Tried everything to get rid of MSG121.dll

Discussion in 'adware, spyware & hijack cleaning' started by JennyN, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. JennyN

    JennyN Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    5
    OK, I've tried everything posted on this site. I downloaded HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:13 AM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SSA\Smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\PROGRA~1\navnt\DefWatch.exe
    C:\PROGRA~1\navnt\Rtvscan.exe
    C:\WINDOWS\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
    C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Compaq\Hotkey Software\hkss.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\navnt\vptray.exe
    C:\Program Files\Jabber\Messenger\JabberMessenger.exe
    C:\Program Files\Compaq Wireless LAN\Client Manager\CMCOM.EXE
    C:\Program Files\eRoom 6\ERClient.exe
    C:\Unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/iesearchpane/pane.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.cv.hp.com:8088
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
    O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [Jabber Messenger] C:\Program Files\Jabber\Messenger\JabberMessenger.exe -hidden
    O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
    O4 - Global Startup: Compaq Client Manager.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O15 - Trusted Zone: http://ie.config.asia.compaq.com
    O15 - Trusted Zone: http://ie.config.eur.compaq.com
    O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
    O15 - Trusted Zone: http://ie.config.jp.compaq.com
    O15 - Trusted Zone: http://ie.config.ecom.dec.com
    O15 - Trusted Zone: http://ie.config.tandem.com
    O16 - DPF: HPVC component - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component401131.cab
    O16 - DPF: HPVC resources - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources40147.cab
    O16 - DPF: HPVC signed - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed40139.cab
    O16 - DPF: HPVC support - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support4016.cab
    O16 - DPF: HPVC vminfo - https://www.hpe-learning.com/testsetup/vminfo.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38061.4257986111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D36DB929-4E4C-11D0-BDC3-0040053958FE} (WComboBoxControl.WComboBox) - http://boi1168.boise.itc.hp.com:8080/treecontrol/WComboBox.CAB
    O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://eroom3.external.hp.com/eroomsetup/client.cab

    I ran the Kill Box:
    Log for KillBox Version: 2.00.0176
    ------------------------------------

    Input Entry C:\WINDOWS\system32\msg121.dll
    c:\windows\system32\msg121.dll Could Not be Deleted
    ---msg{}dll search---
    C:\WINDOWS\System32\msg121.dll
    C:\WINDOWS\System32\msgina.dll
    C:\WINDOWS\System32\msgsvc.dll
    C:\WINDOWS\System32\Msgsys.dll
    C:\WINDOWS\System32\dllcache\msgina.dll
    C:\WINDOWS\System32\dllcache\msgr3en.dll
    C:\WINDOWS\System32\dllcache\msgrocm.dll
    C:\WINDOWS\System32\dllcache\msgsvc.dll
    C:\WINDOWS\System32\Setup\msgrocm.dll
    Input Entry C:\WINDOWS\System32\Setup\msgrocm.dll

    I downloaded the MSG121 Finder!:
    A C:\WINDOWS\System32\msg121.cpy.dll
    A C:\WINDOWS\System32\msg121.dll
    File not found - C:\WINDOWS\System32\msguard.dll


    Following processes use 'msguard.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 932
    [Access denied] 1648
    [Access denied] 1660
    [Access denied] 288
    [Access denied] 844
    [Access denied] 2140
    Following processes use 'msg120.cpy.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 932
    [Access denied] 1648
    [Access denied] 1660
    [Access denied] 288
    [Access denied] 844
    [Access denied] 2140
    Following processes use 'msg120.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 932
    [Access denied] 1648
    [Access denied] 1660
    [Access denied] 288
    [Access denied] 844
    [Access denied] 2140
    Following processes use 'msg121.cpy.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 932
    [Access denied] 1648
    [Access denied] 1660
    [Access denied] 288
    [Access denied] 844
    rundll32.exe 260
    [Access denied] 2140
    Following processes use 'msg121.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 932
    winlogon.exe 956
    [Access denied] 1648
    [Access denied] 1660
    [Access denied] 288
    [Access denied] 844
    [Access denied] 2140


    "File(s) not found: ***good news***!!!"
    "File(s) found: ***bad news***!!!"


    And the MSG121Fix! tool which wouldn't reboot my computer automatically. The instructions say not to touch the screen's prompt box (!) but it kept timing out and just hanging there when it would try to log off. So I'm still stuck with this MSG121 problem. Please help. :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi JennyN,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    Then copy and paste the text in bold into your IE address bar and post the results that get displayed:
    javascript:navigator.userAgent

    Regards,

    Pieter
     
  3. JennyN

    JennyN Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    5
    Here's what came back...
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {A59C0389-6BA9-450E-9E97-C483B6C9101D}; .NET CLR 1.0.3705)

    o_O
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi JennyN,

    Did you get the files here: http://www10.brinkster.com/expl0iter/freeatlast/L2M/Msg121.htm and did you follow the instructions for Win2k/XP?

    Let me know if you succeed this time. If not, I will ask FreeAtLast to assist.

    Regards,

    Pieter
     
  5. JennyN

    JennyN Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    5

    Here's my new HijackThis log (it seems to be getting worse!)

    Logfile of HijackThis v1.97.7
    Scan saved at 10:40:04 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SSA\Smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\PROGRA~1\navnt\DefWatch.exe
    C:\PROGRA~1\navnt\Rtvscan.exe
    C:\WINDOWS\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\Program Files\Common Files\ActivCard\acautoreg.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
    C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Compaq\Hotkey Software\hkss.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\navnt\vptray.exe
    C:\Program Files\eRoom 6\ERClient.exe
    C:\Program Files\Jabber\Messenger\JabberMessenger.exe
    C:\WINDOWS\System32\PSCN604P.exe
    C:\WINDOWS\System32\PSCN604P.exe
    C:\Program Files\Nortel Networks\Extranet.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/portal/index.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy/autoproxy/autoproxy
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.cv.hp.com:8088
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
    O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [Jabber Messenger] C:\Program Files\Jabber\Messenger\JabberMessenger.exe -hidden
    O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
    O4 - Global Startup: Compaq Client Manager.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O15 - Trusted Zone: http://ie.config.asia.compaq.com
    O15 - Trusted Zone: http://ie.config.eur.compaq.com
    O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
    O15 - Trusted Zone: http://ie.config.jp.compaq.com
    O15 - Trusted Zone: http://ie.config.ecom.dec.com
    O15 - Trusted Zone: http://ie.config.tandem.com
    O16 - DPF: HPVC component - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component401131.cab
    O16 - DPF: HPVC resources - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources40147.cab
    O16 - DPF: HPVC signed - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed40139.cab
    O16 - DPF: HPVC support - http://vrm08.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support4016.cab
    O16 - DPF: HPVC vminfo - https://www.hpe-learning.com/testsetup/vminfo.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38061.4257986111
    O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://hppkis01.can.hp.com/userweb/vscertdel.cab
    O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://hppkis01.can.hp.com/userweb/capicom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D36DB929-4E4C-11D0-BDC3-0040053958FE} (WComboBoxControl.WComboBox) - http://boi1168.boise.itc.hp.com:8080/treecontrol/WComboBox.CAB
    O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://eroom3.external.hp.com/eroomsetup/client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF9C4ED-9821-4952-8821-99B499EFF816}: NameServer = 15.243.160.51,15.235.240.51


    Here's my Finder Log:
    A C:\WINDOWS\System32\msg121.dll
    File not found - C:\WINDOWS\System32\msguard.dll


    Following processes use 'msguard.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 928
    [Access denied] 1616
    [Access denied] 1628
    [Access denied] 260
    [Access denied] 792
    Following processes use 'msg120.cpy.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 928
    [Access denied] 1616
    [Access denied] 1628
    [Access denied] 260
    [Access denied] 792
    Following processes use 'msg120.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 928
    [Access denied] 1616
    [Access denied] 1628
    [Access denied] 260
    [Access denied] 792
    Following processes use 'msg121.cpy.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 928
    [Access denied] 1616
    [Access denied] 1628
    [Access denied] 260
    [Access denied] 792
    Following processes use 'msg121.dll'
    [Access denied] 0
    [Unknown] 4
    [Access denied] 928
    winlogon.exe 952
    [Access denied] 1616
    [Access denied] 1628
    [Access denied] 260
    [Access denied] 792


    "File(s) not found: ***good news***!!!"
    "File(s) found: ***bad news***!!!"


    I somehow got rid of the ...cpy.msg121.dll file - not sure how. Maybe Ad-aware was able to delete that one, but I still have the original file msg121.dll.

    Thanks for your help.
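
Added example, not part of the original thread and not code from HijackThis: a short Python script that parses two HijackThis logs, reports which entries disappeared or appeared between scans, and lists entries marked "(no file)". The sample inputs are a few lines excerpted from the two logs posted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# An entry line is "<code> - <text>", e.g. "O4 - HKLM\..\Run: [name] path".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")

def parse_entries(log_text):
    """Return the set of (section code, entry text) pairs in a HijackThis log."""
    return {m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m}

def diff_logs(before, after):
    """Return (removed, added): entries grouped by section code."""
    old, new = parse_entries(before), parse_entries(after)
    removed, added = defaultdict(list), defaultdict(list)
    for code, text in sorted(old - new):
        removed[code].append(text)
    for code, text in sorted(new - old):
        added[code].append(text)
    return dict(removed), dict(added)

def orphaned(log_text):
    """Entries HijackThis marked "(no file)": the registry value outlived its file."""
    return sorted(e for e in parse_entries(log_text) if e[1].endswith("(no file)"))

# Constructed excerpts: a few lines copied from each of the two logs in this thread.
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O16 - DPF: HPVC vminfo - https://www.hpe-learning.com/testsetup/vminfo.cab
"""
AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/portal/index.jsp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O16 - DPF: HPVC vminfo - https://www.hpe-learning.com/testsetup/vminfo.cab
O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://hppkis01.can.hp.com/userweb/vscertdel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF9C4ED-9821-4952-8821-99B499EFF816}: NameServer = 15.243.160.51,15.235.240.51
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for label, group in (("removed", removed), ("added", added)):
        for code, texts in sorted(group.items()):
            for text in texts:
                print(f"{label:8}{code:4}{text}")
    print("no file:", orphaned(BEFORE))
```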
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi JennyN,

    Please answer Pieter's questions so we can decide where to go from here.

    Thanks,
    Kent
     
  7. JennyN

    JennyN Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    5
    Sorry, I haven't checked lately.... :rolleyes:
    It mysteriously disappeared one day. I kept running Ad-aware 6.0, and it must have gotten rid of it somehow.
    I now have one showing up called 6004svc.copy.dll
    Is this a new 'bad' file?

    Thanks, and I'll check back more frequently in the future!!
    Jenny
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  9. JennyN

    JennyN Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    5
    Thank you for directing me to that web site. It was tedious to go through all the steps, but now I'm free!!
    Free at last! Free at last, thank God Almighty! I'm free at last!!! :-*
     