Explorer Problems

Discussion in 'SpywareBlaster & Other Forum' started by DLee2913, Aug 9, 2003.

Thread Status:
Not open for further replies.
  1. DLee2913

    DLee2913 Guest

    Really appreciate this forum. I'm not much of a tech guy. . . . After running Spybot and Spyware, my computer ran much faster. Lots of free memory. Unfortunately, though, there has been some negative impact.

    Whenever I surf the Web using Internet Explorer, I inevitably suffer an "illegal operation" that forces me to restart the computer. Sometimes it happens within my first 1-2 minutes on-line -- other times it takes place after 15-20 minutes. Big inconvenience.

    One other issue: When I first rebooted my computer after running spyware, I got the little flashlight box -- computer was looking for "offers.exe." It later did the same for "spybot.exe." Not sure whether this is the source of my explorer problem.

    I'd be grateful for any advice.

    Dave
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi DLee2913,

    Please note, I removed your other duplicate post so we can keep the conversation on this topic all in one place.

    Exactly what program are you talking about - which "Spyware" application? SpywareGuard? SpywareBlaster?

    Since there is no "offers.exe" in any Javacool products, I'm guessing that what happened is you ran a scan and repair pass with Spybot S&D and it cleaned up some malicious programs from your computer, namely this "offers.exe" and since it's gone, but its startup entries are still there, your system is letting you know that it can't find it.

    The Internet Explorer issues can also be caused by the remains of malicious programs having been removed from your system...

    So, I think you need to run a startup checker program (called HijackThis - see below), so we can finish the cleanup job and remove the entry that's looking for offers.exe.

    Go to http://www.tomcoyote.org/hjt and download "HijackThis!". Unzip it. Run the HijackThis.exe file and press the [Scan] button... When the scan is finished, the [Scan] button will change into a [Save Log] button. Press that, save the log somewhere and paste the contents into a post here for us to look at.

    Note that much of what will be listed there is correct and should not be fixed. So, just post the output here and let's see if the people here can help identify the problem.
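
The leftover startup entries described in the post above can be picked out of a saved HijackThis log mechanically. The following is an added example, not part of the original post and not HijackThis's own code: it parses the O4 (autostart) lines and reports those whose absolute target path no longer exists. The sample log lines, the `C:\EXAMPLE` paths and the `sample_exists` check are constructed for illustration; on a live system `os.path.exists` would be passed instead.

```python
import re

# HijackThis O4 lines come in two shapes:
#   O4 - HKLM\..\Run: [Name] command line
#   O4 - Startup: Shortcut.lnk = C:\path\target.exe
RUN_KEY = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
SHORTCUT = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+", re.I)
# A quoted path, or everything up to the first executable-looking extension.
TARGET = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|cmd|scr|pif|ocx))(?=[\s,]|$)', re.I)
ABSOLUTE = re.compile(r"^[A-Za-z]:\\")

def parse_o4(log_text):
    """Return (location, name, command) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_KEY.match(line.strip()) or SHORTCUT.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def target_of(command):
    """Extract the file a command line loads; for rundll32 that is the DLL."""
    m = TARGET.match(RUNDLL.sub("", command.strip()))
    return (m.group(1) or m.group(2)) if m else None

def orphaned_autostarts(log_text, exists):
    """O4 entries whose absolute target is missing according to exists()."""
    orphans = []
    for location, name, command in parse_o4(log_text):
        target = target_of(command)
        # Bare names such as SysTray.Exe resolve via the search path: skip them.
        if target and ABSOLUTE.match(target) and not exists(target):
            orphans.append((location, name, target))
    return orphans

# Constructed sample input (not the log posted in this thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ExampleOffers] "C:\EXAMPLE DIR\offers.exe" /start
O4 - HKLM\..\Run: [ExampleDll] rundll32 C:\EXAMPLE\helper.dll,Start
O4 - Startup: Example.lnk = C:\EXAMPLE\gone.exe
O9 - Extra button: Messenger (HKLM)
"""
PRESENT = {r"c:\windows\taskmon.exe", r"c:\example\helper.dll"}  # constructed

def sample_exists(path):
    return path.lower() in PRESENT
```

An entry reported here is only a candidate for the "Fix checked" step: the file-existence check says nothing about whether a target that is still present is wanted.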
     
  3. DLee2913

    DLee2913 Guest

    Thank you! I'm grateful for your help. To answer your first question, the program was Spyware Blaster. . . . I took your advice and ran HijackThis. The output is listed below:

    Logfile of HijackThis v1.96.0
    Scan saved at 8:39:25 AM, on 8/9/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\TRAYMAN\TRAYMAN.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
    C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\TPHKMGR.EXE
    C:\CFGSAFE\AUTOCHK.EXE
    C:\WINDOWS\SYSTEM\DAEMON.EXE
    C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\TPONSCR.EXE
    C:\WINDOWS\SYSTEM\IBMBAY2M.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\PROMON.EXE
    C:\WINDOWS\SYSTEM\S3MON.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\PDIRECT.EXE
    C:\PROGRAM FILES\THINKPAD\UTILITIES\TP98.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\SIDECAR\SIDECAR.EXE
    C:\WINDOWS\BLITZ\WINNOTIF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\LINKSYS\WIRELESS NETWORK PC CARD\WPC11CFG.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=100
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=100
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=100
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.runsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\THINKPAD\UTILIT~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] c:\windows\SYSTEM\IBMBAYSN.EXE
    O4 - HKLM\..\Run: [IBMUltraBayHotSwapCPLLoader] c:\windows\SYSTEM\IBMBAY2M.EXE
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [S3Mon] S3Mon.exe
    O4 - HKLM\..\Run: [PDirect] C:\PROGRA~1\THINKPAD\UTILIT~1\PDirect.exe
    O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\THINKPAD\UTILIT~1\TP98.EXE /s
    O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
    O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\RunServices: [TrayManager] C:\PROGRA~1\TRAYMAN\TRAYMAN.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
    O4 - HKLM\..\RunServices: [awhost32] C:\Program Files\Symantec\pcAnywhere\\Awhost32.exe /A
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: SideCar DCIS Authentication.lnk = C:\Program Files\SideCar\SideCar.exe
    O4 - Startup: WinNotif.lnk = C:\WINNT\Blitz\WinNotif.exe
    O4 - Startup: OfferCompanion.lnk = C:\WINDOWS\Desktop\spybotsd12.exe
    O4 - Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/098fa6172d77d7268200/netzip/RdxIE601.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi DLee2913,

    First go to Add/Remove Software and see if you can remove NewDotNet aka New.Net there, either way continue with the following.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=100
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=100

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=100
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.runsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

    O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/098fa6172d77d7268200/netzip/RdxIE601.cab

    Reboot after doing so, preferably into safe mode and delete:
    C:\Program Files\NewDotNet <= entire folder
    C:\PROGRAM FILES\CLEARSEARCH <= entire folder
    C:\PROGRAM FILES\PrecisionTime <= entire folder
    C:\PROGRAM FILES\Date Manager <= entire folder

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Right-click in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Keep us posted on your progress.

    Regards,

    Pieter
     
  5. DLee2913

    DLee2913 Guest

    Looks like the problem's solved! My Explorer hasn't had an "illegal operation" all afternoon.

    Thank you!

    Dave
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi DLee2913,

    That is good to hear. :)

    Regards,

    Pieter
     