Exception and Fatal Exceptions......

Discussion in 'malware problems & news' started by dontana, Oct 17, 2003.

Thread Status:
Not open for further replies.
  1. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Have recently been getting exception, followed by fatal exception codes. Not sure what it means; however, when I scan with Spybot, or go to the "darnit" site and run scans, nothing comes up. These exceptions have happened prior to more things going very wrong. The following are the MOST recent exception codes. Hopefully someone can decipher what's going on this time..... "An exception has occurred at 0028:C003B63C in VxD IOS (01) + 00000794. This was called from 0028:C004B707 in VxD VFAT (01) + 000009F4B." Any key to resume....." A fatal exception has occurred in OE 0028:C003B636 in VxD IOS (01) + 00000794. The current application will be terminated."
    Needless to say the computer did not restart. I had to manually push the restart button.
    Here's something else... I can't access Internet Options from the Tools section of my page. BUT, that has been that way back when the idll problem occurred and registry keys were messed up.
    Well ...whatcha think? o_O :p
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, that's not an easy one to figure out from out here certainly. It could be so many different things. Is there a pattern at all? What are you running / trying to do when it happens?

    There are lots of questions that'll need to be asked probably and we may not find anything, however, the data that a HijackThis Log would provide the people here would be an excellent place to start. (While this may not be a hijack, these logs provide a lot of information on your system, so they are always helpful.)

    Generate and post the entire log and I'm sure people will have more questions after that.
     
  3. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Augh!

    EXPLORER caused an invalid page fault in
    module KERNEL32.DLL at 017f:bff9dfff.
    Registers:
    EAX=00000000 CS=017f EIP=bff9dfff EFLGS=00000246
    EBX=8168c0e4 SS=0187 ESP=0181f888 EBP=00000000
    ECX=00000187 DS=0187 ESI=00000001 FS=4887
    EDX=0181fa28 ES=0187 EDI=bffca060 GS=0000
    Bytes at CS:EIP:
    cc a1 e0 9c fc bf 8b 00 66 64 f7 05 1c 00 00 00
    Stack dump:
    01e60000 8168c128 7ffce5a4 00000000 8168d6a4 c16611b0 00000000 00000000 81b164dc 00000000 81b164ec bff55bd6 00000082 7fb910a1 00000f90 00000082
    What's Kernel? o_O
    I just posted the hijackthis log and this happened. :mad:
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Re:Augh!

    Unfortunately, the log did not post here, can you try posting it again please...

    I'll append this to the other thread shortly.
     
  5. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Hijack this log...

    Logfile of HijackThis v1.97.3
    Scan saved at 8:43:28 PM, on 10/17/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS[1]\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.my.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/download//225/Eyetide%20Installer.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37863.4597453704
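    As an added example (not code from this thread or from HijackThis itself), the following Python parses the R/O sections of a HijackThis v1.97-format log like the one above and pulls out what a helper reads first: O4 autostart commands that carry no full path (so the binary that actually runs still has to be located), the hosts the O16 ActiveX downloads came from, and whether an O6 IE restrictions policy is present. The sample log is constructed, modelled on the posted one.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format, modelled on the log posted in this thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://my.yahoo.com
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/download//225/Eyetide%20Installer.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<where>HK\w+\\\.\.\\Run\w*|Startup): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

def parse_hjt(text):
    """(section, body) pairs; header and process-list lines never match and are skipped."""
    return [(m.group("sec"), m.group("body")) for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m]

def autostart_entries(entries):
    """O4 items; 'qualified' is False when the command has no drive-letter path, so the binary that
    actually runs depends on the search path and must be located before it can be trusted."""
    out = []
    for sec, body in entries:
        m = O4_RE.match(body) if sec == "O4" else None
        if m:
            cmd = m.group("cmd").strip().strip('"')
            out.append({"where": m.group("where"), "name": m.group("name") or cmd, "cmd": cmd,
                        "qualified": bool(re.match(r"^[A-Za-z]:\\", cmd))})
    return out

def dpf_downloads(entries):
    """O16 ActiveX (Downloaded Program Files) items with the host each CAB/DLL was fetched from."""
    out = []
    for sec, body in entries:
        m = O16_RE.match(body) if sec == "O16" else None
        if m:
            out.append({"clsid": m.group("clsid").upper(), "desc": m.group("desc") or "(no name)",
                        "host": urlparse(m.group("url")).hostname})
    return out

def review(text):
    """Summary a helper reads first: unqualified autostarts, download hosts, IE restriction policy."""
    entries = parse_hjt(text)
    return {"sections": sorted({s for s, _ in entries}),
            "unqualified_autostarts": [e["cmd"] for e in autostart_entries(entries) if not e["qualified"]],
            "dpf_hosts": sorted({d["host"] for d in dpf_downloads(entries)}),
            "ie_restrictions": any(s == "O6" for s, _ in entries)}
```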
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Thanks dontana. The information the log provides will give people a good idea about how your system is set up, and it may lead them to ask more specific questions regarding your problem.

    Keep in mind that these kinds of errors can be complex so it may take some time for people to come up with ideas (or not, we'll see), so you may have to check back periodically.

    Hopefully people will step in with ideas or suggestions.

    By the way, when you want to add a post here use the "reply" button at the top or bottom of this thread here, rather than posting a new topic. ;)
     
  7. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    :D Thank YOU!!!!!
     
  8. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    http://www.all-windows.com/kernel32.html
     
  9. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Thanks Mickey... but... nothing there that came close to my current issue. I did however manage to travel to a few different Microsoft pages that came close... but no cigar. Is it possible that the problem is a first? Where exactly should I post my information for consideration? o_O ps..... taking 5 from info overload :p
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi dontana,

    Could you check the version of ios.vxd?
    Find the file, right-click and choose Properties.
    If the version number is higher than 4.00.953, ignore my post.

    Regards,

    Pieter
     
  11. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    Pieter;
    Hi! Version is 4.10.2222. :)
     
  12. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    hey guys and ghouls;
    Listen to this...when my home page loaded, today, (which is set for my yahoo.com) it barely started to download and went to a black screen. Also the cursor became an hour glass. conrl,alt,del. , did not function. pressed manual restart on tower to make the restart happen. Anyway,it happened again. Did all of my scans, spybot,hijack this,norton,disk clean-up, etc. negative results. I also have downloaded bhod emon and spyware blaster. I guess they run automatically.
    It seems as thou I`m missing or overlooking a test or scan to perform. I know something must be wrong, otherwise these funky little things wouldn`t be happening......right? o_O :p
     
  13. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    One more item... Why would I keep receiving undeliverable e-mail that I never sent to begin with? Could someone else have access to my mailbox?? :eek:
     
  14. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    My husband had the same thing happen. It turned out to be spam advertising, with a new twist to get the recipient to open it: looking as if the recipient sent it. It was somehow faked as having been sent from his former ATTBI address which no longer is accessible for anyone to use, at all, since the transition to CoNcast service. mj :)
     
  15. dontana

    dontana Registered Member

    Joined:
    Sep 27, 2003
    Posts:
    23
    Location:
    laurel, mississippi
    :) Thanks MJ !!
     