Thanks for taking the time to read this.
As the 'username' shows, I am in the darkages when it comes to technical issues ... so please go easy on me guys. :D

Windows 98SE

I ran Adaware (safe mode) and it came up clean.
I ran SpyBot S&D (safe mode) and it showed the presence of UrlSearchHook.atlpz.
I made a note of the registry location:

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Uninstall\SW\UninstallString

When I click on the fix in S&D it says it removes it but when I reboot back to normal mode it is still there.

I tried running HJT but it reports a missing file on my computer (MSVBVM60.DLL) and will not run.

What I am wondering is if I can go into the registry and manually delete the SW folder containing the "Shopping Wizard" and associated files or would I have to go about this another route. The "Shopping Wizard" is also showing in my Add/Remove Programs list.

It is not causing major problems right now as I have stopped using IE and I am now using OPERA so whatever problem I do have on my computer it isn't being compounded.

Sorry if I haven't explained this well enough or provided you with enough information but I played sports at school and my vcr still flashes 12 o'clock so it gives you some idea of what you are up against.

Thanks for any help you can offer.

Recommended Answers

All 15 Replies

Thanks so much for the reply crunchie

Just a quick question first:

Will installing the VB6 Library files cause any conflicts or damage to my current system? The reason I ask is becasuse the last time I installed something from Microsoft (a Windows Update Security file) it damaged my computer as the Update was flawed.

I really appreciate your help.

No guarantees, but it works fine on my pc and without it you cannot run hjackthis :).

Apologies first for taking so long in getting back to you. I just had to do some work on my computer before I installed those library files as I wasn't sure what I would have to work with once they were installed.

So the files are now installed and this is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:36:00 PM, on 5/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\WINWZ.EXE
C:\WINDOWS\SYSTEM\APIFQ32.EXE
C:\WINDOWS\SDKXH.EXE
C:\WINDOWS\SDKIY.EXE
C:\WINDOWS\SYSTEM\IPRC.EXE
C:\WINDOWS\SYSTEM\NTMA32.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMON32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\NTQA32.EXE
C:\WINDOWS\SDKXH.EXE
C:\WINDOWS\WINWZ.EXE
C:\WINDOWS\SYSTEM\APIFQ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\NTVT.DLL
O2 - BHO: Class - {4D8797FF-B288-55C5-B63F-50A8708A241F} - C:\WINDOWS\SYSTEM\ADDRS.DLL
O2 - BHO: Class - {D3698457-5E93-2115-32A6-711A2255B851} - C:\WINDOWS\SYSTEM\ADDIT32.DLL
O2 - BHO: Class - {EC181F69-6F9B-E0B5-49A6-720AC3A3C6BF} - C:\WINDOWS\SYSTEM\WINZG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE
O4 - HKLM\..\RunServices: [ADDJB32.EXE] C:\WINDOWS\ADDJB32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MFCDD.EXE] C:\WINDOWS\MFCDD.EXE
O4 - HKLM\..\RunServices: [ADDCE32.EXE] C:\WINDOWS\ADDCE32.EXE
O4 - HKLM\..\RunServices: [JAVAXH.EXE] C:\WINDOWS\JAVAXH.EXE
O4 - HKLM\..\RunServices: [JAVAJM32.EXE] C:\WINDOWS\JAVAJM32.EXE
O4 - HKLM\..\RunServices: [WINWZ.EXE] C:\WINDOWS\WINWZ.EXE /s
O4 - HKLM\..\RunServices: [APIFQ32.EXE] C:\WINDOWS\SYSTEM\APIFQ32.EXE /s
O4 - HKLM\..\RunServices: [SDKXH.EXE] C:\WINDOWS\SDKXH.EXE /s
O4 - HKLM\..\RunServices: [SDKIY.EXE] C:\WINDOWS\SDKIY.EXE /s
O4 - HKLM\..\RunServices: [IPRC.EXE] C:\WINDOWS\SYSTEM\IPRC.EXE /s
O4 - HKLM\..\RunServices: [NTMA32.EXE] C:\WINDOWS\SYSTEM\NTMA32.EXE /s
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca

I hope you will be able to sort through all that.
I really appreciate your help on this. :D

No problem at all. I had plenty to get on with :cheesy:.

-

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Download CWShredder 2.14 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

===============

Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Click "Start".

(Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.

9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. "Reboot"..


===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u NTVT.DLL
regsvr32 /u ADDRS.DLL
regsvr32 /u ADDIT32.DLL
regsvr32 /u WINZG.DLL

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\WINWZ.EXE
C:\WINDOWS\SYSTEM\APIFQ32.EXE
C:\WINDOWS\SDKXH.EXE
C:\WINDOWS\SDKIY.EXE
C:\WINDOWS\SYSTEM\IPRC.EXE
C:\WINDOWS\SYSTEM\NTMA32.EXE
C:\WINDOWS\NTQA32.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jcbdz.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jcbdz.dll/sp.html#93256

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {99078794-6831-1765-763B-9566D3697899} - C:\WINDOWS\NTVT.DLL
O2 - BHO: Class - {4D8797FF-B288-55C5-B63F-50A8708A241F} - C:\WINDOWS\SYSTEM\ADDRS.DLL
O2 - BHO: Class - {D3698457-5E93-2115-32A6-711A2255B851} - C:\WINDOWS\SYSTEM\ADDIT32.DLL
O2 - BHO: Class - {EC181F69-6F9B-E0B5-49A6-720AC3A3C6BF} - C:\WINDOWS\SYSTEM\WINZG.DLL

O4 - HKLM\..\Run: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE
O4 - HKLM\..\RunServices: [ADDJB32.EXE] C:\WINDOWS\ADDJB32.EXE
O4 - HKLM\..\RunServices: [MFCDD.EXE] C:\WINDOWS\MFCDD.EXE
O4 - HKLM\..\RunServices: [ADDCE32.EXE] C:\WINDOWS\ADDCE32.EXE
O4 - HKLM\..\RunServices: [JAVAXH.EXE] C:\WINDOWS\JAVAXH.EXE
O4 - HKLM\..\RunServices: [JAVAJM32.EXE] C:\WINDOWS\JAVAJM32.EXE
O4 - HKLM\..\RunServices: [WINWZ.EXE] C:\WINDOWS\WINWZ.EXE /s
O4 - HKLM\..\RunServices: [APIFQ32.EXE] C:\WINDOWS\SYSTEM\APIFQ32.EXE /s
O4 - HKLM\..\RunServices: [SDKXH.EXE] C:\WINDOWS\SDKXH.EXE /s
O4 - HKLM\..\RunServices: [SDKIY.EXE] C:\WINDOWS\SDKIY.EXE /s
O4 - HKLM\..\RunServices: [IPRC.EXE] C:\WINDOWS\SYSTEM\IPRC.EXE /s
O4 - HKLM\..\RunServices: [NTMA32.EXE] C:\WINDOWS\SYSTEM\NTMA32.EXE /s


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

files...

C:\WINDOWS\WINWZ.EXE
C:\WINDOWS\SYSTEM\APIFQ32.EXE
C:\WINDOWS\SDKXH.EXE
C:\WINDOWS\SDKIY.EXE
C:\WINDOWS\SYSTEM\IPRC.EXE
C:\WINDOWS\SYSTEM\NTMA32.EXE
C:\WINDOWS\NTQA32.EXE
C:\WINDOWS\jcbdz.dll
C:\WINDOWS\NTVT.DLL
C:\WINDOWS\SYSTEM\ADDRS.DLL
C:\WINDOWS\SYSTEM\ADDIT32.DLL
C:\WINDOWS\SYSTEM\WINZG.DLL
C:\WINDOWS\ADDJB32.EXE
C:\WINDOWS\MFCDD.EXE
C:\WINDOWS\ADDCE32.EXE
C:\WINDOWS\JAVAXH.EXE
C:\WINDOWS\JAVAJM32.EXE

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.

Thanks for all your help so far.
I think we are fighting a losing battle :)

I was unable to do an online scan through Trend Micro. I think probably because I am using Opera. But I did download PC-cillin from them and did a full scan. It was clean of any viruses but had 2 spyware:

ADW_HISCLEAN.A (adware.winpup (symantec))
ADW_SEARCHAID.A (trojandownloader)

I removed both.

Downloaded CWShredder v2.14 and ran the fix.
- restoring internet explorer pages ... 3 restored
- restoring hidden IE options tab ... done
- removing hosts file redirections ... none infected
- done
- cws not found

Downloaded About:Buster
- attempted to run it but received a run-time error 339
Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid

I went to the Command Prompt.
I'm using Windows 98se so I have to type in 'command' to get that. It's in DOS too.
I checked for the files but just received errors. I hope I did it correctly.

Ran HJT and killed sellected items and fixed sellected files.

Deleted files from C:\Windows and C:\Windows\system in safe mode.

Ran HJT again and it produced the following log. As you can see, some of the files are still present.


Logfile of HijackThis v1.99.1
Scan saved at 2:36:41 AM, on 5/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\WINJO.EXE
C:\WINDOWS\SYSTEM\D3RE32.EXE
C:\WINDOWS\SYSTEM\IEBZ.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\ADDAQ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMON32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\msdnu.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90BB5985-3171-89A4-7540-8EDF7335AF47} - C:\WINDOWS\JAVACO.DLL
O2 - BHO: Class - {6E0B6255-FB2C-DFA1-E742-F2910FA50150} - C:\WINDOWS\CRME.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WINJO.EXE] C:\WINDOWS\WINJO.EXE /s
O4 - HKLM\..\RunServices: [D3RE32.EXE] C:\WINDOWS\SYSTEM\D3RE32.EXE /s
O4 - HKLM\..\RunServices: [IEBZ.EXE] C:\WINDOWS\SYSTEM\IEBZ.EXE /s
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [ADDAQ.EXE] C:\WINDOWS\ADDAQ.EXE /s
O4 - HKLM\..\RunServices: [APIFQ32.EXE] C:\WINDOWS\SYSTEM\APIFQ32.EXE /s
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca

Download the MSCOMCTL.OCX file here.

Boot into safe mode and run about:buster twice. Run hijackthis and delete the files associated with this infection. You will recognise them by their random letter names.

The scan here does not require an active X install, but uses java instead.
http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php

Reboot normally and post another log.

Downloaded the missing file and ran AboutBuster.


Scanned at: 11:04:03 AM on: 5/20/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

Just want to double check on the files I have highlighted.
Are these the ones I need to tick and fix' in HJT ?
Any other files you can see which I should also include ?

Logfile of HijackThis v1.99.1
Scan saved at 11:05:31 AM, on 5/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\odeor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\odeor.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\odeor.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90BB5985-3171-89A4-7540-8EDF7335AF47} - C:\WINDOWS\JAVACO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WINPI32.EXE] C:\WINDOWS\SYSTEM\WINPI32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WINJO.EXE] C:\WINDOWS\WINJO.EXE /s
O4 - HKLM\..\RunServices: [D3RE32.EXE] C:\WINDOWS\SYSTEM\D3RE32.EXE /s
O4 - HKLM\..\RunServices: [IEBZ.EXE] C:\WINDOWS\SYSTEM\IEBZ.EXE /s
O4 - HKLM\..\RunServices: [ADDAQ.EXE] C:\WINDOWS\ADDAQ.EXE /s
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca

Yes. These also;

O2 - BHO: Class - {90BB5985-3171-89A4-7540-8EDF7335AF47} - C:\WINDOWS\JAVACO.DLL

O4 - HKLM\..\RunServices: [WINJO.EXE] C:\WINDOWS\WINJO.EXE /s
O4 - HKLM\..\RunServices: [D3RE32.EXE] C:\WINDOWS\SYSTEM\D3RE32.EXE /s
O4 - HKLM\..\RunServices: [IEBZ.EXE] C:\WINDOWS\SYSTEM\IEBZ.EXE /s
O4 - HKLM\..\RunServices: [ADDAQ.EXE] C:\WINDOWS\ADDAQ.EXE /s

If you have rebooted, the names may be different.

Here is the latest log file after fixing the previous listings.
I have highlighted the two files I think are the last to be fixed ... Am I right ?
Everything else look ok ?

Logfile of HijackThis v1.99.1
Scan saved at 8:02:02 PM, on 5/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Class - {BE0D8EA0-8960-8DE8-30E4-E8710ED84A81} - C:\WINDOWS\WINVV32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WINPI32.EXE] C:\WINDOWS\SYSTEM\WINPI32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [APILY32.EXE] C:\WINDOWS\SYSTEM\APILY32.EXE /s
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca

Was the hijackthis log done in safe mode? If so, I will need one in normal mode.


Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINDOWS\WINVV32.DLL
C:\WINDOWS\SYSTEM\WINPI32.EXE
C:\WINDOWS\SYSTEM\APILY32.EXE

-

Reboot into safe mode following the instructions here.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

O2 - BHO: Class - {BE0D8EA0-8960-8DE8-30E4-E8710ED84A81} - C:\WINDOWS\WINVV32.DLL

O4 - HKLM\..\Run: [WINPI32.EXE] C:\WINDOWS\SYSTEM\WINPI32.EXE
O4 - HKLM\..\RunServices: [APILY32.EXE] C:\WINDOWS\SYSTEM\APILY32.EXE /s

-

Open the text file you saved previously and right click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard..
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there) . Then checkmark the "Delete on Reboot" box..and click the red X. You will get a message saying "File will be deleted on next reboot" , Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

I ran HJT in safe mode and fixed the files as well as some others which had appeared. I think I am getting the hang of this now, lol. I ran KillBox with the 3 designated files and did a Reboot. Both the safe and normal mode HJT logs are below. The listings appear to be the same with the exception of the reference to Mmmtask.tsk on the normal mode log. I am not sure what this one is. What do you think?

The programs/applications (Task Manager) running now have been reduced to only 4. Before there must have been 12 running in the background and slowing my system right down. Hopefully this will be the end of it.


SAFE MODE:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:54 PM, on 5/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca


NORMAL MODE:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:45 PM, on 5/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMON32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca

mmtask is a system file and is safe :).

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

-

If you have any more problems, post back.

-

Happy surfing,

crunchie.

HURRAY!!!
Everything appears to be working fine now. :D

Thank you so much crunchie for taking the time to help me out.
You really know your stuff.
I just hope you don't waste all your talents working for the likes of Microsoft.
You are too good for them.

Couldn't agree more on using a different browser than IE. I have been using OPERA for a little while now without any problems ... apart from what we just worked through courtesy of the holes in Internet Explorer. The last problem I had was a flawed security update from Microsoft that caused my CPU to spike continuously at 100%. MACs look so tempting..

Thanks again for all your help.
I really do appreciate it.

Have a great weekend. :)

You are welcome :).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.