#1 (permalink)
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95

Win 95 System Hijacked by about:blank [Resolved]
My Windows 95 system has had its homepage hijacked by about:blank. I ran the HijackThis program and the log is posted below.

After the HijackThis scan I saw that it could not delete the O4 line HKML\..|Run:[sp]rundll32C\windows\temp\se.dll,Dllinstall. Maybe this is a clue. Here's the log---I'd be grateful for any help.

Logfile of HijackThis v1.99.1
Scan saved at 9:26:36 PM, on 2/23/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\POINTER.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\MAIL\EUDORA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
O2 - BHO: (no name) - {1D6D0271-8E86-4F3C-A4FC-3B6BFCD47AF4} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Winkjb] C:\WINDOWS\SYSTEM\Winkjb.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.cancereducation.com/CFIDE/classes/CFJava.cab
O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gte.net
O18 - Filter: text/html - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O18 - Filter: text/plain - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
#2 (permalink)
Analyst, Security Team

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download FixAgent and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
O2 - BHO: (no name) - {1D6D0271-8E86-4F3C-A4FC-3B6BFCD47AF4} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O4 - HKLM\..\Run: [Winkjb] C:\WINDOWS\SYSTEM\Winkjb.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O18 - Filter: text/html - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O18 - Filter: text/plain - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\HMCOE.DLL
C:\WINDOWS\SYSTEM\Winkjb.exe
C:\WINDOWS\winupd.exe

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#3 (permalink)
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
Win 95 System Hijacked by about:blank

greyknight17---Thank you for your reply and suggestions.

Using HijackThis in Safe Mode I removed the elements you suggested. The files hmcoe.dll, winkjb.exe, and winupd.exe were not present in my computer. I was not able to use FixAgent because after downloading and trying to run fixagent.exe, I got these 2 messages:

The FIXAGENT.EXE file is linked to missing export ADVAP132.DLL. Get NamedSecurityInfoA.
A device attached to the system is not functioning.

I was able to download KRC HijackThis Analyzer and the log is below. Thanks for any more help you can give me.

---------------------------------------------------
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:05:47 PM, on 2/27/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.cancereducation.com/CFIDE/classes/CFJava.cab
O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gte.net

End of KRC HijackThis Analyzer Log.
====================================================================
#4 (permalink)
Analyst, Security Team
For FixAgent, I'm not sure if it's because you have an older version of Windows that's causing the problems.
OK, it looks good now. See if anything is popping back up again after a few days. This is a new infection we are seeing and it doesn't go away that easily. Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#5 (permalink)
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
Strange things are happening!

After your last reply, I thought things may have settled down so I loaded ie-spyad.exe and spywareguard to help prevent infection. I then ran a HijackThis scan to see what it would say and it hung up when it got to item O15-Trusted Zone enumeration. I could not close HijackThis using the close button, but had to hit alt-ctrl-delete twice before the program would close. I removed ie-spyad.exe and spywareguard and HijackThis. I reinstalled HijackThis, but it still hangs up when the scan gets to O15-Trusted Zone enumeration. Other buttons on HijackThis (such as Config) still work. And, about:blank has come back to hijack my homepage. Any ideas about getting the HijackThis scan to work and continuing the battle?
#6 (permalink)
Analyst, Security Team
Try using an older version of HijackThis:

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis1982.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.

I don't think IE-Spyad or SpywareGuard should have affected anything here. I suggest installing them back.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#7 (permalink)
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
I got HijackThis v1.99.1 running again (how that happened I'm not quite sure) and here's the Analyzer log.

Thanks for your help.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:16:48 AM, on 3/1/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\MSWORKS\MSWORKS.EXE
C:\WINDOWS\winfile.exe
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)
O2 - BHO: (no name) - {9D8987F2-AAAD-45B4-AC15-C08B20A9B1AE} - C:\WINDOWS\SYSTEM\PIF.DLL
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gte.net
O18 - Filter: text/html - {743251D6-CE84-4D09-AA34-8CF46F69993D} - C:\WINDOWS\SYSTEM\PIF.DLL
O18 - Filter: text/plain - {743251D6-CE84-4D09-AA34-8CF46F69993D} - C:\WINDOWS\SYSTEM\PIF.DLL

End of KRC HijackThis Analyzer Log.
====================================================================
#8 (permalink)
Analyst, Security Team
This one is still new to us. So it may take a while before we can find a fix for it. For the time being, we are just asking users to run some programs to see if it helps us identify the baddie.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\winfile.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9D8987F2-AAAD-45B4-AC15-C08B20A9B1AE} - C:\WINDOWS\SYSTEM\PIF.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {743251D6-CE84-4D09-AA34-8CF46F69993D} - C:\WINDOWS\SYSTEM\PIF.DLL
O18 - Filter: text/plain - {743251D6-CE84-4D09-AA34-8CF46F69993D} - C:\WINDOWS\SYSTEM\PIF.DLL

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\winfile.exe
C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\SYSTEM\PIF.DLL

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
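The fix lists in posts #2 and #8 were built by hand from the same few tells: Internet Explorer start/search values set to about:blank or to a res:// page served out of se.dll in TEMP, a Browser Helper Object with no name, an O4 Run value that has rundll32 load a DLL from TEMP, and O18 MIME filters for text/html and text/plain that route every page through a DLL in SYSTEM. The script below is an added example, not part of this thread and not a tool the analyst used; it encodes those tells so they can be applied to a copy of a log on another machine, and diffs the clean log from post #3 against the reinfected log from post #7 so the entries that came back stand out. The sample lines are trimmed copies of the logs posted above; the reason strings, function names and the TEMP path constant are my own, and the rules deliberately have no opinion on plain EXEs with random names (Winkjb.exe, winupd.exe), which the analyst judged by eye.

```python
"""Triage HijackThis log lines for the about:blank / se.dll indicators in this thread.

Added example; not HijackThis, not the KRC analyzer, not anything the thread's
analyst ran. Sample lines are trimmed copies of the logs in posts #1, #3 and #7.
"""
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # (section such as "O4", the rest of the line)

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# "rundll32 <path>,<export>" as it appears inside an O4 value (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^,"]+)"?,(\w+)', re.I)
# "Filter: <mime> - {clsid} - <path>" as HijackThis prints O18 entries
FILTER_RE = re.compile(r"filter:\s*(\S+)\s*-\s*\{[^}]*\}\s*-\s*(.+)$", re.I)
TEMP_DIR = "c:\\windows\\temp\\"  # assumption: the Win9x TEMP seen in the logs above


def parse_hjt(text: str) -> List[Entry]:
    """Keep the entry lines; the header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def reason(entry: Entry) -> Optional[str]:
    """Why an entry matches one of the thread's indicators, or None if it does not."""
    section, rest = entry
    low = rest.lower()
    if section in ("R0", "R1"):
        if low.endswith("= about:blank"):
            return "IE start/search value set to about:blank"
        if "res://" + TEMP_DIR in low:
            return "IE value points at a res:// page inside a DLL in TEMP"
    elif section == "O2" and low.startswith("bho: (no name)"):
        return "Browser Helper Object with no name"
    elif section == "O4":
        m = RUNDLL_RE.search(rest)
        if m:
            path, export = m.group(1).strip().lower(), m.group(2)
            if path.startswith(TEMP_DIR):
                return f"rundll32 loads {path} from TEMP via {export}"
            if not path.endswith(".dll"):
                return f"rundll32 loads a non-.dll file {path} via {export}"
    elif section == "O18":
        m = FILTER_RE.match(rest)
        if m and m.group(1).lower() in ("text/html", "text/plain"):
            return f"MIME filter for {m.group(1)} routes every page through {m.group(2)}"
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(section, rest, reason) for every flagged entry in one log."""
    flagged = []
    for section, rest in parse_hjt(text):
        why = reason((section, rest))
        if why:
            flagged.append((section, rest, why))
    return flagged


def came_back(before: str, after: str) -> List[Entry]:
    """Entries in the later scan that the earlier (clean) scan did not have, in log order."""
    seen = set(parse_hjt(before))
    return [e for e in parse_hjt(after) if e not in seen]


POST1_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
O2 - BHO: (no name) - {1D6D0271-8E86-4F3C-A4FC-3B6BFCD47AF4} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
O18 - Filter: text/plain - {BC25A15D-1DDA-4A31-A044-6C7A2F8ADE8C} - C:\WINDOWS\SYSTEM\HMCOE.DLL
"""
POST3_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
"""
POST7_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)
O2 - BHO: (no name) - {9D8987F2-AAAD-45B4-AC15-C08B20A9B1AE} - C:\WINDOWS\SYSTEM\PIF.DLL
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {743251D6-CE84-4D09-AA34-8CF46F69993D} - C:\WINDOWS\SYSTEM\PIF.DLL
"""

if __name__ == "__main__":
    for section, rest, why in triage(POST1_LOG):
        print(f"[{section}] {why}\n    {rest}")
    print("\nEntries in post #7 that the clean post #3 log did not have:")
    for section, rest in came_back(POST3_LOG, POST7_LOG):
        print(f"  {section} - {rest}  <- {reason((section, rest)) or 'no rule matched'}")
```

The diff is the useful half: of the five entries that are new in post #7, four trip a rule, and the one that does not (the SpywareGuard BHO marked "file missing") is the leftover of a tool the user uninstalled, which is exactly the kind of thing the analyst's "post back if we ask you to fix a program you want to keep" rule is there for. The DLL name changed between infections (HMCOE.DLL, then PIF.DLL) while the CLSIDs and the se.dll Run value did not, which is why the rules key on structure rather than on file names.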
#9 (permalink)
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
I did as you suggested. The StartDreck log is below.
By the way, you suggested deleting the winfile.exe file. I did so, but I can no longer see the directory tree as in DOS 3.1 (this is what winfile.exe allows you to do). Since this is a file I've had since I first got the computer and I use it every day, I'd like to reinstall it (maybe using KillBox?). Any suggestions?

StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 12:33:33 (GMT -08:00)
Platform: Windows 95 (Win 4.0.1111 B)
Internet Explorer: 5.00.2919.6307
Logged in as Windows'95 at WINDOWS'95
»Registry
»Run Keys
»Current User
»Run
+Disabled
»RunOnce
»Default User
»Run
+Disabled
»RunOnce
»Local Machine
»Run
*BrowserWebCheck=loadwc.exe
*Microsoft IntelliType Pro="C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
*WinampAgent="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
»RunServicesOnce
**u=rundll32 C:\WINDOWS\MSDFMBP.INI,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htm_auto_file=C:\PROGRA~1\ACCESS~1\WORDPAD.EXE "%1"
+.html
`= [key or value does not exist]
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe %1
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
+Internet Explorer 5 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\SYSTEM\IE4UINIT.EXE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Internet Connection Wizard/{5A8D6EE0-3E18-11D0-821E-444553540000}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
+Microsoft Outlook Express 5/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
»Browser Helper Objects (LM)
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
*{56CC3254-B1E2-469B-9489-95067829CAE4}
`InprocServer32=C:\WINDOWS\SYSTEM\DGACABA.DLL
»Internet Explorer
»Current User
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
+SearchUrl
* =+
*provider=
»Default User
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
+SearchUrl
* =+
*provider=
»Local Machine
*Default_Page_URL=http://www.google.com
*Default_Search_URL=http://www.google.com
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\system\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=about:blank
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»Special NT Values
»Current User
*Load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
*Run=
*Programs=
*SHELL=
»Default User
*Load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Pop-Up Stopper.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Pop-Up Stopper.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`Network=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\config.sys
`[common]
`device=C:\CDROMDRV.SYS /D:CDROM001
*C:\autoexec.bat
`C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
`SET BLASTER=A220 I5 D1 H5 P330 T6
`EventHandlerT
`C:\WINDOWS\COMMAND\MSCDEX.EXE/D:CDROM001
*C:\WINDOWS\wininit.bak
`[RENAME]
`NUL=c:\program files\mozilla firefox\uninstall\uninstallfirefox.exe
*C:\WINDOWS\dosstart.bat
`C:\WINDOWS\CTCM
`MSCDEX.EXE /D:CDROM001 /L:D
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\COMMAND.COM
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
*C:\WINDOWS\COMMAND\COMMAND.COM
+C:\WINDOWS\SYSTEM\TWUNK_16.EXE
*C:\WINDOWS\TWUNK_16.EXE
+C:\WINDOWS\SYSTEM\TWUNK_32.EXE
*C:\WINDOWS\TWUNK_32.EXE
+C:\WINDOWS\extract.exe
*C:\WINDOWS\COMMAND\EXTRACT.EXE
»System/Drivers
»Running Processes
+FFCFAD63=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8253=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFF4DF=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFDD9B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFF0755B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFF0643F=C:\WINDOWS\EXPLORER.EXE
+FFF060F7=C:\WINDOWS\RUNDLL32.EXE
+FFF08DB7=C:\WINDOWS\SYSTEM\LOADWC.EXE
+FFF087FF=C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
+FFF0F2BB=C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
+FFF0E5C3=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFF0DAA7=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFF08CDB=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFF16087=C:\WINDOWS\RUNDLL32.EXE
+FFF1859B=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
+FFF23217=C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
+FFF3129B=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF30263=C:\MSWORKS\MSWORKS.EXE
+FFF3F0A7=C:\WINDOWS\winfile.exe
+FFF50E87=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFF4D03B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF4DE27=C:\STARDREK\STARTDRECK.EXE
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*vmouse.vxd=
*vshare.vxd=
*vwin32.vxd=
*vfbackup.vxd=
*vcomm.vxd=
*combuff.vxd=
*vcd.vxd=
*vpd.vxd=
*spooler.vxd=
*vfat.vxd=
*vcache.vxd=
*vcond.vxd=
*vcdfsd.vxd=
*int13.vxd=
*vxdldr.vxd=
*vdef.vxd=
*dynapage.vxd=
*configmg.vxd=
*ebios.vxd=
*vmd.vxd=
*dosnet.vxd=
*vpicd.vxd=
*vtd.vxd=
*reboot.vxd=
*vdmad.vxd=
*vsd.vxd=
*v86mmgr.vxd=
*pageswap.vxd=
*dosmgr.vxd=
*vmpoll.vxd=
*shell.vxd=
*parity.vxd=
*biosxlat.vxd=
*vmcpd.vxd=
*vtdapi.vxd=
*perf.vxd=
*bios.vxd=
*vpowerd.vxd=
*vkd.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\IOS.VXD
*C:\WINDOWS\SYSTEM\VMM32\QEMMFIX.VXD
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
*C:\WINDOWS\SYSTEM\VMM32\vmcpd.vxd
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\AIC78XX.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\AMSINT.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\NCRC710.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\NCRC810.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SMARTVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
#10
Analyst, Security Team
I must have confused that with another winfile (which happens to be in c:\windows also). I thought it was a virus, but should have double-checked on this one. If you want that file back, try extracting it back from the 95 CD or the .cab file if your PC manufacturer copied it to the hard drive for you. For more information, go here and scroll down to the Windows 95 section.
Where's your HijackThis log file? Please post it after doing the fixes below:

Run StartDreck with the same options checked as before. Click on each of the following and hit the Delete button in the program:

*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
**u=rundll32 C:\WINDOWS\MSDFMBP.INI,DllGetClassObject
*{56CC3254-B1E2-469B-9489-95067829CAE4}
`InprocServer32=C:\WINDOWS\SYSTEM\DGACABA.DLL
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank
*HomeOldSP=about:blank
*Local Page=C:\WINDOWS\system\blank.htm
*Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
*Search Page=about:blank
*Start Page=about:blank
*SearchAssistant=about:blank

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\MSDFMBP.INI
C:\WINDOWS\SYSTEM\DGACABA.DLL

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post a new HijackThis and StartDreck log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
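The entries the analyst picks out above follow a small number of patterns that can be checked mechanically before a human reads the rest of the log: an Internet Explorer search value served out of a DLL resource (res://) sitting in a temp folder, a rundll32 autostart whose "module" lives in a temp folder or is not a DLL at all (here an .INI under RunServicesOnce), and a Browser Helper Object registered without a friendly name. The following Python is an added example written for this thread; it is not part of HijackThis, StartDreck or the forum's tooling. The sample log lines are constructed from the entries quoted in the thread (plus two benign lines for contrast), and the indicator names are my own labels.

```python
"""Triage of HijackThis-style startup and IE-setting entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample log: HijackThis-style lines modelled on the entries quoted
# in this thread, plus two benign entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {56CC3254-B1E2-469B-9489-95067829CAE4} - C:\WINDOWS\SYSTEM\DGACABA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServicesOnce: [u] rundll32 C:\WINDOWS\MSDFMBP.INI,DllGetClassObject
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
"""

# Temp-folder path fragments, matched case-insensitively against the whole line.
TEMP_DIRS = ("\\TEMP\\", "\\TMP\\")
# Extensions that rundll32 has no business loading as code.
NON_CODE_EXT = (".ini", ".tmp", ".dat", ".txt")
# "rundll32 <module>,<export>" with an optional quoted module path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<module>"[^"]+"|[^\s,]+),(?P<export>\w+)', re.I)


@dataclass
class Finding:
    kind: str   # short indicator name (labels chosen for this example)
    line: str   # the log line that triggered it


def classify(line: str) -> list:
    """Return the indicator names matching one log line (empty list if clean)."""
    hits = []
    upper = line.upper()
    in_temp = any(frag in upper for frag in TEMP_DIRS)

    # IE start/search values pointing at a resource inside a DLL.  A res://
    # target in a temp folder is the about:blank hijack pattern from this thread.
    if line.startswith(("R0", "R1")) and "res://" in line.lower():
        hits.append("ie-setting-res-dll-in-temp" if in_temp else "ie-setting-res-dll")

    # rundll32 autostart entries: where does the module live, and is it a DLL?
    match = RUNDLL_RE.search(line)
    if match:
        module = match.group("module").strip('"')
        if in_temp:
            hits.append("rundll32-module-in-temp")
        if module.lower().endswith(NON_CODE_EXT):
            hits.append("rundll32-module-non-dll-extension")

    # Browser Helper Objects that register without a friendly name.
    if line.startswith("O2") and "(no name)" in line:
        hits.append("bho-unnamed")
    return hits


def triage(log_text: str) -> dict:
    """Run classify() over every line and add one cross-line correlation."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings.extend(Finding(kind, line) for kind in classify(line))
    lower = log_text.lower()
    # about:blank on its own is a legitimate setting; together with a res://
    # search value it is the signature the analyst cleaned up in this thread.
    pattern = "res://" in lower and "= about:blank" in lower
    return {"findings": findings, "about_blank_hijack_pattern": pattern}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"[{f.kind}] {f.line}")
    print("about:blank hijack pattern:", result["about_blank_hijack_pattern"])
```

Run against the sample, the two AVG and Google lines come back clean while the four entries the analyst deleted are each flagged; the cross-line correlation is there because about:blank by itself proves nothing, and it is the pairing with a res:// search value that marks the hijack.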
#11
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
The HJT and StartDreck logs are below. I have set my Internet Explorer home page to "about:hello" It seems to keep the about:blank hijacking from happening quite so fast---but it's only a band-aid, not a fix.
Logfile of HijackThis v1.99.1
Scan saved at 5:55:21 PM, on 3/5/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MAIL\EUDORA.EXE
C:\WINDOWS\DESKTOP\ANTI-SPYWARE\STARDREK\STARTDRECK.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:hello
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gte.net

------------------------------------

StartDreck (build 2.1.7 public stable) - 2005-03-05 @ 17:04:44 (GMT -08:00)
Platform: Windows 95 (Win 4.0.1111 B)
Internet Explorer: 5.00.2919.6307
Logged in as Windows'95 at WINDOWS'95
»Registry
»Run Keys
»Current User
»Run
+Disabled
»RunOnce
»Default User
»Run
+Disabled
»RunOnce
»Local Machine
»Run
*BrowserWebCheck=loadwc.exe
*Microsoft IntelliType Pro="C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
*WinampAgent="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
»RunOnce
»RunServices
»RunServicesOnce
**jck=rundll32 C:\WINDOWS\MSDFMBP.INI,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe %1
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
+Internet Explorer 5 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\SYSTEM\IE4UINIT.EXE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Internet Connection Wizard/{5A8D6EE0-3E18-11D0-821E-444553540000}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
+Microsoft Outlook Express 5/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Start Page=about:hello
+SearchUrl
* =+
*provider=
»Default User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Start Page=about:hello
+SearchUrl
* =+
*provider=
»Local Machine
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»Special NT Values
»Current User
*Load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
*Run=
*Programs=
*SHELL=
»Default User
*Load=C:\WINDOWS\POINTER.EXE C:\MOUSE\POINTER.EXE
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Pop-Up Stopper.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Pop-Up Stopper.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`Network=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\config.sys
`[common]
`device=C:\CDROMDRV.SYS /D:CDROM001
*C:\autoexec.bat
`C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
`SET BLASTER=A220 I5 D1 H5 P330 T6
`EventHandlerT
`C:\WINDOWS\COMMAND\MSCDEX.EXE/D:CDROM001
`WIN
*C:\WINDOWS\wininit.bak
`[rename]
`NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
*C:\WINDOWS\dosstart.bat
`MSCDEX.EXE /D:CDROM001 /L:D
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\COMMAND.COM
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
*C:\WINDOWS\COMMAND\COMMAND.COM
+C:\WINDOWS\SYSTEM\TWUNK_16.EXE
*C:\WINDOWS\TWUNK_16.EXE
+C:\WINDOWS\SYSTEM\TWUNK_32.EXE
*C:\WINDOWS\TWUNK_32.EXE
+C:\WINDOWS\extract.exe
*C:\WINDOWS\COMMAND\EXTRACT.EXE
»System/Drivers
»NT Services
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*vmouse.vxd=
*vshare.vxd=
*vwin32.vxd=
*vfbackup.vxd=
*vcomm.vxd=
*combuff.vxd=
*vcd.vxd=
*vpd.vxd=
*spooler.vxd=
*vfat.vxd=
*vcache.vxd=
*vcond.vxd=
*vcdfsd.vxd=
*int13.vxd=
*vxdldr.vxd=
*vdef.vxd=
*dynapage.vxd=
*configmg.vxd=
*ebios.vxd=
*vmd.vxd=
*dosnet.vxd=
*vpicd.vxd=
*vtd.vxd=
*reboot.vxd=
*vdmad.vxd=
*vsd.vxd=
*v86mmgr.vxd=
*pageswap.vxd=
*dosmgr.vxd=
*vmpoll.vxd=
*shell.vxd=
*parity.vxd=
*biosxlat.vxd=
*vmcpd.vxd=
*vtdapi.vxd=
*perf.vxd=
*bios.vxd=
*vpowerd.vxd=
*vkd.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\IOS.VXD
*C:\WINDOWS\SYSTEM\VMM32\QEMMFIX.VXD
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
*C:\WINDOWS\SYSTEM\VMM32\vmcpd.vxd
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\AIC78XX.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\AMSINT.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\NCRC710.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\NCRC810.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SMARTVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
#12
Analyst, Security Team
Download Win98Fix (http://www.greyknight17.com/spy/Win98Fix.zip) and unzip it.
- Double-click on the 'RunFix.reg' file and hit 'yes' on the prompt!
- Restart computer!
- File should be visible now!
- Search for this file -->> C:\WINDOWS\MSDFMBP.INI
- Once found, delete it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Go to C:\WINDOWS\ and open up wininit.bak in Notepad. Delete this line:

`NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

Save the file and close it.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Don't run it yet.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:hello

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\MSDFMBP.INI

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Run StartDreck with the same options checked as before. Click on each of the following and hit the Delete button in the program:

**jck=rundll32 C:\WINDOWS\MSDFMBP.INI,DllGetClassObject

Reboot into Normal Mode and run Ad-aware and Spybot now (make sure to check for updates first). Then run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
#13
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
The c:\windows\wininit.bak file has only the following contents:
[rename]
NUL=C:\WINDOWS\TEMP\SE.DLL
[rename]
NUL=C:\WINDOWS\TEMP\~DF9C03.TMP
[rename]
NUL=C:\WINDOWS\TEMP\~DF808.TMP

Is it safe to delete these items? I won't delete until I hear from you.

------------------------------------

Win98Fix does not run as you described on my Win95 machine. Double-clicking on RunFix.reg does not result in a prompt but just gives me a message saying that "Information in RUNFIXREG has been successfully entered into the registry." It then asks me to click OK.
#14
Analyst, Security Team
Yes, you may proceed and delete all those lines in the wininit.bak file.
OK, no problem. The registry file is merged then. That's ok. Continue with the fixes.
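The wininit.bak contents quoted in the two posts above are a record of boot-time file operations: on Windows 9x, WININIT.EXE processes the [rename] section of WININIT.INI before the shell starts, moving each `source` to `dest`, deleting `source` when `dest` is NUL, and then renaming the file to WININIT.BAK once done. Reading that file back therefore shows which files were deleted or replaced at the last boot, which is how a NUL= entry for the same SE.DLL that the Run key was loading stands out. The Python below is an added example written for this thread, not part of any of the tools it mentions; the sample file is constructed from the entries quoted here, with repeated [rename] headers as in the poster's file and one made-up rename of a system DLL for contrast, and the review flags are my own labels.

```python
"""Reader for the Windows 9x WININIT.INI / WININIT.BAK [rename] section (added example)."""
from pathlib import PureWindowsPath

# Constructed sample modelled on the wininit.bak contents quoted in this thread,
# with repeated [rename] headers as in the poster's file and one made-up rename
# of a system binary added for contrast.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SE.DLL
[rename]
NUL=C:\WINDOWS\TEMP\~DF9C03.TMP
; constructed: a pending replacement of a system DLL
C:\WINDOWS\SYSTEM\SHELL32.DLL=C:\WINDOWS\TEMP\SHELL32.NEW
"""

TEMP_DIRS = ("\\TEMP\\", "\\TMP\\")
CODE_EXT = (".dll", ".exe", ".vxd", ".drv", ".com")


def parse_rename_section(text: str) -> list:
    """Return (dest, source) pairs from every [rename] section, in file order."""
    ops = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section headers may repeat; each one re-selects [rename] or not.
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            ops.append((dest.strip(), src.strip()))
    return ops


def describe(ops: list) -> list:
    """Turn raw pairs into delete/rename records with review flags."""
    records = []
    for dest, src in ops:
        # A destination of NUL means "delete the source at boot".
        action = "delete" if dest.upper() == "NUL" else "rename"
        flags = []
        if any(frag in src.upper() for frag in TEMP_DIRS):
            flags.append("source-in-temp")  # a dropped file being cleaned up or staged
        if (action == "rename"
                and PureWindowsPath(dest).suffix.lower() in CODE_EXT
                and "\\SYSTEM" in dest.upper()):
            flags.append("overwrites-system-binary")
        records.append({"action": action, "src": src, "dest": dest, "flags": flags})
    return records


if __name__ == "__main__":
    for rec in describe(parse_rename_section(SAMPLE_WININIT)):
        print(rec)
```

The parser keeps file order and tolerates the repeated section headers seen in the poster's file; the flags are only prompts for a reviewer, since a legitimate installer also uses [rename] to replace in-use files at the next boot, and the two entries the thread deals with are deletions of files in C:\WINDOWS\TEMP.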
#15
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
Followed your instructions with these results:
When I deleted the entire contents of wininit.bak, the dread msdfmbp.ini showed up for the first time as a file in the root c:\ directory. I deleted it. Now, things seem peaceful (at least for the time being). I do notice that I sometimes get a file in c:\windows\temp that cannot be deleted in normal mode---it can be deleted in safe mode--and even in normal mode it sometimes disappears on its own. These files look like ~dfXXXX.tmp where XXXX is a random combination of letters and numbers. Deleting the contents of wininit.bak and the msdfmbp.ini file seems to have really helped. What led you to make these very effective suggestions? Here's the analyzer log.

----------------------------------------------------------
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:29:01 PM, on 3/7/05
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\MSWORKS\MSWORKS.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O16 - DPF: {94349FB6-37A0-4385-BADA-1B48DE3CA833} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v9.5/investor.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe

End of KRC HijackThis Analyzer Log.
====================================
#16
Analyst, Security Team
Your log is clean.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go.
#17
Registered User
Join Date: Feb 2005
Posts: 12
OS: Win 95
Things seem to have settled down and the hijacking and the popups seem to have stopped.
I currently have these programs on my computer: AVG 7.0 (free edition), Spybot S & D, CWShredder, HijackThis, SpywareGuard, and SpywareBlaster. Do you recommend that I install a firewall such as the free edition available from Zone Labs? Thanks for all your help---I intend to make a contribution to the forum to help you continue your valuable public service.
#18
Analyst, Security Team
Yes, if you don't have a firewall installed already, get ZoneAlarm (free version is good enough).