
Infected computer popup and CoolWeb



#1
Feverpitch

Member
:tazz:

Warning! Your computer is infected AND Coolwwwsearch

I have two Malware problems, one current and one recurring:

1) My desktop has been overtaken by line after line of the message, "Warning! Your Computer is Infected." Plus, every five minutes or so, I get a popup window: "Spyware alert. Check your system for viruses and Spyware. By clicking Yes ... (includes checkbox for Terms and Conditions)" I located the file that holds the warning message (/c:WP), but deleting it has only been a temporary fix. The desktop background turns black only for a short while. Then when I go to Display properties to change the desktop pattern, the Desktop tab is missing (I can only change the Screensaver). After a few minutes, the warning comes back.

2) Every time I run Spybot and/or Adaware SE, I get nothing but Coolwwwsearch virus-related files. I can delete the files (each time I disconnect from the Net, Adaware finds about 50 of them), but I'm not getting rid of the source file because the files keep coming back. Adaware SE appears to find it, but it freezes when I try to delete the source file.

Edited by Feverpitch, 01 June 2005 - 06:43 AM.



#2
Metallica

Spyware Veteran, GeekU Moderator
Please follow the instructions here:
http://www.geekstogo..._Log-t2852.html

I will gladly have a look at the resulting log.

Regards,

#3
Feverpitch

Thanks. I have performed AdAware SE and Spybot scans previously, but I did so again. CWShredder always finds nothing. I have Windows 98, so Ewido Security Suite does not apply. Here's my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:23 PM, on 6/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ZLOADER3.EXE
C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\t55nw72du6sgl8.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [FX] C:\WINDOWS\SYSTEM\CZYNP0FWEU.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {01569B00-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01569B00-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {0D94C2C0-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D94C2C0-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C90EB520-A455-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C90EB520-A455-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2676C180-A456-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2676C180-A456-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {67E4ADA0-ADEB-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67E4ADA0-ADEB-11D9-9AD2-444553540000} - (no file) (HKCU)
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O19 - User stylesheet: (file missing)

#4
Metallica

Before you fix anything can you do me a favor and surf to:
http://www.thespykil...x.php?topic=5.0
Follow the instructions there to upload:
C:\WINDOWS\SYSTEM\t55nw72du6sgl8.dll
C:\WINDOWS\ZLOADER3.EXE
C:\WINDOWS\SYSTEM\CZYNP0FWEU.EXE
C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\t55nw72du6sgl8.dll

O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [FX] C:\WINDOWS\SYSTEM\CZYNP0FWEU.EXE

O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {01569B00-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01569B00-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {0D94C2C0-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D94C2C0-A2DF-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C90EB520-A455-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C90EB520-A455-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2676C180-A456-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2676C180-A456-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {67E4ADA0-ADEB-11D9-9AD2-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67E4ADA0-ADEB-11D9-9AD2-444553540000} - (no file) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab

O19 - User stylesheet: (file missing)

Reboot and post a new log.

Regards,

#5
Feverpitch

Thanks. I did as you asked. Two of the files were uploaded to the other forum. However, I was not able to find c:\\WINDOWS\SYSTEM\t55nw72du6sgl8.dll or c:\\WINDOWS\SYSTEM\CZYNPOFWEU.EXE

I performed the fixes. Here's my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:24 PM, on 6/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#6
Metallica

Thanks for the files. :tazz:

We will be able to help others more easily thanks to those.

Your log looks good now.
Is your computer behaving as well?

Please do have a look at my site about removing and preventing spyware.
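
The before/after comparison behind "Your log looks good now", as an added example that is not part of the original thread: a Python script that parses two HijackThis logs and checks them against the fix list. The function names are hypothetical, and the sample logs are trimmed excerpts of the logs posted above.

```python
import re

# HijackThis entry lines start with a section code such as "O2 - " or "O4 - ".
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")

def parse_log(text):
    """Return (running_processes, entries) from a HijackThis log as two sets."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = " ".join(raw.split()).upper()  # Win9x paths are case-insensitive
        if line.startswith("RUNNING PROCESSES"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs and line:
            processes.add(line)
    return processes, entries

def verify_fix(before, after, fix_list):
    """Compare two scans against the entries the helper asked to fix."""
    procs_b, ents_b = parse_log(before)
    procs_a, ents_a = parse_log(after)
    wanted = parse_log(fix_list)[1]
    return {
        "not_in_first_scan": sorted(wanted - ents_b),  # mistyped fix entry
        "still_present": sorted(wanted & ents_a),      # fix did not hold
        "removed_unasked": sorted(ents_b - ents_a - wanted),
        "new_entries": sorted(ents_a - ents_b),        # possible reinfection
        "new_processes": sorted(procs_a - procs_b),
        "gone_processes": sorted(procs_b - procs_a),
    }

# Trimmed excerpts of the logs posted in this thread (not the full logs).
BEFORE = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ZLOADER3.EXE
C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE

O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\t55nw72du6sgl8.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE
"""
AFTER = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\t55nw72du6sgl8.dll
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\LLHUWHYTTN5L8.EXE
"""

if __name__ == "__main__":
    for key, items in verify_fix(BEFORE, AFTER, FIX_LIST).items():
        print(f"{key}: {items if items else 'none'}")
```

A non-empty `still_present` or `new_entries` after a reboot means a component outside the fixed entries is restoring them.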

#7
Feverpitch

Well, here's the update. I'm still getting the WP bitmap file that contains the message that is on my desktop: Warning! Your computer is infected! When I manually delete the WP file, it just comes back the next time I reboot. Also, I'm still unable to get the Display tab that allows for desktop wallpaper changes.

I ran AdAware SE again just now and the search found 85 problems, which it quarantined. Here's the log:

ArchiveData(auto-quarantine- 2005-06-11 19-18-49.bckp)
Referencefile : SE1R49 31.05.2005
======================================================

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\microsoft\windows\currentversion\uninstall\bluescreen warning
obj[1]=RegValue : software\microsoft\windows\currentversion\uninstall\bluescreen warning "UninstallString"
obj[2]=RegValue : software\microsoft\windows\currentversion\uninstall\bluescreen warning "Display Name"
obj[3]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions"
obj[4]=RegValue : software\microsoft\windows\currentversion\policies\explorer "NoActiveDesktopChanges"
obj[5]=RegValue : software\microsoft\windows\currentversion\policies\system "NoDispBackgroundPage"

#8
Metallica

It looks like you have a new problem.

Can you post a new HijackThis log?

Regards,

#9
Feverpitch

Sure. Here it is. By the way, I was able to change my desktop pattern a few minutes ago (Background tab has magically reappeared). First time that's happened in a while!

Logfile of HijackThis v1.99.1
Scan saved at 9:39:50 PM, on 6/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#10
Metallica

False alarm. Looks like AdAware took care of it. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,


#11
Metallica

Can you please do as Mosaic1 asked you here:
http://www.thespykil...php?topic=346.0

Regards,

#12
Feverpitch

Thanks. I posted that file on the other site, as you requested. Hopefully, it's another Malware file that could eliminate the constant Coolweb file generations. The desktop wallpaper problem appears solved.

#13
Metallica

Copy the part below into Notepad and save it as searchwininet.bat
Set filetype to "All files"

dir %Systemdrive%\wininet.dll /a /s > files.txt
start notepad files.txt


Double click the file and when it is ready it will open files.txt
Post the content of that file

Regards,

#14
Feverpitch

Please bear with me. Sorry, but I'm not too familiar with Notepad so I'm a little lost on this instruction.

So, you're saying that I should open a blank Notepad file and paste this bolded text into the file. Then save the Notepad file as searchwininet.bat (filetype All Files). Then I should close the Notepad file and reopen it and wait for it to open files.txt? Whatever is the result (I assume another file named files.txt will appear), I should post that to the forum?

#15
Metallica

That is correct. After you save the file as searchwininet.bat (which is in fact a tiny program) double-click it to run it.
It will open the command prompt and close that when finished. The results will be written to a file called files.txt which opens automatically.

The content of that file will show all instances of wininet.dll on your drive.

I want to see if you have a spare copy to replace the (probably) infected one.

Regards,