Hello all,

new member today. I get illegal operation when i run explorer, other programs run okay. Downloaded Hijack This but came across with CRC error, so i thought i should post here. Help. Thanks much

steve

Hi and welcome
Try.
Dowload the following program

cwshredder http://www.spywareinfo.com/~merijn/downloads.html

It should be the current version, but check for updates

Run Program cwshredder and have it fix anything it finds

Next

Download Adaware from here http://www.lavasoftusa.com/ CHECK FOR UPDATES

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"





Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK."

Reboot your computer

See if you can get HJT to run then
Post back let us know how you make out

Hi Don77,

thanks for reply. I remember thread by annmarie that she had hihack exe and i downloaded but as it was running, i got illegal operation message, which i ignore and let it finish.

I wonder if any new *.exe that i bring up will cause same problem (although i have old dos version of pkunzip and loaded that onto my drive and this was program that said the hijack zip file had CRC error).

Anyhow, i will try to get hijack to run, if not, try some of your suggestions. Thanks

steve

All,

was able to get hijack to run. please let me know if you see anything. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 11:21:36 AM, on 6/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\CUSTOMAX 4\CMLAUNCH.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 2000\QSHELF2K.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\SR64\EAAGAHEM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
D:\HIJ\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-11-IIZXP-L-0O-OLL11IZ0OIL-OL.COM/725ca17629/97681342/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.topsearcher.com/ie/
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\ PQINIT.EXE
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.dll
O4 - HKLM\..\Run: [CMLaunch] C:\Program Files\CustoMax 4\CMLaunch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

Please restart HJT put a check next to the following, close all open windows and click fix.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...2/ogsearch.html <http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-11-IIZXP-L-0O-OLL11IZ0OIL-OL.COM/725ca17629/97681342/ogsearch.html>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <http://awebfind.biz/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <http://www.topsearcher.com/ie/>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = <http://awebfind.biz/sp.htm>
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = <http://awebfind.biz/sp.htm>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <http://awebfind.biz/>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <http://awebfind.biz/sp.htm>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <http://awebfind.biz/sp.htm>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <http://awebfind.biz/>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <http://awebfind.biz/sp.htm>
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = <http://awebfind.biz/sp.htm>
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <http://www.topsearcher.com/ie/>


O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.dll


O4 - Startup: PowerReg Scheduler.exe

Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files http://www.xtra.co.nz/help/0,,4155-1916458,00.html search for and delete the following in BOLD


C:\WINDOWS\sp.dll


Restart your computer, restart HJT and post back a fresh log.

Don

Hi Don,

followed the instructions. when reboot, message say cannot import sp.dll,

here is new hijack.

Logfile of HijackThis v1.97.7
Scan saved at 1:04:39 PM, on 6/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\CUSTOMAX 4\CMLAUNCH.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 2000\QSHELF2K.EXE
C:\AMERICA ONLINE 6.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\SR64\IFCDDIBB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
D:\HIJ\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-11-IIZXP-L-0O-OLL11IZ0OIL-OL.COM/725ca17629/97681342/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.topsearcher.com/ie/
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\ PQINIT.EXE
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.dll
O4 - HKLM\..\Run: [CMLaunch] C:\Program Files\CustoMax 4\CMLaunch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

Please review my 2nd hijack run. I followed Don's intstructions and posted the results. Look same to me, but do not understand what i am reading.

some more info. install latest virus scanners, found NOCLOSE and IEstart.gen.d trojans but info says not to malicious. Explorer runs now and rate of "illegal operations" is reduced, but still have some. Unless someone sees something in the hijack run, i assume just wear and tear from Bill Gates and will try to find fixit programs. Thanks for the help.

steve

Lets see if this will help us out a bit

http://www.majorgeeks.com/download.php?det=2471

Dowload the latest version of spybot.

Check for updates then run it and have it fix anything it finds in red.
Post back a fresh log after you have done this please