O16 entries IMM mentions; I didn't know what they were so ignored them. But a general principle with those particular items is you can remove them without risk. Sites will prompt you to reinstall the ActiveX files if required, but you should ONLY accept those prompts from trusted sites if you know what you are getting. You should have "prompt" selected in Internet Options > Security > Custom for installing ActiveX plugins and downloads which are considered safe, and "disable" for all others.

    I think you have already run Spybot or Ad-aware, but both are good programs.
     
  8. Bob_Bask

    Bob_Bask Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5
    All seemed better, a lot better... but I just got a new "illegal operation" message with Shlwapi.dll:

    EXPLORER caused an invalid page fault in
    module SHLWAPI.DLL at 017f:70bd2054.
    Registers:
    EAX=2ddb0000 CS=017f EIP=70bd2054 EFLGS=00010246
    EBX=00000000 SS=0187 ESP=01f4e948 EBP=01f4e978
    ECX=01f4e9f0 DS=0187 ESI=01f4e9d0 FS=1bcf
    EDX=00000000 ES=0187 EDI=70bd2040 GS=232e
    Bytes at CS:EIP:
    8b 08 50 ff 51 08 eb f2 55 8b ec 8b 55 10 85 d2
    Stack dump:
    7111c953 01f4e9f0 004419bd 01f4e9d0 711137fd 70bd2c98 0044f118 01f4e9d0 0044f11c 00000001 00000001 0049d388 01f4e9c0 70bd2bf9 0044f11c 01f4e9a0

    Thanks, again for the continuous support. I think my computer is falling apart...:(
     
  9. IMM

    IMM

    Joined:
    Feb 1, 2002
    Messages:
    3,257
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It could be associated with a corrupt swap file. What we need to determine is whether it is repeatable, occurring when you do the same thing.

    File version mismatches can also be an issue, although these will often prevent Explorer from loading altogether.

    Let's try a DOS level cleanup of both the swap and temp files in Windows and IE. I am going to assume the swap file is in c:\windows, the default location if you have not altered the way Windows handles virtual memory.

    Here are the instructions:

    Click Start>Shutdown>Restart in MS-DOS mode.

    At the c:\windows\> prompt enter each bold line:

    smartdrv
    deltree tempor~1
    deltree temp
    deltree history
    del win386.swp
    deltree locals~1\tempor~1
    exit


    (you may get an error message on this last one (locals~1), just skip to "exit" if you do, it just means you don't have that directory)

    Enter smartdrv first or the process will take a very long time. For each deletion, confirm by entering 'y' if the target directory is correct.
     
  11. Bob_Bask

    Bob_Bask Thread Starter

    Joined:
    Nov 21, 2003
    Messages:
    5
    Hi, tried the computer for an hour last night - fine, but then started to play up again. Just turning my computer on to get online and post this message I've had AOL not respond, my start up bar from the bottom of the screen disappear and my desktop need to be reactivated three times. Below are three messages I managed to copy.

    IEXPLORE executed an invalid instruction in
    module KERNEL32.DLL at 017f:bff7d025.
    Registers:
    EAX=ffffffff CS=017f EIP=bff7d025 EFLGS=00010246
    EBX=004d7f74 SS=0187 ESP=020edb44 EBP=020edb58
    ECX=00000000 DS=0187 ESI=000004e4 FS=41c7
    EDX=00000000 ES=0187 EDI=81b16404 GS=0000
    Bytes at CS:EIP:
    8f f9 ff ff 0f 85 14 01 00 00 83 f8 ff 7f 08 8b
    Stack dump:
    bff77d9f 00000000 00000000 020edbd4 00000000 020edb90 690203b7 00000000 00000000 004d7f74 ffffffff 00000000 00000000 00000000 00000000 006b1d40

    IEXPLORE caused an invalid page fault in
    module MSHTML.DLL at 017f:70c32cdf.
    Registers:
    EAX=00000001 CS=017f EIP=70c32cdf EFLGS=00010202
    EBX=00000000 SS=0187 ESP=0058d79c EBP=0058d7b4
    ECX=5318458b DS=0187 ESI=70cb8c76 FS=1a2f
    EDX=00000000 ES=0187 EDI=00000000 GS=0000
    Bytes at CS:EIP:
    8b 41 1c 8b 49 18 f6 c1 80 75 0e f6 c5 01 75 09
    Stack dump:
    70c4ed7b 70cb8c76 0058d824 70c4ed35 00000000 00000000 0058d918 70c51ba6 01c7b7a0 00453378 00000000 70d1b76f 0058d824 70cb8c76 01c7b7a0 70cb8c76

    WINOLDAP caused a general protection fault
    in module KRNL386.EXE at 0002:00001ec7.
    Registers:
    EAX=00000032 CS=0167 EIP=00001ec7 EFLGS=00000202
    EBX=178f463e SS=2fbf ESP=0000464e EBP=80894654
    ECX=00000032 DS=228f ESI=000003ab FS=2f77
    EDX=0003228f ES=2fbf EDI=000003ab GS=0000
    Bytes at CS:EIP:
    f3 a4 06 1f 8b c8 5f 5e 1f c9 ca 06 00 c8 5e 00
    Stack dump:
    228e056f 47082fbf 229f001c 03ab0032 28ee228e 228e2fbe 00002fbf 46b40187 01b70038 01778000 1ce7470c 00070167 2fbf468b 2fbe0007 2fbf228e 41524707

    Thanks ten times in advance for any help.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The intermittent nature of the problem and the almost "random" types of faults you are getting make me suspect a hardware problem. Perhaps bad ram or overheating.

    But first, how much free space is available on the hard drive?

    And if you right click on My Computer, select Properties > Performance > Virtual Memory do you have "let windows manage my Virtual Memory" checked? How much does it say is free there?

    Did you follow those instructions to do a "cleanup"? Be sure to empty the recycle bin as well.

    How much ram is installed in the system, and do you have multiple modules or just 1?
     
  13. IMM

    IMM

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    This one has me wondering

    WINOLDAP caused a general protection fault
    in module KRNL386.EXE at 0002:00001ec7.

    The WinOLDAP is actually a DOS window (perhaps a hidden one)
    Can you tell me if you had a dos box open for something when that happened?
    There is a possibility that something is starting we haven't seen
    (possibly from autoexec.bat or similar)

    You might post a Startup List log
    In HJT use Config > Misc. Tools (check the box which says "List also Minor Sections") > Generate StartupList log


    It might be some AV starting or ??
    Is there some dos driver for your NIC?
     

Short URL to this thread: https://techguy.org/181458
