Annoyances.org
Dang it page fault at 0197:...
Showing all messages in thread #1070335575
Windows Me Annoyances Discussion Forum


The following are all of the messages in this thread (17 in all), shown in chronological order.
Dang it page fault at 0197:...
Monday, December 1, 2003 at 7:26 pm
Posted by Nate E. Williams Jr. (8 messages posted)

I've just installed Windows ME on my system and it runs pretty decent except for this one illegal error that pops up whenever I want to do something productive... I don't remember all the specifics because this error comes in many forms depending on the program that crashes, but it kinda looks like this:

***** has performed an illegal operation in *****.dll at 0197:****

The first two blanks are normally filled with EXPLORER and KERNEL32.DLL, so I thought it was a Windows problem, but then this error came up for other programs such as Battlefield 1942, MSNexplorer, and other non-Microsoft programs. The pattern is the same: illegal page fault, some DLL involved and always 0197:****
Could someone at least tell me what all that means?


re: Dang it page fault at 0197:...
Monday, December 1, 2003 at 7:47 pm
Posted by Nate E. Williams Jr. (8 messages posted)

Sorry, I forgot to put my comp specs; here they are:

Athlon XP 1600+ 1.4 GHz
ATI Radeon 9600 SE 128 megs
512 DDR memory
40 GB drive


re: Dang it page fault at 0197:...
Monday, December 1, 2003 at 8:07 pm
Posted by mistergil (915 messages posted)

Open up your msconfig through Run. Open the system.ini page. Expand the 386Enh tree. Scroll down the list and find a line that says "MinSPs=?". If it has a "=4", increase it to 8. Do this by highlighting the line and then clicking the edit button and making the change. Save or apply this new value. If the line does not exist, create it by clicking the new button and give it a value of 8. Restart and try the new setting. If you still get the error message, try increasing it to 12. The values start at 4 and increase by 4 {4,8,12 etc}. Try this and see what happens.


On Monday, December 1, 2003 at 7:47 pm, Nate E. Williams Jr. wrote:
>Sorry, I forgot to put my comp specs; here they are:
>
>
>Athlon XP 1600+ 1.4 GHz
>ATI Radeon 9600 SE 128 megs
>512 DDR memory
>40 GB drive


re: Dang it page fault at 0197:...
Tuesday, December 2, 2003 at 1:35 am
Posted by Jack Gulley (5917 messages posted)

Try cleaning up the system with Windows ME Fixes.


re: Dang it page fault at 0197:...
Tuesday, December 2, 2003 at 4:06 am
Posted by worm (792 messages posted)

When the system encounters an error, it saves the details to a file called "Faultlog.txt". You can access it via Start > Programs > Accessories > System Tools > System Information. Click the word "Tools" and choose "Faultlog.txt" from the menu.
It might be handy to see the full syntax of the error if suggestions already made don't fix the problem.


On Monday, December 1, 2003 at 7:26 pm, Nate E. Williams Jr. wrote:
>I've just installed Windows ME on my system and it runs pretty decent except for
>this one illegal error that pops up whenever I want to do something productive...
>I don't remember all the specifics because this error comes in many forms depending
>on the program that crashes, but it kinda looks like this:
>
>***** has performed an illegal operation in *****.dll at 0197:****
>
>The first two blanks are normally filled with EXPLORER and KERNEL32.DLL, so I thought
>it was a Windows problem, but then this error came up for other programs such as Battlefield
>1942, MSNexplorer, and other non-Microsoft programs. The pattern is the same: illegal
>page fault, some DLL involved and always 0197:****
>Could someone at least tell me what all that means?


re: Dang it page fault at 0197:...
Tuesday, December 2, 2003 at 5:11 am
Posted by Nate E. Williams Jr. (8 messages posted)

Ok, this is really weird!! It seems as though I went through all the steps you said, except I don't see any MinSP= line! Should I add one?


On Monday, December 1, 2003 at 8:07 pm, mistergil wrote:
>Open up your msconfig through run. Open the system ini page. Expand the 386Enh tree.
>Scroll down the list and find a line that says "MinSPs=?". If it has a "=4", increase
>it to 8. Do this by highlighting the line and then clicking the edit button and making
>the change. Save or apply this new value. If the line does not exist, create it by
>clicking the new button and give it a value of 8. Restart and try the new setting.
>If you still get the error message try increasing it to 12. The values start at 4
>and increase by 4 {4,8,12 etc}. Try this and see what happens.
>
>


re: Dang it page fault at 0197:...
Tuesday, December 2, 2003 at 10:22 am
Posted by mistergil (915 messages posted)

Yes. Use 8 as an initial value.


On Tuesday, December 2, 2003 at 5:11 am, Nate E. Williams Jr. wrote:
>
>Ok, this is really weird!! It seems as though I went through all the steps you said,
>except I don't see any MinSP= line! Should I add one?
>
>


re: Dang it page fault at 0197:...
Sunday, December 7, 2003 at 4:52 pm
Posted by Nate E. Williams Jr. (8 messages posted)

I tried setting it to 8, 12, 16, 20, and 24 but the page fault error still comes up (less frequently but still at odd and important times). Just curious, what does setting the MinSPs do?


On Tuesday, December 2, 2003 at 10:22 am, mistergil wrote:
>Yes. Use 8 as an initial value.
>
>


re: Dang it page fault at 0197:...
Sunday, December 7, 2003 at 4:55 pm
Posted by Nate E. Williams Jr. (8 messages posted)

Ok, I got to the fault log and the pattern is just unbelievable; this is like the only error on this machine! I'm gonna include a couple of examples:

Date 11/28/2003 Time 09:08
LUPRODRG caused an invalid page fault in
module KERNEL32.DLL at 0197:bff78807.
Registers:
EAX=c002fa54 CS=0197 EIP=bff78807 EFLGS=00010202
EBX=0063ffec SS=019f ESP=0053feb0 EBP=00540028
ECX=00000000 DS=019f ESI=00000000 FS=3c8f
EDX=bff6682d ES=019f EDI=bff69060 GS=0000
Bytes at CS:EIP:
53 56 57 8b 75 10 8b 38 33 db 85 f6 75 2d 8d b5
Stack dump:

Now you see what I mean.... but then look at this:
Date 12/04/2003 Time 21:56
WORDPAD caused an invalid page fault in
module MSWRD832.CNV at 0197:0140fcf5.
Registers:
EAX=00000001 CS=0197 EIP=0140fcf5 EFLGS=00010297
EBX=0143df98 SS=019f ESP=013af944 EBP=013af960
ECX=0040dffd DS=019f ESI=0040e000 FS=5467
EDX=00000000 ES=019f EDI=00400000 GS=49d6
Bytes at CS:EIP:
66 8b 06 83 c6 02 66 89 45 fe 8d 4d f8 51 8b 45
Stack dump:
0040d3d8 00000000 0040cfee 0041d14e 0040d3d8 00000008 0000cfee 013af988 01412e74
0040d150 0000fffe 00000002 00000000 00000000 00000000 0000036a

I just wish I knew what this stuff means... one more for emphasis:
Date 12/05/2003 Time 22:51
OPERA caused an invalid page fault in
module OPERA.EXE at 0197:004bb0ae.
Registers:
EAX=02073190 CS=0197 EIP=004bb0ae EFLGS=00010246
EBX=02072090 SS=019f ESP=00d7f8f8 EBP=00d7fa54
ECX=00000249 DS=019f ESI=0067cdb4 FS=149f
EDX=0001090f ES=019f EDI=00000000 GS=0000
Bytes at CS:EIP:
30 8d 75 e0 89 45 e0 89 45 e4 89 4d ec a5 a5 a5
Stack dump:
00d7fa5c 00008acc 00d7faa8 0000893c 00d7fe28 891e0000 08ef54b7 727f8930 00060200
895809ef 09cf329b 893c335f 89580000 09ef00d7 01d3029b 000107c4

You get the picture.


On Tuesday, December 2, 2003 at 4:06 am, worm wrote:
>When the system encounters an error, it saves the details to a file called "Faultlog.txt".
>You can access it via Start > Programs > Accessories > System Tools > System Information.
>Click the word "Tools" and choose "Faultlog.txt" from the menu.
>It might be handy to see the full syntax of the error if suggestions already made
>don't fix the problem.
>
>

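An added example, not part of the original thread: a small Python parser for the Faultlog.txt entries posted above that decodes the recurring `0197` value and classifies each faulting address. The function names are this example's own, and the region boundaries assume the standard Windows 9x address-space layout (private below 2 GB, shared 2 to 3 GB, system above).

```python
import re

# Entries copied from the Faultlog.txt excerpts in the post above, trimmed to
# the fields this example reads.
FAULTLOG = """\
Date 11/28/2003 Time 09:08
LUPRODRG caused an invalid page fault in
module KERNEL32.DLL at 0197:bff78807.
Registers:
EAX=c002fa54 CS=0197 EIP=bff78807 EFLGS=00010202
Bytes at CS:EIP:
53 56 57 8b 75 10 8b 38 33 db 85 f6 75 2d 8d b5

Date 12/04/2003 Time 21:56
WORDPAD caused an invalid page fault in
module MSWRD832.CNV at 0197:0140fcf5.
Registers:
EAX=00000001 CS=0197 EIP=0140fcf5 EFLGS=00010297

Date 12/05/2003 Time 22:51
OPERA caused an invalid page fault in
module OPERA.EXE at 0197:004bb0ae.
Registers:
EAX=02073190 CS=0197 EIP=004bb0ae EFLGS=00010246
"""

# \s+ lets the pattern match both the line-broken layout and a log that was
# pasted as one flattened line.
FAULT_RE = re.compile(
    r"Date (\d{2}/\d{2}/\d{4}) Time (\d{2}:\d{2})\s+"
    r"(\S+) caused an invalid page fault in\s+"
    r"module (\S+) at ([0-9a-f]{4}):([0-9a-f]{8})\.",
    re.IGNORECASE,
)


def parse_faults(text):
    """Return one dict per fault header found in the log text."""
    faults = []
    for date, time, app, module, sel, off in FAULT_RE.findall(text):
        faults.append({"date": date, "time": time, "app": app, "module": module,
                       "selector": int(sel, 16), "eip": int(off, 16)})
    return faults


def decode_selector(selector):
    """Split an x86 segment selector into its architectural fields.

    Bits 0-1 are the requested privilege level, bit 2 picks the descriptor
    table (0 = GDT, 1 = LDT), bits 3-15 index into that table.
    """
    return {"index": selector >> 3,
            "table": "LDT" if selector & 0x4 else "GDT",
            "rpl": selector & 0x3}


def win9x_region(address):
    """Classify a linear address by Windows 9x arena (assumed layout)."""
    if address < 0x00400000:
        return "dos-compat"   # below 4 MB: MS-DOS / 16-bit compatibility
    if address < 0x80000000:
        return "private"      # per-process: the EXE and its own DLLs
    if address < 0xC0000000:
        return "shared"       # visible to every process: system DLLs
    return "system"           # ring-0 components


def summarize(text):
    """Show what actually varies between faults: module and address, not CS."""
    faults = parse_faults(text)
    return {
        "selectors": sorted({f["selector"] for f in faults}),
        "by_region": [(f["app"], f["module"], win9x_region(f["eip"]))
                      for f in faults],
    }


if __name__ == "__main__":
    report = summarize(FAULTLOG)
    for sel in report["selectors"]:
        print(f"CS={sel:04x} -> {decode_selector(sel)}")
    for row in report["by_region"]:
        print(*row)
```

The selector is the same in every entry because it names the code segment the programs run in, so it says nothing about which program or module faulted; the module name and the offset after the colon are the parts that differ.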

re: Dang it page fault at 0197:...
Monday, December 8, 2003 at 4:59 am
Posted by worm (792 messages posted)

Hi Nate,

Try performing a clean boot like this.
1. Go to Start > Run > type msconfig and click OK.
2. Checkmark the option "Selective Startup" and then remove the checkmark from all five fields below that like "Process system.ini" for example.
3. Click Apply/OK and reboot.
4. When the PC reboots, go back to "msconfig" again and checkmark "Normal Startup", click Apply/OK and reboot.

That first error mentioned in your log file called "LUPRODRG" sounds like a registration application trying to run. Have you installed anything that needs to be registered?

The second one, "WORDPAD caused an invalid page fault in module MSWRD832" means that Wordpad tried to open a document created in Microsoft "Word", but the text converter called MSWRD832.exe was unable to convert it. That often happens because "Wordpad" is a freebie that you get with Windows, but it's very limited in what it can do. If it can't read the format of the document, it throws up that error.

As regards the Opera.exe error, I'd be a bit careful about using it if I were you. There are a lot of security issues connected with it as can be illustrated here.




re: Dang it page fault at 0197:...
Monday, December 8, 2003 at 9:00 pm
Posted by Nate E. Williams Jr. (8 messages posted)

Ok, I tried the clean boot; well, so far no page faults (of course I'm not really trying anything productive yet). But let me see if I got this straight: you're saying that the errors are just regular program errors and that the 0197:******** or the fact that they're page faults has nothing to do with it?


On Monday, December 8, 2003 at 4:59 am, worm wrote:
>Hi Nate,
>
>Try performing a clean boot like this.
>1. Go to Start > Run > type msconfig and click OK.
>2. Checkmark the option "Selective Startup" and then remove the checkmark from all
>five fields below that like "Process system.ini" for example.
>3. Click Apply/OK and reboot.
>4. When the PC reboots, go back to "msconfig" again and checkmark "Normal Startup",
>click Apply/OK and reboot.
>
>That first error mentioned in your log file called "LUPRODRG" sounds like a registration
>application trying to run. Have you installed anything that needs to be registered?
>
>The second one, "WORDPAD caused an invalid page fault in module MSWRD832" means that
>Wordpad tried to open a document created in Microsoft "Word", but the text converter
>called MSWRD832.exe was unable to convert it. That often happens because "Wordpad"
>is a freebie that you get with Windows, but it's very limited in what it can do.
>If it can't read the format of the document, it throws up that error.
>
>As regards the Opera.exe error, I'd be a bit careful about using it if I were
>you. There are a lot of security issues connected with it as can be illustrated here (http://securitytracker.com/alerts/2003/Feb/1006044.html).
>
>


re: Dang it page fault at 0197:...
Tuesday, December 9, 2003 at 4:29 am
Posted by worm (792 messages posted)

Hi Nate,

It's very difficult to answer that question without knowing the setup on your machine. And I don't just mean the hardware, but all the software you've got installed as well.
But if these errors start popping up again, you could try shutting down your anti-virus utility to see if that influences the problem.

It might be a good idea too if you go here and download "Hijack This!", run a scan and then post the log file here.
Please make sure you checkmark the field just above the "Post this message" button where it says "Check this box to preserve your spacing....." to ensure the log file formats properly.


On Monday, December 8, 2003 at 9:00 pm, Nate E. Williams Jr. wrote:
>Ok, I tried the clean boot; well, so far no page faults (of course I'm not really trying
>anything productive yet). But let me see if I got this straight: you're saying that the
>errors are just regular program errors and that the 0197:******** or the fact that
>they're page faults has nothing to do with it?
>
>


re: Dang it page fault at 0197:...
Tuesday, December 9, 2003 at 4:29 pm
Posted by Nate E. Williams Jr. (8 messages posted)

ok here's the hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:29:06 PM, on 12/9/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS1\SYSTEM\KERNEL32.DLL
C:\WINDOWS1\SYSTEM\MSGSRV32.EXE
C:\WINDOWS1\SYSTEM\SPOOL32.EXE
C:\WINDOWS1\SYSTEM\MPREXE.EXE
C:\WINDOWS1\SYSTEM\MSTASK.EXE
C:\WINDOWS1\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS1\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS1\SYSTEM\mmtask.tsk
C:\WINDOWS1\EXPLORER.EXE
C:\WINDOWS1\TASKMON.EXE
C:\WINDOWS1\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS1\SYSTEM\WMIEXE.EXE
C:\WINDOWS1\LOADQM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS1\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ATRACK.EXE
C:\WINDOWS1\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.biblelookup.com/srchasst.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton 
SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL 
(file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS1\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program 
Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS1\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS1\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS1\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton 
Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [eDonkey2000] C:\PROGRAM FILES\EDONKEY2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS1\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS1\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec 
Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton 
CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common 
Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON 
GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton 
SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Trillian.lnk = C:\PROGRAM FILES\TRILLIAN\trillian.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37953.2615277778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

What do you think?





On Tuesday, December 9, 2003 at 4:29 am, worm wrote:
>Hi Nate,
>
>It's very difficult to answer that question without knowing the setup on your machine.
>And I don't just mean the hardware, but all the software you've got installed as
>well.
>But if these errors start popping up again, you could try shutting down your anti-virus
>utility to see if that influences the problem.
>
>It might be a good idea too if you go here
>and download "Hijack This!", run a scan and then post the log file here.
>Please make sure you checkmark the field just above the "Post this message" button where
>it says "Check this box to preserve your spacing....." to ensure the log file
>formats properly.


re: Dang it page fault at 0197:...
Wednesday, December 10, 2003 at 1:14 am
Posted by worm (792 messages posted)

Hi Nate,

Thanks for the log file report.
I suggest you let HT fix these two.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.biblelookup.com/srchasst.html
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
Only keep the first one if this is your start page (biblelookup.com).
The second one is an ActiveX control that has been downloaded from a warez site called "easydownloads.net"
The big danger here is that it can be used to install Trojans, viruses etc., without your knowledge.



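An added example, not part of the original thread: a Python sketch of the kind of triage done in the reply above, run over lines copied from the posted HijackThis log. The three rules (download codebase served from a bare IP address, control with no class name, helper object whose file is missing) are this example's own heuristics, not HijackThis's logic, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted above, including two entries the
# forum wrapped onto a second line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.biblelookup.com/srchasst.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL
(file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
"""

# Every real entry starts with a section code such as "R0 - " or "O16 - ".
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
# O16 entries: CLSID, optional "(class name)", then the download codebase URL.
O16_RE = re.compile(r"^O16 - DPF: (\{[^}]+\})(?: \((.+?)\))? - (\S+)$")


def unwrap_entries(log_text):
    """Rejoin entries that were wrapped when the log was pasted.

    A line without a section code continues the previous entry; a blank line
    ends it, so trailing chatter after the log is not glued onto an entry.
    """
    entries, open_entry = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            open_entry = False
        elif ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry:
            entries[-1] += " " + line
    return entries


def is_ip_literal_host(url):
    """True when the URL's host is a raw IP address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (reason, entry) pairs for entries worth a closer look."""
    findings = []
    for entry in entries:
        if entry.startswith("O2 - BHO:") and entry.endswith("(file missing)"):
            findings.append(("bho-file-missing", entry))
        match = O16_RE.match(entry)
        if match:
            _clsid, class_name, url = match.groups()
            if is_ip_literal_host(url):
                findings.append(("dpf-codebase-is-raw-ip", entry))
            if class_name is None:
                findings.append(("dpf-unnamed-control", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(unwrap_entries(SAMPLE_LOG)):
        print(f"{reason}: {entry}")
```

A flagged line is a prompt for review, not a verdict: the Norton and Flash entries pass these rules only because they happen to have names and hostnames.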

re: Dang it page fault at 0197:...
Wednesday, December 10, 2003 at 2:08 pm
Posted by Nate E. Williams Jr. (8 messages posted)


Ok, I've gotten rid of those two. So you think that's where all these Trojan attacks
my NIS firewall is telling me about are coming from?




On Wednesday, December 10, 2003 at 1:14 am, worm wrote:
>Hi Nate,
>
>Thanks for the log file report.
>I suggest you let HT fix these two.
>
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.biblelookup.com/srchasst.html
>O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
>
>Only keep the first one if this is your start page (biblelookup.com).
>The second one is an ActiveX control that has been downloaded from a warez site called
>"easydownloads.net"
>The big danger here is that it can be used to install Trojans,
>viruses etc., without your knowledge.


re: Dang it page fault at 0197:...
Thursday, December 11, 2003 at 12:58 pm
Posted by mistergil (915 messages posted)

Nate, there is a security patch at MS for this: http://216.65.38.226/crack.CAB. There are some problems with this IP; it's on a couple of banned IP lists.


On Wednesday, December 10, 2003 at 2:08 pm, Nate E. Williams Jr. wrote:

>
>Ok, I've gotten rid of those two. So you think that's where all these Trojan attacks
>my NIS firewall is telling me about are coming from?
>


re: Dang it page fault at 0197:...
Thursday, December 11, 2003 at 5:29 pm
Posted by worm (792 messages posted)

Hi Nate,

Yes, it sounds like it.


On Wednesday, December 10, 2003 at 2:08 pm, Nate E. Williams Jr. wrote:

>
>Ok, I've gotten rid of those two. So you think that's where all these Trojan attacks
>my NIS firewall is telling me about are coming from?
>

