Home Search removal for Windows 98
Please help. My husband's laptop has the Home Search garbage on it. He can't get anywhere. Unfortunately he is mostly computer illiterate and unknowingly clicked on a lot of junk in email spam. I got rid of most of the other crap (Bonzi, IstBar, etc.) with Ad-Aware, Spy-Bot and others, but can't seem to lick this one. He may also have the About:blank problem, but I'm not sure this isn't a portion of Home Search. He is running 98 and Dexter's home search removal tool is only good for 2000 or XP. Can anyone tell me how to remove it on 98? Thank you so much.
This discussion has been closed.
Comments
Thank you. Here is the log:
Logfile of HijackThis v1.99.0
Scan saved at 1:40:41 PM, on 01/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT IPSEC VPN\IREIKE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATLCI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\AGATE TIOMAN FOR HP\TIOMAN.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\TEMP\F1F3.TMP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\FBA.EXE
C:\WINDOWS\SYSTEM\IMM32893.EXE
C:\IYBVTF.EXE
C:\WINDOWS\TEMP\N7.EXE
C:\WINDOWS\SYSTEM\INDICDLL.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\EDHCTL.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TS2.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\AMSYT0W1.EXE
C:\WINDOWS\SYSTEM\TGO7E.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {DFE137EE-49D4-325E-05EA-9C3872B51F1A} - C:\WINDOWS\SYSTEM\APIJA32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Program Files\Agate Tioman for HP\Tioman.Exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~2\vptray.exe
O4 - HKLM\..\Run: [F1F3.TMP] C:\WINDOWS\TEMP\F1F3.TMP.exe 0 10001
O4 - HKLM\..\Run: [Fba.exe] C:\WINDOWS\TEMP\FBA.EXE
O4 - HKLM\..\Run: [c1d64d3cb3e5] C:\WINDOWS\SYSTEM\IMM32893.exe
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\Bmmt6jq.exe
O4 - HKLM\..\Run: [0FQwcfod] C:\IYBVTF.EXE
O4 - HKLM\..\Run: [N7.exe] C:\WINDOWS\TEMP\N7.EXE
O4 - HKLM\..\Run: [f315694d87be] C:\WINDOWS\SYSTEM\INDICDLL.exe
O4 - HKLM\..\Run: [F1F3.TMP.EXE] C:\WINDOWS\TEMP\F1F3.TMP.EXE 0 10001
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~2\defwatch.exe
O4 - HKLM\..\RunServices: [ATLCI.EXE] C:\WINDOWS\SYSTEM\ATLCI.EXE
O4 - HKCU\..\Run: [Lkua] C:\WINDOWS\SYSTEM\edhctl.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://fairport-notes1.monroe.edu/iNotes.cab
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\alhzk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\alhzk.dll/sp.html#12345
O2 - BHO: Class - {DFE137EE-49D4-325E-05EA-9C3872B51F1A} - C:\WINDOWS\SYSTEM\APIJA32.DLL
O4 - HKLM\..\Run: [F1F3.TMP] C:\WINDOWS\TEMP\F1F3.TMP.exe 0 10001
O4 - HKLM\..\Run: [Fba.exe] C:\WINDOWS\TEMP\FBA.EXE
O4 - HKLM\..\Run: [c1d64d3cb3e5] C:\WINDOWS\SYSTEM\IMM32893.exe
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\Bmmt6jq.exe
O4 - HKLM\..\Run: [0FQwcfod] C:\IYBVTF.EXE
O4 - HKLM\..\Run: [N7.exe] C:\WINDOWS\TEMP\N7.EXE
O4 - HKLM\..\Run: [f315694d87be] C:\WINDOWS\SYSTEM\INDICDLL.exe
O4 - HKLM\..\Run: [F1F3.TMP.EXE] C:\WINDOWS\TEMP\F1F3.TMP.EXE 0 10001
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Lkua] C:\WINDOWS\SYSTEM\edhctl.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
Fix those entries then find and delete the files listed above, reboot and post a new log.
Excuse me for a dumb question, but before I begin, I want to be sure. You say fix those entries and I assume you mean check them and fix them in Hijack this. Then you say delete the files listed above, but I see no files listed above or I just don't comprehend what you mean. Please explain.
C:\WINDOWS\alhzk.dll
C:\WINDOWS\SYSTEM\APIJA32.DLL
C:\WINDOWS\TEMP\F1F3.TMP.exe
C:\WINDOWS\TEMP\FBA.EXE
C:\WINDOWS\SYSTEM\IMM32893.exe
C:\WINDOWS\SYSTEM\Bmmt6jq.exe
C:\IYBVTF.EXE
C:\WINDOWS\TEMP\N7.EXE
C:\WINDOWS\SYSTEM\INDICDLL.exe
c:\program files\180solutions\
C:\Program Files\ISTsvc\
C:\WINDOWS\SYSTEM\edhctl.exe
C:\PROGRAM FILES\COMMON FILES\TSA\
C:\PROGRAM FILES\Web Offer\
OK. Here is the new log. I notice some of the things I fixed with HJT (such as IST Service and others) are still there. Additionally, none of the .dll files I was to delete were there and all of the .exe files said I could not delete them because the "specified file was being used by windows". Should I have done this in safe mode or something? Thank you again for all the help.
Logfile of HijackThis v1.99.0
Scan saved at 5:50:20 PM, on 01/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT IPSEC VPN\IREIKE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATLCI.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\AGATE TIOMAN FOR HP\TIOMAN.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\IYBVTF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\AMSYT0W1.EXE
C:\WINDOWS\SYSTEM\UNJ3QU.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\WINDOWS\TEMP\JMNIEB.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {CE653595-207B-961B-10FD-D19B76E881A3} - C:\WINDOWS\SYSTEM\SDKJQ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Program Files\Agate Tioman for HP\Tioman.Exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~2\vptray.exe
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\IYBVTF.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\QmsPCESR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~2\defwatch.exe
O4 - HKLM\..\RunServices: [ATLCI.EXE] C:\WINDOWS\SYSTEM\ATLCI.EXE
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://fairport-notes1.monroe.edu/iNotes.cab
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\IYBVTF.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\QmsPCESR.exe
O4 - HKLM\..\RunServices: [ATLCI.EXE] C:\WINDOWS\SYSTEM\ATLCI.EXE
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
Fix those entries then find and delete these files:
C:\WINDOWS\SYSTEM\SDKJQ32.DLL
C:\IYBVTF.EXE
C:\Program Files\ISTsvc\
C:\WINDOWS\SYSTEM\QmsPCESR.exe
C:\WINDOWS\SYSTEM\ATLCI.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\
C:\WINDOWS\SYSTEM\maxspeed.exe
Then reboot and post a new log.
If you can't delete them, do it in Safe Mode.
Hi,
I found I could delete most all of those .exe files in safe mode, but still could not find some of the files on my computer. Here is my new log. As you see IstSrv still exists as well as some of those "trusted zones" and "trusted IP range" that you originally told me to fix with HJT.
Thanks again!
Nancy W
Logfile of HijackThis v1.99.0
Scan saved at 7:15:46 PM, on 01/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT IPSEC VPN\IREIKE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\AGATE TIOMAN FOR HP\TIOMAN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Program Files\Agate Tioman for HP\Tioman.Exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~2\vptray.exe
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\IYBVTF.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~2\defwatch.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://fairport-notes1.monroe.edu/iNotes.cab
Boot into Safe Mode and fix these entries:
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\IYBVTF.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Still in safe mode, find and delete C:\IYBYTF.EXE, then boot back into normal mode and post a new log.
Well...it's looking better...
Logfile of HijackThis v1.99.0
Scan saved at 8:10:58 PM, on 01/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT IPSEC VPN\IREIKE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\AGATE TIOMAN FOR HP\TIOMAN.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Program Files\Agate Tioman for HP\Tioman.Exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~2\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~2\defwatch.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://fairport-notes1.monroe.edu/iNotes.cab
www.mvps.org/winhelp2002/DelDomains.inf
Once you have it saved on your computer, right click the file and select "Install", then reboot and post a new log.
Hi,
That's done although the deldomains.inf didn't seem to do much when I clicked install -- like no install window opened or anything. Here's the log:
Logfile of HijackThis v1.99.0
Scan saved at 10:02:16 PM, on 01/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT IPSEC VPN\IREIKE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\AGATE TIOMAN FOR HP\TIOMAN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DPMW32.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Program Files\Agate Tioman for HP\Tioman.Exe
O4 - HKLM\..\Run: [NDPS] c:\windows\SYSTEM\dpmw32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~2\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IREIKE] C:\Program Files\Microsoft IPSec VPN\IreIKE.exe start
O4 - HKLM\..\RunServices: [IPSecMon] C:\Program Files\Microsoft IPSec VPN\IPSecMon.exe start
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~2\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~2\defwatch.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://fairport-notes1.monroe.edu/iNotes.cab
Thanks again!
Things seem to be better on his laptop. Turned it on and left IE on his favorite site, PGA Tour, for about a half an hour. Not a single pop-up appeared. What a difference! Previously his screen was covered with garbage...layer and layer of it. You couldn't click fast enough to close them down. A big THANK YOU for all your help. You're wonderful!
A question though. What exactly did the deldomains.inf do? Although I never saw it doing anything, even loading, it seems to have removed all those pesky 015 codes in the HJT log. Is it worth running on all of my computers?
Thanks again!
Deldomains.inf is a file that deletes the registry key which the O15 entries are stored on, then recreates it. By doing this, it removes all sites that are in your Trusted Zone and Restricted Zone. If you had Spyware Shooter installed, you will need to reinstall it.
Yes, we are up and running. Thank you once more!
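Added example, not part of the original thread: each round above compares the entries the helper asked to have fixed against the next posted log. The sketch below automates that comparison; the names `parse_log`, `autorun_key` and `check_fix` and the "respawned" label are assumptions of this example, and the sample lines are excerpted from the first fix list and the second log in the thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] target"
ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")
# Body of an O4 registry autorun: hive\..\key: [value name] command
AUTORUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$")

class Entry(NamedTuple):
    code: str
    body: str

def parse_log(text: str) -> List[Entry]:
    """Keep only R*/O* entry lines; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries

def autorun_key(e: Entry) -> Optional[Tuple[str, str]]:
    """(registry key, value name) for an O4 registry autorun, else None."""
    m = AUTORUN_RE.match(e.body) if e.code == "O4" else None
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def check_fix(flagged_text: str, after_text: str) -> List[Tuple[Entry, str]]:
    """Classify each flagged entry against the log taken after the fix.

    persisted: the identical entry is still present
    respawned: same autorun value name, but it now points at a different file
    removed:   no matching entry in the later log
    """
    after = parse_log(after_text)
    exact = {(e.code, e.body.lower()) for e in after}
    autoruns = {autorun_key(e) for e in after} - {None}
    report = []
    for e in parse_log(flagged_text):
        if (e.code, e.body.lower()) in exact:
            status = "persisted"
        elif autorun_key(e) in autoruns:
            status = "respawned"
        else:
            status = "removed"
        report.append((e, status))
    return report

# Excerpt of the entries the helper first asked to have fixed.
FLAGGED = r"""
O2 - BHO: Class - {DFE137EE-49D4-325E-05EA-9C3872B51F1A} - C:\WINDOWS\SYSTEM\APIJA32.DLL
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\Bmmt6jq.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - HKCU\..\Run: [Lkua] C:\WINDOWS\SYSTEM\edhctl.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Excerpt of the second log (5:50:20 PM), posted after the first fix attempt.
AFTER = r"""
Logfile of HijackThis v1.99.0
O2 - BHO: Class - {CE653595-207B-961B-10FD-D19B76E881A3} - C:\WINDOWS\SYSTEM\SDKJQ32.DLL
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [2AQFCN2373JF8A] C:\WINDOWS\SYSTEM\QmsPCESR.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

if __name__ == "__main__":
    for entry, status in check_fix(FLAGGED, AFTER):
        print(f"{status:<10} {entry.code} - {entry.body}")
```

The O2 entry is reported as removed even though the second log shows an unnamed BHO under a different CLSID and DLL name, so a "removed" result still needs a look at what is new in the later log. The `2AQFCN2373JF8A` autorun keeps its value name while its target changes, which is why it had to be fixed again in the next round.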