CoolWWWSearch



CWSdeky
2007-01-08, 11:25
PROBLEM: My internet connection has slowed considerably. After performing netstat -a to view the connections that were opened, I saw coolwwwsearch open on at least 4 ports consistently.

ACTIONS:
I have run various programs including spybot, the CWSShredder, the CWS Cleaner posted on this site to no avail.

I have reviewed installed HIJACKTHIS and attach a copy of my reg file. Please assist as I'm lost on how to proceed. Thx in advance.

NETWORK CONFIG- On an ADSL router (ethernet connection).

Logfile of HijackThis v1.99.1
Scan saved at 8:12:29, on 09/01/07
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AOPEN\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROTHER\CONTROLCENTER2\BRCTRCEN.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\BRMFRSMG.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NETSTAT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\PROGRAM FILES\SPYCATCHER 2006\SCACTIVEBLOCK.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOPEN\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS\BrmfRmPA.exe -startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - WWW. Prefix: http://
O18 - Protocol: wavetop - (no CLSID) - (no file)

tashi
2007-01-11, 06:26
Hello and sorry for the wait.

If you have not resolved the problem, we do have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

CWSdeky
2007-01-12, 02:56
Still UNRESOLVED - I will post per your guidance

pskelley
2007-01-13, 14:00
Sorry about the wait, I am not sure I can help but I will do my best. Some information first.

1) As I know you are aware, Microsoft has stopped supporting this Operating System. No updates means any new exploits the hackers come up with for that OS will not be blocked. Firewalls, spyware programs and antivirus programs can do only so much when the exploits can get onboard when you visit the wrong website.

2) Most of the tools being created will not work on this operating system, severely limiting what we have to work with.

3) The only item I would have questioned in the HJT log:
C:\WINDOWS\NETSTAT.EXE appears to be valid: http://www.liutilities.com/products/wintaskspro/processlibrary/netstat/

4) This item: O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\PROGRAM FILES\SPYCATCHER 2006\SCACTIVEBLOCK.DLL (file missing)
has a file missing and is either not working right, or at all. If you depend on it I would install it again.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O13 - WWW. Prefix: http://
O18 - Protocol: wavetop - (no CLSID) - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Unless I am missing something I do not see Spybot S&D on this computer. Spybot does a good job of removing most CWS infections. Here is a download and tutorial:
http://www.bleepingcomputer.com/tutorials/tutorial43.html

7) This malware removal program is supposed to run on Windows 98, give it a try. * Download Dr.Web CureIt to the desktop: http://www.freedrweb.com/cureit/

Follow the directions and post the log that is created or scan results.

Thanks

CWSdeky
2007-01-15, 12:40
Thanks for the response.

1. I understand W98 is now old, however, I have comfort with the system as I'm aware of a lot of holes which have been locked down. For instance, NetBios over TCP is inactive, microsoft network drivers removed, disabled java etc etc

2. n/a

3. netstat is valid. I had the connection open when running HJT

4. I uninstalled SpyCatcher. The reg settings did not remove the path for some reason.

5. I cannot remove O18 - WAVETOP. It keeps reappearing after running "scan only" having been fixed.

6. I have uninstalled spy bot and other software just in case they were contributing to the coolwwwsearch problem for some reason. spy bot did not pick up the problem whatsoever.

7. The scan with cureit returned no problems.

HJT SCAN POSTED BELOW ----->

CWSdeky
2007-01-15, 12:48
*****note --- cannot remove the last reg setting regarding wavetop *****


Logfile of HijackThis v1.99.1
Scan saved at 9:49:07, on 16/01/07
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AOPEN\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROTHER\CONTROLCENTER2\BRCTRCEN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\SYSTEM\BRMFRSMG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOPEN\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS\BrmfRmPA.exe -startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.0.178.191
O18 - Protocol: wavetop - (no CLSID) - (no file)

pskelley
2007-01-15, 13:35
G'Day mate and thanks for the feedback and returning the information. I wanted to say I have an old Compaq 7360 with Windows 98SE on it that runs like a new computer. I take it out about once a month on a sunny Sunday for a drive.


5. I cannot remove O18 - WAVETOP. It keeps reappearing after running "scan only" having been fixed.

I would not be concerned, not showing a CLSID # or a file so it is probably nothing. It might take a registry edit to remove it and I have never seen the item before. Try a scan for that word "wavetop" just to see if search turns up anything.

http://whois.domaintools.com/203.0.178.191
Looks like you are in or around Perth.

Is it possible the program showing these ports being opened is falsely identifying CWS? Have you considered running other port scans?
Spybot does not find the CWS (if it is even there), it will not always remove it but it usually locates it if it is there. Are any other programs finding the CWS?
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=free+port+scan

Let's see if CWShredder will run on your computer. You would want to try this:
Click here to download the stand-alone version of CWShredder.

http://www.intermute.com/spysubtract/cwshredder_download.html

Let me know what you find out.

Cheers

CWSdeky
2007-01-16, 02:53
Hi Champ,

Thanks for the swift feedback. The W98 machine I have runs like a GT Ford at the moment. Looks clean, runs nice, but it still has a small scratch that is to be buffed out (i.e. coolwwwsearch).

I have scanned for wavetop through regedit.exe and removed all instances. While doing this, I ran netstat.exe at the same time to find that 2 ports were open for coolwwwsearch.com. It seems to use port 10110 consistently now.

Removal of O18 - wavetop
No instances of wavetop exist, however, I cannot remove this mongrel of a reference by using HJT.

1. I'm based in Brisbane. I use iinet which is Perth based so their gateway must be based in Perth?

2. I continually scanned the ports by performing stealth tests from Sygate, shieldsup from grc.com, etc etc. However, this only performs an incoming port scan.

My understanding with coolwwwsearch is that it is an outgoing connection (like that of iexplore which uses port 80) and sends information to the central server or uses the bandwidth to perform a DOS attack on a specific machine. Effectively there are hundreds of this bot on people's machines which are controlled by one server somewhere out there to do as it requests.

3. Standalone CWSshredder has been used 3 times throughout the process to no avail. It cannot find the coolwwwsearch problem.

:sad:

I'm out of ideas and struggling. All I know is that wavetop seems to be memory resident as it keeps reappearing all the time in reg settings.

CWSdeky
2007-01-16, 04:25
I have managed to remove the O18 - wavetop reference. It was a file in c:\windows\inf\wavetop.inf.

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:30:44, on 17/01/07
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AOPEN\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROTHER\CONTROLCENTER2\BRCTRCEN.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\CIMOM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOPEN\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS\BrmfRmPA.exe -startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.0.178.191

pskelley
2007-01-16, 12:22
I am not sure on this one, you can remove these if you wish. They are not malware so removal is optional:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

You may find something to help you here:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=port+10110+
or here:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=how+to+block+a+port

I do not know if this scan will run on Windows 98 or not. It is a very good scan if it will and normally will scan but not clean. I use it once in a while to get a look at the in depth scan results. Until Feb 15, it is free and will scan and clean. If you can get it to run, I would like to see the results if possible. I would only be interested in the information in the bottom pane.

Download MWAV from here: http://www.mwti.net/products/mwav/mwav.asp
Just download and run. No installation of this software required.
New Year Bonanza - MicroWorld is offering this FREE MWAV Toolkit to help you to "Scan and Clean" your PC/Computer for FREE up to 15th Feb. 2007.

Select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

OK...looks like it will run, but you might want to have a look at the specs required prior to giving it a try:
http://www.mwti.net/products/escan/escan_iss/escaniss.asp

Thanks

CWSdeky
2007-01-17, 15:49
Firstly I would like to thank you for getting me to use mware from microworld.

I have performed a scan and the following are the results:
-----------
Object "kazaa Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "medload Adware" found in File System! Action Taken: Entries Removed.
Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "kraze.b Virus" found in File System! Action Taken: Entries Removed.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: Entries Removed.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: Entries Removed.
Entry "HKCR\SCActiveBlock.SpywareBlock.1" refers to invalid object "{0A87E45F-537A-40B4-B812-E2544C21A09F}". Action Taken: Entries Removed.
Entry "HKCR\SCActiveBlock.SpywareBlock" refers to invalid object "{0A87E45F-537A-40B4-B812-E2544C21A09F}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Install.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Trend Micro\Internet Security\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Trend Micro\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Trend Micro\Internet Security\Profile\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\tcpIQ\Line Speed Meter\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\tcpIQ\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\tcpIQ\Line Speed Meter\ExcelAnalysisTemplate\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\tcpIQ\Line Speed Meter\ExcelAnalysisOutput\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Trend Micro\Internet Security 2005\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\xlrec.dll" refers to invalid object "C:\WINDOWS\SYSTEM\XLREC.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\recncl.dll" refers to invalid object "C:\WINDOWS\SYSTEM\RECNCL.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\osa.exe" refers to invalid object "C:\Program Files\Microsoft Office\Office\OSA.EXE". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\mso97.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office\MSO97.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\msoc.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\osaintl.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office\OSAINTL.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\hlink.srg" refers to invalid object "C:\Program Files\Microsoft Office\Office\HLINK.SRG". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\misc.srg" refers to invalid object "C:\Program Files\Microsoft Office\Office\MISC.SRG". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\clippit.act" refers to invalid object "C:\Program Files\Microsoft Office\Office\Actors\CLIPPIT.ACT". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\msroute.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office\MSROUTE.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\VBA Off97 Help" refers to invalid object "C:\Program Files\Microsoft Office\Office\VBAOFF8.HLP". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Shared Tools\DAO" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\DAO\DAO3032.DLL". Action Taken: Entries Removed.
--------

I'm amazed that viruses have been found considering I'm running AVG which automatically updates each time the machine boots. It also runs a memory scan when booting. Hmmm.

Secondly, I have used various reg cleaners to tidy up my reg settings. Yet this beauty of a program has found more.

Not sure if coolwwwsearch has disappeared as yet. It may be captured in one of the above viruses. Thoughts/comments appreciated.


David

pskelley
2007-01-17, 15:55
Hi David, the MWAV scan is one of the best, we like to use freeware and let the users decide what they want to pay for. I believe it uses Kaspersky databases. As I said the program would normally find stuff but it then had to be deleted manually. Nice of them to allow this free period. Can you tell me if there is a choice to decide what to remove prior to it happening? Keep me posted. If all is well I will close the topic.

Thanks...Phil

CWSdeky
2007-01-17, 16:17
Hi,

I chose scan and fix rather than just scan.

coolwwwsearch is still popping up after the clean. see below ->
TCP coolwwwsearch.com:4159 bne:0 Listening
TCP coolwwwsearch.com:10110 bne:0 Listening
UDP coolwwwsearch.com:4159 ***** -
TCP coolwwwsearch.com:4337 bne:0 Listening
UDP coolwwwsearch.com:4337 ***** -

I will restart my machine and then boot in safe mode and run scan and fix again.

All options selected. System scan is greyed out though :sad: I cannot change this.
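
An added example, not part of any post in this thread: a small Python parser for `netstat -a` lines in the form quoted above. It reports whether a host name sits in netstat's Local Address or Foreign Address column and whether any entry is an established outbound connection to it. The first five sample lines are the ones quoted in the post; the sixth line and its host names are constructed for contrast.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_host local_port remote state")

# Constructed sample: five lines as quoted in the thread, plus one made-up
# established connection (hypothetical host names) to show the other case.
SAMPLE = """\
TCP coolwwwsearch.com:4159 bne:0 Listening
TCP coolwwwsearch.com:10110 bne:0 Listening
UDP coolwwwsearch.com:4159 ***** -
TCP coolwwwsearch.com:4337 bne:0 Listening
UDP coolwwwsearch.com:4337 ***** -
TCP bne:1042 www.example.net:80 ESTABLISHED
"""

# netstat column order: Proto, Local Address, Foreign Address, State.
LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def parse(text):
    """Turn netstat -a lines into Socket tuples, skipping headers and noise."""
    sockets = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proto, host, port, remote, state = m.groups()
        state = (state or "").upper()
        if state == "-":          # placeholder seen on the UDP lines
            state = ""
        sockets.append(Socket(proto.upper(), host.lower(), int(port),
                              remote.lower(), state))
    return sockets


def classify(sock):
    """Role of one entry: a socket waiting locally vs. a live connection."""
    if sock.proto == "UDP":
        return "udp-bound"        # UDP has no connection state
    if sock.state in ("LISTENING", "LISTEN"):
        return "listening"
    if sock.state == "ESTABLISHED":
        return "connected"
    return "other"


def name_report(sockets, name):
    """Show which column `name` appears in, with port and role per entry."""
    name = name.lower()
    report = {"local": [], "remote": []}
    for s in sockets:
        entry = (s.proto, s.local_port, classify(s))
        if s.local_host == name:
            report["local"].append(entry)
        if s.remote.split(":")[0] == name:
            report["remote"].append(entry)
    return report


def has_outbound_to(sockets, name):
    """True only if an established TCP connection has `name` as its peer."""
    name = name.lower()
    return any(classify(s) == "connected" and s.remote.split(":")[0] == name
               for s in sockets)


if __name__ == "__main__":
    socks = parse(SAMPLE)
    print(name_report(socks, "coolwwwsearch.com"))
    print("outbound:", has_outbound_to(socks, "coolwwwsearch.com"))
```

Without `-n`, netstat prints addresses as resolved names, so a name in the Local Address column is whatever a local address resolved to; `netstat -an` prints the numeric addresses instead.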

pskelley
2007-01-17, 17:37
David, I have about exhausted my knowledge in this area (which was limited anyway).

We can try some tools to look for a possible hidden rootkit if we can find one that will run on Windows 98.
These say they are free to try, but I know nothing about them:
http://downloads.zdnet.com/download.aspx?&tags=rootkit&docid=252613
http://downloads.zdnet.com/download.aspx?&tags=rootkit&docid=271942
http://downloads.zdnet.com/download.aspx?&tags=rootkit&docid=222288

Another option might be to run a registry editor, this one should work on Windows 98, is user friendly and has lots of screenshots and tutorials to help you. http://www.hoverdesk.net/freeware.htm

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
_____________________________________________________

Download RegSeeker. Extract it to its own folder,
open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.

Let me know if it helps, you know what you are looking for.

Thanks

tashi
2007-01-25, 07:07
This topic has been closed to prevent others with similar issues posting in it.

If you have not resolved the problem, please send me a private message (pm) to re-open the thread and provide a link.