[Feverpitch]

OK. I'll get this information to you by tomorrow a.m. I'm not currently in the same location as the infected computer.

[Advertisements]

No problem. I'll be around. They have me chained to the wall here.

Regards,

[Metallica]

No problem. I'll be around. They have me chained to the wall here.

Regards,

[Feverpitch]

I copied and pasted the two lines of data as you asked 2x, and each time the Notepad file that was opened (document called "files") was blank.

[Metallica]

Did you wait until the command prompt closed?

If so, do a Find Files for: wininet.dll

Let me know where it is found. There should be at least a few.

Regards,

[Feverpitch]

According to Find, wininet.dll is located at C:\WINDOWS\SYSTEM. I did another post-Internet-usage Ad-Aware SE search last night and, for the first time in 6 months, it found no Coolwwwsearch virus residue.

[Metallica]

Sounds good, but I'd like to make sure you are clean.

Please surf to: http://virusscan.jotti.org/ and upload C:\WINDOWS\SYSTEM\wininet.dll there

Let me know the results

Regards,

[Feverpitch]

Pieter. would you believe I can't find wininet.dll manually? I do a Find and the computer finds it under C:/WINDOWS/SYSTEM but when I browse there to upload it, there's no wininet.dll anywhere.

[Metallica]

Well. The system folder is pretty big.

You can copy & paste the full path in the box at jotti's
C:\WINDOWS\SYSTEM\wininet.dll

And then click only the Submit button.


Regards,

[Feverpitch]

OK. That method of downloading worked. Here's the result:

File: wininet.dll
Status: INFECTED/MALWARE
MD5 7fe9320eae5d318ac419fb33dfecf992

AntiVir
Found nothing

ArcaVir
Found nothing

Avast
Found nothing

AVG Antivirus
Found nothing

BitDefender
Found nothing

ClamAV
Found nothing

Dr.Web
Found Trojan.DownLoader.2636

F-Prot Antivirus
Found nothing

Fortinet
Found Nsag.A

Kaspersky Anti-Virus
Found Virus.Win32.Nsag.a

NOD32
Found Win32/Oleloa.A

Norman Virus Control
Found nothing

VBA32
Found nothing

[Metallica]

Ok, so that is indeed infected.

In any case see if you can get this update:
http://www.microsoft...n/MS05-020.mspx

Installing that will replace your infected file with the latest available version of wininet.dll

Regards,

[Feverpitch]

Thanks for the info. But I don't understand how to get the update for Windows 98. Wwhat should I be looking for on this page? The page does not have a direct download for Windows 98. It directs me to the FAQs and this Q&A:

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by the vulnerabilities that are addressed in this security bulletin. Critical security updates for these platforms are available, are provided as part of this security bulletin, and can be downloaded only from the Windows Update Web site. For more information about severity ratings, visit the following Web site.


When I click either Windows Update Web site or Web site (links missing here), I'm taken to yet another site. When I click "Download the latest version of Internet Explorer," I'm taken to a page where I guess I should click, "Install Critical Updates ..." When I click that, it takes me back to the previous page. Argh!

So what am I supposed to be downloading from the original page? All of the downloads appear available only for other versions of Windows. I don't want Internet Explorer 6.0 unless it's absolutely necessary. It's too easily affected (of course, the caveat is that I can no longer play online games now that I'm using Mozilla).

[Metallica]

You don't have to use IE, but you will have to get the updates for it.

The files, like wininet.dll are also used in explorer, so you use them every moment your computer is on, regardless of which browser you use on the internet.

Regards,

[Feverpitch]

Well, I downloaded IE6 again (apparently I had already downloaded it a while ago) and also IE6-2. Then I reran the wininet.dll file at the virus scan site you mentioned earlier. It told that the scan was performed before and listed the same infections. Should I be doing something different this time?

Here's my latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:06 PM, on 6/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

[Metallica]

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

Regards,

[Feverpitch]

Hi, Pieter. Well, I followed those directions precisely as before and the files.txt file came up blank - I waited approximately 5 minutes and did it twice. On the original file where I pasted the two line items, the words too many parameters - h" appear on the line after this first command.