About:blank - Hijack This Log: HELP PLEASE!

My original problem was browser hijacking by about:blank. You know the story by now - my home page (Alta Vista) was removed and replaced by about:blank. I was unable to permanently change back to Alta Vista; about:blank kept reappearing no matter what I did.

I downloaded and used a number of programs - AdAdware, Spy Sweeper, CWShredder and Hijack This among them.

Spy Sweeper found and removed 21 items from my computer, one of which was a trojan virus and the rest of which were spyware or adware.

In spite of all this, about:blank keeps trying to recapture my home page. Two of my programs (WinPatrol and Spy Sweeper) warn me whenver any attempted changes are being made to my home page and allows me to click on "no," which prevents the hijacking from taking place. By using these warnings, I am able to prevent the hijacking.

But the very fact that these warnings keep coming up, indicates to me that even though Spy Sweeper and AdAdware now tell me I am clean, I guess I am not.

Add in that, whenever I get one of these warnings about an attempted home page hijack, if I run CWShredder right after it, CWShredder always finds and removes 1 infected registry entry or it will tell me that it has removed a CWSearchX incident and fixed 6, infected registry entries.

Acting on your instructions, I have cleaned my system (Windows 98SE) with both Ad Adware and Spy Sweeper. I used the most recent versions of these programs and updated both of them prior to use.

Here is my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 9:58:02 PM, on 5/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
E:\WEBROOT\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NEIOHF.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

I need help in two areas: (1) I want these about:blank, attempted hijackings of my home page to stop and (2) ever since these attacks started, it takes anywhere from 30 to 60 seconds for a program to activate following a double click on any desktop icon. I would like to have normal speed restored in this area.

Any suggestions would be GREATLY appreciated! Thanks in advance.

pdmike

 

Hi pdmike,

Start with following these instructions :

download :


http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice but on the root drive, most likely C:\

1.Run start.bat and press option 1. A search will start, let it finish

'output.txt' will be created in the folder you installed dllfix in

Copypaste the complete contents of the txt file here pelase

Thnx

Cheers,

 

I did as instructed with regard to downloading and attempting to use dllfix.
It downloaded and installed OK, but when I tried to run start.bat, I got a message which said: "This is for Windows 2000 or XP only."

I am running Windows 98 SE (as I stated in my original post and as the Hijack This log also indicates).

Is there another version which I can use with my Windows 98 system and, if so, how do I get there?

(By the way - while I was attempting to use dllfix, I was advised by my trusty WinPatol on four, separate occasions, that a "browser helper" had been installed on my system and did I want my home page changed.)

Awaiting further instructions with thanks,

pdmike

 

Ah Sorry my bad!

Use these instructions for windows 98 :

Download: "StartDreck",

http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm

unzip to folder of choice

DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all

Check these boxes only:

Registry->run keys
System/drivers-> Running processes

hit >ok.

Post the complete log here please

Thnx

Cheers,

 

Ah - that works much better. Here is the StartDreck log as requested:

StartDreck (build 2.1.5 public BETA) - 2004-05-24 @ 05:47:15
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
*H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
*SpySweeper=E:\Webroot\SpySweeper.exe /0
»RunOnce
»Default User
»Run
*H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
*SpySweeper=E:\Webroot\SpySweeper.exe /0
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*ccApp=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
*GhostStartTrayApp=C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*WinPatrol Plus=E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
*CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
*ccEvtMgr=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
*GhostStartService=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
»RunServicesOnce
**n=rundll32 C:\WINDOWS\SYSTEM\MSPEP.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FF8FA481=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFFE8D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFE675=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFFDE0D=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF69F9=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
*FFFEF0A1=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
*FFFEE3F9=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
*FFFE0115=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFECDD5=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
*FFFE54ED=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
*FFFDAC91=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
*FFFDEE8D=C:\WINDOWS\RUNDLL32.EXE
*FFFCE8C9=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFC3E19=C:\WINDOWS\EXPLORER.EXE
*FFFBFB95=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB0A55=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
*FFFB44C9=C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
*FFF99B8D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
*FFFE31B5=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
*FFF90835=E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
*FFFAF969=C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
*FFFAC889=E:\WEBROOT\SPYSWEEPER.EXE
*FFFA5939=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF74435=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFBABA1=C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
*FFF73FD1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF7A975=G:\STARTDRECK\STARTDRECK.EXE
»Application specific

Awaiting further . . .

pdmike

 

Ok,

Proceed with the following :

-Download: "Win98Fix.zip" :

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

Unzip to folder if choice

-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!
-File should be visible!

C:\WINDOWS\SYSTEM\MSPEP.DLL <- nuke this one

Get the latest updates for IE at windowsupdate.com

Keep us posted

Cheers,

 

Boy, nothing is ever easy with computers, is it?

I downloaded Win98Fix and unzipped it into a folder of my choice. When I double click on RunFix.reg, nothing happens. The little hour glass flashes once, then goes away, and I could sit here, looking at the RunFix.reg icon until four weeks from now, and nothing would ever appear by way of any type of application.

I checked the properties for RunFix.reg. It shows 177 bytes with 2,048 bytes used. BYTES? Have I downloaded everything I should have downloaded?

Have to go to work now. Will pick this up later in the day or when I get home. I hope we can get back on track - we seem to be so close now.

pdmike

 

I got to work and, on my computer at work, I went to the Web site where you instructed me to go for downloading Win98Fix (www10.brinkster.com). I was able to get there but, at the bottom of the screen, it says: "Done but with errors on page." When I had tried to go to that same Web site at home, I got "Unknown zone" on the lower right while the site was trying to load. "Unknown zone" never went away.

I suspect there may be something wrong with the Web site and that may be why I cannot execute RunFix.reg. Just thought I would add this in for your further consideration.

Is there any way you could simply send me an email and attach Win98Fix (or the program itself, RunFix.reg) to it? My email address is pdmike@aol.com if that is an option.

pdmike

 

Well, I think I solved the problem with RunFix.reg. When I used WinZip to extract the file from the Win98Fix.zip file, double clicking on the RunFix.reg icon produced nothing. So I tried double clicking on it prior to extraction, i.e., while it (the RunFix.reg icon) was just sitting there in the WinZip window. When I did that, a window came up warning me that proceeding further could seriously damage my registry.

Never one to be scared by that kind of bolshoi, I promptly clicked on Yes and forged ahead. Then I rebooted. Then I went hunting in Windows/System for mspep.dll. It was now visible! Cackling with glee, I happily nuked that little bad boy into oblivion. No more mspep.dll in my
Windows/System folder.

Was that all I needed to do? I restarted my computer once again and ran a quick Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 9:25:09 PM, on 5/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
E:\WEBROOT\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

I note that the dreaded about:blank is still present in this log. That makes me nervous. Is there more work to do?

pdmike

 

Take a look at my latest CWShredder scan:

CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: Michael R. Coghlan

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\hosts (117 bytes, R)
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (10454 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2277 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

Note this one entry: "Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

I was getting a WinPatrol warning that befogn.dll was trying to change my home page. Apparently, that sucker is still around on my computer. What do you make of that?

pdmike

 

I think I should take some action with Hijack This but, before I do, I want to run it by you:

First, take a look at a CWShredder report:

CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: Michael R. Coghlan

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\hosts (117 bytes, R)
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (10454 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2277 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

Next, take a look at my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 7:43:38 AM, on 5/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
E:\WEBROOT\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\CWSHREDDER.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

Notice that CWShredder is identifying a dll file called befogn.dll:
"Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

Notice also that Hijack This makes mention of the same culprit:
"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

(1) CWShredder is identifying this dll file as "Infected data." (2) Hijack This includes the same dll file in its log. (3) Also, WinPatrol has been flashing messages to me that "Befogn.dll" is trying to change my home page and do I want to approve that?

Based on all this, it would seem appropriate to check the Befogn.dll entry in Hijack This and get rid of it.

But I don't want to do that without your blessing.

Can I go ahead?

pdmike

 

I'm afraid it will not be enough to get rid of it, but you have my blessing.

First make sure Windows and IE are fully updated.

Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
Then close as many programs as possible and click *Desinfektion starten*

Your computer wil reboot and start with the same program.
Close it and run HijackThis again. Post the new log.
There will be some more left to do.

Regards,

Pieter

 

Pieter:

Thanks for the prompt reply. I will not be able to do what you suggest until I get home from work, which will be 3:00 a.m. your time.

Be assured that I will follow your instructions to the best of my ability and will post the resultant log.

See you soon.

pdmike

 

I downloaded and unzipped the program (SpHjfix.exe). I closed as many programs as possible and clicked on "Start Disinfection." I sat there and waited for my computer to reboot but nothing happened. So I went to
Start/Shut Down/Restart and did it myself. My computer rebooted.

You said "Your computer will reboot and start with the same program." After my computer rebooted, I waited for the program to appear, but it never did. So I was not able to close it.

I then ran Hijack This. The log appears below.

But, before we get to the log, I am wondering if there might be a language problem here. When you say that "Your computer will reboot" after I click on Start Disinfection, are you saying my computer will reboot AUTOMATICALLY (i.e., because the program does it for me) OR are you saying that I should reboot the computer MYSELF (i.e., manually) after clicking on Start Disinfection? It makes a big difference.

I am not confident that this program is working properly for me because it does not seem to do many of the things you say it should, such as (1) reboot my computer for me automatically and (2) open on startup when I reboot.

Remember, I am running Windows 98SE. Is this program appropriate for my operating system?

Anyway - here is the Hijack This log, for what it may be worth:

Logfile of HijackThis v1.97.7
Scan saved at 6:17:31 PM, on 5/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
E:\WEBROOT\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

Awaiting your further instructions, I remain . . .

pdmike
Southern California - Los Angeles area, actually . . .

 

No you understood me correctly. The program should have done that.

I think we will have to be blunt.

Boot to DOS and delete:
C:\WINDOWS\SYSTEM\MSPEP.DLL
from there.

Then boot normally and use: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then use AdAware as described here: https://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

Pieter:

I have already gotten rid of mspep.dll in my Windows/System folder (see Post No. 9, above). I guess I really haven't, and we have to do it in DOS mode, right?

I am not as computer literate as you may have assumed. I can reboot in DOS mode - and did so. That's about it. I have totally forgotten the DOS commands to move from directory to directory, to delete files, etc. In fact, I was lucky to be able to get back, into Windows. I was able to remember that you get back by typing EXIT after the prompt.

Anyway, would you be so kind as to tell me the various DOS commands so I can get mspep.dll deleted from my Windows/System folder in DOS mode?
When I first get to DOS, I am looking at C:\Windows. Where do I go from there?

Also, while I have you on the line, so to speak - I have been running CWShredder dozens of times each day for the past month or so and it has not done anything for me except make the same repairs and/or corrections each time I run it. I guess you want me to run it AFTER nuking mspep.dll in the DOS mode, right?

I hope you can get back to me before closing up shop today so that I can work on the problem later on today (here).

I do appreciate all your help, Pieter - thanks!

pdmike

 

Pieter:

Well, I may be more computer literate than I thought. I went back and tried it again. I am able to get as far as C:\Windows\System\dir. Then, when I hit Enter, it scrolls (VERY rapidly) through all of the files in my Windows\System directory.

As I recall, there is a command for making it scroll through a lengthy directory very slowly or page by page - that's the one I cannot remember.

So I guess the question now is: Once I am in the directory, how do I find mspep.dll and, once I have found it, what is the command to delete it?
Or do I even have to find it to delete it?

I know - what if I were to get to the root directory for C drive and type in:
del C:\Windows\System\mspep.dll. Would that do it? Or would that cause my computer to explode in my face?

Help!

pdmike

 

When the prompt is at C:\Windows\System> you can use
del mspep.dll
It will "complain" if it is not found

I make it a habit never to delete a full path in DOS or advise anyone to do so. One mistake and... It wil not explode, but having to format is another thikng we want to avoid.

Another thing you can do is
dir /b /a C:\windows\system32\*.dll>1.txt
from the C:> prompt. This will make a text file containing all the dll's in the folder. If the file is not found please do that.

Regards,

Pieter

 

Pieter:

I did exactly as you instructed. When I entered del mspep.dll at the Windows/System prompt, I got "File not found."

So I then did the following. At the C prompt, I typed in:

dir/b/aC:\windows\system32\*.dll>1.txt and hit Enter. It took me right back to a blinking, C prompt with nothing behind it.

I really think that we took mspep.dll out of my system several days ago (see Post No. 9 above).

What does "dir/b/a" have to do with anything in your suggested entry in the event the file did not turn up when I tried to delete it? Did you mean I should have merely entered C:\windows\system32\*.dll>1.txt?

pdmike

 

Do a Find Files for 1.txt and post it please

Regards,

Pieter

 

How do I do that? Give me the exact command, please. Thanks.

pdmike

 

Start > Find > Files > 1.txt

Regards,

Pieter

 

Oh, you mean in WINDOWS mode - I thought we were still in DOS mode. Don't be afraid to remind me of the obvious, Pieter - as I said, I am not all that computer literate . . .

I went to Start/Find/Files and typed in 1.txt. One file turned up. There is a 1.txt file on my C drive. When I double click on it, it comes up as an empty, white text window in Notepad, I think.

Well, your day is ending and mine is just beginning. I am now 35 minutes late to work and have to go.

I suspect that what I discovered is not what you were looking for. I can communicate with you while I am at work, but I will not be at my personal, home computer - which is the one we are trying to fix.

Please get back to me before you go home, if possible, and tell me what I should do next.

pdmike

 

Well I am curious what this will turn up:

This time in Windows but from the Command Prompt

dir /b /a C:\windows\system32\*.dll>2.txt

Then repeat the part in DOS (don't forget to delete the old 1.txt)
but this time include the spaces in the command that I forgot :blushing:

dir /b /a C:\windows\system32\*.dll>1.txt

Regards,

Pieter

 

Hi Pieter -

I am at work now and have just read your most recent post. I will not be able to attend to that until I get home, but will do so as soon as I can at the end of my day here.

In passing, I should also mention that I have a partitioned hard drive, if you haven't figured that out already. My hard drive is partitioned into 5 drives:
C,D,E,F and G. All of my Windows folders are on C drive, of course.

One quick question - do you want me to delete the 1.txt file while I am in Windows, BEFORE I get into DOS? That is the only way I am going to be able to do it, I think.

Also, in the long, command you want me to use, I have a space after dir, a space after /a, a space after /b and then no more spaces from that point on. Is that correct?

Mike