CoolWWWSearch.Feat2DLL



Tomlin
2006-06-25, 23:17
I couldn't figure out why my win2000 machine would be locked up every morning when I sat down at the keyboard. The screen was black (screensaver), so I couldn't see anything. I took the screen saver off and just turned the monitor off. The next morning, it was frozen up again. It had been in the middle of its scheduled AVG virus scan.

Long story short, using Spybot (1.4) it freezes while scanning "CoolWWWSearch.Feat2DLL". As I mentioned, AVG freezes. So does Ad-Aware (when NOT in safe mode - it doesn't freeze when IN safe mode, and it found and removed 16 critical objects). CWShredder says there is no instance of "CoolWebSearch". However, it's CoolWWWSearch that Spybot freezes on. I also ran Ewido and it found a few "medium" risk cookies, but NO CoolWWWSearch.

Pandasoft also froze during the scan. It had found 2 cookies and when I clicked the button it basically said I needed to buy the product to secure my PC (it appears to just be an ad for the product).

HJT gives me this:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:57 PM, on 6/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

My browsers haven't been redirected anywhere. I wouldn't have known I was infected except for the nightly freeze when scanning with AVG.

Any help would be appreciated, I've been at this for 2 days now.

little eagle
2006-06-26, 07:11
We will need to disable ewido's real time protection.
From the system tray: Right-click the system tray icon and uncheck real time protection.
Or from within ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

Disable SpywareGuard for now:
Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.

Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -

Reboot

Be sure to keep Sun Java updated.

In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE


It is important to remove older versions as these are the ones with the holes in them. You will be surprised when you go to add/remove to see all of the versions sitting there.

Download Newest >>>> http://www.java.com/en/download/index.jsp

Once installed you can test to see that it is in fact installed >>>>

Sun Java Test (http://www.java.com/en/download/installed.jsp)

Rescan with HJT and post a new log here.
Also please describe how your computer behaves at the moment
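As an added example (not the helper's, the forum's or the HijackThis project's own code), a small Python triage script for logs in the format posted in this thread: it flags O16 DPF entries that have no download URL after the trailing " -" (the shape of the entries the helper had HJT fix), lists entries marked "(file missing)", and diffs two scans so that entries which appear or vanish between logs stand out. The sample log text is constructed from lines in the same format.

```python
"""Triage helper for HijackThis v1.99.1 style logs (added example)."""
import re

# Constructed sample logs in the format of the logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# HJT entry lines start with a section tag (R0..R3, F0..F3, N1..N4, O1..O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O16 body: GUID, optional "(friendly name)", then " -" with no URL after it.
ORPHAN_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\}(?: \([^)]*\))? -$")


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Rn - ...' / 'On - ...' line.

    The header and the running-process list do not match ENTRY_RE and are
    skipped, so a whole pasted log can be fed in unchanged.
    """
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def orphan_dpf_entries(log_text):
    """O16 entries that register a downloaded component with no source URL."""
    return [f"{sec} - {body}" for sec, body in parse_entries(log_text)
            if sec == "O16" and ORPHAN_DPF_RE.match(body)]


def file_missing_entries(log_text):
    """Entries HijackThis marked '(file missing)': the registered file is gone."""
    return [f"{sec} - {body}" for sec, body in parse_entries(log_text)
            if body.endswith("(file missing)")]


def diff_logs(before_text, after_text):
    """Entries added and removed between two scans, each as a sorted list."""
    before = {f"{s} - {b}" for s, b in parse_entries(before_text)}
    after = {f"{s} - {b}" for s, b in parse_entries(after_text)}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for line in orphan_dpf_entries(LOG_BEFORE):
        print("orphan DPF  :", line)
    for line in file_missing_entries(LOG_AFTER):
        print("file missing:", line)
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for line in added:
        print("new         :", line)
    for line in removed:
        print("gone        :", line)
```

Feed it two complete pasted logs and the diff shows, for example, an O20 Winlogon Notify entry that was absent from the earlier scan.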

Tomlin
2006-06-26, 16:40
Thanks for your response.

I followed your instructions. After fixing the "016" entries and removing the old JREs I downloaded the latest JRE (update 7).

I ran Spybot (1.4) and it froze at:

Running bot-check 7963/41392:CoolWWWSearch.Feat2DLL

The 1st "CoolWWWSearch.Feat2DLL" shows up @ approx. 7348/41392.

I ran it again in Safe Mode and it got as far as 8629/41392.

When it freezes...it literally "locks up". I can't use the mouse or keyboard. Even the power button doesn't work. I have to reboot by flipping the toggle switch on the back of the computer off, then back on.

I ran HJT in regular and safe modes, after the lockup. Here are the results.

Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:36 AM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Regular Mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:04 AM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

The computer seems to run fine after a reboot, I just can't run ANY spyware or antivirus programs.

Again, thanks for helping.

little eagle
2006-06-26, 20:20
Please download Winhelp2002's deldomain.inf to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'
It will not appear to have done anything, that's ok.

***Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Make a restore point.

Then backup your Registry.
Click start > run > enter/type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then download RegSeeker http://www.hoverdesk.net/freeware.htm.
Extract it to its own folder, open it and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again.
Then right click within the search results and select delete.
Run it again and again, deleting everything it finds until it finds nothing.
Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back.
A reboot may be required for the effects to be seen. Reboot when done.

Tomlin
2006-06-27, 00:40
Well.....

Spybot is now freezing at:

Running bot-check (16281/41392:TNS-Search)

I guess I'm closer than b4.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:35 PM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

little eagle
2006-06-27, 02:52
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button.
* Save the file to your desktop.

Then post it here.

Tomlin
2006-06-27, 18:37
It freezes about 6 minutes in @ 20% complete after scanning 22,508 files. No disk activity and mouse and keyboard completely useless. I let it sit for another 20 minutes, just to make sure it wasn't a temporary thing.

little eagle
2006-06-28, 01:19
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

Then try to run spybot.

Tomlin
2006-06-28, 06:53
Running bot-check (14592/41392:ISearchTech.SideFind)

I'm losing ground.

I appreciate your help.

little eagle
2006-06-28, 08:17
Remove and reinstall spybot. Then try a scan.

Tomlin
2006-06-28, 15:30
Running bot-check (14564/41392:ISearchTech.SideFind)

FREEZE

little eagle
2006-06-28, 16:44
Download EVEREST Free Edition 1.51 (http://www.oldversion.com/program.php?n=everesthome) and let's see how hot you're running; check the sensor tab.

http://security-central.us/pimg/sensor.jpg

Tomlin
2006-06-28, 18:16
http://phase1.com/images/scan.jpg

little eagle
2006-06-28, 18:20
When is the last time you cleaned out the dust in your PC?

Tomlin
2006-06-28, 18:48
Last weekend. I clean it out once a month.

It never locks up unless I run an anti virus/anti spy/anti adware program.

little eagle
2006-06-28, 18:56
Quote (Tomlin): Last weekend. I clean it out once a month.
That's more than I do :) Your motherboard is running hot.


Quote (Tomlin): It never locks up unless I run an anti virus/anti spy/anti adware program.
Can you clean out your quarantined files (backups) from all of them?
Then try to run spybot

Tomlin
2006-06-29, 22:18
You got me thinking. I'm wondering if the added heat of the disks spinning for 15+ minutes may be locking the machine up?

I'm going to run Everest along with Spybot. When it locks up (and it will), I can check the temp.

Thanks again for all your help. I'll let you know what happens.

little eagle
2006-06-30, 04:34
As it scans you may need to refresh Everest

tashi
2006-07-05, 14:59
How is it going Tomlin :)

Tomlin
2006-07-07, 07:27
Been out of town for a week.

Here's what I've found out.

Using Everest, I start out with a CPU temp of 38 degrees C & mobo temp of 63 degrees C.

Running Spybot, within 2 minutes the mobo temp has increased to 113 degrees C, and @ 6:23 minutes in, with the mobo temp @ 125 degrees C, it freezes. CPU temp is @ 41 degrees C. There seems to be little or no disk activity. What exactly is it doing that would cause the mobo temp to rise that much, but the CPU temp to only go up 3 degrees C?

When running AVG, the disks spin continuously for 42 min 55 sec, then the machine freezes with Everest showing mobo @ 125 C and CPU @ 41 C.

Looks like it's not a spyware/virus problem at all, but an overheating problem.

little eagle
2006-07-07, 13:31
Might try hardwaresecrets (http://www.hardwaresecrets.com/article/142) tips.

Tomlin
2006-07-07, 20:14
OK, here's the latest. I downloaded Motherboard Monitor (MBM 5) and ran it in conjunction with Everest. The 'system/mobo' and CPU temps were reversed. So I shut windows down and checked the BIOS settings and found out that the Everest readings ARE reversed. The CPU is what is overheating, NOT the mobo/system.

I've run the system with the sides off. It has a CPU fan as well as 2 80mm fans - one on the back/top of the case pulling hot air out, and one on the front/bottom pulling cooler air in, so I can't believe it's a case problem. Looks like it's time for a new CPU huh?

Tomlin
2006-07-07, 20:31
That should read "new CPU fan".:bigthumb:

Tomlin
2006-07-07, 22:34
Well...that should read "new motherboard"!!!!:(

I checked things out and the "retention module" - the plastic clip that's attached to the mobo and allows the heatsink and fan to firmly attach to the CPU - is broken. Two of the four corners are broken, not allowing the heatsink to make contact with the CPU. I'm surprised the computer ran at all!!!

I appreciate your help little eagle, thanks again.

I guess it's off to my local computer store for a little shopping spree.

little eagle
2006-07-08, 15:23
Sorry it wasn't spyware we might have been able to fix it :blush:

Tomlin
2006-07-08, 17:49
Yeah. But, it's nice to know that Spybot IS keeping bad stuff off my computer. I was thinking that all my efforts to keep a 'clean machine' were wasted and Spybot wasn't doing its job. It'll be back to work once I get my PC going again.

Thanks for all your help.

Tomlin

LonnyRJones
2006-07-11, 12:31
I'm glad we could help.

Regards
Lonny