Many thanks, magicman and SFR, for your kind suggestions. Magicman, I'm not sure I understand you--
magicman said:
Have you tried running the windows in Safe Mode and doing all the checks you talked about?
What checks did I talk about doing? Do you mean removing unwelcome Registry keys? Until about an hour ago I hadn't been able to run RegEdit. I suppose the Registry files could be edited with a text editor though, could they not?
Here's what's happened since my first post. First of all, my bad: I posted my previous message before following up on a warning from one of my watchdog apps. After I clicked on the nasty link that got me into this pickle, the app (I think it was WinPatrol) periodically opened a dialog saying that NGEM.DLL had been installed in my System folder, and seeking instructions. I would click the button to get rid of it, the dialog would disappear, and in a couple of seconds a box would open saying, "Uninstall failed."
After I posted, I did a couple of things. I found the DLL and by booting to a command prompt I was able to move the DLL to a diskette. A bit later I did a cold boot and saw that the situation had improved somewhat. On bootup, Spybot reported changes to my IE start page and search page, but I hit the Deny button on these, and since then IE seems to be back to normal.
Now Spybot has stopped reporting the start page and search page changes, even at bootup, and IE seems OK.
I've done a couple of other things too. I updated AVG and Spybot, both of which were several days overdue. Soon after, AVG reported a virus infection. I clicked "Heal" and AVG reported success. If I'm reading this right, the virus, now in the Virus Vault, is a Trojan horse named Downloader.Winshow.BK with the filename web.exe.
I also downloaded HijackThis, ran it and had it fix the RegEdit disable. Then I scanned again and saved the log. It's copied below.
Finally, I ran RegEdit just to verify that it would open, and closed it without changing anything.
So here's the log. I'm thinking there are still some things in it that need attention. Am I right?
Logfile of HijackThis v1.98.2
Scan saved at 5:29:41 PM, on 1/19/05
Platform: Windows 95 (Win9x 4.00.0950)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\mww\modem\mwmwin.exe
C:\MWW\DISCRIM\discapp.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\mww\manager\mwsw95.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\IBMTOOLS\IBMSUSPD.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\DESKTOP\SYSTEM REPAIR\HIJACKTHIS19802.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IBMSuspend] c:\ibmtools\ibmsuspd.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Juno - {0EB47E40-9FF6-11D7-9598-40CB07C10000} - juno.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .004: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pct: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .com/EncoreShowChoirHomepage/msgattachments/11: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .swf: C:\PROGRA~1\PLUS!\MICROS~1\PLUGINS\npqtplugin6.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.juno.com/
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O18 - Filter: text/html - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
O18 - Filter: text/plain - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
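
Added example, not part of the original post and not HijackThis's own code: a small triage pass over a log in the format above, which rejoins wrapped values and lists the entries worth a manual look. The three heuristics (target file gone, target in a temp directory, reference to a file name the post already names as unwanted) are assumptions chosen for this log; a flagged line is a lead to verify, not a verdict.

```python
import re

# Constructed sample: lines copied from the log in the post, wraps included.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.juno.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O9 - Extra button: Juno - {0EB47E40-9FF6-11D7-9598-40CB07C10000} - juno.exe (file missing) (HKCU)
O18 - Filter: text/html - {C5EEFA22-A3D7-48AC-BC7F-1909A07602C4} - C:\WINDOWS\SYSTEM\NGEM.DLL
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R1 - ...", "O18 - ..."

def parse(log):
    """Return (section, text) pairs, rejoining a value wrapped onto the next line."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries and entries[-1][1].endswith(("=", "-")):
            entries[-1][1] += " " + line  # continuation of a wrapped entry
    return [tuple(e) for e in entries]

def triage(entries, known_bad=("NGEM.DLL",)):
    """Flag entries matching the assumed heuristics; known_bad comes from the post."""
    findings = []
    for section, text in entries:
        upper = text.upper()
        reasons = []
        if "(NO FILE)" in upper or "(FILE MISSING)" in upper:
            reasons.append("orphaned entry: target file is gone")
        if re.search(r"\\TE?MP\\", upper):
            reasons.append("loads from a temp directory")
        for name in known_bad:
            if name.upper() in upper:
                reasons.append("references " + name)
        if reasons:
            findings.append((section, text, reasons))
    return findings

if __name__ == "__main__":
    for section, text, reasons in triage(parse(SAMPLE_LOG)):
        print(section, "|", "; ".join(reasons), "|", text)
```
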