My home page keeps changing, etc.
OK, my problem is that my home page keeps changing to the same thing and unwanted websites keep popping up in my "favorites" section. Here is the log that I got:
Logfile of HijackThis v1.98.2
Scan saved at 5:06:11 PM, on 8/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.juno.com/s/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gimli.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [axjnnpkx] C:\WINDOWS\hmcspeks.exe
O4 - HKLM\..\Run: [aka] C:\WINDOWS\SYSTEM\afvbkb.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System\
O4 - HKLM\..\Run: [FMW] C:\WINDOWS\FMW.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System\zzb.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe \DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [Mjrxfamw] C:\WINDOWS\SYSTEM\oacnmlks.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Logfile of HijackThis v1.98.2
Scan saved at 5:06:11 PM, on 8/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.juno.com/s/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gimli.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [axjnnpkx] C:\WINDOWS\hmcspeks.exe
O4 - HKLM\..\Run: [aka] C:\WINDOWS\SYSTEM\afvbkb.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System\
O4 - HKLM\..\Run: [FMW] C:\WINDOWS\FMW.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System\zzb.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe \DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [Mjrxfamw] C:\WINDOWS\SYSTEM\oacnmlks.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
0
This discussion has been closed.
Comments
Reboot into SAFE MODE. Run HJT. Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.juno.com/s/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gimli.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gimli.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gimli.directwebsearch.net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
(Basically, we are going to toss all of those except the Proxy Overrides, which I think are there for a purpose in your case.)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
(Kazaa has adware built in, and is often the source of many bogus files which turn out to be adware, spyware, viruses or trojans. If you must P2P, please use Kazaa Lite, and ber very cautious of what you download.)
O4 - HKLM\..\Run: [axjnnpkx] C:\WINDOWS\hmcspeks.exe
O4 - HKLM\..\Run: [aka] C:\WINDOWS\SYSTEM\afvbkb.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System\
O4 - HKLM\..\Run: [FMW] C:\WINDOWS\FMW.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System\zzb.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [Mjrxfamw] C:\WINDOWS\SYSTEM\oacnmlks.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
(Likely the causes of your problems, a bunch of randomly names files that are probably re-loaders.)
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
(Not a well recognized anti-spyware app. I would recommend using Ad Aware, Spybot S&D, SpywareBlaster, and nothing else....)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
(The files are missing on all those, so remove the entries.)
Stay in safe mode, locate the exe files in those entries, as well as this file: c:\windows\system32\blank.htm. Then, quarantine them.
Reboot normally, check things out, and post a fresh log for review.
Dexter...
For Windows 98, which you have, there are 2 ways to get there:
To use the F8 method
Restart the computer.
As the computer restarts, press and hold down the F8 key until the Windows 98 startup menu appears.
Choose Safe mode from the startup menu, and then press Enter. Windows starts in Safe mode.
To use the System Configuration Utility method
Close all open programs.
Click Star > Run. The Run dialog box appears.
Type msconfig and then click OK.
In the System Configuration Utility, click "Advanced."
In the Advanced Troubleshooting Settings dialog box, check Enable Startup Menu. Click OK. Click OK again when the System Configuration Utility reappears.
You will be prompted to restart the computer. Click Yes. The computer will restart in Safe mode. (This can take several minutes.)
Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode repeat these steps but uncheck "Enable Start-up Menu."
Close all programs and restart the computer as you normally would.
Tutorial with images at:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
I have just added that to our How-To list: How To Boot In Safe Mode.
Dexter....
Dexter...
Now, we'll do this together.
Look at the instructions for locating the files to quarantine:
O2 - BHO: (no name) - {5EA09FEA-707B-FB28-AF23-9B7F1EA97C20} - C:\WINNT\mfcwz32.dll
O3 - Toolbar: sitemove - {45084689-F2B1-ACD4-5C96-37D71CCC71D7} - C:\PROGRAM FILES\VC JUNK\FIVE MAPI.DLL
O4 - HKLM\..\Run: [sdkql.exe] C:\WINNT\sdkql.exe
Anything in red is the actual file location. Don't worry about HKLM and HKCU. Those are shorthand for where the Registry entries are on your system: H-Key Local Machine and H-Key Current User. Just ignore that part, look only at the part that says C:\whatever\wherever\thingamajig.exe.
As indicated, make sure you are set to view hidden files and folders:
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Now, if you don't know where to look for a file, you can always just do a SEARCH from your Start menu. Search for thingamajig.exe and it will show you where it is.
Try that, then reboot and post a fresh log so we can check your progress.
Dexter...
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://gimli.directwebsearch.net/search.php
/\ I didn't see the location on any of those kinds of files, that's why I was so confused. BUT, I scanned it again and came up with a fresh log that didn't contain any of those files, so somehow I think it worked when i fixed them the last time. Perhaps I forgot something the first time? Anyway, here's my newly updated log:
Logfile of HijackThis v1.98.2
Scan saved at 1:37:06 PM, on 8/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazefind.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe \DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Thanks a lot, by the way!
Anything that starts with http:// is located on the internet, so you cannot really quarantine it
Just a couple of more itmes to fix. SAFE MODE -> HJT -> FIX:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
(Find and quarantine that file.)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
(Find and quarantine that file.)
Reboot in normal mode, check things out, and let us know.
Dexter...