Here is a fix for Windows 98



#1 BobO (Full Member, 54 posts)

Posted 27 June 2004 - 07:14 AM

Hi everyone,

Three days ago I used this fix to clean my machine of CWSearchx. I posted my experiences here. Since then a number of people have reported that these steps worked for them too, and so I’m posting a step-by-step how-to for everyone to take a look at. I don’t have a WinXP machine, so I don’t know if it will work in XP. But it does work in Win 98.

This technique uses a scalpel, not a machete. No essential system files will be accidentally deleted. The task is to find the hidden file that regenerates the CWS infection after CWS Shredder, Adaware, Spybot, and Hijack This have removed the visible symptoms.


1. Make sure that Windows Explorer is set to display all hidden and system files: go to Tools>Folder Options>View and click the button for Show All Files.

2. Run Adaware. Make sure you instruct it to scan your \Windows, \Program Files, and \My Documents folders. Then run Shredder. Remove every suspicious thing they find.

3. Next take your computer offline – unplug your modem, whatever. No Web connection.

4. Run the Windows utility "System Information." It’s on your Start Menu under System Tools, or just click Start>Run and on the command line type msinfo32.

5. Expand the Software Environment section, and select System Hooks.

6. If you are infected with CWSearchx, you will see a suspicious file there. Hook type “Windows Procedure.” File name will be a nonsense string of characters, ending in .dll. The dll Path will be \Windows\System. WRITE THE NAME OF THIS FILE DOWN.

7. Close MS Info. Open Windows Explorer, go to \Windows\System and look for this file. IF YOU CAN SEE IT, IT’S THE WRONG FILE. But if you can’t see it, this is the one.

8. Shut down, and reboot into Command Prompt Safe Mode. On the C:\ command line, type cd\Windows\System.

9. Once inside \Windows\System, type dir, a space, and the name of the file you wrote down. (like this: dir ghyth.dll). When the file shows up, take a look at its size. It will probably be 57,344 bytes.

10. Type ren, a space, and the name of the file you wrote down, and then a new name for the file. (like this: ren ghyth.dll ghyth.bob). Make sure you change the extension of the file from .dll to something else. Do not delete the file.

11. Restart your computer in Windows Safe Mode. Windows may complain that it can’t find the .dll, but click OK and keep going.

12. Once in Safe Mode, run Adaware again. This time it will find the renamed file in your System folder and will identify it as CWS. If it does, have Adaware delete it.

13. Run Shredder, Spybot, and Hijack This for good measure. Clean house.

14. Reconnect your Internet connection and restart Windows normally. Reset your IE home page to whatever you want. You’re done.


I would also recommend you get a good firewall and set your browser for High Security.

Good luck! If it works for you, post a reply to this message to keep it bumped.

Thanks.
BobO

Edited by BobO, 28 June 2004 - 06:27 AM.


#2 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 08:33 AM

Hey it really works!

It's been four days since I scrubbed CWS from my system. Four days without popups, without about:blank, without anything showing up in either Spybot or Adaware. It's gone.

If you have Win 98, and nothing else seems to work, this is definitely worth a try. And it's easy too.

Let me know.

BobO

#3 The Fist (Full Member, 50 posts)

Posted 28 June 2004 - 10:43 AM

I'm running Windows ME. I can't find the "System Hooks" under the "Software Environment" while running System Information. Can anyone suggest where I should look in Windows ME for the hidden file?

#4 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 11:55 AM

I have checked the System Information listings from an uninfected Windows XP machine at work, so I can't be sure. But you could look under Loaded Modules in the Software Environment section. There will be a large number of files listed, but you can click on the File Date column header and sort them by date, newest at the top. The suspect file will be one from May or June 2004.

If you find a file that fits the description, I would suggest you follow the rest of the steps above, first to confirm its identity as a CWS file and then to remove it.

Good luck!

#5 sights0d (Full Member, 57 posts)

Posted 28 June 2004 - 03:38 PM

INCREDIBLE! Bob0, you are THE MAN! I fixed mine finally, instead of having to wipe my comp!

If you're ever in Sacramento, my house is your house!

#6 wop (Full Member, 7 posts)

Posted 28 June 2004 - 04:54 PM

Could the file be in the windows/system32 folder? If so, I have found a .dll that was 'downloaded' on my comp about when this started happening, and it's called kbiieba.dll. Could that be it? I'm running Win XP, but I'm going to try this and see if it works. Also, it shows that the version/manufacturer is not available; it's the only weird-looking one with the date right.

Edited by wop, 28 June 2004 - 04:55 PM.


#7 wop (Full Member, 7 posts)

Posted 28 June 2004 - 05:05 PM

I don't know if this is going to work because it's in the sys32 folder, so for step number 7 I can't see it in the windows/system, but I CAN see it in the windows/system/32.

#8 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 05:41 PM

wop -- that could be it... all these files have weird names.

Heck you could always rename the kbiieba.dll to kbiieba.d$$ or something, and then restart your machine and see what happens...

and get Adaware to scan the file, too. If it's CWS, then Adaware will say so.


sights0d -- let me humbly say "you're very welcome!" I couldn't be happier that the method worked for you!

BobO

#9 wop (Full Member, 7 posts)

Posted 28 June 2004 - 06:33 PM

Ah, I really found it now. It's called res.dll and it's locked and is the same file size; the other file was only 30k. Now to try the rest of the steps... thanks again.

#10 BobO (Full Member, 54 posts)

Posted 28 June 2004 - 08:19 PM

wop -- please let us know how it works out -- the .dll file I removed in Win 98 was 57,344 bytes. What's the size and date of res.dll? If res.dll *is* the culprit, where did you locate it in Win XP System Information?

Thanks on behalf of everyone.

Edited by BobO, 28 June 2004 - 08:19 PM.


#11 MTC (Full Member, 7 posts)

Posted 28 June 2004 - 10:24 PM

Hi Bob, thanks for all your hard work. This PC I am working on is infected, but in System Hooks I am showing only one file and it is d3d.dll. Not the infected file I am looking for. Can't seem to find the file causing all the problems.

Dave C

#12 MTC (Full Member, 7 posts)

Posted 28 June 2004 - 10:28 PM

In fact, here is a HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 11:28:48 PM, on 6/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\DO NOT DELETE.BOOKEND'S TECH SUPPORT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Romano's Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {0961A886-112B-40C8-9060-DE2AC3A2A4B1} - C:\WINDOWS\SYSTEM\HEHK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

Any help would be appreciated...

cheers..

Dave

#13 Reg (Full Member, 30 posts)

Posted 28 June 2004 - 11:14 PM

I say again, "BobO is god." Win 98 - file "Wdmbce.dll" - 57,344 bytes - nuked with Ad-aware - life is good (so far).

#14 BobO (Full Member, 54 posts)

Posted 29 June 2004 - 03:36 AM

MTC (Dave),

Some suggestions,

That \temp\sp.html file has got to go. So does the \system\hehk.dll. Manually delete those files yourself, and have Hijack This remove the references in the Registry.

I notice that your browser is an earlier version -- mine is 6.0.2800.1106. Go to Windows Update (in IE click Tools>Windows Update) and download all the latest security fixes that the site prescribes for your machine.

When you run adaware, make sure you choose Custom Scanning Options, and have it scan your \Windows, \Program Files, and \My Documents folders. Also make sure it unloads recognized processes before scanning. Run CWS Shredder and Spybot as well.

If all else fails, reboot into Command Line Safe Mode, navigate to \Windows\System, and type dir *.dll | more. You will get a page-by-page readout of all the dlls in that folder, along with their date and size. Write down all the dlls that have a size of exactly 57,344 bytes (there are a number of them). If you find one with a weird name, and a date within May or June 2004, it is suspect. Rename it, reboot Windows into Safe Mode, and scan it with Adaware. If it's harmless, rename it back.

If you've done all this, and you still have no suspicious dll's showing up in your System Hooks section, and the problems keep coming back, I can only suggest you start a new thread and post your latest log there.

Best of luck,
BobO
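The two things BobO points at in Dave's log (the IE search settings redirected to file://...\TEMP\sp.html and the unnamed BHO loading HEHK.DLL from \WINDOWS\SYSTEM) can be picked out of a HijackThis log mechanically. The following is an added example written for this thread, not BobO's or HijackThis's own code; it assumes the 1.97-era line shapes shown in the posted log, and its sample log is a trimmed copy of that log.

```python
"""Pick the CoolWebSearch tell-tales out of a HijackThis (1.97-era) log.

Added example, not code from the thread or from HijackThis. It encodes the two
things BobO's reply singles out: IE search/start settings (R0/R1 lines)
redirected to a local file:// page or to about:blank, and an O2 BHO entry with
"(no name)" whose DLL lives in \\WINDOWS\\SYSTEM. A legitimate "(no name)" BHO
such as Spybot's SDHelper.dll sits under \\Program Files and is left alone.
"""
import re

LINE_RE = re.compile(r"^([RO]\d{1,2})\s+-\s+(.*\S)\s*$")
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s*-\s*\{([0-9A-Fa-f-]{36})\}\s*-\s*(.+)$")
LOCAL_TARGET_RE = re.compile(r"^(file://|about:blank)", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)

# Trimmed from the log posted in this thread (post #12); process list shortened.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Romano's Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {0961A886-112B-40C8-9060-DE2AC3A2A4B1} - C:\WINDOWS\SYSTEM\HEHK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
"""


def parse_hjt(log):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' line.
    The header and the running-process list are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_hjt(log):
    """Return (findings, files). findings are (section, item, why) tuples; files are
    the on-disk artefacts behind them, which the thread's advice is to remove and then
    let HijackThis clean the registry references."""
    findings, files = [], set()
    for section, body in parse_hjt(log):
        if section in ("R0", "R1"):
            key, sep, value = body.partition(" = ")
            value = value.strip()
            if sep and LOCAL_TARGET_RE.match(value):
                findings.append((section, key, "IE setting hijacked to " + value))
                if value.lower().startswith("file://"):
                    files.add(value[len("file://"):])
        elif section == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            name, path = m.group(1), m.group(3).strip()
            # Unnamed BHO whose DLL hides in the system folder: the CWS pattern.
            if name.lower() == "(no name)" and SYSTEM_DIR_RE.search(path):
                findings.append((section, path, "unnamed BHO loading from the system folder"))
                files.add(path)
    return findings, files


if __name__ == "__main__":
    found, paths = triage_hjt(SAMPLE_LOG)
    for section, item, why in found:
        print("%-3s %-70s %s" % (section, item, why))
    print("files to deal with:", sorted(paths))
```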

#15 MTC (Full Member, 7 posts)

Posted 29 June 2004 - 03:38 AM

Excellent BobO, thanks for your help.

DC

#16 Bobc (Full Member, 7 posts)

Posted 29 June 2004 - 10:10 PM

This works.

#17 marcbry81 (New Member, 1 post)

Posted 01 July 2004 - 04:18 PM

The file that I found was msdll.dll
How original they are getting. It was 57,344 bytes just like the other files. I am running AdAware in safe mode now. Thanks much!

#18 Archon_Wing (Donut Patron, Trusted Advisor, 368 posts)

Posted 01 July 2004 - 04:29 PM

I'm running Windows ME. I can't find the "System Hooks" under the "Software Environment" while running System Information. Can anyone suggest where I should look in Windows ME for the hidden file?

Maybe Dr. Watson can help for Windows ME

http://support.micro...&NoWebContent=1

Edited by Archon_Wing, 01 July 2004 - 04:29 PM.

Rights are never important until you don't have them.

#19 The Fist (Full Member, 50 posts)

Posted 01 July 2004 - 07:41 PM

Archon Wing:

I actually found the offending file manually based on a suggestion of ideaphorian. I posted the step by step for getting rid of this thing for Windows ME HERE. Thanks for the response.

#20 invis_tres (Full Member, 31 posts)

Posted 02 July 2004 - 08:41 AM

Hey bobo,
I had this infection and I removed it myself some time ago using brute force (that is, deleting anything that HJT shows) and going into the registry and deleting all Run, RunServices, RunOnce, RunServicesOnce values,
then running Adaware, CWS etc. and saying yes to any delete that it pops up ;)
I've been free of these popups and hijacks for some time.

But I happened to read this pinned today, so I thought why not give it a try.


I tried this in normal mode, not Safe Mode.

The results are as follows:

Microsoft® Windows 98
  ©Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>cd system

C:\WINDOWS\SYSTEM>dir hlpdeg.dll

Volume in drive C has no label
Volume Serial Number is 1663-1805
Directory of C:\WINDOWS\SYSTEM

HLPDEG  DLL        57,344  06-20-04  2:40a hlpdeg.dll
        1 file(s)        57,344 bytes
        0 dir(s)  1,125,449,728 bytes free

C:\WINDOWS\SYSTEM>ren hlpdeg.dll bugga.got
Duplicate file name or file in use

C:\WINDOWS\SYSTEM>



Even though I seem to have this dll running, I am not facing any hijack problems.

Just in case, I am attaching my latest HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 6:46:04 AM, on 7/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HCWS\HIJACKTHIS.EXE

O4 - HKCU\..\Run: [] C:\PROGRA~1\WEBFONE\WebFone.exe -auto
O4 - Startup: Virtual Drive Manager Network.lnk = C:\Program Files\FarStone\VirtualDrive\mgr.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


This is an unedited log. It is very lean because I run everything when I need it; I don't let Windows run anything automatically except the bare minimum it needs to run.


What do you say as to why I don't have any popups and hijacks?

#21 The Fist (Full Member, 50 posts)

Posted 02 July 2004 - 09:00 AM

invis_tres:

How long have you been without being redirected? The most I was able to do was about half a day before I deleted the offending file as provided in BobO's instructions. Try copying HLPDEG.dll to HLPDEG.tst by typing "copy HLPDEG.dll HLPDEG.tst" (you may have to do this by starting up with a system disk). Then run Ad-Aware. If Ad-Aware identifies HLPDEG.tst as CWS, I would go through the process of renaming the .dll and following the steps in BobO's instructions.

The Fist

Edited by The Fist, 02 July 2004 - 09:00 AM.


#22 invis_tres (Full Member, 31 posts)

Posted 02 July 2004 - 09:15 AM

Fist, it has been ten days almost, I think.
Ref my first post
http://www.spywarein...t=0
That was the day I managed to delete almost all the shit, but still I had some rare popups (no hijacks),
whereupon atri asked me to post the log here (we were chatting in #privacy).

It seems many had a look at it, and I think zero and atri asked me whether the dd****.exe is one I know. I said I dunno, but it's hidden somewhere and autostarting (I had my startup, run, etc. clean by then; couldn't find who was starting this shit exe).

They asked me to rename and quarantine it and submit a copy to them, which I did, and from then onwards there are no popups or hijacks.

Well, zero's NOD32 told him it's Trojan Agent Z blah, so I deleted the renamed file.

Well, now I remember the complaints I had about not being able to read or find hlpdeg.dll when I was playing with a file which had SetWindowsHook.

Edited by invis_tres, 02 July 2004 - 09:33 AM.


#23 BobO (Full Member, 54 posts)

Posted 02 July 2004 - 11:07 AM

invis_tres,

hlpdeg.dll sounds awfully suspicious to me. I don't have any such file on *my* system, and a Google search yields nothing. So its legitimate sounding name could just be random. (Unless you installed some new software package at the same time as it appeared?)

I don't know why it's dormant, but I agree with The Fist: get into Command Prompt Safe Mode, and rename it, and scan it with Adaware. 5'll getcha 10 it's a baddie.

Even if it's just taking up space, when it comes to CWS less is more.

BobO

#24 invis_tres (Full Member, 31 posts)

Posted 03 July 2004 - 07:34 AM

Hey bobo, give me the 5 balance amount that you said I'll get :D :thumbsup:
Yeah, today before booting I went into Safe Mode and did what you had posted, and
yes, Adaware recognises this file as CoolWebSearch:

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
(This is a copy of the file I made in Safe Mode just in case.)
CoolWebSearch Object recognized!
    Type               : File
    Data               : bugga.got
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\Desktop\
    FileSize           : 56 KB
    Created on         : 1/1/01
    Last accessed      : 7/1/04 6:30:00 PM
    Last modified      : 6/19/04 9:10:38 PM  <----- notice this 19/6 i think my 1st post is on 20/6 if i remember correctly



Disk scan result for C:\WINDOWS\Desktop\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1

CoolWebSearch Object recognized!
    Type               : File
    Data               : bugga.got
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\SYSTEM\
    FileSize           : 56 KB
    Created on         : 6/19/04 9:10:25 PM
    Last accessed      : 7/1/04 6:30:00 PM
    Last modified      : 6/19/04 9:10:38 PM


Well, it seems to be packed by UPX, but even the latest UPX [1.25w] couldn't decompress it; probably the UPX headers have been modified.
I have this file; if anyone is interested in getting it for analysis, please reply or PM.

:thumbsup: bob0

regards

Edited by invis_tres, 03 July 2004 - 07:36 AM.


#25 Daddy G (New Member, 3 posts)

Posted 03 July 2004 - 10:52 AM

Has worked for me! Thank you!!!

#26 daz1000 (New Member, 1 post)

Posted 06 July 2004 - 12:07 PM

THANK YOU!!!!!!!!!!!!!!!!!!!THANK YOU!!!!!!!!!!!!!!!!!!!THANK YOU!!!!!!!!!!!!!!!!!!!THANK YOU!!!!!!!!!!!!!!!!!!!

You're a genius!!!!!!!!!!!!!!


I don't know too much, and after hours of reading complex emails which didn't work, I tried yours, and fingers crossed........seems to have worked!

I really owe you one!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


THANKS!

#27 Abro (New Member, 1 post)

Posted 07 July 2004 - 03:28 AM

It worked!

Thank You so much BobO!
Thanks also to daz1000 for posting the instructions to computercops, where I found them. I've spent several days trying to remove cws a:b without success. Finally, it seems to be gone, thanks to You!

As said before, BobO is God!

#28 troman (Full Member, 3 posts)

Posted 07 July 2004 - 12:08 PM

BobO!

Here is another recovered patient of yours!

Spent about 10 hours trying to fix this crap until I stumbled upon your post.

Can't thank you enough!

Thanks again!!!!!!!!!

Tony

#29 michaelb (New Member, 1 post)

Posted 08 July 2004 - 08:57 PM

Has anybody who's fixed on their computer later searched the registry to see where that file is adding itself to do all its nasty stuff? Might help disable it that way too!

-Michael

#30 BobO (Full Member, 54 posts)

Posted 14 July 2004 - 09:07 AM

Hi everyone,

I've noticed that a number of people are struggling with this thing in Windows 98. Because it's relatively easy to apply this fix, I'm bumping the topic.

Good luck!

Thanks
BobO

#31 grampaneedshelp (Full Member, 10 posts)

Posted 14 July 2004 - 02:37 PM

BobO, when you say:
2. Run Adaware. Make sure you instruct it to scan your \Windows, \Program Files, and \My Documents folders. Then run Shredder. Remove every suspicious thing they find.

How exactly do you select ad-aware to scan these distinct files?

#32 BobO (Full Member, 54 posts)

Posted 14 July 2004 - 03:42 PM

grandpaneedshelp,

You can select which folders Adaware scans using Custom Scanning Options. But there is a LOT more to knowing how to get the most out of Adaware, so much so in fact that the instructions on how to do it are pinned to the top of the Malware Removal discussion group.

See this thread for specifics.

And good luck!

BobO

#33 grampaneedshelp (Full Member, 10 posts)

Posted 14 July 2004 - 04:24 PM

Thanks for the advice BobO. I have read and now understand. I intend to try your fix at the end of the work day today. I will post here on the morrow to let you know if it worked for me. Thanks for the advice -
Gramps

#34 jackowat (Full Member, 5 posts)

Posted 14 July 2004 - 08:34 PM

Thanks SO much BobO. It was great move by you to bump your post otherwise I would never have found it. I have had a post out there for a few days without any joy and your neat solution has solved my problem in a few minutes.
FYI, my file was also res.dll and exactly 57,344 bytes. The only difference I found from your instructions was that after renaming it, Adaware 6 did not recognise it as CWS. So I deleted it manually. It seems to have done the job anyway.

Thanks again for, hopefully, ending weeks of frustration. You are a star!

#35 BobO (Full Member, 54 posts)

Posted 14 July 2004 - 08:56 PM

Hey jackowat,

I'm really glad it worked for you! This bug is a bear to remove, but luckily in Win 98 the solution is easier than in Win 2K and XP. Hang in there Rubber Ducky! :)

I hope that cnm and the other dedicated people who maintain this board will decide to pin this solution for the benefit of Win 98 users. In the meantime, I'll bump it regularly to help keep it in front of everyone.

Best,
BobO

#36 MTC (Full Member, 7 posts)

Posted 14 July 2004 - 09:00 PM

Hi all. Seems the .dll is a little different for everyone (name of file). Removed it from two machines with the help of BobO. Thought it was going to take forever though.

Hang in there...

DC

#37 seth17 (Full Member, 8 posts)

Posted 14 July 2004 - 11:05 PM

I am running Windows XP Home Edition. I was wondering if anyone could help me remove my CoolWebSearch spyware!?!?

#38 BobO (Full Member, 54 posts)

Posted 15 July 2004 - 03:49 PM

Hey seth17,

The fix described in this thread only seems to work in Win 98 -- but it works well.

Since you're an XP user, I would suggest that you start a new thread with a HJT log. I also recommend that you try out RubbeR DuckY's excellent About:Buster.

See here for more information about it.

Good luck!

BobO

#39 JMNL (New Member, 4 posts)

Posted 16 July 2004 - 11:12 PM

OMFG! This works! MODS .. sticky this. I did it 2 days ago and have been clean since. Thank you!!!!!!!!!!!!!

#40 roukun (Full Member, 5 posts)

Posted 19 July 2004 - 11:31 AM

Hi,
Sorry for my English, if you want to help a French guy...
You seem to have a good knowledge of this problem. One of my users is infected by this spyware under Windows 98. When I launch Internet Explorer, the computer launches an "about:blank" page on a search website and pops up an anti-spyware ad.
I found the file named c:\windows\system\reshbdl.dll with the same size, but I deleted it in DOS mode; after that I did get the Windows error message, but Adaware found nothing (probably because I deleted the file instead of renaming it),
so my problem isn't resolved when I run Internet Explorer.
And the command line in msinfo32 is not present any more now.
Any ideas?
Thanks for your help

#41 BobO (Full Member, 54 posts)

Posted 19 July 2004 - 06:15 PM

I found the file named c:\windows\system\reshbdl.dll with the same size, but I deleted it in DOS mode; after that I did get the Windows error message, but Adaware found nothing (probably because I deleted the file instead of renaming it),
so my problem isn't resolved when I run Internet Explorer.
And the command line in msinfo32 is not present any more now.
Any ideas?
Thanks for your help

roukun,

It appears that you did everything right. You identified and deleted the offending .dll file. Adaware did not find anything else (did you scan in Safe Mode? Did you make sure to scan the C:\Windows folder and subfolders?).

Did you also run CWShredder? Did you also run Spybot? If you did, and they did not find anything either, you can now set the home page of Internet Explorer to anything you like (but note that YOU have to change it; it will stay set to about:blank until you do.)

The good news is that the spyware will not change it back to about:blank again!

Best,
BobO

#42 fleuve (New Member, 1 post)

Posted 19 July 2004 - 10:41 PM

Thanks, Bobo! May I call you Bobo the Great? Had this about:blank for almost a month, tried almost everything, including About:Buster. Your thread wasn't easy to find. I don't know why no one told me to do what you suggest, even though I posted my HijackThis log and it showed that I use Win 98. Your solution, quite simple, should be posted on other forums. Thanks again! :D :D :D :D :D

#43 BobO (Full Member, 54 posts)

Posted 20 July 2004 - 09:35 AM

fleuve,

Thank you for your kind words. Personally, I would like to see this solution pinned in this forum, because it works very well for Windows 98 users. But until it is, I will continue to bump it occasionally to keep it in front of visitors.

Glad it worked for you!

BobO

#44 roukun (Full Member, 5 posts)

Posted 20 July 2004 - 11:21 AM

Thanks to BobO,
The problem is almost solved. Very hard to remove: after removing the DLL file, the spyware still changed my web start page!!!
So I executed CWShredder; it found some CWS and entered the registry, but it doesn't delete the spyware again!!!
So I updated IE 5.5 to version 6, executed CWShredder and Spybot and CWShredder again, and fine, the blank page does not appear any more. Phew, thank God, Bob0, the spyware and popups are killed.
But (sorry, there is always a "but") there remains a problem: when I launch and close Internet Explorer, my computer slows down and I am forced to reboot!!
Strange, there is always something, but Spybot, Adaware and CWShredder found nothing in Safe Mode.
Other ideas?
Cheers

#45 BobO (Full Member, 54 posts)

Posted 20 July 2004 - 03:27 PM

Hi roukun,

You mentioned that your computer slows down and/or crashes when you try to shut down Internet Explorer. You may want to re-install IE 6, making sure you have the latest security updates. And if after that the start page is still being changed, then it appears that there is still a hidden .dll file that has to be removed.

I would suggest that you:

1. Make sure you have the latest Windows security updates for IE installed

2. Look to see (using msinfo32>Software Environment>System Hooks from my original method at the start of this thread) whether there is a mysterious dll file still installed in your system

3. If you're still having problems, try rebooting in Command Line Safe Mode, navigate to your C:\windows\system folder in DOS (type cd \windows\system at the prompt), and then type dir *.dll | more (the | character is the "pipe" character, above the backslash key on the right). You will get page after page of .dll files which are in your system folder, displayed one page at a time. Make a note of those .dll files that are 57,344 bytes in size (there will be a number of them -- and some of them are supposed to be there!). But if any of them are dated within the last two months, and have a nonsense name, rename them with a different extension (DO NOT DELETE THEM) and then scan them with Adaware in Windows Safe Mode. I think that's how you'll find your culprit.

Important ==> do not delete files yourself. Rename them instead, and then scan them with Adaware. If they are not spyware, you can rename them back and no harm is done.

Bon chance! :)

BobO

Edited by BobO, 20 July 2004 - 03:34 PM.
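The dir *.dll triage BobO describes here and in post #14 (exact size 57,344 bytes, a date within the last couple of months, an odd name, rename rather than delete, then scan) as an added example that is not code from the thread. The listing it parses is constructed in the shape of the one invis_tres posted; the date window, the 1980 two-digit-year pivot, the .bob extension and the allow-list are this example's assumptions.

```python
"""Triage a Windows 98 `dir` listing for CoolWebSearch candidate DLLs.

Added example, not code from the thread. It automates the manual check from
posts #14 and #45: in C:\\WINDOWS\\SYSTEM run `dir *.dll | more`, note every
DLL of exactly 57,344 bytes, and treat those modified within the last couple
of months as suspects to RENAME (never delete) and then scan with Ad-Aware in
Safe Mode. The result is a candidate list for that rename-and-scan step, not
a verdict: the thread reports at least one same-size, same-month DLL that
Ad-Aware did not flag, so an allow-list lets you drop files already checked.
"""
import re
from datetime import date

# One file line of Win9x `dir` output:
#   8.3 name, extension (may be blank), size or <DIR>, MM-DD-YY, h:mma, long name
DIR_LINE = re.compile(
    r"^(\S+)\s+(?:(\S{1,3})\s+)?([\d,]+|<DIR>)\s+"
    r"(\d\d)-(\d\d)-(\d\d)\s+\d{1,2}:\d\d[ap]\s+(.+?)\s*$"
)

# Constructed listing in the shape of the one posted in the thread; every size
# and date except hlpdeg.dll's is made up for the example.
SAMPLE_LISTING = """\
 Volume in drive C has no label
 Volume Serial Number is 1663-1805
 Directory of C:\\WINDOWS\\SYSTEM

HLPDEG   DLL        57,344  06-20-04  2:40a hlpdeg.dll
KERNEL32 DLL       471,040  04-23-99 10:22p KERNEL32.DLL
ICMFILTE DLL        57,344  06-15-04  9:10p ICMfilter.dll
MSDXM    OCX       845,072  04-23-99 10:22p MSDXM.OCX
OLDSTUFF DLL        57,344  03-02-99  4:00p oldstuff.dll
        5 file(s)      1,487,872 bytes
        0 dir(s)  1,125,449,728 bytes free
"""


def parse_dir(listing):
    """Return (long_name, size_bytes, modified) for each file line.
    Volume/directory headers, the totals footer and <DIR> rows are skipped."""
    entries = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        size = int(m.group(3).replace(",", ""))
        mm, dd, yy = (int(x) for x in m.group(4, 5, 6))
        # Win9x prints two-digit years; the 1980 pivot is this example's assumption.
        year = 1900 + yy if yy >= 80 else 2000 + yy
        entries.append((m.group(7), size, date(year, mm, dd)))
    return entries


def triage(listing, size=57344, window=(date(2004, 5, 1), date(2004, 6, 30)),
           suffix=".dll", known_good=frozenset()):
    """Suspects, newest first: right suffix and exact size, modified inside the
    window, and not on the caller's allow-list of files already confirmed clean."""
    suspects = []
    for name, fsize, modified in parse_dir(listing):
        if not name.lower().endswith(suffix) or fsize != size:
            continue
        if not (window[0] <= modified <= window[1]) or name.lower() in known_good:
            continue
        suspects.append((name, fsize, modified))
    return sorted(suspects, key=lambda e: e[2], reverse=True)


def rename_plan(suspects, new_ext="bob"):
    """The DOS commands the thread uses to neutralise a suspect: change its extension
    so nothing loads it on the next boot, scan the renamed file, rename back if clean."""
    return ["ren %s %s.%s" % (n, n.rsplit(".", 1)[0], new_ext) for n, _, _ in suspects]


if __name__ == "__main__":
    for name, fsize, modified in triage(SAMPLE_LISTING):
        print("%-16s %6d bytes  %s" % (name, fsize, modified.isoformat()))
    print("\n".join(rename_plan(triage(SAMPLE_LISTING))))
```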


#46 Sapphire (Full Member, 8 posts)

Posted 22 July 2004 - 04:57 AM

HELP!!

My pc won't let me see system hooks!!!!

#47 roukun (Full Member, 5 posts)

Posted 22 July 2004 - 10:41 AM

Bonjour,
Here is the follow-up after your advice:
1) I checked that the latest Windows security updates for IE are installed - all is OK
2) There is nothing else in msinfo32>Software Environment>System Hooks since I deleted the first dll file
3) Effectively I found one dll named ICMfilter.dll (57344, 06/2004), so I renamed it and searched with Adaware without success...

My PC still slows down when I launch/exit IE 6,
but now there is no popup and no spyware; there are just 5 sites added to my favorites (like viagra, search...) when I launch IE, so there is still something not found by Adaware, Spybot dll search and CWShredder.
Another idea?
Thanks very much BoB0 for all your great information.

#48 roukun (Full Member, 5 posts)

Posted 22 July 2004 - 10:45 AM

Sapphire,

It's because you don't use Windows 98.
Which system do you use?

#49 BobO (Full Member, 54 posts)

Posted 22 July 2004 - 10:49 AM

Hi roukun,

I'm not sure what is causing your PC slowdown, and why the favorites are being returned to your favorites menu. Perhaps there are one or more BHO's that need to be edited/removed.

At this point, my best advice is to start a new thread and post a Hijack This log. Sorry that I have no better suggestions.

BobO

#50 lilbuddha (New Member, 1 post)

Posted 26 July 2004 - 09:33 PM

OK, I just wanted to give everyone a heads up, but I might be wrong. Recently I too contracted that craptacular about:blank stuff. I listened to Bob0 and tried all that good stuff. I still couldn't find the reproducing file. Nothing ever showed up in my hooks, and all the files that I renamed turned up nothing.
What I did do is run CWShredder when all of my files were unhidden, an updated version compared to the one that would have been used when this thread was created. I am now almost 24 hrs without seeing anything. I have rebooted my computer 10+ times and nothing. Adaware, HijackThis, and some unknown product were also run on my comp when I was cleaning it.
I hope I am not misleading people, but I think the updates have done the trick.

your friendly neighbor
buddha



