Gimme back my browser!

bard

New Member
My surfing machine is a secondhand IBM Aptiva 2176-C6B with the factory Pentium I, Windows 95 (4.00.950a) from the Product Recovery CD, and IE (5.00.2314.1003IS) from a Juno CD.

The other day I clicked the wrong link and now Spybot keeps reporting that my start page and my search page have been changed to about:blank (and I keep hitting the Deny button) and that a new Browser Helper Object has been installed (and I hit the No button). WinPatrol reports a couple of the same things.

AVG also reported a virus installed in four different locations in two archives, which I moved to the vault and removed. But on shutting down and rebooting, the problem is still there.

I had the same sort of problem once before and fixed it by removing registry entries, but this time when I run RegEdit, the little box says editing has been disabled by the administrator (I of course am not on any network). I unplugged the phone line, shut down AVG, Spybot and WinPatrol, and tried RegEdit again. Still no dice.

Is there a way to take back IE, short of formatting?

Thanks!
 

magicman

VIP Member
Have you tried running Windows in Safe Mode and doing all the checks you talked about? Often it's a program that runs on each startup to undo the fixes you've made. If so, and Safe Mode doesn't work, I'd run a search on any file that's been created since the bad link was clicked. Might give you a lead.
 

SFR

Truth fears no questions
A little program called HijackThis might help.

http://www.merijn.org/index.html


You can post the printout on this thread and someone will be able to help you weed through the list and pinpoint all of the problematic "nasty" entries.
 

bard

New Member
Many thanks, magicman and SFR, for your kind suggestions. Magicman, I'm not sure I understand you--
magicman said:
Have you tried running the windows in Safe Mode and doing all the checks you talked about?
What checks did I talk about doing? Do you mean removing unwelcome Registry keys? Until about an hour ago I hadn't been able to run RegEdit. I suppose the Registry files could be edited with a text editor though, could they not?

Here's what's happened since my first post. First of all, my bad: I posted my previous message before following up on a warning from one of my watchdog apps. After I clicked on the nasty link that got me into this pickle, the app (I think it was WinPatrol) periodically opened a dialog saying that NGEM.DLL had been installed in my System folder, and seeking instructions. I would click the button to get rid of it, the dialog would disappear, and in a couple of seconds a box would open saying, "Uninstall failed."

After I posted, I did a couple of things. I found the DLL and by booting to a command prompt I was able to move the DLL to a diskette. A bit later I did a cold boot and saw that the situation had improved somewhat. On bootup, Spybot reported changes to my IE start page and search page, but I hit the Deny button on these, and since then IE seems to be back to normal.

Now Spybot has stopped reporting the start page and search page changes, even at bootup, and IE seems OK.

I've done a couple of other things too. I updated AVG and Spybot, both of which were several days overdue. Soon after, AVG reported a virus infection. I clicked "Heal" and AVG reported success. If I'm reading this right, the virus, now in the Virus Vault, is a Trojan horse named Downloader.Winshow.BK with the filename web.exe.

I also downloaded HijackThis, ran it and had it fix the RegEdit disable. Then I scanned again and saved the log. It's copied below.

Finally, I ran RegEdit just to verify that it would open, and closed it without changing anything.

So here's the log. I'm thinking there are still some things in it that need attention. Am I right?

Logfile of HijackThis v1.98.2
Scan saved at 5:29:41 PM, on 1/19/05
Platform: Windows 95 (Win9x 4.00.0950)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\mww\modem\mwmwin.exe
C:\MWW\DISCRIM\discapp.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\mww\manager\mwsw95.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\IBMSUSPD.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\DESKTOP\SYSTEM REPAIR\HIJACKTHIS19802.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IBMSuspend] c:\ibmtools\ibmsuspd.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Juno - {0EB47E40-9FF6-11D7-9598-40CB07C10000} - juno.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .004: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pct: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .com/EncoreShowChoirHomepage/msgattachments/11: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .swf: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin6.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.juno.com/
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O18 - Filter: text/html - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
O18 - Filter: text/plain - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
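As an added example, not part of this thread or of HijackThis itself, here is a small Python script that parses HijackThis-style log lines like the ones above and flags the kinds of entries that typically point to a browser hijack: search URLs reset to about:blank, a search bar served by res:// from a DLL in the TEMP folder, a toolbar whose file is missing, an IE restriction policy, an ActiveX DPF that downloads a bare .exe, and MIME filters on text/html or text/plain. The sample log is a subset copied from the post above; the heuristics, the `Entry` class and the function names are my own assumptions, not anything HijackThis provides.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O18 - Filter: text/html - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    """One parsed log line (hypothetical helper type, not from HijackThis)."""
    section: str
    body: str


def parse_log(text):
    """Return the R*/O* entries of a log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def assess(entry):
    """Return a reason string if the entry looks like a hijack indicator, else None.

    These heuristics are the author's assumptions for this example; they mirror
    the entries people in the thread single out, not an official rule set.
    """
    s, low = entry.section, entry.body.lower()
    if s in ("R0", "R1"):
        if "search" in low and low.endswith("= about:blank"):
            return "search URL reset to about:blank (typical hijacker change)"
        if "res://" in low and "\\temp\\" in low:
            return "search bar served by res:// from a DLL in the TEMP folder"
    if s == "O3" and low.endswith("(no file)"):
        return "toolbar registered but its file is missing (orphaned entry)"
    if s == "O6":
        return "IE restriction policy present; review it if you did not set one"
    if s == "O16" and low.endswith(".exe"):
        return "ActiveX DPF downloads a bare .exe instead of a signed .cab"
    if s == "O18" and low.startswith("filter: text/"):
        return "MIME filter on text/html or text/plain intercepts every page"
    return None


def find_suspicious(text):
    """Return (section, reason, body) for every flagged entry in the log text."""
    hits = []
    for e in parse_log(text):
        reason = assess(e)
        if reason:
            hits.append((e.section, reason, e.body))
    return hits


if __name__ == "__main__":
    # To check a real log, read it from a saved file instead of SAMPLE_LOG.
    for section, reason, body in find_suspicious(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

The script only reports; it changes nothing on the machine. The point of the heuristics is to separate benign leftovers (Spybot's own BHO, the AVG Run entries, a signed .cab from a known vendor) from the entries that actually alter how IE resolves searches and renders pages, which is where a hijack lives.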
 

Bobo

banned
I had trouble with trojans and they started eating system files, then my cpu fan failed, the cpu overheated, and the mobo crashed. Then I built a new comp.

Back on topic:

Most of the stuff you posted looks like harmless unneeded crap that you have downloaded, but a few are suspicious:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

and some useless crap (I think)

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Juno - {0EB47E40-9FF6-11D7-9598-40CB07C10000} - juno.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .004: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pct: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .com/EncoreShowChoirHomepage/msgattachments/11: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .swf: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin6.dll

I don't see any bad stuff that jumps out at me....but I don't like some of them, they make me uneasy :(
 

bard

New Member
Thanks, Bobo!

Wow, thanks for the quick reply!

I'm needing to decide whether to build a new PC or if I can get by for a while on a hotter chip, another stick of RAM and Win 98. My needs aren't all that great, and I love holding on to that $$$$.

I'm thinking I really want to fix this line in the log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

When I click Search, the pane that opens looks a lot like the start page I was getting hijacked to the past couple of days. If I have HijackThis fix this line, what happens? Does it change to the url in this line--

O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp

I could live with that.

I'm not so sure about this one:

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

My recollection is a bit dim, but pcpitstop seemed to be a pretty straight-shooting site, performed as advertised, no weird things happening afterward. Is there something particular about that O16 line that seems suspicious?

On the other hand, there's the next O16 line:

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

I don't remember that at all, so I'm thinking it might be something sneaky.

How about the last two lines in the log--

O18 - Filter: text/html - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
O18 - Filter: text/plain - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL

My system seemed to get quite a bit better right after I removed NGEM.DLL, and WinPatrol didn't like the file either.
 