Newbie Eager to Learn

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbpathd1, Mar 13, 2007.

  1. bbpathd1

    bbpathd1 Private First Class

    I need help for spyware removal. Computer is eMachines Celeron 433MHz 256K RAM
    Win 98SE, IE6. PeoplePC dial-up ISP. I could not access the internet or email; when I clicked on the PeoplePC icon, the connect screen came up, the modem dialed, and it opened a page as expected, but not my homepage: a blank res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/dnserror.htm.
    Other weird things: Windows was in “audit mode” as identified by Norton SystemWorks when it would not update. I tried reinstalling my PeoplePC software, but to no avail. I gave up and bought another computer a year ago. Now I want to eradicate the nasty spyware so that I can use the old computer for backup. Fighting this spyware is like fighting the devil himself—that good vs evil thing. I want to fight back and I just want to be triumphant in getting it off the PC, too!
    BTW, I also had Norton Firewall, WinPatrol, Spybot and Ad-Aware on the computer and, in all my extensive surfing for the 2+ years I could get on the internet, I tried to be careful about not visiting the wrong sites, opening attachments, and clicking links. But I got infected anyway. Also, this was a refurb computer, and I am wondering if it got something on it even before I got it. It had only 32MB RAM and was so slow it would take forever to shut down until I upgraded it. I never could defrag it--it kept restarting over and over; I realize now that means something was running in the background, only I did not know enough at the time.

    I have been working on this off and on for three weeks as I find the time. If anyone can help me, I believe you can. So thanks for your time in advance.
    To get to the gist of my questions at this point:
    1) Since I cannot access the internet, I ran other scans instead of the online ones. SpywareGuard says a BHO has been added, do I want to keep it or delete it? I think it is probably some spyware creation that is directing my Internet Explorer Search Page to new page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch. I should delete it, right? It may be re-created anyway by some hooks, right?
    2) I ran Spysweeper in diagnostic mode safe mode and it found CWS-about blank with 2 traces.
    HKCR\protocols\filter\text/html\
    HKLA\software\classes\protocols\filter\text/html
    Is that the same about blank you have in your Special Removal Procedures? I don’t know yet if I am going to get that “out of memory” message when I go back to normal mode this time, so I may not be able to get a HijackThis! post. I couldn’t get a GetRunKey post for that reason. Also, I don’t think there is any Java installed on this old computer, either. So, should I go through the steps in the Special Removal Procedures for about blank right now?
    3) I am thinking I have to uninstall Spybot 1.3 before I try to install Spybot 1.4. Is that right?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You will need to run as much of the below as is possible. The only items I foresee that you should have a problem with are the online scans since you say you cannot get online. Your problems may not even be malware but the only way we can tell is by seeing the logs requested in the READ ME.

    And to answer your questions,
    1. no you do not have an about blank hijacker based on what you posted. Those are not related to about:blank at all.
    2. yes Spybot 1.3 must be uninstalled first. Then reboot before installing 1.4.
    There should be no reason for being out of memory. Shut down all unnecessary applications while running scans and obtaining logs.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. bbpathd1

    bbpathd1 Private First Class

    Thanks for your quick reply.
    I tried to follow your steps as closely as I could. These are things I found over my attempts the last 3 weeks.
    Below I document what I tried. I tried to follow your steps as closely as I could. Skip down to the end if this is too obsessive for you, but since I don't know what might catch your eye as important, I am including it all.
    I did not see anything suspicious in Windows Task Manager.
    In Windows Explorer I wondered about folders My WebEx Documents, NetMeeting, NZSearch (I had been getting emails about travel to NewZealand), SBApps, Viewpoint folder with Viewpoint Media Player (said to be needed by Adobe in some things I’ve read), Temporary Internet files (w Vwpt subfolder), Temp, WU Temp, Installer {A4D7B764-4140-11D4-88EB-0050PA3579C0}and Install Shield Installation Information {B67F7dBE7-2FE2-458F-A738-B10832746036}. I just looked, did not try to delete anything.
    In Add/Remove Programs, I removed MSN Messenger Service 2.2—never used it. There was no Viewpoint Media Player there. Or anything else that raised my suspicion.
    Computer was already in Msconfig Normal Startup mode. I rebooted anyway.
    I had used Norton Antivirus 2004 in SystemWorks. When I clicked on View Report it said I did not have any Quarantined Items—showed 0. When I tried emptying Norton Protected Recycle Bin, it first said there are 59 protected files; I said no, clicked it again and it said 62 files! I said yes. Then I went back and there were 353 files, then 357—I said yes. Then it had 11 more. I emptied Recycle Bin.
    I had to download CCleaner to my working computer because I cannot access internet from the infected one. I copied it to a CD-- hope that was OK—and installed it on the infected one.
    I enabled viewing hidden files.
    I had to download GetRunKey and ShowNew to my working computer because I cannot access internet from the infected one. I copied both to the CD with CCleaner and installed them.
    I already had Spybot on the computer. I updated it (was surprised that it did), left SDhelper checked, fixed the bug and deleted quarantine files. But it is 1.3 not 1.4.
    I looked at Counterspy and don’t think it will run on Win 98SE. I looked at AVG Anti-Spyware and it looks like it will run on Win 98SE, but I didn’t know if it would let me download it on the working computer and then copy it to the infected one.
    I downloaded Hijack This! on the working computer and then copied it from CD to the infected one.
    After following the first sections of Read Me, I unplugged the modem and I rebooted, hitting F8 for safe mode. (This was my first time ever in safe mode.)
    I ran CCleaner and all it identified was 2 files—IE Temp Internet Files 134 bytes!
    C\Windows\ Temporary Internet Files and C\Windows\cookies\index.dat
    I ran Spybot and detected Abetterinternet, Stration.C and Numbsoft. I let it fix and I immunized.

    I came back another evening and found I still could not access the internet, so I decided to go through the same steps. This time there were 24 files being protected in Norton bin --I deleted-- and 11 items emptied from Recycle Bin. In safe mode CCleaner removed 10.09 KB with files:
    C\windows\temp\ (tilde or squiggle)DFCC73.TMP 3.00 KB,
    C\windows\temp\PeoplePConline\StationLog.txt, and
    C\windows\temp\PeoplePConline\InstallSummary.ini.
    C\windows\IOS.LOG
    C\windows\windows update.log
    C\windows\conexantSoftK56PCIModem.log
    C\windows\wininit.bak
    C\windows\NDISLOG.txt
    C\windows\Schedlog.txt
    Since I had Spysweeper already installed from 12/2005 version 4.5, I ran it and it found
    Abetterinternet (VX2 Transponder) with 2 registry keys, four traces. I quarantined and deleted quarantine files.

    I came back another evening and found I still could not access the internet, so I decided to do some more. I had bought Spyware Doctor, so I installed and then ran it in safe mode. I’d made a CD with Spyware Terminator, Spyware Guard, LSPfix and some other things and ran in safe mode. LSPfix did not find a problem.

    Spyware Doctor found 2 problems:
    1) PeoplePC Toolbar--This is a search URL hijacker that directs searches to home.peoplepc.com/search and the br.....
    File: C:\Windows\system\PPCRunOnce.exe
    2) 24T Toolbar-- hijacks Internet Explorer's home page and
    additionally comes bundled with other m....
    File: C:\Windows\system\unPPC.exe
    It almost seems like 24T toolbar was a derivative that formed after I thought Abetterinternet, Stration.C and Numbsoft had been deleted. I deleted it but left the PeoplePC toolbar because I think that is what my ISP uses; that is the search page that comes up normally.

    I ran CCleaner again and it identified 5.33 KB for removal:
    C\windows\temp\ DFC5A2B2.TMP 21 bytes
    C\windows\temp\ (tilde or squiggle)DFA303.TMP 3.00 KB,
    C\windows\temp\PeoplePConline\StationLog.txt, and
    C\windows\IOS.LOG
    C\windows\wininit.bak
    C\windows\NDISLOG.txt
    C\windows\Schedlog.txt
    I ran Spysweeper again in diagnostic mode safe mode and this time it found CWS-about blank with 2 traces.
    HKCR\protocols\filter\text/html\
    HKLA\software\classes\protocols\filter\text/html
    I quarantined, but I don’t know if it got both files; I deleted quarantined files.
    I ran Spybot again safe mode and it was clean!

    I KNOW I AM PROBABLY getting tiresome to you at this point.
    But there is more. I'm omitting some things here. Last night I ran SuperAntispyware after I saw you added it--found nothing. Spybot nothing, SuperAntispyware nothing, Spyware Terminator nothing, Spyware Doctor nothing, Spysweeper found again: CWS-about blank with 2 traces (back again!).
    HKCR\protocols\filter\text/html\
    HKLA\software\classes\protocols\filter\text/html which I quarantined.
    SpywareGuard warned a BHO has been added {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} prog ID: n/a, File location: C:\Progra(squiggle)1\Spywar(squiggle)3\Tools\IESDSG.dll
    I'll try to get all updated Antispyware programs that you suggested and run them again. I'll reinstall PeoplePC from its CD. Here's hoping I can access the internet at some point. I'm glad I don't have to do the about blank procedures!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the requested logs! Until I see the info in the logs, there is nothing I can do for you.

    But I still wonder whether you are having malware problems at all.
     
  5. bbpathd1

    bbpathd1 Private First Class

    Summary: What had been done up to 3/15/07
    Spybot 1.3 detected Abetterinternet, Stration.C and Numbsoft.
    Spysweeper already installed from 12/2005 version 4.5 found
    Abetterinternet (VX2 Transponder) with 2 registry keys, four traces
    Spyware Doctor found 24T Toolbar-- hijacks Internet Explorer's home page and
    additionally comes bundled with other m....File: C:\Windows\system\unPPC.exe
    Spysweeper again in diagnostic mode safe mode and it found CWS-about blank with 2 traces.
    HKCR\protocols\filter\text/html\
    HKLA\software\classes\protocols\filter\text/html
    CWShredder found nothing.
    SuperAntispyware in Full scan found nothing.

    Since I could not get on the internet, I uninstalled Spybot 1.3 and the old version of AdAware. I downloaded both Spybot 1.4 and AdAware from your website to a CD. Spybot would not run in normal mode and hung up when I tried to update it. The new AdAware found 36 running processes, 1115 process modules and 76234 files—no threats!
    I uninstalled NetZero and Juno from Add/Remove Programs as PeoplePC had instructed. I then uninstalled PeoplePC same way. I also decided to uninstall Norton Firewall and Norton Systemworks (NAV 2004): had to use Norton Removal Tool to get Systemworks off. LiveUpdate from it had quit working back in late 2005 when I last tried to use the computer and my subscription had expired during 2006. So I installed ZoneAlarm 5 CD I had purchased for the computer in late 2005; figured it might be better than the expired Norton if I was able to access the internet. I first installed Zone Alarm Suite, but disabled it for the install of PeoplePC as instructed. I then reinstalled PeoplePC from a CD I had.
    In the middle of installation I got "AtlBrowser caused an invalid page fault in module kernel32.dll at 0167:bff8abff... illegal operation and will be shut down." I clicked the close button and, to my surprise, installation proceeded. I appeared to be connecting to the Internet with PeoplePC Online and got a screen with my user ID and password and order #. I clicked the online chat with Monika and tried to tell her it looked like it was signing me up for a new account, but that I did not want a new one, I already have an account and that is the one I want to keep. She wrote back to call member services. When I tried to dial in, the program would not go through. When I turned the computer to shutdown, I got the Windows blue screen with "Fatal exception 0E has occurred at 0028:C162491F. Current application will be terminated." I turned the computer off.
    Today, there is no PeoplePC icon on desktop and the icon in systray is grayed out with only "Exit PeoplePC" as a choice. PeoplePC Online does appear in Add/Remove Programs, but is not in my startup programs.
    SpywareGuard kept popping up boxes labeled Browser Protection Alert warning my IE homepage has been changed from home.peoplepc.com/homepage to home.peoplepc.com/websearch. Also, my IE search bar changed from peoplepc/search to my.netzero.net/s/search?r=minisearch (despite my uninstall of NetZero!) and whenever I clicked either one to say I wanted to keep the correct peoplepc choice, SpywareGuard just kept popping up boxes trying to get me to accept those 2 changes. I’d click for homepage, then search bar would come up and I’d click for it, then over and over.
    I again tried to run Spybot in normal mode; it kicked me out with a fatal error. I got Getrunkey, ShowNew and HijackThis! installed in folders as you specified.
    I then went through the entire Read Me again, doing as much as I could. CCleaner removed dozens of Windows/Temp/…tmp files. Even in safe mode Spybot would not run, gave an error box that said I had to update first.

    Here are your uploaded attachments. Safe mode Superantispyware found nothing. I still could not run Bitdefender or Panda—no internet.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still don't think you are having malware problems. You need to uninstall all of these antispyware programs you have installed and do not install any more software until you work out all of your problems. You should only have one realtime antispyware program (like SpySweeper or Spyware Doctor) installed. Are any of the below paid programs:

    Spy Sweeper
    Spyware Doctor
    SuperAntiSpyware
    SpywareTerminator

    If one of the above is a paid program, keep it (but only keep one) and uninstall the rest. If all are free trials, uninstall ALL of them. Also uninstall WinPatrol and SpywareGuard.

    You have ZoneAlarm Security Suite installed and do not need any of the above. The combination of all these together can slow your PC down to a snail's pace, and they can cause a variety of conflicts and problems.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    After doing the above attach a new HJT log and tell me what malware problems you are having.

    What is the below for and is the company still in business?
    O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
     
  7. bbpathd1

    bbpathd1 Private First Class

    Spy Sweeper and Spyware Doctor were purchased. I will just keep Spy Sweeper for now. I uninstalled SuperAntiSpyware, SpywareTerminator, WinPatrol and SpywareGuard. Got a message that remnants of WinPatrol and SpywareGuard might be left that could be manually removed.

    I then uninstalled and reinstalled PeoplePC and the program went all the way through without a glitch and established the dialer and my homepage as it should be. ZoneAlarm let me complete my registration and updated antivirus definitions and then sent me a key.

    I copied fixME.reg to Notepad and clicked it on the desktop as directed.

    O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe refers to eWare program that eMachines installed as part of the original software. Had “TouchTiles” (shortcuts) with eBay, Weather Channel, etc., for quick access that displayed just above the bottom toolbar. I don’t have to have it. How do I delete it if I decide to get rid of it?

    I really like ZoneAlarm Security Suite so far. I never knew what Norton was doing; it seemed to update and scan all the time. ZoneAlarm says it has blocked 68 attempted intrusions so far and 6 of them were high-risk!

    Now that I can get on the internet, should I download Java from your link? I could run the BitDefender and Panda scans then.

    Latest HJT log is attached. Why does NetZero keep showing up? I had uninstalled it. Thanks!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So...as I suspected, it was not a malware problem. ;)


    Like most things, the first thing to do is to uninstall via Add/Remove Programs. eWare should be in your uninstall list.

    Yes you should get the proper Sun Java version. You do not need to run BitDefender or Panda since you really did not and do not have malware problems.

    Uninstalling does not always remove settings that programs make. You have to fix them yourself in many cases. Do the below, which should help!


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now attach a new HJT log

    Make sure you tell me how things are working now!
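    An added example, not from this thread or from the HijackThis tool: a small Python triage over log lines in the R0/R1/O2 format shown above. It assumes the ISP domain peoplepc.com is the only legitimate home/search destination (the situation in this thread) and uses sample lines reconstructed from the post; it reports every search/home value that points elsewhere, grouped by registry hive, and any BHO whose registration has no file behind it.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in this thread, plus one
# benign Start Page line so the allowlist path is exercised. Not a captured log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - Startup: eWare Startup.lnk = C:\Program Files\eWare\iWareStart.exe
"""

# R0/R1: "<type> - <hive>\<key>,<value name> = <url>"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\([^,]+),([^=]+?) = (.+)$")
# O2:    "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


@dataclass
class Finding:
    kind: str    # "search_hijack" or "orphan_bho"
    hive: str    # HKCU / HKLM for R entries, "" for BHO entries
    detail: str  # offending host, or the BHO CLSID
    line: str    # the original log line, for the report


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_expected(host: str, expected_domains) -> bool:
    # Exact domain or any subdomain of it (home.peoplepc.com -> peoplepc.com).
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def triage(log_text: str, expected_domains) -> list:
    """Return one Finding per R0/R1 value pointing off-allowlist and per BHO with no file."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _kind, hive, _key, _name, value = m.groups()
            host = host_of(value)
            if host and not is_expected(host, expected_domains):
                findings.append(Finding("search_hijack", hive, host, line))
            continue
        m = O2_LINE.match(line)
        if m:
            _name, clsid, path = m.groups()
            if path.strip().lower() == "(no file)":
                findings.append(Finding("orphan_bho", "", clsid, line))
    return findings


def hives_by_host(findings) -> dict:
    """Which hives still carry each unexpected host: a value left in HKLM
    is re-applied to new profiles even after the HKCU copy is fixed."""
    out = {}
    for f in findings:
        if f.kind == "search_hijack":
            out.setdefault(f.detail, set()).add(f.hive)
    return {host: sorted(hives) for host, hives in out.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, ("peoplepc.com",))
    for f in found:
        print(f"[{f.kind}] {f.line}")
    print("hives per unexpected host:", hives_by_host(found))
```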
     
  9. bbpathd1

    bbpathd1 Private First Class

    My, that netzero is resistant! It looks like it just doesn't want to let go!

    I did change my homepage to www.majorgeeks.com.

    When I rebooted in normal mode, I lost my mouse. It was late last night, so I turned back on today--mouse was working again. I ran HJT--see attached.

    Thanks!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is probably due to Spy Sweeper and/or ZoneAlarm, which can both protect/lock these items. You have to allow the changes or they will not work. So disable the protection/locking of these settings in Spy Sweeper and then make your changes. And if you see any warnings from Spy Sweeper about changes being made, you have to allow them or the changes will not occur. In addition, as stated in my directions, all browsers must be closed when making the changes.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. After doing the above, you should work thru the below link:
     
  11. bbpathd1

    bbpathd1 Private First Class

    Chaslang, thank you, thank you, thank you! I APPRECIATE ALL YOUR GREAT ADVICE! The last time I saw the internet on this computer was December 2005! I am thrilled to get it back online.
    I also owe a debt of gratitude to Paul Koteras, who taught the eMachines Learning Course Upgrading Your PC earlier this year. Paul was the one who recommended I try your website.

    Just a few last things before we close this thread…
    I had shut down ALL the running programs in systray, including PeoplePC, SpySweeper and ZoneAlarm, plus I had not opened my internet browser when I ran the Hijack fix. Am I missing something, or should I have closed something else?
    I could not update Spybot 1.4 I had copied from CD; it said setup files were corrupted. So I uninstalled it and downloaded from your site (files4TX), but it still will not let me update.
    I downloaded Java from your site, but I got a message when I started to install that Java is not supported on Win 98SE. Not on ME either, it looks. Will it hurt anything to install Java? Why may I need it?
    Again, thanks for everything.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We are happy we could help!

    Sometimes it is necessary to shut down more things than another time. It really depends on what kind of infection. There is no real easy answer here since sometimes we have to shut down or even uninstall protection software to remove certain infections. Sometimes we do things like tell users to disconnect (by physically unplugging the connection) from the internet before running certain steps. Sometimes this helps and sometimes it does not. Again it depends on how the infection works. As a simple rule of thumb, never have any browsers running while using HijackThis. As far as other items go, if you fail to fix/remove something in HijackThis while other items are running, shut down the other items and see if it helps. Also sometimes fixing in safe mode may work since many programs may not load or run in safe mode.

    Try the below in the exact order given

    • delete any versions of the Spybot installation you may already have and download this: SpyBot - Search & Destroy
    • Uninstall Spybot 1.4 if you have it installed.
    • Reboot (do not skip this)
    • Now locate the C:\Program Files\Spybot - Search & Destroy folder and delete it.
    • Now reinstall Spybot from the file downloaded above. Get updates and tweak it like directed in the READ ME. Don't forget to Immunize
    • If you have problems getting updates, make sure you are not blocking Spybot in your firewall.
    Yes, old Windows versions cannot use the current Sun Java version. I believe the 5.0 update 10 or 11 versions still work but don't quote me on that. You will have to check. Yes, you do need Java to better enjoy your surfing. There will be sites that just will not work properly if you don't have Java installed.

    Some of the 5.0 items are still available here: http://java.sun.com/javase/downloads/index_jdk5.jsp

    And older 1.4.2 is here: http://java.sun.com/j2se/1.4.2/download.html
     
