Hi All

I posted this on the Internet Explorer Forum but I think it may be more of a Security issue so if anyone can help me I would be very grateful.

I have a desktop PC - W98, 256 Mem, 40G HD. Internet Explorer has always worked well on the PC. A week ago it stopped working. IE opens but I get the Cannot Find Page message. However, Outlook Express continues to work (thank goodness) and I am able to play Radio Stations on Media Player.

Here is the background. A month ago the machine got a Virus, perhaps more than one. Various Free and Shareware tools could identify Virus or Spyware infections but none seemed to actually permanently fix it/them. The tools I have used in varying degrees of frustration have been AVG Free, AVG Professional, HijackThis, Kaspersky, Lavasoft, XCleaner Free and The Cleaner.

The Virus names on C: were/are identified as Backdoor.Small.d, PSW.BispyA and B with bi.dll and biprep.exe associated with them, then later PSW.BispyA and C with C having preInsBI.exe associated with it. The latest tool, The Cleaner, found Downloader.KenvalC and B on my original hard drive D: in an old Norton Recycled directory - so that might be a left over from who knows when.

Last week my partner ran XCleaner which identified a file for deletion. She OK'd the file for deletion. She rebooted later and when she tried to fire up IE it would not connect. She cannot remember what the file was called. She associates this event with the loss of IE but I assume it could also be virus related, or some combination?

As of yesterday I started to check out various things. I have reinstalled IE from Microsoft (got the startup file via my laptop, transferred it to the desktop and downloaded the latest version of IE from Microsoft) and reinstalled the connection to my ISP. This did not result in IE connecting, although OE and Media Player connected again as before. I have had no messages from the anti-virus programs so far over the last 2 days telling me there is a problem but I haven't used it much - the only problem is that the Internet Explorer loads but will not connect to the internet and I continue to get the 'Cannot Find Page' message. The anti-virus tools usually identified a virus when IE initially connected to the internet.

Can anyone suggest any software and/or series of steps to isolate and fix whatever is causing the problem, (whether a missing file as a result of the deletion or some other reason as a result of the Virus problem)?

Thanks in advance - Chris


Use system restore (if you have it) & go back to B4 the problem happened. Download hijackthis & post a log.

Thanks crunchie for the reply

Have W98... can't do a system restore .. here is the hijackthis log ...

Logfile of HijackThis v1.97.7
Scan saved at 1:59:44 PM, on 5/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM\OSSPROXY.EXE -boot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.0756712963
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01dad4cd3d29af0c6206/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab


Don't think there is anything there causing your problem.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01dad4c...ip/RdxIE601.cab

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\Common files\updater <- folder

Reboot normally.

Regarding this entry: C:\WINDOWS\SYSTEM\OSSPROXY.EXE

Click on Start -> Run and enter %Windows%\SYSTEM\NSCheck.exe /uninstall followed by enter - this removes all registry entries and a box appears saying "uninstall successful". Find and delete the files nscheck.exe, ossproxy.exe.rvt & ossproxy.exe
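
The reply above picks entries out of the HijackThis log by eye. As an added example (not part of the thread and not HijackThis's own code), this Python parses that log format and lists two things worth a manual look: entries ending in `(no file)`, and O4 autoruns whose executable was not among the running processes at scan time. The sample lines are copied from the log posted above; the function and variable names are assumptions, and neither list is a verdict on its own.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM\OSSPROXY.EXE -boot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")             # "O4 - <body>"
AUTORUN = re.compile(r"^\S+\\Run\w*: \[(.+?)\] (.+)$")  # Run / RunServices keys
EXE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)        # path up to first .exe

def basename(path):
    # Compare by upper-cased file name: the log mixes case, 8.3 short
    # paths (PROGRA~1) and bare names such as SysTray.Exe.
    return path.rsplit("\\", 1)[-1].upper()

def triage(log):
    """Return entries with no backing file and autoruns not seen running."""
    running, orphaned, idle_autoruns = set(), [], []
    in_processes = False
    for line in map(str.strip, log.splitlines()):
        entry = ENTRY.match(line)
        if line == "Running processes:":
            in_processes = True
        elif not line or entry:
            in_processes = False        # blank line or first entry ends the list
        elif in_processes:
            running.add(basename(line))
        if not entry:
            continue
        code, body = entry.groups()
        if body.endswith("(no file)"):  # registry entry whose file is gone
            orphaned.append((code, body))
        run = AUTORUN.match(body) if code == "O4" else None
        exe = EXE.match(run.group(2)) if run else None
        if exe and basename(exe.group(1)) not in running:
            idle_autoruns.append((run.group(1), exe.group(1)))
    return {"orphaned": orphaned, "idle_autoruns": idle_autoruns}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

Legitimate one-shot startup items also exit before a scan, so the second list only narrows down which autoruns to look up.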

I have done all the changes and am now rebooting in Normal Mode. Before I get rid of the OSS entries do you know what they related to? I use a lot of Excel-type software and I wonder whether they relate to this?

I will send this off to you and then switch the connection to the Desktop and check if the changes so far have resulted in a connection by IE to the internet

Nope :( ... still no connection ... but thanks for the help so far, crunchie... I will make the OSS changes if you think they may help with the IE connection issue...

Here is some of the info I have on it:
Part of Nettsetter - a "market research" program intended to track your Internet usage and buying habits.
To remove click on Start -> Run and enter "%WinDir%\SYSTEM\NSCheck.exe /uninstall" (where %windir% is the Windows directory - C:\Windows or C:\Winnt) followed by enter - this removes all registry entries and a box appears saying "uninstall successful". Find and delete the files nscheck.exe, ossproxy.exe.rvt & ossproxy.exe

Seems like some sort of work at home scheme?

The uninstall string does not work ... The error message is

Cannot find the file '%Windows%\SYSTEM\NSCheck.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

I am going to install Opera and see what happens...

Have you tried it without those % signs??

I'm not sure if it would be this simple...but have you checked to see if the virus wrote to your internet options settings in the tools drop down? I've seen it where mine has changed to use a proxy when I don't even have one running.

Of course, it probably isn't this simple...but just the same, it can happen.

I will try removing the % signs ... but the good news is ....
Opera works !!!!! So, to some extent, the pressure is off to find out exactly why IE is not working... but still want to find out what is causing it..

Thanks for the suggestion ... I think everything is OK in terms of automatic detection of settings.... is there anything I should be checking anywhere else that might generate proxy-type stuff? (I'm not that technical, I'm afraid :) ) ... and as Opera is now working the pressure is off a bit .... I quite like what I see of Opera ... thanks to crunchie for that ... the link was on his sign-off :)

thanks for the Opera link, crunchie !! :)

I found Opera to be quite ugly out of the box, but because it is so customisable, it looks great now (to my eyes N E way). You may have problems on some sites that write their code as IE specific & some that actually totally block non IE browsers.
No answers here regarding the proxy.
Anyway, glad to have been of some service.

Just to let you know that I have only just noticed that the IE URL Address line/box is no longer present when IE fires up and I get the 'Page cannot be displayed' error message ... the IE Tech guys think that this (plus the fact that Opera works) means that the Virus/spyware has messed things up in the IE settings and that it is a security issue ... but not sure what to do next. I will try reinstalling IE again from scratch ... delete and then download the whole thing... see what happens ... thanks for all the help so far


I tried to remove the NSCheck by taking out the % signs and I got 'could not find file nscheck.exe' - I checked and it is not on C: anywhere...

Is there a virus that changes specific elements of IE? I thought I had lost the URL Address Line but found it had been locked ... not by me either ... this remained the same when I went to Control Panel/AddRemove Programs ... and Repaired IE (you can only Add or Repair ... not delete and start from scratch... ) ... the lock was still on... anyone come across this before?

I would just remove this file then. OSSPROXY.EXE

Is there an option in IE to hide the address bar? I really don't know much about it.
