cws.searchx problem!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by specialk128, Jun 17, 2004.

  1. specialk128

    specialk128 Private E-2

    My computer is acting up... based on my research, I believe it is the cws.searchx problem. It will reset my IE to about:blank, and it is constantly being removed by CWShredder, only to come back a short time later... here is my HijackThis log file... please help!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:41 PM, on 6/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EEB4C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra 'Tools' menuitem: ?????? ??????? ?????? (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clini...avinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/commo...snoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01f.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilCh...tl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdri...wtinst.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/017b344310588e0c6e...xIE601.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see the about:blank problem in your log. Did you delete it already before posting? There are some other things there you should get rid of (like Wild Tangent).

    If you are sure you are having an about:blank problem, follow the steps below:

    We are going to use a program called DLLFIX.EXE to try to fix this about:blank problem.
    However before starting, I want you to make sure you have the following programs installed and UPDATED (very important) on your PC for later use:
    1) Ad-aware
    2) SpyBot S&D
    3) CWShredder
    4) HijackThis
    All of these are available here: http://www.majorgeeks.com/downloads31.html

    Now get DLLFIX.EXE from: http://tools.zerosrealm.com/dllfix.exe
    1) Save the file to your Desktop, double click dllfix.exe and follow the prompts. This will create a folder called dllfix on your desktop.
    2) Click on this folder and then double click on start.bat.
    3) Select option 1 Run Find-All to scan your PC. This will create a log file.
    4) Post this log back here before running any fixes.
     
  3. specialk128

    specialk128 Private E-2

    I can't run the dllfix program, because I am using Windows 98... here is the log from HijackThis... I just ran it right now, so it is as accurate as possible...


    Logfile of HijackThis v1.97.7
    Scan saved at 12:54:30 AM, on 6/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EEB4C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra 'Tools' menuitem: ?????? ??????? ?????? (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01f.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtinst.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/017b344310588e0c6e01/netzip/RdxIE601.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  4. specialk128

    specialk128 Private E-2

    Also, what else should I get rid of? My computer has been acting up a lot and I would like to just get it cleaned up for good... please let me know what else you think can be erased.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down all browser and Windows Explorer sessions, run HijackThis again and fix the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EEB4C} - (no file)
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k26617/sb01f.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...acom/wtinst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/017b344310588e...ip/RdxIE601.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -


    I'm not 100% sure about SBCIE026.DLL but I do feel good about it. Can you just find this DLL with
    Windows Explorer and try renaming it to SBCIE026.OLD for now. You may have to boot in safe mode to do that:
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL


    Now reset your web settings, if you do not know how to do that go here:
    http://www.pestpatrol.com/Support/HowTo/How_To_Clear_a_Hijack.asp
    and under the Search Hijacks section see the info on "Reset Web Settings".



    Note: If you don't know how to start in safe mode, see the following link:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


    Are you still being sent to about:blank now?
     
  6. specialk128

    specialk128 Private E-2

    OK, I fixed all those problems... I guess that took care of it... I'm not sure, because it didn't load about:blank every time, but it did it a few times a day. Hopefully when I restart next time it won't happen, and it will be cleaned up for good. My computer still runs slow, but I'm hoping it's not virus related. Thank you for your help.
     
  7. specialk128

    specialk128 Private E-2

    OK, all sorts of new problems now... IE opened to about:blank again, even after deleting what you suggested. On top of that, I cannot open "My Briefcase"... when the Solitaire game is opened, all the letters are strange symbols and it won't play... the Start menu is now compressed down where you cannot read anything, just see symbols.

    I ran Ad-aware, and it found a file named llmapia.dll... also, Ad-aware had previously told me about a file named "sp" that was in the windows\temp folder... I have deleted it, and it replicates itself and comes back, as it has done again. As you see below, it's all over the place. Deleting the file will solve the problem temporarily... but I'm looking for a permanent fix... here is the HijackThis log from right now, when IE opens to about:blank and when I have all the other problems mentioned above... please help... there is something nasty in this computer and I just want to get this solved.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:33:20 AM, on 6/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O2 - BHO: (no name) - {12D34477-C003-11D8-83E5-00502B728ECC} - C:\WINDOWS\SYSTEM\LLMAPIA.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get DLLFIX.EXE from: http://tools.zerosrealm.com/dllfix.exe

    1) Save the file to your Desktop, double click dllfix.exe and follow the prompts. This will create a folder called dllfix on your desktop.
    2) Click on this folder and then double click on start.bat.
    3) Select option 1 Run Find-All to scan your PC. This will create a log file.
    4) Post this log back here before running any fixes.
     
  9. specialk128

    specialk128 Private E-2

    I can't use dllfix because I am running on Windows 98.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooops! Sorry! I forgot that. Try installing and running PrcView: http://www.majorgeeks.com/download4246.html

    After installing, click on the runme9x.bat file and select option 2 for Internet Explorer DLLs.

    Post the log back here.
     
  11. specialk128

    specialk128 Private E-2

    When I run that and select option 2, it says "bad command or file name", then opens up a blank log in Notepad.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay get to an MS-DOS command prompt in the directory where you installed PrcView.
    Do a DIR command and make sure you see the pv.exe file.

    Type this command: pv -m iexplorer.exe > ielog.txt

    Now open that ielog.txt file with notepad and copy it into your next message.
     
  13. specialk128

    specialk128 Private E-2

    I see the pv.exe file... but I type in the pv -m iexplorer.exe and it says "bad command or file name" again. It might just be that I'm not 100% sure what I'm doing in MS-DOS... the prompt is on c:\windows, and it won't change... I can't change the directory. So maybe I'm not doing something right, but I can't get the log open that you want to see.
     
  14. specialk128

    specialk128 Private E-2

    I have no idea if this is helpful in any way, but I opened something else... prcview.exe... I was looking at another website, and it kinda directed me there... this is the log from that... if it's no help, sorry to take up room here.

    AIM.EXE 4294740627 C:\PROGRAM FILES\AIM95\AIM.EXE AOL Instant Messenger 5.5.3572. Copyright © 1996-2004 America Online, Inc.
    DDHELP.EXE 4294542927 C:\WINDOWS\SYSTEM\DDHELP.EXE Microsoft DirectX Helper 4.09.00.0900. Copyright © Microsoft Corp. 1994-2002
    EXPLORER.EXE 4294497331 C:\WINDOWS\EXPLORER.EXE Windows Explorer 4.72.3110.1. Copyright (C) Microsoft Corp. 1981-1997
    HH.EXE 4294742231 C:\WINDOWS\HH.EXE Microsoft® HTML Help Executable 5.2.3644.0. © Microsoft Corporation. All rights reserved.
    KERNEL32.DLL 4293864839 C:\WINDOWS\SYSTEM\KERNEL32.DLL Win32 Kernel core component 4.10.2222. Copyright (C) Microsoft Corp. 1991-1999
    MMTASK 4294886383 C:\WINDOWS\SYSTEM\mmtask.tsk Multimedia background task support module 4.03.1998. Copyright © Microsoft Corp. 1991-1998
    MPREXE.EXE 4294929575 C:\WINDOWS\SYSTEM\MPREXE.EXE WIN32 Network Interface Service Process 4.10.1998. Copyright (C) Microsoft Corp. 1993-1998
    MSGSRV32 4294924855 C:\WINDOWS\SYSTEM\MSGSRV32.EXE Windows 32-bit VxD Message Server 4.10.2222. Copyright (C) Microsoft Corp. 1992-1998
    MSTASK.EXE 4294893439 C:\WINDOWS\SYSTEM\MSTASK.EXE Task Scheduler Engine 4.71.1959.1. Copyright (C) Microsoft Corp. 1997
    PRCVIEW.EXE 4294389863 C:\WINDOWS\TEMP\PRCVIEW.EXE Process Viewer Application 3.7.3.1. Developed by Igor Nys, 1995-2003
    TASKMON.EXE 4294795947 C:\WINDOWS\TASKMON.EXE Task Monitor 4.10.1998. Copyright (C) Microsoft Corp. 1998
    WINHLP32.EXE 4294683943 C:\WINDOWS\WINHLP32.EXE WinHelp 4.10.1998. Copyright (C) Microsoft Corp. 1998
    WINZIP32.EXE 4294794755 C:\PROGRAM FILES\WINZIP\WINZIP32.EXE WinZip Executable 7.0. Copyright (c) Nico Mak Computing, Inc. 1991-1998 - All Rights Reserved
    WINZIP32.EXE 4294814603 C:\PROGRAM FILES\WINZIP\WINZIP32.EXE WinZip Executable 7.0. Copyright (c) Nico Mak Computing, Inc. 1991-1998 - All Rights Reserved
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The original file was pv.zip. Where did you unzip it to? You have to be in that directory (it creates a directory where ever you unzip to called pv). Inside the pv directory you should see a total of 9 files (10 if it already created a log.txt file from running).
     
  16. specialk128

    specialk128 Private E-2

    I now have that folder... when I run the runme9x program now and choose option 2, it says "pv: no matching processes found". I just can't get MS-DOS to change from c:\windows... the pv stuff is in my My Documents folder, then in a separate folder called pv.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you get to the DOS prompt, which probably shows c:\windows, type:

    cd \mydocu~1

    Then cd to the folder where you put PV.
    Once there run as indicated in previous message.
     
  18. specialk128

    specialk128 Private E-2

    OK, solved the MS-DOS prompt issue :) ... and I see the pv.exe file when I get a directory... however, I type the command pv -m iexplorer.exe and it says "pv: no matching processes found"... not sure if I'm still doing something wrong, or if that tells you something about my computer.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooops! My bad! I forgot to tell you to have one internet explorer session running when you execute that command. Sorry about that. Give it a try now!
     
  20. specialk128

    specialk128 Private E-2

    I have the majorgeeks.com window open, so I can follow the directions. When I type in the command, I still get "pv: no matching processes found".
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn!!! Looking at all these logs is making my eyes go! Again my fault. It's iexplore.exe, not iexplorer.exe.

    pv -m iexplore.exe
     
  22. specialk128

    specialk128 Private E-2

    Finally... thank you thank you thank you... we have made it over this hurdle... here is the log finally... now what...


    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    SQLNA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLNA.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    IEXPLORE.EXE 400000 102400 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL
    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IMGUTIL.DLL 70510000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL
    CONTROL.DLL 3f10000 585728 C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 10\CONTROL.DLL
    SWDIR.DLL 69200000 53248 C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    DXTMSFT.DLL 35cb0000 364544 C:\WINDOWS\SYSTEM\DXTMSFT.DLL
    DDRAWEX.DLL 65000000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL
    DXTRANS.DLL 35c50000 208896 C:\WINDOWS\SYSTEM\DXTRANS.DLL
    ATL.DLL 5f3e0000 73728 C:\WINDOWS\SYSTEM\ATL.DLL
    DCPR.DLL 16e0000 139264 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\DCPR.DLL
    NET.DLL 16d0000 61440 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\NET.DLL
    JPICOM32.DLL 6d2f0000 81920 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\JPICOM32.DLL
    D3DIM700.DLL 56660000 917504 C:\WINDOWS\SYSTEM\D3DIM700.DLL
    SOFTPUB.DLL 47a80000 73728 C:\WINDOWS\SYSTEM\SOFTPUB.DLL
    RSABASE.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSABASE.DLL
    MSCAT32.DLL 7b3a0000 49152 C:\WINDOWS\SYSTEM\MSCAT32.DLL
    DDRAW.DLL baaa0000 389120 C:\WINDOWS\SYSTEM\DDRAW.DLL
    FONTMANAGER.DLL 3ec0000 327680 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\FONTMANAGER.DLL
    AWT.DLL 6c20000 1110016 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\AWT.DLL
    ZIP.DLL 1250000 53248 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\ZIP.DLL
    JAVA.DLL 1230000 102400 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\JAVA.DLL
    VERIFY.DLL 1220000 57344 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\VERIFY.DLL
    HPI.DLL 10d0000 28672 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\HPI.DLL
    JVM.DLL 8000000 1277952 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\CLIENT\JVM.DLL
    JPISHARE.DLL 6d380000 98304 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\JPISHARE.DLL
    JPIEXP32.DLL 6d310000 94208 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\JPIEXP32.DLL
    NPJPI142_04.DLL 6d440000 65536 C:\PROGRAM FILES\JAVA\J2RE1.4.2_04\BIN\NPJPI142_04.DLL
    OLEPRO32.DLL 5f300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL
    MSHTMLED.DLL 70f30000 450560 C:\WINDOWS\SYSTEM\MSHTMLED.DLL
    LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL
    ACTXPRXY.DLL 703d0000 110592 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL
    IDLEMON.DLL 1c000000 24576 C:\PROGRAM FILES\AIM95\IDLEMON.DLL
    IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL
    MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL
    JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL
    MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL
    SHDOCLC.DLL 3fb0000 540672 C:\WINDOWS\SYSTEM\SHDOCLC.DLL
    MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL
    LLMAPIA.DLL 3d90000 45056 C:\WINDOWS\SYSTEM\LLMAPIA.DLL
    RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL
    URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL
    RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL
    SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL
    MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL
    SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL
    MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL
    MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL
    TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL
    NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL
    NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    SBCIE026.DLL 10000000 229376 C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    WINTRUST.DLL 71410000 57344 C:\WINDOWS\SYSTEM\WINTRUST.DLL
    YCOMP5_2_3_0.DLL 68000000 299008 C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    WINMM.DLL bfdf0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL
    SETUPAPI.DLL 77ea0000 421888 C:\WINDOWS\SYSTEM\SETUPAPI.DLL
    MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL
    CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL
    WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV
    COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL
    LZ32.DLL bfe60000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL
    NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL
    MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL
    VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL
    SHFOLDER.DLL 71930000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL
    BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL
    BROWSEUI.DLL 71500000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL
    SHELL32.DLL 7fcb0000 1400832 C:\WINDOWS\SYSTEM\SHELL32.DLL
    SQLNA.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLNA.DLL
    IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
    MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
    DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
    WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
    RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
    WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    IEXPLORE.EXE 400000 102400 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like there is some duplicate info in this and it is a little hard to read this way. Could you do this again but this time:

    1) make sure everything is shut down except one iexplore.exe session
    2) then execute the command this way (I'm adding another command line option for more info and also sorting it). Note: the | sign is on the shifted \ key above the Enter key.

    pm -e -m iexplore.exe | sort > log.txt

    3) But this time do not cut and paste the log.txt file. Attach the whole log.txt file as an attachment.
     
  24. specialk128

    specialk128 Private E-2

    ok, did that...and the log is attached...good luck
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see anything strange in there. Okay can you do the following:

    1) download CrapCleaner from http://www.majorgeeks.com/download4191.html
    2) install it and run it.
    3) On the Windows tab just accept the defaults and click the Run Cleaner on the bottom right.
    4) Now run HijackThis and fix if still there from previous log:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


    Now find these two files with Win Explorer and rename them as below:
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL ------> SBCIE026DLL.BAD
    C:\WINDOWS\SYSTEM\LLMAPIA.DLL ------> LLMAPIADLL.BAD

    If you cannot do that right now, boot to safe mode and rename them.

    Then reboot in normal mode and let's see what's up.
     
  26. specialk128

    specialk128 Private E-2

    ok..ran crapcleaner...deleted a lot of files...then ran hijackthis...all those files were there, so i fixed them all. looked in both normal mode, then in safe mode for those two files to rename, but neither of them existed...restarted again in normal mode (where i am right now)...IE opened right back to about:blank...that "sp" file is still in the temp folder, meaning it has replicated itself again...not to mention i keep having random popups saying i have spyware on my computer, which are extremely annoying...this is the hijackthis log from right now, after doing everything you told me to, then restarting...as you can see, its all right back where it was before...not sure what all this means...i must have something nasty floating around in here...

    Logfile of HijackThis v1.97.7
    Scan saved at 2:09:15 AM, on 6/18/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O2 - BHO: (no name) - {12D34477-C003-11D8-83E5-00502B728ECC} - C:\WINDOWS\SYSTEM\LLMAPIA.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly how did you look for those two files?
     
  28. specialk128

    specialk128 Private E-2

    I looked in the folders where they would be...then I searched using the Find feature...I'm not sure of any other way to go about finding them
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you enabled viewing of hidden files, and have you turned off the hiding of extensions for known file types? You do this from Windows Explorer, Tools, Folder Options, View.
     
  30. specialk128

    specialk128 Private E-2

    yeah, I did both of those, then restarted in safe mode...I was able to change the llmapia file...but the other one is not there...I changed both the Tools settings and it's still not in that folder...I was able to change the other file though to make it .bad
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so now give me another HijackThis log.
     
  32. specialk128

    specialk128 Private E-2

    Logfile of HijackThis v1.97.7
    Scan saved at 2:46:29 AM, on 6/18/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O2 - BHO: (no name) - {12D34477-C003-11D8-83E5-00502B728ECC} - C:\WINDOWS\SYSTEM\LLMAPIA.DLL (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not have IE or any browsers running, nor Win Explorer, when using HijackThis. See these lines:
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    Have HijackThis fix

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {12D34477-C003-11D8-83E5-00502B728ECC} - C:\WINDOWS\SYSTEM\LLMAPIA.DLL (file missing)

    Then run CWShredder, Ad-aware, & SpyBot S&D. Reboot and let me know the results. I'll be back later today. Gotta get some sleep now! It's almost 4am by me.
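    A small triage script for HijackThis-style log lines, written as an added example for this thread (it is not a tool from the thread, from HijackThis or from MajorGeeks). It encodes the indicators acted on above: search pages redirected to a local file:// URL, the HomeOldSP value, and O2 BHO entries that are "(file missing)" or load from the Windows system directory; the system-directory rule is a heuristic assumption of this example, and the sample lines are constructed from the shapes posted in this thread.

```python
"""Triage HijackThis 1.97-style log lines for the CWS 'sp.html' pattern.

Added example (not from the thread or from HijackThis). Rules encoded:
  * R0/R1 search/start page data that is a local file:// URL,
  * the HomeOldSP value, where CWS parks the displaced start page,
  * O2 BHO entries marked '(file missing)' (an orphaned CLSID registration),
  * O2 BHO DLLs loaded straight from the Windows system directory or from
    'Downloaded Program Files' (a heuristic assumption of this example,
    not a rule stated in the thread).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# A BHO DLL sitting directly in the system directory (assumed heuristic).
SYSTEM_DIR_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM(32)?\\[^\\]+$")

# Constructed sample, copying the line shapes posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {12D34477-C003-11D8-83E5-00502B728ECC} - C:\WINDOWS\SYSTEM\LLMAPIA.DLL (file missing)
O2 - BHO: (no name) - {8BF69AC3-C118-11D8-83E5-005035C9ABAE} - C:\WINDOWS\SYSTEM\IIO.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list[str]


def _suspicious_bho_location(path: str) -> bool:
    p = path.upper()
    return bool(SYSTEM_DIR_DLL.match(p)) or "\\DOWNLOADED PROGRAM FILES\\" in p


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, listing every rule that fired."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        m = R_LINE.match(line)
        if m:
            value, data = m.group("value").strip(), m.group("data").strip()
            if data.lower().startswith("file://"):
                reasons.append("search/start page redirected to a local file: " + data)
            if value.lower() == "homeoldsp":
                reasons.append("HomeOldSP present: CWS stored the displaced start page here")
        m = O2_LINE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("BHO CLSID still registered but its DLL is missing")
            if _suspicious_bho_location(m.group("path")):
                reasons.append("BHO DLL loads from the system directory or Downloaded Program Files")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it flags the three file:// search entries, the HomeOldSP line and the two system-directory BHOs, and leaves the Yahoo companion, the real start page and the O4 entries alone.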
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooooo! One more thing before reboot. Set your home page via Internet Explorer to something, like www.majorgeeks.com.
     
  35. specialk128

    specialk128 Private E-2

    ok, deleted the stuff from HijackThis...ran CWShredder...it removed the cws.searchx.....ran Ad-aware...it removed the same things it has for a while, the "sp" file, and other related items...ran Spybot, it just found 1 tracking cookie, which I erased. I reset the home page, and I am going to shut down my computer now, but when I restart in the morning, we'll see what happens. Thank you so much for all your help the last two days...hopefully this will solve the problem once and for all...this is so frustrating, I thank you so much for helping me through it.
     
  36. specialk128

    specialk128 Private E-2

    well...just turned my computer on this morning...and I'm right back to the about:blank screen...meaning it all came right back with a restart. I thought it might have actually been gone, but this damn problem just won't disappear...any other ideas how to go about tracking this thing down?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the exact same lines back in the HijackThis log or did they change?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A couple more items to try that could help us find this piece of crap:

    1) Security Task Manager. Download it from http://www.neuber.com/taskmanager/download.html and check it out. Maybe we can find some process running that is suspicious. This is 30-day trial software, so use it quickly.

    2) Also download this http://www.sysinternals.com/ntw2k/source/regmon.shtml and have it running. Maybe we can catch registry activity too.

    With the above two items running, let's see if we can catch what goes on when you open up Internet Explorer.
     
  39. specialk128

    specialk128 Private E-2

    here you go...appears to be the same to me...although I can't help but notice that where the llmapia file was before...now there is one called IIO.dll...my untrained eye says that could be a problem. But everything else looks the same...

    Logfile of HijackThis v1.97.7
    Scan saved at 12:10:58 PM, on 6/18/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
    O2 - BHO: (no name) - {8BF69AC3-C118-11D8-83E5-005035C9ABAE} - C:\WINDOWS\SYSTEM\IIO.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\EFFICI~1\ENTERN~1\APP\ENTERNET.EXE -AutoStart
    O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: SideStep (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {BF207D61-D7E0-11D3-9FF6-00C04F37B9BD} (McAfee Smart Shop - Analyzer Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
    O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38119.5855787037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
     
  40. specialk128

    specialk128 Private E-2

    the Security Task Manager found three files I'm not sure about...one is the IIO.dll file, another is in the system folder (same place as the IIO one) and is SQLNA.dll, and the third is in an IM folder and is called Idle Monitor DLL (listed as IDLemon.dll)...

    and I'm not quite sure what to be looking at/for on the registry monitor, but it did find almost 58000 results...
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I think the starting problem may be the sqlna.dll file and it may spawn the IIO.dll file. I remember a name similar to that (if not the same) on someone else's system having this about:blank problem. They had WinXP though and it was found in the registry in AppInit_DLLs, which made it easier to work on resolving the problem.

    IDLdemon.dll is a hack someone made to use with AOL Instant Messenger to make you look like you are idle when you are online.

    The IIO.dll and sqlna.dll may both be hidden from viewing normally. First I want to have you search the registry to see if you can find either of these two DLLs in it. In fact, search for the previous (LLMAPIA.DLL) file too. To do this, click Start, Run, and then enter regedit and click OK. Now with the Registry Editor open, click Edit, Find, and then enter the DLL filename, then click Find Next. If found, make a note of the full path to the registry key where it is found (this full path appears in the bottom of the window). After finding it, continue searching until you hit the end of the registry. We need to make sure that there aren't multiple occurrences. Do the same for each DLL. You will have to click in the left-hand part of the Registry Editor window and get yourself back to the top by clicking on the My Computer icon in the editor. You need to do that before beginning the next search so you start at the beginning each time.
     
  42. specialk128

    specialk128 Private E-2

    sorry about the slow response time, but after having the last two days off work, I had to go back today.

    anyway, I searched the registry and here's what I found...

    NO SQLNA.dll files
    NO LLMAPIA.dll files
    4 IIO.dll files (here are the locations if that means anything):

    MyComputer\HKEY_CLASSES_ROOT\CLSID\{8BF69AC2-C118-11D8-83E5-00505A850E35}\InProcServer32
    MyComputer\HKEY_CLASSES_ROOT\CLSID\{8BF69AC3-C118-11D8-83E5-005035C9ABAE}\InProcServer32
    MyComputer\HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8BF69AC2-C118-11D8-83E5-00505A850E35}\InProcServer32
    MyComputer\HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8BF69AC3-C118-11D8-83E5-005035C9ABAE}\InProcServer32
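    The registry search from the two posts above, done against a regedit export instead of by hand, as an added example that is not from the thread or from any tool mentioned in it. It assumes a REGEDIT4-format export (what Win9x regedit writes) and relies on two facts: HKEY_CLASSES_ROOT is an alias of HKLM\Software\Classes, so the four hits above are really two CLSIDs seen twice, and Internet Explorer loads a DLL as a BHO only when its CLSID is listed under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects; the export text is constructed from the hits reported above.

```python
r"""Search a regedit export for every key that references given DLL names.

Added example (not from the thread). Assumes a REGEDIT4-format export, the
format Win9x regedit writes. HKEY_CLASSES_ROOT is folded onto its HKLM
location so the same key is not reported twice, and each CLSID found is
checked against the Browser Helper Objects list, which is what makes IE
load the DLL at startup.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HKCR_ALIAS = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES"
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION"
           "\\EXPLORER\\BROWSER HELPER OBJECTS")
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')

# Constructed export mirroring the four hits reported above, plus the BHO
# registration for one of the two CLSIDs and a legitimate Yahoo class.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{8BF69AC2-C118-11D8-83E5-00505A850E35}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\IIO.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{8BF69AC3-C118-11D8-83E5-005035C9ABAE}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\IIO.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8BF69AC2-C118-11D8-83E5-00505A850E35}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\IIO.DLL"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8BF69AC3-C118-11D8-83E5-005035C9ABAE}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\IIO.DLL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8BF69AC3-C118-11D8-83E5-005035C9ABAE}]

[HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\InProcServer32]
@="C:\\PROGRAM FILES\\YAHOO!\\COMMON\\YCOMP5_2_3_0.DLL"
"""


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each key path to its string values ('' is the default value)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") or ""
            # .reg files double every backslash inside string data.
            keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys


def canonical_key(key: str) -> str:
    """Upper-case the path and fold the HKEY_CLASSES_ROOT alias onto HKLM."""
    k = key.upper()
    if k.startswith("HKEY_CLASSES_ROOT\\"):
        return HKCR_ALIAS + k[len("HKEY_CLASSES_ROOT"):]
    return k


@dataclass
class DllReport:
    dll: str
    keys: list[str] = field(default_factory=list)        # distinct keys naming the DLL
    clsids: list[str] = field(default_factory=list)      # COM classes it serves
    bho_clsids: list[str] = field(default_factory=list)  # those IE loads as BHOs


def find_dll_references(reg_text: str, dll_names) -> dict[str, DllReport]:
    canon: dict[str, dict[str, str]] = {}
    for key, values in parse_reg_export(reg_text).items():
        canon.setdefault(canonical_key(key), {}).update(values)
    registered_bhos = set()
    for k in canon:
        m = CLSID_RE.search(k)
        if m and k.startswith(BHO_KEY + "\\"):
            registered_bhos.add(m.group(0))
    reports: dict[str, DllReport] = {}
    for dll in dll_names:
        rep = DllReport(dll.upper())
        for key, values in canon.items():
            if any(v.upper().endswith("\\" + rep.dll) for v in values.values()):
                rep.keys.append(key)
                m = CLSID_RE.search(key)
                if m and m.group(0) not in rep.clsids:
                    rep.clsids.append(m.group(0))
        rep.bho_clsids = [c for c in rep.clsids if c in registered_bhos]
        reports[rep.dll] = rep
    return reports


if __name__ == "__main__":
    for rep in find_dll_references(SAMPLE_EXPORT, ["IIO.dll", "SQLNA.dll", "LLMAPIA.dll"]).values():
        print(rep.dll, "keys:", len(rep.keys), "CLSIDs:", rep.clsids, "BHO:", rep.bho_clsids)
```

On the constructed export the four manual hits collapse to two CLSIDs, only one of which is registered as a BHO, and sqlna.dll and LLMAPIA.DLL produce no hits at all, matching what the search above found.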
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Get a tool for backing up your registry. Check RegCleaner out: http://www.majorgeeks.com/download460.html

    Use it and make backup of your registry.

    First try booting in safe mode (or even DOS mode if necessary) and see if you can locate those three DLLs we are talking about and move them to a new folder like c:\junk.
     
  44. specialk128

    specialk128 Private E-2

    ok, moved the IIO file to the c:\junk folder...still can't find the sqlna file, either in normal mode or safe mode. and the llmapia file is gone too. also, just as a side note, i can't run the security task manager you had me download yesterday...it just gives me an error each time...don't know if that's related. downloaded the regcleaner too...don't know if i can use that to help...not sure how to make a backup with it either...but i do know that sqlna file is hidden away really well.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure why Security Task Manager will not work. It is supposed to be for all Win OS's. You could try Process Explorer for Win9x: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    Also try downloading Registrar Lite and install it: http://www.resplendence.com/reglite
    Do a search with it to see if you can find the sqlna.dll file.

    This crap is a real bear to find. Have you made sure you enabled viewing of hidden files and folders in Windows Explorer? Also make sure you have not checked "hide extensions for known file types". You do this with Win Explorer, Tools, Folder Options, View. We need to find that DLL and get rid of it. It is the root of all problems.

    Sounds like similar issues to what I had in this thread: http://www.majorgeeks.com/vb/showthread.php?t=34456&page=1&pp=20

    But again that was WinXP, which had the AppInit_DLLs location in the registry. Once we deleted that, we could see the DLL and remove it.
     
  46. specialk128

    specialk128 Private E-2

    downloaded registrar lite...didn't find sqlna there either...

    i get this message when i try to open task manager...

    TASKMAN caused an invalid page fault in
    module KERNEL32.DLL at 0167:bff98adb.
    Registers:
    EAX=00000001 CS=0167 EIP=bff98adb EFLGS=00010246
    EBX=00000010 SS=016f ESP=0149ff88 EBP=0149ffcc
    ECX=fffd9da1 DS=016f ESI=0053f134 FS=3fcf
    EDX=81634b6c ES=016f EDI=004f9f3c GS=0000
    Bytes at CS:EIP:
    89 b4 8a 90 00 00 00 5f 5e 5b c2 04 00 56 a1 e0
    Stack dump:
    81634b6c 8162b938 81683398 bff87caa 8162b938 00000008 bff88f1a 81634b6c 00000008 81683398 00000007 0149ffa4 0149fdb8 ffffffff bffc05b4 bff79050

    it worked before, that's how i found this file in the first place...now it doesn't.

    i've got all the hidden files turned on, so everything should be showing....somehow, this file still isn't. do you think if we remove the sqlna file this will all disappear? is there any way to track this thing down?
     
  47. specialk128

    specialk128 Private E-2

    one more thing...i can run the task manager, just with the message over it...and i click on the sqlna file that it finds, and there is an option to remove it...do you think that's worth trying, or will that do more harm than good?
     
  48. specialk128

    specialk128 Private E-2

    ok...so at the same time i made the first post here, i also posted on another forum (hoping multiple forums would produce one answer). someone finally got back to me on the other one and gave me a different suggestion. i decided to try it out tonight, just frustrated with this damn file...it made the file appear. i immediately deleted it, ran adaware and cwsshredder, and cleaned up the rest of the files. so the sqlna file is now gone from my computer (at least for now). however, every other time i've deleted things and thought i fixed the problem, a computer restart brought it all back. i'll let you know what happens when i turn my computer back on in the morning, but hopefully this will all be coming to an end soon. thank you again for all your help...hopefully the bug will be gone for good...if not, i'll be right back here tomorrow, racking your brain for help some more. thank you! :)
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you update and run Ad-aware today. They just added new references and I have had some luck fixing other people's problems with it and a little HijackThis clean up. Although to be positive it's fixed, we have to wait a while.
     
