coolsearch.biz has taken over my home page

[gregory777]

Hey,
I'm having some major problems with the stupid Coolsearch virus. It keeps on changing my homepage on me and I'm getting rather pissed. The thing is, I have a very old computer, and OS (Windows 95), and I keep on looking for something to stop this stupid thing, but I can't find squat. Somebody help me please!!! This is really driving me and my family crazy!!!
Your help would be greatly appreciated.
From,
Gregory

 

[cybertech]

Welcome to TSG!!

Make a folder on your hard drive, like My Documents\HJT
Download Hijackthis.
Unzip the file to the folder on your hard drive.

Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log".

Copy and paste it back here and someone will be happy to review it.

Don't make any changes until instructed to do so.

 

[gregory777]

Here is what my log:
Logfile of HijackThis v1.98.2
Scan saved at 1:19:58 AM, on 9/12/04
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX0R.8FE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.canada.com/national/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.gaysbase.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

 

[cybertech]

Make a folder for hijackthis.exe and move it there.

Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer after you've fixed the items found.

Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.

Restart your computer and post another HJT log for review.

 

[gregory777]

There's just one slight problem with that. I can't download and install it because it says on the website that my OS has to be Windows 98 or later.
From,
Gregory

 

[cybertech]

Before you do this you need to move hijackthis into folder or you will loose the backups it creates. Make a folder like c:\program files\hjt and run hijackthis from there.


Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)


Close all applications and browser windows before you click "fix checked".


Restart in Safe Mode

Delete these files:
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\Program Files\DownloadWare\dw.exe
C:\WINDOWS\SUSP.exe
C:\WINDOWS\BELT.exe
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\ALCHEM.exe
C:\Program Files\Lycos\IEagent\Loader.exe
C:\WINDOWS\upcfox.exe

Delete these folders:
C:\PROGRAM FILES\PIOLET
C:\PROGRAM FILES\SAVE
C:\PROGRAM FILES\SCBAR
C:\PROGRAM FILES\ezula


Empty these folders:
c:\temp
c:\windows\temp

Empty your Temporary Internet Files and history in Internet Options.


Reboot and post another log.

 

[gregory777]

Ok, I just tried that, and well, something weird is going on...
I was able to delete the file
C:\Windows\System\Services\MSXMIDI.exe with no problems, however the following files actually have .INI commands rather than .exe commands:
C:\Windows\Susp, C:\Windows\Belt, C:\Windows\Sysupd, C:\Windows\Alchem, and C:\Windows\upcfox
Also, I wasn't able to the find the following files at all:
C:\Program Files\DownloadWare\dw.exe and
C:\Program Files\Lycos\IEagent\Loader.exe
I haven't done anything except delete the MSXMIDI.exe program file, because I don't want to make things on my computer worse.
So, anyways, should I delete the files I did find listed above even though they're .INI?
I really appreciate your time and effort in towards helping me.
From,
Gregory
P.S. Be aware, there are 2 new worms on the internet, so be careful of what you download. For more info, go to http://www.msn.com

 

[cybertech]

Yes, there are ini files that go with these, you should remove those as well.

 

[gregory777]

Thanks for the info. It's very much appreciated.
From,
Gregory

 

[gregory777]

Here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 6:00:52 AM, on 9/14/04
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX01.BBH\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/national/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {3CDFDCF0-73D3-4BD3-2A46-E3F51629B121} - C:\WINDOWS\Hbkkfyeb.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O3 - Toolbar: Search - {9BB86D2E-5DB3-0084-4F7B-E42024593C3C} - C:\WINDOWS\Hbkkfyeb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe

 

[gregory777]

For some reason, I keep getting the following error, everytime I reboot computer, now I don't remember what it exactly says, but here's the general message:
RUNDLL ERROR
C:\WINDOWS\BXXSS5.DLL unspecified or something like that.
Does anybody know why I'd be getting this error?
From,
Gregory

 

[cybertech]

This log looks very much like the last one. Were you unable to delete the files?

Run HJT again and put a check in the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode

Delete these files:
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\Program Files\DownloadWare\dw.exe
C:\WINDOWS\SUSP.exe
C:\WINDOWS\BELT.exe
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\upcfox.exe

Delete these folders:
C:\PROGRAM FILES\PIOLET
C:\PROGRAM FILES\SAVE
C:\PROGRAM FILES\SCBAR

Empty these folders:
c:\temp
c:\windows\temp

Empty your Temporary Internet Files and history in Internet Options.

Reboot and post another log.

 

[gregory777]

Well, I did everything you said to do, but don't forget, as I said, some of the things I can't even find for some reason (ie. DownloadWare).
Anyways, I think the log is the same, but I'm not sure, so here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 11:21:08 PM, on 9/14/04
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX0D.AOF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/national/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {3CDFDCF0-73D3-4BD3-2A46-E3F51629B121} - C:\WINDOWS\Hbkkfyeb.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
O3 - Toolbar: Search - {9BB86D2E-5DB3-0084-4F7B-E42024593C3C} - C:\WINDOWS\Hbkkfyeb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe

 

[gregory777]

You know, I think I may have fixed it last night because I haven't had any coolsearch ads popping up nor have I had any notices about viruses popping up. Before they were popping up every few minutes, but they're not anymore, so I think they may all be gone, which is nice.

 

[cybertech]

You still have a massive amount of malware.

Download Ad-Aware SE, as you can see it's for all flavors of Windows.

http://www.majorgeeks.com/download506.html