Explorer error message

I am running Win98SE & IE6. I have an Explorer error
message: "This program has perfored an illegal operation
and will be shut down. If the problem persists, contact
the program vendor." The 'Details' button
reveals: "Explorer caused an invalid page fault in module
DONDI.DLL at Ola:10017d44." and then what looks like
memory locations. When I 'Close' the error message
window, it shuts down the computer. Not suprizingly, I am
now swamped with popups... it constantly loads web pages,
etc. I have run SpyBot, Adaware & Spy Sweeper. How can
I get the DONDI.DLL problem fixed? Then I will
concentrate on the spyware/adware problem. I keep NAV
updated. I connect via RoadRunner cable modem. Any help
will be greatly appreciated! Thanks!

Dondi.dll is most likely installed by malware.

There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

**Note, if you are using XP SP2 the following command, run from start/run,
may get your computer going again - it will reset the winsock catalogue:

netsh winsock reset

The software you should download and have ready to use is:

AdAware [..Warning: AdAware has now released Ad-Aware SE Personal Edition,
available from http://www.lavasoftusa.com/support/download/ Version 6.181
is, at the time of writing, still supported. All previous versions are NO
LONGER SUPPORTED and will not be updated...]

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder - http://www.merijn.org/files/CWShredder.exe

HackerDefender Disabler - http://www.aumha.org/downloads/unhackdef.zip
Extract the BAT file to your desktop.

Trend Micro's 'Damage Cleanup Engine / Template
http://www.trendmicro.com/download/dcs.asp and the latest pattern file
http://www.trendmicro.com/download/pattern.asp

IMPORTANT: After obtaining the required software above, make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

Go to Control Panel, Folder Options, View Tab. Turn on the option to show
hidden files. Turn off the option to hide protected system files.
***WARNING!! Files are hidden by Windows for a very good reason. It is not
wise to 'experiment' with these files. Unfortunately, to successfully
remove modern malware we must turn this protection off. There is a risk to
doing this. Please turn the protection back on when you have finished
cleaning your system.***

Run HackerDefener Disabler by doubleclicking. A DOS window will flash onto
your screen and then disappear. This is normal.

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs, then reboot. Check all 'startup' folders
at ..\Documents and Settings\All Users\Start Menu\Programs\Startup or
...\Documents and Settings\username\Start Menu\Startup

Go to start/run and type MSCONFIG. Go to the startup tab. Disable
everything that you do not recognise as legitimate (do not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find
information about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\name\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Delete anything you don't
recognise (hint: check the object's properties by right clicking the object
and select 'properties'. You will often be able to easily recognise
legitimate objects such as those related to java, or Windows Update, and
will even see what URL the object was downloaded from.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

Start CWSHREDDER. Fix anything it finds. Reboot back into safe mode.

Start AdAware.

AdAware SE...

Remember to update using the 'check for updates now' button. Update, then
select 'start' option.

Make sure that 'search for negligible risk entries' is turned on. Select
'use custom scanning options' then select 'customise'. Make sure the
following options are enabled: 'scan within archives', 'scan active
processes', 'scan registry', 'deep scan registry', 'scan my IE favorites for
banned URLs', 'scan my Hosts file'.

Select the 'tweak' option. Under 'scanning engine', make sure 'unload
recognized processes and modules during scan' is enabled. Enable 'scan
registry for all users instead of current users'.

Under 'cleaning engine' turn on 'always try to unload modules..', 'during
removal unload explorer and IE if necessary', 'let windows remove files in
use at next reboot', 'delete quarantined items after restoring'.

Use the 'select drives and folders to scan' option to ensure that your
ENTIRE hard drive is scanned (if you have more than one hard drive, scan all
of them (of course, do not include floppy and CD/DVD).

Adaware 6.181 (versions older than 6.181 are unsupported and useless)

Note that when run using default settings, older versions of AdAware do not
cope with new 'intelligent' malware. Make the following changes to the
default settings.

Use the option 'select drives/folders to scan'. Set AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on the 'customize'
button. Turn on the following scan options - scan within archives, scan
active processes, scan registry, deep registry scan, scan [my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects prior to
deletion', 'let windows remove files in use at next reboot', 'delete
quarantined objects after restoring'.

Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers.
Fix anything marked in red.

If the problem comes back, start all over again but with the following
changes (this section requires advanced computer skills - inexperienced
users will require assistance, available via the public newsgroups or
various anti-spyware forums, my preferred forum being
http://forum.aumha.org/)

Use Trend Micro's 'Damage Cleanup Engine / Template. Note: You must follow
*all* instructions provided by Trend Micro:
http://www.trendmicro.com/ftp/products/tsc/readme.txt

Turn off the option to automatically clean or delete detected files. Run
the utility. Remove anything that is *not* in 'system volume information'
(thanks for the warning Mow).

Run Adaware etc etc as per above.

The following is for advanced users and professional technical support -
these steps are NOT recommended for the inexperienced. I have not
provided detailed instructions or advance and have assumed a higher than
average level of skill...

Remember, do as much as you can in safe mode. Use the HackerDefender
Disabler above before starting indepth diagnosis.

Go to MSCONFIG and go to the General tab. Turn off the options to process
win.ini file, load system services and load startup items. Restart Windows
and run AdAware etc once more.

The following is by no means exhaustive. Without the amazing brain of Tony
Klein (in particular) and other MVPs I simply could not keep up with what to
learn and where to look when trying to keep on top of malware. Guys, I
simply couldn't do it without you!!! I have learned a lot about where to
look for malware from Tony in a private web forum. If there was a publicly
available URL I would point to it, but as far as I know there isn't, and the
information is critically important to those of us doing at the sharp end of
the cleanup brigade.

Note: I have provided a list of utilities further down that will do a lot of
the following gruntwork for you. Examine win.ini, autoexec.bat, system.ini,
config.nt, autoexec.nt as relevant. Use services.msc. Search for unusual or
unexpected *.bat files and unexpected autostart entries in the Run, RunOnce,
RunOnceEx, RunServices, Services, Winlogon and Scripts registry keys.
Search the rest of the registry for any further references to discovered
malware. Invariably if you find a malware key in one of those keys, you'll
find a further reference to the component elsewhere.

Also watch out for entries at
HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\ Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser
Helper Objects

I strongly recommend that unless you have a lot of experience working in
this area that until such time as I am able to track down a comprehensive
list of legitimate services (or put one together myself), that you post
details of the services revealed by services.msc to a microsoft.public
newsgroup for professional guidance. If you turn off the wrong service you
could cause serious problems, and at the very worst, leave the computer
unbootable.

An experienced computer technician can use programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Or Process Viewer for Windows:
http://www.teamcti.com/pview/

Or 'Silent Runners':
http://www.aaronoff.com/silent_runners/

Or APM (Advanced Process Manipulation):
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and cannot be used. Run disk cleanup to remove old restore
points (if your operating system has this option you will find it on the
'more options' tab of the disk cleanup utility. If the option to remove old
restore points is not available, stop and restart the restore service which
will flush out old restore points and prevent accidental reloading of
malware.

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default...b;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine


--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/




DanS wrote:
I am running Win98SE & IE6. I have an Explorer error
message: "This program has perfored an illegal operation
and will be shut down. If the problem persists, contact
the program vendor." The 'Details' button
reveals: "Explorer caused an invalid page fault in module
DONDI.DLL at Ola:10017d44." and then what looks like
memory locations. When I 'Close' the error message
window, it shuts down the computer. Not suprizingly, I am
now swamped with popups... it constantly loads web pages,
etc. I have run SpyBot, Adaware & Spy Sweeper. How can
I get the DONDI.DLL problem fixed? Then I will
concentrate on the spyware/adware problem. I keep NAV
updated. I connect via RoadRunner cable modem. Any help
will be greatly appreciated! Thanks!

Sandi,
Thank you very much for your reply & the information you
gave! I will begin the process once I get home today. I
hope that I can get past this mess soon. I did notice in
\Windows\System that there are 29 "DLL" files all with the
date of 9/20/04. I am really loaded-up with junk & I don't
do games or risky sites... go figure?
Thanks again! I hope you have a great day!!
DanS
-----Original Message-----
Dondi.dll is most likely installed by malware.

There are many people who have helped this FAQ improve
over time - MVPs and
newsgroup users. I thank all of you who have made the
newsgroups,
anti-malware websites and dedicated mailing lists into
such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to
reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a
copy of LSPFIX from
the URL below - some malware can kill your internet
connection when it is
removed, and this software should get things going for
you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

**Note, if you are using XP SP2 the following command,
run from start/run,
may get your computer going again - it will reset the
winsock catalogue:

netsh winsock reset

The software you should download and have ready to use is:

AdAware [..Warning: AdAware has now released Ad-Aware SE
Personal Edition,
available from
http://www.lavasoftusa.com/support/download/ Version 6.181
is, at the time of writing, still supported. All previous
versions are NO
LONGER SUPPORTED and will not be updated...]

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis -
http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder - http://www.merijn.org/files/CWShredder.exe

HackerDefender Disabler -
http://www.aumha.org/downloads/unhackdef.zip
Extract the BAT file to your desktop.

Trend Micro's 'Damage Cleanup Engine / Template
http://www.trendmicro.com/download/dcs.asp and the latest
pattern file
http://www.trendmicro.com/download/pattern.asp

IMPORTANT: After obtaining the required software above,
make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

Go to Control Panel, Folder Options, View Tab. Turn on
the option to show
hidden files. Turn off the option to hide protected
system files.
***WARNING!! Files are hidden by Windows for a very good
reason. It is not
wise to 'experiment' with these files. Unfortunately, to
successfully
remove modern malware we must turn this protection off.
There is a risk to
doing this. Please turn the protection back on when you
have finished
cleaning your system.***

Run HackerDefener Disabler by doubleclicking. A DOS
window will flash onto
your screen and then disappear. This is normal.

First, go to Control Panel, add/remove programs. Check
for malware entries
and use the uninstall programs, then reboot. Check
all 'startup' folders
at ..\Documents and Settings\All Users\Start
Menu\Programs\Startup or
...\Documents and Settings\username\Start Menu\Startup

Go to start/run and type MSCONFIG. Go to the startup
tab. Disable
everything that you do not recognise as legitimate (do
not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide
all Microsoft
Services'. Disable everything that remains. If you
don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the
boot menu options
appear. Choose Safe Mode as your startup choice. You
will find
information about what safe mode is, and what it does, at
this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

Empty your IE cache and your other temporary file
folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\name\Local
Settings\Temp (the
path to your temp folder will change depending on your
name) - sometimes
programmes can be hidden in there - watch out for
mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet
Files {Settings
Button}, View Objects, Downloaded Program Files. Delete
anything you don't
recognise (hint: check the object's properties by right
clicking the object
and select 'properties'. You will often be able to easily
recognise
legitimate objects such as those related to java, or
Windows Update, and
will even see what URL the object was downloaded from.

Go to IE Tools, Internet Options, Accessibility. Make
sure there is no style
sheet chosen (under User Style Sheet - format documents
using my style
sheet). If the option is turned on, turn it OFF.

Start CWSHREDDER. Fix anything it finds. Reboot back
into safe mode.

Start AdAware.

AdAware SE...

Remember to update using the 'check for updates now'
button. Update, then
select 'start' option.

Make sure that 'search for negligible risk entries' is
turned on. Select
'use custom scanning options' then select 'customise'.
Make sure the
following options are enabled: 'scan within
archives', 'scan active
processes', 'scan registry', 'deep scan registry', 'scan
my IE favorites for
banned URLs', 'scan my Hosts file'.

Select the 'tweak' option. Under 'scanning engine', make
sure 'unload
recognized processes and modules during scan' is
enabled. Enable 'scan
registry for all users instead of current users'.

Under 'cleaning engine' turn on 'always try to unload
modules..', 'during
removal unload explorer and IE if necessary', 'let
windows remove files in
use at next reboot', 'delete quarantined items after
restoring'.

Use the 'select drives and folders to scan' option to
ensure that your
ENTIRE hard drive is scanned (if you have more than one
hard drive, scan all
of them (of course, do not include floppy and CD/DVD).

Adaware 6.181 (versions older than 6.181 are unsupported
and useless)

Note that when run using default settings, older versions
of AdAware do not
cope with new 'intelligent' malware. Make the following
changes to the
default settings.

Use the option 'select drives/folders to scan'. Set
AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on
the 'customize'
button. Turn on the following scan options - scan within
archives, scan
active processes, scan registry, deep registry scan, scan
[my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects
prior to
deletion', 'let windows remove files in use at next
reboot', 'delete
quarantined objects after restoring'.

Scanning engine: 'unload recognized processes during
scan'.

After you have finished with AdAware run Spybot to pick
up any leftovers.
Fix anything marked in red.

If the problem comes back, start all over again but
with the following
changes (this section requires advanced computer
skills - inexperienced
users will require assistance, available via the
public newsgroups or
various anti-spyware forums, my preferred forum being
http://forum.aumha.org/)

Use Trend Micro's 'Damage Cleanup Engine / Template.
Note: You must follow
*all* instructions provided by Trend Micro:
http://www.trendmicro.com/ftp/products/tsc/readme.txt

Turn off the option to automatically clean or delete
detected files. Run
the utility. Remove anything that is *not* in 'system
volume information'
(thanks for the warning Mow).

Run Adaware etc etc as per above.

The following is for advanced users and professional
technical support -
these steps are NOT recommended for the
inexperienced. I have not
provided detailed instructions or advance and have
assumed a higher than
average level of skill...

Remember, do as much as you can in safe mode. Use the
HackerDefender
Disabler above before starting indepth diagnosis.

Go to MSCONFIG and go to the General tab. Turn off the
options to process
win.ini file, load system services and load startup
items. Restart Windows
and run AdAware etc once more.

The following is by no means exhaustive. Without the
amazing brain of Tony
Klein (in particular) and other MVPs I simply could not
keep up with what to
learn and where to look when trying to keep on top of
malware. Guys, I
simply couldn't do it without you!!! I have learned a
lot about where to
look for malware from Tony in a private web forum. If
there was a publicly
available URL I would point to it, but as far as I know
there isn't, and the
information is critically important to those of us doing
at the sharp end of
the cleanup brigade.

Note: I have provided a list of utilities further down
that will do a lot of
the following gruntwork for you. Examine win.ini,
autoexec.bat, system.ini,
config.nt, autoexec.nt as relevant. Use services.msc.
Search for unusual or
unexpected *.bat files and unexpected autostart entries
in the Run, RunOnce,
RunOnceEx, RunServices, Services, Winlogon and Scripts
registry keys.
Search the rest of the registry for any further
references to discovered
malware. Invariably if you find a malware key in one of
those keys, you'll
find a further reference to the component elsewhere.

Also watch out for entries at
HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion \Windows\
AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersi
on\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersi
on\Explorer\Browser
Helper Objects

I strongly recommend that unless you have a lot of
experience working in
this area that until such time as I am able to track down
a comprehensive
list of legitimate services (or put one together myself),
that you post
details of the services revealed by services.msc to a
microsoft.public
newsgroup for professional guidance. If you turn off the
wrong service you
could cause serious problems, and at the very worst,
leave the computer
unbootable.

An experienced computer technician can use programme such
as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Or Process Viewer for Windows:
http://www.teamcti.com/pview/

Or 'Silent Runners':
http://www.aaronoff.com/silent_runners/

Or APM (Advanced Process Manipulation):
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the
operating system,
create a new restore point. The old ones may, of course,
be infected with
the malware and cannot be used. Run disk cleanup to
remove old restore
points (if your operating system has this option you will
find it on the
'more options' tab of the disk cleanup utility. If the
option to remove old
restore points is not available, stop and restart the
restore service which
will flush out old restore points and prevent accidental
reloading of
malware.

MS have released a limited KB article regarding what they
call 'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-
US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine


--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/




DanS wrote:
I am running Win98SE & IE6. I have an Explorer error
message: "This program has perfored an illegal operation
and will be shut down. If the problem persists,
contact
the program vendor." The 'Details' button
reveals: "Explorer caused an invalid page fault in
module
DONDI.DLL at Ola:10017d44." and then what looks like
memory locations. When I 'Close' the error message
window, it shuts down the computer. Not suprizingly, I
am
now swamped with popups... it constantly loads web
pages,
etc. I have run SpyBot, Adaware & Spy Sweeper. How
can
I get the DONDI.DLL problem fixed? Then I will
concentrate on the spyware/adware problem. I keep NAV
updated. I connect via RoadRunner cable modem. Any help
will be greatly appreciated! Thanks!

.