Major Spyware infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by jeffk2121, Jan 16, 2005.

  1. jeffk2121

    jeffk2121 Private E-2

    wupdt...polallr1....farmmext....btgrab. How high do pc's bounce when dropped from the roof? Have run Spybot S&D...AdAware SE...McAfee, but to no avail. Will not post HiJack log until requested. Win 98 SE IE v6.00 SP1
     
    jeffk2121, Jan 16, 2005
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
    chaslang, Jan 16, 2005
    #2
  3. jeffk2121

    jeffk2121 Private E-2

    Performed all steps in Attitudes' removal procedures (except HSREMOVE...W98). Booted back to normal mode and ran HiJack log immediately (attached). Moments later Winpatrol detected .bmp .gif .jpg files default program (vuepro) being changed to winzip. I responded no.


    I attached the log.
     

    Attached Files:

    jeffk2121, Jan 16, 2005
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is this running? I have not played with Win98 for awhile.
    C:\WINDOWS\PACKAGER.EXE


    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing

    Do you use Lycos? If not, fix the next line too, otherwise skip it!
    O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\PROGRAM FILES\LYCOS\SST.DLL

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL (file missing)
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [qmnsdnsm] c:\windows\system\qmnsdnsm.exe
    O4 - HKCU\..\Run: [LDM] \Program\
    O9 - Extra button: Dell Home - {32ED3240-5EDF-11D3-8E34-A0C94DC10700} - http://www.dell.com/ (file missing) (HKCU)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/208c406450cda9d3c416/netzip/RdxIE601.cab
    O18 - Protocol: offline-8876480 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw00 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw00s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw10 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw10s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw20 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw20s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw30 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw30s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw40 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw40s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw50 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw50s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw60 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw60s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw70 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw70s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw80 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw80s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw90 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw90s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwa0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwa0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwb0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwb0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwc0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwc0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwd0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwd0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwe0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwe0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwf0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwf0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwg0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwg0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwh0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwh0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwi0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwi0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwj0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwj0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwk0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwk0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwl0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwl0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwm0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwm0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwn0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwn0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwo0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwo0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwp0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwp0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwq0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwq0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwr0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwr0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bws0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bws0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwt0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwt0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwu0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwu0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwv0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwv0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bww0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bww0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwx0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwx0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwy0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwy0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwz0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwz0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw-0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw-0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw+0 - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bw+0s - {5CE78CCC-96A1-49D7-89BD-CDF99F3ACCFD} - C:\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\DESKTOP MESSENGER\8876480\PROGRAM\GAPLUGPROTOCOL-8876480.DLL

    After clicking Fix, exit HJT.

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, Jan 16, 2005
    #4
  5. jeffk2121

    jeffk2121 Private E-2

    followed all your instructions....had to reboot twice. Ran log..posted... winpatrol immediately came up warning of c/windows/zserv.dll

    Thank you so much for your help!
     
    jeffk2121, Jan 16, 2005
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not complete my instructions! Where is the follow up HJT log?

    Also see this on zserv.dll
    http://www.doxdesk.com/parasite/Transponder.html
     
    chaslang, Jan 17, 2005
    #6
  7. jeffk2121

    jeffk2121 Private E-2

    I'm apologize..I thought I did post it. A mind is such a terrible thing to waste!

    Thank you
     

    Attached Files:

    jeffk2121, Jan 17, 2005
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks better but it does not look like you did this:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Also, do you know what this is:
    O4 - HKLM\..\Run: [qmnsdnsm] c:\windows\system\qmnsdnsm.exe

    Are you still having any problems?
     
    chaslang, Jan 17, 2005
    #8
  9. jeffk2121

    jeffk2121 Private E-2

    Ok...followed instructions....rt clicked on IE icon and did as you said. HJ log attached....noticed a new process running on it...windows\system\pstores???? Also attached is a word file with Spybot warning upon startup of IE...and when I try to log in to Hotmail...I'm getting a certificate security warning I never got. What should I do with these?

    As far as the qmnsdnsm.exe....no idea what it is.

    On the bright side, I haven't seen any popups. Thank you again for helping walk me thru this...I work closely with our IT dept and realize how frustrating it is when we users don't follow directions!!!!

    had to delete the spybot warning from the word file...too large...it reported that when I initiate IE upon startup of MSN that I am trying to download "Avenue A Inc" a known threat....block...Y/N? I'm answering Y
     

    Attached Files:

    jeffk2121, Jan 17, 2005
    #9
  10. jeffk2121

    jeffk2121 Private E-2

    Have also accumulated 2 windows/temp files with ZServ .cab inv & .dll files. Is there something in HiJack that I can do to fix...or anything else. I looke over the website you directed me to...and it is rather cryptic as to the fix
     
    jeffk2121, Jan 17, 2005
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It still does not look to me like you did this (do exactly what I indicate - even the home page):


    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
    chaslang, Jan 18, 2005
    #11
  12. jeffk2121

    jeffk2121 Private E-2

    Swear I follwed directions yesterday....but did it again today. Rt click IE icon...properties...Programs...reset. General tab..typed www.majorgeeks.com...apply. Winpatrol prompted asking if change from http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome to Majorgeeks was ok...clicked OK. Suspicious...eh? Deleted cookies and files (incl offline)

    Yesterday I changed home simply to www.msn.com.

    Ran HJT log immediately (attached)

    When I ran IE...to www.majorgeeks.com...WinPatrol prompted I was downloading "double click"..a known threat. I blocked and got black screen (with majorgeeks address in upper panel and done in lower left. clicked on address in upper panel again and I got here




    extra note...after I posted I saw the url for the original homepage was not correctly dispalyed...I'm editing now and see the correct url is contained in the test....guess your system blanks out some of it for safety
     

    Attached Files:

    Last edited: Jan 18, 2005
    jeffk2121, Jan 18, 2005
    #12
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    What does the above mean? I saw that www.majorgeeks.com is now there. That's what I was looking for after the Reset Web Settings.

    What problems still remain on your system?
    Do you have ALL of your Windows updates? Have you check at MS Update recently (within the week)?
     
    chaslang, Jan 18, 2005
    #13
  14. jeffk2121

    jeffk2121 Private E-2

    jeffk2121, Jan 18, 2005
    #14
  15. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ill double check with Jim, but I dont think we run Doublerclick and if we did, its a cookie like any other, harmless. Dont be fooled by the over paranoid people who claim cookies are spyware. The job of cookies is to track certain movements to improve online surfing, in the case of ads, they allow ad companies to show you different ads, or limit inline ads, etc. Not one spyware removal author we have talked to could show us an example of a malicious cookie.
     
    Major Attitude, Jan 19, 2005
    #15
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still don't know what you mean! I had you change it to www.majorgeeks.com and it's there. What are you talking about and when and where did you key this in?

    Let's talk about Spybot warnings after you get all of your Window's updates installed.
     
    chaslang, Jan 19, 2005
    #16
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks MA!
     
    chaslang, Jan 19, 2005
    #17
  18. jeffk2121

    jeffk2121 Private E-2

    I went to Microsoft.com...then chose update and the screen showed "software update incomplete". MS offered a help page to resolve this issue and I followed instruction to the point where it said to delete "iuctl.dll". When I tried to delete, was told "cannot delete:access denied".

    Am unable to update windows
     
    jeffk2121, Jan 19, 2005
    #18
  19. jeffk2121

    jeffk2121 Private E-2

    A an additional note...starting to get popups again...looked in Windows/temp and found 6 temp folders with zserv.cab-dll-inf....2 folders with farmmext.cab-exe-inf-ini....1 folder with wupdt.exe.....and 1 with thnall.exe and wupdsnff.exe
     
    jeffk2121, Jan 19, 2005
    #19
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete all of those folders and files from safe mode?

    Do you have a firewall installed yet?
     
    chaslang, Jan 19, 2005
    #20
  21. jeffk2121

    jeffk2121 Private E-2

    deleted the folders...not from safe mode

    Going to get firewall tomorrow...your recomendations? I have mcafee virus protection and Norton has a virus protecion and firewall bundle much cheaper.

    I just went thru MA's sticky note procedure again begining to finish and am attaching the HJT log
     

    Attached Files:

    jeffk2121, Jan 19, 2005
    #21
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need either of them. See this: How to Protect yourself from malware!
     
    chaslang, Jan 19, 2005
    #22
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\SYSTEM\QMNSDNSM.EXE

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [qmnsdnsm] c:\windows\system\qmnsdnsm.exe


    After clicking Fix, exit HJT.


    Now reboot in normal mode and post a new HJT log.
    See if you can get windows updates now. Use the link I gave you my previous thread in the "How to protect" link
     
    chaslang, Jan 19, 2005
    #23
  24. jeffk2121

    jeffk2121 Private E-2

    Got Sygate firewall....rebooted to safe mode and deleted tmp folders (yes there were more)booted normally and firewal had a # of prompts:

    Windows IXP/SPX Compatible Protocol driver (NWLINK.vdx) has rec'd a broadcast packet from the remote machine[10.18.112.1]. grant access?
    Answered Y

    Win32 Kernel.core component(kernel32.dll)has rec'd...etc...answered Y

    TODO <file description>QMNDSDN.exe is trying to connectto[69.28.155.9]using remote port 80[http-www]...answered N

    ctl-alt-del and tried to end QMNDSDN....not responding...end anyway and received firewall mssg <file description(QMDSDN.exe)is trying to connect to static.callinghome.biz [69.28.155.9]using remote port 80[http-www] answered N

    went back to task mgr and Q was still there...tried to end prog repeatedly and kept getting firewall messages and Q was still running in task mgr.

    ran HJT anyway and fixed c\windows\QMDSDN....rebooted and got no firewall msg about Q...checked task mgr and Q was not running. also noticed in task mgr that a process Smc (not responding)

    followed your link to windows update and got same result "software update incomplete"

    Attached HJT log for your perusal

    Thanks for the large amount of time you have spent on my problem
     

    Attached Files:

    jeffk2121, Jan 20, 2005
    #24
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    chaslang, Jan 21, 2005
    #25
  26. jeffk2121

    jeffk2121 Private E-2

    I went thru the troubleshooting procedure a few days ago for Win Update (as indicated in your last reply...http://support.MicroSoft.com/kb/319585/en-us/)...did it again twice tonight. was able to complete the procedure (including deleting iuctl.dll & iuengine.dll). Emptied recycle bin (all in normal mode) and searched for iu files again...not found. Went to update site(using your link in "how to protect from malware") and got one step further...site presented certificate...I accepted and was taken back to the screen "software update incomplete".
     
    jeffk2121, Jan 21, 2005
    #26
  27. jeffk2121

    jeffk2121 Private E-2

    I just did a search for iuctl.dll and iuengine.dll and found them back on my harddrive....appears they are installed when logging in to the update site for Microsoft...should I delete them while in the site? I suspect they will be in use
     
    jeffk2121, Jan 21, 2005
    #27
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try going to the c:\program files\windows update folder and just renaming it.
    Change it to c:\program files\windows update backup

    Then do the last step Microsoft gave:

    Remove the Windows Update ActiveX Controls

    1.Click Start, click Find, and then click For Files or Folders. Search for the files named iuctl.dll and Iuengine.dll.
    2.Delete all copies of these files.
    3.Visit the Windows Update Web site to install new copies of the ActiveX controls.

    Then I would reboot and now try windows update again. Let me know what happens. If you get any error messages, make sure you post back here exactly what they say. Also one question, you are using Internet Explorer to browse and perform Windows update...right?
     
    chaslang, Jan 22, 2005
    #28
  29. jeffk2121

    jeffk2121 Private E-2

    Went to c:\program files\windows update and renamed as backup...start...find.....deleted activex iuctl and iuengine..went to MS webpage for update...looked in explorer and C\program files\windows update was recreated and start.... find.... found iuctl.dll and iuengine.dll again. WIndows update asked for certificate...accepted. "software update incomplete" again

    And yes...I am using IE to perform Windows update

    as a side note....haven't had nasty popups for 2 days now
     
    jeffk2121, Jan 22, 2005
    #29
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to here about the pops being gone.

    Try disabling your firewall temporarily and then go to Windows Update. What happens?
     
    chaslang, Jan 22, 2005
    #30
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If that does not work that bring up you Task Manager by pressing CTRL-ALT-DEL simultaneously.
    Find each of the below processes and end them. Note in Windows 98 they will not show as I list them. Only the filename will appear. There will be no path or .EXE extension. So for example the first one I want you to end is C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE . It will appear as ENCMONTR (probably in lower case too).

    C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\AFTER DARK\AFTER DARK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
    C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOWLIGHT.EXE

    End all of these processes and then try to use Windows Update.
     
    chaslang, Jan 22, 2005
    #31
  32. jeffk2121

    jeffk2121 Private E-2

    the ongoing saga
    disabling firewall did nothing...."Software Update Incomplete"

    Deleted programs in Task Mgr..deleting LVCOMS gave black screen and error..."Low in Resources" and froze PC...rebooted...tried ending again and froze again. deleted all tasks except LVCOMS....those remaining running:
    EXPLORER
    LVCOMS
    STIMON
    STTRAY
    SYSTRAY
    WINMGMT
    WMEXE

    went thru all steps in win update troubleshooting again...deleting iuctl and iuengine...ran find/files and looked for both....not there. Went to Microsoft.com...checked find/files...iuctl & iuengine still not on hard drive...chose windows update from menu. Certificate popped up "the authorization of this content cannot be verified" - root certificate has not been enabled as trusted. "do you want to install and run windows update?.....I clicked yes. same screen "Software update incomplete"....ran find files and found iuctl and iuengine installed again

    As a side note...prior to all this I went to IE tools-options-security-custom setting and did the following:
    changed download signed activex from prompt to enable
    changed download unsigned activex from disable to enable
    changed initialize & script activex not marked as safe from disable to enable
    changed java safety from high to low
    tried to reset custom settings from medium to low....but wouldn't allow me...when I clicked OK...and went back...custom setting was back at medium.

    Can I download updates onto a jumpdrive from another PC and install that way?
     
    jeffk2121, Jan 24, 2005
    #32
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    chaslang, Jan 25, 2005
    #33
  34. jeffk2121

    jeffk2121 Private E-2

    Wish I hadn't done that!!! Downloaded and installed, rebooted as requested. When windows started got error "smi.exe performed an illegal function...closed. Explorer has performed an illegal function....closed and rebooted. Upon restart...blue screen...MS registry checker ran.....backed up files and restored files...info box popped up "Windows found an error in your system files and restored a recent backup of the files to fix the problem. Enter to restart" Restarted 4 times and got same message.

    Inserted my startup disk and booted....got to DOS....but didn't know what to do.

    Inserted McAfee rescue disk and booted.....

    "Starting Magic Bullet"
    BIOS read error X00

    Booted in safe mode and got warning

    "system file warning-following files have been replaced with an older version by a program you recently ran. Some windows functionality may not run correctly.. Please run these files by running Windows setup located on your original Windows disk to verify your current install C:\windows\system\winaspl.dll" was indicated in the message box.

    OK or Ignore...chose ignore

    tried to get to internet to post last night....but apparently can't access internet in safe mode

    Have orginal win 98 SE CD

    attached a copy of hijack log....for whatever it is worth
     

    Attached Files:

    jeffk2121, Jan 27, 2005
    #34
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that Jeff! I don't understand what happened.

    That utility does say that "Uninstallation is possible from Add-Remove Programs."

    So you can try booting in safe mode and uninstalling the package!
     
    chaslang, Jan 27, 2005
    #35
  36. jeffk2121

    jeffk2121 Private E-2

    K...got an old puter hooked up. The only thing I see that looks like a likely candidate to remove is System Files Update...does that sound right?
     
    jeffk2121, Jan 27, 2005
    #36
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Jan 28, 2005
    chaslang, Jan 28, 2005
    #37
  38. jeffk2121

    jeffk2121 Private E-2

    I posted at MSFN...we'll see what they say. I did notice their 2.0 Beta features an uninstall function...leads me to believe 1.6.2 cannot be uninstalled

    What happens if I reinstall windows? or get a new copy of "winaspl.dll"?
     
    jeffk2121, Jan 28, 2005
    #38
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First are you sure it said winaspl.dll or was is winaspi.dll?

    I'm not sure what will happen, you may find that if you get past a problem with winaspl.dll, that another DLL name comes up.

    Also, hack at it this way may make uninstallation of this unofficial patch not possible (if it is possible to begin with).
     
    chaslang, Jan 28, 2005
    #39
  40. jeffk2121

    jeffk2121 Private E-2

    This is what I got at MSFN....and looks like they are getting above my head. Does this make sense to you? Any suggestions



    Attach New Poll | Track this topic | Email this topic | Print this topic
    jeffk2121 Posted: Jan 28 2005, 01:24 PM





    Group: Members
    Posts: 3
    Member No.: 42376
    Joined: 28-January 05





    Downloaded and installed Service Pack 1 v 1.6.2, rebooted as requested. When windows started got error "smi.exe performed an illegal function...closed. Explorer has performed an illegal function....closed and rebooted. Upon restart...blue screen...MS registry checker ran.....backed up files and restored files...info box popped up "Windows found an error in your system files and restored a recent backup of the files to fix the problem. Enter to restart" Restarted 4 times and got same message.

    Inserted my startup disk and booted....got to DOS....but didn't know what to do.

    Inserted McAfee rescue disk and booted.....

    "Starting Magic Bullet"
    BIOS read error X00

    Booted in safe mode and got warning

    "system file warning-following files have been replaced with an older version by a program you recently ran. Some windows functionality may not run correctly.. Please run these files by running Windows setup located on your original Windows disk to verify your current install C:\windows\system\winaspl.dll" was indicated in the message box.

    OK or Ignore...chose ignore

    tried to get to internet to post last night....but apparently can't access internet in safe mode

    Have orginal win 98 SE CD

    Do you have any suggestions how to fix this?

    Can it be uninstalled? Only likely suspect in Add/Remove is "system files update"

    I appreciate any help you can give me

    horsecharles Posted: Jan 28 2005, 02:23 PM


    Junior Member


    Group: Members
    Posts: 98
    Member No.: 41526
    Joined: 21-January 05





    Hi Jeff: I hope you haven't tried any other fixes yet... better that a day or two pass, than if you have to re-install: you could be there many more days updating, re-installing, losing some data forever........

    OK: this is what happened--

    you likely had this adaptec aspi layer(for cd's): http://www.adaptec.com/worldwide/support/d...1a2.exe&sess=no

    what you need & had is the last two here: install May's & update it w. November's: http://www.adaptec.com/worldwide/support/d...odkey=ASPI-4.70

    Gape gave us an earlier version because it's much more stable-- the latest one has caused problems for lots of folks-- in your case it looks like the opposite

    What i don't know is why your system is so complaining-- are you running a backround PC Health, Real Time System File Protector, etc. whether from MS, Norton, your AV, etc.?

    What you can/should do: go into control panel / add remove programs / uninstall Unofficial Windows SE Service Pack...... this should restore your system-- but before that!!!! disable preotected recycle bin, any norton utilities, firewall, AV, Spy Protector(SpywareGuard in particular can get in the way), Innoculators like Spybot, Spywareblaster....... even if you have to unplug your modem, do this first please.

    Then, you can re-install the Pack, but leave Adaptec Aspi Layer unchecked......

    If you still have problems, then install from first link provided.

    Good luck.......
    let us know if you have additional questions.......

    soldier1st Posted: Jan 28 2005, 03:21 PM


    I Work For The Shinra's Elite Squad Known As Soldier


    Group: Members
    Posts: 421
    Member No.: 36888
    Joined: 19-November 04





    and i would install the 2.0 beta 3 instead of the 1.6.2


    --------------------

    Here At Shinra HQ,Any and All Resistance Against The Shinra Will Be Dealt With Thus Utilizing Shinra's Elite Squad Known As Soldier

    jeffk2121 Posted: Jan 28 2005, 05:54 PM





    Group: Members
    Posts: 3
    Member No.: 42376
    Joined: 28-January 05





    I've done nothing else to fix this....learned long ago to rely on knowledge than luck!

    I am not running PC Health or Real time...that I know of. I'm running McAfee Viruscan 9.0 only. I do have Spybot....AdAware.... Spywareblaster...and Sygate firewall. I've never seen this registry checker run before...is it part of the service pack?

    A few questions (bear in mind I can only operate in Safe mode)

    1 Do I install Mays 2002 aspi then November 2002 in safe mode, then reboot to see if problem is fixed?

    2 if the new files do not correct the problem...in safe mode.....in Add/Remove programs...there is no Unofficial Windows SE Service pack listed.....only thing close is "system files update"...is this it....or what would it be named?

    3 should i install the 2.0 beta....instead of / over the tp of 1.62?





    jeffk2121 Posted: Jan 28 2005, 08:47 PM





    Group: Members
    Posts: 3
    Member No.: 42376
    Joined: 28-January 05





    I installed aspi_471.exe and ran.....then ran aspi_471a2. rebooted and received all the same errors. Looked in the c:\adaptec\aspi folder created by the install and found a number of files...aspi46.vx_....aspi2k.sy_...aspi32sy_.....as though another .exe needed to be run?????

    Installed both rebootted and had same results

    What now?

    horsecharles Posted: Jan 29 2005, 05:19 AM


    Junior Member


    Group: Members
    Posts: 98
    Member No.: 41526
    Joined: 21-January 05





    Sorry, Jeffk2121-- what i meant about fixing was something i do a lot: get all worked up & anxious to quickly get rid of the problem, then the next day i wish i hadn't tried a couple of the fixes....

    1. Please make sure all the security apps & settings are disabled-- AntiVirus, firewall, etc. can have a system file protection, or real-time scan & protect... in extreme cases i've seen where the firewall / AV has to be uninstalled & reinstalled afterwards-- disabling some doesn't auto-stop all their process: in startup you can confirm all their subprocesses are disabled w/ an app like this one: PC Forrest StartMan 1.03.9.6 Pls give the link a few seconds' time to appear.
    2. This is likely not your cause, but if it is, it's a quick fix: do a Find for ext2.vxd located in windows\system and rename it-- this is a file left behind when partitioning sometimes-- it will conflict with cd system files & lock you out of windows.
    3. So-- in add/remove there HAS to be an unistall entry for sesp1.6-- i have v2 which may be named differently.... this would be the safest bet, to undo the changes... If that doesn't work:
    4. Also in add/remove you would uninstall Adaptec UDF Reader-- though this may not totally work, reasons below...
    5. I assumed you tried already to rollback the registry to the last saved state: (boot to dos, type scanreg /restore)-- just asking: let's not do this yet.
    6. btw for future reference, this progam comes in very handy: InstallRite home: http://www.epsilonsquared.com/
    7. so does running scanreg just prior-- or this program that also backsup registry & system files: Cop2.2 info: http://www.bootdisk.com/cop.htm
    8. Ok-- on to Adaptec: the earlier of the two files you downloaded, should've given you a utility called aspichk.exe, which can also be downloaded standalone here: AspiChk
    It will show you the installed version, and whether you have both versions still in there(your likely problem)-- their install procedure can be buggy, not remove previous version...... When this is the case, folks use this to fix it: FixAspi

    When that doesn't work, they run a file called KillAspi.bat included in these two apps:

    ForceAspi1.17 which installs aspi layer 4.6x and ForceAspi1.18 which installs aspi layer 4.7x this last one courtesy of: Neo Hacker
    The problem(s) w/ Adaptec are that some versions are incompatible with other components, they may not install right(sometimes refuse to install when not detecting/finding cd hardware and/or a previous aspi layer in place), may not totally remove a previous version-- additionally windows likes to protect system files, not allow version downgrades, etc. Hence, other folks developed these useful apps. Btw, below is the official adaptec app that auto updates your layer, but the above third-party apps are more certain to work & eliminate problems. Aspi32

    9. One thing that occurs to me-- you may not even need the Adaptec layer: your system may perhaps be using the Nero layer-- so you may not even need to re-install Adaptec-- just excise it. One way to tell for sure: do a Find for Adaptec-- if those folders show a creation date of just recently, then you know your cdplay has not been utilizing/needing it.
    10. You will need all these utilities & both driver versions both now, and just in case, in the future if your cd play has issues from all this fixing.
    11. Speaking of future: if after this fixing you have issues with your cd play, it may help to reinstall your cd software AND remove from device manager your cd components & reboot: upon startup, as windows re-installs them, it will help them detect the newly-installed aspi layer.
    12. As you re-install the aspi layer with the appropriate apps, one trick i use to help make sure windows detects everything right, is i also right-click install all .inf files & register all .dll files... this app from the makers of X-Setup Pro can help to easily just right-click them & select Register: XQ Com Register EX 2.1

    13. Here's the manual way & most of what all those apps do:

    Firstly, you're in safe mode now, but in the future you could use this app that allows you to get around windows not letting one handle files in use / system files: CopyLock

    Uninstall cd software, Find, backup & delete all Adaptec folders and any of the following files:
    cdr4vsd.vxd, cdr4dll.dll, cdrtc.dll, cdral.dll, cdralvsd.vxd, scsi1hlp.vxd, iomega.vxd, cd_read.vxd

    windows\system\iosubsys\apix.vxd
    windows\system\aspienum.vxd
    windows\system\winaspi.dll
    windows\system\wnaspi32.dll

    in the Registry, Find, backup & delete(again we have a useful app for this-- it auto tracks all your edits, and can undo any w/ just one click-- no extra steps needed on your part: Vilma Registry Explorer
    any adaptec entries-- though if any also contain the brand name of your cd equipment within their contents, you may also need to re-flash their firmware & re-install them in windows system/device manager. Then install cleanly your aspi layer version of choice and/or cd software if necessary-- this latter would likely install correctly the needed aspi layer.

    Hope this if of use to you.... sorry it took so long.....
     
    jeffk2121, Jan 29, 2005
    #40

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds