
stubborn adware or something taking over IE

Discussion in 'Malware and Virus Removal Archive' started by tquinn, 2004/06/15.

Thread Status:
Not open for further replies.
  1. 2004/06/15
    tquinn Contributing Member

    tquinn Well-Known Member Thread Starter

    Joined:
    2002/08/05
    Messages:
    271
    Likes Received:
    0
    I'm running Windows 95, and something keeps resetting the IE home page. Once it does this, it puts a slick cover screen over everything with a button in the middle that says "Click Here." I don't click it, but other IE windows are open at that point (with a banner description on one of "Powered by vBullein "), and that is obviously a gateway to a **** site. In some ways it reminds me of a problem posted below at

    http://www.windowsbbs.com/showthread.php?t=8351&highlight=home+page

    but I cannot be sure because I don't think we have an msconfig to look at in Win 95.

    Other characteristics are that this puts two files on the desktop, called o and o.bat. o has no extension, and is 174 bytes long. I've "edited" o.bat, and it has several command lines in it starting off with IF EXIST, followed by various file names like
    Infamous_downloader.exe
    cs4po28.exe
    install2.exe
    silent.exe

    I've tried cleaning this off with Startup Manager, but nothing there looks unusual. I've reset the home page and deleted o and o.bat, but usually on the next boot it will reappear. I've run Ad-aware and cleaned off things with it, and it didn't fix it. I'm running it again now. I've also run Norton Anti-virus, but cannot find anything wrong. But I'm rerunning it also. I've tried Spybot and deleted what it recommended, and the problem still returned.

    This seems to be very stubborn and nasty. I'm not aware that it has yet caused any damage, just annoyance.

    Do any of these descriptions suggest what this is to anyone? Any suggestions on what to try next?

    Terry
     
  2. 2004/06/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Download Hijackthis. Put it in a folder all its own (so not temp or desktop or similar).

    Run Hijackthis and let it create a scan log - it should open up in notepad when you do. Paste a copy here.


    Note that your Spybot version should be 1.3 with updates before you run it. Also you need the latest updates for Ad-aware.
     
    Newt,
    #2

  5. 2004/06/15
    tquinn Contributing Member

    tquinn Well-Known Member Thread Starter

    Joined:
    2002/08/05
    Messages:
    271
    Likes Received:
    0
    Results of Hijack run

    Here is what I got. Anything weird?:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:18 PM, on 6/15/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WIN95\SYSTEM\KERNEL32.DLL
    C:\WIN95\SYSTEM\MSGSRV32.EXE
    C:\WIN95\SYSTEM\SPOOL32.EXE
    C:\WIN95\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WIN95\SYSTEM\mmtask.tsk
    C:\WIN95\EXPLORER.EXE
    C:\MEDIA95\VI_GRM.EXE
    C:\WIN95\SYSTEM\SYSTRAY.EXE
    C:\WIN95\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WIN95\SYSTEM\LVCOMS.EXE
    C:\WIN95\LOADQM.EXE
    C:\PROGRAM FILES\TASKBAR ACTIVATE\TASKBARACTIVATE.EXE
    D:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WIN95\SYSTEM\PSTORES.EXE
    C:\WIN95\SYSTEM\DDHELP.EXE
    C:\UTILITY\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtco.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    F1 - win.ini: load=C:\MEDIA95\vi_grm.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN95\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LVComs] C:\WIN95\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
    O4 - Startup: S3 Video Manager.lnk = C:\MEDIA95\VI_GRM.EXE
    O4 - Startup: Taskbar Activate.lnk = C:\Program Files\Taskbar Activate\TaskbarActivate.exe
    O4 - Startup: HotSync Manager.lnk = D:\Program Files\palm\HOTSYNC.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .dr: C:\PROGRA~1\INTERN~1\PLUGINS\npDRDW.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .do: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.3.5.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {60F47E29-4A42-11D2-83ED-02608CA10990} (SmartLOOK CAD Viewer Control) - http://www.i-markinc.com/SmartLOOKX/SmartLOOKX.cab
     
  6. 2004/06/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Download and run CWShredder
    http://www.net-integration.net/tools/hijackthis.html#cwshredder <<from there
    Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
    If you already have it, just download another copy and overwrite the old one, to ensure it's the latest version. Currently it's CWShredder 1.59 6/5/2004.

    Then restart the PC

    Start Hijackthis and fix these:

    fix all the unwanted R1's and R0's, any with an = sign at the end, and the about:blanks, plus
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    =============
    Close Hijackthis, then find and delete the Lycos folder in Program Files.
    You might have to reboot before deleting the folder.

    Come back, then make and post a new log.
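The checks Lonny Jones applies by hand above (R0/R1 values that are empty, set to about:blank, or pointing at a host the user never chose; O2 BHOs with "(no file)"; an O6 IE policy restriction) can be scripted for triage. The following is an added example written for this thread; it is not HijackThis's own code and not something either poster ran. The KNOWN_GOOD_HOSTS allowlist and SAMPLE_LOG are constructed for the example, the latter from a subset of the log posted earlier in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed allowlist: the two sites the poster set on purpose.
KNOWN_GOOD_HOSTS = {"www.foxnews.com", "www.mtco.com"}

# R0/R1 lines look like "<hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - HK(?:CU|LM)\\[^,]+,([^=]+?)\s*=\s*(.*)$")
# O2 lines look like "BHO: <name> - {CLSID} - <path or (no file)>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O6 lines report an IE policy restriction under HK??\Software\Policies
O6_LINE = re.compile(r"^O6 - HK(?:CU|LM)\\Software\\Policies\\")


def classify(line):
    """Return (verdict, reason) for one log line.

    verdict is "fix" (matches a hijack pattern seen in this thread),
    "review" (needs a human look) or "ok". Sections this helper does not
    model (O4, O9, O12, O16, ...) come back as "ok" / "not modelled".
    """
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        name, data = m.group(1).strip(), m.group(2).strip()
        if data == "":
            return "fix", f"{name} is empty (= with nothing after it)"
        if data.lower() == "about:blank":
            return "fix", f"{name} points at about:blank"
        if data.lower().startswith("http"):
            host = urlparse(data).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                return "fix", f"{name} points at unexpected host {host}"
            return "ok", f"{name} points at allowlisted host {host}"
        return "review", f"{name} = {data!r} is not a URL"
    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.groups()
        if path.strip().lower() == "(no file)":
            return "fix", f"BHO {clsid} has no backing file"
        return "review", f"BHO {name} loads {path.strip()}"
    if O6_LINE.match(line):
        return "fix", "IE policy restriction present"
    return "ok", "not modelled"


def triage(lines):
    """Return [(line, verdict, reason)] for every line that is not "ok"."""
    findings = []
    for line in lines:
        verdict, reason = classify(line)
        if verdict != "ok":
            findings.append((line.strip(), verdict, reason))
    return findings


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank",
    r"O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)",
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
]

if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {line}")
```

Run against SAMPLE_LOG it flags six "fix" lines (the two smartbotpro/default-homepage-network URLs, the empty SearchAssistant, the about:blank, the file-less BHO and the O6 policy) and one "review" line (the Acrobat BHO, which is legitimate but cannot be judged from the log alone). The allowlist is the part a helper would have to confirm with the poster, since a start page the user really chose looks no different in the log from one an installer set.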
     
  7. 2004/06/16
    tquinn Contributing Member

    tquinn Well-Known Member Thread Starter

    Joined:
    2002/08/05
    Messages:
    271
    Likes Received:
    0
    New log after making fixes proposed by Lonny Jones

    I'll see if this does the trick. Thanks!!! Terry


    Logfile of HijackThis v1.97.7
    Scan saved at 6:33:25 AM, on 6/16/2004
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WIN95\SYSTEM\KERNEL32.DLL
    C:\WIN95\SYSTEM\MSGSRV32.EXE
    C:\WIN95\SYSTEM\SPOOL32.EXE
    C:\WIN95\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WIN95\SYSTEM\mmtask.tsk
    C:\WIN95\EXPLORER.EXE
    C:\MEDIA95\VI_GRM.EXE
    C:\WIN95\SYSTEM\SYSTRAY.EXE
    C:\WIN95\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WIN95\SYSTEM\LVCOMS.EXE
    C:\WIN95\LOADQM.EXE
    C:\PROGRAM FILES\TASKBAR ACTIVATE\TASKBARACTIVATE.EXE
    D:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\WIN95\SYSTEM\DDHELP.EXE
    C:\WIN95\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UTILITY\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtco.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    F1 - win.ini: load=C:\MEDIA95\vi_grm.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN95\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LVComs] C:\WIN95\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
    O4 - Startup: S3 Video Manager.lnk = C:\MEDIA95\VI_GRM.EXE
    O4 - Startup: Taskbar Activate.lnk = C:\Program Files\Taskbar Activate\TaskbarActivate.exe
    O4 - Startup: HotSync Manager.lnk = D:\Program Files\palm\HOTSYNC.EXE
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .dr: C:\PROGRA~1\INTERN~1\PLUGINS\npDRDW.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .do: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.3.5.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {60F47E29-4A42-11D2-83ED-02608CA10990} (SmartLOOK CAD Viewer Control) - http://www.i-markinc.com/SmartLOOKX/SmartLOOKX.cab
     
  8. 2004/06/16
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi tquinn

    Close all browsers and fix these with hijackthis.
    (Items in blue are optional)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    ====
    I don't see this as being marked as bad anywhere, but I cannot get there. It's safe to fix; if needed again they should prompt you when next needed.
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-d...zard3.0.3.5.cab
    =====

    Restart the PC and surf a few hours. If those about:blanks return, post back with a new log.
     
  9. 2004/06/16
    tquinn Contributing Member

    tquinn Well-Known Member Thread Starter

    Joined:
    2002/08/05
    Messages:
    271
    Likes Received:
    0
    Thanks

    Okay, I've cleaned these off too. So far, no re-appearance. Thank you for the help.

    Terry
     