Use System Restore (if you have it) & go back to before the problem happened. Download HijackThis & post a log.

Have W98... can't do a system restore .. here is the hijackthis log ...

Logfile of HijackThis v1.97.7
Scan saved at 1:59:44 PM, on 5/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM\OSSPROXY.EXE -boot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.0756712963
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01dad4cd3d29af0c6206/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab

Don't think there is anything there causing your problem.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01dad4c...ip/RdxIE601.cab

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\Common files\updater <-- folder

Reboot normally.

Regarding this entry: C:\WINDOWS\SYSTEM\OSSPROXY.EXE

Click on Start -> Run and enter %Windows%\SYSTEM\NSCheck.exe /uninstall followed by enter - this removes all registry entries and a box appears saying "uninstall successful". Find and delete the files nscheck.exe, ossproxy.exe.rvt & ossproxy.exe
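
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread and not HijackThis's own code: it lists registrations that point at "(no file)" and O4 autoruns whose executable is missing from the "Running processes" list. The function names and the trimmed sample are constructed for illustration, and "not running" is a lead to look into, not a verdict.

```python
import re

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM\OSSPROXY.EXE -boot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")             # "<section code> - <body>"
AUTORUN = re.compile(r"^.+?: \[(.+?)\] (.+)$")        # "<key>: [<value name>] <command>"
EXE = re.compile(r'([^\\"]+\.exe)\b', re.IGNORECASE)  # file-name part of a command

def parse(log):
    """Split a HijackThis log into running-process names and (code, body) entries."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append(m.groups())
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, entries

def triage(log):
    """Return (entries registered with no file, O4 autoruns not seen running)."""
    running, entries = parse(log)
    orphaned, not_running = [], []
    for code, body in entries:
        if body.endswith("(no file)"):
            orphaned.append((code, body))
        m = AUTORUN.match(body) if code == "O4" else None
        exe = EXE.search(m.group(2)) if m else None
        if exe and exe.group(1).lower() not in running:
            not_running.append((m.group(1), exe.group(1).lower()))
    return orphaned, not_running

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the full log from this thread, the second list also contains ScanRegistry and CountrySelection alongside OSSProxy and updater, which is why each hit still needs to be looked up before anything is removed.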

I have done all the changes and am now rebooting in Normal Mode. Before I get rid of the OSS entries do you know what they related to? I use a lot of Excel-type software and I wonder whether they relate to this?

I will send this off to you and then switch the connection to the Desktop and check if the changes so far have resulted in a connection by IE to the internet

Nope :( ... still no connection ... but thanks for the help so far, crunchie... I will make the OSS changes if you think they may help with the IE connection issue...

Here is some of the info I have on it:
Part of Netsetter - a "market research" program intended to track your Internet usage and buying habits.
To remove click on Start -> Run and enter "%WinDir%\SYSTEM\NSCheck.exe /uninstall" (where %windir% is the Windows directory - C:\Windows or C:\Winnt) followed by enter - this removes all registry entries and a box appears saying "uninstall successful". Find and delete the files nscheck.exe, ossproxy.exe.rvt & ossproxy.exe

Seems like some sort of work at home scheme?

The uninstall string does not work ... The error message is

Cannot find the file '%Windows%\SYSTEM\NSCheck.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

I am going to install Opera and see what happens...

Have you tried it without those % signs??

I'm not sure if it would be this simple...but have you checked to see if the virus wrote to your internet options settings in the tools drop down? I've seen it where mine has changed to use a proxy when I don't even have one running.

Of course, it probably isn't this simple...but just the same, it can happen.

I will try removing the % signs ... but the good news is ....
Opera works !!!!! So, to some extent, the pressure is off to find out exactly why IE is not working... but still want to find out what is causing it..

Thanks for the suggestion ... I think everything is OK in terms of automatic detection of settings.... is there anything I should be checking anywhere else that might generate proxy-type stuff? (I'm not that technical, I'm afraid :) ) ... and as Opera is now working the pressure is off a bit .... I quite like what I see of Opera ... thanks to crunchie for that ... the link was on his sign-off :)

thanks for the Opera link, crunchie !! :)

I found Opera to be quite ugly out of the box, but because it is so customisable, it looks great now (to my eyes anyway). You may have problems on some sites that write their code as IE specific & some that actually totally block non IE browsers.
No answers here regarding the proxy.
Anyway, glad to have been of some service.

Just to let you know that I have only just noticed that the IE URL Address line/box is no longer present when IE fires up and I get the 'Page cannot be displayed' error message ... the IE Tech guys think that this (plus the fact that Opera works) means that the Virus/spyware has messed things up in the IE settings and that it is a security issue ... but not sure what to do next. I will try reinstalling IE again from scratch ... delete and then download the whole thing... see what happens ... thanks for all the help so far

I tried to remove the NSCheck by taking out the % signs and I got 'could not find file nscheck.exe' - I checked and it is not on C: anywhere...

Is there a virus that changes specific elements of IE? I thought I had lost the URL Address Line but found it had been locked ... not by me either ... this remained the same when I went to Control Panel/AddRemove Programs ... and Repaired IE (you can only Add or Repair ... not delete and start from scratch... ) ... the lock was still on... anyone come across this before?

I would just remove this file then. OSSPROXY.EXE

Is there an option in IE to hide the address bar? I really don't know much about it.
