very annoying win98 problem


frazhm
22nd Jan 2005, 22:48
I seem to have a prob with the windows explorer on win 98. The computer boots up ok but on the desktop the following icons do not respond - my computer, my documents and I cannot access the control panel. I have to access documents via new office document. The run command works and I have tried msconfig and even tried a full reload on win98 but to no avail.
When the machine freezes I use ctrl-alt-del as this is the only way the computer will switch off (it sometimes says explorer is not responding).
The problem does not occur when booted up in safe mode. Any suggestions???

E-Liam
23rd Jan 2005, 11:09
Hi Frazhm,

Please download 'Hijack This!' from here (http://thespykiller.co.uk/hjttut.htm), unzip, and place it in its own folder (not in the temp folder, or on the desktop). Double-click HijackThis.exe, check for updates by clicking on Config | Misc. Tools | Check for Updates and follow the prompts. Once updated click on Scan. When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam

frazhm
23rd Jan 2005, 19:16
Well Liam, here is the log - it all seems double dutch to me. I have been plagued with the "about blank" virus/trojan and eventually reverted to mozilla firefox to rid myself of it - but I KNOW IT IS STILL THERE (may the f###er who invented that particular nasty with its hidden files die in a rat infested wheelie bin dumped in the Straits of Hormuz).

Anyhow, good luck and many thanks

Frazhm

Logfile of HijackThis v1.99.0
Scan saved at 19:53:36, on 23/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SBPCI\CTMIX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\tiscali.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {30F6FB6A-DE57-4F8C-AC26-D599168BC714} - C:\WINDOWS\SYSTEM\HKMC.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24f46740744e333abd15/netzip/RdxIE601.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.13/31381/online.chm::/on-line.exe
O18 - Filter: text/html - {86AD4E3A-9A5E-47F6-99F7-A008A191D6D7} - C:\WINDOWS\SYSTEM\HKMC.DLL
O18 - Filter: text/plain - {86AD4E3A-9A5E-47F6-99F7-A008A191D6D7} - C:\WINDOWS\SYSTEM\HKMC.DLL

E-Liam
24th Jan 2005, 20:08
Hi,

Sorry, but as you can see there are a few logs being posted, and I'm really the only one here who does them.. and I'm just off out. :( You've been hijacked by CoolWebSearch.

Download Shredder from..

http://cwshredder.net/bin/CWShredder.exe

update it and run it, and post a new log. I'll do a manual clean up when I get in, if you haven't read this in the meantime.

Cheers

Liam

E-Liam
25th Jan 2005, 17:11
Hi Frazhm,

Apologies for not getting back sooner. I thought I'd be able to do yours and Aiglon's in my dinner break, but his turned out to be more complex than at first glance. Still, I'm here now.. :)

Please print these instructions, and download all the programs listed before you start, as once you get going, you must not open a browser window until you're done.

You’ve been hijacked by CoolWebSearch. Please go here (http://www.thepykiller.co.uk) and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. (please note that after running Shredder, some may no longer appear) Next, close all browser windows and click the Fix checked button…

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {30F6FB6A-DE57-4F8C-AC26-D599168BC714} - C:\WINDOWS\SYSTEM\HKMC.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24f4674...ip/RdxIE601.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.13/31381/online.chm::/on-line.exe
O18 - Filter: text/html - {86AD4E3A-9A5E-47F6-99F7-A008A191D6D7} - C:\WINDOWS\SYSTEM\HKMC.DLL
O18 - Filter: text/plain - {86AD4E3A-9A5E-47F6-99F7-A008A191D6D7} - C:\WINDOWS\SYSTEM\HKMC.DLL

Next, please double click on the My Computer icon on the desktop. Go to View | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...

C:\WINDOWS\SYSTEM\HKMC.DLL

C:\WINDOWS\SYSTEM\DSMANA~1.DLL

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de), if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next, download and run CCleaner (http://www.ccleaner.com/). If you have certain cookies you want to retain, then click on the Options button before running, and move across the ones that you want to keep...

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log and we'll see how it's going. There's a good chance that we won't get this on the first attempt, as with many variants of CWS, but we will do it.. :)

Cheers

Liam
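
Added example, not part of the thread or of any of the tools named in it: a small Python triage pass over HijackThis-style log lines that flags the CoolWebSearch indicators Liam picked out above (IE search/start pages reset to about:blank, the unnamed BHO sitting in C:\WINDOWS\SYSTEM, O16 ActiveX entries loading from file:// paths or executables, and O18 MIME filters on text/html). The sample lines are copied from the log posted earlier in the thread; the rule set and function names are my own.

```python
import re
from typing import Optional, List, Tuple

# Sample input: lines copied from the HijackThis log posted above, mixing hijack
# entries with legitimate ones (Google toolbar, SysTray) so the rules are exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {30F6FB6A-DE57-4F8C-AC26-D599168BC714} - C:\WINDOWS\SYSTEM\HKMC.DLL
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\SYSTEM\DSMANA~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O18 - Filter: text/html - {86AD4E3A-9A5E-47F6-99F7-A008A191D6D7} - C:\WINDOWS\SYSTEM\HKMC.DLL
"""

# IE pages that CoolWebSearch resets the search/start entries to.
HIJACKED_PAGES = ("about:blank", "about:navigationfailure")
SECTION_RE = re.compile(r"^(R[01]|O\d+) - (.*)$")

def triage_line(line: str) -> Optional[str]:
    """Return a reason if the HijackThis line matches a CWS indicator, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2).lower()
    if section in ("R0", "R1"):
        # Also normalise "about :blank" (space inserted to dodge forum smileys).
        value = body.split("=", 1)[-1].replace(" ", "")
        if value in HIJACKED_PAGES:
            return "IE search/start page reset to " + value
    elif section == "O2":
        # Heuristic: CWS drops its BHO DLLs straight into the system folder.
        if body.startswith("bho: (no name)") or "\\windows\\system\\" in body:
            return "unnamed BHO, or BHO loading from the Windows system folder"
    elif section == "O16":
        if "file://" in body or "ms-its:" in body or body.endswith(".exe"):
            return "ActiveX (DPF) entry pointing at a local file or executable"
    elif section == "O18":
        if body.startswith("filter: text/html") or body.startswith("filter: text/plain"):
            return "MIME filter hooked on text/html or text/plain (rewrites pages)"
    return None

def triage_log(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line in the log that trips a rule."""
    return [(raw.strip(), r) for raw in log.splitlines() if (r := triage_line(raw))]

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Pattern rules only catch what they are written for: the RdxIE CAB from real.com that Liam also fixed trips none of them, so treat the output as a first pass that still needs a human read of the full log.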

frazhm
12th Feb 2005, 22:12
Hi Liam
I have been away for a few weeks and so I have not had time to respond.

The good news is that after following your instructions my computer is behaving normally.

I have not had a chance to run Hijackthis and post the log. I am just relieved everything is ok. However I am eternally grateful and should anything similar happen I feel I now know what to do.


Many thanks
frazhm

E-Liam
14th Feb 2005, 18:25
You're welcome frazhm,

If you get a chance, post up a new log, and I'll give it the once over for you.. :ok: :)

Cheers

Liam