Ok... I personally tried to do everything that you said to do an here are the results.
The files
C:\Windows\Control.exe is gone
C:\Windows\System\Shell.dll shows in system and in sysbckup
When started in safe mode
Could run Hijack and Buster - the following is the results from those
Hijack is first
Logfile of HijackThis v1.99.1
Scan saved at 2:46:35 PM, on 3/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\IPQM32.EXE
C:\WINDOWS\IEUV.EXE
C:\WINDOWS\SYSTEM\CRFA32.EXE
C:\WINDOWS\SYSTEM\NTYM32.EXE
C:\WINDOWS\SYSTEM\SDKMB.EXE
C:\WINDOWS\IENX.EXE
C:\WINDOWS\IEIU32.EXE
C:\WINDOWS\CRZH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\IEBU.EXE
C:\WINDOWS\WINLC32.EXE
C:\WINDOWS\SYSTEM\SYSIL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\ATLHE.EXE
C:\WINDOWS\NETPQ.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\ATLVO.EXE
C:\PROGRAM FILES\DEFENDER\DEFENDER PRO FIREWALL\KAVPF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\IENX.EXE
C:\WINDOWS\SYSTEM\MSAJ32.EXE
C:\WINDOWS\SYSTEM\SYSIL.EXE
C:\WINDOWS\IPQM32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.yahoo.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E4F78A3B-E4C9-A50B-F62B-9CD76792AA50} - C:\WINDOWS\IENY.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [ATLVO.EXE] C:\WINDOWS\SYSTEM\ATLVO.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [IPQM32.EXE] C:\WINDOWS\IPQM32.EXE /s
O4 - HKLM\..\RunServices: [IEUV.EXE] C:\WINDOWS\IEUV.EXE /s
O4 - HKLM\..\RunServices: [CRFA32.EXE] C:\WINDOWS\SYSTEM\CRFA32.EXE /s
O4 - HKLM\..\RunServices: [NTYM32.EXE] C:\WINDOWS\SYSTEM\NTYM32.EXE /s
O4 - HKLM\..\RunServices: [SDKMB.EXE] C:\WINDOWS\SYSTEM\SDKMB.EXE /s
O4 - HKLM\..\RunServices: [IENX.EXE] C:\WINDOWS\IENX.EXE /s
O4 - HKLM\..\RunServices: [IEIU32.EXE] C:\WINDOWS\IEIU32.EXE /s
O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\CRZH.EXE /s
O4 - HKLM\..\RunServices: [IEBU.EXE] C:\WINDOWS\IEBU.EXE /s
O4 - HKLM\..\RunServices: [WINLC32.EXE] C:\WINDOWS\WINLC32.EXE /s
O4 - HKLM\..\RunServices: [SYSIL.EXE] C:\WINDOWS\SYSTEM\SYSIL.EXE /s
O4 - HKLM\..\RunServices: [ATLHE.EXE] C:\WINDOWS\SYSTEM\ATLHE.EXE /s
O4 - HKLM\..\RunServices: [NETPQ.EXE] C:\WINDOWS\NETPQ.EXE /s
O4 - HKLM\..\RunServices: [MSAJ32.EXE] C:\WINDOWS\SYSTEM\MSAJ32.EXE /s
O4 - Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -
http://chat.msn.com/bin/msnchat45.cabO16 - DPF: ChatSpace Full Java Client 4.0.0.320 -
http://63.102.226.240:8000/Java/cfs40320.cabO16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cabThen Buster
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
Scan Aborted
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
When tried to run cwshredder is says that
OLEACC.dll File cannot start check the file to determine the problem
I have no idea what that means since I downloaded it from where you said to.
Also checked to see how many files have been modified recently
3-21-05 to 3-22-05 = 138
3-22-05 to 3-23-05 = 164
3-23-05 to 3-24-05 = 7163
3-24-05 to 3-25-05 = Exceeds 10,000
3-25-05 to 3-26-05 = 5765
3-26-05 to 3-27-05 = 977
3-27-05 to 3-28-05 = 1275
Also ran Panda...after an hour and a half it had only checked 345 files and it stated that 26 were infected.
Tried to install Defender Pro and got this error messege
DPAS caused an invalid page fault in
module DPAS.EXE at 0177:0041389d.
Registers:
EAX=00000000 CS=0177 EIP=0041389d EFLGS=00010297
EBX=7801065d SS=017f ESP=0283de38 EBP=004320ac
ECX=00000046 DS=017f ESI=00000000 FS=59b7
EDX=00001beb ES=017f EDI=0283e45b GS=0000
Bytes at CS:EIP:
8a 84 14 dd 05 00 00 42 3a c3 75 f4 42 3b d1 7c
Stack dump:
0283eab7 02a7be90 00bad0c0 000000e6 0283de34 656e6567 00006972 0000000c 00000001 7270253c 6172676f 0000206d 005c3a43 00000000 00000000 00429fa0
Would it better to just crash the system and start over?
There is thousands upon thousands of dll's now with new exe files showing up every day.
I am ready to blow this thing up!!!
Any other ideas?
Show Posts