1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

coolsearch.biz has taken over my home page

Discussion in 'Virus & Other Malware Removal' started by gregory777, Sep 11, 2004.

Thread Status:
Not open for further replies.
Page 1 of 2
Advertisement
  1. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Hey,
    I'm having some major problems with the stupid Coolsearch virus. It keeps on changing my homepage on me and I'm getting rather pissed. The thing is, I have a very old computer, and OS (Windows 95), and I keep on looking for something to stop this stupid thing, but I can't find squat. Somebody help me please!!! This is really driving me and my family crazy!!!
    Your help would be greatly appreciated.
    From,
    Gregory
     
    gregory777, Sep 11, 2004
    #1
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Welcome to TSG!! :)

    Make a folder on your hard drive, like My Documents\HJT
    Download Hijackthis.
    Unzip the file to the folder on your hard drive.

    Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log".

    Copy and paste it back here and someone will be happy to review it.

    Don't make any changes until instructed to do so.
     
    cybertech, Sep 11, 2004
    #2
  4. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Here is what my log:
    Logfile of HijackThis v1.98.2
    Scan saved at 1:19:58 AM, on 9/12/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINRAR\WINRAR.EXE
    C:\WINDOWS\TEMP\RAR$EX0R.8FE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.canada.com/national/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.gaysbase.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
    O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
     
    gregory777, Sep 12, 2004
    #3
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Make a folder for hijackthis.exe and move it there.

    Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer after you've fixed the items found.

    Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.

    Restart your computer and post another HJT log for review.
     
    cybertech, Sep 12, 2004
    #4
  6. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    There's just one slight problem with that. I can't download and install it because it says on the website that my OS has to be Windows 98 or later.
    From,
    Gregory
     
    gregory777, Sep 12, 2004
    #5
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Before you do this you need to move hijackthis into folder or you will loose the backups it creates. Make a folder like c:\program files\hjt and run hijackthis from there.


    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
    O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)


    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Delete these files:
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\Program Files\DownloadWare\dw.exe
    C:\WINDOWS\SUSP.exe
    C:\WINDOWS\BELT.exe
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\ALCHEM.exe
    C:\Program Files\Lycos\IEagent\Loader.exe
    C:\WINDOWS\upcfox.exe

    Delete these folders:
    C:\PROGRAM FILES\PIOLET
    C:\PROGRAM FILES\SAVE
    C:\PROGRAM FILES\SCBAR
    C:\PROGRAM FILES\ezula


    Empty these folders:
    c:\temp
    c:\windows\temp

    Empty your Temporary Internet Files and history in Internet Options.


    Reboot and post another log.
     
    cybertech, Sep 13, 2004
    #6
  8. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Ok, I just tried that, and well, something weird is going on...
    I was able to delete the file
    C:\Windows\System\Services\MSXMIDI.exe with no problems, however the following files actually have .INI commands rather than .exe commands:
    C:\Windows\Susp, C:\Windows\Belt, C:\Windows\Sysupd, C:\Windows\Alchem, and C:\Windows\upcfox
    Also, I wasn't able to the find the following files at all:
    C:\Program Files\DownloadWare\dw.exe and
    C:\Program Files\Lycos\IEagent\Loader.exe
    I haven't done anything except delete the MSXMIDI.exe program file, because I don't want to make things on my computer worse.
    So, anyways, should I delete the files I did find listed above even though they're .INI?
    I really appreciate your time and effort in towards helping me.
    From,
    Gregory
    P.S. Be aware, there are 2 new worms on the internet, so be careful of what you download. For more info, go to http://www.msn.com
     
    gregory777, Sep 13, 2004
    #7
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Yes, there are ini files that go with these, you should remove those as well.
     
    cybertech, Sep 14, 2004
    #8
  10. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Thanks for the info. It's very much appreciated.
    From,
    Gregory
     
    gregory777, Sep 14, 2004
    #9
  11. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Here is the new log:
    Logfile of HijackThis v1.98.2
    Scan saved at 6:00:52 AM, on 9/14/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINRAR\WINRAR.EXE
    C:\WINDOWS\TEMP\RAR$EX01.BBH\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/national/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {3CDFDCF0-73D3-4BD3-2A46-E3F51629B121} - C:\WINDOWS\Hbkkfyeb.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O3 - Toolbar: Search - {9BB86D2E-5DB3-0084-4F7B-E42024593C3C} - C:\WINDOWS\Hbkkfyeb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
    O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe
     
    gregory777, Sep 14, 2004
    #10
  12. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    For some reason, I keep getting the following error, everytime I reboot computer, now I don't remember what it exactly says, but here's the general message:
    RUNDLL ERROR
    C:\WINDOWS\BXXSS5.DLL unspecified or something like that.
    Does anybody know why I'd be getting this error?
    From,
    Gregory
     
    gregory777, Sep 14, 2004
    #11
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    This log looks very much like the last one. Were you unable to delete the files?

    Run HJT again and put a check in the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
    O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe

    Close all applications and browser windows before you click "fix checked".

    Restart in Safe Mode

    Delete these files:
    C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    C:\Program Files\DownloadWare\dw.exe
    C:\WINDOWS\SUSP.exe
    C:\WINDOWS\BELT.exe
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\ALCHEM.exe
    C:\WINDOWS\upcfox.exe

    Delete these folders:
    C:\PROGRAM FILES\PIOLET
    C:\PROGRAM FILES\SAVE
    C:\PROGRAM FILES\SCBAR

    Empty these folders:
    c:\temp
    c:\windows\temp

    Empty your Temporary Internet Files and history in Internet Options.

    Reboot and post another log.
     
    cybertech, Sep 14, 2004
    #12
  14. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    Well, I did everything you said to do, but don't forget, as I said, some of the things I can't even find for some reason (ie. DownloadWare).
    Anyways, I think the log is the same, but I'm not sure, so here is the new log:
    Logfile of HijackThis v1.98.2
    Scan saved at 11:21:08 PM, on 9/14/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\1.0\LWBWHEEL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\THEWEATHERNETWORK\WEATHEREYE\WEATHEREYE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINRAR\WINRAR.EXE
    C:\WINDOWS\TEMP\RAR$EX0D.AOF\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gocybersearch.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canada.com/national/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {3CDFDCF0-73D3-4BD3-2A46-E3F51629B121} - C:\WINDOWS\Hbkkfyeb.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL (file missing)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_18_0.DLL
    O3 - Toolbar: Search - {9BB86D2E-5DB3-0084-4F7B-E42024593C3C} - C:\WINDOWS\Hbkkfyeb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
    O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
    O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V9\SCBAR.EXE" /H
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
    O4 - HKLM\..\Run: [upcfox] C:\WINDOWS\upcfox.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {D45FD31B-5C6E-11D1-9EC1-00C04FD70900} - http://www.freeweather.com/setup.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//29126/msits.exe
     
    gregory777, Sep 14, 2004
    #13
  15. gregory777

    gregory777 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    27
    You know, I think I may have fixed it last night because I haven't had any coolsearch ads popping up nor have I had any notices about viruses popping up. Before they were popping up every few minutes, but they're not anymore, so I think they may all be gone, which is nice.
     
    gregory777, Sep 14, 2004
    #14
  16. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    cybertech, Sep 15, 2004
    #15

  17. Sponsor

Page 1 of 2
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - coolsearch taken home
  1. Wiktor1

    My computer seems to be taken over by something

    Wiktor1, Feb 19, 2019, in forum: Virus & Other Malware Removal
    Replies:
    0
    Views:
    563
    Wiktor1
    Feb 19, 2019
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272875

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice