yet another coolsearch hijack

I've been hijacked by coolsearch. i've run CW Shredder, Spybot, Ad-aware, Spy Sweeper and Hijack This (in and out of safe mode) multiple times. All to no avail. Below is my HijackThis log. This is my first post on this forum, so I hope I haven't broken any rules. I would appreciate any help.

Logfile of HijackThis v1.97.7
Scan saved at 10:57:09 AM, on 9/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\PROGRAM FILES\INTUIT\QAGENT\QAGENT.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK\CONNMON.EXE
C:\PROGRAM FILES\EUDORA4\EUDORA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wrl: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npcosmop.dll
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .com/d/sr?xargs=02u3hs9yoajkUOyzCCRRClf5Yr8qULjD4WbiBMTAf0dsbGwMUyNFa9/hgIeWbuc9OdYy8EV0N5AD8A3MCXH3uBbiHUgjwE03nhUieLkXeID: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...14f9bb93ddd5:061a5725d1c04e478de72640af5cb44d
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38244.4282638889

 

at first You should run cwshredder - in the mean while I`ll look trhough your log and find the lines that are to be fixed.

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

thanks for your prompt attention. as i noted in my initial posting cwshredder was the first thing i ran.

 

These lines must be fixed with hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" –atboottime
O12 - Plugin for .com/d/sr?xargs=02u3hs9yoajkUOyzCCRRClf5Yr8qULjD4WbiBMTAf0dsbGwMUyNFa9/hgIeWbuc9OdYy8EV0N5AD8A3MCXH3uBbiHUgjwE03nhUieLkXeID: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab


These files must be deleted I safe mode – restart your pc and press F8 – choose safe mode:
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Then you should empty your temporary internet files and choose a new default internet page-

also run this onetimescanner:
http://www.mwti.net/antivirus/free_utilities.asp

restart and a new log to check plz

 

These don't need to be fixed:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab

Those three are all legit.


Here is a complete list of what you need to do:

Go to Add/Remove programs and uninstall Winad Client if it is there.


Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz

R3 - Default URLSearchHook is missing

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...72 640af5cb44d

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Now find and delete these folders:

C:\WINDOWS\SYSTEM\SERVICES
C:\PROGRAM FILES\WINAD CLIENT

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

 

Thank you both for your help. I used the suggestions from both DannyBoy and Firman1 and below is what the HijackThis log now shows. Thanks again for your help. Does it look clean?

Logfile of HijackThis v1.97.7
Scan saved at 1:07:29 PM, on 9/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTUIT\QAGENT\QAGENT.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wrl: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npcosmop.dll
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38244.4282638889

 

uh oh. i dont think my purge worked. i just got a spy sweeper message that HotasHell exe has been installed on my computer. i will remove that, but obviously i have not closed all the doors to hijack hell. any suggestions.

 

did you run this one ?
also run this onetimescanner:
http://www.mwti.net/antivirus/free_utilities.asp

fix the lines which we have listed
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

use a new version of hijakcthis:
Download newest Hijackthis software and scan – save log – paste it here again.
http://danborg.org/spy/HJT/hijackthis.exe

Have you got a firewall?

new log plz

 

Make sure you have deleted these folders:

C:\WINDOWS\SYSTEM\SERVICES
C:\PROGRAM FILES\WINAD CLIENT

 

This has been a long, hard slog. I did not have a firewall; I now have ZoneAlert. I downloaded a newer version of HijackThis. I also ran the virus software from www.mwti.net/antivirus/free_utilities.asp. I repeated all the steps DannyBoy and Firman1 recommended and have this new log from HijackThis. I'm not new to computers (i've been an amateur programmer since the mid-80's), but battling these kinds of invasions is new to me. Please excuse my newbie errors. How does the log look?

Logfile of HijackThis v1.98.2
Scan saved at 8:58:48 PM, on 9/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTUIT\QAGENT\QAGENT.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\APPLICATION DATA\RTCC.EXE
C:\WINDOWS\SYSTEM\IPNBHN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {6CDE110D-B530-18E6-8753-60550DA97542} - C:\WINDOWS\SYSTEM\RTJS.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Rtae] C:\WINDOWS\Application Data\rtcc.exe
O4 - HKCU\..\Run: [Gpsw] C:\WINDOWS\SYSTEM\ipnbhn.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {E9A12E20-8080-11D3-96CF-90A244C1CF08} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wrl: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npcosmop.dll
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll

 

Remove
O4 - HKCU\..\Run: [Gpsw] C:\WINDOWS\SYSTEM\ipnbhn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
and this :
C:\WINDOWS\SYSTEM\IPNBHN.EXE is highly suspicious
good luck

 

These lines must be fixed with hijackthis:
O2 - BHO: (no name) - {6CDE110D-B530-18E6-8753-60550DA97542} - C:\WINDOWS\SYSTEM\RTJS.DLL
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [Gpsw] C:\WINDOWS\SYSTEM\ipnbhn.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {E9A12E20-8080-11D3-96CF-90A244C1CF08} - http://www.dell.com/ (file missing) (HKCU)


These files must be deleted I safe mode – restart your pc and press F8 – choose safe mode:
C:\WINDOWS\SYSTEM\IPNBHN.EXE

If you are using something called realtime cookie cleaner then keep it – otherwise delete this .?
C:\WINDOWS\APPLICATION DATA\RTCC.EXE
And if – then fix this:
O4 - HKCU\..\Run: [Rtae] C:\WINDOWS\Application Data\rtcc.exe

retstart and a new log to check

 

Go to Add/Remove programs and uninstall 180solutions if it is there.

Delete this folder too:

c:\program files\180solutions

Also this is most likely LOP and not Real Time Cookie Cleaner:

O4 - HKCU\..\Run: [Rtae] C:\WINDOWS\Application Data\rtcc.exe

To summarize here is what you need to do:

Go to Add/Remove programs and uninstall 180solutions if it is there.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {6CDE110D-B530-18E6-8753-60550DA97542} - C:\WINDOWS\SYSTEM\RTJS.DLL

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKCU\..\Run: [Rtae] C:\WINDOWS\Application Data\rtcc.exe

O4 - HKCU\..\Run: [Gpsw] C:\WINDOWS\SYSTEM\ipnbhn.exe

O9 - Extra button: Dell Home - {E9A12E20-8080-11D3-96CF-90A244C1CF08} - http://www.dell.com/ (file missing) (HKCU)

Restart to safe mode.

First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Delete these files in safe mode:

C:\WINDOWS\Application Data\rtcc.exe
C:\WINDOWS\SYSTEM\ipnbhn.exe

Delete this folder:

c:\program files\180solutions


Go here and download Adaware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

 

i downloaded and ran the new adaware per instructions in addition to following your newest instructions. everything seems to be working now except my free eudora, which only wants to run in safe mode. but it think i can get past that. thanks again for all the help. and hopefully this is my last HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 1:31:51 PM, on 9/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTUIT\QAGENT\QAGENT.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\OLD EARTHLINK5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\SYSTEM\LVCOMS.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wrl: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npcosmop.dll
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll

 

Clean!

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.