Two Goddamn Bloody .dll Files

The Soup Nazi

Dearly Beloved,

My first time posting here. Here's the thing: in my PC (which uses
Windows 98), Internet Explorer has a bad case of hijackin' fever. After
running Norton in safe mode, there are two files the anti-virus cannot
remove:

dydmo.dll
wuadmoe.dll

_________________________________________

Likewise, Spybot Search & Destroy is unable to delete these files:


Common hijacker
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Loadbat
Redirected host
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Msconfd
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Oslogo
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Tapicfg
auto.search.msn.com=69.20.16.183

CoolWWWSearch.Xmlmimefilter
auto.search.msn.com=69.20.16.183

_________________________________________

What does HijackThis! have to say about it, you wonder? Here's the log:


Logfile of HijackThis v1.98.2
Scan saved at 08:38:52 p.m., on 27-01-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\NMAIN.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON SYSTEMWORKS\NAVW32.EXE
C:\BADASS FILES\PROGRAMAS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\llupj.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://eartharcade.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Vínculos
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Archivos de programa\Norton SystemWorks\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink
Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [mouseElf] C:\ARCHIV~1\GENIUS~1\MOUSEELF.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Archivos de
programa\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de
programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Archivos de
programa\Archivos comunes\Symantec Shared\SymTray.exe "Norton
SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de
programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe"
-reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [a9sERWZmU] IMMML3A.EXE
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft
Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de
programa\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk =
C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} -
c:\pillamusica-over\entrar.html (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\ARCHIV~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX
Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/msnmessengersetupdownloader.cab

_________________________________________

I recently deleted another vicious .dll file called aklsp.dll, using
LSP-Fix. I have no idea if this is relevant, but now the "Keep" window
of LSP-Fix shows the following:

rnr20.dll
DNS Name Space Provider

mswsosp.dll
(Protocol Handler)

msafd.dll
(Protocol Handler)

rsvpsp.dll
(Protocol Handler)

_________________________________________

And, just in case this info may help, here are the active items shown
at msconfig - start (some stuff is in Spanish, but I don't think that's
gonna be a problem):

a9sERWZmU
IMMML3A.EXE

SystemTray
SysTray.Exe

LoadPowerProfile
Rundll32.exe powrprof,LoadCurrentPwrScheme

CountrySelection
pctptt.exe

LoadQM
loadqm.exe

ccApp
"C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"

Ink Monitor
C:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe

mouseElf
C:\ARCHIV~1\GENIUS~1\NOUSEELF.EXE

a-winpoet-service
C:\Archivos de programa\WinPoET\WinPPPoverEthernet.exe

LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

SchedulingAgent
mstask.exe

SAgent2ExePath
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe

SysmTray - Norton SystemWorks
C:\Archivos de programa\Archivos comunes\Symantec Shared\SymTray.exe
"Norton SystemWorks"

ScriptBlocking
"C:\Archivos de programa\Archivos comunes\Symantec Shared\Script
Blocking\SBServ.exe" -reg

ccSetMgr
"C:\Archivos de programa\Archivos comunes\Symantec
Shared\ccSetMgr.exe"

ccEvtMgr
"C:\Archivos de programa\Archivos comunes\Symantec
Shared\ccEvtMgr.exe"

Inicio de Office
C:\ARCHIV~1\MICROS~1\OFFICE\OSA.EXE

Búsqueda rápida de Microsoft
C:\ARCHIV~1\MICROS~1\OFFICE\FINDFAST.EXE

EPSON Status Monitor 3 Environment Check
C:\WINDOWS\SYSTEM\E_SRCV03.EXE

load=
ptsnoop.exe

run=
C:\WINDOWS\SYSTEM\cmmpu.exe

_________________________________________
Thanks A MILLION for any help you can post!

Cheers,
-The Soup Nazi
 
David H. Lipman

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode and shutdown as many applications as possible
3) Using your NAV software, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 200 ~ 400MB)
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html







 
The Soup Nazi

2) Reboot your PC into Safe Mode and shutdown as many applications
as possible
3) Using your NAV software, perform a Full Scan of your platform and
clean/delete any infectors found <<

Thanks for the reply, Dave. Now, here's the thing: I rebooted the PC
into safe mode and the only application left to shutdown was Rundll32,
which resurrected a couple of seconds after I shut it down. The vicious
wuadmoe.dll file (located in C:\WINDOWS\SYSTEM\, by the way) still
cannot be deleted.

Before I do something I might regret, here's what I was thinking: what
if I run msconfig - start and "untick"

LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

and then try to manually delete this wuadmoe.dll clown? Or is this a
stupid idea and by unticking those boxes the PC won't even start? Or
what?

Thanks again!
-Soup
 
David H. Lipman

No. The following is normal.

| LoadPowerProfile
| Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Read the following URL and scan again...

http://support.microsoft.com/kb/310353

http://www.claymania.com/removal-trojan-adware.html

--
Dave




| >> 2) Reboot your PC into Safe Mode and shutdown as many applications
| as possible
| 3) Using your NAV software, perform a Full Scan of your platform and
| clean/delete any infectors found <<
|
| Thanks for the reply, Dave. Now, here's the thing: I rebooted the PC
| into safe mode and the only application left to shutdown was Rundll32,
| which resurrected a couple of seconds after I shut it down. The vicious
| wuadmoe.dll file (located in C:\WINDOWS\SYSTEM\, by the way) still
| cannot be deleted.
|
| Before I do something I might regret, here's what I was thinking: what
| if I run msconfig - start and "untick"
|
| LoadPowerProfile
| Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
|
| LoadPowerProfile
| Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
|
| and then try to manually delete this wuadmoe.dll clown? Or is this a
| stupid idea and by unticking those boxes the PC won't even start? Or
| what?
|
| Thanks again!
| -Soup
|
 
The Soup Nazi

No. The following is normal.

| LoadPowerProfile
| Rundll32.exe powrprof.dll,LoadCurrentPwrScheme <<


I understand it's normal - I just thought (from my utterly ignorant
point of view, mind you) that by unticking it the wuadmoe.dll file
wouldn't be, um, activated after the next reboot into safe mode. Is
that an option?

Anyway, I downloaded the recommended software and have used it (and
Norton) three more times, but wuadmoe.dll is still alive and kicking.
DANG!

A non-virus-related question: I uninstalled Mozilla Firefox but when I
click on links in, say, Outlook Express, I get a message asking for
Firefox again. How can I make IE my default browser again?
Thanks again!
 
David H. Lipman

start --> settings --> control panel --> internet options --> programs
check the box for - "Internet explorer should check..."

--
Dave




| >> No. The following is normal.
|
| | LoadPowerProfile
| | Rundll32.exe powrprof.dll,LoadCurrentPwrScheme <<
|
|
| I understand it's normal - I just thought (from my utterly ignorant
| point of view, mind you) that by unticking it the wuadmoe.dll file
| wouldn't be, um, activated after the next reboot into safe mode. Is
| that an option?
|
| Anyway, I downloaded the recommended software and have used it (and
| Norton) three more times, but wuadmoe.dll is still alive and kicking.
| DANG!
|
| A non-virus-related question: I uninstalled Mozilla Firefox but when I
| click on links in, say, Outlook Express, I get a message asking for
| Firefox again. How can I make IE my default browser again?
| Thanks again!
|
 
Beauregard T. Shagnasty

The Soup Nazi said:
A non-virus-related question: I uninstalled Mozilla Firefox but
when I click on links in, say, Outlook Express, I get a message
asking for Firefox again. How can I make IE my default browser
again? Thanks again!

Mind telling us why you uninstalled Firefox?

It is a far more secure browser than IE...
 
The Soup Nazi

Mind telling us why you uninstalled Firefox?
It is a far more secure browser than IE... <<

My PC has a very slow processor and Firefox -at least in this machine-
runs slower than IE. I would've stayed with Firefox anyway, but this
virus crap opens IE even when I'm not using it, so what's the point.
I CANNOT KILL WUADMOE.DLL. I THINK I'M GONNA LOSE IT.
 
The Soup Nazi

All right, here's the latest HijackThis log in normal mode. ANY info on
what to delete will be greatly appreciated. Thanks a lot.


Logfile of HijackThis v1.98.2
Scan saved at 06:10:23 p.m., on 29-01-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\SYMTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCSETMGR.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\ARCHIVOS DE PROGRAMA\EPSON\INK MONITOR\INKMONITOR.EXE
C:\ARCHIVOS DE PROGRAMA\GENIUS NETSCROLL + SERIES MOUSE\MOUSEELF.EXE
C:\ARCHIVOS DE PROGRAMA\WINPOET\WINPPPOVERETHERNET.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\BADASS FILES\PROGRAMAS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\llupj.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://eartharcade.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Vínculos
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Archivos de programa\Norton SystemWorks\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink
Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [mouseElf] C:\ARCHIV~1\GENIUS~1\MOUSEELF.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Archivos de
programa\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de
programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Archivos de
programa\Archivos comunes\Symantec Shared\SymTray.exe "Norton
SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de
programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe"
-reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [a9sERWZmU] IMMML3A.EXE
O4 - Startup: Inicio de Office.lnk = C:\Archivos de programa\Microsoft
Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = C:\Archivos de
programa\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk =
C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} -
c:\pillamusica-over\entrar.html (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\ARCHIV~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX
Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/msnmessengersetupdownloader.cab
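
Added example, not part of the thread and not HijackThis code: a triage script for a log like the one above. It rejoins the lines the news client wrapped, then lists the Hosts redirections, win.ini autostarts, `res://` IE pages and registry Run entries for manual review; `unwrap` and `triage` are names made up here, and the sample is copied from the posted log.

```python
import ipaddress
import re

# Constructed sample: entries copied from the log posted above, keeping the
# hard line wraps the news client introduced.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\llupj.dll/sp.html#37680
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos
comunes\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [a9sERWZmU] IMMML3A.EXE
"""

# A new entry starts with a section code such as "R1 - ", "F1 - " or "O4 - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
INI = re.compile(r"^(win|system)\.ini:\s*(\w+)=(.+)$", re.IGNORECASE)
RES = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


def unwrap(log_text):
    """Rejoin entries that were hard-wrapped onto several lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            # No section code, so this line continues the previous entry.
            entries[-1][1] += " " + line
    return [tuple(entry) for entry in entries]


def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Group entries a reviewer should check by hand; flags are not verdicts."""
    report = {"hosts": {}, "ini_autostart": [], "res_pages": [], "autoruns": []}
    for code, body in unwrap(log_text):
        if code == "O1":
            m = HOSTS.match(body)
            # A Hosts line mapping a name to a non-loopback address
            # overrides DNS for that name; repeats are collapsed.
            if m and not is_loopback(m.group(1)):
                report["hosts"].setdefault(m.group(2), m.group(1))
        elif code == "F1":
            m = INI.match(body)
            if m:
                report["ini_autostart"].append(
                    (m.group(1).lower() + ".ini", m.group(2), m.group(3)))
        elif code in ("R0", "R1"):
            m = RES.search(body)
            if m:
                # IE setting that loads its page out of a local DLL resource.
                report["res_pages"].append((body.split(" = ", 1)[0], m.group(1)))
        elif code == "O4":
            m = RUN.match(body)  # registry Run/RunServices keys only
            if m:
                report["autoruns"].append(m.groups())
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```
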
 
Will James

The Soup Nazi said:
It is a far more secure browser than IE... <<

My PC has a very slow processor and Firefox -at least in this machine-
runs slower than IE. I would've stayed with Firefox anyway, but this
virus crap opens IE even when I'm not using it, so what's the point.
I CANNOT KILL WUADMOE.DLL. I THINK I'M GONNA LOSE IT.

I also found Firefox slightly slow- try the Mozilla suite from the same
people as Firefox..I find it works faster + you can configure it to load in
memory under advanced preferences (like IE does) so it loads fast when you
click it.

Will
 
Will James

The Soup Nazi said:
| LoadPowerProfile
| Rundll32.exe powrprof.dll,LoadCurrentPwrScheme <<


I understand it's normal - I just thought (from my utterly ignorant
point of view, mind you) that by unticking it the wuadmoe.dll file
wouldn't be, um, activated after the next reboot into safe mode. Is
that an option?

Anyway, I downloaded the recommended software and have used it (and
Norton) three more times, but wuadmoe.dll is still alive and kicking.
DANG!

A non-virus-related question: I uninstalled Mozilla Firefox but when I
click on links in, say, Outlook Express, I get a message asking for
Firefox again. How can I make IE my default browser again?
Thanks again!

Looks like you have CoolWWW search and About Blank infections. Did you try CW
shredder http://www.intermute.com/spysubtract/cwshredder_download.html

and About Buster http://www.majorgeeks.com/download4289.html

it might be worth posting your Hijackthis log and the Spybot results (that
mentioned CoolWWW search) here on the Hijackthis forum here 1st:
http://castlecops.com/forums.html

Will
 
The Soup Nazi

Thanks David and Will... You know, it seems like the problem is always
the same: wuadmoe.dll cannot be deleted because it's being used by
Windows, whether the PC is in normal or safe mode. I can't deal with
this bastard. If it won't go, I'm gonna smash the hard drive with a
hammer! I'll do it!

Now, I think I'm having a problem with AdAware - it finds about 50
pieces of crap, but it freezes once the "Deleting Selection" message
appears. Well, it doesn't freeze *completely*; I can still view, say,
the Help info and all, but the "Deleting Selection" box just stays
there forever. What the hell is up with that?

Always grateful,
-Soup
 
me

I also found Firefox slightly slow- try the Mozilla suite
from the same people as Firefox..I find it works faster +
you can configure it to load in memory under advanced
preferences (like IE does) so it loads fast when you click
it.

Will

FF now has a preloader as well. I don't know how much it
helps (I did not try it).

J
 
Beauregard T. Shagnasty

The Soup Nazi said:
Now, I think I'm having a problem with AdAware - it finds about 50
pieces of crap,

Makes me wonder what you're doing wrong... I run AdAware every so
often, and it never finds anything.

Unless these (didn't we go over this?) pieces of crap are MRU lists.
Most Recently Used files of various programs, which of course are
absolutely harmless and should be ignored.
 
The Soup Nazi

Unless these (didn't we go over this?) pieces of crap are MRU
lists. Most Recently Used files of various programs, which of course
are absolutely harmless and should be ignored. <<

Of the 50 pieces of crap found by AdAware, only THREE are MRU lists.
The rest seem to be pure evil, including (you guessed) the degenerate
wuadmoe.dll.

The software that finds nothing is CWShredder. "CoolWebSearch is not
present in this computer"... yeah, right.
 
Will James

lists. Most Recently Used files of various programs, which of course
are absolutely harmless and should be ignored. <<

Of the 50 pieces of crap found by AdAware, only THREE are MRU lists.
The rest seem to be pure evil, including (you guessed) the degenerate
wuadmoe.dll.

The software that finds nothing is CWShredder. "CoolWebSearch is not
present in this computer"... yeah, right.

did you try it in safe mode with the latest version?? Did you try About
Buster? When you finish the Adaware scan do you tick everything then click
next that should delete them....??

Will
 
The Soup Nazi

did you try it in safe mode with the latest version?? <<

Yes.
next that should delete them....?? <<

Yes.

It's not your fault. I'm a heartbeat away from giving up and handing
the PC to an expert - that's all that's left, I guess.
 
Gabriele Neukam

On that special day, The Soup Nazi, ([email protected])
said...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\llupj.dll/sp.html#37680

I don't like this one. What is it (properties)?

And if you want to give your computer some better performance, please
disable the OSA.EXE (Microsoft Office indexer). Only large companies
really use this, or do you create several dozens of office documents?


Gabriele Neukam

(e-mail address removed)
 
The Soup Nazi

ALL RIGHT, thank you very much to everyone who replied; none of the
suggestions I received helped me kill the virus, but of course I
appreciate all of them. Nevertheless, there IS light at the end of the
tunnel: after giving up and thinking well, I guess I'll have to live
with this troll for the rest of this machine's life, I began looking
for software that could prevent further disgusting crap. First I
downloaded SpyBlaster, suggested by SpyBot - Search & Destroy. And
then, browsing stuff at download.com, I came across this beauty called
ZoneAlert, which -for lack of a better explanation- locks the bastard
in by making it impossible for it to access the web. Each time a
program needs internet access, ZoneAlert shows you this neat warning
that asks you to decide whether you give it the green light or not, and
you can save your preferences so the next time that program runs, ZA
already knows what to do. So far the ZA performance has been mighty
bitchin' and I'm pretty damn happy with it.

programs
check the box for - "Internet explorer should check..." <<

This didn't do the trick - unless I'm in IE, when I click on a link I
still get a message asking for the Firefox file. Any thoughts?
Thanks again!
 
The Soup Nazi

Zone alert or Zone alarm? The latter is legitimate, the former I
can't seem to find on the web, but it sounds like a knock-off. <<
ZONE ALARM, Zone Alarm, sorry...
 
