*whimper* new gen look info bug[CLOSED]


#1
fallchaser (New Member)

Hi. I read another thread where someone was able to resolve this but I'm not having their luck. I found lots of hidden icon files and deleted them in System 32 folder and I tried a couple of other things before I ran all of your steps and still had the same problem. So I must have missed something. I've done the AdAware (etc) steps outlined on the site before posting here and yet--I still get redirected windows to some very yucky sites. The home page on my browser is reset and the whole thing is frustrating. Hoping someone here can help me out. Thank goodness for the kind hearted people here who help the not-so-bright types like myself. :tazz:

Ok...here's the log file....

Logfile of HijackThis v1.99.1
Scan saved at 10:30:44 PM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\EFAX MESSENGER PLUS 3.3\J2GDLLCMD.EXE
C:\PROGRAM FILES\EFAX MESSENGER PLUS 3.3\J2GTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0230/
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [netcfgi] C:\WINDOWS\SYSTEM\netcfgi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} (Integral RV Video Control) - http://www.canyon-ga...p.com/rvctl.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audio...dRecControl.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA2} (WDCapture Class) - https://wip3.webdial...nts/WDATL63.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multi...MINIBrowser.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb03.pog...aploader_v6.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.realizeit...m::/dropper.exe

#2
Michelle (Malware Removal Goddess, Retired Staff)

Let's try this - we'll see if your luck gets any better :tazz::

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it for use while in Safe Mode.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

* Please reboot into Safe Mode by restarting your computer and tapping F8 continuously as your computer is booting up until a menu appears. Use your up arrow key to highlight "Safe Mode", then hit Enter.

* Once in Safe Mode, please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\WINDOWS\System\param32.dll
C:\WINDOWS\system\guninst.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, download, install, and run CleanUp!

Post a new HiJackThis log.

Edited by bananafanafo, 27 April 2005 - 11:48 PM.

#3
fallchaser (New Member, Topic Starter)

Oh my. Things are worse than I thought. After I posted the thread last night, I shut down the computer. I'm writing to you now from our laptop which is not infected (yet...? ;) ). So I have this thread with instructions open on the laptop and I'm sitting next to the dinosaur with fleas trying to download the program you've suggested and I have a whole new set of issues. Tons of programs are trying to access the internet which ZoneAlarm keeps asking me about... and I can't go anywhere online. Then when I tried to shut down and restart, the machine wouldn't let me because there are so many background programs running...that they won't stop no matter how many times I hit "end program". So I finally just pushed the big button. Forced the thing to shut down.

I am trying to restart it now. Wondering if I restart it in safe mode, if I can go online and download the program that way?

Also noticed the home page has been set to a whole other group of jerks with info in the title... can't recall the name because so much crazy stuff was happening at the same time...but it was different than the first one I originally wrote about.

I can tell this will be a multiple cup of coffee morning and I may start smoking again. :tazz:

#4
fallchaser (New Member, Topic Starter)

Answered my own question about downloading in safe mode...didn't work. After giving tons of horrible programs access to the internet upon my latest restart, I'm able to get online again. I am downloading the version of KillBox you suggested now. Just wanted to tell you the new name of my home page is often webforuser.com now although sometimes it takes turns with the original new gen offender.

#5
fallchaser (New Member, Topic Starter)

Sorry to keep replying but I'm in [bleep] apparently. When I accessed the link you gave me to download KillBox, the browser would not launch the download of the application. So I went through this site and found other ways to get to that same download and every time I clicked on those links, I got a fake Google page not found screen. The fake Google logo is really quite pathetic looking. Not sure who they think they are fooling with that. Still, the frustration it causes is real.

I am sort of at an impasse. I can't get the download on that machine and my laptop isn't networked to the infected PC so I'm not real sure how to proceed. I'd suggest sending the install file to me in email but I can't get any of my inboxes to show up once I log in from that box either.

I continually get these small "Microsoft Network information" windows now popping up all over with things like "weight loss?" "xanax?" "credit card debt?" and an ok or cancel button. Lovely. Oh and a message that lau.exe has performed an illegal operation and will be shut down. Great. ;)

I know I need to be patient but sometimes I just want to reformat C and just be done with it. I can't imagine what my husband clicked on to give me this joy...but of course his comment is "honey, just fix it for me."

Ok too much info for you. Off to smoke and think happy thoughts. Will check back here for ideas periodically but won't continually post. <not shutting down the infected computer again..but will lock internet access while I am away so more junk doesn't get embedded in there to further complicate things>

Oh and thanks for holding my hand (virtually speaking) :tazz:

#6
Michelle (Malware Removal Goddess, Retired Staff)

Sounds like you're having fun this morning!! :tazz:

Ok, reboot into safe mode, find the following files (in bold):

C:\WINDOWS\System\param32.dll
C:\WINDOWS\system\guninst.exe

Delete them!

Edited by bananafanafo, 28 April 2005 - 08:57 AM.

#7
fallchaser (New Member, Topic Starter)

:mad:
The param32 file...I can locate it but the machine won't let me delete it because it's "in use". I checked its properties, removed the check by archive, and tried to delete but was shot down because it's in use. I tried the CNTRL ALT DEL to see if I could "see" it and shut it down from being used and much to my nonexistent surprise, I could not see it.

The guninst executable is not found on my system. It was there before. But I think I deleted it with one of those programs earlier on in this process.

headache.

By the way, thank you so much for the speedy response. I appreciate it.

#8
Michelle (Malware Removal Goddess, Retired Staff)

When you're in safe mode, if you right-click on the file does it give you a "security" tab? If it does, click on the security tab, change the permissions to full control, right-click on the file to rename it, and try to delete it that way. If there isn't a security tab, just right-click on it and rename it and try to delete it.

#9
Michelle (Malware Removal Goddess, Retired Staff)

Also, did you try right-clicking on the link to Killbox and going to "Save target as" to download it instead of just clicking on it? Try that!

#10
fallchaser (New Member, Topic Starter)

can't rename..file is in use... can't see that it's in use but the PC assures me it is. ugh

old OS.... On XP it will show processes and I would be able to end process...but not WIN 98. hmmm

Got something called iau or lau.exe trying to act as a server.

No matter what I do...windows launch and try to access the web. So even if I block all web activity...those little programs are running and coming up with tons of page can't be displayed. On broadband connection so the fact that they continue to go even if unplugged....doesn't help me come up with a new approach to the problem.

tried save target as.... the box that usually comes up to allow you to save it somewhere barely flashes on the screen and disappears.

Whoever programmed this bug really is covering the bases.

Gotta pick my boy up from preschool. Is it time to reformat C? :tazz: hades sure is hot lol

#11
fallchaser (New Member, Topic Starter)

Since I have so many new infections I thought I'd run hijack this again and show you the current log. Some of it looks obvious to me that it needs to be deleted...or "fixed" in hijack this terminology. I'm about to start clicking them off because it is getting so out of hand. But I will wait an hour because you guys know a lot and I'd hate to make a bigger mess of things. So here- for your enjoyment is the latest log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:36:38 PM, on 4/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\MSERVICE.EXE
C:\WINDOWS\LSSAS.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\EFAX MESSENGER PLUS 3.3\J2GDLLCMD.EXE
C:\PROGRAM FILES\EFAX MESSENGER PLUS 3.3\J2GTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\STISVSQ.EXE
C:\WINDOWS\SVSHOST.EXE
C:\WINDOWS\MSQDEVL.EXE
C:\WINDOWS\LOADCLEAN.EXE
C:\PROGRAM FILES\WEBSITEVIEWER\128301.DLR
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\IAU.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0230/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [netcfgi] C:\WINDOWS\SYSTEM\netcfgi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} (Integral RV Video Control) - http://www.canyon-ga...p.com/rvctl.dll
O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://members.audio...dRecControl.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA2} (WDCapture Class) - https://wip3.webdial...nts/WDATL63.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multi...MINIBrowser.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb03.pog...aploader_v6.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc...m::/on-line.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.realizeit...m::/dropper.exe

And only more windows have opened up since I started this addition to the thread. I'm dying here... soon nothing will work on the machine any more. It was a colossal effort to get notepad to open and show the log file. Yikes. :tazz:
  • 0
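
One way to compare the two HijackThis logs posted above mechanically, added here as an illustration (it is not part of any post in this thread and not part of HijackThis): the sketch parses the log format shown and lists the processes and entries that appear only in the second scan. The function names are hypothetical and the sample input is a trimmed excerpt of the thread's logs; "new" here means changed between scans, not a verdict on any entry.

```python
import re

# Trimmed excerpts of the two HijackThis logs posted in this thread
# (27 and 28 April scans); only a few lines are kept for brevity.
SCAN_1 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0230/
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
SCAN_2 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\IAU.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0230/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then body
AUTORUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[[^\]]*\] (.+)$")

def parse(log):
    """Split a log into (running processes, [(section code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False  # the process list ends at the first entry
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line.upper())  # Win9x paths are case-insensitive
    return processes, entries

def diff_scans(old_log, new_log):
    """Return processes and entries present in new_log but not in old_log."""
    old_p, old_e = parse(old_log)
    new_p, new_e = parse(new_log)
    seen_p, seen_e = set(old_p), {(c, b.upper()) for c, b in old_e}
    procs = [p for p in dict.fromkeys(new_p) if p not in seen_p]
    entries = [(c, b) for c, b in new_e if (c, b.upper()) not in seen_e]
    return procs, entries

def autoruns(entries):
    """Map each O4 registry autorun command to the Run keys that launch it."""
    found = {}
    for code, body in entries:
        m = AUTORUN_RE.match(body)
        if code == "O4" and m:
            found.setdefault(m.group(3).lower(), set()).add(m.group(1) + "\\" + m.group(2))
    return {cmd: sorted(keys) for cmd, keys in found.items()}

if __name__ == "__main__":
    procs, entries = diff_scans(SCAN_1, SCAN_2)
    print("New processes:", *procs, sep="\n  ")
    print("New entries:", *(f"{c} - {b}" for c, b in entries), sep="\n  ")
    for cmd, keys in autoruns(entries).items():
        print(f"autorun {cmd!r} registered under: {', '.join(keys)}")
```

Run against the full logs, the same diff also surfaces the other Run values that appear in both HKLM and HKCU in the second scan.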

#12
Michelle (Malware Removal Goddess, Retired Staff)

Open HiJackThis. Click on "none of the above, just start the program", then click on "config" (bottom right), then click on "Misc Tools".

Click on the button that says "Delete a file on reboot". Browse to this file:

C:\WINDOWS\System\param32.dll

Click on that file (param32.dll), then click "open".

Answer "yes" to the 'are you sure' prompt, then click "yes" to restart your computer (if it doesn't automatically restart please restart it).

PLEASE don't "fix" anything in HiJackThis as that will not rid it from your system, it'll just make it harder to fix...

#13
Michelle (Malware Removal Goddess, Retired Staff)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.