9 replies to this topic

[sfshaza]

Hi there! What a great resource! My Windows Explorer has been behaving strangely, it frequently dies, often when I just click on a file or when I click on a file and then try to delete it. Also, my active desktop will no longer run and attempting to restore it has no effect. I have run a complete virus scan using the latest definitions and it's OK. I have run AdAware using the latest definitions and its OK. I am using Windows 2000. I downloaded HijackThis to my C drive and ran it from the "unzipped" directory. It created the dummy file, but I got an error that I would have to fix the C:\WINNT\system32=drivers\etc\hosts file manually, if needed. Then I selected "Run scan and save logfile." I got the following error: An unexpected error has occurred at procedure: cmdScan_Click (Save log)() Error #48 - Error in loading DLL Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.00.2195 MSIE version: 6.0.2800.1106 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. I can reproduce this problem by quitting hjt and trying again. I'm not sure how to proceed. Thanks for ANY help!!! sfshaza

[Doug]

Are you experiencing unwanted Highjack/redirection of your Browsing when attempting to browse the internet?

Please look for the following on your machine:
Does the following file location exist on your machine?
C:\WINNT\Help\Hosts
C:\Windows\Help\Hosts


It may turn out that you have a CoolWebSearch infection.
The answer to the above questions will help determine this.

Please let us know in your next reply.

_____________________

You can repair/restore your Hosts file to its Original content with "Hoster 3.1"
http://www.majorgeek...ster_d4626.html


You can download CWShredder.exe (identifies and removes CoolWebSearch infections)
Get the tool at Radiosplace.com, Here:
http://www.radiosplace.com

Please let us know how you are progressing.
Depending on your answers to the above, we may be sending you over to the HJT Forum for further assistance from the Trained and Trusted Advisors.

Best Regards

[sfshaza]

Thanks for your response. And on a holiday weekend, too! I am no longer able to view these folders using "My Computer" via explorer, but I can view them using Start->Cmd. I do not have either "Hosts" file. When I try to use explorer, I get this dialog: ------------------------------------------------ An error has occurred in the script on this page. Line: 361 Char: 13 Error: 'gFolder.HaveToShowWebViewBarricade' is null or not an object Code: 0 URL: file://C:\WINNT\Folder.htt Do you want to continue running scripts on this page? ------------------------------------------------ Whether I click Yes or No, the window is blank - no files are listed, no matter what type of view I select. I get a similar error when viewing many different folders. I have not noticed my browser being hijacked when I view the internet. I use Mozilla and Firefox -- I very rarely use IE, though I did notice recently that when I try to view pages using IE I often get a blank page and the status bar reports that the page contains errors. In both cases when this occurred, I could view the same page using Mozilla. This was especially frustrating when I tried to view the update page on Microsoft - Microsoft insists that you use IE to view the update page. But when I try to use IE, I get a blank page. (I have IE version 6.) Thanks for your help! Back to hiding Easter eggs. :-) Sharon

[Doug]

Hi Sharon,

While there are some general tools that can be used here in your situation, it would be far better to be able to specifically identify the culprit (almost certainly a malware) that is causing your problem.

For the time being and until you have this resolved, it will be best to avoid logging onto the internet with IE, and use Firefox for any communication to this board, or for downloads.

Please create a New Folder in Windows Explorer and Rename it so that it looks like this:
C:\HighJackThis\

If you are unable to "Create a New Folder" in your Windows Explorer, please notify us right away, without continuing with the other directions in this post.

Next, I'd like you to download a fresh copy of HighHackThis.exe from:
http://www.radiosplace.com

From the possible downloads listed in the left column of that page select and click on HighJackThis.exe.
In the dialogue box that appears, select Save.
In the file structure screen that appears next, navigate to your newly created folder C:\HighjackThis\, and click on it to open it as the target location for the download. Click Save to complete the download.

Next, when downloaded, click on C:\HighJackThis\HighJackThis.exe

On the HJT screen that appears, press "Do a system scan and save a logfile".

Allow HJT to complete it's scan, which may take a few minutes.
When HJT is finished scanning, it will create a NotePad copy of the HJT Log. Click: File - Save

Next, still in Notepad, click on Edit - Select All - Copy

Now open Firefox and log in here to TomCoyote and navigate to the "HijackThis Logs and Spyware/Malware Removal" Forum, here:
http://forums.tomcoy...hp?showforum=27
Click on New Topic, and post your HJT Log for assistance from a Trusted Advisor.

If you're not able to get that far, please post back here with a description of the problem that stopped you, so we can give you further recommendations.

[sfshaza]

Thanks, Dough. I followed your instructions and, basically, am getting the same problem. (I am using Mozilla, I virtually never use IE.) I was able to create C:HighJackThis and to download to it from radiospace.com. (The problem where explorer dies is inconsistent, but frequent.) However, when I clicked on HighJackThis.exe, it first told me that I'm running it from a non-writable disk. (As it reported that, I could see the ~dummy file being created in the open explorer window.) I told it to continue and it then started to run the scan and it gave me a dialog that said: C:\WINNT\System32\drivers\etc\hosts can't be modified. You may need to do this manually. (or something to that effect) It then finished the scan, fairly quickly. The window contains a long list of files. There is a logfile in the directory, but it's empty. It did not open Notepad. The "Fix Checked" button is bolded. This is the same as I ws getting before. Thanks! Sharon

[Doug]

Please consider running Hoster, to restore your Hosts File to Original content.
This is a "non-harmful" procedure. Host File is a list of known-bad URL sites that your browser consults before navigating to your requested site. If the site you click or type is "known-bad" Hosts File prompts your browser, which will then display "This site cannot be viewed".

[b]You can repair/restore your Hosts file to its Original content with "Hoster 3.1"
http://www.majorgeek...ster_d4626.html

After running Hoster 3.1, please try your HJT: "Do a system scan and save a log file"

Doug

[Doug]

Hi Sharon,

I was looking for an online scan that can be run from FireFox.

Here we go! Courtesy of Teacup61 from over in the Classroom.

http://www.trendmicr...tro/default.asp


Please run Housecall from the above link and allow it to clean what it finds.
You'll probably be able to save the scan log.
Please post the log in your next reply.

This recommendation to run HouseCall does not interfere with the prior recommendation to run Hoster, which should still be run.

Best Regards

[Jacee]

You may have a corrupted copy of HJT....delete the current HJT, then download from here:

http://www.merijn.or...ackthis_sfx.exe

Double click HijackThis_sfx.exe and select Unzip. When done click "OK".
Close the WinZip self Extractor window. You can now delete HijackThis_sfx.exe.

Navigate to C:\Program Files\HijackThis and double click HijackThis.exe. Click "Do a system scan and save a logfile" then post the new log in the HJT forums that dough linked for you.

[sfshaza]

OK, I had quite a bit of advice to follow, so here's what I did (basically, to no effect): 1. I ran Hoster, from the site specified, using the specified instructions. It seemed to have no effect - at least it didn't report anything. I tried twice, just to be sure. 2. I then ran HJT again, getting the same results as before. (I do get a listing of files in the window, but it won't create a log and that window isn't, apparently, copy-able. 3. I then went to HouseCall and ran it on my system. It came back with 4 malware problems, but again, no log. I remember one was called NoCheat. During this scan, my Symantec Antivirus Notification popped up a dialog stating that it found a virus named Trojan.ByteVerify in C:\Documents and Settings\<me>\Local Settings\Temp\VNHCFHa01784 and that the virus was successfully quarantined (& access denied). I then tried to open my Symantec Firewall Client to see what it had to say and it now consistently gives me a popup dialog similar to what I've seen in explorer. "An error has occurred in a script on this page. Error in loading DLL. Do you want to continue running scripts on this page?" And then it will not display my status. 4. Meanwhile, the HouseCall cleanup had completed (and suggested files were removed) and it suggested that I run HouseCall again. So I did. This time it completed without error. 5. Next, I followed the advice to delete HijackThis.exe and re-install from the specified location. I was unable to delete the file using explorer (explorer died consistently when I clicked on that file) so I deleted it using the Start->cmd facility. (First time I'd ever done this.) 6. I re-installed HJT as per directions and unzipped it, allowing it to put the executable into the suggested default: C:\ProgramFiles\HijackThis. 7. I ran it again, from the newly installed location. Same problems as before. It first reports that it's a read-only system (while creating a dummy file). It then complains about the first file in the list (I've included this info before). It then completes the scan, and the window is full of file names, but it will not create a logfile. My system is apparently cleaner, but my symptoms are no better. Thanks again for your help! Sharon

[Juliet]

Clean out some temp files.....
Close all windows and programs, then:

Clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete.

Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK.
A good free program to use is CleanUp!
Use the standard option
How to use CleanUp

by Steven R. Gould

And delete the temp cache files in your Java....
Clearing the Java Runtime Environment (JRE) Cache

Verify which Java version your using.....
Java Runtime Environment

Lets see if we can find out whats happened to your Nortons....
There is a quick scan for errors found here....which will supply help links....
Help Me Solve It

Edited by Juliet, 17 April 2006 - 09:09 AM.