My IE can't browse sites

[mashimaro]

Hi,

recently my pc just got infected with RS32net.exe, at that same time my keyboard can't do alt+tab function properly, but the button works fine separately. Don't know what to do, so I decided to do formatting, reinstalling Windows XP SP3 and necessary drivers, antivirus and antispyware. That keyboard still got the same problem with alt+tab function, don't know what's the problem.

The main problem is that my IE can't browse 1 site (so far) which is site for online game.
Strange, because I still can logon and play that game.
The XP network diagnostics says that Windows did not detect any problems with your Internet connection. If your browser cannot display the page try following: blah blah...
Another strange thing is If I click link to that site from other site, I can enter..

My Spec is:
X2 4200, 2GB DDR 800, HD3200 onboard, XP SP3, and AVG 8 free for antivirus.

I hope someone can help, and I'm sorry for my bad English.

Thanks

 

[Bobbye]

RS32net.exe is identified as a Trojan/Backdoor, variant of the Trojan.Win32.Agent.aecm malware. You do not tell us how you know you have this infection or what you have done to remove it.

You can try doing this first:
Kill the process rs32net.exe : Right click on the Taskbar> Task Manager> find rs32net.exe> highlight> Click on End Task.

Then remove from Windows startup:
Start> Run> msconfig> enter> Selective Startup> Startup tab> find rs32net.exe and UNCHECK it> Apply> OK> Reboot.

Ignore the nag message that comes up and close after clicking on 'don't show this message again.' Stay in Selective Startup.

Now do the following:
Please follow the steps here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

When you have completed running the programs, please attach the three logs here for review.

 

[mashimaro]

I know my pc got infected by this RS32net.exe by press ctrl+alt and it shows strange program and I google it and foung that it is some kind of malware.

I remove it by formatting, and reinstall. Do 8 steps and no virus/malware found, and here's my hijackthis log.

Now what's left is browsing problem as I mentioned before.

 

[Bobbye]

I would like to see the logs from MalwareBytes and SuperAntispyware.
Did you do what I suggested about killing the RS32net?
Did you scan with AVG?

I can't eliminate a malware-related cause until I know these things. Getting rid of a Trojan Backdoor is just not that easy. The only suspicious entry in the HijackThis logs is:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

If you have set up a homepage to come up with a blank page, then it's not a problem. If you have not, then you have the about blank malware.

 

[mashimaro]

I already did all that you have suggested before.

About the homepage, yes I have set homepage to come up with a blank page.
If I set homepage to site that I can't enter before, I can browse that site. After enter that site, I have to use "open in new window" to open that site menu.

Here's the 3 logs.

 

[Bobbye]

Okay, here's the culprit in the HijackThis log:

Remove bad HijackThis entries
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - https://www.ragnarok.co.id/nprotect/nprotect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.ragnarok.co.id/nprotect/nPKeyCrypt/npkcx.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode:

Open Internet Explorer> Tools> Manage Add-ons> find the following entries> click to highlight> click on Disable:

NPX Control
nPKeyCrypt

When through, reboot into Normal Mode.
Run SDFix:
Download SDFix here: http://www.bleepingcomputer.com/files/sdfix.php

* Save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode

* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• When completed, close the application

* Attach Report.txt back here. Rescan with HijackThis and attach new log.

Reset your homepage to where you want. Go to the site> then click on Tools> Internet Options> General tab> Homepage section> check 'use current.'

 

[mashimaro]

I open manage add-ons on IE, and I can't find those two.

Here's the logs.

 

[Bobbye]

The log is clean and the entries are gone.

Did you try this?

Reset your homepage to where you want. Go to the site> then click on Tools> Internet Options> General tab> Homepage section> check 'use current.'

Result?

 

[mashimaro]

The result for that site is:
res://C:\WINDOWS\system32\xpsp3res.dll/dnserror.htm

 

[Bobbye]

res://C:\WINDOWS\system32\xpsp3res.dll/dnserror.htm

Here is a well laid out troubleshooting for the problem you are experiencing. It is not malware, but something within IE itself. Go step by step here:
http://support.microsoft.com/?scid=kb;en-us;813444&x=9&y=15

 

[mashimaro]

Thanks Bobbye.

My IE still can't open that site, but Firefox can.
Using Firefox from now on, and surprisingly my old keyboard works fine again (strange but true).

 

[Bobbye]

Then it's an IE problem, not system. I won't discourage you from using Firefox. I've been using it for over 4 years and absolutely hate it if I have to open IE. Incidentally I also have IE6.

Do you remember if you did any Windows Updates before this problem started? There was one that combined with a specific version of ZoneAlarm prevented the connection. I'll see if I can find the update number for you. I don't see ZA one your system though.

 

[mashimaro]

Actually, after reinstalling Windows, I never did any Windows Updates before this problem started.

Just installed IE7 and updates for that, maybe it can solve the problem, but still no luck.

Sadly because I like IE and the reason is I already get used to its menu, but I think I'm gonna like this Firefox, since it can open the some sites that IE can't. And surprisingly it opens faster than IE.

Yes, I don't have ZoneAlarm installed.

Thank you Bobbye

 

[Bobbye]

Please give me the URL for the page that is giving you this error:

res://C:\WINDOWS\system32\xpsp3res.dll/dnserror.htm

I'm going to use both Firefox and IE6 and see if I can find any content that might cause the error.

 

[mashimaro]

www.ragnarok.co.id

 

[Bobbye]

What an interesting turn of events!

Back in Post #6 , I had you remove these 2 entries:
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - https://www.ragnarok.co.id/nprotect/nprotect/npx.cab
{CFCB7308-782F-11D4-BE27-000102598CE4} NProtect http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075446 X

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.ragnarok.co.id/nprotect/...rypt/
Adware: Software that displays pop-up/pop-under advertisements when the primary user interface is not visible, or which do not appear to be associated with the product.

Registry items:

HKEY_CLASSES_ROOT\clsid\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
HKEY_CLASSES_ROOT\typelib\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}

And then disable these Active X Objects.:
NPX Control
nPKeyCrypt

I did this because Computer Associates classifies nprotect as Adware.

Give this URL a try: http://iro.ragnarokonline.com/

This is the ID page. Is this where you want to be? If so, the URL you were using was not good.

Here is information-according to the vendor on nProtect:

nProtect™ is a new conceptweb-based anti-hacking & anti-virusutility tool designed to protect PCterminals from being infected byviruses or hacking tools.It helps toensure that allin for mationentered into thePCterminals from being infected by viruses or hacking tools.
It helps to ensure that all information entered into the PC terminals during web access will not fall into the hands of hackers

By deploying nProtect™ on their websites,financial institutions
offering e-services, portals and e-commerce sites can increase the security level for the end-users when they perform electronic transactions.

http://eng.nprotect.com/

Let me know.

 

[mashimaro]

Thanks for the information.

iro.ragnarokonline.com works fine, but not www.ragnarok.co.id

 

[Bobbye]

So use what I left. This one is no good> www.ragnarok.co.id

It's possible that work was done on the site and a slight change was made, making the original URL you used no good. You might want to delete your temporary internet files and the Cookies for the site as that could cause a problem.

 

[mashimaro]

I can enter that site from the link that you gave me, but after that, the link on that page doesn't working.

 

[Bobbye]

Okay, let's do "steps"
1. You use the link I gave to access the log on page.
2. You fill in your log on information.
3. You press Enter>>>>> what happens?
Do you get any kind of message

but after that, the link on that page doesn't working.

Steps again:
1. You are now logged on.
2. You are finished and close the site using the X at top right of screen.
3. You decide to go back to the logon page>>> what happens?
IF you sign in and if you have the 'remember me' checked and if you keep the Cookie that has your log on information, then you should be able to start typing your logon name and the system will regognize your IP and complete the information. You should then be logged on.

At this point, look in the Address Bar and see what the URL is. Copy it. Now close he page> go back to the page and paste in the URL you copied. Does that work?

Did you delete the temporary internet files? Delete any shortcuts and Favorites or Bookmarks you have for this site. Type the address I gave you and set a NEW shortcut.

Here is the Contact page for that site. If the problem persist, please use one of the contact methods to email the webmaster, tell of the problem you're having and ask for help.

 

[mashimaro]

The log on page is http://www.ragnarok.co.id/member/login.asp

 

[mashimaro]

2. You fill in your log on information.
3. You press Enter>>>>> what happens?
Do you get any kind of message

The page cannot be displayed
.......Diagnose Connection Problems....

Diagnose, the result is :
Windows did not detect any problems with your Internet connection. If your browser cannot display the page try the following: refresh page, check spelling, access from a link.

 

[Bobbye]

I cannot load the page either. I'm sorry but I can't spend any more time on this one site. Please use the contact information I left. Maybe their webmaster can help you. I am confident that the problem is with the site itself and not your (or mine) system.

 

[mashimaro]

Thanks Bobbye for all your help and information.
God bless you.

 

[Bobbye]

You're welcome. I'll be interested to hear what the webmaster says.