caperjack 875 I hate 20 Questions Team Colleague

To delete CAGWIZ.DLL, you could use a Win98 boot disk and at the DOS prompt type:
DEL c:\windows\CAGWIZ.DLL or whatever the full path to the DLL file is. It could be something like c:\windows\system\ or system32\CAGWIZ.DLL

caperjack 875 I hate 20 Questions Team Colleague

I'm sure Spybot and Ad-aware would remove most if not all of those files, wouldn't it?

caperjack 875 I hate 20 Questions Team Colleague

I have a .dat file which is actually an mp3. It plays with all my audio players (Winamp Pro 5.1, Windows Media 9.0, etc.), but I want to convert it to an mp3 so I can compile it to a disc. By renaming "Klubbheads - Let the party begin" to "Klubbheads - Let the party begin.mp3" it still recognises it as a .dat file, and doesn't auto change the recognition to Winamp! Right click -> Properties says that it is still a .dat file. How can I convert it to a "real" mp3?

Thanks in advance!

OK, you say you changed Klubbheads - Let the party begin to Klubbheads - Let the party begin.mp3 and nothing happens. The original before you changed it reads Klubbheads - Let the party begin.DAT, correct? So all you are changing is the .dat to .mp3, correct?

caperjack 875 I hate 20 Questions Team Colleague

A format is the quickest way sometimes, and will leave you fresh and clean!!

caperjack 875 I hate 20 Questions Team Colleague

Can you connect with IE?

caperjack 875 I hate 20 Questions Team Colleague

Is it the only mp3 file that you have that is showing as a .dat?

caperjack 875 I hate 20 Questions Team Colleague

System Restore only restores Windows system files anyway, not files you created like documents and stuff.

caperjack 875 I hate 20 Questions Team Colleague

Please run the free online virus scan in my signature; make sure to check auto fix before you run the scan.
Also download and run the TrojanHunter demo in my signature.
Then post a new log.

caperjack 875 I hate 20 Questions Team Colleague

And this program.

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix Button". Let it fix all variants. Next, close the program and all windows and IE windows, run HijackThis and post a fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

Reboot computer and post a new log.

caperjack 875 I hate 20 Questions Team Colleague

Just save the hijack log and copy and paste it here.

caperjack 875 I hate 20 Questions Team Colleague

Not a full full, post full log!

caperjack 875 I hate 20 Questions Team Colleague

I think we need to ascertain if that old PC has an IDE or a Panasonic CD-ROM in there! If it's a Panasonic drive, hooked up to an old soundcard, then some preparation needs to occur before the Windows setup can proceed. ;)

AH! You're spoiling all the fun!! :)

caperjack 875 I hate 20 Questions Team Colleague

Right click on the desktop / Properties / Desktop / Customize Desktop / desktop icons, IE on the desktop

caperjack 875 I hate 20 Questions Team Colleague

.................................. :o

Try the TrojanHunter in my signature, it's a full working demo. Recommended by the pros at SWI forum.

caperjack 875 I hate 20 Questions Team Colleague

I look over my shoulder doing banking at the BANK, I couldn't imagine doing online banking.
As for missing IE icons, what version of Windows are you using?

caperjack 875 I hate 20 Questions Team Colleague

Uninstall ME! :) Just kidding. Really though, format and reload Windows, starting fresh will always help speed up a computer.

caperjack 875 I hate 20 Questions Team Colleague

With the Win98 boot disk, boot the computer. At the prompt type Format c:\,
after the format, with the Win98 CD in the CD-ROM drive, type SETUP and follow the on-screen instructions, and get ready to do some searching for drivers, unless they supplied them with the computer. There is a way to install 98 over 95 keeping all files now on the computer intact; if you wish to do this let me know and I will help you do it that way.

caperjack 875 I hate 20 Questions Team Colleague

Go here and download the XP boot disks

http://www.bootdisk.com/bootdisk.htm

caperjack 875 I hate 20 Questions Team Colleague

............................................ :o

caperjack 875 I hate 20 Questions Team Colleague

You really should have your log looked at, as not all are the same.

caperjack 875 I hate 20 Questions Team Colleague

The two links in my signature are for free online scans; you must run the scan while online.

caperjack 875 I hate 20 Questions Team Colleague

You shouldn't be doing anything else when running scans on your computer.

caperjack 875 I hate 20 Questions Team Colleague

........................... :mrgreen:
Sometimes CWShredder needs to be run in safe mode; I think this is one of those times.

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix Button". Let it fix all variants. Next, close the program and all windows and IE windows, run HijackThis and post a fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

Reboot computer and post a new log.

caperjack 875 I hate 20 Questions Team Colleague

Have you tried booting [hold down the F8 key on bootup, choose safe mode and hit Enter] into safe mode, and doing a Spybot restore or a system restore?

caperjack 875 I hate 20 Questions Team Colleague

To get to safe mode:
To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Did you miss fixing this one and uninstalling it? If so, follow the fix/delete directions again!

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

Fix these 2 also
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - Global Startup: Search.vbs


O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab

O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://dload.ipbill.com/del/loader.cab
-Coulomb Dialer Variant

O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe


Now reboot into safe mode and delete the following files and folders if found.

C:\Program Files\ClearSearch ... delete folder


C:\WINDOWS\System32\automove.exe ...delete file

O4 - Global Startup: Search.vbs ..delete file


to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

Reboot computer and post a new log. You can just copy and paste the log here, makes reading it easier than scrolling around the code!! Thanks

caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

caperjack 875 I hate 20 Questions Team Colleague

Sorry you got lost!

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKLM\..\Run: [gbypmdip] C:\WINDOWS\gbypmdip.exe

O4 - HKLM\..\Run: [jybsj] C:\WINDOWS\jybsj.exe

O4 - Startup: PowerReg Scheduler.exe


Do you intentionally have this running at startup? If not, fix it.
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

Now reboot into safe mode and delete the following files and folders if found.

C:\WINDOWS\gbypmdip.exe ...delete file

C:\WINDOWS\jybsj.exe ...delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

The Overview of this tutorial should answer your ?'s.
http://www.spywareinfo.com/~merijn/htlogtutorial.html

caperjack 875 I hate 20 Questions Team Colleague

Post your HJThis log here.

caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


F0 - system.ini: Shell=Explorer.exe D:\WINDOWS\services.exe

F1 - win.ini: load=D:\WINDOWS\services.exe

F1 - win.ini: run=D:\WINDOWS\services.exe

Reboot and run hijack and post new log.

caperjack 875 I hate 20 Questions Team Colleague

The O4's in the hijack log are all of what would be in Msconfig / Startup and it's not there!!

caperjack 875 I hate 20 Questions Team Colleague

This is a resource hog and not needed at startup, and suggested fix:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop

Unless you used a program called Spy-Bot to set this, fix it.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This is a weird looking extra button [extra button on the IE toolbar]. Fix it unless you know what button it is and want to keep it.

O9 - Extra button: 3721ÖÎÄÓÊ (HKLM)

Reboot and …
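
An added example, not part of the original posts and not HijackThis's own code: a small Python triage of HijackThis-style log lines like the ones listed above. It groups entries by section code, lists entries reported as "(no file)", and collects hosts-file (O1) redirections per target IP; the function names are hypothetical and the sample lines are copied from this page.

```python
import re
from collections import defaultdict

# HijackThis section codes that appear on this page and what each one lists.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "F0": "system.ini autostart",
    "F1": "win.ini autostart", "F2": "ini autostart mapped in the registry",
    "O1": "hosts file redirection", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart (Run key or Startup folder)",
    "O6": "IE options restricted by policy", "O9": "extra IE button",
    "O16": "ActiveX object (Downloaded Program Files)",
}
ENTRY_RE = re.compile(r"^\s*([RFO]\d{1,2})\s+-\s+(.*\S)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0"}  # loopback/null targets, as block lists use

# Constructed sample: entry lines copied from the posts on this page,
# plus one line of ordinary prose that the parser must skip.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - Global Startup: Search.vbs
Reboot computer and post a new log
"""

def parse_log(text):
    """Return (code, body) pairs for lines that are HijackThis entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in SECTIONS:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Group entries by section; list orphaned entries and hosts redirects."""
    by_section, redirects, orphans = defaultdict(list), defaultdict(list), []
    for code, body in parse_log(text):
        by_section[code].append(body)
        if body.endswith("(no file)"):  # registry entry whose file is gone
            orphans.append((code, body))
        hosts = HOSTS_RE.match(body) if code == "O1" else None
        if hosts and hosts.group(1) not in LOCAL_IPS:
            redirects[hosts.group(1)].append(hosts.group(2))
    return dict(by_section), orphans, dict(redirects)

if __name__ == "__main__":
    sections, orphans, redirects = triage(SAMPLE_LOG)
    for code in sorted(sections):
        print(f"{code:>3} ({SECTIONS[code]}): {len(sections[code])} entries")
    for ip, names in redirects.items():
        print(f"hosts file sends {len(names)} names to {ip}: {', '.join(names)}")
    for code, body in orphans:
        print(f"orphaned {code} entry: {body}")
```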

caperjack 875 I hate 20 Questions Team Colleague

YZK, do you have any instructions or comments to go with your post?

caperjack 875 I hate 20 Questions Team Colleague

Just type eventvwr.msc into Start/Run, Event Viewer will open.

caperjack 875 I hate 20 Questions Team Colleague

Popup blockers are great but sometimes you also need to remove the programs, or bad DLLs, that are generating the popups. Check out our Security Forum.

caperjack 875 I hate 20 Questions Team Colleague

Log looks clean / OK.

Check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html

caperjack 875 I hate 20 Questions Team Colleague

You Have A Variant of the CoolWebSearch Trojan.

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix Button". Let it fix all variants. Next, close the program and all windows and IE windows, run HijackThis and post a fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

Then these 2 programs:
Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Set up Ad-Aware.
After installing AAW, and before running the program, update reference files by using the bottom right button in the program, labeled "Check for Updates."

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed

Download …

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [SNP32M] C:\WINDOWS\SYSTEM\SNP32M.exe

A couple of resource hogs, not needed at startup. Fix them.

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

This is not needed at startup:
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


Now reboot into safe mode and delete the following files and folders if found.

C:\WINDOWS\SYSTEM\SNP32M.exe ...delete file


to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

ajelliott commented: Thank you for your support! +4
caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {6F93ED36-40DD-3100-BF68-64BD39DBA372} - (no file)

O3 - Toolbar: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - (no file)

Uninstall this from Control Panel, Add and Remove Programs, also.
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O4 - HKLM\..\Run: [cpejrmarnzrs] C:\WINDOWS\System32\fzvaeqkg.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1012.dll,InstantAccess

O4 - Global Startup: Search.vbs

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0666257...ip/RdxIE601.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binari..._1012_EN_XP.cab

Now reboot into safe mode and delete the following files and folders if found.

C:\Program Files\Orbit\ ...delete folder


C:\WINDOWS\System32\fzvaeqkg.exe ..delete file

Global Startup: Search.vbs...delete file


to delete the above files and folder you will need to …

caperjack 875 I hate 20 Questions Team Colleague

I do believe your uncle will have to create a new password for grandma.

caperjack 875 I hate 20 Questions Team Colleague

Re-download it and try again

caperjack 875 I hate 20 Questions Team Colleague

Get in touch with your ISP/email service provider.

caperjack 875 I hate 20 Questions Team Colleague

Hi. I don't know if I did this correctly but I had the bridge.dll problem too. So if you could please tell me what to do it'd be wonderful. Thank you very much. ;)

No, you didn't do it correctly. Please start your own thread: click the new Thread icon at the top of the security page and post your log there.

caperjack 875 I hate 20 Questions Team Colleague

Just for starters, in case you haven't already, a trip to Windows Updates might be needed for critical updates and SP1's. The error message I think refers to a driver conflict.
WINDOWS UPDATES

Edit: also, what operating system are you using?

caperjack 875 I hate 20 Questions Team Colleague

Try CWShredder again, make sure it's the latest version, and also run the free online virus scan in my signature.

You Have A Variant of the CoolWebSearch Trojan.

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix Button". Let it fix all variants. Next, close the program and all windows and IE windows, run HijackThis and post a fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

Reboot computer and post a new log.

caperjack 875 I hate 20 Questions Team Colleague

Am I just being dumb, or if it couldn't be found on startup, why should it be in the log?!

Because the log also consists of registry entries!

caperjack 875 I hate 20 Questions Team Colleague

I don't know enough about networking to respond, but maybe you could post your problem in the networking forum. You already posted it twice here in the Windows forum. If you lose a post just click on your name in this post and click view other post by Leg.
Networking Forum
http://www.daniweb.com/techtalkforums/forum13.html