Ran AdAware, now Norton Firewall and IE aren't working


BigFred
02-16-2003, 05:49 PM
Running WIN98 on a Gateway P-450. All programs working normally, including NAV2003 and Norton Personal Firewall 2002. Son ran AdAware and removed vice quarantined all files/entries found. (Cannot retrieve the files/entries removed, nor do I know what they were.) The following problems I think are related to this. Firewall ceased working (Runtime Error with IAMAPP.EXE and NISSERV.EXE abnormal termination message). Fixes listed on the Symantec page didn't solve the problem (uninstall/reinstall, among other steps). Also, IE not working properly. I tried upgrading to IE 6.0 to solve it, but no luck. I can access web sites, but when a link in the site directs a new IE window to open, the "frame" of the window opens, but remains transparent. This also occurs when I'm trying to view my work email from Outlook Web Access. I can view my email inbox, but cannot open individual emails to read. I tried restoring the registry but got an "operation failed" for each of the old ones I tried, and now the last five stored registries are after the problem. When viewing the Symantec site, they referenced the "OLEAUT32.DLL" file. I could not find the file on my computer, so I downloaded the most current version and installed it. It still doesn't show using the "Find file" function. Could this be the problem? Any ideas on what to do next??? Thanks in advance.

mjc
02-16-2003, 06:17 PM
1. What version of AdAware?

2. List any and all, specific error messages.

BigFred
02-16-2003, 06:26 PM
The error I get when I tried to run Norton Firewall was:

C++ Error (in the header of the error box...not sure of the exact wording)
Runtime Error
C:\windows\program files\Norton\IAMAPP.EXE (or NISSERV.EXE)
Abnormal Program Termination

The program would open and I'd get the "Control Panel" for the program, but when I tried to open one of the items, like "personal security" or "Status", I'd get nothing with no other indications or error messages.

Running AdAware Ver6.0. Don't know how to "unremove" the files that my son removed.

YODA74
02-16-2003, 07:01 PM
Have you tried opening Ad-Aware and clicking on the quarantine button, highlighting the items in quarantine and then clicking restore?? I know this sounds too simple :D

Paul Komski
02-16-2003, 10:08 PM
oleaut32.dll is normally in the windows/system folder and is not normally a hidden file. Funny that you can't even find a file you put somewhere yourself. Be warned that these dlls come in different versions, such that the version may have been changed by upgrading to IE6; this is also true for the urlmon.dll, which also has functions related to links in IE and OE. The usual way to re-register the correct ones is to enter regsvr32 oleaut32.dll and regsvr32 urlmon.dll in the run box. Copies of the originals are usually kept in a cab file on your hdd (therefore not visible in W98) or on your installation CD.

Upgrading to IE6 may just have exacerbated your problem unfortunately, but it sounds like you either need to restore these files out of quarantine or possibly by running sfc.

BigFred
02-16-2003, 11:48 PM
Both the OLEAUT32 and URLMON DLL files are in the proper place. Not sure why they weren't showing in a previous search. Anyway, SFC didn't find anything amiss when I ran it and I can't restore the files that AdAware removed unless someone can tell me how to restore them. They weren't quarantined...they were removed. Any ideas for a next step? I'm thinking that reinstalling Windows might be the next step, but want to save that as the last resort. Thanks for the previous ideas.

mjc
02-17-2003, 01:56 AM
I take it there were no backups made.....backups are the norm for AAW.

Without knowing what was removed it will be very difficult to say where the problem is.


Although, with some of the symptoms, I would be inclined to believe that it really isn't AAW's and your son's fault but that there was really something unsavory on there to begin with.

I would recommend getting TrojanHunter or TDS-3 trial version(link in my sig) and running one of them. The disabling of NAV and NIS smells of trojan/virus and not anything AAW did.

Also posting a Hijack This log (link in the same place) would be a good idea, too.

[EDIT]

I have just seen a couple of other threads at the Lavasoft forums with similar problems as yours....

Trying to track down more info....

mjc
02-17-2003, 03:29 AM
[additional]

It is very important to get the Hijack This log and the AdAware log, copy and paste both of them in to this thread.

It is absolutely essential to find out what AAW removed and if possible to work backwards to restore it, after reading those other threads I believe it is indeed AAW's fault!

BigFred
02-17-2003, 05:47 AM
I'm at work now, but I'll do that when I get home. Not too familiar with AdAware, but what is the "Hijack this Log"?? I'll see if I can figure out the AdAware log part. Appreciate your input on this problem.

BigFred
02-17-2003, 06:23 AM
MJC,
A novel idea, but I just posted this on the AdAware site, too. Didn't even think about doing that until I read your post about the Lavasoft site. Thanks.

mjc
02-17-2003, 01:09 PM
Good luck over there....

They will most likely want to see the same logs, so it would be best to go ahead and get HiJack This...it can be downloaded from http://www.spywareinfo.com/~merijn/

BigFred
02-17-2003, 10:20 PM
MJC,
Just reread my last post and wanted to make sure you realized I was pointing out my own mistake by not doing the obvious and checking the AdAware website on my own...as I reread it I realized it might have sounded like I was mocking you which wasn't the case at all.
There are four logs for AdAware and I'm not sure which one contains the run my son did. I also ran Hijack This and will attempt to attach the file. I also realized that my son ran Spybot also and quarantined a bunch of files, but undid it after we started having the current problem. I can attach that file also.

BigFred
02-17-2003, 10:29 PM
Not sure if there's an easier way to attach multiple files. here's the Spybot log.

BigFred
02-17-2003, 10:29 PM
Part 2 of the log...it's big.

BigFred
02-17-2003, 10:32 PM
Part 1 of the log. I think this is the one that he ran.

BigFred
02-17-2003, 10:33 PM
Part 2 of the log. As none of this makes much sense to me, if you have the time and knowledge to decipher this, I'd greatly appreciate it. Standing by for any tips/advice you might have.

mjc
02-18-2003, 03:35 AM
Ok, if you posted these same logs over there then TonyK will probably say the same thing I am about to...

About the only thing there was WurldMedia, which under normal removal doesn't break things.

Hold off on lwells' suggestion until TonyK responds.

I have a couple of ideas, but I want to see what Tony says.

My thoughts are that there was something in build 160 that does not agree too well with Norton.

And after all of this it seems you still have Wurldmedia......

O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - C:\WINDOWS\SYSTEM\MBHO.DLL

O16 - DPF: {9EBE0402-27C2-11D6-A9D5-00500413153C} - ttp://webpdp.gator.com/download/iegator_3090B_webpdpgeneric.cab

{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}
Download location: ttp://images.bonzi.com/freebuddy/wd/bbsetupad1.exe

{DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C}
Download location: http://62.129.133.7/mt/dialers/on/NSupd9x.cab



The ones in bold are items AAW either missed or does not check for.....

One of the most worrisome is the one in italics, the dialer, manually kill it please.

For your Norton problem, disable it completely: if you can get into its control panel, stop it from loading at boot time; if you can't, use MSconfig (enter that in the run box) and disable everything Norton. Then uninstall it, and reinstall. If the removal was complete you will have to reconfigure it.

For the other stuff....I'm sitting here scratching my head, because it may not be related.

Let's take it one step at a time.

BigFred
02-18-2003, 09:30 AM
Thanks for the feedback. I'll do what you've recommended as well as what TonyK has recommended (he mentioned some different/additional steps) and let you know what the results are. Can't tell you how much I appreciate your advice. I don't know where else I could get this kind of guidance. As an aside, when I was on the Discover Card site, when I clicked on a link to view an additional window, I got the same symptom (empty frame). I noticed that I was being directed to a Javascript block...could that be part of the problem...a Java execution error? I have no idea what that is, so I might be asking a laughable question...just a thought.

TonyKlein
02-18-2003, 09:48 AM
Hi guys,

I spotted some bad stuff in the Hijack This log, and I'll do a copy and paste of what I posted at the Lavasoft board (http://www.lavasoftsupport.com/index.php?act=ST&f=24&t=4138&st=0&#entry23726):

Your Hijack This log reveals that you do have some malware, notably two backdoor trojans or worms.

That ought to be at least part of the cause of your problem.

Please do this:

Run Hijack This, and check ALL of the items in bold. Doublecheck so as to be sure not to miss a single one.
Next, shut down all Internet Explorer Windows, and have HT fix all checked.

Reboot when you're done.


O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - C:\WINDOWS\SYSTEM\MBHO.DLL

O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\SYSTEM\KERNEL32.DLI
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://62.129.133.7/mt/dialers/on/NSupd9x.cab

After rebooting, find and DELETE the following two files:

C:\WINDOWS\SYSTEM\KERNEL32.DLI

NOTE: it's Kernel32.dli ! Do NOT touch Kernel32.dll

and

C:\WINDOWS\SYSTEM\EXPLORER.EXE

NOTE: This particular Explorer.exe file is located in your Windows\System directory, and is NOT the real C:\Windows\Explorer.exe, which you should obviously leave alone.

Both of the files mentioned are nasties and NOT Windows files.

After getting rid of these, repair Internet Explorer: Control Panel > Add/Remove Programs > MS Internet Explorer > Remove > Repair IE

Subsequently, test Internet Explorer. If the New Window issue should still exist, it's an Oleaut32 version conflict, and in that case please do this:

Go to Start/run, and type SFC.
Choose 'Extract One File From Installation Disk'.
Type oleaut32.dll, not worrying about its location. Then, click Start.

Next to 'Restore From', type in or browse for the file’s location, which is probably in the Win98 folder of your installation CD-ROM (typically D:\Win98), or in your Windows\Options\Cabs folder, as the case may be.

Then, next to 'Save File In', enter C:\Windows\System, and click OK. System File Checker looks for the file, saves it as you requested, and then tells you that 'the file has been successfully extracted'.

Reboot, and tell us whether that solves your problem.

NOTE: before doing that, make a copy of your present version of Oleaut32.dll and save it outside your Windows\System directory for safekeeping.


If you guys like, we can continue the discussion here, as I don't believe Mjc hangs at the Lavasoft board. That would make it easier to deal with this.


Good luck,

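The two HijackThis reviews above (mjc's list of leftover BHO/ActiveX entries, and TonyKlein's spotting of KERNEL32.DLI and a SYSTEM\EXPLORER.EXE masquerading as Windows files) are the kind of checks that can be written down so the next log does not depend on someone reading it by eye. The script below is an added example for this thread; it is not code from the thread, from HijackThis, Lavasoft or Symantec. It parses the O2/O4/O16 lines quoted in the posts above (the defanged "ttp://" URLs are left exactly as posted) and flags: a Run entry whose filename imitates a system file but with the wrong extension, a system filename living in the wrong directory, an unnamed BHO, an ActiveX download served from a bare IP address, and the two hosts mjc identified as adware leftovers. Assumptions: the EXPECTED_LOCATION table is a default Win98 layout, KNOWN_ADWARE_HOSTS is taken only from the hosts named in this thread, and the scanregw line in the sample is a constructed benign control so the heuristics have something they must not flag.

```python
"""Triage heuristics for HijackThis-style log lines (Windows 9x era).

Added example for this thread, not code from HijackThis or any vendor.
"""
import re
from dataclasses import dataclass

# Sample log. All lines except the scanregw one are copied from the thread;
# the scanregw line is a constructed benign control.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - C:\WINDOWS\SYSTEM\MBHO.DLL
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\SYSTEM\KERNEL32.DLI
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {9EBE0402-27C2-11D6-A9D5-00500413153C} - ttp://webpdp.gator.com/download/iegator_3090B_webpdpgeneric.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} - http://62.129.133.7/mt/dialers/on/NSupd9x.cab
"""

# Assumed default Win98 location of the genuine file. Same stem with a
# different extension (KERNEL32.DLI) or a different directory
# (SYSTEM\EXPLORER.EXE) is treated as a masquerade.
EXPECTED_LOCATION = {
    "kernel32.dll": r"c:\windows\system",
    "explorer.exe": r"c:\windows",
}

# Hosts the responders in this thread identified as adware leftovers.
KNOWN_ADWARE_HOSTS = {"webpdp.gator.com", "images.bonzi.com"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    section: str   # O2 / O4 / O16
    subject: str   # path, command or URL that triggered the rule
    reason: str


def split_path(cmd: str) -> tuple:
    """Return (directory, basename), lower-cased, with trailing switches dropped."""
    exe = cmd.split(" /", 1)[0].strip().strip('"')
    directory, _, base = exe.lower().rpartition("\\")
    return directory, base


def host_of(url: str) -> str:
    """Host part of a URL; also accepts the defanged 'ttp://' form used above."""
    return re.sub(r"^[a-z]*://", "", url.strip()).split("/", 1)[0].lower()


def check_o2(body: str) -> list:
    m = O2_RE.match(body)
    if m and m["name"] == "(no name)":
        return [Finding("O2", m["path"], "BHO registered without a name")]
    return []


def check_o4(body: str) -> list:
    m = O4_RE.match(body)
    if not m:
        return []
    directory, base = split_path(m["cmd"])
    stem = base.rsplit(".", 1)[0]
    for real_name, real_dir in EXPECTED_LOCATION.items():
        if real_name.rsplit(".", 1)[0] != stem:
            continue
        if base != real_name:
            return [Finding("O4", m["cmd"], f"imitates system file {real_name}")]
        if directory != real_dir:
            return [Finding("O4", m["cmd"], f"{real_name} outside {real_dir}")]
    return []


def check_o16(body: str) -> list:
    m = O16_RE.match(body)
    if not m:
        return []
    host = host_of(m["url"])
    if IPV4_RE.match(host):
        return [Finding("O16", m["url"], "ActiveX download from a bare IP address")]
    if host in KNOWN_ADWARE_HOSTS:
        return [Finding("O16", m["url"], f"known adware host {host}")]
    return []


CHECKS = {"O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text: str) -> list:
    """Run the section-specific checks over a whole log and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group(1))
        if check:
            findings.extend(check(m.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<42} {f.subject}")
```

Run as-is it prints five findings and stays silent on the scanregw control line. The masquerade check deliberately keys on the file stem rather than the full name, because that is exactly what the thread's KERNEL32.DLI relied on: a name that looks right at a glance and survives a search for "kernel32". Extend EXPECTED_LOCATION with other names only once you know where the genuine copy lives on the system being examined.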
mjc
02-18-2003, 11:01 AM
Hi Tony, and welcome....another board??

I go to LS occasionally, but not that often.

I think we can continue here, try and keep it all in one place?

Isn't it absolutely amazing how much "stuff" can accumulate in one machine.


Tony even got a couple I missed....Thanks, Tony :D

TonyKlein
02-18-2003, 11:52 AM
Hi mjc, and thank you for the welcome! :)

Yup, yet another board; I do seem to collect them without even trying... LOL

I do think it would be better to keep the discussion here. Hopefully that will allow us to solve this a little faster.

As I said in the Lavasoft thread, the first priority ought to be nuking those trojans off that computer.

And maybe change the passwords. This Netdevil trojan can be a password stealer:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netdevil.b.html

BigFred
02-19-2003, 12:03 AM
TonyK and MJC,
Problem solved with the email. Again, I can't thank you enough. I'm glad you guys were willing to take the time and share with me your substantial knowledge to solve this. Tony, I especially appreciated your step-by-step guide. I followed it and it turns out it was an OLEAUT32.DLL conflict. After restoring that file, it worked. A couple of questions remaining:
- MJC,
You listed two additional files that TonyK didn't mention: webpdp.gator and images.bonzi.com
Should I have HT fix these files as well??
- TonyK,
After I rebooted after running HT, the kernel32.DLI and explorer.exe files weren't anywhere to be found (I checked to make sure the "show hidden files" was checked). Should that concern me??

I'll try reinstalling the firewall and let you know if I have any problems.

mjc
02-19-2003, 01:54 AM
They are leftovers/parts of other spyware and if they are not active they are wasting space, so you should probably kill them too.

TonyKlein
02-19-2003, 02:15 AM
Hi Fred,

It's a pleasure! :)
I'm delighted to hear that all's well again!

About the missing kernel32.DLI and explorer.exe files, I guess they may have been removed previously by a/your antivirus. It's possible that all you actually had were their startup entries.

Cheers,

BigFred
02-19-2003, 09:40 AM
I'm coming to the well of knowledge for another issue. I checked after my last reboot and all programs were working correctly. I then loaded Norton Firewall 2002 and it installed with no errors. However, after I rebooted as directed, the startup wizard screen was displayed. After I went through the wizard and clicked "close", my screen went blank for about 5 seconds, then I got a lot of "static...blue/green colors" on the screen and an "invalid synch freq" message. Subsequent reboots repeat this error and I can't get past the Firewall startup wizard screen. I can probably reboot in safe mode and uninstall, but I wanted to see if there was a better solution. Any ideas?

mjc
02-19-2003, 11:15 AM
Why would the firewall want to change screen resolution/refresh rate?

It seems to me that somewhere in this process your video card drivers have been affected.

You could try removing the firewall in Safe Mode, and then, if you get back into normal mode, check and possibly re-install the video drivers.