Can't Access Web Sites

[Tommy Meehan]

After running CWShredder on my IBM Thinkpad 380ED with Win98, which took care of a Coolsearch worm nicely, I can 1) log on to AOL normally, but 2) Internet Explorer won't open at all and 3) I can't access any websites. I get an "Illegal Operation" message instead.

Is this an LSP problem? Any suggestions folks? BTW, if I seem like I know something about computers, I don't. But I write freelance historical articles and depend on my laptop immensely. Tommy

 

[Krelian]

If you can connect to the internet, than it's probably not an LSP problem.

Nevertheless, here is a small page on LSP fixing:
http://www.cexx.org/lspfix.htm


Have you also ran other spyware utilities such as ad-aware or spybot S&D?

Ad-aware:
http://download.com.com/3000-8022-10214379.html?tag=lst-0-7

Spybot S&D:
http://download.com.com/3000-8022-10194058.html?tag=lst-0-2

-If Internet Explorer crashes, perhaps you could do a repair? Go to Add/Delete Programs in the control panel and select Internet Explorer. You will get an option to repair.

-If AOL has similar problems, you should note that AOL's browser is really just a spruced up and much more buggy Internet Explorer.

-If AOL wont access websites all together, then you might have an LSP problem.

-Also, you might want to check for virii.

-In a last resort, you can always use a system restore, or if it REALLY calls for it, reinstall windows 98.


Reguardless of any of those tips, you can help further any support by posting a Hijack This Log.

Download this:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Unzip it to a folder somewhere on your hard drive, then open it and hit Scan...

DO NOT FIX ANYTHING UNTIL INSTRUCTED TO DO SO! YOU COULD VERY BADLY MESS UP YOUR COMPUTER!

..Instead, hit "Save Log" then come back here, open that log with Notepad and copy/paste it here so that the experts may index it and give their opinions.

 

[Tommy Meehan]

Thanks Krelian I'm at work right now (laptop is home) but I downloaded the Hijack This file and will run tonite.

 

[Tommy Meehan]

Here's the result of my HJT scan on my Thinkpad 380 ED w/WIN98. I ran LSP, Winsock and Spybot but still can't access websites. Can log on to AOL and read and send email. Hmmm


Logfile of HijackThis v1.97.7
Scan saved at 11:16:09 PM, on 4/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\EXPLORER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [nmn] C:\WINDOWS\nmn.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [System Update2] c:\windows\system\explorer.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/v1/wJJOQAbrBgqrTtJiKteKHNqa6Gv4XFY-NLl4SR15qHUqPtBfP6jq95kB769CrtRXe2rGVywbV152iJmSyqk/Commuters Wear Pig Masks: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37992.7893171296
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
O19 - User stylesheet: (file missing)

 

[Krelian]

First
------------

Download this:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

***Close all browsers.***

Run CWShredder.exe, let it finish and close.


Second
------------

Go here and read this and follow the instructions:
http://www.spyany.com/program/article_spy_rm_Internet_Optimizer.html

Go here and read this and follow the instructions:
http://simplythebest.net/info/spyware/istbar_spyware.html

Third
------------

Open hijack this and scan. Put a check mark next to the following entries if they appear:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O19 - User stylesheet: (file missing)

Fourth
------------

Reboot, rescan, and post your hijack this log again. I'm not an expert at hijack this logs, so I'm just giving you any help at cleaning off at least some of the junk. You'll have to wait until someone with a bit more experience comes around to tell you what else you need to do.

 

[Tommy Meehan]

Krelian thanks again. I will follow the procedures as listed tonite and finish with an HJT scan.

 

[NiteHawk]

Let me add a few more to the already excellent advise you have gotten from Krelien

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [nmn] C:\WINDOWS\nmn.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [System Update2] c:\windows\system\explorer.exe
filez.exe is an adult dialer. Nmn is considered spyware. IST is spyware. The VALID explorer.exe (Windows Explorer) is I C:\Windows, NOT windows\system. There are several virus programs that use this trick.

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
These two are big resource hogs. FindFast takes much and gives little in return. By gaining back the resources it uses you can find and open MS Office files just as fast or faster!

O9 - Extra button: Sidesearch (HKLM)

O12 - Plugin for .com/v1/wJJOQAbrBgqrTtJiKteKHNqa6Gv4XFY-NLl4SR15qHUqPtBfP6jq95kB769CrtRXe2rGVywbV152iJmSyqk/Commuters Wear Pig Masks: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O19 - User stylesheet: (file missing)



Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\ filez.exe

C:\Windows\Nmn.Exe
C:\Windows\Nem214.Dll

C:\Windows\System\Explorer.Exe

C:\Program Files\Istbar\Istbar.Dll
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Lycos\Sidesearch\Sidesearch1311.Dll

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks

 

[Tommy Meehan]

Nitehawk thanks! I will incorporate your advice as well. And yes, I have SpyBot installed. One thing, you mentioned closing all Internet Explorer windows. That's the problem. I can't open Internet Explorer. When I click on the Desktop shortcut I get nothing! Though I can log on to AOL I can't even open Google. When I try, I crash!

 

[NiteHawk]

Let's get the above items cleaned up first. Getting IE to open may be a by product of that work. IF not we can look into that problem after the cleanup.

Also I would suggest going to \Windows\Temporary Internet Files and deleting ALL of them. Needless garbage and overhead and sometimes a hidding place for malware.

Also delete all files and folders in \Windows\Temp.

 

[Tommy Meehan]

Hi Guys I followed the above instructions and am once again able to access web sites. Terrific and I thank you both, Krelian and Nitehawk. The ONLY folders/files I couldn't and delete find were - 1) c:\filez.exe, 2) C:\windows|nmn.exe. 3) c:\windows\nem214.dll and C:\windows\system\explorer.exe. Everything else was successfully deleted.

However...

Heh heh

A strange thing happened. A popup called-
http://trafficex.org/trs/redirect.php?adv=aI8pgk

ALSO reappeared. That's what got me into this mess to begin with. While in AOL the above opens in IE, and then starts opening porn sites. I close it and it reopens in 3-5 minutes. Again and again and....

Anyway, here's the HJT log

Logfile of HijackThis v1.97.7
Scan saved at 8:06:46 PM, on 4/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDATE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\CONSOL32.EXE
C:\WINDOWS\DLM.EXE
C:\WINDOWS\DL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
A:\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37992.7893171296
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab

 

[Krelian]

You must boot into safe mode to delete those files.

http://service1.symantec.com/SUPPOR...001052409420406

 

[Tommy Meehan]

Hi Krelian
I did go into Safe Mode and managed to find several of the files Nitehawk suggested deleting -C:\program files\istbar and lycos\sidesearch.

Previously, on a thread about deleting trafficex.org, someone suggested - whoops here comes trafficex.org again - (okay I shut it down), someone recommended going into msconfig and unchecking the following-

C:\WINDOWS\CONSOL32.EXE
C:\WINDOWS\DLM.EXE
C:\WINDOWS\DL.EXE

It DID get rid of traffic.org but the IE browser was still opening on its own (both when I was in AOL and off-line) and instead of trafficex.org I would get "Can't find server" or something to that effect. I wanted to get rid of THAT, ran CWShredder and then lost internet connectivity altogther which, thanks - man, there goes traffic.org again, it's like frigging Old Faithful! - anyway, thanks to you and Hawk I have now regained.

But how, after running Spybot, Adaware and CWshredder did this pesky pop up manage to survive? It must be hardier than a cockroach!

Tommy

 

[NiteHawk]

You're right about the cockroach!! Running CWShredder, Spybot and Ad-Aware should have zapped it!! Also some reference to trafficex usually shows up in the O16 items.

Let's have another go at this puppy.

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe




Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\consol32.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\dl.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

REBOOT into normal mode


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

REBOOT

Also let's make another pass using CWShredder and then Ad-Aware. Make sure that you have the latest CWShredder ad that you get the newest updates for both Spybot and Ad-Aware.

Last, run HJT again and post your log again to see if anything was missed.

Thanks

 

[Tommy Meehan]

Thanks again. I will follow the procedures (possibly this afternoon if my Boss lets us outa here early ) and post a new HJT scan log.

 

[Tommy Meehan]

Nitehawk I followed your instructions and was able to delete everything except-

O4 - HKLM\..\Run: [Cons] C:\WINDOWS\consol32.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe

The problem was I couldn't find them in the HJT scan. Then I followed the rest of your directions except for Ad-Aware since it takes awhile to run and as you can see by the time I'm posting this, it was getting pretty late.

Anyway, my laptop is running much faster and smoother now and my browser has not been hijacked once. Wow! Whatta country!!

Here's my latest HJT scan log

Logfile of HijackThis v1.97.7
Scan saved at 1:39:28 AM, on 4/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
A:\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37992.7893171296
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab