Urgent Help Needed ...3 Virus Plus and Unable to Connect to the Internet

Hi…Please help…I have Win95 and Avast4 with a dialup connection.
My modem will connect with my ISP but will not communicate with Internet Explorer 5.5. …keep getting Cannot Find Server Page. I have gone over all the connection properties and I believe they are correct.
Here are the viruses:
Trojsmall.tf cannot access C:\Windows\temp\c9hy.exe
Windows\system\nscfg.exe
windows\temp_avast4_\unp139203285
Also when computer boots up and the desktop is loaded I get 3 errors concerning my email:
Unable to protect outgoing mail SMTP error 10022
Unable to protect incoming mail (POP3) error 0
Unable to protect incoming mail (Jmapprotocal) error 10022
Any help would be much appreciated…Thanks

I’m absolutely sure that this file could be deleted (and all contents of temp folder).
Can you check if the link ‘Cleaning’ on my signature serves to you as a tutorial?

Did you try to download (on another computer) avast Cleaner and run it on the infected one? (http://www.avast.com/files/eng/aswclnr.exe)

Hi…thanks for the info.
I’ll read your info as suggested and will try to download the Avast cleaner. I’ll post an update then.

Hi again…is it possible to download the Avast cleaner on 3.5" floppies??? Please advise. Thanks

Sure it is possible. Download the cleaner and split it with WinZip, WinRar, Total Commander or any other prog/util you want.

Well, in fact, avast! Virus Cleaner (version 1.0.206) has only 357kB and can fit in just one floppy :smiley:

Hi…
Ran Avast Cleaner and it showed no viruses…ran avast 4.5 again and it listed the viruses as listed in my original posting except I was able to put them in the “chest”.
Ran Ad-aware 6 with ref file 01R347 dated 26.10.2004 and each time shows 3 items which I delete. Have also run Spybot 1.3 with latest update 2004-03-04 and it shows no files…yet I have strange popups trying to load.
Still cannot connect to the internet.
From other postings I guess I need to run hijackthis. What does it mean to rename the file to run and place in another location? I use bigspeed zipper to unzip.
Thanks again for your help!

Get the HijackThis log analyzer from my website.
Click the link in my signature and go to the HJT section.
That is where you can find it.
It comes with the latest version of HijackThis (1.99.0)

  1. Check your firewall settings (or even disable it for test)

  2. Make sure your browser is not set to “Work Offline” (this option is generally in the File menu). If it doesn’t help, try switching the proxy settings from “Auto-detect” to “No proxy” (I’m assuming you’re not connecting to the Internet via proxy): left click the avast icon > Settings then Update (Basic) > Details > Proxy

  1. Here’s my log from Hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 1:48:56 PM, on 12/29/04
Platform: Windows 95 C (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOWER.DRV
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\TPWRMGR.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\NOPOPS\NOPOPS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\IPCFG.EXE
C:\WINDOWS\SYSTEM\SCANDS32.EXE
C:\WINDOWS\SYSTEM\SNNPAPI.EXE
C:\PROGRAM FILES\IE NEW WINDOW MAXIMIZER\IEMAXIMIZER.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=igon
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=igon
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hawk Communications
R3 - URLSearchHook: (no name) - {870538D5-2A7E-A53E-51B9-154EE75BE772} - EXE32EXE.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOFORM.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [THotkey] THotkey.Exe
O4 - HKLM..\Run: [TPwrMgr] TPwrMgr.Exe
O4 - HKLM..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM..\Run: [TEscKey] TEscKey.exe
O4 - HKLM..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM..\Run: [NoPops] C:\PROGRAM FILES\NOPOPS\NOPOPS.EXE
O4 - HKLM..\Run: [Pgu.exe] C:\WINDOWS\TEMP\PGU.EXE
O4 - HKLM..\Run: [5G8ZKBL3BLZZFS] C:\WINDOWS\SYSTEM\Fsm6BY.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [ipcfg.exe] C:\WINDOWS\SYSTEM\IPCFG.EXE
O4 - HKLM..\Run: [scands32.exe] C:\WINDOWS\SYSTEM\SCANDS32.EXE
O4 - HKLM..\Run: [SysTray] C:\WINDOWS\SYSTEM\SNNPAPI.EXE
O4 - HKLM..\Run: [trycrt] _ctcp.exe
O4 - HKLM..\Run: [xxtoolbar] MsNetHelper.exe
O4 - HKLM..\RunServices: [TSPower] SPower.drv
O4 - HKLM..\RunServices: [TDockNUndock] TEject.drv
O4 - HKLM..\RunServices: [TWarmBay] TWarmBay.drv
O4 - HKLM..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU..\Run: [RoboForm] “C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboTaskBarIcon.exe”
O4 - HKCU..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - HKCU..\Run: [WareOut] “C:\Program Files\WareOut\WareOut.exe”
O4 - HKCU..\Run: [JAguAr] Trayz.exe
O4 - HKCU..\Run: [Bogobot] uio.exe
O4 - HKCU..\Run: [SAPSTR] SysEntry.exe
O8 - Extra context menu item: Fill Forms &] - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComCustomizeIEMenu.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComShowToolbar.html
O9 - Extra ‘Tools’ menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComFillForms.html
O9 - Extra ‘Tools’ menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComSavePass.html
O9 - Extra ‘Tools’ menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\RoboFormComSavePass.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {D0D33336-AB52-4C7A-A3A5-9071680D8A4F} - C:\WINDOWS\SYSTEM\SNNPAPI.DLL
O18 - Filter: text/plain - {D0D33336-AB52-4C7A-A3A5-9071680D8A4F} - C:\WINDOWS\SYSTEM\SNNPAPI.DLL

  1. Ref: Technical’s Posting

I changed my Avast setting as you described…no change. Still cannot connect to the internet via Internet Explorer 5.5.
I have Windows 95 , no firewall with dial-up connection.

Thanks for all your responses.

I will post the result of my HJT log analyzer here a bit later on. But I see you use the content advisor in IE. Have you tried to browse when it was disabled?

I noticed nothing in hijackthis log relating to it… But your winsock might still be broke. It is a lot easier to fix in 2k/xp. I have had time even with hijackthis and several tools to fix winsock in 9x, and they couldn’t fix the damage. You might need to reinstall winsock the hard way (or at least, not so automatic way).

There is quite some malware on your system. Please visit the malware removal section on my website and follow the instructions there. After finishing that, please post a new HJT log here.

This is the result my HijackThis log analyzer is giving:

CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\system\ipcfg.exe
\windows\system\scands32.exe
\windows\system\snnpapi.exe
\program files\siber systems\ai roboform\robotaskbaricon.exe
r1 - hkcu\software\microsoft\internet explorer,search = http://nkvd.us (obfuscated)
r1 - hkcu\software\microsoft\internet explorer,searchurl = http://nkvd.us (obfuscated)
r1 - hkcu\software\microsoft\internet explorer,(default) = http://fastsearchweb.com/srh.php?q=%s
r1 - hklm\software\microsoft\internet explorer,search = http://nkvd.us (obfuscated)
r1 - hkcu\software\microsoft\internet explorer\main,search bar = res://c:\windows\system\snnpapi.dll/sp.html (obfuscated)
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r1 - hkcu\software\microsoft\internet explorer\searchurl,searchurl = http://4-counter.com/?a=2&b=igon
r1 - hklm\software\microsoft\internet explorer\searchurl,searchurl = http://4-counter.com/?a=2&b=igon
r0 - hklm\software\microsoft\internet explorer\main,local page =
r1 - hklm\software\microsoft\internet explorer\main,homeoldsp = about:blank
r3 - urlsearchhook: (no name) - {870538d5-2a7e-a53e-51b9-154ee75be772} - exe32exe.dll (file missing)
o4 - hklm..\run: [systemtray] systray.exe
o4 - hklm..\run: [5g8zkbl3blzzfs] c:\windows\system\fsm6by.exe
o4 - hklm..\run: [ipcfg.exe] c:\windows\system\ipcfg.exe
o4 - hklm..\run: [scands32.exe] c:\windows\system\scands32.exe
o4 - hklm..\run: [systray] c:\windows\system\snnpapi.exe
o4 - hklm..\run: [trycrt] _ctcp.exe
o4 - hklm..\run: [xxtoolbar] msnethelper.exe
o4 - hkcu..\run: [windows internet protocol] c:\windows\system32\winproc32.exe
o4 - hkcu..\run: [wareout] “c:\program files\wareout\wareout.exe”
o4 - hkcu..\run: [sapstr] sysentry.exe
o15 - trusted zone: http://*.63.219.181.7
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o18 - filter: text/html - {d0d33336-ab52-4c7a-a3a5-9071680d8a4f} - c:\windows\system\snnpapi.dll
o18 - filter: text/plain - {d0d33336-ab52-4c7a-a3a5-9071680d8a4f} - c:\windows\system\snnpapi.dll


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [pgu.exe] c:\windows\temp\pgu.exe
o4 - hkcu..\run: [ie new window maximizer] c:\program files\ie new window maximizer\iemaximizer.exe
o4 - hkcu..\run: [roboform] “c:\program files\siber systems\ai roboform\robotaskbaricon.exe”


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

\program files\nopops\nopops.exe
o4 - hklm..\run: [nopops] c:\program files\nopops\nopops.exe
o4 - hkcu..\run: [jaguar] trayz.exe
o4 - hkcu..\run: [bogobot] uio.exe

I see Norton A/V and Avast as well as what looks like a cws hijack.
lotsa work to do there.

thefixer,
you have to make a choice. NAV and Avast do not work well together. I suggest you completely remove NAV using the util they provide for it. (link to it is somewhere on this board) Having two av’s on the same system mostly leads to conflicts and may even stop them from working at all.

And install a software firewall or get a router with built-in firewall. Unfortunately that is something you really need nowadays if you want to spend time online.

After putting on my glasses ;D I see a lot more that needs to be fixed, ginblossom.

bilemke,

don’t forget he is using Windows 95. I’m not sure (have to contact Merijn for that) but it could be HJT doesn’t see all in Windows 95. But one thing is for sure. There is a lot of malware that needs to be removed before we can continue in our efforts to solve the problem.

Thanks for your help everyone. Will not be able to work on the pc problem until late tonight (Thursday).

Ok, we’re waiting… Good luck 8) :wink:

Getting late here and I had so much fun deleting NAV manually…item by item. I wasn’t able to delete the following files…told me “access is denied”
apwgmd.dll
apwutil.dll
n32alert.dll
n32call.dll
n32exclu.dll
n32inoc.dll
n32pdll.dll
n32serve.dll
n32xutil.dll
navapw32.exe

To continue:
navashell.dll
s32navn.dll
v32scan.dll
When I was doing these deletes…it sounded as if my modem was trying to dial out…but I still can not connect to the internet.

In reference to my HJLog and the deletions:
Should I delete these:

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [pgu.exe] c:\windows\temp\pgu.exe
o4 - hkcu..\run: [ie new window maximizer] c:\program files\ie new window

Please advise and I’ll perform tomorrow AM along with the others that were specified.
Thanks!

I didn’t see which version of NAV you are trying to uninstall. If you have Norton 2003 or earlier you may want to go HERE to use their tool to remove Norton files completely. :slight_smile: