[coachwife6]

Please follow the instructions I provided for right now. It has worked on another machine that was a 98 after much trial and error.

[Advertisements]

I did as you said -- downloaded and ran Kaspersky with the latest definition update module. It cleaned up the WININET.DLL file on the desktop. However, Windows would not allow me to rename the file in the System folder because it said the file was in use. Once the Kaspersky scan had finished, other weird stuff started happening. On rebooting the system, I received a Kaspersky message saying:
"Process module EXPLORER.EXE\WININET.DLL is infected with a virus
Virus.Win32.Nsag.b
You are advised to delete the object."

Now, I cannot access the Windows folder from 'My Computer.'
I also had no desktop for a while there until I went to Start>Settings>Active Desktop>View as Webpage and unchecked this option. Now I at least have a somewhat normal looking desktop.
I thought that AVG and Kaspersky might be working against each other. So, I uninstalled one, then the other. Both are currently unistalled. If Kaspersky is running, I can't even get a proper Windows start up because I get ILLEGAL OPERATION (Page Fault) messages for just about every start-up process.
What's going on?!
I've just realized that I can't paste emoticons in here either, even though the ENABLE EMOTICONS option is checked.

Here is my latest HijackThis log file, if this helps at all:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:30 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [KASP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\OESpamTest.exe"
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab

[sevicat]

I did as you said -- downloaded and ran Kaspersky with the latest definition update module. It cleaned up the WININET.DLL file on the desktop. However, Windows would not allow me to rename the file in the System folder because it said the file was in use. Once the Kaspersky scan had finished, other weird stuff started happening. On rebooting the system, I received a Kaspersky message saying:
"Process module EXPLORER.EXE\WININET.DLL is infected with a virus
Virus.Win32.Nsag.b
You are advised to delete the object."

Now, I cannot access the Windows folder from 'My Computer.'
I also had no desktop for a while there until I went to Start>Settings>Active Desktop>View as Webpage and unchecked this option. Now I at least have a somewhat normal looking desktop.
I thought that AVG and Kaspersky might be working against each other. So, I uninstalled one, then the other. Both are currently unistalled. If Kaspersky is running, I can't even get a proper Windows start up because I get ILLEGAL OPERATION (Page Fault) messages for just about every start-up process.
What's going on?!
I've just realized that I can't paste emoticons in here either, even though the ENABLE EMOTICONS option is checked.

Here is my latest HijackThis log file, if this helps at all:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:30 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [KASP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\OESpamTest.exe"
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab

[coachwife6]

You are advised to delete the object."

Did you delete it?

[coachwife6]

Paste these instructions into notepad for use in safe mode

1. Reboot into Safe Mode.

2. Once in Safe Mode, go to Start > Run type: command Click OK

3. Please do the following in sequence:

* Please copy the following line and paste it into the black window:

CD C:\Windows\system

* Hit enter.
* It will go to the next line, then copy this line and paste it in:

rename wininet.dll wininet.old

* Hit enter.
* type exit hit enter.

4. Now try copying the one from the desktop into the system folder.

5. Once it's been copied into the system folder reboot into normal mode.

I also want you to do the following:

Make absolutely sure there is a wininet.dll in the system folder before you reboot!

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\Windows\System\wininet.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

[sevicat]

Yes, I did delete it. Was that the wrong thing to do? It apears that the PS Guard thingy is gone from my computer now. It seems that the remaining problems are the infected wininet.dll file and the fact that I can't access the Windows folder from My Computer. If I re-installed Kaspersky, I'm also pretty sure that it would tell me the EXPLORER\WININET.DLL is still infected. I will do what you ahve just suggested and will send you the analysis results. Thank you, thank you and thanks again for trying

[coachwife6]

Once it's on the desktop run a full system scan with Kaspersky, then when it gets to the wininet.dll on the desktop make sure it doesn't get deleted, but that it gets cleaned.

[sevicat]

I Still have the 'clean' wininet.dll on my desktop. Rebooting in Safe Mode and trying to rename the dll through the DOS prompt still doesn't work. It says "Duplicate file or file in use." I will now submit the C:\Windows\System\wininet.dll to jotti's site and let you have the analysis ASAP. Why can't I put emoticon's in the message?

[coachwife6]

Why can't I put emoticon's in the message?

I don't know, but that is the least of our problems right now. Submit it to Jotti's and get back to posting the results. I will be gone most of the evneing but will try to check in later tonight.

Don't sweat it, we'll get it done.

[sevicat]

Here we go...it doesn't look pretty!

ArcaVir Found - Trojan.Callgate.Oleadm.3
Dr.Web Found - Trojan.DownLoader.2636
Kaspersky Found - Virus.Win32.Nsag.b
NOD32 Found - Win32/Oleloa.gen

The other scanners didn't find anything.

[sevicat]

To add:

I just tried re-installing Kaspersky. As soon as I rebooted the system, I got all those start-up process errors again - Kernel32 fault, SysTray fault, Explorer fault etc. So, now it seems that my system will not run Kaspersky. Pitty, 'cause it looked like a good program while it worked ;-) As soon as I uninstalled from Safe Mode, it was kind of good to go again. I don't know if this has anything to do with our friend wininet.dll?

On the brighter side, PS guard seems to be gone, touch wood, yeah! Good riddance! I still cannot view my desktop as a web page, though. When I select this option from Start>Settings>Active Desktop, I just get the 'Desktop Recovery' screen. I also cannot view documents in My Computer from a web page view. It would seem logical that this must be because of the infected wininet.dll. I know nothing about dll's, but the name seems to allude to the fact that it has something to do with Internet Explorer?

[coachwife6]

I'm checking something out with one of our experts who has worked on this fix. I will get back with you. Enjoy your day.

[sevicat]

A friend of mine just suggested copying the 'clean' wininet.dll from my desktop into the root directory, booting up into Command Prompt only, and then copying the 'clean' file from the root directory into the c:\windows\system directory and confirming the file replacement when prompted. Would this work? My friend knows a lot about this kind of stuff (through lots and lots of trial and error) but I prefer to run the procedure by you first

[coachwife6]

That's close to what our expert proposed to me. I was working on the instructions and sent them to him to proof, but here is what I came up with:

Do not do the following in safe mode.

Boot to command prompt:
(Press “F8” on boot to get start menu and select “Command Prompt Only”


Let's rename, rather than delete the infected file.

Type in:

ren C:\windows\system\wininet.dll wininet.old

copy c:\windows\desktop c:\windows\system

del c:\windows\system\oleext.dll

Hit enter. Reboot and tell me how it is going.

[sevicat]

Okay, I have copied the uninfected .dll via the Command Prompt screen. Everything seems to be just peachy now The only remaining little thing is that the area around the text names of my desktop icons is surrounded by color and I cannot seem to change the settings for this pattern to 'none.' In other words, where there would be no color and the text would just be sitting right on top of my desktop wallpaper. Do you have any idea why this would be the case?

Thanks so much for your time and effort. I could go on and on about what an honorable service you guys provide to your fellow man

[coachwife6]

Check out this link:

http://www.onecomput...hell_icon_cache

I thought Kellys Korner would work,, but I think that's just for xp. Let me do some more searching and see.