Missing Dll "PSAPI.dll"


slim
11-11-2003, 07:26 AM
Hi Guys,

On a colleague's home computer, when it is started up it says that the DLL "PSAPI.dll" is missing.

Does anyone know what this is used for and how to restore it?

Also, I do not know if this is related, but he also says that some of the desktop icons keep disappearing.

Any ideas or suggestions appreciated.

pave_spectre
11-11-2003, 07:42 AM
Has he tried scanning for Viruses and spyware?

shanmuga
11-11-2003, 07:46 AM
What OS is he using?

Psapi.dll is a Windows NT file!

Microsoft process status helper (PSAPI.DLL) is a small dynamic link library that makes it easier to obtain information about processes and device drivers running under Microsoft® Windows NT®.

A psapi.dll error on a Windows 9x machine is caused by Spyware... may be cws.

Please post the hijack log.

shanmuga
11-11-2003, 07:55 AM
Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
Hijack This (http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip)
CWS shredder (http://216.180.252.218/~spywareinfo.com/downloads/tools/cwshredder.zip)

slim
11-12-2003, 09:35 AM
Guys,

Thanks for your help so far, attached is the log file. I can already see evidence of CWS and also it looks like there is a dialler program as well: "O4 - HKCU\..\Run: [od-teen204] c:\program files\Webdialer\od-teen204.exe -m".

Boy, is there some rubbish on my colleague's home computer, glad it is not my computer.

Anyway, are there any other problems you can see in the log?

Logfile of HijackThis v1.97.5
Scan saved at 12:42:53, on 12/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = hxxp://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = hxxp://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = hxxp://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://yourbookmarks.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://images.only-virgins.com/cgi-bin/warning.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxxp://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = hxxp://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = hxxp://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = hxxp://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = hxxp://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = hxxp://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://ie-search.com/srchasst.html (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {FFD2825E-0785-40C5-9A41-518F53A8261F} - C:\WINDOWS\SITEHLPR.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM216.DLL
O2 - BHO: MSM Helper - {1E1B2879-88FF-11D2-8D96-000000000003} - C:\WINDOWS\SYSTEM\SSOCKS5.DLL
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\MSCHGL.DLL
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Shell] c:\tray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O7 "EPUSB1:" /M "Stylus C42"
O4 - HKLM\..\Run: [transex] C:\TRANSEX\TRANSEX.EXE /nostart
O4 - HKLM\..\Run: [Adult_Chat] C:\WINDOWS\Adult_Chat.exe -n
O4 - HKLM\..\Run: [sexotransexualgb] C:\sexotransexualgb\SEXOTRANSEXUALGB[1].EXE -t
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemSysPnP 128 oemsyspnp.inf
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKCU\..\Run: [5-1-25-484] c:\windows\young_girls.exe -m
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\teen273\OD-TEEN273_GB[1].EXE -remove
O4 - HKCU\..\Run: [od-teen204] c:\program files\Webdialer\od-teen204.exe -m
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - User Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - User Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.waitsex.com
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - hxxp://66.230.143.209/loader/dploader.cab
O16 - DPF: {4CBBC676-507F-11D0-B98B-000000000000} - hxxp://www.bc777.com/software/SiteHlpr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - hxxp://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - hxxp://econnect.libereco.net/econnect.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - hxxp://directplugin.com/tl4000.dll
O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - hxxp://www.movie-browser.com/plugin/109544.exe
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - hxxp://217.145.76.16/nslite/nslite.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - hxxp://64.200.22.225/EPlugin.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - hxxp://63.217.31.12/dial/058361uk.exe
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - hxxp://63.219.181.7/MaConnect.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
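
As an added example (not from this thread or from HijackThis itself), a small Python triage script that applies the kind of checks the replies make by hand to a few constructed lines in the log's format: IE start/search pages pointing away from an owner-chosen allowlist, a win.ini run= entry, autoruns with no directory path, untrusted Trusted Zone sites, and ActiveX controls pulled from a bare IP address. The allowlist and the rules are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format, modelled on the log in this
# thread ("hxxp://" is the log's own URL defanging, reversed before parsing).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://webcoolsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxxp://193.125.201.50
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = hxxp://www.google.co.uk
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.waitsex.com
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - hxxp://66.230.143.209/loader/dploader.cab
"""
TRUSTED_HOSTS = {"www.google.co.uk", "msn.com"}  # assumed: sites the owner chose

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)
BARE_EXE_RE = re.compile(r"\] \\?[^\\:\s]+\.exe", re.IGNORECASE)  # no drive or dir
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def host_of(text):
    """Hostname of the first URL in text (defanging reversed), or None."""
    m = URL_RE.search(text)
    return urlparse(m.group(0).replace("hxxp", "http", 1)).hostname if m else None

def trusted(host):
    return host in TRUSTED_HOSTS or any(host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage(log):
    """Return (section, reason, line) for every entry that needs manual review."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        host = host_of(body)
        if sec in ("R0", "R1") and host and not trusted(host):
            findings.append((sec, "IE default points at untrusted host " + host, line))
        elif sec == "F1":  # legitimate Win9x software rarely autostarts via win.ini
            findings.append((sec, "program launched from win.ini run=", line))
        elif sec == "O4" and BARE_EXE_RE.search(body):
            findings.append((sec, "autorun with no directory path; verify the binary", line))
        elif sec == "O15" and not trusted(body.split(":", 1)[1].strip().lstrip("*.")):
            findings.append((sec, "untrusted site in IE Trusted Zone", line))
        elif sec == "O16" and host and IPV4_RE.fullmatch(host):
            findings.append((sec, "ActiveX control served from a bare IP address", line))
    return findings
```

Bare-filename O4 entries such as a stock SysTray.Exe will also be reported, which is why that rule asks for a manual check rather than claiming malice.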

Paul Komski
11-12-2003, 03:10 PM
Have never studied HijackThis so I would leave it to others - but you certainly have the CWS baby! (http://www.spywareinfo.com/~merijn/cwschronicles.html)

LOL - but you knew that anyways. :)

david eaton
11-12-2003, 03:15 PM
Yup, Paul is right about CWS. Other things too, but to deal with the CWS, download CWShredder (http://www.spywareinfo.com/~merijn/files/cwshredder.zip)

Unzip and run it.
Also download SPYBOT (http://tomcoyote.org/SPYBOT/).
Unzip the program, run it and before scanning, search for and install all updates.
Then run a scan, and fix everything it labels in red.

Then run HijackThis again, and post a fresh log so we can see what's left.