IE not working after spyware cleanout

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vered, Oct 28, 2004.

  1. vered

    vered Private E-2

    Hi,

    Basic info: I have Windows XP with Service Pack 2, and IE 6.0something

    I've been barraged by spyware this past month or so. I've followed the great tutorial here (http://forums.majorgeeks.com/showthread.php?t=35407) to rid myself of these buggers, and most times I've been successful. After the first time I did all that, I was able to go to Microsoft sites, more specifically MSN, something I had not been able to do for months.

    About a week ago I did the above scans again, plus I installed service pack 2. And now my IE doesn't work, but FireFox does. MSN messenger doesn't work either. And I can't go to hotmail again. When I try to go to a site on IE it says Cannot find server, the page cannot be displayed - as if it doesn't realize that I am online.

    I tried all those scans again today, except for the online ones at Trend and Symantec because they will not run on FireFox. And still I cannot use IE. Also, I ran Hijackthis and put it into that site mentioned that checks the log. Some things there I know were wrong, the searchpage.html ones, and I deleted them. But there are others, involving windows media player that I don't know what/if to do about. I can post the log if wanted.

    Apart from all the anti spyware programs listed in the tutorial, I also have SpySweeper (trying it out). And Norton Antivirus.

    Any idea how to fix it? I would love to just use FireFox instead of IE but unfortunately there are lots of sites - especially Israeli ones - that don't work on it.

    Thanks,

    Vered
    Tel Aviv, Israel
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis version 1.98.2 and do NOT run Hijack This from the Desktop, a temp folder, or from a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser (that includes FireFox) and e-mail. Close them before running Hijack This!
     
  3. vered

    vered Private E-2

    Thanks. Here is the log file.

    You might see that I have a2 installed, but I haven't been able to activate it - I received my login and password but it keeps saying it cannot connect to the account server and to check my internet settings. Probably another one of my problems.

    Vered
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should go to Add/Remove Programs and uninstall P2P Networking.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:/files/door.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\files\door.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/files/door.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/files/door.html
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART


    Now reboot and post a new HJT log. And tell us how things are working.

    Do you know what the two items below are?

    C:\WINDOWS\system32\CAPRPCSK.EXE
    O4 - Startup: Onemail Indicator.lnk = C:\Program Files\Onemail\TrayIndicator.exe
     
  5. vered

    vered Private E-2

    I deleted the P2P folder yesterday (the Hijack this log is from AFTER me doing that) so when I now went to Add/Remove programs it told me it may have been uninstalled already and to click if I wanted to remove it from the file list.

    C:\files\door.html IS my 'homepage' - should I really delete these lines?

    I do know what
    O4 - Startup: Onemail Indicator.lnk = C:\Program Files\Onemail\TrayIndicator.exe
    is but not what
    C:\WINDOWS\system32\CAPRPCSK.EXE is.

    I am waiting to hear if I should delete the lines with C:\files\door.html before I run hijack this again.

    Thanks a lot!

    Vered
     
  6. vered

    vered Private E-2

    Well, I decided I could always redefine door.html as my homepage and deleted those rows, and the P2P one. I rebooted and then Spyware Guard informed me that my homepage had been changed from door.html to <none>. Not thinking, really, I automatically told it to change it back. So in the Hijack this log you will see that these files are back. Since I DO want my homepage to be door.html, I'm assuming they aren't a problem.

    Anyhoooo, here is the new log after doing what you said.

    And one other thing. I have been battling a mtwirl.dll file in c:\windows\system32 - Norton keeps deleting it but every time I reboot it reappears. Every so often Norton says it cannot delete it, and then I go into safe mode and delete it. And every so often I cannot delete it in safe mode so I MOVE it to a different folder in safe mode, and then Norton CAN delete it. Even now as I restarted Norton found it and deleted it.

    Thanks a lot,

    Vered
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. vered

    vered Private E-2

    Found it - Canon Advanced Printing Technology RPC Server Process

    So is there nothing else in the file? I will fix the mtwirl according to the instructions on the Symantec site later on (I need the computer now, can't afford the time to do a full scan in safe mode). But I still cannot use my internet explorer or my MSN messenger or go to MSN sites even with FireFox. Something does NOT want me using microsoft <g>. Do you think fixing mtwirl will help that?

    Once again, thank you,

    Vered
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may help.

    Also look at your c:\windows\system32\drivers\etc\hosts file using notepad.

    See if it looks like the bold print below. If not, tell me:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
     
  10. vered

    vered Private E-2

    The hosts file is empty (and is 1kb). The lmhosts.sam file is similar to what you posted but not exactly. It is 4kb.

    Not good that it is empty?

    Vered
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not a problem really. It could have been a problem if there were a load more IP addresses in there because they could cause redirection or blocking of places that you want to go. You can ignore it or you can copy what I gave you into a hosts file.

    Have you looked at your Internet Options, Security settings? In particular the Restricted Sites, to make sure the addresses that you are trying to get to are not in there. There could be a lot of addresses in the Restricted Sites list due to using programs like SpyBot (and others) that block bad sites. You should scroll thru the list to make sure that any sites you are having problems getting to are not in the list. You may need to look in the list for URLs in both the number and text form. For example: www.msn.com and 207.68.173.254 are both the same thing.

    You can go here to convert URL or IP addresses to the other form: http://www.samspade.org/t/whois?a=&server=magic
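An added example (mine, not chaslang's or the thread's): a read-only PowerShell script that lists every entry IE has placed in the Restricted Sites zone, in both the host-name and numeric forms the post above describes. It assumes a PowerShell-capable Windows machine (PowerShell was not part of XP in 2004) and reads only the current user's zone map, not a machine-wide policy map under HKLM.

```powershell
# Added example, not from the thread. Lists every Restricted Sites (zone 4)
# entry so blocks on sites like msn.com, or on their IP addresses, stand out.
# Read-only: nothing is changed.
$zoneMap    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$restricted = 4

# Host-name entries live under Domains\<domain>[\<subdomain>]; each key holds
# values named after a scheme ('*', 'http', 'https') whose data is the zone.
Get-ChildItem -Path "$zoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($scheme in $key.GetValueNames()) {
        if ($key.GetValue($scheme) -eq $restricted) {
            # Key path "Domains\acme.com\www" means the host www.acme.com.
            $parts = ($key.PSPath -replace '.*\\Domains\\', '').Split('\')
            [array]::Reverse($parts)
            [pscustomobject]@{ Type = 'Domain'; Entry = ($parts -join '.'); Scheme = $scheme }
        }
    }
}

# Numeric entries live under Ranges\Range<n>: a ':Range' string holds the
# address (or range) text and a scheme value holds the zone number.
Get-ChildItem -Path "$zoneMap\Ranges" -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $range = $key.GetValue(':Range')
    foreach ($scheme in $key.GetValueNames()) {
        if ($scheme -ne ':Range' -and $key.GetValue($scheme) -eq $restricted) {
            [pscustomobject]@{ Type = 'Range'; Entry = $range; Scheme = $scheme }
        }
    }
}
```

Pipe the output through Format-Table or Out-File to keep a copy of the list before removing anything.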
     
  12. vered

    vered Private E-2

    I checked the restricted sites - it's a wonder my bf can go on any porn sites at all with that list! <g>. But it didn't seem like there were any extra sites, and none were in numbers.

    Also, IE does not work *at all* right now. It is FireFox that cannot go to msn sites - but you know what, I just checked and it CAN go there - including hotmail. So SOMETHING we did here must have helped :). I still cannot use MSN messenger although other messenger programs (ICQ, Yahoo) do work. And of course the biggie - I can't use IE.

    Could this possibly not be spyware related at all? If IE were a regular program I would simply uninstall and reinstall.

    :)

    Vered
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you ever get mtwirl fixed?
     
  14. vered

    vered Private E-2

    No, not yet, I forgot to set it to scan last night - I'm doing some work on the computer and can't take 2 hours off to scan. I'll do it tonight :). I'll get back to you with results tomorrow (could be this evening for you, I'm at least 7 hours ahead of you depending on where you are in the US).

    Thanks :)

    Vered
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know when you finish. I'm near New York City.
     
  16. vered

    vered Private E-2

    Oh yes, duh, it DOES say New Jersey. So 7 hours difference.

    Ok, I ran it last night - that is, I first deleted those lines in the registry, then booted into safe mode and ran Norton. It didn't find anything. Then when I rebooted back upon startup, as is usual here, I got a message saying that c:\windows\system32\mtrwirl.dll could not be found and a message from Norton saying the same file was a virus and had been deleted. So something is STILL calling it up with startup.

    And I still can't use IE...

    Any ideas? :)

    Vered
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure system restore is disabled and you have viewing of hidden files enabled.

    Then try the below:
    1) Boot into safe mode.
    2) Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u c:\windows\system32\mtwirl.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    It is mtwirl.dll isn't it? Your last message said mtrwirl.dll.

    3) Use Windows Explorer and delete c:\windows\system32\mtwirl.dll (let me know if you find it and can get it deleted).

    Also, try running regedit and search thru your registry for mtwirl.dll . Tell me if you find it anywhere. See the steps for removal in the thread I gave from Symantec a few messages back. It discusses cleaning the registry.
     
    Last edited: Oct 31, 2004
  18. vered

    vered Private E-2

    Ok, I did what you said. When I pasted
    regsvr32 /u c:\windows\system32\mtwirl.dll
    into the Run box (in safe mode) I got a notice saying the specified module could not be found. I still went into c:\windows\system32 and could not find mtwirl.dll . I rebooted and lo and behold, I got a windows message telling me 'error loading c:\windows\system32\mtwirl.dll specified module could not be found, AND a Norton message telling me it HAD found c:\windows\system32\mtwirl.dll (virus name Trojan.Startpage) and had automatically deleted it.

    As I mentioned before, this sort of thing has been going on for a while. Sometimes I *do* find the dll when I am in safe mode and delete it, sometimes I don't.

    Registry - I searched for mtwirl.dll and found it. I think it's exactly where it was before I deleted it the other day following the instructions on the Symantec site you sent me to. Well, it's back there now. I can follow those steps again but what's to keep it from coming back (immediately) again?

    And, once again I am not able to go to hotmail. It says that Redirection limit for this URL exceeded. And IE still doesn't work.

    This is frustrating... :)

    Anything else I can try?

    Thanks so much,

    Vered
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me understand this. You did the following?

    Depending on the operating system, the Trojan does the following:
    • Windows NT\2000\XP:
      1. Adds the values:

        (Default) = '%System%\mtwirl32.dll'
        ThreadingModel = 'Apartment'

        to the registry key:

        HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32
      2. Adds the value:

        {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} = 'DDE Control Module'

        to the registry key:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

        so that the Trojan file, Mtwirl32.dll, is loaded each time you open Windows Explorer.
    And deleted those registry keys??


    Let's try another approach. Disconnect any physical cables that connect to the internet (from your PC to your analog, cable or dsl modem). Repeat what I gave you in my last message (msg #17) about booting in safe mode and deleting the file. But after deleting the file remain in safe mode, and then use regedit to find the above registry keys and delete them.

    Now while in safe mode run Ad-Aware SE followed by CWShredder (make sure you click Fix).
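An added example (not from the thread or the Symantec write-up): a PowerShell audit of the two shell-loader keys named above, resolving each listed CLSID to its InProcServer32 DLL and checking whether that DLL still exists. It assumes PowerShell is available and only reads the registry; an entry whose DLL is missing matches the "could not be found" message seen at logon after the file was deleted, and it is that registry entry which has to go.

```powershell
# Added example, not the thread's own. Audits the shell-loader keys the
# Symantec write-up names. Read-only; assumes PowerShell is available.
$loaders = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-ShellLoaderEntries {
    foreach ($path in $loaders) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # SharedTaskScheduler stores  {CLSID} = description;
            # ShellServiceObjectDelayLoad stores  name = {CLSID}.
            if ($name -match $guid) { $clsid = $name; $label = $data }
            else                    { $clsid = $data; $label = $name }

            # Resolve the CLSID to the DLL Explorer will load for it.
            $dll    = $null
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            if (($clsid -match $guid) -and (Test-Path $server)) {
                $dll = (Get-Item $server).GetValue('')   # (Default) value
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            $exists = if ($dll) { Test-Path -LiteralPath $dll } else { $false }

            [pscustomobject]@{
                LoaderKey = Split-Path $path -Leaf
                Clsid     = $clsid
                Label     = $label
                Dll       = $dll
                DllExists = $exists
            }
        }
    }
}

# DllExists = False is the state that produces "error loading ... specified
# module could not be found" at logon; remove the loader entry, not just the file.
Get-ShellLoaderEntries | Format-Table -AutoSize
```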
     
  20. vered

    vered Private E-2

    Yes, I did this according to the symantec page:

    # Disable System Restore (Windows Me/XP).
    # Update the virus definitions.
    # Remove the registry value that loads the Trojan. *** see below
    # Restart the computer in Safe mode or VGA mode.
    # Run a full system scan and delete all the files detected as Trojan.StartPage, and then restart in normal mode. (did not find any)
    # Reset the Internet Explorer home page.
    # Reset the Internet Explorer Search page.

    *** This is how I did the "Remove the registry value that loads the Trojan" step (according to the instructions on that same page):

    # Click Start, and then click Run. (The Run dialog box appears.)
    # Type regedit

    Then click OK. (The Registry Editor opens.)

    # Navigate to the key:

    HKEY_CLASSES_ROOT\CLSID

    # In the left pane, delete the subkey:

    {3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

    # Do one of the following:

    * If you are running Windows NT/2000/XP, navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

    * If you are running Windows 95/98/Me, navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    # In the right pane, delete the value:

    "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}" = "DDE Control Module"

    ****************

    I will do what you suggested tomorrow, it's too late now :). Thanks as usual.

    Vered
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! If that does not work we may need to boot to the Recovery Console. You do have your bootable XP CD don't you?
     
