07-08-2005, 11:43 PM   #5
MelanieMcKenzie
OS: Win98SE


Long Day

I've spent almost the whole day trying to get rid of this pest of a virus that keeps coming back no matter what. I followed your instructions, downloaded the Spybot Search & Destroy program, downloaded the VX2 add-on for Ad-Aware SE, downloaded Silent Runners and the mwav.exe file.

Here is what Silent Runners pulled up in its 'Startup Programs' log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" [null data]
"MMTray" = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"LXSUPMON" = "C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN" ["Lexmark"]
"LexStart" = "Lexstart.exe" ["Lexmark International, Inc."]
"LexmarkPrinTray" = "PrinTray.exe" ["Lexmark"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"PTSNOOP" = "ptsnoop.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR" (3D Text.scr) [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]

"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 59 seconds)

When I ran the eScan program this is what it found:

Object "DealHelper Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\mfc42.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\msvcrt.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\olepro32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ScanFile.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ScanFile.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4CB63E61-C611-11D0-83AA-000092900184}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4CB63E62-C611-11D0-83AA-000092900184}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{34C9990F-CBD7-11D2-AE0E-00C04FAEA83F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00024512-0000-0000-c000-000000000046}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000c0114-0000-0000-c000-000000000046}" refers to invalid object "E:\OFFICE\MSO97.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CCE598AC-6F44-40F6-9CAF-0B44E92D91B1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E5828A3F-CC30-4BBD-AE9B-F910540C9697}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2698707D-8E34-4419-8857-7D39E6C91ECF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6C78F520-093A-4BE5-835E-B10A154E79B7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3F80DF75-DC58-4C97-BEC1-7B537D3C7638}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{355942B4-F4BD-4E52-BB99-BA47D54A5290}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B6FF182-BB12-4593-9CCE-01E77CC9CBEB}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C52AA105-192E-4323-80FE-BE530F534BB3}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D38D306E-F673-4FF3-9A3A-A51C381964D1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AE286D4E-ECD6-493B-AEDD-9EFC9BBB2F27}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CA8DDC8E-7CEE-4679-80A8-8C9E97972C13}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{78CB6B0C-3CA6-4E1B-8E32-1D39B613BBFF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45D2B671-7F6E-4943-BEDD-81B115BCB856}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F217046-17D9-4BD4-9216-B66DD7865B61}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{809F805E-9967-4948-B265-0BD8190E260C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C4B962A6-4789-46F3-AC41-087049097D65}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1626520F-8CFC-4EEE-8A0C-B1D4B5F6B135}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{006762EE-7806-47D8-BF63-174BB599E265}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4043D27A-99EB-4FC1-87D4-44AA02AB7B09}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06DFF208-D911-44EA-8631-4C29329467AB}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4A963577-C27B-4164-A9BF-E1D1738E61B8}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5B2A5B4E-6665-419D-8808-680CD852B3B9}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3AEE3932-59BB-11D3-A8CC-005004A0F323}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5F6B2D5A-CFEB-11D3-A74E-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0410820E-D7CB-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{66DD4567-DA5C-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5E941E8-DA94-11D3-8B69-00105AA31C20}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CD961C04-E3BC-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0CABE45-0484-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0CABE48-0484-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F09500A4-0A08-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8BBDA254-CE76-11D3-A2CE-00108335731F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{80373D03-D993-11D3-A2CE-00108335731F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2418A360-9707-11D9-9144-0004BABBBC80}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{43F02779-6D88-4958-8AD3-83C12D86ADC7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A61B58E-2B0A-4B67-A882-FFC6FEAF12EE}" refers to invalid object "C:\KASPERSKY\KAVVLG.DLL". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\TSHOOT.TSHOOTCtrl.1" refers to invalid object "{4B106874-DD36-11D0-8B44-00A024DD9EFF}". Action Taken: No Action Taken.
Entry "HKCR\AOLCoach.TrainerOCXCtrl" refers to invalid object "{E04EAE82-14Ad-41CB-BF5A-45556ABB8347}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEBrowserHelperObj.1" refers to invalid object "{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEBrowserHelperObj" refers to invalid object "{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIETools.1" refers to invalid object "{0A630752-8FAE-4b5d-B42C-AB1DE5E589E2}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIETools" refers to invalid object "{0A630752-8FAE-4b5d-B42C-AB1DE5E589E2}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEUrlManager.1" refers to invalid object "{FFEBB637-61A0-4597-884F-ED234C6C2AB8}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEUrlManager" refers to invalid object "{FFEBB637-61A0-4597-884F-ED234C6C2AB8}". Action Taken: No Action Taken.
Entry "HKCR\PN.PnDeskband.1" refers to invalid object "{D7F30B62-8269-41AF-9539-B2697FA7D77E}". Action Taken: No Action Taken.
Entry "HKCR\PN.PnDeskband" refers to invalid object "{D7F30B62-8269-41AF-9539-B2697FA7D77E}". Action Taken: No Action Taken.
Entry "HKCR\WebP2PInstaller.Installer.1" refers to invalid object "{1D6711C8-7154-40BB-8380-3DEA45B69CBF}". Action Taken: No Action Taken.
Entry "HKCR\WebP2PInstaller.Installer" refers to invalid object "{1D6711C8-7154-40BB-8380-3DEA45B69CBF}". Action Taken: No Action Taken.
Entry "HKCR\JCDE_Stack" refers to invalid object "{CC7A6223-3759-4075-8CEA-971F5CFC0ED2}". Action Taken: No Action Taken.
Entry "HKCR\JCDE_Stack.1" refers to invalid object "{CC7A6223-3759-4075-8CEA-971F5CFC0ED2}". Action Taken: No Action Taken.
Entry "HKCR\SWin32.SDWin32.1" refers to invalid object "{5FA6752A-C4A0-4222-88C2-928AE5AB4966}". Action Taken: No Action Taken.
Entry "HKCR\SWin32.SDWin32" refers to invalid object "{5FA6752A-C4A0-4222-88C2-928AE5AB4966}". Action Taken: No Action Taken.
Entry "HKCR\ToolBand.posHelp.1" refers to invalid object "{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}". Action Taken: No Action Taken.
Entry "HKCR\ToolBand.posHelp" refers to invalid object "{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}". Action Taken: No Action Taken.
File C:\WINDOWS\Buddy.exe tagged as "not-a-virus:AdWare.BetterInternet.d". Action Taken: No Action Taken.
File C:\WINDOWS\newdevin.exe tagged as "not-a-virus:AdWare.BookedSpace.c". Action Taken: No Action Taken.
File C:\WINDOWS\ru.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\in10b6s.dll infected by "Trojan-Dropper.Win32.Mudrop.k" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dosxpd.exe tagged as "not-a-virus:AdWare.Msnagent.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SWin32.dll tagged as "not-a-virus:AdWare.Adstart.j". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sprmove.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\istinstall_adlogix.exe infected by "Trojan-Downloader.Win32.IstBar.er" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fixmapirs.exe tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\cekqmu.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\diantzpt.exe infected by "Trojan.Win32.DNSChanger.o" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dwcrnt.exe infected by "HackTool.Win32.Hidd.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Documents\My Music\From Internet\plvx2cleaner.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Documents\My Music\From Internet\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\DFX\MUSICMATCH\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\Installs\ymsgrie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\Common\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\updates\ypsr_prog_01.14.00_us_setup3_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Plugins\vx2cleaner\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

This is my new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:35 AM, on 7/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SKYTOWN.EXE
C:\WINDOWS\SYSTEM\SKYTOWN.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

I've deleted everything in the virus vaults that was quarantined, and set my deleted files not to go to the Recycle Bin. I still don't know what's going on (obviously, eh?) because I had performed the Ad-Aware scan and the Spybot scan and removed and purged all the viruses they pulled up, but mwav.exe still pulled up all of what it did. This is very frustrating. Again, I thank you for all your help.