Coolwebsearch keeps coming back and SpywareBlaster won't open

bubba bodel · Apr 19, 2004

CoolWebSearch keeps returning on this machine and SpywareBlaser doesen't open. I've never had a problem with SpywareBlaster until this hijack. When I try to open SpywareBlaster, I get an error "This program has been damaged, possibly by a bad sector on the hard drive or a virus. Please reinstall it."

This is the second day of this hijack and I've ran the latest CWShredder several times and it removes coolwebsearch files and restores 6 Internet Explorer pages. I then run Adaware again and it usually finds another coowebsearch entry in the registry and I let Adaware delete that. I then reset my home page and all is well for awhile, then bam, homepage reverts back to about blank and coolwebsearch is back!

Would appreciate someone taking a look at my log file and see if anything jumps out at you. Before coming here, I ran Adaware (it found nothing), I rebooted and ran Hijack This. Here's the log file. I also ran CWShredder just before posting this and the CWShredder Scan Only Report is at the bottom of this post.....Thank you

Logfile of HijackThis v1.97.7
Scan saved at 9:45:51 PM, on 4/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

I just ran CWShredder after running Hijack This and this is the report.

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: bubba

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (9095 bytes, -)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2343 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

dvk01 · Apr 20, 2004

please reboot and when coolwebsearch comes back please post a hjt log BUT DO NOT run shredder or fix anything, we need to see which version you have to be able to fix it and need to see all the entries in the log

bubba bodel · Apr 20, 2004

Thank you Derek for the reply and help. So far Coolwebsearch has not come back. I hope it's because I followed Paul Wilders post with the proper removal instructions (this thread). I'm thinking maybe I didn't follow the right steps to delete the hijacker at first, like maybe not rebooting when I should have.

SpywareBlaster still won't open after several uninstalls and reinstalls and that has me a little concerned. My hard drive has no bad sectors and I'm clean virus wise according to Trends PC-Cillin. Rav and Panda's online virus scanners say I'm clean too. Coolwebsearch made toast of my MS Media Player but I have it going again after a reinstall.

A big THANK YOU for the help. I will return if Coolwebsearch returns.

bubba bodel · Apr 20, 2004

Derek, anyone........It's Baaaack!! .......home page went back to about:blank. I rebooted and ran Hijack This.....Here's the log you asked for.....appreciate the help.

Logfile of HijackThis v1.97.7
Scan saved at 8:46:48 PM, on 4/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {28634E4B-92F1-11D8-909B-00800914FF99} - C:\WINDOWS\SYSTEM\AFHF.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

subratam · Apr 21, 2004

Hello bubba,

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\AFHF.DLL/sp.html (obfuscated)

Make sure you have Unhide hidden files/folders.
Reboot in Safe Mode and then delete(if found),

C:\WINDOWS\SYSTEM\AFHF.DLL,

Run CWShredder again (in safe mode) and then reboot and post a fresh log

Regards

subratam · Apr 21, 2004

Hello swat8,

Please start a new topic of yours and please do NOT post your log in between another person's thread. That leads to confusion and other problems.
No offence intended.

Regards

bubba bodel · Apr 21, 2004

Thank you Subratam,

Per your instructions I ran hijackthis and removed the 6 R1 and R0 entries.

I rebooted to safemode and deleted the AFHF.DLL

Wasn't sure if you wanted me to run CWShredder or Hijackthis here or not but I did run CWShredder in safemode and it removed CWS.SearchX

I ran hijackthis in safemode then rebooted and ran it again. The first log was run in safemode. Second log is after a regular boot

Logfile of HijackThis v1.97.7
Scan saved at 12:11:56 AM, on 4/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

This log was ran in regular mode

Logfile of HijackThis v1.97.7
Scan saved at 12:17:51 AM, on 4/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

subratam · Apr 21, 2004

Hello bubba,

Your log looks fine . Just check whether it comes back again. i think it shouldnt though. But if it does , do post back
Good job

Regards

bubba bodel · Apr 21, 2004

Thank you much Subratam

I've removed this mess several times but this was the first time I deleted a .dll from win/sys.

Sure is nice of WildersSecurity to have a place like this with folks that know how to help.

I'll check out your website now and then hit the sheets.

Thanks again,
Bubba

subratam · Apr 21, 2004

Hello bubba,

My pleasure and thanks for having the time to check my site.

Regards

bubba bodel · Apr 21, 2004

Hijacker Returns with a different DLL

Just notice my home page had reverted back to About:Blank

Rebooted and ran a HJT scan........appreciate any help...

Logfile of HijackThis v1.97.7
Scan saved at 6:24:43 PM, on 4/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\IEEOGID.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {A3449059-9377-11D8-909B-008005A5575E} - C:\WINDOWS\SYSTEM\IEEOGID.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

snapdragin · Apr 21, 2004

subratam said:

Hello swat8,

Please start a new topic of yours and please do NOT post your log in between another person's thread. That leads to confusion and other problems.
No offence intended.

Regards
Click to expand...

I have split swat8's posts off into a thread of their own here:

https://www.wilderssecurity.com/showthread.php?t=28885

Regards,

snap

bubba bodel · Apr 21, 2004

Update: Ran HJT and fixed the 6 R1 and R0 entries

Rebooted to Safemode and deleted the IEEOGID.DLL

Ran CWShredder, here's the report
Removed from your system:
- CWS.Searchx
- 6 infected IE registry values

Windows 98 (4.10.2222 A)
CWShredder v1.56.3

Rebooted and ran HJT...log below

This thing has come back a half dozen times.....it must be hidden or it's coming back from visited websites.......whacha think?....disable java??........thank you...Bubba

Logfile of HijackThis v1.97.7
Scan saved at 9:02:31 PM, on 4/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

subratam · Apr 21, 2004

Hello again bubba,

Fix this entry in hijackthis,

O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\WINDOWS\TEMP\WZS2C3.TMP\swicdad.cab

Reboot in safe mode and navigate to C:\WINDOWS\TEMP\WZS2C3.TMP and if found delete it.
Then Reboot again.

Download this zip file and extract the files from it to the desktop:

http://www.zero.vulc4n.com/downloads/pv.zip

Be sure to have at least 1 Internet Explorer window open.

Double click on the runme.bat. Notepad will open with a log in it. Please copy and paste the log into this post.(Disable smileys while posting)
Some Expert will help you with that if any bad is hiding in your computer.

Regards

bubba bodel · Apr 21, 2004

Hello Subratam

Ran HJT and fixed O16 - DPF

Rebooted to safemode and WZS2C3.TMP wasn't found in Temp folder.....even did a find on it.....a no show

Rebooted and downloaded the pv.zip, open IE to this forum page and I'm thinking, alright!, we're gonna kill sumpin' now!......lol........butt when I double clicked on the runme.bat, all I get is a dos window with PV Menu by Shadowwar with 7 choices and an exit........ran the runme9x.bat and got a similar dos window........no notepad with a log......where did I go wrong.....thanks

subratam · Apr 22, 2004

I will wait for some other Expert to help you here, as I am yet to get aquainted with this zip. Just wait a little, someone will be on here pretty soon.

Regards

bubba bodel · Apr 22, 2004

OK Thanks for all your help Subratam

I check back in the morning. Think I'll run a couple of different online AV scanners.

Regards,
Bubba

dvk01 · Apr 22, 2004

when the dos type window is open press the option for internet explorer.dlls and then ok or return

then a notepad file willbe made, copy & post the notepad file back here please

bubba bodel · Apr 22, 2004

Hello Derek,

Doh!....I should have know know that!....Last night I tried it on the runme.bat and it didn't work but I tried it this morning on the runme9x.dat and it did!......Doh again......maybe because I'm running 98........lol

Here's the log......I sure hope you see something bad in it.....lol.....

Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
SPYWAREGUARD.DLL 22200000 126976 C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL 2.02 SpywareGuard Protection
DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
SDHELPER.DLL 1530000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
OLEPRO32.DLL 695e0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4517
ADSHIELD.DLL ad0000 208896 C:\PROGRAM FILES\ADSHIELD\ADSHIELD\ADSHIELD.DLL 3, 0, 5, 0 AdShield DLL
MFC42.DLL 5f400000 991232 C:\WINDOWS\SYSTEM\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MFC42LOC.DLL 5fd00000 49152 C:\WINDOWS\SYSTEM\MFC42LOC.DLL 4.21.7022 MFC Language Specific Resources
ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\SYSTEM\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
SHDOCLC.DLL 71810000 401408 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4807.2300 Shell Doc Object and Control Library
NSFTPCH.DLL 23000000 24576 C:\PROGRAM FILES\WS_FTP PRO\NSFTPCH.DLL
MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
URLMON.DLL 1a400000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4936.2300 OLE32 Extensions for Win32
VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4807.2300 SENS Connectivity API DLL
BROWSELC.DLL 71890000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4807.2300 Shell Browser UI Library
ACTXPRXY.DLL 703b0000 90112 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4807.2300 ActiveX Interface Marshaling Library
LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
ES.DLL 71710000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4807.2300 System Event Notification Service (SENS)
ESTIER2.DLL 71760000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
ESSHARED.DLL 71740000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
MSI.DLL 1c80000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
SHFOLDER.DLL 718d0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4807.2300 Shell Folder Service
WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4807.2300 Web Site Monitor
OLEAUT32.DLL 779b0000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4517
SHD401LC.DLL ac0000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
BROWSEUI.DLL 990000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4936.2300 Shell Browser UI Library
LOGK.DLL 61c00000 98304 C:\WINDOWS\SYSTEM\LOGK.DLL
IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
WININET.DLL 63000000 495616 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4937.800 Internet Extensions for Win32
TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 71500000 1163264 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4937.800 Shell Doc Object and Control Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.9359.0 Microsoft (R) C Runtime Library
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 63180000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4930.1200 Shell Light-weight Utility Library
USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component

dvk01 · Apr 22, 2004

Please download TheKillbox from here: http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\SYSTEM\LOGK.DLL

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The C:\WINDOWS\SYSTEM\LOGK.DLL listing should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

When you're back in windows, check to see if there's any change in the search problem and report back. Please also post a new Hijack This log. along with a new explorer.bat log.

bubba bodel · Apr 22, 2004

Derek,

I did a search on that LOGK.DLL before you posted and it was a no show.....I do have "show all files" checked

I ran the kill and all went well

rebooted

and on reboot got the "please wait while setup updates your configuration files

you say "check to see if there's a change in the search problem"....not sure what you mean there but my homepage was still set to google.com. I'm on dsl and haven't noticed any problems other than the homepage reverting back to about:blank.....and my SpywareBlaster quit working after getting this bug.....Ms Media Player quit too but I got it reinstalled.

Here's the logs........I see the LOGK.DLL on the pv log.....:0(

Logfile of HijackThis v1.97.7
Scan saved at 10:31:18 AM, on 4/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\POP3TRAP.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://chatboards.ebay.com/chat.jsp?forum=1&thread=25"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ei5nwmjx.slt\prefs.js)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O4 - HKLM\..\RunServices: [PccPfw] C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2003\PccPfw.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - HKCU\..\RunServices: [FreeMem Pro] "C:\PROGRAM FILES\FREEMEM PROFESSIONAL\FMEMPRO.EXE" autostart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\restrict.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWF Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.9823263889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {072CB141-B793-11D1-89B6-0020182C1446} (IntraLaunch.MainControl) - file://J:\Utilities\IntraLaunch.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,216.231.160.10

Here's the Explorer log

Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
ACROIEHELPER.OCX 10000000 32768 C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX 1, 0, 0, 1 AcroIEHelper Module
SPYWAREGUARD.DLL 22200000 126976 C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL 2.02 SpywareGuard Protection
MSVBVM60.DLL 73420000 1388544 C:\WINDOWS\SYSTEM\MSVBVM60.DLL 6.00.9237 Visual Basic Virtual Machine
SDHELPER.DLL 2f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
OLEPRO32.DLL 695e0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4517
SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4807.2300 SENS Connectivity API DLL
ACTXPRXY.DLL 703b0000 90112 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4807.2300 ActiveX Interface Marshaling Library
LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
ES.DLL 71710000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4807.2300 System Event Notification Service (SENS)
ESTIER2.DLL 71760000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
ESSHARED.DLL 71740000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
ADSHIELD.DLL 2300000 208896 C:\PROGRAM FILES\ADSHIELD\ADSHIELD\ADSHIELD.DLL 3, 0, 5, 0 AdShield DLL
URLMON.DLL 1a400000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4936.2300 OLE32 Extensions for Win32
MFC42.DLL 5f400000 991232 C:\WINDOWS\SYSTEM\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
MFC42LOC.DLL 5fd00000 49152 C:\WINDOWS\SYSTEM\MFC42LOC.DLL 4.21.7022 MFC Language Specific Resources
VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
MSI.DLL 1ce0000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
BROWSELC.DLL 71890000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4807.2300 Shell Browser UI Library
SHFOLDER.DLL 718d0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4807.2300 Shell Folder Service
WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4807.2300 Web Site Monitor
OLEAUT32.DLL 779b0000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4517
SHD401LC.DLL ac0000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
BROWSEUI.DLL 990000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4936.2300 Shell Browser UI Library
LOGK.DLL 61c00000 98304 C:\WINDOWS\SYSTEM\LOGK.DLL
IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
WININET.DLL 63000000 495616 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4937.800 Internet Extensions for Win32
TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows(TM) Telephony API Client DLL
RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4807.2300 Shell Doc Object and Control Library - IE 4.01 compat
OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 71500000 1163264 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4937.800 Shell Doc Object and Control Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.9359.0 Microsoft (R) C Runtime Library
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 63180000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4930.1200 Shell Light-weight Utility Library
USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component

bubba bodel · Apr 22, 2004

Update:

I ran a full Adaware shortly after doing what Derek instructed above and it found 1 coolwedsearch registry entry. Adaware killed that.

I ran Spybot and it found nothing.

I rebooted, ran adaware again and it immediately found a coolwebsearch registry entry. I stopped adaware and let adaware delete that registry entry.

I rebooted and I'm running a full Adaware scan now and so far, it's found nothing.

Hope I haven't got ahead of the game here.

dvk01 · Apr 22, 2004

This version of cws that you have is extremely difficult to totally eradicate,

some of the best brains in the anti malware industry are working around the clock to develop a fix for it.

Take a look here https://www.wilderssecurity.com/showthread.php?t=28658
specificaly post 4 to see what we are up against and the problems we are encountering inn this one.

bubba bodel · Apr 22, 2004

Thank you for the reply Derek...I have to leave but will check back tonight.

BTW, nice site you have....left the hedgehogs a little something..:0)

.and thanks to all that are helping with this

Bubba

Shadowwar · Apr 23, 2004

Ok on 9x this gets a little tricky. It uses the runservices once key and writes this key on shutdown.

Boot up and get to the boot menu( tap f8 at bootup before windows starts to load)

Select command prompt only.

you can also use a dos boot floppy disk. (www.bootdisk.com)

once you get to dos at c:\ prompt do the following:

cd windows

at the next prompt

cd SYSTEM

at the C:\WINDOWS\SYSTEM\> prompt type this

del LOGK.DLL

its should delete fine. it will just go to the next prompt with no error message.

if not type this than try again.

attrib -h -r -s

after thats done power off and on the computer.

Boot to normal windows.

You may get one error message on startup looking for the dll. This will only happen once. on the next boot you will not get it.

After windows is booted rerun shredder.

Post a new pv log and hijackthis log.

Log in or Sign up

Coolwebsearch keeps coming back and SpywareBlaster won't open

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

bubba bodel Registered Member

subratam Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

snapdragin Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

Shadowwar Spyware Expert

Log in or Sign up

Coolwebsearch keeps coming back and SpywareBlaster won't open

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

bubba bodel Registered Member

subratam Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

snapdragin Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

subratam Registered Member

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

bubba bodel Registered Member

dvk01 Global Moderator

bubba bodel Registered Member

Shadowwar Spyware Expert

Useful Searches