About:blank - Hijack This Log: HELP PLEASE!

Discussion in 'adware, spyware & hijack cleaning' started by pdmike, May 24, 2004.

  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    No rush. I'm off to bed anyway.
    That is irrelevant, so do what is easiest for you.
    That is correct.

    Regards,

    Pieter
     
  2. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    Pieter -

    (1) Using Windows explorer, I deleted 1.txt from C drive.

    (2) I then went to the command prompt (Start/Run), entered
    dir /b /a C:\windows\system32\*.dll>2.txt and hit OK. I got a message stating: "Cannot find the file 'dir' or one of its components. Make sure the path and file name are correct and that all required libraries are available."
    I also ran a search for 2.txt all by itself. Nothing.

    (3) I then restarted my computer in DOS mode. At the C prompt, I entered:
    dir /b /a C:\windows\system32\*.dll>1.txt. "File not found."

    (4) I then (still at the C prompt in DOS mode) entered:
    dir /b /a C:\windows\system32\*.dll>2.txt. "File not found."

    (5) Still at the C prompt, I then entered:
    dir windows\system32\*.dll>2.txt. "File not found." I did this because I thought it might work - for no other reason.

    Just for drill, here is my Hijack This log at this point:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:25:33 PM, on 5/26/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    The general status of things at this point is as follows: I have not had my IE home page hijacked in 3 or 4 days in spite of numerous openings and closings of IE. I have had three or four alert messages from WinPatrol, informing me that there has been a change in my IE home page and do I approve of it? I always click "No" and that seems to be the end of it, i.e., the home page stays the same (Alta Vista).

    BUT - the fact that I am still getting the alerts from WinPatrol indicates that I still have problems.

    Things are still not operating properly either. My main complaint has to do with speed of operation. It usually (not always, but most of the time) takes anywhere from 30 to 60 seconds for a desktop shortcut to open up a program once I double click on it. That never used to happen prior to the onset of my spyware/adware/browser hijacking problems several weeks ago.

    So - that's all I can report at this point. Awaiting further instructions.

    Mike :)
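The R-section entries in the log above are the ones the rest of the thread turns on: a Search Page served out of a local DLL via `res://`, a HomeOldSP that still remembers about:blank, and a URLSearchHook whose file is gone. The following is an added example, not code from the thread, from HijackThis or from any poster: a small triage pass that reads those lines and flags the three patterns, plus a helper that lists the DLL paths named by `res://` entries so they can be checked on disk. The sample log text is constructed from entries posted above; the regular expressions and function names are this example's own.

```python
# Added example (not code from the thread, HijackThis or any poster):
# flag suspicious R0-R3 browser-setting entries in a HijackThis log.
import re

# Constructed sample: a few lines modelled on the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# "Rn - <registry key>,<value name> = <value>"
R_ENTRY = re.compile(r"^(?P<type>R[0-3]) - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
# "R3 - URLSearchHook: <name> - {CLSID} - <file>"
HOOK_ENTRY = re.compile(
    r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}_?) - (?P<file>.*)$"
)
# A browser page pulled from a resource inside a local DLL: res://<path>.dll/<page>
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)


def triage_r_section(log_text):
    """Return [(log line, reason)] for R-section entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("R"):
            continue  # only the R0-R3 browser-setting entries matter here
        hook = HOOK_ENTRY.match(line)
        if hook:
            if hook.group("file").strip() == "(no file)":
                findings.append((line, "URLSearchHook CLSID registered but its file is gone"))
            continue
        entry = R_ENTRY.match(line)
        if not entry:
            continue
        key, value = entry.group("key"), entry.group("value").strip()
        res = RES_DLL.match(value)
        if res:
            findings.append((line, "browser page served from a local DLL resource: " + res.group("dll")))
        elif key.endswith("HomeOldSP") and value.lower().startswith("about:blank"):
            findings.append((line, "HomeOldSP still records about:blank as the previous start page"))
    return findings


def res_dll_paths(log_text):
    """DLL paths named by res:// entries, i.e. the files to confirm are really gone."""
    paths = []
    for line, _reason in triage_r_section(log_text):
        entry = R_ENTRY.match(line)
        res = RES_DLL.match(entry.group("value").strip()) if entry else None
        if res:
            paths.append(res.group("dll"))
    return paths


if __name__ == "__main__":
    for line, reason in triage_r_section(SAMPLE_LOG):
        print(reason)
        print("   ", line)
    print("DLLs to check on disk:", res_dll_paths(SAMPLE_LOG))
```

Run against the log above it reports the BEFOGN.DLL search page, the about:blank HomeOldSP and the orphaned URLSearchHook, and lists `C:\WINDOWS\SYSTEM\BEFOGN.DLL` as the file to confirm is absent, which is the check asked for later in the thread.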
     
  3. pdmike

    pdmike Registered Member

    Well, isn't that interesting . . .

    I note that our old pal, Befogn.dll appears in the first R1 entry in the Hijack This log I just sent you.

    This morning, I used Hijack This to GET RID OF that particular item (Befogn.dll). Apparently, it is baaaaccckkkkkk!!!!!!!

    I have opened and closed IE a number of times since nuking befogn.dll this morning. Do you think we are dealing with a trojan virus :mad: in addition to adware/spyware problems?

    Just an added thought. Be sure and respond to both this post and the one just above it. I need to know what to do next!

    I can't thank you enough for all the time you are devoting to my problem, by the way.

    Mike
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Trust me, this is as frustrating for me as it must be for you.
    Everything that works for others has failed to eradicate the hidden dll

    I am wondering if indeed something else is going on simultaneously.
    Download VX2Finder from this link:
    http://www.downloads.subratam.org/VX2Finder9x.exe
    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    The most important thing is that you UPDATE internet explorer as well!

    Cheers,
     
  6. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    It's possible WinPatrol is putting back the entry.
    Can you disable it? Fix it with HijackThis and then re-enable WinPatrol.
     
  7. pdmike

    pdmike Registered Member

    Here is my Vx2Finder log:

    Log for VX2.BetterInternet File Finder

    Files Found---


    User Agent String---

    Mike
     
  8. pdmike

    pdmike Registered Member

    I did as instructed. We'll see what happens.

    You folks don't seem to be that familiar with WinPatrol. I think it is a totally legitimate program. Here is the site - check it out and see what you think:

    http://www.winpatrol.com/

    pdmike
     
  9. pdmike

    pdmike Registered Member

    Unzy:

    OK - I am about to update Internet Explorer. A quick note to y'all before I start:

    I am the kind of guy who generally can be counted upon to crash his computer whenever a new program is installed - certainly a complicated and central program such as IE. Don't ask me why. Some people are just unlucky with computers and I guess that's me.

    The point of all this is, if, all of a sudden, we can't communicate any more, it means that in the attempt to update IE, something horrible has happened. In that case, I will have to get my guru over here and won't be able to get back to you until next week some time.

    So if I suddenly am not here any more, it doesn't mean I have decided to stop trying to solve this problem. Be patient.

    Here I go!

    pdmike
     
  10. pdmike

    pdmike Registered Member

    Well, not quite yet - I see that it is going to take over an hour to download and update. I don't have an hour right now, so I will defer that one until later today when I get home from work and you guys are all sleeping soundly.

    You're sure I can do this - install IE 6.0 over my existing 5.0 when I am running Windows 98? It says that 6.0 is compatible with W98. I hope so.

    I am standing by for the next 45 minutes or so and then I have to be off to work.

    pdmike
     
  11. pdmike

    pdmike Registered Member

    One other thing while I am thinking about it . . . .

    All of my problems started when my IE home page was hijacked by something that called itself about:blank.

    I am going to post my most recent Hijack This log. You will notice that befogn.dll is gone (I think) because I just got rid of it using Hijack This on Shadowwar's suggestion.

    But you will also notice that about:blank is in there - it is the 10th entry down, from the top in the R section, bigger than life. Seems to me I ought to get rid of that one with Hijack This - Is that OK?

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:04:47 AM, on 5/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    pdmike
     
  12. pdmike

    pdmike Registered Member

    GUESS WHAT!!!! As mentioned a post or so above, I disabled WinPatrol. I then deleted befogn.dll using Hijack This.

    I then started up WinPatrol. When I did, I instantly got the now-familiar, WinPatrol alert, telling me that my IE homepage was about to be changed. As usual, I clicked on No, and the alert went away.

    But then I ran Hijack This and - you guessed it - befogn.dll was BACK.

    You may be right, Shadowwar - this may be the source of the problem, at least insofar as befogn.dll is concerned.

    Any suggestions now?

    pdmike
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi pdmike,

    I am not sure if you understand what is going on. You change something and WinPatrol tells you about it. So you deny it and WinPatrol puts back the old value. Sounds like a never-ending circle.

    Regards,

    Pieter
     
  14. pdmike

    pdmike Registered Member

    Pieter:

    Your logic is inescapable.

    1. If befogn.dll is my only problem, then the obvious solution is to get rid of WinPatrol - which I would have no trouble at all doing if that's what it takes.
    Is befogn.dll my only problem?

    2. What about using Hijack This to wipe out about:blank. Can I do that?

    Mike
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    WinPatrol is not the problem. I think the way you use it is.

    You should allow the changes that you made yourself using other programs.

    If we can successfully delete befogn.dll about blank should be back to standard.

    Regards,

    Pieter
     
  16. pdmike

    pdmike Registered Member

    Pieter -

    I don't understand what you are trying to tell me.

    What do you mean I should allow the changes I have made myself using other programs? What does that mean?

    It appears as if we CAN successfully delete befogn.dll by using Hijack This.
    What does "about:blank should be back to standard" mean?

    Mike
     
  17. pdmike

    pdmike Registered Member

    Pieter -

    The only thing that gives me pause on this type of analysis is, that if I nuke befogn.dll with Hijack This and then deactivate WinPatrol, so long as I keep WinPatrol deactivated, befogn.dll never comes back. With WinPatrol deactivated, I can run Hijack This every hour for five days, and befogn.dll will never return.

    And then, to boot, one of the other moderators on this forum (Shadowwar) chipped in with his thinking and said: "It's possible winpatrol is putting back the entry. Can you disable it. Fix it with hijackthis and then reactivate winpatrol."

    I did that - and befogn.dll went away and did not come back again (as verified by Hijack This) until AFTER I reactivated WinPatrol.

    So that would kind of indicate that there IS a connection between WinPatrol and the return of befogn.dll.

    pdmike
     
    Last edited: May 27, 2004
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Let me try this from a different angle. What do you think happens when you click NO.

    Regards,

    Pieter
     
  19. pdmike

    pdmike Registered Member

    Pieter -

    I sense your exasperation. Don't give up on me.

    What do I think happens when I click on NO at the WinPatrol warning? I think that WinPatrol somehow sees to it that my IE home page stays the same (Alta Vista) and is not changed to the about:blank home page.
    I don't think WinPatrol accomplishes this by DELETING befogn.dll (or whatever is causing the problem). Possibly it PREVENTS the malicious file from ever opening or executing.

    I have fired an awful lot of posts your way. Let's sum up:

    NUMBER 1:

    You wrote:

    I am wondering if indeed something else is going on simultaneously.
    Download VX2Finder from this link:
    http://www.downloads.subratam.org/VX2Finder9x.exe
    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Copy and paste the contents of the log into your next reply here.
    Regards,
    Pieter

    I responded with:

    Here is my Vx2Finder log:
    Log for VX2.BetterInternet File Finder
    Files Found---
    User Agent String---
    Mike

    Does this show us anything that we should be acting upon?

    NUMBER 2:

    I posted a Hijack This log that has an about:blank entry in it and asked if I could delete that entry using Hijack This.

    Can I do that?

    NUMBER 3:

    Could I have some specific clarification as to what I should do with regard to WinPatrol and the befogn.dll file? I think you are telling me that we need to get rid of befogn.dll by using some method other than WinPatrol (which clearly does not get rid of it - only warns about it). Is that what you are saying? If so, how do we accomplish that?

    Sorry for being so dense. If possible, please try to respond to all 3 of the above points of clarification.

    Thanks!

    Mike
     
    Last edited: May 27, 2004
  20. Shadowwar

    Shadowwar Spyware Expert

    When you hit deny on WinPatrol you are letting WinPatrol put back the bad value. You need to fix with HijackThis and allow the change when WinPatrol alerts you. WinPatrol is a great program. The problem is when you are hitting deny it's putting back the bad entry. Understand now? Fix it with HijackThis then tell WinPatrol to allow the change.

    Basically the two programs are fighting each other and winpatrol thinks the bad entry is good and tries to restore the bad entry.
    You have to allow the change.
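The loop Shadowwar describes is a general property of any change monitor that treats "whatever was there when I started watching" as the known-good baseline: if monitoring began after the hijack, every "deny" re-applies the hijacked value, and the only way out is to make the fix and then "allow" it so the baseline moves. The following is an added example, not code from the thread or from WinPatrol: a toy model of such a monitor, with the baseline/allow/deny semantics assumed for illustration rather than taken from WinPatrol's implementation. The hijacked value is the one from the log above; the clean value is a constructed placeholder.

```python
# Added example (not code from the thread or from WinPatrol): a toy change
# monitor whose "deny" restores the baseline it captured when it started.
# The allow/deny semantics are an assumption for illustration.

HIJACKED = r"res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html"  # value from the log above
CLEAN = "<default search page>"                             # constructed placeholder


class SettingMonitor:
    """Watch one key of a settings dict and prompt on every change."""

    def __init__(self, settings, key):
        self.settings = settings
        self.key = key
        # The baseline is whatever was present when monitoring began, which
        # is exactly the problem if the machine was already hijacked then.
        self.baseline = settings[key]
        self.restored = 0  # how many times the old value was put back

    def check(self, decision):
        """Compare the live value with the baseline. 'allow' adopts the new
        value as the baseline; anything else puts the baseline back.
        Returns True if a change was seen."""
        current = self.settings[self.key]
        if current == self.baseline:
            return False
        if decision == "allow":
            self.baseline = current
        else:
            self.settings[self.key] = self.baseline
            self.restored += 1
        return True


def run_cycle(decision, rounds=3):
    """Repeat 'fix the entry, then answer the monitor prompt' a few times.
    Returns (final value, number of times the monitor restored the old one)."""
    settings = {"Search Page": HIJACKED}
    monitor = SettingMonitor(settings, "Search Page")  # started after the hijack
    for _ in range(rounds):
        settings["Search Page"] = CLEAN                # the HijackThis-style fix
        monitor.check(decision)
    return settings["Search Page"], monitor.restored


if __name__ == "__main__":
    print("deny each time :", run_cycle("deny"))
    print("allow the fix  :", run_cycle("allow"))
```

With "deny" the value ends up hijacked again after every round, which is the cycle reported earlier in the thread; with "allow" the first fix sticks, the baseline becomes the clean value, and later rounds see no change at all.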
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    1. It told me you were not infected with L2M/VX2, which was a relief, but I wanted to make sure.

    2. Yes you can, but I wonder why you think that helps.

    3. What if WinPatrol warned you about R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BEFOGN.DLL/sp.html (obfuscated)
    being removed?
    That is a change in your browser settings.

    4. <= OK I invented that one. ;)
    Is the file C:\WINDOWS\SYSTEM\BEFOGN.DLL still present in your system?

    Regards,

    Pieter
     
  22. pdmike

    pdmike Registered Member

    Pieter and Shadowwar -

    First to Pieter: Why do I think nuking about:blank would be a good thing? Because, when my home page was getting hijacked, "about:blank" always appeared in the lower, left hand portion of my IE screen as the offending home page loaded and then moved in as my new (and unwanted) home page.

    So, I just naturally thought that if I was able to remove about:blank using HJT, it might help solve the problem. Wrong, huh?

    Befogn.dll is still on my computer - but only because that is where I currently am in the HJT-WinPatrol-Befogn.dll cycle that I have been in. When I get home tonight, I will delete Befogn.dll once again with HJT, activate WinPatrol and, when WinPatrol asks if I want to endorse the change to my home page, I will click on YES instead of no. I will then check my home page to make sure that it is Alta Vista (instead of about:blank). I will then run HJT make sure that Befogn.dll is gone.

    Second to Shadowwar: THANK YOU for telling me what to do here. As noted above, I will delete befogn.dll with HJT and then tell WinPatrol that YES, I do want to endorse the proposed change.

    I did think about clicking on YES with the WinPatrol alert instead of on No, but the reason I was afraid to do that was that Alta Vista is, in fact, my home page. There have been no actual hijackings for the past week or so, in spite of numerous openings and closings of IE and even though befogn.dll has been in my system. So I thought that if I authorized any change while Alta Vista was actually there as my home page, it would result in wiping Alta Vista out.

    I trust that will not happen and will go ahead with your instructions.

    So thanks to both of you guys - full report to follow when I get off work and get a chance to hit the home computer in four hours or so.

    Regards,
    Mike
     
  23. pdmike

    pdmike Registered Member

    To Pieter and Shadowwar -

    I think we are getting somewhere. When I got home, I ran Hijack This and DELETED the befogn.dll entry. I then closed Hijack This. Almost immediately, I got the WinPatrol message ("Woof!" *puppy*), warning me that my browser home page was about to be changed and did I approve of that or not. This time, I hit YES.

    I then opened up IE. It opened to Alta Vista. I then ran a Hijack This scan. Befogn.dll was GONE. I opened and closed IE four or five times. Alta Vista came up for the home page each time.

    Then I ran a NoAdware scan. Clean. Then I ran an Ad-Aware 6.0 scan. This scan turned up a Cool Web file which the program quarantined and I deleted.

    As a final test, I ran CWShredder. First I ran the CWShredder scan. Nothing unusual or bad looking appeared. Then I ran the CWShredder fix.
    This was the acid test because, always before, whenever I ran the CWShredder fix after the WinPatrol alert, it always fixed 1 registry error. When I ran it this time, it fixed nothing, because there was nothing to fix. "Your system is completely clean" was the final message from CWShredder.

    That's where we now stand. I hope my problems are over. Here is my most recent HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:59:22 PM, on 5/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
    E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    E:\WEBROOT\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.altavista.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sbcglobal.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\r04rsiff.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinPatrol Plus] E:\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpySweeper] E:\Webroot\SpySweeper.exe /0
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sbcglobal.net
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    Know what? I don't see about:blank in this log - and I didn't delete it. Could it be that about:blank got wiped out along with befogen.dll? I don't know - and I don't care, just so long as my computer is back to normal.

    Please tell me that it is. Of course, if there is more to do, let me know what is needed, and I will do it. As I said, everything seems ok now.

    After reviewing the log and my comments, what do you guys think?

    Regards,
    Mike
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I think you learned a lot and your computer is clean.

    That's :cool:

    about:blank is a perfectly normal StartPage. Many people prefer it. But it is supposed to be blank and not hijacked by CWS.
    That is why fixing about:blank did not help one bit. It was one of the results of the hijack, not the cause or the running guardian.

    Regards,

    Pieter
     
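    The distinction Pieter draws above (the start page is the symptom, the load points are where the guardian lives) can be mechanised. The script below is an added example and is not part of this thread or of HijackThis itself. It parses lines in the HijackThis 1.97 format shown in the log above, reports start/search page values that differ from the page the user says they chose as symptoms, and lists load points (R3 search hooks, O2 BHOs, O3 toolbars, O4 Run/RunServices) whose file is missing or not on a known-good list for a human to review. The sample log, the all-zero CLSID, the file name HYPOTHETICAL.DLL and the known-good list are constructed for the example.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature).

Browser settings (R/N lines) show what the user sees; load points (R3, O2, O3, O4)
are what puts it back after every "fix". Start-page mismatches are reported as
symptoms, load points not on a known-good list are reported for review.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<section>R[0-3]|N[1-4]|O\d{1,2}) - (?P<body>.*)$")
# First token that looks like a program file, quoted or not (paths may contain spaces).
FILE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|dll|ocx|com|scr))"?(?:[\s,]|$)', re.I)
LOAD_POINT_SECTIONS = {"R3", "O2", "O3", "O4"}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def kind(self) -> str:
        if self.section in LOAD_POINT_SECTIONS:
            return "load-point"
        if self.section[0] in "RN":
            return "browser-setting"
        return "other"


def parse_log(text: str) -> list:
    """Keep only 'Xn - body' lines; the header and process list are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def referenced_file(e: Entry) -> Optional[str]:
    """Best-effort file a load point references, '(no file)', or None if none parsed."""
    if e.section == "O4":
        _, _, cmd = e.body.partition("] ")
    else:  # R3/O2/O3: '... - {CLSID} - <path or (no file)>'
        cmd = e.body.rsplit(" - ", 1)[-1]
    cmd = cmd.strip()
    if cmd == "(no file)":
        return cmd
    m = FILE_RE.match(cmd)
    if m and basename(m["path"]) == "rundll32.exe":
        # rundll32 is only a host; the DLL it loads is what matters
        m = FILE_RE.match(cmd[m.end():]) or m
    return m["path"] if m else None


def unexpected_start_pages(entries, expected: set) -> list:
    """Start/search page values that differ from what the user chose: the symptom."""
    hits = []
    for e in entries:
        if e.kind != "browser-setting" or " = " not in e.body:
            continue
        key, _, value = e.body.partition(" = ")
        if value and ("Start Page" in key or "Search" in key) and value not in expected:
            hits.append(e)
    return hits


def load_points_to_review(entries, known_good: set) -> list:
    """Load points whose file is missing or not on the known-good list."""
    out = []
    for e in entries:
        if e.kind != "load-point":
            continue
        ref = referenced_file(e)
        if ref is None:
            out.append((e, "no file reference parsed"))
        elif ref == "(no file)":
            out.append((e, "registry entry points at a missing file"))
        elif basename(ref) not in known_good:
            out.append((e, f"{basename(ref)} not on known-good list"))
    return out


# Constructed sample in the HijackThis 1.97 format seen in this thread, plus one
# hypothetical BHO (all-zero CLSID, HYPOTHETICAL.DLL) standing in for a guardian.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.altavista.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\HYPOTHETICAL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
"""
# Known-good basenames: constructed here from entries the helpers in this thread left alone.
KNOWN_GOOD = {"navshext.dll", "systray.exe", "powrprof.dll", "ccevtmgr.exe"}
EXPECTED_PAGES = {"http://www.altavista.com", "www.altavista.com"}


def triage(text: str = SAMPLE_LOG) -> dict:
    entries = parse_log(text)
    return {
        "symptoms": [e.body for e in unexpected_start_pages(entries, EXPECTED_PAGES)],
        "review": [(e.body, why) for e, why in load_points_to_review(entries, KNOWN_GOOD)],
    }


if __name__ == "__main__":
    for bucket, items in triage().items():
        print(bucket)
        for item in items:
            print("  ", item)
```

    On the sample the start page shows up under "symptoms", while the R3 hook with no file and the hypothetical BHO land under "review"; the Norton, SysTray and power-profile entries are left alone because their file names are on the known-good list. The "(no name)" label by itself is deliberately not used as a signal, since the Acrobat BHO in the log above carries it and is legitimate.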
  25. pdmike

    pdmike Registered Member

    Joined:
    May 9, 2004
    Posts:
    40
    Location:
    Southern California
    To Pieter and Shadowwar (and Unzy too) -

    I cannot thank you guys enough. You are right, Pieter - I did learn a lot. The main thing I learned is how important it is for something like this to NEVER happen again. No more KaZaA for me, you can bet on that! (And to think I PAID those jerks for KaZaA.)

    All I have on this computer in the way of security right now is Norton Anti Virus and a whole bunch of spyware prevention programs. No firewall. I will be looking into a firewall forthwith, as we lawyers say.

    Before I got in touch with your forum, I had my guru come over to try and fix the problem. He was here 5 hours (at $25 per hour, you do the math). He couldn't figure out what to do. We called Microsoft ($35 for that one) and talked to the guy in Bombay. He couldn't figure out what to do. Next, I downloaded (and paid for at the obligatory $29.95 per program) at least two anti-spyware programs. They could not fix the problem.

    So, you see, I cannot say enough about your wonderful forum and the tireless way in which you stay after a problem like this until, finally, it is eradicated.

    At least, that's how it worked here. Thanks again!

    Regards,
    Mike
     