Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Winfixer 2k5 and searc-h.com popups [RESOLVED]

Started by Magilla , Aug 11 2005 10:51 PM

This topic is locked

#1
Magilla

Posted 11 August 2005 - 10:51 PM

Retired Staff

Retired Staff
26 posts

Between Adaware, Spybot, Trojan Hunter, and Spyware Doctor, I've managed to remove nearly 1600 spyware problems from a customers computer, however I am still getting Winfixer 2005 and searc-h popups. :tazz:

HijackThis Log(Normal boot):

Logfile of HijackThis v1.99.1
Scan saved at 12:33:58 PM, on 8/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vet Start Up] C:\VET\VET98.EXE /PROGRESSIVE
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] c:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

===========================================
Hijack this log(Safe Mode):

Logfile of HijackThis v1.99.1
Scan saved at 3:50:05 PM, on 8/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

================================================
The problem seems to be associated with the RunDLL32.exe process, which, if end-tasked, goes away, taking the popup problem with it, at least for a while. Something is then restarting the process.

The Internet Explorer install has been corrupted, so, while still working partially, thinks it is IE5, it won't repair because so many files are the wrong version, and it won't let me install ie6 over the top, because "A previous installation has pending work requiring a reboot". This means that online scanners like trendmicros housecall won't work.

Edit: I've been directed to Process Explorer by Skate_Punk (IRC). The rundll process in question looks like this:
==========================================
DLLS
Process PID CPU Description Company Name
Idle 0x0 88.30 System Idle Process
KERNEL32.DLL 0xFFEFF8ED 0.29 Win32 Kernel core component Microsoft Corporation
MSGSRV32.EXE 0xFFFFCF45 Windows 32-bit VxD Message Server Microsoft Corporation
EXPLORER.EXE 0xFFFE7EB1 1.07 Windows Explorer Microsoft Corporation
SWDOCTOR.EXE 0xFFFDA809 7.31 Spyware Doctor PCTools
RUNDLL32.EXE 0xFFFD0375 0.19 Run a DLL as an App Microsoft Corporation
PROCEXP.EXE 0xFFE15E99 2.83 Sysinternals Process Explorer Sysinternals
MPREXE.EXE 0xFFFE33B9 WIN32 Network Interface Service Process Microsoft Corporation
mmtask.tsk 0xFFFE1BF9 Multimedia background task support module Microsoft Corporation

Process: RUNDLL32.EXE Pid: FFFD0375

Name Description Company Name Version
ADVAPI32.DLL Win32 ADVAPI32 core component Microsoft Corporation 4.80.0000.1675
BROWSEUI.DLL Shell Browser UI Library Microsoft Corporation 5.00.2614.3500
COMCTL32.DLL Common Controls Library Microsoft Corporation 5.80.2614.3500
COMDLG32.DLL Common Dialogs DLL Microsoft Corporation 4.72.3510.2300
CRYPT32.DLL Crypto API32 Microsoft Corporation 5.131.1877.0004
DHCPCSVC.DLL
GDI32.DLL Win32 GDI core component Microsoft Corporation 4.10.0000.1998
ICMP.DLL ICMP DLL Microsoft Corporation 5.00.1454.0001
IPCFGDLL.DLL Ipconfig API DLL Microsoft Corporation 5.00.1717.0002
IPHLPAPI.DLL IP Helper API Microsoft Corporation 5.00.1717.0002
KERNEL32.DLL Win32 Kernel core component Microsoft Corporation 4.10.0000.2222
klg.DAT Spyware Doctor PC Tools 3.00.0000.0023
MPR.DLL WIN32 Network Interface DLL Microsoft Corporation 4.10.0000.1998
MSAFD.DLL Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 4.10.0000.1998
MSNET32.DLL Microsoft 32-bit Network API Library Microsoft Corporation 4.10.0000.1998
MSOSS.DLL Microsoft Trust ASN APIs Microsoft Corporation 5.131.1877.0003
MSPWL32.DLL Password list management library Microsoft Corporation 4.10.0000.1998
MSVCRT.DLL Microsoft ® C Runtime Library Microsoft Corporation 6.00.8797.0000
MSVCRT20.DLL Microsoft® C Runtime Library Microsoft Corporation 2.11.0000.0000
MSWSOCK.DLL Microsoft WinSock Extension APIs Microsoft Corporation 4.10.0000.2222
NETAPI32.DLL 32-bit network API DLL Microsoft Corporation 4.10.0000.1998
NETBIOS.DLL
OLE32.DLL Microsoft OLE for Windows and Windows NT Microsoft Corporation 4.71.2900.0000
OLEAUT32.DLL Microsoft Corporation 2.40.4518.0000
OLEDLG.DLL Microsoft Windows™ OLE 2.0 User Interface Support Microsoft Corporation 5.00.1555.0000
ONBCTL32.DLL
RASAPI32.DLL Dial-Up Networking Dynamic Linked Library Microsoft Corporation 4.10.0000.2222
RNR20.DLL Windows Socket2 NameSpace DLL Microsoft Corporation 4.10.0000.2222
RPCRT4.DLL Remote Procedure Call DLL Microsoft Corporation 4.71.2900.0002
RUNDLL32.EXE Run a DLL as an App Microsoft Corporation 4.10.0000.1998
SECUR32.DLL Microsoft Win32 Security Services Microsoft Corporation 4.10.0000.2222
SHDOCVW.DLL Shell Doc Object and Control Library Microsoft Corporation 5.00.2614.3500
SHELL32.DLL Windows Shell Common Dll Microsoft Corporation 4.72.3612.1700
SHFOLDER.DLL Shell Folder Service Microsoft Corporation 5.00.2919.0200
SHLWAPI.DLL Shell Light-weight Utility Library Microsoft Corporation 5.00.2614.3500
SVRAPI.DLL 32-bit common Server API library Microsoft Corporation 4.10.0000.1998
swpg.DAT Spyware Doctor PC Tools 3.00.0000.0035
TAPI32.DLL Microsoft® Windows™ Telephony API Client DLL Microsoft Corporation 4.10.0000.2222
URLMON.DLL OLE32 Extensions for Win32 Microsoft Corporation 5.00.2614.3500
USER32.DLL Win32 USER32 core component Microsoft Corporation 4.10.0000.2222
VERSION.DLL Win32 VERSION core component Microsoft Corporation 4.10.0000.1998
WININET.DLL Internet Extensions for Win32 Microsoft Corporation 5.00.2614.3500
WINSPOOL.DRV Win32 WINSPOOL core component Microsoft Corporation 4.10.0000.1998
WS2_32.DLL Windows Socket 2.0 32-Bit DLL Microsoft Corporation 4.10.0000.2222
WS2HELP.DLL Windows Socket 2.0 Helper for Windows 98 Microsoft Corporation 4.10.0000.1998
WSOCK32.DLL BSD Socket API for Windows Microsoft Corporation 4.10.0000.1998
===============================================
Handles
Process PID CPU Description Company Name
Idle 0x0 86.80 System Idle Process
KERNEL32.DLL 0xFFEFF8ED 0.10 Win32 Kernel core component Microsoft Corporation
MSGSRV32.EXE 0xFFFFCF45 Windows 32-bit VxD Message Server Microsoft Corporation
EXPLORER.EXE 0xFFFE7EB1 1.08 Windows Explorer Microsoft Corporation
SWDOCTOR.EXE 0xFFFDA809 9.85 Spyware Doctor PCTools
RUNDLL32.EXE 0xFFFD0375 0.10 Run a DLL as an App Microsoft Corporation
PROCEXP.EXE 0xFFE15E99 2.07 Sysinternals Process Explorer Sysinternals
MPREXE.EXE 0xFFFE33B9 WIN32 Network Interface Service Process Microsoft Corporation
mmtask.tsk 0xFFFE1BF9 Multimedia background task support module Microsoft Corporation

Process: RUNDLL32.EXE Pid: FFFD0375

Type Name
Device VIP
Device WSOCK2
Device VDHCP
Event InitUMonitor
File C:\WINDOWS\SYSTEM\SKLWOA.DLL
File C:\WINDOWS\LOCALS~1\TEMPOR~1\CONTENT.IE5\INDEX.DAT
File C:\WINDOWS\COOKIES\INDEX.DAT
File C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
MappedFile AutoUnhookMap$fffd0375$5a000000
MappedFile AutoUnhookMap$fffd0375$010e0000
MappedFile rpcrt4sharedmem
MappedFile fileAllocatorMutex
MappedFile C:_WINDOWS_Local Settings_Temporary Internet Files_Content.IE5_index.dat_16171008
MappedFile C:_WINDOWS_Cookies_index.dat_245760
MappedFile C:_WINDOWS_History_History.IE5_index.dat_1523712
Mutex Winsock2ProtocolCatalogMutex
Mutex Winsock2ProtocolCatalogMutex
Mutex ZonesCounterMutex
Mutex ZonesCacheCounterMutex
Mutex OleCoSharedStateMtx
Mutex OLESCMSRVREGLISTMUTEX
Mutex OLESCMGETHANDLEMUTEX
Mutex OLESCMROTMUTEX
Mutex OleDfSharedMemoryMutex
Mutex ScmWIPMutex
Mutex WininetStartupMutex
Mutex WininetConnectionMutex
Mutex WininetProxyRegistryMutex
Mutex _!MSFTHISTORY!_
Mutex c:!windows!local settings!temporary internet files!content.ie5!
Mutex c:!windows!cookies!
Mutex c:!windows!history!history.ie5!
Mutex MPRMutex
Mutex svrapi
Mutex OLESCMLOCKMUTEX
Process RUNDLL32.EXE(FFFD0375)
Semaphore DocfileAllocatorMutex
Thread RUNDLL32.EXE(FFFD0375): FFFC36FD
Thread RUNDLL32.EXE(FFFD0375): FFFD5595
Thread RUNDLL32.EXE(FFFD0375): FFFD5595

Edited by Magilla, 12 August 2005 - 01:52 AM.

#2
Excal

Posted 12 August 2005 - 02:02 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Magilla and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Download Findit Here and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Thanks,

:tazz:

Excal

#3
Magilla

Posted 12 August 2005 - 02:32 AM

Retired Staff

Topic Starter
Retired Staff
26 posts

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

JTEG2X32 DLL 226,080 08-04-05 4:58p JTEG2X32.DLL
OKFIL400 DLL 226,080 08-04-05 4:58p OKFIL400.DLL
PBXPNR DLL 226,080 08-04-05 4:58p PBXPNR.DLL
AYDCXC32 DLL 226,080 08-04-05 4:58p AYDCXC32.DLL
MQRD3X40 DLL 226,080 08-04-05 4:58p MQRD3X40.DLL
MVJTER32 DLL 226,080 08-04-05 4:58p MVJTER32.DLL
SKLWOA DLL 226,080 08-04-05 4:58p SKLWOA.DLL
WXLP16T DLL 226,080 08-04-05 4:58p WXLP16T.DLL
SLORTS DLL 226,080 08-04-05 4:58p Slorts.dll
DZSTYLE DLL 226,080 08-04-05 4:58p dzstyle.dll
SSORTS DLL 226,080 08-04-05 4:58p Ssorts.dll
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
12 file(s) 2,493,024 bytes
0 dir(s) 2,143.63 MB free

------- Hidden Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

WS285050 OCX 557 02-01-01 9:59a ws285050.ocx
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
FOLDER HTT 13,122 07-23-99 1:03a folder.htt
DESKTOP INI 266 07-23-99 1:03a desktop.ini
4 file(s) 20,089 bytes
0 dir(s) 2,143.62 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0335E0BA-EAC0-FDD5-3FDA-B1BB9B25BDF7}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
jteg2x32.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
okfil400.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
pbxpnr.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
aydcxc32.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
mqrd3x40.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
mvjter32.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
sklwoa.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
wxlp16t.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
slorts.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
dzstyle.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
ssorts.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K

11 items found: 11 files, 0 directories.
Total of file sizes: 2,486,880 bytes 2.37 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

#4
Excal

Posted 12 August 2005 - 02:34 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Please download L2m9xfix here:
http://swandog46.gee...om/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

#5
Magilla

Posted 12 August 2005 - 03:03 AM

Retired Staff

Topic Starter
Retired Staff
26 posts

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\AYDCXC32.DLL
C:\WINDOWS\system\DQDIM.DLL
C:\WINDOWS\system\dzstyle.dll
C:\WINDOWS\system\JTEG2X32.DLL
C:\WINDOWS\system\MQRD3X40.DLL
C:\WINDOWS\system\MVJTER32.DLL
C:\WINDOWS\system\OKFIL400.DLL
C:\WINDOWS\system\PBXPNR.DLL
C:\WINDOWS\system\SKLWOA.DLL
C:\WINDOWS\system\Slorts.dll
C:\WINDOWS\system\Ssorts.dll
C:\WINDOWS\system\WXLP16T.DLL

************

Registry entries found:

************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!

Finished!

#6
Excal

Posted 12 August 2005 - 03:14 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Download Track qoo
Save it somewhere you will remember like the Desktop

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of FindIt9xME!

Thanks,

:tazz:

Excal

#7
Magilla

Posted 12 August 2005 - 03:39 AM

Retired Staff

Topic Starter
Retired Staff
26 posts

====Find it====

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

OQ25 DLL 226,080 08-04-05 4:58p OQ25.DLL
SKLWOA DLL 226,080 08-04-05 4:58p SKLWOA.DLL
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
3 file(s) 458,304 bytes
0 dir(s) 2,144.03 MB free

------- Hidden Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

WS285050 OCX 557 02-01-01 9:59a ws285050.ocx
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
FOLDER HTT 13,122 07-23-99 1:03a folder.htt
DESKTOP INI 266 07-23-99 1:03a desktop.ini
4 file(s) 20,089 bytes
0 dir(s) 2,144.03 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0335E0BA-EAC0-FDD5-3FDA-B1BB9B25BDF7}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
oq25.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K
sklwoa.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K

2 items found: 2 files, 0 directories.
Total of file sizes: 452,160 bytes 441.56 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

===Track qoo===
Windows Scripting Host - Script Execution Error
Line 16
Column 0
Microsoft VB Runtime script error
File name or classname not found during Automation operation: 'GetObject'

#8
Excal

Posted 12 August 2005 - 01:30 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Download the Host Here

Open up the Host program.

Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files
then click Restore orginal host files
close program

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\SYSTEM\SKLWOA.DLL
C:\WINDOWS\SYSTEM\OQ25.DLL
C:\WINDOWS\SYSTEM\guard.tmp

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Please let me have a log from each of the programs one more time.

Thanks,

:tazz:

Excal

#9
Magilla

Posted 15 August 2005 - 01:29 AM

Retired Staff

Topic Starter
Retired Staff
26 posts

=====Hijack This=====
Logfile of HijackThis v1.99.1
Scan saved at 3:25:51 PM, on 8/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

=====Find It=====
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

SKLWOA DLL 226,080 08-04-05 4:58p SKLWOA.DLL
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
2 file(s) 232,224 bytes
0 dir(s) 2,133.38 MB free

------- Hidden Files in System Directory -------

Volume in drive C is SYSTEM
Volume Serial Number is 3579-00F3
Directory of C:\WINDOWS\SYSTEM

WS285050 OCX 557 02-01-01 9:59a ws285050.ocx
ACCESS CTL 6,144 07-25-99 12:41a access.ctl
FOLDER HTT 13,122 07-23-99 1:03a folder.htt
DESKTOP INI 266 07-23-99 1:03a desktop.ini
4 file(s) 20,089 bytes
0 dir(s) 2,133.38 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0335E0BA-EAC0-FDD5-3FDA-B1BB9B25BDF7}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
sklwoa.dll Thu Aug 4 2005 4:58:18p ..S.R 226,080 220.78 K

1 item found: 1 file, 0 directories.
Total of file sizes: 226,080 bytes 220.78 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

=====EoL=====

I've tried to delete SKLWOA.DLL twice with KillBox, but to no avail. Every time I fix the hosts file, it gets changed back. What next?

#10
Excal

Posted 15 August 2005 - 07:17 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Lets try this.

Boot into safe mode.

go to start then run. type in cmd then ok

type in the following:

cd C:\

then enter

cd windows

then enter

cd system

then enter

attrib -r -s -h SKLWOA.DLL

then enter

del SKLWOA.DLL

then enter

reboot into normal mode

I need to see a Copy of you Hosts File and a HijackThis log from Normal Mode please!

Open HijackThis-> Click Config-> Click Misc Tools-> Click Open Hosts File Manager-> Click Open in Notepad->

Copy&Paste the entire Contents of that Notepad Page to your Next Post!

Post back with a findit log from Normal Mode and the Hosts File log!

#11
Magilla

Posted 15 August 2005 - 10:45 PM

Retired Staff

Topic Starter
Retired Staff
26 posts

Logfile of HijackThis v1.99.1
Scan saved at 12:35:28 PM, on 8/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
=========================
I repaired the hosts file after deleting SKLWOA.dll, and it has remained the same since :tazz:

Unfortunately, not having read the instructions properly, I forgot to save a copy first. This was the original backup created by hoster:

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 xads.offeroptimizer.comm
127.0.0.1 search.offeroptimizer.com
127.0.0.1 ximages.offeroptimizer.com
127.0.0.1 xlime.offeroptimizer.com
127.0.0.1 xadsj-o.offeroptimizer.com
127.0.0.1 xadsj.offeroptimizer.com
127.0.0.1 www.offeroptimizer.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com

#12
Excal

Posted 15 August 2005 - 11:09 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Can you try the host file restore in safe mode please.

Thanks,

:tazz:

Excal

#13
Magilla

Posted 15 August 2005 - 11:44 PM

Retired Staff

Topic Starter
Retired Staff
26 posts

Sorry, I wasn't very clear. I replaced it after deleting SKLWOA.dll, and it now seems to be OK...

#14
Excal

Posted 15 August 2005 - 11:56 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

I recommend that you Defrag your computer:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware

If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir

The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read [url=http://forums.net-

#15
Magilla

Posted 16 August 2005 - 12:05 AM

Retired Staff

Topic Starter
Retired Staff
26 posts

Thanks for the help :tazz:

Hopefully I'll be helping with you guys soon. BTW, I think you missed a bit on your post...

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read [url=http://forums.net-