Full Version: Infection Unknown to Me
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
duane
I would greatly appreciate your assistance. You helped me about two years ago. I have done my best to keep my computer clean from viruses and infections. However, I now have another infection/virus that is disrupting my programs and causing problems with Internet Explorer. I have run a few spyware related programs, but am still having problems. I have copied my HijackThis log below.

Thank you,
Duane

Logfile of HijackThis v1.99.1
Scan saved at 12:08:40 PM, on 5/19/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\V7.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\APPLICATION DATA\UOEH\MSCONFIG.EXE
C:\IPWINDOWS\IPWINS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NETZERO\SEARCHENH1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b98qzcnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (disabled by BHODemon)
O2 - BHO: (no name) - {5684BCD2-FC60-EF0A-E53F-06693B9233BB} - C:\WINDOWS\SYSTEM\crxilpf.dll
O2 - BHO: (no name) - {B538083B-EF8E-8601-F1D9-B2DEBDB00F93} - (no file)
O2 - BHO: (no name) - {45E0D662-3186-0803-A34C-6BE33EE9F89E} - C:\WINDOWS\SYSTEM\YQDKXO.DLL (file missing)
O2 - BHO: (no name) - {49E48689-139E-80B4-A342-05A2041FE57B} - C:\WINDOWS\SYSTEM\PLZAHKG.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {46EFDA64-66D5-5F5E-A34C-6BE33EE7FB9E} - C:\WINDOWS\SYSTEM\WDXHUE.DLL (file missing)
O2 - BHO: (no name) - {11B3DF31-3186-0A04-A34C-6BE33EE7F3CF} - C:\WINDOWS\SYSTEM\XQYZIO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WINVAW32] rundll32 WINVAW32.DLL,run
O4 - HKLM\..\Run: [{07D00216-0000-1033--popo0001}] "\{07D00216-0000-1033--popo0001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [lyiomki.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lyiomki.dll,kjmorje
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E50EE5C27069974E2C2832210359926231A8C
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ssoo] "C:\WINDOWS\Application Data\uoeh\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] \Ipwindows\ipwins.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
teacup61
Hello Duane,
QUOTE
You helped me about two years ago.
Since then 98 SE is not supported at all any more. This will be difficult at best to clean up, as there are very few tools to run on this machine to help with the cleanup. My best recommendation would be to go out and get XP or higher and reformat. With what you have I cannot promise you a smooth running computer afterwards. :( Please let me know what you wish to do.

Regards,
tea
duane
Hi Tea,

Thank you for your prompt response. :) I appreciate it. The administrators such as yourself at this site are wonderful! :thumbup: You are correct in that I should upgrade and/or invest in a new system. I am operating on an outdated system and software. However, I am on a very tight budget. If you don't mind, if you would help me clean up my computer as best as possible--even if it does not run real smooth--that would be great. Then, later this year, I hope to have enough to purchase an upgrade.

Below is a log from HijackThis that I ran in Safe Mode. The first log I posted was run in Normal Mode.

Thank-you again,
Duane

Logfile of HijackThis v1.99.1
Scan saved at 4:49:04 PM, on 5/19/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NETZERO\SEARCHENH1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b98qzcnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (disabled by BHODemon)
O2 - BHO: (no name) - {5684BCD2-FC60-EF0A-E53F-06693B9233BB} - C:\WINDOWS\SYSTEM\crxilpf.dll
O2 - BHO: (no name) - {B538083B-EF8E-8601-F1D9-B2DEBDB00F93} - (no file)
O2 - BHO: (no name) - {45E0D662-3186-0803-A34C-6BE33EE9F89E} - C:\WINDOWS\SYSTEM\YQDKXO.DLL (file missing)
O2 - BHO: (no name) - {49E48689-139E-80B4-A342-05A2041FE57B} - C:\WINDOWS\SYSTEM\PLZAHKG.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {46EFDA64-66D5-5F5E-A34C-6BE33EE7FB9E} - C:\WINDOWS\SYSTEM\WDXHUE.DLL (file missing)
O2 - BHO: (no name) - {11B3DF31-3186-0A04-A34C-6BE33EE7F3CF} - C:\WINDOWS\SYSTEM\XQYZIO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WINVAW32] rundll32 WINVAW32.DLL,run
O4 - HKLM\..\Run: [{07D00216-0000-1033--popo0001}] "\{07D00216-0000-1033--popo0001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [lyiomki.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lyiomki.dll,kjmorje
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E50EE5C27069974E2C2832210359926231A8C
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ssoo] "C:\WINDOWS\Application Data\uoeh\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] \Ipwindows\ipwins.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
teacup61
Hello,

Okay, as long as you know it won't be easy, and I can't promise I can get it all.

Look in your control panel's add/remove programs for PuritySCAN By OIN, OuterInfo, OIN, Cowabanga, SnowballWars or similar. Click on it and then click remove.

Reboot and if found, delete this folder:

C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
http://www.outerinfo.com/howto.html
Tutorial for the uninstaller if needed

Reboot when done and if found, delete this folder:

C:\Program Files\PurityScan

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {5684BCD2-FC60-EF0A-E53F-06693B9233BB} - C:\WINDOWS\SYSTEM\crxilpf.dll
O2 - BHO: (no name) - {B538083B-EF8E-8601-F1D9-B2DEBDB00F93} - (no file)
O2 - BHO: (no name) - {45E0D662-3186-0803-A34C-6BE33EE9F89E} - C:\WINDOWS\SYSTEM\YQDKXO.DLL (file missing)
O2 - BHO: (no name) - {49E48689-139E-80B4-A342-05A2041FE57B} - C:\WINDOWS\SYSTEM\PLZAHKG.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {46EFDA64-66D5-5F5E-A34C-6BE33EE7FB9E} - C:\WINDOWS\SYSTEM\WDXHUE.DLL (file missing)
O2 - BHO: (no name) - {11B3DF31-3186-0A04-A34C-6BE33EE7F3CF} - C:\WINDOWS\SYSTEM\XQYZIO.DLL
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [{07D00216-0000-1033--popo0001}] "\{07D00216-0000-1033--popo0001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [lyiomki.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lyiomki.dll,kjmorje
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E50EE5C27069974E2C2832210359926231A8C
O4 - HKCU\..\Run: [Ssoo] "C:\WINDOWS\Application Data\uoeh\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] \Ipwindows\ipwins.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folders/files (if they exist):

*Ipwindows << This folder
C:\WINDOWS\Application Data\uoeh << This folder
C:\WINDOWS\retadpu1000272.exe << This file
* smanager.7.exe << This file
C:\WINDOWS\SYSTEM\lyiomki.dll << This file
* v7 << This file
*{07D00216-0000-1033--popo0001} << This folder
C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe << This file
C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe << This file
C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe << This file
C:\WINDOWS\SYSTEM\XQYZIO.DLL << This file
C:\WINDOWS\SYSTEM\WDXHUE.DLL << This file
C:\WINDOWS\SYSTEM\OPNOPON.DLL << This file
C:\WINDOWS\SYSTEM\PLZAHKG.DLL << This file
C:\WINDOWS\SYSTEM\YQDKXO.DLL << This file
C:\WINDOWS\SYSTEM\crxilpf.dll << This file

* Locate via Start > Search

Reboot your computer.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.

Thanks,
tea
duane
Thank you Tea. I understand this may not be easy. I will follow your instructions to the best of my ability. As for your first series of recommendations, I will work on it this evening or tomorrow evening and post the results.

Thanks again,
Duane
duane
Hi Tea,

I followed your instructions and have posted a Dr. Web log and a new HiJackThis log below. Of the various files and folders I searched for manually as per the early part of your instructions, I located the file C:\WINDOWS\SYSTEM\crxilpf.dll but could not delete it because it was "in use." Also, when I attempted the final reboot my computer crashed, so I had to force a restart with the power on my tower rather than the Start command on my desktop. I noticed a few of the files that you indicated I should delete have reappeared, but many are gone. Nonetheless, here are the two logs.

Thank-you,
Duane

--------------------

Dr. Web log:

opnopon.dll;c:\windows\system;Trojan.Virtumod;Will be cured after reboot.;
v7.exe;c:\windows\system;Trojan.Click.2172;Deleted.;
homereg111.reg;C:\WINDOWS;Trojan.StartPage.1505;Deleted.;
irmzxe.dat;C:\WINDOWS;Trojan.MulDrop.1653;Deleted.;
od-gays20.exe;C:\WINDOWS;Dialer.Online;Incurable.Moved.;
fqiosx.dat;C:\WINDOWS;Trojan.MulDrop.1653;Deleted.;
vwsrv.exe;C:\WINDOWS;Probably BACKDOOR.Trojan;Incurable.Moved.;
avp.exe;C:\WINDOWS;Trojan.DownLoader.22755;Deleted.;
ddcdawx.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Deleted.;
ppwnhhi.dll;C:\WINDOWS\SYSTEM;Trojan.DownLoader.based;Deleted.;
rqrsqpm.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Deleted.;
rqrooll.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Deleted.;
opnopon.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Will be cured after reboot.;
rqomj.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Deleted.;
qtmjbq.dll;C:\WINDOWS\SYSTEM;Adware.ClickSpring;Incurable.Moved.;
efcdb.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Deleted.;
optimize.exe;C:\WINDOWS\TEMP;Trojan.Dyfuca;Deleted.;
saD374.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
sa6013.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
sa7302.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
sa3165.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
sa5092.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
sa1042.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
saA2C3.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.1878;Deleted.;
winB1A1.TMP.exe;C:\WINDOWS\TEMP;Trojan.Click.2228;Incurable.Moved.;
win53.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Deleted.;
win1395.TMP.exe;C:\WINDOWS\TEMP;Adware.Akella;Incurable.Moved.;
win30E0.TMP.exe;C:\WINDOWS\TEMP;Trojan.Mezzia;Deleted.;
win6192.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.11009;Deleted.;
win8100.TMP.exe;C:\WINDOWS\TEMP;Trojan.Click.2172;Deleted.;
win8362.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Deleted.;
winB343.TMP.exe;C:\WINDOWS\TEMP;Adware.Akella;Incurable.Moved.;
winD050.TMP.exe;C:\WINDOWS\TEMP;Trojan.MulDrop.5059;Deleted.;
win3174.TMP.exe;C:\WINDOWS\TEMP;Trojan.Mezzia;Deleted.;
mst7234.TMP;C:\WINDOWS\TEMP;Trojan.Fakealert.249;Deleted.;
win7244.TMP.exe;C:\WINDOWS\TEMP;Adware.Akella;Incurable.Moved.;
win7366.TMP.exe;C:\WINDOWS\TEMP;Trojan.DownLoader.21844;Deleted.;
cmdinst.exe;C:\WINDOWS\TEMP;Adware.IESearch;Incurable.Moved.;
backup-20050224-213304-521.dll;C:\WINDOWS\TEMP\backups;Trojan.MulDrop.1653;Deleted.;
MovieNetworks.exe;C:\WINDOWS\Downloaded Program Files;Dialer.Charger;Incurable.Moved.;
n[1]\JavaScript.0;C:\WINDOWS\Temporary Internet Files\Content.IE5\0T2JSH63\n[1];Trojan.Click.2105;;
n[1];C:\WINDOWS\Temporary Internet Files\Content.IE5\0T2JSH63;Archive contains infected objects;Moved.;
lo1[1];C:\WINDOWS\Temporary Internet Files\Content.IE5\MHBGX872;Trojan.Virtumod;Deleted.;
backup-20070521-193935-434.dll;C:\unzipped\hijackthis\backups;Trojan.Virtumod;Deleted.;
Yazzle1162OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
Yazzle1122OinAdmin.exe\data001;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe\data002;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.MediaTicket;;
Yazzle1122OinAdmin.exe\data003;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
rkoqm.exe;C:\Program Files\Common Files\rkoq;Adware.TargetServer;Incurable.Moved.;
rkoql.exe;C:\Program Files\Common Files\rkoq;Adware.TargetServer;Incurable.Moved.;
rkoqa.exe;C:\Program Files\Common Files\rkoq;Trojan.DownLoader.5289;Deleted.;
rkoqp.exe;C:\Program Files\Common Files\rkoq;Adware.TargetServer;Incurable.Moved.;
rkoqc.dll;C:\Program Files\Common Files\rkoq\rkoqd;Adware.TargetServer;Incurable.Moved.;
ycomp4

--------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:19:12 PM, on 5/21/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\MY DOCUMENTS\UOEH\SERVICES.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NETZERO\SEARCHENH1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b98qzcnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {CB583E1B-80FF-EA2D-D90B-8FADDAB97295} - C:\WINDOWS\SYSTEM\XFSDOYE.DLL
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\PROGRAM FILES\ADSPONSOROI\ADSPONSOROI.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WINVAW32] rundll32 WINVAW32.DLL,run
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
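Comparing the first HijackThis log with the one posted after the cleanup pass is what shows that some entries came back under new names (a new unnamed BHO, XFSDOYE.DLL, and the [Ssoo] autorun now pointing at My Documents\uoeh\services.exe instead of Application Data\uoeh\msconfig.exe). The script below is an added example, not a tool from this forum or from HijackThis itself: it parses the `Rn - ...` / `On - ...` entry lines of two HijackThis 1.99 logs, ignores the header and the volatile "Running processes" list, and reports removed, added and re-pointed entries. The two sample logs are constructed short excerpts of the logs posted in this thread.

```python
"""Diff two HijackThis 1.99 logs entry by entry (added example for this thread)."""
import re

# Entry lines look like "R0 - ...", "O2 - BHO: ...", "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^([RNOF]\d{1,2}) - (.*)$")
# Registry autorun entries carry the value name in brackets; Startup-folder
# entries ("O4 - Startup: x.lnk = ...") deliberately do not match this.
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> dict[str, str]:
    """Return {normalised entry: original line} for every HijackThis entry line.

    Header lines and the running-process paths never match ENTRY_RE and are
    skipped. Win9x paths are case-insensitive, so the key is lower-cased to
    keep EXEC.EXE and exec.exe from showing up as a spurious change.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[f"{m.group(1)} - {m.group(2).lower()}"] = line
    return entries


def diff_hjt(before: str, after: str) -> dict[str, list[str]]:
    """Entries that vanished, appeared, or stayed between two logs."""
    old, new = parse_hjt(before), parse_hjt(after)
    return {
        "removed": sorted(old[k] for k in old.keys() - new.keys()),
        "added": sorted(new[k] for k in new.keys() - old.keys()),
        "unchanged": sorted(old[k] for k in old.keys() & new.keys()),
    }


def run_key_changes(before: str, after: str) -> dict[str, tuple[str, str]]:
    """Autorun value names present in both logs whose command now differs.

    A value name that survives a cleanup but launches a different file is the
    signature of a dropper re-installing itself under a new path.
    """
    def run_values(entries: dict[str, str]) -> dict[tuple[str, str], str]:
        out = {}
        for line in entries.values():
            m = RUN_RE.match(line)
            if m:
                out[(m["hive"], m["name"])] = m["cmd"]
        return out

    old, new = run_values(parse_hjt(before)), run_values(parse_hjt(after))
    return {
        f"{hive}: [{name}]": (old[(hive, name)], new[(hive, name)])
        for (hive, name) in sorted(old.keys() & new.keys())
        if old[(hive, name)] != new[(hive, name)]
    }


# Constructed excerpts of the first and third logs posted in the thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:08:40 PM, on 5/19/07
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\APPLICATION DATA\UOEH\MSCONFIG.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
O2 - BHO: (no name) - {5684BCD2-FC60-EF0A-E53F-06693B9233BB} - C:\WINDOWS\SYSTEM\crxilpf.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [Ssoo] "C:\WINDOWS\Application Data\uoeh\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [IpWins] \Ipwindows\ipwins.exe
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:19:12 PM, on 5/21/07
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\MY DOCUMENTS\UOEH\SERVICES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {CB583E1B-80FF-EA2D-D90B-8FADDAB97295} - C:\WINDOWS\SYSTEM\XFSDOYE.DLL
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\PROGRAM FILES\ADSPONSOROI\ADSPONSOROI.DLL
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb
"""


def report(before: str, after: str) -> str:
    """Human-readable summary of what changed between the two logs."""
    lines = []
    for label, items in diff_hjt(before, after).items():
        if label != "unchanged":
            lines.append(f"{label} ({len(items)}):")
            lines.extend(f"  {item}" for item in items)
    for key, (old_cmd, new_cmd) in run_key_changes(before, after).items():
        lines.append(f"re-pointed {key}:\n  was: {old_cmd}\n  now: {new_cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Entries in the "unchanged" bucket (the Spybot SDHelper BHO, the OPNOPON.DLL BHO that Dr.Web could not cure) are the ones to recheck first on the next pass.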
teacup61
Hello,

Open HijackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\WINDOWS

And select the file

retadpu1000272.exe

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

This one has to go if there is to be any success. It worries me most.

Delete all cookies, temp files, and the recycle bin.

Run Dr. Web again, and post the report. Of course, I need a new HijackThis log as well. Keep letting me know how it's running also. It really does help. :)

Thanks,
tea
duane
Hi Tea,

Here are the most recent Dr. Web and HiJackThis logs:

------------------

Dr. Web log:

opnopon.dll;c:\windows\system;Trojan.Virtumod;Will be cured after reboot.;
opnopon.dll;C:\WINDOWS\SYSTEM;Trojan.Virtumod;Will be cured after reboot.;

-----------------

Logfile of HijackThis v1.99.1
Scan saved at 10:04:03 PM, on 5/22/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\MY DOCUMENTS\UOEH\SERVICES.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NETZERO\SEARCHENH1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b98qzcnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {CB583E1B-80FF-EA2D-D90B-8FADDAB97295} - C:\WINDOWS\SYSTEM\XFSDOYE.DLL
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\PROGRAM FILES\ADSPONSOROI\ADSPONSOROI.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WINVAW32] rundll32 WINVAW32.DLL,run
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
teacup61
Hello,

Boot into safe mode and run Dr. Web in safe mode, please. Post the report.
duane
Hi Tea,

Below is the Dr. Web log that I ran in Safe Mode after starting my computer in Safe Mode as well. I also ran a HiJackThis log in Safe Mode, if you wanted to see that as well.

I appreciate your patience and the time you are spending with me.

Duane

-----------------------------------------

Dr. Web log:

opnopon.dll;c:\windows\system;Trojan.Virtumod;Deleted.;

-----------------------------------------

HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:53 PM, on 5/23/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starwars.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NETZERO\SEARCHENH1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b98qzcnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL (file missing)
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\PROGRAM FILES\ADSPONSOROI\ADSPONSOROI.DLL
O2 - BHO: (no name) - {910E3F14-D5F9-EC28-D90B-8FADDAB972C1} - C:\WINDOWS\SYSTEM\THKRB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WINVAW32] rundll32 WINVAW32.DLL,run
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\SYSTEM\MACROMED\FLASH\GetFlash.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
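Comparing the 5/22 and 5/23 logs line by line is what turns up the changes that matter here: the OPNOPON.DLL helper object is now reported as missing, while the randomly named BHO has simply come back under a new CLSID and file name (XFSDOYE.DLL replaced by THKRB.DLL). The script below is an added example, not part of this thread or of HijackThis itself; it parses the O2 and registry O4 lines of a HijackThis 1.99.1 log with the Python standard library and diffs two scans, using excerpts of the two logs posted above as its sample input.

```python
import re
from typing import Dict, Tuple

# HijackThis O2 (browser helper object) and O4 (registry autostart) line shapes:
#   O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
#   O4 - HKLM\..\Run: [<value name>] <command line>
O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")

def parse_log(text: str) -> Dict[str, str]:
    """Key each BHO by CLSID and each Run entry by hive/key/name; value is its file or command."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            flag = " [MISSING]" if m.group(3) else ""
            entries["BHO " + m.group(1).upper()] = m.group(2).upper() + flag
            continue
        m = O4_RE.match(line)
        if m:  # O4 Startup-folder lines have no registry key and are skipped here
            entries[f"{m.group(1)} [{m.group(2)}]"] = m.group(3)
    return entries

def diff_logs(old: str, new: str) -> Tuple[dict, dict, dict]:
    """Return (added, removed, changed) entries between two scans of the same machine."""
    a, b = parse_log(old), parse_log(new)
    added = {k: v for k, v in b.items() if k not in a}
    removed = {k: v for k, v in a.items() if k not in b}
    changed = {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}
    return added, removed, changed

# Excerpts of the 5/22 and 5/23 logs posted in this thread (lines not shown are unchanged).
LOG_0522 = r"""O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL
O2 - BHO: (no name) - {CB583E1B-80FF-EA2D-D90B-8FADDAB97295} - C:\WINDOWS\SYSTEM\XFSDOYE.DLL
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb"""
LOG_0523 = r"""O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\SYSTEM\OPNOPON.DLL (file missing)
O2 - BHO: (no name) - {910E3F14-D5F9-EC28-D90B-8FADDAB972C1} - C:\WINDOWS\SYSTEM\THKRB.DLL
O4 - HKCU\..\Run: [Ssoo] "C:\My Documents\uoeh\services.exe" -vt yazb
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\SYSTEM\MACROMED\FLASH\GetFlash.exe"""

if __name__ == "__main__":
    for label, block in zip(("added", "removed", "changed"), diff_logs(LOG_0522, LOG_0523)):
        for key, value in block.items():
            print(f"{label:8} {key}: {value}")
```

Entries that survive unchanged across scans (the Ssoo autostart here) are exactly the ones a cleanup has not touched yet, which is the list worth rechecking first.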
teacup61
Hi Duane,

Please forgive my delayed response. :( I really have to ask you to consider a reformat here. The infections you have require powerful tools to remove, and they don't work on systems as old as yours. I mean no disrespect by that, just stating a fact and explanation.

Regards,
tea
duane
Hi Tea,

I appreciate your comments. No disrespect taken at all. I know my system is old. I am obliged to your guidance and assistance. If reformatting is the process, that is fine. However, I will be leaving for a conference until the end of the week. I will then need a little time to save my files to disk and then I can reformat. May I then bother you about reformatting? I know "what" that means, but I am not sure "how" to do that.

Thanks again,
Duane
Invision Power Board © 2001-2009 Invision Power Services, Inc.