Annoyances.org
CW-Shredder help, please?
Windows 98 Annoyances Discussion Forum


The following are all of the messages in this thread (32 in all), shown in chronological order.
CW-Shredder help, please?
Sunday, March 14, 2004 at 1:49 pm
Posted by lina (209 messages posted)

I have downloaded CW-Shredder and as it was scanning it got closed, saying it has performed an illegal operation. Upon the next click on CW-Shredder I get this message: You have a variant of the Coolwebsearch trojan (CWS.Smartsearch.2) that has attempted to close CW-Shredder. To counter this, CWS is now starting with a random string of text in the title bar. CWS is still functioning fine, it has not been corrupted. So, I don't know what to do now and how to get rid of the cws variant as the CW-Shredder keeps closing on me still. lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Sunday, March 14, 2004 at 2:07 pm
Posted by Ms. Eagle (33640 messages posted)


lina, that variant closes spyware removal programs. You need to run this mini removal 
tool first. Then run the Shredder again. 

CoolWWWSearch.SmartKiller: SmartKiller.exe


Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Sunday, March 14, 2004 at 6:57 pm
Posted by triplate (20834 messages posted)

Thanks for your kind help, Carol.


On Sunday, March 14, 2004 at 2:07 pm, Carol wrote:
>lina, that variant closes spyware removal programs. You need to run this mini removal
>tool first. Then run the Shredder again.
>
>CoolWWWSearch.SmartKiller: SmartKiller.exe
>
>Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Sunday, March 14, 2004 at 7:23 pm
Posted by Ms. Eagle (33640 messages posted)

 




    Carol    




On Sunday, March 14, 2004 at 6:57 pm, triplate wrote:
>Thanks for your kind help, Carol.

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Sunday, March 14, 2004 at 10:44 pm
Posted by Ms. Eagle (33640 messages posted)


In case you'd rather, you'll also find the CoolWWWSearch.SmartKiller download on 
this page: 

CoolWebSearch Chronicles


Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Wednesday, March 17, 2004 at 7:43 am
Posted by lina (209 messages posted)

Carol, I ran the smartkiller.exe first as you suggested, then tried CW-Shredder again but I still have that variant and it keeps closing the CW-Shredder. I don't know what to do now. thank you. lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Wednesday, March 17, 2004 at 11:50 am
Posted by Ms. Eagle (33640 messages posted)


I haven't heard that before. Be sure you have the most recent Shredder version. It's updated very frequently. Try downloading a fresh copy of both the SmartKiller and Shredder. Then try again. Be sure to close all browser windows and run them "offline". If it still doesn't work, download and run Spybot first. Reboot. Then give it another go. We can use HijackThis if necessary.

I hadn't advised you to clear out your TIF and other temps also.

Go to Control Panel - Internet Options. Under the General tab click the Delete temporary internet files, choose to delete all Offline content. In Settings, set the size of your TIF folder between 5 - 10 MB.

Choose View Objects tab. On the toolbar, choose View Details. If any of those ActiveX Controls are marked "damaged", remove them. Any and all ActiveX Controls, can be safely removed. They'll be downloaded again as needed. To uninstall, right click and Remove. You may want to keep those by MS, Macromedia or Apple.

Also, go to Start - Find - Files or folders - in the named box, type: *.tmp and choose Edit - select all - File - delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one. Empty Recycle bin.

Download Spybot S&D

Close all running programs, install then reboot. Start it and go online and press 'search for updates' tab. (NOTE: if you have problems, select the US or Australian mirror site to download updates from). Download all updates that aren't optional. Close all browser windows and run the scan. When it's finished, 'Check All', and fix everything SpybotSD labels in RED. Reboot.

Carol


On Wednesday, March 17, 2004 at 7:43 am, lina wrote:
>Carol, I ran the smartkiller.exe first as you suggested, then tried CW-Shredder again
>but I still have that variant and it keeps closing the CW-Shredder. I don't know
>what to do now.
>
>thank you. lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Wednesday, March 17, 2004 at 1:45 pm
Posted by lina (209 messages posted)

I checked I have the latest version of Shredder. I have downloaded the Smartkiller.exe today as well. Still the same story. Ran all offline and after re-booting. I have been using an updated Spybot either. I do not have, however, HijackThis. I followed all your instructions about the *.tmp. The only thing I could not do was to set the size of the TIF folder, could not see where. Also which are the Active X Controls? In View Objects I just have a few downloaded components like of HouseCall and Panda Online Scan, Shockwave Flash, Yahoo mail and messenger. Shall I delete them? Anyway, still the Shredder is not able to continue because of that variant on the computer. Can you suggest what next? Thanks, Carol. lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Wednesday, March 17, 2004 at 2:29 pm
Posted by Ms. Eagle (33640 messages posted)


This is really weird. If you're able to run SpybotSD, then there's something else wrong. Are you having problems opening any other programs? You haven't mentioned any other problems, but it would help to know.

If you don't have tons of ActiveX Controls installed, Downloaded Programs, keep those if you use them. They tend to pile up. When you choose View Details, if there are any 'unknown' or 'damaged' ones showing, right click and remove them.

Download 'Hijack This'

Unzip 'HT' into a new folder. Close all browser windows and run it offline. Double click the .Exe file to run it. Choose Scan. It'll display a list. Most of the things you see listed are necessary or required entries, so don't fix anything, until you know which items to fix.

First, check the description of the entries in the log, check here: HijackThisTutorial

After the scan is finished, the Scan button will turn into Save Log. Press that and copy/paste the contents in a post.

Before you post it, please be sure to check this below: Check this box to preserve your spacing....

Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Thursday, March 18, 2004 at 9:09 am
Posted by lina (209 messages posted)

Hi, Carol, thanks for answering again. I do have other problems on my computer as you have guessed, which I have thought are also connected with spyware that is still lurking. I do not have problems opening programs really, but I do get problems with Explorer - very often the lexplore message of performing illegal operation which closes the Explorer. If it's not lexplore (which I have heard is spyware and I have tried to delete its name from the registry, however is still somewhere out there), it's the Explorer message of having performed illegal operation and closes the explorer window. I can't think of any other problems at the moment but like I said I have had on-going fights with spyware, having been forced to use Ad-Aware first, then Spybot, in the past have those Zone-Labs and Stop-Sign which seemed to be spyware themselves, and now also use Spybot S&D. I will do as you say to download now HijackThis and post the log file for you to see. Thanks again. Talk to you. lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Thursday, March 18, 2004 at 9:58 am
Posted by lina (209 messages posted)

Here is the saved log. I have flicked through the tutorial to know what to fix and 
what not to. Thanks, Carol.

Logfile of HijackThis v1.97.7
Scan saved at 17:46:17, on 18/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\F-PROT ANTIVIRUS\F-STOPW.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\F-Prot Antivirus\F-STOPW.EXE"
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O11 - Options group: [TB] Toolbar
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll


[Reply or follow-up to this message]

re: CW-Shredder help, please?
Thursday, March 18, 2004 at 11:10 am
Posted by Ms. Eagle (33640 messages posted)


Hi Lina,

Is this your ISP's URL: http://www.ukonline.co.uk ? If so, don't fix the 014 entry. You checked the tutorial, so you may know that. For the DPF entries, if you intend to use Panda and Housecall scans regularly, leaving those will save time downloading the scanners next time you run them.

Go ahead and run Hijack This and have these fixed. Reboot. Then run the IEFix.reg file from the link I posted.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

After fixing those, download this .reg file to your Desktop. Double-click on it and answer Yes, to merge into your registry. It will restore all the default Search settings for IE.

IEFIX.reg

Note: The download for the IEFix.reg is from SpywareInfo website, so it's safe.

Let me know, if you still have problems. If so, it might be a good idea to use the StartupList option in 'HT'. It'll show what's listed in every startup location on your system. There may be something that's not necessarily spyware, just a bad application.

To produce a StartupList log, run HijackThis, press Config... > Misc Tools > Generate StartupList log. (then copy/paste the same way)

Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Thursday, March 18, 2004 at 5:53 pm
Posted by lina (209 messages posted)

Hi, Carol, I will do all you said and will write back. Thank you again. Ukonline 
is a provider I use from time to time, otherwise my default one should be BT. I don't 
think I plan to do anymore Panda and Housecall Online Scans as I had errors downloading 
them the last few times I tried. I downloaded the trial version of F-Prot for checking 
for viruses - none at present. Where are you from by the way, if you don't mind me 
asking? I'm Bulgarian but I live in England.  lina

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Thursday, March 18, 2004 at 6:38 pm
Posted by Ms. Eagle (33640 messages posted)


Hi Lina,

You're welcome. I'm in the USA, Pacific NW section. It's interesting to hear where people are from, so I don't mind your asking me.

If you only use UKonline occasionally, I think you should fix that 014 entry. I don't know, in this case, whether it hijacked your start page or not, since you use it once in awhile. You saw the tutorial on the description. BT doesn't show anywhere in your log. You can manually type in the home page you want after fixing those.

O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk

Any of those DPF entries can be removed, so if you don't intend on using those virus scans, you can either fix in Hijack This or remove manually in Internet Options or from C:\Windows\Download Programs.

Carol

[Reply or follow-up to this message]

re: CW-Shredder help, please?
Friday, March 19, 2004 at 8:48 am
Posted by lina (209 messages posted)

Hi Carol,
I fixed those you said about. Rebooted. Then ran the .reg file. Then tried the CW-Shredder, 
still I have that variant Smartsearch.2 on my computer and still closes the CW-Shredder 
on me. 

Here is a copy of the startup list:

StartupList report, 19/03/04, 16:41:17
StartupList version: 1.52
Started from : C:\PROGRAM FILES\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v4.72 SP1 (4.72.3110.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\F-PROT ANTIVIRUS\F-STOPW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
F-STOPW.EXE = "C:\Program Files\F-Prot Antivirus\F-STOPW.EXE"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 19/3/2004, 16:30:16)

[Rename]
NUL=c:\windows\cookies\pc-user@atdmt(1).txt
NUL=c:\windows\cookies\pc-user@valueclick(1).txt
NUL=c:\windows\cookies\pc-user@mediaplex.txt
NUL=c:\windows\cookies\pc-user@questionmarket.txt
NUL=c:\windows\cookies\pc-user@doubleclick.txt

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 19/3/2004, 16:17:6)

[Rename]
NUL=C:\WINDOWS\DOWNLO~1\YMMAPI.INF
NUL=C:\WINDOWS\DOWNLO~1\YMMAPI.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 2,869 bytes
Report generated in 1.666 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

(I had to write this post again as I got again that LEXPLORE illegal operation freezing 
the Explorer window and closes it.)

I wanted to ask you about a few things that appear in the running processes such 
as: RNAAPP.exe seems to be always there just before something will cause a problem. 
And do the rest of the items in the running process necessarily have to be there, 
like for example that Program Files/INTERNET? I remember in the past I had my dial-up 
connection taken over by a connection that called itself INTERNET(1) having downloaded 
itself on the computer. Thank you for your help.  lina

[Reply or follow-up to this message]

it's all ok now!
Friday, March 19, 2004 at 10:36 am
Posted by lina (209 messages posted)

Carol, 

I rebooted again and ran the latest CW-Shredder downloaded today and it passed through 
it. It's all clear now. Thanks a lot for your help. 

I wonder if you would know about LEXPLORE, it's been closing the explorer window 
all day today and freezes the whole system now and again as well. When I click onto 
Details from the LEXPLORE - has performed illegal operation, this is what it shows:

IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c002f8d0 CS=015f EIP=bff87eb5 EFLGS=00010212
EBX=ffffffff SS=0167 ESP=0053ffdc EBP=00540048
ECX=00000000 DS=0167 ESI=81560310 FS=368f
EDX=c002f8d4 ES=0167 EDI=8156e060 GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75 
Stack dump:

(it's lexplore, not iexplore what appears on the message unlike in the detailed information 
above.)

lina

[Reply or follow-up to this message]

re: it's all ok now!
Friday, March 19, 2004 at 12:38 pm
Posted by Ms. Eagle (33640 messages posted)


That's great, and I was at a loss as to what could be the problem. It must be something new going on, because I haven't seen anyone have that problem.

Now, this really has me stumped, because LEXPLORE.exe is this worm, I believe:

W32.HLLW.Sodabot

Your StartupList shows no problems and your HijackThis log showed no sign of that Lexplore. You should run an online virus scan to verify, that's on your system. It's one of those that an AV program can't clean. It will identify it.

Lina, I really don't think it's on your system, because it would show in StartupList and Hijack This. Worms and trojans run in startup locations. That is, unless you got infected after running those! Run one of these, if possible and let me know.

Panda Active Scan
Bitdefender

To answer your question, in your previous post, concerning the entry in your StartupList showing Internet....This is Internet Explorer, not just Internet. It's supposed to be like this:

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Notice it shows IEXPLORE.EXE without the R on the end?

Carol

[Reply or follow-up to this message]
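The look-alike name discussed in the post above (LEXPLORE.EXE against the genuine IEXPLORE.EXE) can be checked for mechanically in a HijackThis log. This is an added example, not part of the thread and not HijackThis code: the baseline table, the function names and the three sample lines marked as constructed are assumptions made for illustration.

```python
import ntpath
import re

# Baseline of expected image locations, taken from the Windows 98 logs in this
# thread (assumption: extend it for the machine being checked).
KNOWN_IMAGES = {
    "IEXPLORE.EXE": r"C:\PROGRAM FILES\INTERNET EXPLORER",
    "EXPLORER.EXE": r"C:\WINDOWS",
    "SYSTRAY.EXE": r"C:\WINDOWS\SYSTEM",
    "RNAAPP.EXE": r"C:\WINDOWS\SYSTEM",
    "TAPISRV.EXE": r"C:\WINDOWS\SYSTEM",
}

# Characters that are easy to mistake for one another on screen (L/I, 1/I, 0/O).
CONFUSABLE = str.maketrans({"L": "I", "1": "I", "0": "O"})
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
O4_ENTRY = re.compile(r"^O4 - .+?: \[.*?\] (?P<cmd>.+)$")
UNQUOTED_IMAGE = re.compile(r"(.+?\.(?:exe|com|scr|pif|bat))(?:\s|$)", re.I)

# Sample log: lines copied from the logs posted in this thread, except the
# LEXPLORE.EXE and TEMP\IEXPLORE.EXE lines, which are constructed to show
# what a masquerading entry would look like.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 Gold (Win9x 4.10.1998)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\F-PROT ANTIVIRUS\F-STOPW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\LEXPLORE.EXE
C:\WINDOWS\TEMP\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\F-Prot Antivirus\F-STOPW.EXE"
O4 - HKLM\..\Run: [lexplore] C:\WINDOWS\SYSTEM\LEXPLORE.EXE
"""


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def classify(image_path):
    """Return a reason string if the image looks like masquerading, else None."""
    directory, name = ntpath.split(image_path.strip())
    name, directory = name.upper(), directory.upper()
    if name in KNOWN_IMAGES:
        # Right name: only suspicious when it runs from somewhere else.
        if directory and directory != KNOWN_IMAGES[name]:
            return "unexpected location"
        return None
    for known in KNOWN_IMAGES:
        same_shape = name.translate(CONFUSABLE) == known.translate(CONFUSABLE)
        if same_shape or within_one_edit(name, known):
            return "look-alike of " + known
    return None


def image_from_command(cmd):
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    match = UNQUOTED_IMAGE.match(cmd)
    return match.group(1) if match else cmd


def scan_log(text):
    """Check the running-process list and the O4 autorun entries of a log."""
    findings, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if DRIVE_PATH.match(line):
                reason = classify(line)
                if reason:
                    findings.append(("process", line, reason))
                continue
            if not line:
                continue  # StartupList leaves a blank line after the header
            in_processes = False
        entry = O4_ENTRY.match(line)
        if entry:
            image = image_from_command(entry.group("cmd"))
            reason = classify(image)
            if reason:
                findings.append(("autorun", image, reason))
    return findings


if __name__ == "__main__":
    for source, image, reason in scan_log(SAMPLE_LOG):
        print(f"{source:8} {image}  <- {reason}")
```

A clean result only covers what the log lists: a look-alike that was not running when the log was saved, and whose autorun entry has already been deleted, will not appear.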

lexplore
Saturday, March 20, 2004 at 3:26 am
Posted by lina (209 messages posted)

Carol, 

I can't run no online scans lately, it always fails, why. I don't do the Panda and 
Housecall because of failed scan. (since I re-installed Windows a couple of weeks 
ago because of problems on the desktop.) And now I tried this Bitdefender and after 
it installed its components and it started scanning, right away I got this Memory 
check failed (as I had selected Memory Check) and I got again the LEXPLORE message 
which closed the whole Bitdefender window. Is it possible that you don't see the 
lexplore on my computer because I did read in the past about that worm W32.HLLW.Sodabot 
and I read how to take its name off from the registry, so its name is deleted from 
there, and it was in the Run. And even now sometimes when I press Ctrl-Alt-Del I 
can see lexplore there! I don't know... I will have to try the Bitdefender again. 

lina

[Reply or follow-up to this message]

re: lexplore
Saturday, March 20, 2004 at 1:52 pm
Posted by Ms. Eagle (33640 messages posted)


Dear Lina, what problems you're having. If you'd already told me you couldn't run a virus scan, forgive me for forgetting about that.

Since you did have that Lexplore issue previously, the executable file may still be in your directories somewhere. The Lexplore.exe must be deleted, and obviously it wasn't.

Run a search using Find - Files or Folder. Look in box, make sure C drive shows. In the named box, type: Lexplore.exe. hit Enter. Note the location/s, and I'll bet it's in the Windows or Windows\System folder. I'm not sure, if it'll work to delete it within Windows, if it's running in task manager. It might be better to boot into Safe mode, and delete it. That's often the case. Get back to me and let me know.

You probably need to run the IE repair tool also, if things are goofed up with downloading those ActiveX virus scans. The IE installation often gets messed up, when removing baddies or just from use. It's so integrated into Windows. I'll post instructions, in case you get a chance to do it.

To repair Internet Explorer: Go to Start - Run - in the Open box, type: msinfo32 - click OK. From the Tools menu - choose IE Repair Tool -- Repair IE. If you get an error message saying it can't be repaired, you'll need to reinstall it by running the IESetup.exe again.

Carol

[Reply or follow-up to this message]

re: lexplore
Saturday, March 20, 2004 at 3:44 pm
Posted by lina (209 messages posted)

Hi, Carol,

I cannot run virus online scans, either download fails or the scan itself. That's 
why I still have that lexplore worm, I guess. I tried again with Bitdefender and 
again the scan gets interrupted by the lexplore message. 

Unfortunately I could not find lexplore on the hard drive, I had looked for it before 
when I deleted its entries from the registry editor. Where can the executable file 
be then because I do keep getting this lexplore message when loading some Inet pages 
like www.autotrader.co.uk or computer forums, not when checking mail. (I don't know 
if it may have something to do with what's on those pages that makes the lexplore 
kick in.) 

In the MSINFO32 where you told me to look for the IE repair tool, I do not have such 
an option. What's there are things like: Windows Report Tool, System File Checker, 
Registry Checker, System Configuration Utility, Scan Disk, Version Conflict Manager... 

I regularly run Ad-Aware, Spybot, CW-Shredder and HijackThis. I thought you might 
want to know also that on almost every Inet page I have to press Yes to continue 
to Internet Script Error. 
I don't know... It must be like you said that I need to have the Inet Explorer fixed 
and then get rid of that worm.
Thanks again so much for your help, Carol.   
lina

[Reply or follow-up to this message]

re: lexplore
Saturday, March 20, 2004 at 4:18 pm
Posted by Ms. Eagle (33640 messages posted)


Hi again,

You have a lot of different issues, it seems. This is lengthy, because I don't know where to begin or end. he he

I can't understand why that Lexplore message comes up, if you don't have any sign of it. Plus, it didn't show in either your Hijack This log or StartupList. I had you clear out all temp files, etc. How about running Hijack This again and posting another log, just so to double check. It's easy enough to do.

Also, you said you went in the registry and deleted an entry for it? Do you think you're up to searching the registry for Lexplore? It has an excellent search feature, and I have detailed Step by Step instructions on how to go about it. Please don't try without the instructions. Let me know.

You may have the old IE 5.0 version still. That's the version installed with Win98. Do you have a high speed connection? I ask, because IE 5.5 is not available for download on MS any longer. There's a full download to it elsewhere. I'm afraid you'd have problems trying to download or install IE 6.0.

Another option, if you want to take it on, is to completely remove IE with IEradicator and reinstall it. It can only be removed with a third party program. We'll deal with that, after the other things.

Carol

[Reply or follow-up to this message]

re: lexplore
Saturday, March 20, 2004 at 6:27 pm
Posted by Ms. Eagle (33640 messages posted)


Lina, I didn't think about this, when I had you use Find to search for Lexplore. Do you have hidden files showing in Windows Explorer? Go into Folder Options and make sure 'Show all Files' is selected, and 'Hide known File Types' isn't. Similar to that. Then run another search for Lexplore.exe again. It must be there somewhere. Perhaps it doesn't show in those logs, because it's only running when IE is open? The instructions are to close your browser before running HijackThis.

Carol

[Reply or follow-up to this message]

re: lexplore
Sunday, March 21, 2004 at 3:05 am
Posted by lina (209 messages posted)

Hi, Carol,

That's gone a long correspondence, init? :}
Thanks for being willing to help me. 

I tried deleting the files in Windows/Temp today and this one I am denied access 
to today. ~dff776.tmp

Otherwise, here is the saved log from Hijack as well as the startup list:

Logfile of HijackThis v1.97.7
Scan saved at 11:14:51, on 21/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\F-PROT ANTIVIRUS\F-STOPW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\F-Prot Antivirus\F-STOPW.EXE"
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O11 - Options group: [TB] Toolbar
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

and

StartupList report, 21/03/04, 11:15:24
StartupList version: 1.52
Started from : C:\PROGRAM FILES\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v4.72 SP1 (4.72.3110.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\F-PROT ANTIVIRUS\F-STOPW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
F-STOPW.EXE = "C:\Program Files\F-Prot Antivirus\F-STOPW.EXE"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 20/3/2004, 18:24:20)

[Rename]
NUL=c:\windows\cookies\pc-user@ehg-autotrader_hitbox(1).txt
NUL=c:\windows\cookies\pc-user@valueclick.txt
NUL=c:\windows\cookies\pc-user@adviva(1).txt
NUL=c:\windows\cookies\pc-user@overture(1).txt
NUL=c:\windows\cookies\pc-user@doubleclick(1).txt
NUL=c:\windows\cookies\pc-user@hitbox.txt
NUL=c:\windows\cookies\pc-user@bluestreak.txt
NUL=c:\windows\cookies\pc-user@atdmt(1).txt

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 3,001 bytes
Report generated in 1.317 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Please, do tell me how to search the Registry editor properly. I had done it through 
the Find button before. It's a pity I can't run any online scan, because you said that 
lexplore is a worm and can be removed by them. Shall I try downloading a worm removing 
program?

Carol, I am surprised and you will be, I checked - I have IE 4.0! My connection is 
a dial-up and it's not extremely fast but it's quite good when downloading programs. 

Good morning!  lina

[Reply or follow-up to this message]

re: lexplore
Sunday, March 21, 2004 at 12:20 pm
Posted by Ms. Eagle (33640 messages posted)


Hi Lina, believe it or not, this thread is short compared to some. :) Did you see my second reply about going into folder options? Click here: 1079836032 Hidden files, when visible, are pale, almost transparent. I suggest checking that out, and just one more time, see if that Lexplore.exe comes up. It would probably be in Windows folder. It couldn't execute, if it weren't there and if it were only in the registry, it couldn't execute. Both your logs are clean.

I asked someone about that 'memory check failed' message you get when trying to run a scan. That may be, because your own AV program is still running. You must turn it off (temporarily disable), while the online scanner runs. You misunderstood me about AV programs cleaning worms. They "don't" clean them, but some worms have removal tools, but this isn't one of them.

You may be denied access to this ~dff776.tmp, only because it's currently in use. I have those at times, and once your browser's closed, it won't be needed. Who knows, what it's there for.

As for IE. 4.0, I don't get it, because ver. 5.0 is part of the 98 install! Even 5.0 is ancient and should be upgraded. The full download for IE 5.5 SP2 is about 84 MB, which takes hours to download. If you have a good connection, it may work. If you happen to have a friend with a high speed connection that could burn it to a CD, or an "older" AOL, or another ISP CD laying around, they have the complete IE install files on them. They're compressed IE CAB files. The CD can be "explored", then you can Copy the CABS to a new folder on the drive and run the IESetup.exe from there. You'd want to be sure your CD's aren't set to Auto Run, when you stick them in the drive. Wait on this IE upgrade for now.

P.S. I'll post registry edit instructions separately, but that may not be necessary if you can run a scan, etc. Let me know.

Carol

[Reply or follow-up to this message]

found it!
Sunday, March 21, 2004 at 2:30 pm
Posted by lina (209 messages posted)

Carol, I unticked Hide Known Files and in the normal Find search it didn't come up 
but in the Registry search it did! I deleted lexplore.exe and w32.hll (I hope this 
one was alright to delete, oh!?).

It was under Current User/////Explorer/DocFindSpecMRU. What shall I do with the other 
entries there, do they have anything to do with lexplore: w32, me2.dll, *.tmp, downloaded, 
hcagijfeb.

It makes sense to take off F-Prot real-time protector temporarily, then the online 
scan should work. Thanks, Carol....   lina


[Reply or follow-up to this message]

re: found it!
Sunday, March 21, 2004 at 5:33 pm
Posted by Ms. Eagle (33640 messages posted)


Lina, that's a no no to just delete entries in RegEdit. One wrong move and you can make your OS inoperable. Not to worry, yet... :) This DocFindSpec MRU is only "most recently used" entries. Deleting those won't fix anything or affect anything. Is that where you found Lexplore listed, in MRU? There is no w32.Hll. It's w32.Dll. That's a Winsock file, and I hope you only deleted entries in MRU. I have no idea what this might be: me2.dll. Note: it's important to spell file names correctly, and you can probably see why. Leave all of those alone, and follow just the below instructions.

As for the scan, I didn't think about that, even though I know you should disable your AV. They should have a note about that, before the scan starts. PC Pitstop does.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.

Using the Registry editor, you can do a search for {name of program or word} and delete everything found.

First, back up the registry. Start - Run - type: SCANREGW. Hit enter. Click Yes.

How to use Regedit: Go to Start - Run - type: Regedit. Press Enter or click OK. On the toolbar - click Registry - Export registry file. In the Window that opens, where it says 'Export Range', make sure "All" is ticked. In the named box, type: backup. In the "Save In" window with the drop down menu - Select Desktop. Choose Save. This will export the Registry file to your desktop. (In case you make a mistake or there's a problem, you'd be able to 'merge' the file back into the registry). You can delete it, once you know there's no problem. Save it for a few reboots. (Keep in mind, double clicking that backup will merge those entries back into the Registry. You'd need to start over.)

Then choose Edit on the toolbar - Find - In Find what, type: Lexplore (Type it correctly). It'll start the search, and when it stops, a key or value will be highlighted. Right click and choose delete (or hit the delete key). Continue the search by pressing the F3 key. Proceed the same way, until you get a message that the search is finished. Then follow the same instructions to search for the next word or name, etc. Be sure to type it exactly as instructed, if you're following removal instructions. Close and Reboot for the changes to have effect.

P.S. Caution: do NOT change or delete anything, unless you positively know what you're doing.

Carol

[Reply or follow-up to this message]
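The export-then-search procedure from the post above can also be done read-only against the exported file, so each hit is reviewed before anything is deleted; this is an added example, not part of the original thread. The sample export, the exact key spelling and the three triage labels are assumptions constructed for illustration.

```python
import re

# Constructed sample in the REGEDIT4 text format written by Win9x Regedit's export.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU]
"a"="lexplore.exe"
"b"="w32.dll"
"MRUList"="ab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"F-STOPW.EXE"="\"C:\\Program Files\\F-Prot Antivirus\\F-STOPW.EXE\""
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
AUTOSTART_KEYS = {"run", "runonce", "runservices", "runservicesonce"}

def unescape(text):
    # Quoted .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', text)

def classify(key):
    # Coarse triage (labels are this example's own): MRU keys are history
    # lists, Run* keys under CurrentVersion launch programs at startup.
    last = key.rsplit("\\", 1)[-1].lower()
    if "mru" in last:
        return "history"
    if last in AUTOSTART_KEYS and "\\currentversion\\" in key.lower():
        return "autostart"
    return "other"

def find_hits(export_text, term):
    """Return (key, value_name, data, kind) for every value matching term."""
    term, key, hits = term.lower(), None, []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue                  # header, blank line or hex continuation
        name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        if term in name.lower() or term in data.lower():
            hits.append((key, name, data, classify(key)))
    return hits

if __name__ == "__main__":
    for key, name, data, kind in find_hits(SAMPLE_EXPORT, "lexplore"):
        print(f"[{kind}] {key} -> {name} = {data}")
```

A hit labelled "history" only records that the name was typed into a search box; it does not show that a file of that name exists or runs.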

lexplore
Monday, March 22, 2004 at 8:18 am
Posted by lina (209 messages posted)

Hi, Carol,

Unfortunately, the search continues as I followed the instructions very carefully 
and the registry search could not find anything under the name of Lexplore... Regarding 
deleting entries from the Registry Editor one should think one learns from mistakes, 
I had deleted rundl32 (or something like that) before and I had to re-install the 
whole Windows anew. What a trouble it was! It's just that last night when the search 
finally found again the lexplore, I could hardly be stopped but eliminate it. 

All I can do now is try one of the links you gave me for online scan, after I disable 
F-Prot Real Time Protector. Will write to let you know what happened. 

Onward,
lina

[Reply or follow-up to this message]

lexplore
Monday, March 22, 2004 at 8:39 am
Posted by lina (209 messages posted)

I had taken F-Prot off from the running process (Ctrl-Alt-Del) and still the memory 
check failed again on Bitdefender and the moment I was notified that, the Lexplore 
message appeared about to close the window anyways. Panda Online Scan fails as early 
as the downloading of its components.

I thought I would post again what it says in Details of the lexplore message box:

IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff9d709.
Registers:
EAX=c002f8d0 CS=015f EIP=bff9d709 EFLGS=00010216
EBX=00000000 SS=0167 ESP=0377feb8 EBP=03780154
ECX=00000000 DS=0167 ESI=02520180 FS=5957
EDX=01ca6c30 ES=0167 EDI=01c98638 GS=0000
Bytes at CS:EIP:
53 8b 15 dc 9c fc bf 56 89 4d e4 57 89 4d dc 89 
Stack dump:

lina

[Reply or follow-up to this message]

re: lexplore
Monday, March 22, 2004 at 1:34 pm
Posted by Ms. Eagle (33640 messages posted)


Lina, You shouldn't close out a program by Ctrl-Alt-Del, unless it's necessary. If it won't exit (not responding), then that's the way to do it. You should exit programs by right clicking the icon in Systray and choosing exit. You probably need to disable F Prot temporarily, by removing it completely from startup. Check within the program's options for that choice. If it has no option, as with any program, you can uncheck it in MSConfig. Then reboot and make sure it's not running.

That error indicates IExplore not Lexplore, and those errors in Kernel32.dll can mean quite a number of different things. It's a core component of Windows. If you can't locate an Lexplore after all this, it's not there. Obviously, there's a problem somewhere. I need to ask you, what was the reason you did a reinstall? You said problems on the desktop and a lot of spyware issues.

This shows possibilities for Kernel32.dll errors: Troubleshooting KERNEL32.DLL Errors

Try this app to kill all running processes: EnditAll 1

It's been recommended a lot here on the forums, but only if other things fail. I suggest you first exit the programs in Systray area, then run this to get anything else still running in the background. Then try again. Otherwise, forget the virus scan for now and make sure F Prot is up to date. Btw, AVG is a highly recommended, freeware anti virus program. For future reference, when F-Prot expires and you'd rather use that, you will need to make sure F-Prot is completely uninstalled first. Many require some manual removal also.

I wouldn't doubt that old version of Internet Explorer isn't helping anything. Plus, since it's not been updated or upgraded, there's no option to run the repair tool. IE has a repair option, in later versions. See if you can find a way to load a newer version of IE. Considering the problems you're having, I'm unsure whether a lengthy download is the way to go. It would be a shame, if the download were to be corrupt, after all that also.

Is the virus scan the only problem you have while online? Do you, or did you use a P2P file sharing program prior to these problems showing up? It's coming down to more of a Windows issue now, rather than spyware. Your system is clean of junk apps, according to your logs, etc. I can only go by what I see in those logs, as far as spyware and other baddies. It might be a good idea to run scan disk to correct errors on the drive then defrag, clearing out temps first and exiting programs. You've had a lot of problems with errors, is one reason.

Carol

[Reply or follow-up to this message]

re: lexplore
Monday, March 22, 2004 at 11:31 pm
Posted by Ms. Eagle (33640 messages posted)


Lina, one option for your IE issue, is to download and install a different browser, so you can get on the net. Then remove IE and install a newer version however. JmC's instructions here: Annoyances - r1075608605

ftp://ftp.opera.com/pub/opera

Mozilla.org

Carol

[Reply or follow-up to this message]

re: lexplore
Tuesday, March 23, 2004 at 8:19 am
Posted by lina (209 messages posted)

Hi, Carol,

I disabled F-Prot by removing it from the startup, then I rebooted and still Bitdefender 
cannot scan:  the first time I tried, an Explorer illegal operation message interrupted 
the scan, the second time I tried scanning the Lexplore illegal operation message 
stopped it and closed the window. Like you said, I will leave online scanning for 
now. 

Regarding Lexplore, against all signs that it is nowhere on the computer, it still 
must be somewhere. I know that Details show a problem with Iexplore and errors with 
Kernel32.dll but I am sure the title of the message box says "lexplore". Plus, I 
had deleted lexplore from the Registry Editor before I met you and the other day 
it re-appeared in the Registry in those Recent Used Docs, so it must be there. I 
know that for it to run, we must have the executable file but can it be lurking somewhere? 
It's so strange...

You are right I have a lot of errors with Internet Explorer (to add more, Internet 
Script Error comes up very often while waiting to load a page). I looked up one 
of the links you gave me (JimC's post) about an IE 6.0 download & IEradicator, but 
why does he say as a last resort, because the download might be corrupt after all 
or because after I have eliminated the old version and I cannot run the new version, 
I am without Internet, having no browser?! Or should I download Opera or Netscape 
just in case I cannot set up the new version of IE?

I will read through the Kernel32.dll troubleshooting. The reason why I had to reinstall 
Windows 98 was because the desktop would always be frozen all the time from start-up 
till shut down and I could hardly do anything, I had lots of Spyware then and had 
only Ad-aware to run, so I opened the Registry Editor and the mouse was having problems 
and I was trying to use it as well as the keyboard, accidentally somehow it deleted 
something without asking for confirmation. So it could not load Windows anymore. 
Anyway, after re-installation things have been alright and yea, I do have problems 
only online and with IE. 

I have used AVG in the past and after re-installation of Windows some of its files 
were corrupt, so I uninstalled it and set up F-Prot (trial version), in case I had 
any viruses.

I don't know what a P2P file sharing program is but no, I don't think I have any such.

I ran defrag after I re-installed Win, I will do scan disk as well now.

Thanks, Carol.

lina

[Reply or follow-up to this message]

re: lexplore
Tuesday, March 23, 2004 at 10:55 am
Posted by Ms. Eagle (33640 messages posted)


By, as a last resort, he probably means if other suggestions fail to get IE functioning properly. It's often the best thing to do, because it de-integrates IE from the OS, making Windows more stable. It may be best, in your case, to set up a different browser first. Then download IE, or find another way to load and install it, i.e. a CD. That IE 6.0 Setup file is small, and you need to run it while on the net, so the rest of the components can be downloaded. You'd still need to do a lengthy download. That's why the backup browser, in case something goes wrong, you'll have a way to get on the net, until you get things sorted out. It's not mandatory to have IE installed at all, but many pages can only be viewed correctly in IE, so whether or not you decide to keep and use a different browser as your main browser, you may still need some version of IE.

Something to consider, do you have a way to back up your data so you can format/wipe out the drive and reload Windows? That may be what it comes down to, if you still have problems, unless someone else has an idea. I'd go ahead and try the IEradicator and be sure to follow instructions correctly. Keep in mind, if you use Outlook Express, that will be removed also. Check the Readme file that comes with IEradicator.

Carol

[Reply or follow-up to this message]



All content at Annoyances.org is Copyright ©1995-2012 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.