About:blank - Hijack This Log: HELP PLEASE!

Discussion in 'adware, spyware & hijack cleaning' started by pdmike, May 24, 2004.

  1. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    My original problem was browser hijacking by about:blank. You know the story by now - my home page (Alta Vista) was removed and replaced by about:blank. I was unable to permanently change back to Alta Vista; about:blank kept reappearing no matter what I did.

    I downloaded and used a number of programs - Ad-Aware, Spy Sweeper, CWShredder and Hijack This among them.

    Spy Sweeper found and removed 21 items from my computer, one of which was a trojan virus and the rest of which were spyware or adware.

    In spite of all this, about:blank keeps trying to recapture my home page. Two of my programs (WinPatrol and Spy Sweeper) warn me whenever any attempted changes are being made to my home page and allow me to click on "no," which prevents the hijacking from taking place. By using these warnings, I am able to prevent the hijacking.

    But the very fact that these warnings keep coming up indicates to me that even though Spy Sweeper and Ad-Aware now tell me I am clean, I guess I am not.

    Add in that, whenever I get one of these warnings about an attempted home page hijack, if I run CWShredder right after it, CWShredder always finds and removes 1 infected registry entry or it will tell me that it has removed a CWSearchX incident and fixed 6 infected registry entries.

    Acting on your instructions, I have cleaned my system (Windows 98SE) with both Ad-Aware and Spy Sweeper. I used the most recent versions of these programs and updated both of them prior to use.

    Here is my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:58:02 PM, on 5/23/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NEIOHF.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    I need help in two areas: (1) I want these about:blank attempted hijackings of my home page to stop and (2) ever since these attacks started, it takes anywhere from 30 to 60 seconds for a program to activate following a double-click on any desktop icon. I would like to have normal speed restored in this area.

    Any suggestions would be GREATLY appreciated! Thanks in advance.

    pdmike
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi pdmike,

    Start with following these instructions :

    download :


    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in a folder of choice but on the root drive, most likely C:\

    1. Run start.bat and press option 1. A search will start; let it finish

    'output.txt' will be created in the folder you installed dllfix in

    Copy and paste the complete contents of the txt file here please

    Thnx

    Cheers,
     
  3. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    I did as instructed with regard to downloading and attempting to use dllfix.
    It downloaded and installed OK, but when I tried to run start.bat, I got a message which said: "This is for Windows 2000 or XP only."

    I am running Windows 98 SE (as I stated in my original post and as the Hijack This log also indicates).

    Is there another version which I can use with my Windows 98 system and, if so, how do I get there?

    (By the way - while I was attempting to use dllfix, I was advised by my trusty WinPatrol on four separate occasions that a "browser helper" had been installed on my system and did I want my home page changed.)

    Awaiting further instructions with thanks,

    pdmike
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
  5. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Ah - that works much better. Here is the StartDreck log as requested:

    StartDreck (build 2.1.5 public BETA) - 2004-05-24 @ 05:47:15
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    *H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    *SpySweeper=E:\Webroot\SpySweeper.exe /0
    »RunOnce
    »Default User
    »Run
    *H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    *SpySweeper=E:\Webroot\SpySweeper.exe /0
    »RunOnce
    »Local Machine
    »Run
    *SystemTray=SysTray.Exe
    *RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    *ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    *ccApp=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    *GhostStartTrayApp=C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    *NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    *WinPatrol Plus=E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    *CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    *ccEvtMgr=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    *ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    *SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    *GhostStartService=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    »RunServicesOnce
    **n=rundll32 C:\WINDOWS\SYSTEM\MSPEP.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FF8FA481=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFFE8D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFE675=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFFFDE0D=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFF69F9=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    *FFFEF0A1=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    *FFFEE3F9=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    *FFFE0115=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFECDD5=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    *FFFE54ED=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    *FFFDAC91=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    *FFFDEE8D=C:\WINDOWS\RUNDLL32.EXE
    *FFFCE8C9=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFC3E19=C:\WINDOWS\EXPLORER.EXE
    *FFFBFB95=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFB0A55=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    *FFFB44C9=C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    *FFF99B8D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    *FFFE31B5=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    *FFF90835=E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    *FFFAF969=C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    *FFFAC889=E:\WEBROOT\SPYSWEEPER.EXE
    *FFFA5939=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFF74435=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFBABA1=C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    *FFF73FD1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFF7A975=G:\STARTDRECK\STARTDRECK.EXE
    »Application specific

    Awaiting further . . .

    pdmike
     
  6. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ok,

    Proceed with the following :

    -Download: "Win98Fix.zip" :

    http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

    Unzip to a folder of choice

    -Double-click on the 'RunFix.reg' file, hit 'yes' on the prompt!
    -Restart computer!
    -File should be visible!

    C:\WINDOWS\SYSTEM\MSPEP.DLL <- nuke this one

    Get the latest updates for IE at windowsupdate.com

    Keep us posted

    Cheers,
     
  7. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Boy, nothing is ever easy with computers, is it?

    I downloaded Win98Fix and unzipped it into a folder of my choice. When I double-click on RunFix.reg, nothing happens. The little hourglass flashes once, then goes away, and I could sit here, looking at the RunFix.reg icon until four weeks from now, and nothing would ever appear by way of any type of application.

    I checked the properties for RunFix.reg. It shows 177 bytes with 2,048 bytes used. BYTES? Have I downloaded everything I should have downloaded?

    Have to go to work now. Will pick this up later in the day or when I get home. I hope we can get back on track - we seem to be so close now.

    pdmike
     
  8. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    I got to work and, on my computer at work, I went to the Web site where you instructed me to go for downloading Win98Fix (www10.brinkster.com). I was able to get there but, at the bottom of the screen, it says: "Done but with errors on page." When I had tried to go to that same Web site at home, I got "Unknown zone" on the lower right while the site was trying to load. "Unknown zone" never went away.

    I suspect there may be something wrong with the Web site and that may be why I cannot execute RunFix.reg. Just thought I would add this in for your further consideration.

    Is there any way you could simply send me an email and attach Win98Fix (or the program itself, RunFix.reg) to it? My email address is pdmike@aol.com if that is an option.

    pdmike
     
  9. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Well, I think I solved the problem with RunFix.reg. When I used WinZip to extract the file from the Win98Fix.zip file, double-clicking on the RunFix.reg icon produced nothing. So I tried double-clicking on it prior to extraction, i.e., while it (the RunFix.reg icon) was just sitting there in the WinZip window. When I did that, a window came up warning me that proceeding further could seriously damage my registry.

    Never one to be scared by that kind of bolshoi, I promptly clicked on Yes and forged ahead. Then I rebooted. Then I went hunting in Windows/System for mspep.dll. It was now visible! Cackling with glee, I happily nuked that little bad boy into oblivion. No more mspep.dll in my Windows/System folder.

    Was that all I needed to do? I restarted my computer once again and ran a quick Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:25:09 PM, on 5/24/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    I note that the dreaded about:blank is still present in this log. That makes me nervous. Is there more work to do?

    pdmike
     
  10. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Take a look at my latest CWShredder scan:

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.2222 A)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: Michael R. Coghlan

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    Found Hosts file: C:\WINDOWS\hosts (117 bytes, R)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (10454 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2277 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -

    Note this one entry: "Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

    I was getting a WinPatrol warning that befogn.dll was trying to change my home page. Apparently, that sucker is still around on my computer. What do you make of that?

    pdmike
     
  11. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    I think I should take some action with Hijack This but, before I do, I want to run it by you:

    First, take a look at a CWShredder report:

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.2222 A)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: Michael R. Coghlan

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    Found Hosts file: C:\WINDOWS\hosts (117 bytes, R)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (10454 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2277 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -

    Next, take a look at my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:43:38 AM, on 5/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\CWSHREDDER.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    Notice that CWShredder is identifying a dll file called befogn.dll:
    "Infected data: res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

    Notice also that Hijack This makes mention of the same culprit:
    "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)"

    (1) CWShredder is identifying this dll file as "Infected data." (2) Hijack This includes the same dll file in its log. (3) Also, WinPatrol has been flashing messages to me that "Befogn.dll" is trying to change my home page and do I want to approve that?

    Based on all this, it would seem appropriate to check the Befogn.dll entry in Hijack This and get rid of it.

    But I don't want to do that without your blessing.

    Can I go ahead?

    pdmike
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I'm afraid it will not be enough to get rid of it, but you have my blessing.

    First make sure Windows and IE are fully updated.

    Download and unzip: http://www.rokop-security.de/main/download.php?op=getit&lid=59
    Then close as many programs as possible and click *Desinfektion starten* (Start disinfection).

    Your computer will reboot and start with the same program.
    Close it and run HijackThis again. Post the new log.
    There will be some more left to do.

    Regards,

    Pieter
     
  13. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Pieter:

    Thanks for the prompt reply. I will not be able to do what you suggest until I get home from work, which will be 3:00 a.m. your time.

    Be assured that I will follow your instructions to the best of my ability and will post the resultant log.

    See you soon.

    pdmike
     
  14. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    I downloaded and unzipped the program (SpHjfix.exe). I closed as many programs as possible and clicked on "Start Disinfection." I sat there and waited for my computer to reboot but nothing happened. So I went to
    Start/Shut Down/Restart and did it myself. My computer rebooted.

    You said "Your computer will reboot and start with the same program." After my computer rebooted, I waited for the program to appear, but it never did. So I was not able to close it.

    I then ran Hijack This. The log appears below.

    But, before we get to the log, I am wondering if there might be a language problem here. When you say that "Your computer will reboot" after I click on Start Disinfection, are you saying my computer will reboot AUTOMATICALLY (i.e., because the program does it for me) OR are you saying that I should reboot the computer MYSELF (i.e., manually) after clicking on Start Disinfection? It makes a big difference.

    I am not confident that this program is working properly for me because it does not seem to do many of the things you say it should, such as (1) reboot my computer for me automatically and (2) open on startup when I reboot.

    Remember, I am running Windows 98SE. Is this program appropriate for my operating system?

    Anyway - here is the Hijack This log, for what it may be worth:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:17:31 PM, on 5/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    Awaiting your further instructions, I remain . . .

    pdmike
    Southern California - Los Angeles area, actually . . .
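
The triage pdmike does by hand above (matching the `res://...BEFOGN.DLL/sp.html` value across CWShredder, HijackThis and WinPatrol) can be done mechanically over the whole log. The following is an added example, not code from HijackThis, CWShredder or anyone in this thread: it parses HijackThis 1.97-style `Rn - `/`Onn - ` lines, flags the CoolWebSearch about:blank pattern (an IE search or start page served out of a local DLL through a `res://` URL), and lists the leftovers that travel with it (a URLSearchHook whose DLL is gone, an O16 Downloaded Program File with no source URL, the `HomeOldSP` value still pointing at about:blank). The sample lines are copied from the log posted above; the heuristics and function names are mine.

```python
"""Triage a HijackThis 1.97 log for the CoolWebSearch about:blank pattern:
an IE search/start page served from a local DLL via res://, plus the dead
leftovers that usually accompany it. Added example, not tool code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
"""

# HijackThis entries look like "R1 - ...", "O16 - ...", "N2 - ...", "F1 - ...".
LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")
# A res:// URL whose container is a DLL on a local drive,
# e.g. res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html
RES_DLL_RE = re.compile(r"res://(?P<path>[A-Za-z]:\\[^/]+?\.dll)/", re.IGNORECASE)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, entry) for a HijackThis line, None for headers/process list."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def reasons_for(section: str, entry: str) -> List[str]:
    """Heuristics (mine, not HijackThis's) for why an entry deserves a look."""
    reasons: List[str] = []
    m = RES_DLL_RE.search(entry)
    if m:
        reasons.append(f"search/start page served from local DLL {m.group('path')} "
                       "via res:// (CoolWebSearch about:blank variant)")
    if "(obfuscated)" in entry:
        reasons.append("HijackThis marks the value as obfuscated")
    if section == "R3" and "(no file)" in entry:
        reasons.append("URLSearchHook whose DLL is gone: dead leftover, safe to fix")
    if section == "O16" and entry.rstrip().endswith("-"):
        reasons.append("Downloaded Program File with no source URL: unknown ActiveX control")
    if "HomeOldSP" in entry and "about:blank" in entry:
        reasons.append("HomeOldSP left pointing at about:blank")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Every entry with at least one reason, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, entry = parsed
        reasons = reasons_for(section, entry)
        if reasons:
            findings.append({"section": section, "entry": entry, "reasons": reasons})
    return findings


def hijacker_dlls(log_text: str) -> List[str]:
    """Distinct DLL paths named by res:// entries: the files a cleanup must remove,
    not just the registry values that point at them."""
    seen: List[str] = []
    for m in RES_DLL_RE.finditer(log_text):
        path = m.group("path")
        if path.upper() not in [s.upper() for s in seen]:
            seen.append(path)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("DLLs to remove:", hijacker_dlls(SAMPLE_LOG))
```

Note that fixing the R1 line in HijackThis only clears the registry value; the file `hijacker_dlls` reports is what has to go as well, which is the point of the DOS-mode deletion discussed further down.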
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  16. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Pieter:

    I have already gotten rid of mspep.dll in my Windows/System folder (see Post No. 9, above). I guess I really haven't, and we have to do it in DOS mode, right?

    I am not as computer literate as you may have assumed. I can reboot in DOS mode - and did so. That's about it. I have totally forgotten the DOS commands to move from directory to directory, to delete files, etc. In fact, I was lucky to be able to get back into Windows. I was able to remember that you get back by typing EXIT after the prompt.

    Anyway, would you be so kind as to tell me the various DOS commands so I can get mspep.dll deleted from my Windows/System folder in DOS mode?
    When I first get to DOS, I am looking at C:\Windows. Where do I go from there?

    Also, while I have you on the line, so to speak - I have been running CWShredder dozens of times each day for the past month or so and it has not done anything for me except make the same repairs and/or corrections each time I run it. I guess you want me to run it AFTER nuking mspep.dll in the DOS mode, right?

    I hope you can get back to me before closing up shop today so that I can work on the problem later on today (here).

    I do appreciate all your help, Pieter - thanks!

    pdmike
     
  17. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Pieter:

    Well, I may be more computer literate than I thought. I went back and tried it again. I am able to get as far as C:\Windows\System\dir. Then, when I hit Enter, it scrolls (VERY rapidly) through all of the files in my Windows\System directory.

    As I recall, there is a command for making it scroll through a lengthy directory very slowly or page by page - that's the one I cannot remember.

    So I guess the question now is: Once I am in the directory, how do I find mspep.dll and, once I have found it, what is the command to delete it?
    Or do I even have to find it to delete it?

    I know - what if I were to get to the root directory for C drive and type in:
    del C:\Windows\System\mspep.dll. Would that do it? Or would that cause my computer to explode in my face?

    Help!

    pdmike
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    When the prompt is at C:\Windows\System> you can use
    del mspep.dll
    It will "complain" if it is not found.

    I make it a habit never to delete a full path in DOS or advise anyone to do so. One mistake and... It will not explode, but having to format is another thing we want to avoid. ;)

    Another thing you can do is
    dir /b /a C:\windows\system32\*.dll>1.txt
    from the C:> prompt. This will make a text file containing all the dll's in the folder. If the file is not found please do that.

    Regards,

    Pieter
     
  19. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Pieter:

    I did exactly as you instructed. When I entered del mspep.dll at the Windows/System prompt, I got "File not found."

    So I then did the following. At the C prompt, I typed in:

    dir/b/aC:\windows\system32\*.dll>1.txt and hit Enter. It took me right back to a blinking, C prompt with nothing behind it.

    I really think that we took mspep.dll out of my system several days ago (see Post No. 9 above).

    What does "dir/b/a" have to do with anything in your suggested entry in the event the file did not turn up when I tried to delete it? Did you mean I should have merely entered C:\windows\system32\*.dll>1.txt?

    pdmike
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Do a Find Files for 1.txt and post it please ;)

    Regards,

    Pieter
     
  21. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    How do I do that? Give me the exact command, please. Thanks.

    pdmike
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Start > Find > Files > 1.txt

    Regards,

    Pieter
     
  23. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Oh, you mean in WINDOWS mode - I thought we were still in DOS mode. Don't be afraid to remind me of the obvious, Pieter - as I said, I am not all that computer literate . . .

    I went to Start/Find/Files and typed in 1.txt. One file turned up. There is a 1.txt file on my C drive. When I double click on it, it comes up as an empty, white text window in Notepad, I think.

    Well, your day is ending and mine is just beginning. I am now 35 minutes late to work and have to go.

    I suspect that what I discovered is not what you were looking for. I can communicate with you while I am at work, but I will not be at my personal, home computer - which is the one we are trying to fix.

    Please get back to me before you go home, if possible, and tell me what I should do next.

    pdmike
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Well I am curious what this will turn up:

    This time in Windows but from the Command Prompt

    dir /b /a C:\windows\system32\*.dll>2.txt

    Then repeat the part in DOS (don't forget to delete the old 1.txt)
    but this time include the spaces in the command that I forgot :blushing: :oops:

    dir /b /a C:\windows\system32\*.dll>1.txt

    Regards,

    Pieter
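
The two listings Pieter asks for (1.txt from real-mode DOS, 2.txt from a Windows command prompt) are only useful once they are compared. The following is an added example, not code from this thread or any tool mentioned in it: it diffs two bare `dir /b /a *.dll` listings case-insensitively (FAT file names are case-insensitive and DOS prints them in upper case) and, as a second helper, inventories a folder's DLLs newest-first so a freshly dropped file such as the `BEFOGN.DLL` named in the log stands out. The listings are constructed for the example; `later.dll` is a made-up name. One caveat that is my observation rather than something the thread states: the DLL HijackThis reported sits in `C:\WINDOWS\SYSTEM`, so a listing of `C:\windows\system32\*.dll` will not contain it, which is consistent with the empty 1.txt reported above.

```python
"""Compare two bare 'dir /b /a *.dll' listings of the same folder (DOS vs
Windows) and inventory a folder's DLLs newest-first. Added example."""
import os
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample listings; names other than BEFOGN.DLL and the two
# Windows core DLLs are made up for the example.
DOS_LISTING = "KERNEL32.DLL\nUSER32.DLL\nBEFOGN.DLL\n"
WINDOWS_LISTING = "kernel32.dll\nuser32.dll\nlater.dll\n"


@dataclass
class ListingDiff:
    dos_only: List[str]       # seen from DOS, absent from the Windows listing
    windows_only: List[str]   # seen from Windows, absent from the DOS listing
    common: int


def parse_listing(text: str) -> Set[str]:
    """Names from a /b listing, case-folded; blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def diff_listings(dos_text: str, windows_text: str) -> ListingDiff:
    """Names present in one listing but not the other are what the comparison
    is meant to surface (a file created between the two runs, or one that a
    listing does not show)."""
    dos, win = parse_listing(dos_text), parse_listing(windows_text)
    return ListingDiff(sorted(dos - win), sorted(win - dos), len(dos & win))


def inventory(folder: str) -> List[Tuple[str, int, float]]:
    """(name, size, mtime) for every *.dll in folder, newest first."""
    rows: List[Tuple[str, int, float]] = []
    for name in os.listdir(folder):
        full = os.path.join(folder, name)
        if name.lower().endswith(".dll") and os.path.isfile(full):
            st = os.stat(full)
            rows.append((name, st.st_size, st.st_mtime))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    d = diff_listings(DOS_LISTING, WINDOWS_LISTING)
    print("DOS only:    ", d.dos_only)
    print("Windows only:", d.windows_only)
    print("in both:     ", d.common)
    # Real use: inventory(r"C:\WINDOWS\SYSTEM") on the affected machine.
```

To use it on the machine in question, paste the contents of 1.txt and 2.txt into the two strings, or read them with `open(...).read()`; the inventory helper takes the actual system folder path.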
     
  25. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Hi Pieter -

    I am at work now and have just read your most recent post. I will not be able to attend to that until I get home, but will do so as soon as I can at the end of my day here.

    In passing, I should also mention that I have a partitioned hard drive, if you haven't figured that out already. My hard drive is partitioned into 5 drives:
    C,D,E,F and G. All of my Windows folders are on C drive, of course.

    One quick question - do you want me to delete the 1.txt file while I am in Windows, BEFORE I get into DOS? That is the only way I am going to be able to do it, I think.

    Also, in the long command you want me to use, I have a space after dir, a space after /a, a space after /b and then no more spaces from that point on. Is that correct?

    Mike
     