CWS.searchx or about:search trojan removal for Win98SE???

Discussion in 'adware, spyware & hijack cleaning' started by SwirlGirl, May 18, 2004.

Thread Status:
Not open for further replies.
  1. SwirlGirl

    SwirlGirl Registered Member

    Joined:
    May 18, 2004
    Posts:
    3
    I really need some help! I've been working on getting rid of this pest for 10 days now, without success. Every remedy/removal isn't compatible with Windows 98. I've run Spybot S & D; like many other spyware removal programs, it doesn't detect this strain. CWShredder says it's fixed and removed search.x, but then it's back on reboot. I believe one of these modules is the hidden DLL culprit that I've read about, but which one? WDMEEA.DLL maybe? Can anyone help please? :doubt:

    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL
    MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL
    MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL
    SHDOCLC.DLL 2730000 540672 C:\WINDOWS\SYSTEM\SHDOCLC.DLL
    MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL
    URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL
    SHFOLDER.DLL 71930000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL
    BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL
    BROWSEUI.DLL 71500000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL
    o_O WDMEEA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\WDMEEA.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    o_O WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    IEXPLORE.EXE 400000 102400 C:\PROGRAM\FILES\INTERNET EXPLORER\IEXPLORE.EXE
    SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    USER32.DLL bfc00000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL

    And my last HijackThis log after the CWShredder fix and reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:14:41 PM, on 05/17/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8122.4887152778

    My homepage was again changed back to about:blank shortly after start up.
    Any help is greatly appreciated! :-* -Chandra
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi SwirlGirl,

    Can you try something for me?

    Open a DOS prompt (or even better, boot to DOS) and type this line, then ENTER

    dir /b /a C:\windows\system32\*.dll>1.txt

    Then find 1.txt and post the content. I want to compare it to what you posted above.

    Regards,

    Pieter
     
  3. SwirlGirl

    SwirlGirl Registered Member

    Joined:
    May 18, 2004
    Posts:
    3
    Pieter,
    I tried the DOS prompt and booted to DOS, and I tried variants of the line... dir /b /a C:\windows\system32\*.dll>1.txt ...nothing worked! Am I doing it right? Thank you so much for your time, any other suggestions?


    By the way...HAPPY BIRTHDAY TO YOU! :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Did you run it from the C:\ prompt ?

    There is not much you can do wrong except a typo or running it from a different folder.

    Regards,

    Pieter

    PS Not yet. Not in my timezone anyway. ;)
    But thanks.
     
  5. SwirlGirl

    SwirlGirl Registered Member

    Joined:
    May 18, 2004
    Posts:
    3
    HAPPY BIRTHDAY PIETER!!! :-*

    Sorry about taking so long to get back to you. I tried and tried and tried some more.

    The C:\ drive always says C:\WINDOWS>. Would that make a difference?

    I tried to get it to just C:\ by switching to D:\ then back to C:\ but it came back C:\WINDOWS> again.

    This is what it looks like in DOS:

    C:\WINDOWS>dir /b /a C:\windows\system32\*.dll>1.txt

    Any more ideas? o_O
    Thank you so much for your time, especially on your birthday!
    -Chandra
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    When the prompt is at C:\Windows> and you enter the command
    cd ..

    Does it go and stay at C:\> ?

    Regards,

    Pieter
     
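The comparison requested in the thread (a `dir /b /a` listing against the module dump from the first post) can be done mechanically once the listing exists. The following is an added example, not code from the thread or from HijackThis: it cross-checks the DLLs loaded in IEXPLORE.EXE and the DLL named in the R1 `res://` entry against a bare listing. The listing content and all function names are assumptions; a listing taken from a folder other than the one in the module paths produces an empty report.

```python
import ntpath
import re

# Lines copied from the module dump and HijackThis log in the first post.
MODULES = r"""
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL
o_O WDMEEA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\WDMEEA.DLL
o_O WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL
IEXPLORE.EXE 400000 102400 C:\PROGRAM\FILES\INTERNET EXPLORER\IEXPLORE.EXE
"""
HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
"""
# Constructed `dir /b /a` output (assumption: the thread never shows the real one).
LISTING = "SHELL32.DLL\nWININET.DLL\nCBM.DLL\n"

MODULE_RE = re.compile(r"(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+([A-Za-z]:\\.+)$")
RES_RE = re.compile(r"res://([A-Za-z]:\\[^/]+\.dll)/", re.IGNORECASE)

def loaded_modules(text):
    """Upper-cased full paths of the modules listed in a module dump."""
    hits = (MODULE_RE.search(line.strip()) for line in text.splitlines())
    return {m.group(4).upper() for m in hits if m}

def res_targets(hjt_text):
    """DLLs that HijackThis entries point the browser at through res:// URLs."""
    return {p.upper() for p in RES_RE.findall(hjt_text)}

def triage(modules_text, hjt_text, listing_text, listing_dir):
    """Cross-check loaded and res://-referenced DLLs against a bare listing."""
    on_disk = {n.strip().upper() for n in listing_text.splitlines() if n.strip()}
    loaded, targets = loaded_modules(modules_text), res_targets(hjt_text)
    wanted = listing_dir.upper().rstrip("\\")
    report = {}
    for path in sorted(loaded | targets):
        folder, name = ntpath.split(path)
        if folder != wanted or not name.endswith(".DLL"):
            continue  # the listing says nothing about files outside its folder
        report[name] = {"loaded": path in loaded, "res_target": path in targets,
                        "in_listing": name in on_disk}
    return report

def needs_review(report):
    """res:// targets, plus loaded DLLs the listing does not show."""
    return [n for n, r in report.items()
            if r["res_target"] or (r["loaded"] and not r["in_listing"])]
```

Calling `needs_review(triage(MODULES, HJT, LISTING, r"C:\WINDOWS\SYSTEM"))` on the data above returns the `res://` target and the one loaded DLL that the constructed listing omits.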