Worms-Cannot Connect to Internet

Discussion in 'Malware and Virus Removal Archive' started by Yevri, 2004/01/25.

Thread Status:
Not open for further replies.
  1. 2004/01/25
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Hi,

    I have a Compaq Pentium III, win 98, 128 MB RAM (soon to add more RAM).

    I had tons of pop-ups in Internet Explorer, downloaded adAware got rid of them pretty much, then they started coming back. So I saw a post on a site that said to uncheck a bunch of files in msconfig, I found them and unchecked them. That seemed to work for one or two times opening IE, then I got tons of pop-ups, more than ever. The next time the machine booted up, I couldn't connect to the internet. I called my provider who had me put the IP in again, but I couldn't connect. He had me ping in dos and said it seemed to be connected, but couldn't connect via my browsers (IE 6 and Netscape 7) and both browsers will crash every time I quit them. My IE also still has a toolbar on it that I didn't install - though I had tried to get rid of it and had changed my default home back to google, it still tries to go to incredifind.com and times out then crashes. It won't let me open internet options either.

    So, could I have unchecked something in MSConfig that should be running, that may be keeping me from connecting?

    I guess I still have some worms on the system. What should I do to get rid of the rest. I installed another spybot search and destroy program but that hasn't helped.

    I have the Compaq Restore CD, but this machine was actually set up by my former employer (that has gone out of business) and I have none of the apps that were installed, so whatever I do, I'd like to keep from wiping them all out. If I have to, then I will do it and start all over.

    Is there a file or two that I just need to reinstall that would allow me to connect again so that I can download something to get rid of the worms, or reinstall Netscape and IE, etc.

    What other info do you need from me?

    Thanks,

    Yevri
     
  2. 2004/01/25
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    Since you didn't mention anything about an anti-virus program, guess you're not running one. I think now, since you can't get connected to the net, you're going to need an anti-virus program on CD, load it and scan. You might be surprised.
     

  4. 2004/01/25
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    It's possible that you unchecked something in msconfig that causes you not to be able to use your browsers. If so, it's most likely something you don't want. I'd go back and recheck everything, reboot and then see if your browsers work. If so, you can use an online virus scanner if you don't have one.

    HouseCall
     
  5. 2004/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try a repair of IE. If memory serves me correctly, click start>programs>accessories>system tools>system information then tools on toolbar. If that gets you back online, post back and someone will give further instructions for cleaning up.
     
  6. 2004/01/25
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    I did run a virus scan and it didn't find any, but my virus software hasn't been updated in a year or more - so there could be viruses.

    Do you think that a virus is what has caused this?

    Yevri
     
  7. 2004/01/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    It is possible. Zander's post has a link to Housecall on it, it will do an up to date, free online virus scan.
     
  8. 2004/01/25
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Thanks, everyone, for your advice. Here's what I've done: I checked to include all of the startup items again and rebooted - that didn't help me connect again, so I unchecked them again, ran the repair option on IE, and rebooted. I still can't connect. I now have a new toolbar I haven't seen before that shows up on my desktop with home, links, news, games, music and search as the choices - similar thing is on my IE toolbar too.

    Since I can't connect, I can't run the housecall virus scan. My anti-virus is probably too old (if it's a virus). Should I go buy a new virus product, or is there a way to load parts of windows that would allow me to connect again without wiping out my apps? What about the Norton utilities or even Compaq's utilities? Should I be able to restore parts of windows with those?

    What next?

    Yevri
     
  9. 2004/01/25
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    When's the last time you ran spybot or adaware? If you ran one or the other just before this occurred, it's possible something got broke in the removal process (it happens occasionally). If so, they both make backups by default and you can use the backup to undo whatever the program did to cause this. You'd have the junk back but at least it would get you up and running and we could go from there. If that doesn't get you going, you could try restoring your registry. Boot to a dos prompt and type scanreg /restore and choose a cabfile in the list that predates this problem.
     
  10. 2004/01/25
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Thanks, Zander. Wow! That worked. I tried to restore via Ad-Aware, that didn't work. But then I did the scanreg/restore you mentioned, and that worked. I opened netscape and connected right away. As I'm typing this (on my Mac) IE has just opened on its own and the pop-ups are opening again.

    What do you think I should do now? Run Ad-aware? Run SpyBot? Run Housecall (and how do I do that?)

    Yevri
     
  11. 2004/01/25
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    I decided to run Spybot and it got most of the worms. There is still something (at least one) on there because when I started up IE, the home was zestyfind.com. I switched that to google, but at least one time it jumped from google to somewhere else for a split second (I think for a pop-up that was blocked) and then landed on a blank page.

    It's much better now, though. Any advice on how to prevent new ones and/or get rid of any remaining ones? I've already gotten rid of KaZaa and Limewire and won't be using those - and Realone. Also, spybot quarantined Windows Media Player. Is that a problematic one and should I keep that off my machine? I got rid of RealOne because I knew it was allowing spyware, but some of the online radio, etc. requires Windows Media or Realone and I want to be able to listen.

    Should I get a firewall? Will that eliminate these problems? What problems will a firewall cause?

    Thanks,

    Yevri
     
  12. 2004/01/26
    merlin

    merlin Inactive

    Joined:
    2003/01/07
    Messages:
    1,111
    Likes Received:
    0
    "Any advice on how to prevent new ones and/or get rid of any remaining ones? "

    Certainly a firewall would help, and a continually up to date
    antivirus used regularly would also.

    You could also consider what browsing habits you have that may
    be the reason for your problems.
    regards
     
  13. 2004/01/26
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Go here and download Hijack This. Run the file and when it's done scanning you can save the results as a text file. Copy and paste the contents of it here so we can have a look at it. Don't remove anything with it just yet as some of the stuff you will see is legitimate.
     
    Last edited: 2004/01/26
  14. 2004/01/26
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    Run Housecall (and how do I do that?) Just go here. Under virus protection, free online scan. Get an antivirus program!! Here's a free one.

    Someone else posted recently that the version of Adaware they had wouldn't update. They downloaded the most recent one.
     
  15. 2004/01/26
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Log

    Thanks, Zander. As you requested, here is the log from HiJackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:21:03 AM, on 1/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\BROWSER PAL\ADBLCK.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MEDIACTR.EXE
    C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD1.DLL
    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\FONE.DLL
    O2 - BHO: (no name) - {5F5564AC-DE7A-4DCD-9296-32E71A35DCB7} - C:\PROGRA~1\BROWSE~1\BPTLB.DLL
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\SYSTEM\EMESX.DLL
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
    O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM\cpr.dll
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\PROGRA~1\CLIENT~1\RUN\2IN188~1.DLL (file missing)
    O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\PROGRAM FILES\CLIENTMAN\RUN\DNSREP242EA1D.DLL (file missing)
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CLIENT~1\RUN\TAGGER~1.DLL (file missing)
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\PROGRA~1\CLIENT~1\RUN\METAHE~1.DLL (file missing)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\PROGRAM FILES\CLIENTMAN\RUN\URLCLIA30956DE.DLL (file missing)
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
    O2 - BHO: (no name) - {D34F641F-5210-4EB0-8ED5-9179F47E15B7} - C:\PROGRA~1\BROWSE~1\BLCKBHO.DLL
    O3 - Toolbar: Browser Pal Toolbar - {337D0C1D-4053-4FAB-AF2B-45C2F7B0FAA7} - C:\PROGRA~1\BROWSE~1\BPTLB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [EASY ACCESS KEYBOARD] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [Browser Pal] C:\PROGRAM FILES\BROWSER PAL\ADBLCK.EXE -s
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: Sidesearch (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://reportflyr2.navigant.com/components/Brio.Insight.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37858.1398148148
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://owaeast.dcma.mil/tsweb/EAST/msrdp.cab

    Thanks,

    Yevri
     
  16. 2004/01/26
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Thanks, Aleekat. I ran housecall, but it had me download an exe and install, then said to open Netscape again. When I did and went back into the site, it said I still didn't have the required software - should I be doing something else?

    Thanks,

    Yevri
     
  17. 2004/01/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  18. 2004/01/27
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Thanks for the help. At this point, do you think I should get PestPatrol, a firewall, a certain virus protection package, all of the above or what? I have an old version of Norton Anti-virus, Spybot, Ad-Aware, HijackThis, Google Toolbar, HouseCall (though I had trouble installing it), and just found a new one in my Programs menu called AdDestroyer, that I don't know anything about - could that be spyware?

    Is there one I should be using to get rid of what's left on my machine? Will a Firewall stop these? I am connected now and it seems to be working pretty well (though I still get a pop-up with about: blank and http://69.20.62.53/yyy5.html keeps trying to open but I think Ad-Aware is stopping it). I'd like a solution that I don't have to spend a lot of time maintaining if that's possible.

    Thanks,

    Yevri
     
  19. 2004/01/27
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Looking at your hijack this log, I guess what I would do is download the newer versions of Adaware and Spybot and run them and see what they get rid of for you. If you already have the newer versions download the newest reference files for them, install them and run the programs. I'd run Adaware first and then reboot and see if you still have your internet access. If so, run Spybot, reboot again and check once again for internet access. I recommend this because if you do lose access, you'll know which one caused it and can then restore the backup from that program. After doing this, you should get a good firewall and an up to date antivirus program. You can purchase one or use one of the free ones that are available on the net. I'd recommend uninstalling Norton and then download the free version of AVG Antivirus. You can also have a look at Etrust Antivirus. I've been using it for years and personally have nothing but good things to say for it. Here is a link to Etrust's homepage. This product's not free but at this time you can get it for free for 1 year. This is for Etrust Armor which is the antivirus program and also includes a firewall. After a year you can choose to pay for it or go elsewhere. Here is a link for the free offer. http://www.my-etrust.com/microsoft/
    I personally think the price is a bit steep for Etrust Armor as it's a yearly thing, but I think the price for the antivirus program alone is reasonable. If after a year, you decide you want to keep it but don't like the price, you can just purchase the antivirus program and then download the free version of Zone Alarm. You'd be using basically the same firewall as the one that comes with Etrust Armor. The one that comes with it is just a rebranded version of Zone Alarm Pro. ZA Pro has some features that the free version doesn't but as a firewall the free one provides the same functions. If you decide to use AVG you'll also have to download a firewall of some sort. I'd recommend either the free version of Zone Alarm or else Kerio Personal Firewall. Kerio is free for personal and home use. Personally, for less experienced users I tend to recommend Zone Alarm as there's fewer choices to make than with Kerio which makes it a bit easier to configure. I'll probably get arguments about this however. Kerio does seem to be less taxing on the system.

    Once you get an antivirus program, do a complete scan. After doing this, run hijack this again and then once again post the contents here.

    You asked about AdDestroyer. It's something that displays ads and if you're getting a lot of popups, is probably the source of at least some of them. From what I've been able to gather, it seems that it is somehow connected to virtualbouncer.exe which I also see in your log. From what I can find it's something you want to get rid of. You can take a peek at this thread if you want to see what you're up against. It's three pages long but it wouldn't hurt to take the time to read through it.

    http://ivorey.net/forum/viewtopic.php?t=2

    On the second page of the thread there's a link to a page that tells how to uninstall it. Don't know if it works or not. I thought I'd post it in case you missed it.

    <http://answers.google.com/answers/main?cmd=threadview&id=246173>

    It seems that when you remove it with spybot or Adaware it manages to put itself back. This thread however, is from last August so it may be that by this time it's taken care of properly by Adaware or Spybot. I don't know.
     
    Last edited: 2004/01/27
  20. 2004/01/27
    Yevri

    Yevri Inactive Thread Starter

    Joined:
    2004/01/25
    Messages:
    16
    Likes Received:
    0
    Thanks, Zander, for your thorough and considerate help. I will do these things and post my log when finished.

    Thanks again,

    Yevri
     
  21. 2004/01/27
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    :eek:

    You have a little work in front of you
    Here is what Norton says about
    Virtualbouncer

    You may want to do a Ctrl-Alt-Del and end task on everything
    you have running beforehand (Except for Explorer and Systray) before removing program in the Add/remove panel

    You can also look for any of these in the add/remove panel

    "Search Toolbar" "Internet 404" "Tools for Internet
    Explorer" "Orbit" "F1" "ZZ" "MSCMAN "
    "Incredifind Dynamic Toolbar" "Keenvalue Toolbar "
    "Powersearch Toolbar for Ie"
    Not sure if you purposely installed the Lycos sidesearch sidebar but that also has the spyware stamp on it
    Look for "Lycos Sidesearch" in Add/remove
    Restart your computer regularly
    After removal do a search on your computer for leftover
    program files in your computer, such as Keenvalue and
    Incredifind

    Download either cwshredder or you may need LSP Fix
    Unzip and run it. Check all instances of lsp.dll (and nothing else) , and move them to the "Remove" pane.
    You will have to click the "I know what I'm doing" button.
    LSP Fix

    You may want to back up your registry beforehand
    Post another Hijackthis log afterwards
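
A triage pass over the HijackThis log posted earlier in this thread, added here as an example and not written by any of the posters or by the HijackThis project. It parses the section-coded lines and surfaces the items the replies point at: the O10 broken LSP entry, BHO registrations whose file is gone, and CLSIDs registered under more than one section. The finding labels and function names are illustrative assumptions, and the sample is an excerpt of the posted log.

```python
import re
from collections import Counter

# Excerpt of the HijackThis v1.97.7 log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\PROGRA~1\CLIENT~1\RUN\2IN188~1.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
"""

# An entry line is "<section code> - <details>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LSP_RE = re.compile(r"LSP provider '([^']+)' missing")


def parse_log(text):
    """Return one dict per section-coded line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2).strip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": code,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            # HijackThis marks registrations whose target file is absent.
            "orphaned": body.endswith(("(no file)", "(file missing)")),
        })
    return entries


def section_counts(entries):
    """How many entries each section (R1, O2, O4, ...) contributed."""
    return Counter(e["code"] for e in entries)


def triage(entries):
    """Items to review first; nothing here decides what to delete."""
    findings = []
    hooks = {}
    for e in entries:
        if e["code"] == "O10":
            m = LSP_RE.search(e["body"])
            if m:  # Winsock LSP chain references a DLL that no longer exists
                findings.append(("broken-lsp-chain", m.group(1)))
        elif e["code"] == "O2" and e["orphaned"]:
            findings.append(("orphaned-bho", e["clsid"]))
        if e["clsid"]:
            hooks.setdefault(e["clsid"], set()).add(e["code"])
    # The same component registered under several sections is reviewed as one unit.
    for clsid, codes in hooks.items():
        if len(codes) > 1:
            findings.append(("multi-hook", clsid + " " + "+".join(sorted(codes))))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for kind, detail in triage(parsed):
        print(kind, detail)
```

Run against a full saved log, the same functions show whether the O10 line is still present after the repair steps and which BHO registrations have been left without a file.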
     