Need HJT help - persistent possible CWS variant on win98 machine

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TinyTiger, Oct 9, 2004.

  1. TinyTiger

    TinyTiger Private E-2

    Symptoms:
    Computer was running severely slowly. Lost access to the ZoneAlarm firewall user interface, though ZoneAlarm seemed to be running after the usual load on start-up. The Internet Explorer 5.0 browser's homepage had changed to something to the effect of "coolsearch.com".

    Response:
    Turned off computer. Removed internet cable from the back. Restarted computer. Killed a never-before-seen winproc32 process. Computer kept crawling. Uninstalled ZoneAlarm in safe mode. Compiled a list of files created within the last 1 day. Using another computer connected to the internet, googled several suspicious-looking files. Linked some of the files to trojans and browser hijacks. Manually deleted (sent to recycle bin) several "funny feeling" files including these:
    winproc32.exe, dc28.exe, dc29.bin, dc30.exe, dc32.exe, winpcr64.exe, favico.dat, q.exe.
    Proceeded to read up on adware removal. Possible culprit: a CWS variant.

    Reinstalled ZoneAlarm 3.7 from a back up. Connected computer back to the internet. The computer seemed to function properly - except for a few attempts by Explorer to access the internet on its own, as well as the change in the homepage.

    Scans:
    Downloaded several spyware killers. Carried out some scans (with some repeats). The entire process included runs of Trend Micro's "HouseCall" online scan, Symantec Virus Check, Panda ActiveScan (with heuristic trojan detection), McAfee AVERT Stinger (in safe mode), CCleaner, Ad-Aware (and VX2 Cleaner). Claria and Alexa were also removed along with several other suspicious items. Some trojans were eliminated (including troj_wintrim.w, troj-small.ac, troj_startpage.m and troj_keyhost.da as catalogued by HouseCall). Unfortunately for future reference, CCleaner cleared all the files that were in the recycle bin. Attempts to run SpywareBlaster in normal mode failed.

    More:
    Used Internet Explorer, on the infected computer, to read up on the problem and find out what else could be done. There were problems accessing some webpages - including Google's - which seemed to have no DNS entry. Computer slowed down severely - again. A check of the available resources showed very minimal usage though the system was clearly crawling. Once again the ZoneAlarm interface was not accessible though ZoneAlarm seemed to be running. Uninstalled ZoneAlarm in safe mode.
    Started CWShredder - in normal boot. Update attempts failed due to unavailable servers. Use of the "fix" button appeared to stall the system completely. Decided to hit Ctrl-Alt-Delete to reboot and run CWShredder in safe mode. Before going off, a message indicated that CWShredder had changed its title bar, because a variant of CWS.smartsearch had attempted to block it, and that the message would not be displayed again. The process may never have finished because the computer shut down.
    Disconnected the computer again from the internet. Set Netscape as the default browser. Internet Explorer (marked as "Iexplore" in the process list) continued to start on its own (apparently trying to access the internet) without actually opening the browser. Of course there was no internet to access.
    Managed to get into safe mode. Ran CWShredder under safe mode - but now it indicated the system as clean (including an absence of cws.smartsearch). Also ran Ad-aware, Spybot, AVERT Stinger, CCleaner under safe mode. Installed and ran SpywareBlaster in safe mode, but being in safe mode the internet updates were not downloadable. SpywareBlaster could not be run in normal mode since it caused an invalid page fault in an unknown module.
    Reinstalled ZoneAlarm in normal mode. Problems returned. Uninstalled ZoneAlarm.
    Connected computer back to the internet. On various occasions, Internet Explorer auto-started and attempted to run in a very covert fashion. In some cases, it asked to be reset to default browser. The only other generally running processes were: Explorer, mdm, systray, Notepad, and Netscape. The process was sometimes listed as Iexplore and other times listed as Internet Explorer in the process window that pops up after pressing Ctrl-Alt-Delete. The Iexplore process was manually killed each time, but the Internet Explorer process seemed to die on its own.

    Ran HijackThis:
    In normal mode, applied CWShredder and obtained a clean bill of health. Also ran CCleaner. Then, applied a HijackThis scan:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:24:23 AM, on 09/10/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.00 (5.00.2314.1000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    E:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>;localhost
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\3hbsn0fw.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\3hbsn0fw.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AOL INSTANT MESSENGER 4.7\AIM.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
    O15 - Trusted Zone: http://www.pcpitstop.com
    O15 - Trusted Zone: http://security.symantec.com
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4273/mcfscan.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\SYSTEM\Cicihp32.dll

    Unresolved Issues From Previous Scans:
    1) From the Instant Online Pest Scan (scan only, and only available to Internet Explorer users) at the Zone Labs website.
    Indicated the presence of "Download Accelerator Plus - Browser Helper Object" with several registry keys:
    hkey_local_machine\software\classes\typelib\{82351433-9094-11d1-a24b-00a0c932c7df}
    hkey_local_machine\software\classes\interface\{82351440-9094-11d1-a24b-00a0c932c7df}
    hkey_local_machine\software\classes\interface\{5252ac41-94bb-11d1-b2e7-444553540000}
    hkey_local_machine\software\classes\clsid\{82351441-9094-11d1-a24b-00a0c932c7df}
    hkey_local_machine\software\classes\clsid\{6dc82d15-92f2-11d1-a255-00a0c932c7df}
    hkey_local_machine\software\classes\clsid\{61ab12e1-a5ff-11d1b2e9-444553540000}
    hkey_local_machine\software\classes\anigifppg2.anigifppg2\curver
    hkey_local_machine\software\classes\anigifppg2.anigifppg2.1
    hkey_local_machine\software\classes\anigifppg2.anigifppg2
    hkey_local_machine\software\classes\anigifppg.anigifppg\curver
    hkey_local_machine\software\classes\anigifppg.anigifppg.1
    hkey_local_machine\software\classes\anigifppg.anigifppg
    hkey_local_machine\software\classes\anigifctrl.anigif
    2) Symantec Security Check:
    Hacker Exposure Results: ping, ssh, telnet, and http ports open.
    Trojan Horse Check: 1025 unused windows services block
    3) The Messenger Control Plug-in for Ad-aware could not determine the state of Microsoft's Messenger Service in order to turn it off/on.
    4) Cannot run SpywareBlaster in normal mode

    ZoneAlarm remains uninstalled. kill2me and about:buster have not been applied. I have the feeling that the O21 entry is the culprit and the registry keys above may be connected. Can someone please help me figure this out? Should I let the Iexplore process run freely and run a HijackThis scan during that time? I don't think there is much more I can do on my own.

    My understanding is that this bug has taken advantage of Microsoft's Java Virtual Machine vulnerabilities. I am also currently trying to find a way to remove the MS virtual machine and replace it with the Sun Java virtual machine. I know my Microsoft Java Virtual Machine is operating because I typed "jview" into an MS-DOS command window and that brought up some info on the "Microsoft (R) Command-Line Loader for Java Version 4.79.2405."

    Thanks in advance, I am sure someone will lend a hand.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this, save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close them before running HijackThis!

    Also if you had read this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    You would see it explains all about MS & Sun Java.

    Make sure viewing of hidden files is enabled.
    Run HJT and fix the following line:
    O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\SYSTEM\Cicihp32.dll

    Then boot in safe mode and delete:
    C:\WINDOWS\SYSTEM\Cicihp32.dll

    See if that helps at all! But on a more important note, you must go to Windows Update at http://v4.windowsupdate.microsoft.com/en/default.asp - you are way out of date with your critical updates.
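As an added illustration of what chaslang is reading off the log (this is not code from the thread or from HijackThis): a small Python parser that pulls the entry code, CLSID and loaded module out of HJT log lines and flags O2/O4/O21 modules loaded from the Windows system folder, plus O6 policy restrictions. The sample lines are copied from the log above; the AUTOLOAD_CODES set is my own choice of which entry types to treat as auto-loading.

```python
import re

# Constructed sample in HijackThis v1.98 log layout; the entry lines are
# copied from the log posted above, the rest of the log is omitted.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 11:24:23 AM, on 09/10/04

Running processes:
C:\WINDOWS\EXPLORER.EXE
E:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\SYSTEM\Cicihp32.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\[\]\"]+")   # drive-letter file paths only

# Entry types that load a module at logon or shell start: BHOs (O2),
# Run keys (O4) and ShellServiceObjectDelayLoad objects (O21).
AUTOLOAD_CODES = {"O2", "O4", "O21"}

def parse_hjt(text):
    """Return one dict {code, body, clsid, path} per HJT entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue            # header, blank or 'Running processes' lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        paths = PATH_RE.findall(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "path": paths[-1] if paths else None,   # loaded module is the last path
        })
    return entries

def review_items(entries):
    """Entries worth a second look: auto-loaded modules sitting in the Windows
    system folder (where the thread's Cicihp32.dll hid) and O6 IE restrictions."""
    items = []
    for e in entries:
        path = (e["path"] or "").upper()
        if e["code"] in AUTOLOAD_CODES and "\\WINDOWS\\SYSTEM\\" in path:
            items.append((e["code"], e["path"]))
        elif e["code"] == "O6":
            items.append((e["code"], e["body"]))
    return items

if __name__ == "__main__":
    for code, what in review_items(parse_hjt(SAMPLE_LOG)):
        print(code, what)
```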
     
  3. TinyTiger

    TinyTiger Private E-2

    Thanks for the help,

    Sorry about the log, I didn't know I shouldn't simply paste in a HJT log. I had not seen the first sticky thread before.
    I tried following the second sticky thread as best as I could before posting this request for help.

    The problem has been resolved. The culprit was a Cicihp32.dll [7KB] and a related Fmhepl32.exe [28KB]. These bugs had persisted and continued to cause the ZoneAlarm firewall (and other antispyware applications) to fail because they had been installed in the hidden c:\windows\system folder.

    After someone pointed out that the "O21 - SSODL: Web Event Logger ... Cicihp32.dll" entry in the HJT log indicated the possible culprit, I followed their instructions - which were very much like yours. At first I couldn't find the Cicihp32.dll on the computer. It was pointed out that I had to enter safe mode after enabling view of all files and folders - including system and hidden files and folders. I did so and then I was able to locate the Cicihp32.dll file and the Fmhepl32.exe that had been installed at the very same time. I googled the Fmhepl32.exe extensively to ensure it was not by chance a legitimate system file - I concluded that it was not. I deleted the two files and, while still in safe mode, I ran HJT and used it to fix the "O21 ..." registry key entry. Then I rebooted the computer back to normal mode.

    The computer has had no problems after that. Subsequent HJT logs appeared clean. I was able to reinstall, update and use the firewall, all other antispyware applications, etc.

    Thanks for your help. I'll come back at a later time to see if you have any more comments/help/advice.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

