Options

onemoresearch.NET, hijacked

Unknown
edited January 2005 in Spyware & Virus Removal
Hi. I need some help. I've updated and run Spybot, Ad-Aware, and McAfee and HijackThis. I have no clue what to delete. Now IE will only go to the search page the Hijacker changed it to. I always get stuck cleaning up the mess. I just didn't want to start deleting willy-nilly and be worse off in the end than at the start. Thank you for any assistance.

Here's the HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 9:55:50 PM, on 1/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\WINVU.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IJ75P2PS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: Class - {EC3AF539-7EA4-B36C-D296-F984ABDB6170} - C:\WINDOWS\ADDZN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [IJ75P2PSERVER] IJ75P2PS.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org

Thanks again.

Comments

  • DEJE
    edited January 2005
    Would it be sufficient to fix all the R1 entries and the R3? :scratch: Thanks for any insight.

    Denise
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    Don't fix any entries unless we say so. Doing it incorrectly may make it take longer to resolve this, and if you fix the wrong entries (all the R1 and R3 entries are bad though), you can mess up your computer. Upgrade to HijackThis version 1.99.0 and post a new log so we can hel pyou easier.
  • DEJE
    edited January 2005
    Thanks, SWS! I upgraded HJT and have posted a new log. When I was removing the previous version of HJT, I noted that HSA and a search extender were listed as programs installed as well. There is no telling what's going on on that computer.


    Logfile of HijackThis v1.99.07
    Scan saved at 11:31:05 PM, on 1/4/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\WINVU.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IJ75P2PS.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O2 - BHO: Class - {EC3AF539-7EA4-B36C-D296-F984ABDB6170} - C:\WINDOWS\ADDZN.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [IJ75P2PSERVER] IJ75P2PS.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org

    Thanks again.

    Denise
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hcbwh.dll/sp.html#93256
    O2 - BHO: Class - {EC3AF539-7EA4-B36C-D296-F984ABDB6170} - C:\WINDOWS\ADDZN.DLL
    O4 - HKLM\..\Run: [IJ75P2PSERVER] IJ75P2PS.EXE
    O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • DEJE
    edited January 2005
    Thanks, SWS!

    Here's the new HJT log file. I got the message that the following files could not be deleted because they were being used by Windows: WINVU.EXE and IJ75P2PS.EXE. This file was not listed --> C:\WINDOWS\ADDZN.DLL. It was set to show hidden files. Yet they don't seem to be listed in the log any more. Hopefully they've been evicted.

    I really appreciate this. :D

    Denise

    Logfile of HijackThis v1.99.07
    Scan saved at 10:31:12 PM, on 1/5/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O2 - BHO: Class - {3B0881BE-E2CD-7DAC-3F7A-E7DDA714883E} - C:\WINDOWS\MSRR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    O2 - BHO: Class - {3B0881BE-E2CD-7DAC-3F7A-E7DDA714883E} - C:\WINDOWS\MSRR.DLL

    Fix that entry then find and delete MSRR.DLL, reboot and post a new log.

    Where did you get HJT version 1.99.07? I saw that in your log, so I went to upgrade, but it said that the latest version was 1.99.0.
  • DEJE
    edited January 2005
    Hi, SWS.

    Here's the new log. I'm afraid the 1.99.07 is the result of a numlock error. Sorry about that.

    Here's my newest log. After fixing the BHO attached to MSRR.dll, the file no longer appeared on the system. Thanks, so much.

    Denise

    Logfile of HijackThis v1.99.0
    Scan saved at 12:43:23 PM, on 1/6/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\WINVU.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    R3 - Default URLSearchHook is missing

    Fix that entry and you should be all set. Are you still having any problems?
  • DEJE
    edited January 2005
    HI, SWS!

    I'm still having issues. I fixed the entry, ran HJT and the 03 entry did not appear in the log. I rebooted the machine and the 03 entry comes back.

    I looked under add-remove programs and saw Home Search Assistant, Search Extender, and Shopping wizard. Tried to remove them all, but unable to. Each one references a web site.

    On trying to remove HSA, I get the message "unable to open http://looking-for.cc/uninstall/HomeSearchAssistant.html" :(

    For Search Extender, I get the message "unable to open http://looking-for.cc/uninstall/SearchExtender.html" :confused:

    For Shopping Wizard, you got it -- "unable to open http://looking-for.cc/uninstall/ShoppingWizard.html" :mad:

    So, at this point, should I follow one of the guides listed to rid myself of HSA?

    By the way, when I did try to access the web, I got a 404 and in the address line it reads: res://zeobdb.dll/http_404.htm

    Here is the log as it appears after reboot.

    Thanks for hanging in there.

    Denise

    Logfile of HijackThis v1.99.0
    Scan saved at 5:27:42 PM, on 1/6/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\WINVU.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O2 - BHO: Class - {D7DC9791-A12E-511A-BF9B-B75A4B4A69B5} - C:\WINDOWS\ATLIR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    O2 - BHO: Class - {D7DC9791-A12E-511A-BF9B-B75A4B4A69B5} - C:\WINDOWS\ATLIR.DLL
    O4 - HKLM\..\RunServices: [WINVU.EXE] C:\WINDOWS\SYSTEM\WINVU.EXE

    Fix those entries then find and delete ATLIR.DLL and WINVU.EXE, reboot and post a new log.
  • DEJE
    edited January 2005
    Hi again.

    I tried to delete winvu.exe inside windows, but had to boot to the command prompt in order to get rid of it. I could not find C:\WINDOWS\ATLIR.DLL at all. After that rebooted and here's the log.

    Another thank you.


    Logfile of HijackThis v1.99.0
    Scan saved at 7:31:30 PM, on 1/6/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O2 - BHO: Class - {52FCC979-B558-D53B-8050-7617343C152D} - C:\WINDOWS\SYSTEM\ADDJG.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    O2 - BHO: Class - {52FCC979-B558-D53B-8050-7617343C152D} - C:\WINDOWS\SYSTEM\ADDJG.DLL

    Fix that entry then find and delete ADDJG.DLL, reboot and post a new log.
  • DEJE
    edited January 2005
    :) Here's the new log. Fixed the entry, searched for the file and it didn't show up.

    Denise

    Logfile of HijackThis v1.99.0
    Scan saved at 7:57:27 PM, on 1/6/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\NOVELL\CLIENT32\NWRECMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = wakemed.org
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    Your log looks okay now. Are you still having any problems?
  • DEJE
    edited January 2005
    Hi --

    For some reason IE won't reach the web. I think I'll uninstall and reinstall. HOpefully that will help. :scratch: Dont' know what else to do.
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    What happens when you try to open IE?
  • DEJE
    edited January 2005
    it opens, says it's finding the site, then tells me it can't find the server and page cannot be displayed. I'm probably going to give it a rest for tonight, so I'll check back. Just a little frazzled.

    Thanks.

    D
  • DEJE
    edited January 2005
    Hi, SWS!

    Thanks for everything. It's working now. I had a firewall problem. We fixed that. Thanks so much. I appreciate all the effort you have put into making this work for me.

    Denise
Sign In or Register to comment.