Hi,

A labmate has been having problems with her laptop so I offered to take a look as I know more about computers than she does. There was no AV or firewall and upon opening IE directed to protect.advancedcleaner.com. So I installed AVG, ZoneAlarm firewall, did scan with AVG and found/removed a few virus. The laptop is old, running Windows ME so it was difficult to find a supported virus/firewall. Also did the Windows updates (there were lots!). The Spybot scan only pulled up 2 hits - a CoolWWWsearch and mySoft. Clicked fix and hoped that would be the end of it.

But unfortunately IE isn't working well. Cannot change the homepage (it is grayed out). Upon trying to go to a site, e.g. www.bbc.co.uk the page fails to load, but a pseudo-security bar at the top of the page says "The page you are looking for is probably blocked by adware/spyware on your PC. Remove it with AntiSpywareControl software. Click here [link]" the address bar changes from the "www.bbc.co.uk" that I enter to "http://windowsdnserror.com/?s=2&u=bbc.co.uk". Try google.com and it does the same. But not Yahoo...?

So I run the Spybot again (and again and again) and the same 2 problems are still there, even after I click fix. I go to the registry where the problems are, delete th offending keys and try to open the bbc page again, but the registry keys appear once again.

Below is a HJT log; I can't get the online scanner to work with the current IE issues.

Thank you in advance for any help that you can offer,

Dave


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:59 AM, on 5/9/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ICO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\WHLPSV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://protect.advancedcleaner.com/NDk3MA==/2/1498/2/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windowsdnserror.com/?s=2&u=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: {A4BFB634-44AC-4bce-8994-4806B7091EE1} - {A4BFB634-44AC-4bce-8994-4806B7091EE1} - C:\WINDOWS\TSWAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [whlpsv] C:\WINDOWS\whlpsv.exe
O4 - HKLM\..\Run: [DriverMagicSchedule] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - DefaultPrefix: http://windowsdnserror.com/?s=2&u=
O13 - WWW Prefix: http://windowsdnserror.com/?s=2&u=
O13 - WWW. Prefix: http://windowsdnserror.com/?s=2&u=
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = cornell.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = Berkeley.EDU,HIP.Berkeley.EDU
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.253.180.2,132.236.56.250

--
End of file - 6037 bytes

Hi

As you probably know Microsoft doesn't support Windows ME anymore. That means there won't be patches available making it vulnerable to internet threats. I'd recommend upgrading to supported operating system (OS) (if system is powerful enough to run it) or install some Linux distro if buying a new computer with supported OS is not an option.

Download CWShredder (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe) to your desktop but don't run it yet.

Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://protect.advancedcleaner.com/NDk3MA==/2/1498/2/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windowsdnserror.com/?s=2&u=
O4 - HKLM\..\Run: [whlpsv] C:\WINDOWS\whlpsv.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://windowsdnserror.com/?s=2&u=
O13 - WWW Prefix: http://windowsdnserror.com/?s=2&u=
O13 - WWW. Prefix: http://windowsdnserror.com/?s=2&u=

Close browsers and fix checked.

Make hidden files visible (http://www.bleepingcomputer.com/tutorials/tutorial62.html#winme).

Delete following file if found:
C:\WINDOWS\whlpsv.exe


Run CWShredder and reboot after that. Post a fresh hjt log.

Hi Blade,

Thanks for your suggestions, which I have followed. I will tell my colleague your suggestion , I'm not sure that a new system is an option for her right now and I"m not sure if she'll like Linux but I certainly agree with you and will tell her.

The HJT log is below. Before running the CWShredder, I was unable to make all files visible...on the Tools toolbar the only options are Mat network drive, Disconnect network drive and Syncronize. I'm not sure if this could be a problem, but the CWShredder did not find any problem.

Anyway, here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:33 PM, on 5/13/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ICO.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: {A4BFB634-44AC-4bce-8994-4806B7091EE1} - {A4BFB634-44AC-4bce-8994-4806B7091EE1} - C:\WINDOWS\TSWAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [DriverMagicSchedule] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = cornell.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = Berkeley.EDU,HIP.Berkeley.EDU
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.253.180.2,132.236.56.250

--
End of file - 5365 bytes

Hi

Well, the log looks clean to me :) How's the system running? Does Spybot still find something?

Edit: Could you upload C:\WINDOWS\TSWAIN.DLL file to http://virusscan.jotti.org and post back the results?

Hi Blade,

The Spybot scan and online scan of the TSWAIN file were both clean. Also good news in that she is going to upgrade to Windows 2000 so hopefully no more problems in the future.

Thanks for all of your help!

Dave

Good news :) I wish her safe surfing.


Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Hi Dave

I reopened the case since it turned out that C:\WINDOWS\TSWAIN.DLL file is bad after all and should be removed.

So, do following:
Start hjt, do a system scan, check:
O2 - BHO: {A4BFB634-44AC-4bce-8994-4806B7091EE1} - {A4BFB634-44AC-4bce-8994-4806B7091EE1} - C:\WINDOWS\TSWAIN.DLL

Close browsers and fix checked.

Delete C:\WINDOWS\TSWAIN.DLL file (if found). Reboot and post a fresh hjt log.

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.