Followed your steps, STILL NEED HELP!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PleaseHelp, Dec 22, 2004.

  1. PleaseHelp

    PleaseHelp Private E-2

    I posted about my CWS problem yesterday. I've been working since then to try and fix my computer. I've done all of the scans from your list (at least all of the ones that would work). I feel like I've tried everything, and I'm not seeing any progress. Please help me!
    Here's what I've done so far...

    _______________________________________________
    Ran CCleaner, worked fine.

    _______________________________________________
    When running AdAware SE, it will scan and quarantine, but freezes during the deletion stage.
    _______________________________________________
    Spybot ran but was unable to remove all of the infected files. It suggested a restart and then running again; this still did not fix all problems. All of the listed problems were CoolWWWSearch... and Common Hijacker.
    _______________________________________________
    Ran Kill2Me, this removed the "Look2Me" infection
    When I attempted to run AboutBuster I received the error message that the database was corrupted or missing
    _______________________________________________
    I'm still getting popups, and IE still opens to Cool Web Search
    ______________________________________________
    I ran the SmartKiller but it gave me the "not detected" message (which someone said meant that there wasn't a virus). When I ran CWShredder these were my results...

    Done!
    Removed from your system:
    - CWS.Bootconf
    - Hosts file redirections

    Windows 98 (4.10.1998)
    CWShredder v1.59.1
    Written by Merijn - merijn@spywareinfo.com

    For any additional help with this program or removing CWS, visit:
    http://forums.spywareinfo.com/

    For information and documentation on the Coolwebsearch
    trojan and its variants, visit:
    http://www.spywareinfo.com/~merijn/cwschronicles.html

    For donations to help support CWShredder, visit:
    http://www.spywareinfo.com/~merijn/donate.html

    _____________________________________________

    I then ran spybot

    These were the viruses it was unable to fix
    coolWWWsearch.bootconf
    coolWWWsearch.loadbat
    coolWWWsearch.Msconfd
    coolWWWsearch.oslogo
    coolWWWsearch.tapicfg
    coolWWWsearch.xmlmimefilter

    _____________________________________________

    I'm continuing to get error messages from a number of programs (the most popular being "Explorer has performed an illegal operation and will now shut down").
    _____________________________________________

    When I hit Control-Alt-Delete to see all of the programs, they are listed as...

    saie
    rundll32 (appears twice)
    gmt
    Ipclient (2x)
    ZIclient
    Webrebates0
    cmesys
    Wzqkpick
    Rrew
    Ipmon32 (2X)
    Rundll
    motivesb
    Winpppoverethernet
    Mpbtn
    Rnaapp
    sed
    Winupat1
    Csv10p070
    Webrebates1
    Lch
    ___________________________________________

    I also ran HijackThis, here is the logfile

    Logfile of HijackThis v1.99.0
    Scan saved at 3:08:20 PM, on 12/22/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\PROGRAM FILES\SED\SED.EXE
    C:\WINDOWS\SYSTEM\WINUPDTL.EXE
    C:\PROGRAM FILES\CSBB\CSV10P070.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\WINDOWS\APPLICATION DATA\RREW.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MPBTN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\KALVFSL32.EXE

    --> unable to fix WinsockLSP
    I ran the program again and it listed even more problems.

    _____________________________________________

    Bit Defender - ran for two hours, still not complete, so far 14 infected objects

    C:\WINDOWS\SYSTEM\error32.dat: infected with Trojan.Startpage.NK
    C:\WINDOWS\SYSTEM\error32.dat: disinfection failed
    C:\WINDOWS\SYSTEM\systime.exe: infected with Trojan.StartPage.PU
    C:\WINDOWS\SYSTEM\systime.exe: disinfection failed
    C:\WINDOWS\SYSTEM\kalvfsl32.exe: infected with Trojan.Startpage.NK
    C:\WINDOWS\SYSTEM\kalvfsl32.exe: disinfection failed
    C:\WINDOWS\SYSTEM\kalvtnh32.exe: infected with Trojan.Startpage.NK
    C:\WINDOWS\SYSTEM\kalvtnh32.exe: disinfection failed
    C:\WINDOWS\SYSTEM\winupdtl.exe: infected with Trojan.Downloader.WinU.ST
    C:\WINDOWS\SYSTEM\winupdtl.exe: disinfection failed
    C:\WINDOWS\SYSTEM\idhuhx.exe=>(Upx): infected with Trojan.Downloader.Agent.AE
    C:\WINDOWS\SYSTEM\idhuhx.exe=>(Upx): disinfection failed
    C:\WINDOWS\SYSTEM\Cache\cxtpls_loader.exe: infected with Adware.Apropos
    C:\WINDOWS\SYSTEM\Cache\cxtpls_loader.exe: disinfection failed
    C:\WINDOWS\SYSTEM\saiehook.dll: infected with Adware.1088
    C:\WINDOWS\SYSTEM\saiehook.dll: disinfection failed
    C:\WINDOWS\SYSTEM\dsypjd.exe: infected with Adware.Adlogix
    C:\WINDOWS\SYSTEM\dsypjd.exe: disinfection failed
    C:\WINDOWS\SYSTEM\dsypjc.exe: infected with Adware.Adlogix.A
    C:\WINDOWS\SYSTEM\dsypjc.exe: disinfection failed
    C:\WINDOWS\SYSTEM\akupd.dll: infected with Trojan.Downloader.Agent.BR
    C:\WINDOWS\SYSTEM\akupd.dll: deleted
    C:\WINDOWS\SYSTEM\akrules.dll: infected with Trojan.Downloader.Agent.BT
    C:\WINDOWS\SYSTEM\akrules.dll: disinfection failed
    C:\WINDOWS\SYSTEM\aklsp.dll: infected with Trojan.Downloader.Agent.BR
    C:\WINDOWS\SYSTEM\aklsp.dll: disinfection failed
    C:\WINDOWS\SYSTEM32\randreco.exe=>(ASPack 2.12): infected with Trojan.Downloader.Agent.AF
    C:\WINDOWS\SYSTEM32\randreco.exe=>(ASPack 2.12): disinfection failed
    C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
    C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
    C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Altnet.zip=>sbRecovery.ini: password protected
    (the remaining ones were the same problems again)


    Please HELP me! This is starting to frustrate me. I'm not a technical person, but I've tried everything I can....
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    Looks like you have the nasty baddie that's been going around lately. It is hard to remove from Windows 98 machines, but we can give it a go! But first, we need to clean up your machine a bit.

    Please ATTACH a complete HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    Also, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but will try to take a look when I get some free time - Holidays a bit hectic!

    Best :)
    PP
     
  3. PleaseHelp

    PleaseHelp Private E-2

    Attached is the HijackThis logfile. I made sure to run it from a safe location. Thanks again for helping!
     

    Attached Files:

  4. Jedi5

    Jedi5 Private E-2

    PP,

    What are your thoughts on this?
    This is what I saw as baddies:

    C:\WINDOWS\SYSTEM32\XPSP2FW.EXE


    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: (HKLM)
     
  5. PhilliePhan

    PhilliePhan Guest

    Jedi5 - Looks like you ID'd everything - Good Eye! Are you comfortable running PleaseHelp through LSP-Fix and the rest of the removal steps? Be sure to Delete that trojan - It sometimes refuses to die easily!
    Let me know if you need any assistance.

    PP :)
     
  6. PleaseHelp

    PleaseHelp Private E-2

    Thank you for your interest guys!
    If I'm still trying to run AdAware and such should I post you a new updated HijackThis file, or will the old one be sufficient?
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    To start, please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see it, try to END it if possible:

    XPSP2FW.EXE

    Now scan with HijackThis and Check the Boxes for the following:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll ---> These should be gone due to LSP-Fix
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll

    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: (HKLM)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if it should remain:

    C:\WINDOWS\SYSTEM32\XPSP2FW.EXE

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
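
Jedi5's triage in post 4 and the fix list in the post above act on four classes of HijackThis line: a missing default URLSearchHook (R3), Run-key entries whose names imitate Windows components (O4), an unknown Winsock LSP DLL that HJT alone cannot safely remove (O10, hence LSP-Fix first), and entries in the IE Trusted zone (O15). The following is an added example, not code from the thread, from HijackThis or from LSP-Fix: a small Python script that reads an HJT-format log, reports those same classes, collapses the repeated O10 lines, and marks which flagged Run binaries also appear in the running-process list (the ones the instructions have you end in Task Manager and then delete in Safe Mode). The sample log is constructed from lines quoted in this thread, not the attached log; the KNOWN_GOOD_RUN allowlist, the Finding record and the whitespace-padding heuristic for Run names (the `[Windows Update Client ]` entry carries a trailing space) are this example's own assumptions, not HJT features.

```python
"""Triage a HijackThis (HJT) log for the indicator classes this thread acts on.

Added example; not part of the thread, of HijackThis or of LSP-Fix.
"""
import re
from dataclasses import dataclass

# Constructed from the lines quoted in this thread; not the attached log itself.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows 98 Gold (Win9x 4.10.1998)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\TASKMON.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: (HKLM)
"""

# Run entries the analyst has already vetted. This allowlist is an assumption of
# the example; HijackThis itself has no such list.
KNOWN_GOOD_RUN = {
    r"C:\WINDOWS\TASKMON.EXE",
    r"C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE",
}


@dataclass(frozen=True)
class Finding:
    code: str            # HJT section code: R3, O4, O10, O15
    item: str            # path, IP or text the finding is about
    reason: str
    running: bool = False  # binary also listed under "Running processes"


LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK[A-Z]{2})\\\.\.\\(\w+): \[(.*)\] (.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP: (.*)$")
O15_RE = re.compile(r"^Trusted (?:IP range|Zone): (.*)$")


def parse_hjt(text):
    """Split an HJT log into its running-process list and its (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = LINE_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line.lower())
    return processes, entries


def triage(text, known_good_run=()):
    """Return de-duplicated findings for the R3 / O4 / O10 / O15 classes."""
    processes, entries = parse_hjt(text)
    known_good = {p.lower() for p in known_good_run}
    seen, findings = set(), []

    def add(code, item, reason):
        key = (code, item.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(code, item, reason, item.lower() in processes))

    for code, body in entries:
        if code == "R3" and "URLSearchHook is missing" in body:
            add(code, body, "default URLSearchHook removed; let HJT restore it")
        elif code == "O10":
            m = O10_RE.match(body)
            if m:
                add(code, m.group(1), "unknown Winsock LSP DLL; remove with LSP-Fix before fixing in HJT")
        elif code == "O15":
            m = O15_RE.match(body)
            if m:
                add(code, m.group(1), "entry in the IE Trusted zone; should be empty unless you added it")
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            hive, _key, name, path = m.groups()
            if path.lower() in known_good:
                continue
            if name != name.strip():
                add(code, path, f"Run entry '[{name}]' padded with whitespace to mimic a legitimate name")
            else:
                add(code, path, f"unvetted {hive} Run entry '{name}'")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_GOOD_RUN):
        flag = "  [RUNNING: end it in Task Manager, delete in Safe Mode]" if f.running else ""
        print(f"{f.code:<4} {f.item}  -- {f.reason}{flag}")
```

Run against a real log, the O4 branch lists every Run entry you have not added to the allowlist, which is the point: on a machine like this one, anything not recognised is worth a look, and the `running` flag tells you which entries need the Task Manager step before the Safe Mode deletion.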
     
  8. PleaseHelp

    PleaseHelp Private E-2

    Thank PhilliePhan!

    ____________________

    Because I'm running Windows 98 I could not use a system restore feature (the tutorial said only XP or ME). I remembered to show my hidden files - should I check them back to being hidden now?

    Everything ran well with the LSP-fix.

    XPSP2FW.EXE was running in my task manager so I ended it as you said.

    I ran HJT and removed the files I checked - none of the O10 files were listed (gone from the LSP-Fix).

    I booted in safe mode and deleted the XPSP2FW.EXE.

    CCleaner ran fine, and Spybot S&D said "no immediate threats"

    I ran the cleanmgr with those three boxes checked.

    Following your directions I rebooted and ran HJT in normal mode... attached is the new log file.

    ____________________

    The computer is running much quicker now, and I'm not getting as many pop-up alerts from ZoneAlarm. Thanks so much again for helping, especially during this busy time of year!
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    Sorry about the System Restore bit - I use a copy and paste boilerplate for many fixes and forgot to take that part out! :) On a positive note, you do not have the really nasty baddie that I first thought you had!

    You still have a few remainders in your HJT Log to deal with. Have HijackThis fix these lines:

    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe

    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe

    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: (HKLM)


    Make sure all browser windows are closed when you click FIX.

    Then, boot to Safe Mode with the viewing of hidden files enabled and delete the following, if found:

    C:\WINDOWS\system32\xpsp2fw.exe

    C:\WINDOWS\system32\wuclient.exe

    Then, please reboot and attach a fresh log and we'll see if we got them this time!

    Also, you are running HijackThis from the Desktop. Personally, I prefer to see it in a SAFER folder such as the example I gave in my first post. While the Desktop is not the worst place for it, you must be careful not to inadvertently delete the backups created by HJT.

    PP :)
     
  10. PleaseHelp

    PleaseHelp Private E-2

    Here's the new log - those two O15 buggers won't go away...
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    I hope this is not a new "Hard to Remove" baddie! We've seen a few recently!

    Try this:

    Open HijackThis and select the Open Misc Tools Section button.

    Now, select Open hosts file manager.

    Look in the Hosts file and DELETE All entries below this one:

    127.0.0.1 localhost


    Then rescan with HJT and remove the O15 entries, should they remain.

    Then reboot, rescan and attach a fresh log. I will have to check back tonight some time - probably in the wee hours. I'll try to find out a bit more about what we are dealing with.

    PP :)
     
  12. PleaseHelp

    PleaseHelp Private E-2

    I'm getting an error message :

    "Cannot find the hosts file.
    Do you want to create a new, default hosts file?"

    :confused:
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    Don't know what I was thinking - Confused the Trusted Zone with the Hosts File . . . I would blame it on my unfamiliarity with Windows 98, except it has nothing to do with that!! ;)

    Please look for the Hosts file in C:\WINDOWS\Hosts. If you find it, open it using Notepad and let me know what it says.

    If you do not find it, then do the bit with HijackThis and allow it to create a default Hosts file. Then, check C:\WINDOWS directory and make sure it is there.


    For the trusted zone items, open IE and select Tools > Internet Options > Security > Trusted Sites. Look in Trusted Sites and see if you are able to manually remove all items. Let me know how you fare - I'll try to check back when time permits.

    PP :)
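
The two spots the post above sends the user to are the hosts file (everything below `127.0.0.1 localhost` is to go) and the IE Trusted zone, which HijackThis reports as O15 lines. The Trusted zone lives in the registry under `Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap`: `Ranges\RangeN` keys hold a `:Range` string for an IP or IP range, `Domains\<domain>` keys hold names, and in each a per-protocol DWORD (`*`, `http`, `https`) gives the zone number, with 2 meaning Trusted sites. The same keys exist under HKEY_LOCAL_MACHINE as well as HKEY_CURRENT_USER, which is where HJT's `(HKLM)` entries come from. The following is an added example, not code from the thread, from HijackThis or from Microsoft: Python that lists the hosts-file redirections and parses a regedit export of the ZoneMap keys to show what is mapped to the Trusted zone in either hive. Both inputs are constructed: the hosts text follows the Windows 9x `C:\WINDOWS\HOSTS` layout with the thread's IP pointed at made-up example.com names, and the .reg text imitates a `REGEDIT4` export with the thread's IP plus an invented `example.com` domain that is mapped to the Internet zone, so that the zone filter has something to exclude. Reading the live registry is left out so the block runs anywhere; on the affected machine you would export the ZoneMap key with regedit and feed that file in.

```python
"""List hosts-file redirections and IE ZoneMap entries mapped to the Trusted zone.

Added example; not code from the thread, from HijackThis or from Microsoft.
"""
import re

# URL security zone numbers used by the ZoneMap per-protocol values.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of C:\WINDOWS\HOSTS (the Windows 9x location); the
# example.com names are invented for illustration.
HOSTS_SAMPLE = r"""
# Hosts file sample (constructed)
127.0.0.1       localhost
213.159.117.133 www.example.com   # constructed redirection
213.159.117.133 search.example.com
"""

# Constructed regedit export of the ZoneMap keys in both hives. The example.com
# domain is invented and deliberately mapped to zone 3 (Internet), not Trusted.
REG_SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="213.159.117.133"
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="213.159.117.133"
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"http"=dword:00000003
"""


def hosts_redirections(text):
    """Return (ip, hostname) pairs other than the localhost line.

    These are exactly the lines the thread says to delete; listing them first
    lets you see what the redirections pointed at before they go.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if ip == "127.0.0.1" and name.lower() == "localhost":
                continue
            found.append((ip, name))
    return found


KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.*)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
ZONEMAP_RE = re.compile(r"Internet Settings\\ZoneMap\\(Ranges|Domains)\\(.+)$", re.IGNORECASE)


def zonemap_entries(reg_text):
    """Parse a regedit export into (hive, target, protocol, zone) tuples.

    Ranges keys name their target in the ':Range' value; Domains keys encode it
    in the key path (Domains\example.com\www means www.example.com).
    """
    entries = []
    current = None   # the ZoneMap key being read, or None for any other key

    def flush():
        if current is None:
            return
        if current["kind"] == "Ranges":
            target = current["range"]
        else:
            target = ".".join(reversed(current["path"].split("\\")))
        for proto, zone in current["protocols"].items():
            entries.append((current["hive"], target, proto, zone))

    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            flush()
            zm = ZONEMAP_RE.search(km.group(2))
            current = None
            if zm:
                current = {"hive": km.group(1), "kind": zm.group(1).capitalize(),
                           "path": zm.group(2), "range": None, "protocols": {}}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, dword, string = vm.groups()
            if name == ":Range":
                current["range"] = string
            elif dword is not None:
                current["protocols"][name] = int(dword, 16)
    flush()
    return entries


def trusted_zone_entries(reg_text, zone=2):
    """Entries mapped to the given zone (2 = Trusted sites) in either hive."""
    return [(hive, target, proto)
            for hive, target, proto, z in zonemap_entries(reg_text) if z == zone]


if __name__ == "__main__":
    for ip, name in hosts_redirections(HOSTS_SAMPLE):
        print(f"hosts: {name} -> {ip}")
    for hive, target, proto in trusted_zone_entries(REG_SAMPLE):
        print(f"{hive}: {target} ({proto}) is in {ZONE_NAMES[2]}")
```

An entry that keeps coming back after HJT fixes it is worth checking in both hives: HJT's Trusted Sites dialog edit in the post above only touches the current user's half, while the `(HKLM)` line refers to the machine-wide key.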
     
  14. PleaseHelp

    PleaseHelp Private E-2

    The C:\WINDOWS\Hosts file was not in Windows Explorer, so I had HJT create a default hosts file. I also couldn't find this in Windows Explorer, though. I've attached the hosts file HJT created (I saved it as a txt file).

    In the security section of IE I found 213.159.117.133 as a trusted site (the only one listed actually) and manually removed it.

    I then ran HJT again to see if it would be removed. 213.159.117.133 was no longer there, but the O15 - Trusted IP range: (HKLM) is still there. I've posted that log as well.
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    You shouldn't need to use Windows Explorer to find the Hosts file. Just click My Computer > Local Disk C: > and click on the Windows directory and browse to the Hosts file. It should be OK if you had HJT create one.

    Try having HijackThis remove the O15 - Trusted IP range: (HKLM) entry. I've not seen those two before - Hopefully, this'll do the trick! Now that your trusted zone is empty, your machine is likely OK.
    How are things running now?

    PP :)
     
  16. PleaseHelp

    PleaseHelp Private E-2

    Everything seems to be working fine, but that HKLM won't go away. If you think the computer is OK with it, I'll just let it go... it doesn't appear to be affecting it very much.

    Thanks for everything :)
     
  17. PhilliePhan

    PhilliePhan Guest

    Hi PleaseHelp,

    I don't like the idea of leaving that hanging - Keep an eye on your Trusted Zone and make sure that no iffy items creep back in! If you have problems down the road, please check back and reference this thread. Hopefully we'll have an idea what that baddie is.

    Please take a look at Chaslang's suggestions and apply the ones that fit your OS!

    How to Protect yourself from malware!

    Best :)
    PP
     
  18. PleaseHelp

    PleaseHelp Private E-2

    Thanks PP, I'll keep my eye on things and check back if something goes wrong. Thanks for everything :) Happy New Year!
     
  19. Jedi5

    Jedi5 Private E-2

    Oops, sorry guys for not checking back with this thread.:eek:

    My bad. Got caught up with last minute Christmas shopping and what not.

    I see that everything turned out well though.

    Rafael
     
