Coolwebsearch keeps coming back and SpywareBlaster won't open

Discussion in 'adware, spyware & hijack cleaning' started by bubba bodel, Apr 19, 2004.

  1. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    CoolWebSearch keeps returning on this machine and SpywareBlaster doesn't open. I've never had a problem with SpywareBlaster until this hijack. When I try to open SpywareBlaster, I get an error "This program has been damaged, possibly by a bad sector on the hard drive or a virus. Please reinstall it."

    This is the second day of this hijack and I've run the latest CWShredder several times and it removes coolwebsearch files and restores 6 Internet Explorer pages. I then run Adaware again and it usually finds another coolwebsearch entry in the registry and I let Adaware delete that. I then reset my home page and all is well for a while, then bam, homepage reverts back to about blank and coolwebsearch is back!

    Would appreciate someone taking a look at my log file and see if anything jumps out at you. Before coming here, I ran Adaware (it found nothing), I rebooted and ran Hijack This. Here's the log file. I also ran CWShredder just before posting this and the CWShredder Scan Only Report is at the bottom of this post.....Thank you

    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:51 PM, on 4/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

    I just ran CWShredder after running Hijack This and this is the report.

    Windows 98 (4.10.2222 A)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: bubba

    Hosts file not present
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (9095 bytes, -)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2343 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Please reboot and, when coolwebsearch comes back, please post a HJT log BUT DO NOT run shredder or fix anything. We need to see which version you have to be able to fix it and need to see all the entries in the log.
     
  3. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Thank you Derek for the reply and help. So far Coolwebsearch has not come back. I hope it's because I followed Paul Wilders' post with the proper removal instructions (this thread). I'm thinking maybe I didn't follow the right steps to delete the hijacker at first, like maybe not rebooting when I should have.

    SpywareBlaster still won't open after several uninstalls and reinstalls and that has me a little concerned. My hard drive has no bad sectors and I'm clean virus-wise according to Trend's PC-cillin. Rav and Panda's online virus scanners say I'm clean too. Coolwebsearch made toast of my MS Media Player but I have it going again after a reinstall.

    A big THANK YOU for the help. I will return if Coolwebsearch returns.
     
  4. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Derek, anyone........It's Baaaack!! .......home page went back to about:blank. I rebooted and ran Hijack This.....Here's the log you asked for.....appreciate the help.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:46:48 PM, on 4/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {28634E4B-92F1-11D8-909B-00800914FF99} - C:\WINDOWS\SYSTEM\AFHF.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello bubba,

    Make sure all browsers and windows are closed except for HijackThis, put a check against the following, and click 'Fix checked':

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)

    Make sure you have hidden files/folders set to show.
    Reboot in Safe Mode and then delete (if found):

    C:\WINDOWS\SYSTEM\AFHF.DLL

    Run CWShredder again (in safe mode) and then reboot and post a fresh log

    Regards
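
An added example, not part of any post in this thread: diffing the HijackThis log from post 1 against the one from post 4 isolates the entries that came back, and ties the `res://` search-page values to the BHO DLL that serves them. The function names are hypothetical; the sample lines are excerpted from those two logs.

```python
import re

# "R1 - ...", "O2 - ...", "O16 - ...": section code, then the entry detail.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
# DLL referenced through a res:// URL in an R0/R1 value.
RES_DLL_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# File path that follows the CLSID in an O2 (BHO) entry.
BHO_FILE_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (.+?)(?: \(file missing\))?$")

# Excerpt of the log in post 1 (scan of 4/19/04).
BASELINE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# Excerpt of the log in post 4 (scan of 4/20/04, after the hijack returned).
REINFECTED = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {28634E4B-92F1-11D8-909B-00800914FF99} - C:\WINDOWS\SYSTEM\AFHF.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(baseline_text, later_text):
    """Return (added, removed) entries between two scans, each sorted."""
    before = parse_entries(baseline_text)
    after = parse_entries(later_text)
    return sorted(after - before), sorted(before - after)


def referenced_files(entries):
    """Map each file path (upper-cased) to the sections that reference it.

    Only R0/R1 res:// targets and O2 BHO files are considered.
    """
    refs = {}
    for section, detail in entries:
        m = None
        if section in ("R0", "R1"):
            m = RES_DLL_RE.search(detail)
        elif section == "O2":
            m = BHO_FILE_RE.search(detail)
        if m:
            refs.setdefault(m.group(1).upper(), set()).add(section)
    return refs


def linked_hijackers(baseline_text, later_text):
    """Files that are new since the baseline AND are both a BHO and an R0/R1 res:// target."""
    added, _ = diff_logs(baseline_text, later_text)
    refs = referenced_files(added)
    return sorted(p for p, secs in refs.items()
                  if "O2" in secs and secs & {"R0", "R1"})


if __name__ == "__main__":
    added, removed = diff_logs(BASELINE, REINFECTED)
    for section, detail in added:
        print("NEW ", section, "-", detail)
    for section, detail in removed:
        print("GONE", section, "-", detail)
    print("Linked BHO + search hijack:", linked_hijackers(BASELINE, REINFECTED))
```

The file it reports is the same one the R0/R1 fixes and the Safe Mode deletion in the post above are aimed at; the `HomeOldSP` entry shows up as new but carries no file reference.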
     
  6. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello swat8,

    Please start a new topic of yours and please do NOT post your log in between another person's thread. That leads to confusion and other problems.
    No offence intended.

    Regards
     
  7. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Thank you Subratam,

    Per your instructions I ran hijackthis and removed the 6 R1 and R0 entries.

    I rebooted to safemode and deleted the AFHF.DLL

    Wasn't sure if you wanted me to run CWShredder or Hijackthis here or not but I did run CWShredder in safemode and it removed CWS.SearchX

    I ran hijackthis in safemode then rebooted and ran it again. The first log was run in safemode. Second log is after a regular boot

    Logfile of HijackThis v1.97.7
    Scan saved at 12:11:56 AM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

    This log was run in regular mode

    Logfile of HijackThis v1.97.7
    Scan saved at 12:17:51 AM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10
     
  8. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello bubba,

    Your log looks fine :). Just check whether it comes back again. I think it shouldn't though. But if it does, do post back
    Good job

    Regards
     
  9. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Thank you much Subratam

    I've removed this mess several times but this was the first time I deleted a .dll from win/sys.

    Sure is nice of WildersSecurity to have a place like this with folks that know how to help.

    I'll check out your website now and then hit the sheets.

    Thanks again,
    Bubba
     
  10. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello bubba,

    My pleasure and thanks for having the time to check my site.

    Regards
     
  11. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Hijacker Returns with a different DLL

    Just noticed my home page had reverted back to About:Blank

    Rebooted and ran a HJT scan........appreciate any help...

    Logfile of HijackThis v1.97.7
    Scan saved at 6:24:43 PM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {A3449059-9377-11D8-909B-008005A5575E} - C:\WINDOWS\SYSTEM\IEEOGID.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10
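
The log in the post above shows the same DLL as the `res://` target of the IE search values and as a registered BHO. The following is an added triage example, not part of the original thread and not a HijackThis feature: it groups those entries by DLL so the registry values, the BHO registration and the file can be reviewed together. The function name `triage` and the regular expressions are this example's own; the sample lines are excerpted from the 4/21/04 log in that post.

```python
import re
from collections import defaultdict

# Lines excerpted from the 4/21/04 HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {A3449059-9377-11D8-909B-008005A5575E} - C:\WINDOWS\SYSTEM\IEEOGID.DLL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
"""

# "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\.+?),(.+?) = (.*)$")
# Binary named inside a res:// URL, e.g. res://C:\...\X.DLL/sp.html
RES_TARGET = re.compile(r"res://(.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)
# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_LINE = re.compile(
    r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)(\s+\(file missing\))?$"
)


def triage(log_text):
    """Group IE start/search values by the local binary they point at via
    res://, and note whether that binary is also registered as a BHO."""
    res_refs = defaultdict(
        lambda: {"values": [], "obfuscated": False, "bho_clsid": None}
    )
    bho_by_path = {}
    orphan_bhos = []

    for raw in log_text.splitlines():
        line = raw.strip()

        m = R_LINE.match(line)
        if m:
            _, key, value_name, data = m.groups()
            target = RES_TARGET.search(data)
            if target:
                entry = res_refs[target.group(1).upper()]
                entry["values"].append(f"{key},{value_name}")
                # HijackThis appends this tag to values it flags itself.
                entry["obfuscated"] = (
                    entry["obfuscated"] or data.endswith("(obfuscated)")
                )
            continue

        m = BHO_LINE.match(line)
        if m:
            _, clsid, path, missing = m.groups()
            if missing:
                # Registration left behind after the file was removed.
                orphan_bhos.append(clsid)
            else:
                bho_by_path[path.upper()] = clsid

    # Correlate: same file behind the search values and a BHO registration.
    for path, entry in res_refs.items():
        entry["bho_clsid"] = bho_by_path.get(path)

    return {"hijack_dlls": dict(res_refs), "orphan_bhos": orphan_bhos}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, info in report["hijack_dlls"].items():
        print(path)
        print("  IE values :", len(info["values"]))
        print("  obfuscated:", info["obfuscated"])
        print("  BHO CLSID :", info["bho_clsid"])
    print("Orphaned BHO registrations:", report["orphan_bhos"])
```
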
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    I have split swat8's posts off into a thread of their own here:

    https://www.wilderssecurity.com/showthread.php?t=28885

    Regards,

    snap
     
  13. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Update: Ran HJT and fixed the 6 R1 and R0 entries

    Rebooted to Safemode and deleted the IEEOGID.DLL

    Ran CWShredder, here's the report
    Removed from your system:
    - CWS.Searchx
    - 6 infected IE registry values

    Windows 98 (4.10.2222 A)
    CWShredder v1.56.3

    Rebooted and ran HJT...log below

    This thing has come back a half dozen times.....it must be hidden or it's coming back from visited websites.......whacha think?....disable java??........thank you...Bubba


    Logfile of HijackThis v1.97.7
    Scan saved at 9:02:31 PM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10
     
  14. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello again bubba,

    Fix this entry in hijackthis,

    O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab

    Reboot in safe mode and navigate to C:\WINDOWS\TEMP\WZS2C3.TMP and if found delete it.
    Then Reboot again.

    Download this zip file and extract the files from it to the desktop:

    http://www.zero.vulc4n.com/downloads/pv.zip

    Be sure to have at least 1 Internet Explorer window open.

    Double click on the runme.bat. Notepad will open with a log in it. Please copy and paste the log into this post. (Disable smileys while posting)
    Some Expert will help you with that if any bad is hiding in your computer.

    Regards
     
  15. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Hello Subratam

    Ran HJT and fixed O16 - DPF

    Rebooted to safemode and WZS2C3.TMP wasn't found in Temp folder.....even did a find on it.....a no show

    Rebooted and downloaded the pv.zip, open IE to this forum page and I'm thinking, alright!, we're gonna kill sumpin' now!......lol........butt when I double clicked on the runme.bat, all I get is a dos window with PV Menu by Shadowwar with 7 choices and an exit........ran the runme9x.bat and got a similar dos window........no notepad with a log......where did I go wrong.....thanks
     
  16. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    I will wait for some other Expert to help you here, as I am yet to get acquainted with this zip. Just wait a little, someone will be on here pretty soon.

    Regards
     
  17. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    OK Thanks for all your help Subratam

    I'll check back in the morning. Think I'll run a couple of different online AV scanners.

    Regards,
    Bubba
     
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    when the dos type window is open press the option for internet explorer.dlls and then ok or return

    then a notepad file will be made, copy & post the notepad file back here please
     
  19. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Hello Derek,

    Doh!....I should have known that!....Last night I tried it on the runme.bat and it didn't work but I tried it this morning on the runme9x.dat and it did!......Doh again......maybe because I'm running 98........lol

    Here's the log......I sure hope you see something bad in it.....lol.....

    Module information for 'EXPLORER.EXE'
    MODULE BASE SIZE PATH
    MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
    SPYWAREGUARD.DLL 22200000 126976 C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL 2.02 SpywareGuard Protection
    DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
    SDHELPER.DLL 1530000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
    OLEPRO32.DLL 695e0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4517
    ADSHIELD.DLL ad0000 208896 C:\PROGRAM FILES\ADSHIELD\ADSHIELD\ADSHIELD.DLL 3, 0, 5, 0 AdShield DLL
    MFC42.DLL 5f400000 991232 C:\WINDOWS\SYSTEM\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
    MFC42LOC.DLL 5fd00000 49152 C:\WINDOWS\SYSTEM\MFC42LOC.DLL 4.21.7022 MFC Language Specific Resources
    ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
    MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\SYSTEM\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
    SHDOCLC.DLL 71810000 401408 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4807.2300 Shell Doc Object and Control Library
    NSFTPCH.DLL 23000000 24576 C:\PROGRAM FILES\WS_FTP PRO\NSFTPCH.DLL
    MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
    URLMON.DLL 1a400000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4936.2300 OLE32 Extensions for Win32
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
    SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4807.2300 SENS Connectivity API DLL
    BROWSELC.DLL 71890000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4807.2300 Shell Browser UI Library
    ACTXPRXY.DLL 703b0000 90112 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4807.2300 ActiveX Interface Marshaling Library
    LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
    ES.DLL 71710000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
    SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4807.2300 System Event Notification Service (SENS)
    ESTIER2.DLL 71760000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
    ESSHARED.DLL 71740000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
    RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
    SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
    MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
    SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
    MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
    MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
    MSI.DLL 1c80000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
    SHFOLDER.DLL 718d0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4807.2300 Shell Folder Service
    WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4807.2300 Web Site Monitor
    OLEAUT32.DLL 779b0000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4517
    SHD401LC.DLL ac0000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
    BROWSEUI.DLL 990000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4936.2300 Shell Browser UI Library
    LOGK.DLL 61c00000 98304 C:\WINDOWS\SYSTEM\LOGK.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
    WININET.DLL 63000000 495616 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4937.800 Internet Extensions for Win32
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
    SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
    SHDOCVW.DLL 71500000 1163264 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4937.800 Shell Doc Object and Control Library
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.9359.0 Microsoft (R) C Runtime Library
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
    EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
    COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
    SHLWAPI.DLL 63180000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4930.1200 Shell Light-weight Utility Library
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Please download TheKillbox from here: http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\SYSTEM\LOGK.DLL

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The C:\WINDOWS\SYSTEM\LOGK.DLL listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    When you're back in windows, check to see if there's any change in the search problem and report back. Please also post a new Hijack This log, along with a new explorer.bat log.
     
  21. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Derek,

    I did a search on that LOGK.DLL before you posted and it was a no show.....I do have "show all files" checked

    I ran the kill and all went well

    rebooted

    and on reboot got the "please wait while setup updates your configuration files"

    you say "check to see if there's a change in the search problem"....not sure what you mean there but my homepage was still set to google.com. I'm on dsl and haven't noticed any problems other than the homepage reverting back to about:blank.....and my SpywareBlaster quit working after getting this bug.....Ms Media Player quit too but I got it reinstalled.

    Here's the logs........I see the LOGK.DLL on the pv log.....:0(


    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:18 AM, on 4/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10


    Here's the Explorer log

    Module information for 'EXPLORER.EXE'
    MODULE BASE SIZE PATH
    MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
    DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
    ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
    SPYWAREGUARD.DLL 22200000 126976 C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL 2.02 SpywareGuard Protection
    MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\SYSTEM\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
    SDHELPER.DLL 2f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
    OLEPRO32.DLL 695e0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4517
    SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4807.2300 SENS Connectivity API DLL
    ACTXPRXY.DLL 703b0000 90112 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4807.2300 ActiveX Interface Marshaling Library
    LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
    ES.DLL 71710000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
    SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4807.2300 System Event Notification Service (SENS)
    ESTIER2.DLL 71760000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
    ESSHARED.DLL 71740000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
    ADSHIELD.DLL 2300000 208896 C:\PROGRAM FILES\ADSHIELD\ADSHIELD\ADSHIELD.DLL 3, 0, 5, 0 AdShield DLL
    URLMON.DLL 1a400000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4936.2300 OLE32 Extensions for Win32
    MFC42.DLL 5f400000 991232 C:\WINDOWS\SYSTEM\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
    MFC42LOC.DLL 5fd00000 49152 C:\WINDOWS\SYSTEM\MFC42LOC.DLL 4.21.7022 MFC Language Specific Resources
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
    RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
    SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
    MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
    SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
    MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
    MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
    MSI.DLL 1ce0000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
    BROWSELC.DLL 71890000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4807.2300 Shell Browser UI Library
    SHFOLDER.DLL 718d0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4807.2300 Shell Folder Service
    WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4807.2300 Web Site Monitor
    OLEAUT32.DLL 779b0000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4517
    SHD401LC.DLL ac0000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
    BROWSEUI.DLL 990000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4936.2300 Shell Browser UI Library
    LOGK.DLL 61c00000 98304 C:\WINDOWS\SYSTEM\LOGK.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
    WININET.DLL 63000000 495616 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4937.800 Internet Extensions for Win32
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
    SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
    SHDOCVW.DLL 71500000 1163264 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4937.800 Shell Doc Object and Control Library
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.9359.0 Microsoft (R) C Runtime Library
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
    EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
    COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
    SHLWAPI.DLL 63180000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4930.1200 Shell Light-weight Utility Library
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component
     
  22. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Update:

    I ran a full Adaware shortly after doing what Derek instructed above and it found 1 coolwebsearch registry entry. Adaware killed that.

    I ran Spybot and it found nothing.

    I rebooted, ran adaware again and it immediately found a coolwebsearch registry entry. I stopped adaware and let adaware delete that registry entry.

    I rebooted and I'm running a full Adaware scan now and so far, it's found nothing.

    Hope I haven't got ahead of the game here.
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This version of CWS that you have is extremely difficult to totally eradicate,

    some of the best brains in the anti malware industry are working around the clock to develop a fix for it.

    Take a look here https://www.wilderssecurity.com/showthread.php?t=28658
    specifically post 4 to see what we are up against and the problems we are encountering in this one.
     
  24. bubba bodel

    bubba bodel Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    20
    Thank you for the reply Derek...I have to leave but will check back tonight.

    BTW, nice site you have....left the hedgehogs a little something..:0)

    .and thanks to all that are helping with this

    Bubba
     
  25. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    OK, on 9x this gets a little tricky. It uses the RunServicesOnce key and writes this key on shutdown.

    Boot up and get to the boot menu (tap F8 at bootup before Windows starts to load).

    Select "Command prompt only".

    You can also use a DOS boot floppy disk (www.bootdisk.com).


    Once you get to DOS, at the C:\ prompt do the following:

    cd windows

    at the next prompt

    cd SYSTEM

    at the C:\WINDOWS\SYSTEM\> prompt type this

    del LOGK.DLL

    It should delete fine. It will just go to the next prompt with no error message.

    If not, type this, then try again:

    attrib -h -r -s LOGK.DLL

    After that's done, power the computer off and on.

    Boot to normal Windows.

    You may get one error message on startup looking for the DLL. This will only happen once. On the next boot you will not get it.

    After Windows is booted, rerun Shredder.

    Post a new pv log and hijackthis log.
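
Checking a fresh pv log for the file targeted above, as an added example that is not part of any post in this thread: a Python sketch that parses the module listing layout shown in post 21 and reports whether C:\WINDOWS\SYSTEM\LOGK.DLL is still loaded into EXPLORER.EXE. The function names are hypothetical, and the sample rows are excerpted from the listing posted earlier in the thread.

```python
import re

# Rows excerpted from the EXPLORER.EXE module listing posted earlier in the thread.
# Layout: MODULE BASE(hex) SIZE PATH [VERSION [DESCRIPTION]]
SAMPLE_PV_LOG = r"""Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
LOGK.DLL 61c00000 98304 C:\WINDOWS\SYSTEM\LOGK.DLL
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
"""

ROW = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+([A-Za-z]:\\.*)$")


def parse_pv_log(text):
    """Return one dict per module row; header and unrecognised lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, base, size, rest = m.groups()
        # Paths contain spaces, so the path ends where the module's own file name ends.
        pos = rest.upper().rfind("\\" + name.upper())
        if pos < 0:
            continue
        cut = pos + 1 + len(name)
        modules.append({"name": name.upper(), "base": int(base, 16), "size": int(size),
                        "path": rest[:cut], "info": rest[cut:].strip()})
    return modules


def still_loaded(modules, target_path):
    """True if target_path (compared case-insensitively) is among the loaded modules."""
    return any(m["path"].upper() == target_path.upper() for m in modules)


def no_version_info(modules):
    """Names of rows with no version/description text. A triage hint only:
    legitimate system DLLs (NETBIOS.DLL in this sample) can lack it too."""
    return [m["name"] for m in modules if not m["info"]]


if __name__ == "__main__":
    mods = parse_pv_log(SAMPLE_PV_LOG)
    print("LOGK.DLL still loaded:", still_loaded(mods, r"C:\WINDOWS\SYSTEM\LOGK.DLL"))
    print("No version info:", no_version_info(mods))
```

Run it against the log taken after the reboot: if the target path is still listed, the delete did not take effect or the file was written back.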
     