CoolWWWSearch.Feat2DLL

T

Tomlin

New member
I couldn't figure out why my win2000 machine would be locked up every morning when I sat down at the keyboard. The screen was black (screensaver), so I couldn't see anything. I took the screen saver off and just turned the monitor off. The next morning, it was frozen up again. It had been in the middle of it's scheduled AVG virus scan.

Long story short, using Spybot (1.4) it freezes while scanning "CoolWWWSearch.Feat2DLL". As I mentoned, AVG freezes. So does Ad-Aware (when NOT in safe mode - it doesn't freeze when IN safe mode, and it found and removed 16 critical objects). CWShredder says there is no instance of "CoolWebSearch". However, it's CoolWWWSearch that Spybot freezes on. I also ran Ewido and it found a few "medium" risk cookies, but NO CoolWWWSearch.

Pandasoft also froze during the scan. It had found 2 cookies and when I clicked the button it basically said I needed to buy the product to secure my PC (it appears to just be an add for the product).

HJK gives me this:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:57 PM, on 6/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

My browsers haven't been redirected anywhere. I wouldn't have known I was iinfected except for the nightly freeze when scanning with AVG.

Any help would be appreciated, I've been at this for 2 days now.
 
We will need to disable Edwido's real time protection.
From the system tray: Right-click the system tray icon and uncheck real time protection.
Or from within Edwido -
Under 'Your security status', if the real time protection is active.
Deactivate it by clicking 'real time protection' until the status says 'inactive'.

Disable SpywareGuard for now:
Right click the running icon of Spywareguard, it will open the program.
Then go to Menu, file, exit.
Then confirm the program is closed.

Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -

Reboot

Be sure to keep SunJava, updated

In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5- 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE


It is important to remove older versions as these are the ones with the holes in them. You will be surprised when you go to add/remove to see all of the versions sitting there.

Download Newest >>>> http://www.java.com/en/download/index.jsp

Once installed you can test to see that it is in fact installed >>>>

Sun Java Test

Rescan with HJT and post a new log here.
Also please describe how your computer behaves at the moment
 
Thanks for your response.

I followed your instructions. After fixing the "016" entries and removeing the old JREs I downloaded the latest JRE (update 7).

I ran Spybot (1.4) and it froze at:

Running bot-check 7963/41392:CoolWWWSearch.Feat2DLL

the 1st "CoolWWWSearch.Feat2DLL" shows up @ approx. 7348/41392.

I ran it again in Safe Mode and it got as far as 8629/41392.

When it freezes...it literally "locks up". I can't use the mouse or keyboard. Even the power button doesn't work. I have to reboot by flipping the toggle switch on the back of the computer off, then back on.

I ran HJT in regular and safe modes, after the lockup. Here are the results.

Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:36 AM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Regular Mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:04 AM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O15 - Trusted Zone: http://*.suse9
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

The computer seems to run fine after a reboot, I just can't run ANY spyware or antivirus programs.

Again, thanks for helping.
 
Please download Winhelp2002's deldomain.inf to your desktop. http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'
It will not appear to have done anything, thats ok.

***Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

Make a restore point.

Then backup your Registry.
click start > run > enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then download RegSeeker http://www.hoverdesk.net/freeware.htm.
Extract it to it's own folder, open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again.
Then right click within the search results and select delete.
Run it again and again, deleting everything it finds until it finds nothing.
Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back.
A reboot may be required for the effects to be seen. Reboot When done.
 
Well.....

Spybot is now freezing at:

Running bot-check (16281/41392:TNS-Search)

I guess I'm closer than b4.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:35 PM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Downloads\WallWatcher\WallWatcher.exe
C:\Downloads\t\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phase1.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wall Watcher.lnk = C:\Downloads\WallWatcher\WallWatcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: Domain = wildblue.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E6227A7-F167-42CB-BA28-B3559461BF40}: NameServer = 12.213.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wildblue.net
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.
 
It freezes about 6 minutes in @ 20% complete after scanning 22,508 files. No disk activity and mouse and keyboard completly useless. I let it sit for another 20 minutes, just to make sure it wasn't a temporary thing.
 
Download EVEREST Free Edition 1.51 and lets see how hot you running check in sensor tab.

sensor.jpg
 
Last edited:
Last weekend. I clean it out once a month.

It never locks up unless I run an anti virus/anti spy/anti adware program.
 
Tomlin said:
Last weekend. I clean it out once a month.
Click to expand...
Thats more than I do :) your mother board is running hot
Tomlin said:
It never locks up unless I run an anti virus/anti spy/anti adware program.
Click to expand...
Can you clean out your quarantined files (backups)from all them.
Then try to run spybot
 
You got me thinking. I'm wondering if the added heat of the disks spinning for 15+ minutes may be locking the machine up?

I'm going to run Everest along with Spybot. When it locks up (and it will), I can check the temp.

Thanks again for all your help. I'll let you know what happens.
 
I'm back

Been out of town for a week.

Here's what I've found out.

Using Everest, I start out with a CPU temp of 38 degrees C & mobo temp of 63 degrees C.

Running Spybot, within 2 minutes, the mobo temp has increased to 113 degrees C, and @ 6:23 minutes in and mobo temp @ 125 degrees C, it freezes. CPU temp is @ 41 degrees C. There seems to be little or no disk activity. What exactly is it doing that would cause the mobo temp to rise that much, but the CPU temp to only go up 3 degrees C?

When running AVG, the disks spin continuously for 42 min 55 sec, then the machine freezes with Everest showing mobo @ 125 C and CPU @ 41 C.

Looks like it's not a spyware/virus problem at all, but an overheating problem.
 
You must log in or register to reply here.
Back
Top