Join Date: May 2005
Posts: 13
Reputation:
Rep Power: 4
Solved Threads: 0
Hullo everyone!
I'm hoping someone out there can give me some advice about nasties.
A few weeks ago I began to suspect my computer had been hijacked. None of the symptoms mentioned in this forum occurred, eg pop-ups, but I could not close down Windows (98) and when I tried to go into my control panel to investigate, I discovered that I cannot access anything in the control panel.
Following advice on these threads, I've used Spy-bot, Adaware, and installed EZ armour (previously used zone alarm). I've also uninstalled Kazaa-Lite. I've downloaded Hijack This and gone through the tutorial - nothing seems suspicious (though I cannot copy and paste log).
Can a virus change my settings like this? If this is possible, and I've removed the virus, can I change settings back without doing a complete reboot?
Any help would be very much appreciated!
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
I'd suggest running SFC and see if it helps:
http://support.microsoft.com/default...b;en-us;185836
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Join Date: May 2005
Posts: 13
Reputation:
Rep Power: 4
Solved Threads: 0
Thank you for that dlh6213 - it's pointed me in the right direction. I've found the culprit!
http://info.ahnlab.com/securityinfo/...sp?SEQ_NO=2169
But NOT the solution!
Has anyone heard of this (Dropper/Yinwin.49577) or have any ideas how to eradicate all the nasties it's caused?
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
Are you still unable to copy and paste the HijackThis log?
Join Date: May 2005
Posts: 13
Reputation:
Rep Power: 4
Solved Threads: 0
Hullo again!
I've figured out how to paste the log (I hope!) after reading the bleeping computer tutorial. Here it is...
Logfile of HijackThis v1.99.1
Scan saved at 14:49:26, on 18/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2014.0200)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ZIPCD\DIRECTCD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\HIJACK THIS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080;gopher=http://www-cache.freeserve.net:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZIPCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [Runtt1] C:\WINDOWS\SYSTEM\Internat.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: PowerReg SchedulerV2.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://hani.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
PS the 'hani' entry near the end enables my girlfriend to use Korean text. Reckon I can blame her for this mess?
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
First of all you should go to Windows Update and get all the Critical Updates for your system.
Then, get about:Buster from here:
http://www.majorgeeks.com/download4289.html
Unzip it to your desktop, run it, and:
Click Update, and then Check For Update, and Download Update; wait for the updates to be installed.
After the updates have been installed, click Start
(Wait for the initial ADS scan to complete.)
Click Yes to shutdown any IE session currently open when asked
(Wait for the about:blank scan to complete.)
Click OK to scan once more when prompted
Click Yes to shutdown any IE sessions currently open, and then Yes to begin the second pass
Click Save log
Click Exit, and then Exit again
Reboot
Scan with hijackthis and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080;gopher=http://www-cache.freeserve.net:8080
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
Be sure to close all windows, other than hijackthis, before hitting Fix checked.
Reboot, close any open browser windows, scan with hijackthis, and post a new hijackthis log and the about:Buster log.
Can you tell us where Dropper/Yinwin.49577 is located on your computer?
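Added example (not part of the original thread): one way to check the follow-up log requested above against the entries that were selected for fixing. The function names and the abbreviated "after" log are constructed for illustration; the other log lines are copied from the thread.

```python
import re

# HijackThis entry lines open with a section code (R0, R1, O2, O4, O14 ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_log(text):
    """Split a log into (header lines, running processes, entries)."""
    header, processes, entries = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            header.append(line)
    return header, processes, entries

def key(entry):
    """Case- and whitespace-insensitive key, so re-typed lines still match."""
    code, body = entry
    return code, " ".join(body.split()).lower()

def verify_fix(before_log, after_log, fix_list):
    """Check a follow-up log against the entries that were selected for fixing."""
    before = {key(e): e for e in parse_log(before_log)[2]}
    after = {key(e): e for e in parse_log(after_log)[2]}
    wanted = {key(e): e for e in parse_log(fix_list)[2]}
    show = " - ".join
    return {
        "still_present": [show(e) for k, e in wanted.items() if k in after],
        "not_in_first_log": [show(e) for k, e in wanted.items() if k not in before],
        "new_entries": [show(e) for k, e in after.items() if k not in before],
    }

# Abbreviated copy of the first log posted in the thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Runtt1] C:\WINDOWS\SYSTEM\Internat.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
"""
# Subset of the entries listed for "Fix checked".
FIX = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
"""
# Constructed follow-up log in which one fixed entry has come back after reboot.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Runtt1] C:\WINDOWS\SYSTEM\Internat.exe
"""

if __name__ == "__main__":
    for name, lines in verify_fix(BEFORE, AFTER, FIX).items():
        print(name, lines)
```

An entry reported under still_present means the setting was rewritten after the fix, which points to something still running that restores it.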
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 18
Solved Threads: 339
1. C:\Windows\rundll32.exe and C:\Windows\System\Internat.exe are real Windows files. The virus may have overwritten or altered them, which means that you may have to install fresh copies of the originals to replace the infected versions of the files. We should determine that before going any further.
Please do the following:
- Open Windows Explorer and locate rundll32.exe.
- Right click on the file and click Properties.
- In the Properties window, note the file's exact size, its version, and its creation date. Post that information here.
On my Win98 (SE) machine I show the following information for the "real" rundll32.exe:
size: 24,576 Bytes
version: 4.10.0.1998
created: Fri. 4/23/99 10.22.PM
- Repeat for Internat.exe. This is the info I have for that file:
size: 28,672 Bytes
version: 4.10.0.2222
created: no date listed
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
In addition to what DMR has suggested, try to delete hzdll.dll and hoo.dll (you may need to boot into Safe Mode)
Also, do a search for internet.exe and, if found, give us the same info as requested for internat.exe and rundll32.exe.
One more thing you may want to try... do a search by size for any files that are 49577 bytes, and give us the results (unless there's a looong list) -- actually looking for rundll32 and/or internet.exe files this size, but it's possible there could be a new name.
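Added example (not part of the original thread): the two manual checks requested above, the search for 49577-byte files and the comparison of rundll32.exe and Internat.exe against known sizes, done in one pass over a directory tree such as a mounted copy of the disk. The function names and the demo file layout are constructed; the sizes and file names are the ones quoted in the posts.

```python
import os
import tempfile

# Reference sizes quoted in the thread, taken from the poster's own Win98 SE
# machine; another Windows 98 release may legitimately differ.
BASELINE = {"rundll32.exe": 24576, "internat.exe": 28672}
SEARCH_SIZE = 49577              # size the thread asks to search for
NAMES_OF_INTEREST = {"internet.exe"}  # file name the thread asks about

def triage(root):
    """Walk root and return sorted (finding, relative path, size) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lname = name.lower()
            if size == SEARCH_SIZE:
                findings.append(("size-match", rel, size))
            if lname in BASELINE and size != BASELINE[lname]:
                findings.append(("baseline-mismatch", rel, size))
            if lname in NAMES_OF_INTEREST:
                findings.append(("name-of-interest", rel, size))
    return sorted(findings)

def demo():
    """Build a constructed directory tree and run the triage over it."""
    layout = {
        "WINDOWS/rundll32.exe": 49577,         # constructed: wrong size
        "WINDOWS/SYSTEM/Internat.exe": 28672,  # matches the quoted size
        "WINDOWS/SYSTEM/internet.exe": 100,    # constructed
        "WINDOWS/SYSTEM/other.dat": 49577,     # constructed: renamed copy
        "WINDOWS/notepad.exe": 100,            # constructed: unrelated file
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, size in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\0" * size)
        return triage(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A size match or mismatch is only a lead for closer inspection; a file of the expected size can still have been altered.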
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 18
Solved Threads: 339
Originally Posted by dlh6213
In addition to what DMR has suggested, try to delete hzdll.dll and hoo.dll (you may need to boot into Safe Mode)
If you can't delete the DLLs even in safe mode, try unregistering them before attempting deletion:
Open a DOS window, type the following two commands at the prompt, hitting enter after each:
regsvr32 /u C:\WINDOWS\SYSTEM\hzdll.dll
regsvr32 /u C:\WINDOWS\SYSTEM\hoo.dll