aboutblank search
K1wial
11-07-2004, 05:41 PM
Hi
I have been hijacked with a new homepage thing and want to get rid of it but not pay for a spyware program. I have scanned with the free version of Ad-Aware or something and it found the nasties. I have CWShredder but it won't update. When I try to install the update it comes with a message "A required .DLL file OLEACC.DLL was not found". I am not sure how to use HijackThis. I am not great with computers.
Can anyone help?
Thanks
david eaton
11-07-2004, 06:06 PM
That file can be downloaded from http://www.dll-files.com/dllindex/dll-files.shtml?oleacc
To use HijackThis, copy it into its own folder, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
pop pop
11-07-2004, 06:15 PM
Sounds like you have definitely been hijacked. One of the experts will be along and help you. You need to be careful what you do with HijackThis. At this time, the only thing to do is run HJT (make sure it is in its own folder, not in temp or on the desktop), SAVE the log (do not fix anything). Then post your log back here in this thread for the experts to see. You post the log by doing a reply to this thread, copy and paste the log (do not send an attachment) here in your post. Someone will check it and advise you.
You should be sure you have all patches and service packs for your OS installed; have a running and up-to-date antivirus program, and have either a hardware or software firewall, or both. These are minimums.
david eaton
11-07-2004, 07:23 PM
While I do not disagree in principle with pop pop, that keeping your system fully updated is important, trying to install SP2 on an infected machine can be a recipe for disaster! Leave updates until you know the computer is clear of malware/hijackers.
K1wial
11-07-2004, 07:24 PM
This is the HijackThis log.
I had to do it from the desktop that's where it is.
Logfile of HijackThis v1.97.7
Scan saved at 13:18:24, on 8/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\APPHA.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37890.6237615741
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bc f1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b 37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
Thanks :)
pop pop
11-07-2004, 11:28 PM
David,
Somehow I did not see your post before mine. Sorry. And you are correct, of course, about SP2 installs on unclean machines. I'll be more careful in the future.
classicsoftware
11-08-2004, 11:11 PM
I don't think this will work. We may have to download another program to deal with this, but let's give it a try.
Boot into safe mode and have HJT fix the following
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\tubps.dll
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/...nfo/webscan.cab
Delete the following files:
C:\WINDOWS\SYSTEM\APPHA.EXE
C:\WINDOWS\tubps.dll
Re-boot into regular mode and re-post your HJT log. We need help from Budfred on this but the worst that can happen is it will come back. In that case we will need to use a different tool before cleaning with HJT.
Budfred
11-08-2004, 11:26 PM
You are right classicsoftware, that won't work and it may even make cleanup more difficult.... This is a really nasty CWS variant that takes a rather complex fix to kill.... I will give it a shot, but it requires that you follow the directions precisely, K1wial, or it will simply morph and we will have to start over....
This is a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service.
Prepare GetService for use:
Please download GetService (http://www.bleepingcomputer.com/files/spyware/getservices.zip).
Unzip getservice.zip to your hard drive or desktop.
Double-click on Getservice.bat.
It will open a text file that lists all of your active services.
Press Ctrl + A simultaneously to select all of the text.
Copy and paste the whole thing into your next post.
From the time you run Getservice.bat until you run the fix that I will post back in response to your log, it is VERY important that you do not reboot your computer or log off and back on again... If you do, the service will morph and we have to start over.... I will probably be able to post the fix back to you tomorrow evening if you can post the log before then... I am in the USA, so that will give you an idea of what time evening is.... :)
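As an added triage helper (not a tool from this thread, from HijackThis, or from any of the helpers posting here), the Python below parses HijackThis log lines and flags the kinds of entries the replies above single out: IE search/start pages pointed into a local DLL via res://, about:blank defaults, Trusted Zone additions, a BHO loaded from directly under the Windows folder, an O16 ActiveX download served from a domain that was also added to the Trusted Zone, and RunServices entries. The sample lines and the severity rules are assumptions modelled on this thread's log, not a definitive malware test.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A res:// URL that pulls an HTML page out of a local DLL (the CWS about:blank hallmark in this log).
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/\s]+\.dll)", re.IGNORECASE)


def parse_entries(text):
    """Split a HijackThis log into (code, body) tuples, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def trusted_zone_domains(entries):
    """Domains the log shows added to IE's Trusted Zone (O15 lines), wildcard prefix stripped."""
    domains = set()
    for code, body in entries:
        if code == "O15" and body.startswith("Trusted Zone:"):
            domains.add(body.split(":", 1)[1].strip().lstrip("*.").lower())
    return domains


def host_in_trusted(host, trusted):
    """True if host equals, or is a subdomain of, any Trusted Zone domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(text):
    """Return (severity, code, reason, body) findings for a HijackThis log.

    Severities are this example's own assumption: 'high' for the two signals that
    tie the log to a hijack (res:// DLL pages, ActiveX fetched from a self-trusted
    domain), 'medium' for settings worth fixing, 'low' for entries to verify.
    """
    entries = parse_entries(text)
    trusted = trusted_zone_domains(entries)
    findings = []
    for code, body in entries:
        if code.startswith("R"):
            m = RES_DLL_RE.search(body)
            if m:
                findings.append(("high", code, f"IE page redirected into local DLL resource {m.group('dll')}", body))
            elif body.rstrip().endswith("= about:blank"):
                findings.append(("medium", code, "IE page set to about:blank", body))
        elif code == "O15":
            findings.append(("medium", code, "domain added to IE Trusted Zone", body))
        elif code == "O2":
            # A BHO sitting directly in the Windows folder (not a subfolder, not Program Files).
            path = body.rsplit(" - ", 1)[-1].strip()
            if re.match(r"^[A-Z]:\\WINDOWS\\[^\\]+$", path, re.IGNORECASE):
                findings.append(("medium", code, "BHO loaded from a file directly under the Windows folder", body))
        elif code == "O16":
            # Correlate the download host with the Trusted Zone list collected above.
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlsplit(url).hostname or ""
            if host_in_trusted(host, trusted):
                findings.append(("high", code, f"ActiveX download from Trusted Zone domain {host}", body))
        elif code == "O4" and "RunServices:" in body:
            # On Win9x RunServices entries start before logon, so they deserve a second look.
            findings.append(("low", code, "RunServices entry (starts before logon on Win9x); verify the file", body))
    return findings


if __name__ == "__main__":
    for severity, code, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {reason}\n         {body}")
```

The script reads a saved log as text, so `triage(open("hijackthis.log").read())` works on a real file; it surfaces candidates for a helper to review, it does not decide what to fix.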
K1wial
11-09-2004, 02:36 AM
Thanks Budfred
But the program didn't work. It came up with the message "PSSERVICE.EXE file is linked to missing export NETAP132.DLL NetServer Enum." Is this because this nasty thing has deleted files I need to get rid of it?
Budfred
11-09-2004, 11:46 PM
I am not sure what that means... I will have to ask if anyone else knows in the forum it comes from unless someone here knows what that is about...
In the meanwhile... Try downloading it on another computer if you can and try running it again... It may be that the download was corrupted somehow...
ErnieK
11-10-2004, 07:13 AM
Hope this helps
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.73.B&VSect=T
And this
http://forums.thetechguys.com/archive/index.php/t-9267.html
Budfred
11-10-2004, 08:38 PM
Well, based on those links and the info at SWI, it would probably be a good idea to run the Housecall online virus scan and try again... If it doesn't work, use the regedit in the second post to run GetServices... If you have trouble figuring out how to set it up, post back... Start with the online virus scan and a run of GetServices though since that is easier....
K1wial
11-10-2004, 11:02 PM
I couldn't open the Housecall online scan. It just went not found page. I did the Bitdefender scan and this is some of what it did:
C:\WINDOWS\SYSTEM\q78kdov0.dll: infected with Trojan.Dialer.Coulom.B
C:\WINDOWS\SYSTEM\q78kdov0.dll: disinfection failed
C:\WINDOWS\SYSTEM\appha.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\SYSTEM\appha.exe: disinfection failed
C:\WINDOWS\SYSTEM\ipyn32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\ipyn32.exe: disinfection failed
C:\WINDOWS\SYSTEM\sdklp32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\sdklp32.exe: disinfection failed
C:\WINDOWS\SYSTEM\msaf32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\msaf32.exe: disinfection failed
C:\WINDOWS\SYSTEM\msaf.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\msaf.exe: disinfection failed
C:\WINDOWS\SYSTEM\ntde.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\ntde.exe: disinfection failed
C:\WINDOWS\SYSTEM\atlik.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\atlik.exe: disinfection failed
C:\WINDOWS\SYSTEM\atlew.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\atlew.exe: disinfection failed
C:\WINDOWS\SYSTEM\winsm.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\winsm.exe: disinfection failed
C:\WINDOWS\SYSTEM\addga.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\addga.exe: disinfection failed
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip=>alan stuart@advertising[4].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip=>alan stuart@servedby.advertising[7].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip=>alan stuart@servedby.advertising[6].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip=>sbRecovery.ini: password protected
C:\Destroy\Recovery\Advertisingcom10.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom11.zip=>alan stuart@rd.advertising[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom12.zip=>alan stuart@servedby.advertising[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom12.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom13.zip=>alan stuart@servedby.advertising[4].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom13.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>alan stuart@atdmt[3].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>alan stuart@atdmt[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>alan stuart@bfast[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>anyuser@bfast[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BonziBuddy.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>alan stuart@www.qksrv[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>alan stuart@www.qksrv[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>alan stuart@qksrv[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip=>alan stuart@commission-junction[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoreMetrics.zip=>alan stuart@data.coremetrics[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoreMetrics.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>alan stuart@doubleclick[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>alan stuart@doubleclick[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc.zip=>alan stuart@engage[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eGroup.zip=>sbRecovery.reg: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eGroup.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc1.zip=>alan stuart@engage[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc2.zip=>anyuser@engage[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc2.zip=>sbRecovery.ini: password protected
C:\RECYCLED\DC14.$$$: infected with Trojan.Downloader.Agent.Z
C:\RECYCLED\DC14.$$$: disinfection failed
C:\spmario\gate.exe: infected with Trojan.StartPage.OZ
C:\spmario\gate.exe: disinfection failed
It actually was more than this but it wouldn't fit in message.
So it doesn't look like anything is fixed. I'm not sure I know what you mean about using regedit in the second post and I can't run Getright.
Cheers
Budfred
11-11-2004, 12:09 AM
Did you use the Housecall link in my signature?? I just tried it and it worked.... Try that again, but it would probably also be a good idea to download and run the trial version of TDS3 or TrojanHunter since they specialize in trojans....
TDS3:
http://tds.diamondcs.com.au/index.php?page=download
TrojanHunter:
http://www.trojanhunter.com/
I believe you have to manually update both of them...
Don't worry about the listings with Spybot in them, that is just where they are cached until you clear the Spybot cache...
You won't be able to run GetServices until something changes and nothing has yet... I will post the Regedit if needed later...
K1wial
11-11-2004, 08:13 PM
I am a bit embarrassed. I seem to have fixed my problem by running the AVG antivirus I have loaded on my computer. When I first did this I hadn't updated it and it didn't pick up the Trojans. But after updating it, it did and got rid of them. I hope this is sorted now. Thanks for your help. I wasn't really aware there was so much of this crap going on but it strikes me that there is big business for the anti spyware programmers. Do these people invent the very spyware that they fix? I did notice that the pop ups that came up with my about blank "home page" were for Adaware!
I did get the housecall online to open from your signature today Budfred.
Budfred
11-11-2004, 08:33 PM
Ad-Aware (Lavasoft) doesn't do popups... If you saw them with that name, they probably led to a rogue program like NoAdware... The rogues often use spoofs of the legit programs' names to get you to download their trash... And no, the people that write the legitimate anti-spyware programs are not the same as the people writing the spyware... The people that write the rogue programs may write some of it however; one jerk even bragged that he might do that when his ripoff program was challenged... Go here to learn more about rogues:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
As for AVG fixing the problem... unless it has had a major update, it is unlikely that it has dealt with this problem... Trendmicro was working on a fix, but I haven't heard of AVG having one... It would be a good idea to post a fresh HJT log anyway since there was some other malware there that needed attention, but it would also be good to check for any remaining signs of the main problem....
You should be checking AVG, Spybot, and Adaware no more than about every three days for updates, and running them no less than that. If you are doing a lot of gaming, gambling, and other such sites, run them before shutdown. Consider downloading, installing and updating Spyware Blaster, and MRU Blaster. Some of us also like A-Squared, and Script Sentry. Try also http://www.grc.com/freepopular.htm ; I use DCOMbobulator, LeakTest, and UnplugnPray. There are also good browser tests at Jason's Tool Box.
K1wial
11-13-2004, 03:52 AM
Yes Budfred I think you are right, I haven't got rid of the lot yet. There is one virus that AVG listed that it couldn't get rid of. It comes up with the message on boot up. I'll put up the HijackThis log to see if you can pinpoint the problems. I'll have a go with TrojanHunter also. I'm obviously not vigilant enough in keeping the crap out of my computer.
Here's the HijackThis log anyway
Logfile of HijackThis v1.97.7
Scan saved at 21:38:44, on 13/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realenz.co.nz/misc/menumapOK.cfm?district=17
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37890.6237615741
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bc f1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b 37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
Cheers
Budfred
11-14-2004, 12:01 AM
There is a new tool now that can simplify identifying the bad service, so let's try that instead... Follow the instructions for GetService, but use this instead... Be sure to not reboot or log off until I can get the complete fix back to you...
http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
K1wial
11-14-2004, 01:08 AM
Budfred that service filter didn't work either - it doesn't work for Windows 98. The AVG comes up with the Trojan being WINDOWS\SYSTEM\APPHA\EXE
Budfred
11-14-2004, 01:30 AM
Doh!! I missed that you have Win98... I apologize... that explains why neither program works.... The good news is that this will be easier to fix because of that...
Download this:
http://www.malwarebytes.biz/AboutBuster.zip
Download this too, although you may not need it:
http://www.bleepingcomputer.com/files/shell98.php
Use the link in my signature to download the latest version of HJT (yours is very much outdated) and CWShredder...
Boot to Safe Mode... Run About Buster at least twice, run CWShredder a couple of times, run Ad-Aware SE (assuming you updated it earlier)... and then boot to Normal mode and run the updated HJT and then post the fresh log...
K1wial
11-14-2004, 03:07 AM
I have tried to follow your instructions but I goofed. I forgot to do the AboutBuster in safe mode. It did pick up stuff though. I can't run Coolweb Search as discussed earlier - I tried to get the required .dll file but I don't know how to save to Windows\system as is required. Sorry that I'm so inept.
I did download the updated HijackThis and will post the log now before going to bed. It's not late here but I'm very tired. (9pm) Oh, I don't have Ad-Aware SE. I have been downloading all these fixes and things, there's so bloody many.
Logfile of HijackThis v1.98.2
Scan saved at 20:57:22, on 14/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\SYSTEM\OLINE.DLL
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
Budfred
11-14-2004, 07:38 PM
Have you tried downloading and running CWShredder since you started the cleanup... if not, do so... Also, do the same with the other scans... The more we clean up, the more the various programs should work...
Please open HJT and check these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
I couldn't confirm if these are good or bad... if you don't recognize them, check them too:
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\SYSTEM\OLINE.DLL
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
Now close all open windows except HJT and click on Fix Checked... Reboot and post a fresh log... We may need to do more digging to get out the hidden DLL, but I am hoping the scans will take care of it, especially Trendmicro and/or CWShredder 2.0....
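The triage Budfred is doing by hand above follows a few repeatable rules: IE search settings pointing at a res:// page inside a local DLL or reset to about:blank, hosts-file redirects, BHO/protocol handlers whose DLL is "(file missing)", unrecognised RunServices images, anything added to the Trusted Zone, and ActiveX downloads from unknown hosts. As an added example (not from this thread or from HijackThis itself), the following Python script applies those rules to HJT v1.98-style log lines; the sample lines are taken from the logs above, and the two allowlists are constructed assumptions built from the clean entries in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed allowlists: ActiveX hosts and autostart images that appear in the
# clean parts of this thread's logs. A real machine needs its own lists.
KNOWN_DPF_HOSTS = {"download.macromedia.com", "www3.ca.com", "www.bitdefender.com"}
KNOWN_RUN_IMAGES = {"mstask.exe", "iomon98.exe", "avgserv9.exe", "rundll32.exe",
                    "systray.exe", "avgcc32.exe", "msmsgs.exe"}

# HJT entry: section code, " - ", then the body of the entry.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
"""

def classify(line):
    """Return a reason string if the entry looks like hijack residue, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                      # IE start/search page settings
        if "res://" in body:
            return "IE search setting points at a res:// page inside a local DLL"
        if body.endswith("= about:blank"):
            return "IE search setting reset to about:blank"
        if "is missing" in body:
            return "default URLSearchHook has been removed"
    elif sec == "O1":                            # HJT only lists non-default hosts entries
        return "hosts-file redirect"
    elif sec in ("O2", "O18") and "(file missing)" in body:
        return "handler registered for a DLL that is not visible on disk"
    elif sec == "O4" and "] " in body:           # Run/RunServices: [name] command
        cmd = body.split("] ", 1)[1].strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        image = exe.rsplit("\\", 1)[-1].lower()
        if image not in KNOWN_RUN_IMAGES:
            return f"autostart image {image} is not on the allowlist"
    elif sec == "O15":                           # sites granted Trusted Zone rights
        return "site added to the IE Trusted Zone"
    elif sec == "O16":                           # downloaded ActiveX controls
        host = urlparse(body.split(" - ")[-1].strip()).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return f"ActiveX download from unrecognised host {host}"
    return None

def triage(log_text):
    """Return [(section, reason, line)] for every entry that deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line.strip()))
    return hits

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {line}")
```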
K1wial
11-15-2004, 03:02 AM
Logfile of HijackThis v1.98.2
Scan saved at 20:55:40, on 15/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
I followed those instructions and above is the new scan.
I still can't get CoolWeb update to install to use.
Budfred
11-15-2004, 10:28 PM
Did you try to fix these items??
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
If not, please do so....
Where are you trying to download CWShredder?? The new version is not available in all the same sites as the old one and it is now distributed by InterMute which will try to sell you other products... Also, Cool Web is the problem, not the fix... CWShredder is the fix... Download it from here:
http://www.intermute.com/spysubtract/cwshredder_download.html
K1wial
11-16-2004, 01:19 AM
I must have missed those items. I have now scanned and fixed them. I meant CWShredder. I did try to download it from intermute.com, also the SpySubtract, but when I try to install either of these I get the message "A required .DLL file OLEACC.DLL was not found".
Budfred
11-16-2004, 10:03 PM
Well just post a fresh log and we will see if you are still clean... If so, you may not need the other programs... You may have some OS repair to do though....
K1wial
11-18-2004, 02:58 AM
Here is the fresh HiJack log. The searchmiracle one is dodgy, isn't it?
Logfile of HijackThis v1.98.2
Scan saved at 20:50:40, on 18/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
Budfred
11-18-2004, 07:03 PM
It appears that I missed something... sorry...
Open HJT and check this:
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
Close all windows except HJT and click Fix Checked...
Otherwise the log looks clean... is the computer running okay??
K1wial
11-20-2004, 03:18 AM
The computer seems to be running OK. Thanks for your help to all who responded. What OS repairs do you mean Budfred?
Budfred
11-20-2004, 07:20 AM
Sometimes when you clean up this particular garbage, it can leave things like Notepad and other aspects of Windows disabled, so you need to replace and fix these issues....