CWS.searchx or about:search trojan removal for Win98SE???

Discussion in 'adware, spyware & hijack cleaning' started by SwirlGirl, May 18, 2004.

Thread Status:
Not open for further replies.
  1. SwirlGirl

    SwirlGirl Registered Member

    Joined:
    May 18, 2004
    Posts:
    3
    I really need some help! I've been working on getting rid of this pest for 10 days now, without success. Every remedy/removal isn't compatible with Windows 98. I've run Spybot S & D; like many other spyware removal programs, it doesn't detect this strain. CWShredder says it's fixed and removed search.x but then it's back on reboot. I believe one of these modules is the hidden DLL culprit that I've read about, but which one? WDMEEA.DLL maybe? Can anyone help please? :doubt:

    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL
    MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL
    MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL
    SHDOCLC.DLL 2730000 540672 C:\WINDOWS\SYSTEM\SHDOCLC.DLL
    MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL
    URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL
    SHFOLDER.DLL 71930000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL
    BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL
    BROWSEUI.DLL 71500000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL
    o_O WDMEEA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\WDMEEA.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    o_O WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    IEXPLORE.EXE 400000 102400 C:\PROGRAM\FILES\INTERNET EXPLORER\IEXPLORE.EXE
    SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    USER32.DLL bfc00000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL

    And my last HijackThis log after the CWShredder fix and reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:14:41 PM, on 05/17/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8122.4887152778

    My homepage was again changed back to about:blank shortly after start up.
    Any help is greatly appreciated! :-* -Chandra
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi SwirlGirl,

    Can you try something for me?

    Open a DOS prompt (or even better, boot to DOS) and type this line, then ENTER

    dir /b /a C:\windows\system32\*.dll>1.txt

    Then find 1.txt and post the content. I want to compare it to what you posted above.

    Regards,

    Pieter
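
    The comparison asked for in the post above, as an added example that is not part of the thread: it checks the modules loaded in IEXPLORE.EXE and the res:// target of the R1 entry against a plain `dir /b` listing and a `dir /b /a` listing, so files that only show up with /a (hidden or system attribute) stand out. The two directory listings are constructed sample data, not the poster's output; the folder is taken from the paths in the module dump, and the function names are this example's own.

```python
import ntpath
import re

MODULE_RE = re.compile(r"([\w$~-]+\.\w+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S.*)$")
RES_RE = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)

# Lines copied from the thread's module dump and HijackThis log.
DUMP = r"""MODULE BASE SIZE PATH
MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL
o_O WDMEEA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\WDMEEA.DLL
IEXPLORE.EXE 400000 102400 C:\PROGRAM\FILES\INTERNET EXPLORER\IEXPLORE.EXE
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL"""
HJT = (r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = "
       r"res://C:\WINDOWS\SYSTEM\CBM.DLL/sp.html (obfuscated)")
# Constructed listings (NOT the poster's real output): `dir /b` vs `dir /b /a`.
PLAIN_DIR = "KERNEL32.DLL\nMSHTML.DLL\n"
ALL_DIR = "CBM.DLL\nKERNEL32.DLL\nMSHTML.DLL\nWDMEEA.DLL\n"

def parse_modules(dump):
    """Paths of loaded modules; tolerates a leading marker such as 'o_O'."""
    hits = (MODULE_RE.search(line.strip()) for line in dump.splitlines())
    return {m.group(4).strip().upper() for m in hits if m}

def res_dlls(hjt_log):
    """DLL paths that R0/R1 lines point IE at through a res:// URL."""
    return {m.group(1).upper() for line in hjt_log.splitlines()
            if line.lstrip().startswith(("R0", "R1"))
            for m in RES_RE.finditer(line)}

def names(listing):
    return {l.strip().upper() for l in listing.splitlines() if l.strip()}

def triage(dump, hjt_log, plain_dir, all_dir, folder=r"C:\WINDOWS\SYSTEM"):
    """Cross-check loaded modules and res:// targets against both listings."""
    def in_folder(paths):
        return {ntpath.basename(p) for p in paths
                if ntpath.dirname(p) == folder.upper()}
    on_disk = names(all_dir)
    hidden = on_disk - names(plain_dir)          # shown only with /a
    loaded, targets = in_folder(parse_modules(dump)), in_folder(res_dlls(hjt_log))
    return {"hidden_on_disk": sorted(hidden),
            "loaded_and_hidden": sorted(loaded & hidden),
            "loaded_not_listed": sorted(loaded - on_disk),
            "res_targets_hidden": sorted(targets & hidden),
            "res_targets_not_listed": sorted(targets - on_disk)}

if __name__ == "__main__":
    print(triage(DUMP, HJT, PLAIN_DIR, ALL_DIR))
```

    A name in "loaded_not_listed" or "res_targets_not_listed" means the listing does not cover that file at all, which usually points to a listing taken from a different folder than the one the module paths show.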
     
  3. SwirlGirl

    Pieter,
    I tried the DOS prompt and booted to DOS, and I tried variants of the line... dir /b /a C:\windows\system32\*.dll>1.txt ...nothing worked! Am I doing it right? Thank you so much for your time. Any other suggestions?


    By the way...HAPPY BIRTHDAY TO YOU! :D
     
  4. Pieter_Arntz

    Did you run it from the C:\ prompt?

    There is not much you can do wrong except a typo or running it from a different folder.

    Regards,

    Pieter

    PS Not yet. Not in my timezone anyway. ;)
    But thanks.
     
  5. SwirlGirl

    HAPPY BIRTHDAY PIETER!!! :-*

    Sorry about taking so long to get back to you. I tried and tried and tried some more.

    The C:\ drive always says C:\WINDOWS>. Would that make a difference?

    I tried to get it to just C:\ by switching to D:\ then back to C:\ but it came back C:\WINDOWS> again.

    This is what it looks like in DOS:

    C:\WINDOWS>dir /b /a C:\windows\system32\*.dll>1.txt

    Any more ideas? o_O
    Thank you so much for your time, especially on your birthday!
    -Chandra
     
  6. Pieter_Arntz

    When the prompt is at C:\Windows> and you enter the command
    cd ..

    Does it go and stay at C:\> ?

    Regards,

    Pieter
     