Author Topic: Cannot delete program in my start up file  (Read 2932 times)

Offline catshere

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Cannot delete program in my start up file
« on: January 23, 2005, 05:03:54 PM »
I have tried to delete these but had no success.  My spyware program finds them but every time I delete them they come back.  I downloaded the HJT program you recommended in another forum and here is the log.
Please tell me what I can do...


Logfile of HijackThis v1.99.0
Scan saved at 3:06:55 PM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeComm...s/WalletCab.CAB

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Cannot delete program in my start up file
« Reply #1 on: January 23, 2005, 05:25:08 PM »
Try this, catshere

Access your Add/Remove Programs via Control Panel
Uninstall if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer


# Do not reboot until they have all been removed even if prompted.

# When you are uninstalling the last program you can then reboot when prompted

When you're back in Windows

You said
Quote
My spyware program finds them but every time I delete them they come back
Can you let me know what spyware program you're using?

I do trust these 2 spyware removal programs
Both have a free version

If you're not using them, could you please
Download and install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version
Open Ad-Aware, ensure to click the "Check for updates now" link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right-click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Download and Install Spybot S&D 1.3
When installing, please don't enable TEA TIMER; it's a great add-on to Spybot but it can get in our way when doing manual fixes. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, check and download all updates
Click the "Search and Destroy" button
In the right window, click
Check for Problems. Let it complete its scanning---Ensure to check and FIX everything in RED---they should be checked by default

RESTART your computer to finish the Cleaning process

When you're back in Windows, I just want to ensure you don't have a VX2 infection
Download and save to desktop
VX2 Finder
Open it and click the
"Click to Find VX2.BetterInternet" button
Let it finish scanning>>Won't take long
When it's done make a log and post it back here

Could you also post back with a fresh Hijackthis log, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline catshere
Cannot delete program in my start up file
« Reply #2 on: January 24, 2005, 10:46:41 AM »
Thank you so much for your assistance.  Here is the log file from the HJT scan. I did notice files referring to the VX2 that you referred to in the scan of my PC. I currently use Spy Sweeper; it found the files, but as soon as it deleted them they would come back.
I downloaded the VX2 finder and I am about to download the Spybot program.  One question: what is this VX2 that you referred to, and what are the risks to my system and privacy with my not knowing it is on my PC?


ArchiveData(adwarequarantine.bckp)
Referencefile : SE1R25 11.01.2005
======================================================

IMISERVER IEPLUGIN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\SYSTB.DLL
obj[2]=Regkey : wbho.band.1
obj[3]=RegValue : wbho.band.1 ""
obj[4]=Regkey : wbho.band
obj[5]=RegValue : wbho.band ""
obj[6]=Regkey : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}
obj[7]=Regkey : interface\{3e589169-86ad-44fe-b426-f0bf105d5582}
obj[8]=RegValue : interface\{3e589169-86ad-44fe-b426-f0bf105d5582} ""
obj[9]=Regkey : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[10]=RegValue : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e} ""
obj[11]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[54]=Regkey : software\intexp
obj[55]=RegValue : software\microsoft\internet explorer\toolbar "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}"
obj[56]=File : C:\WINDOWS\wupdt.exe
obj[57]=File : C:\WINDOWS\systb.dll
obj[58]=File : C:\WINDOWS\redir.txt
obj[59]=File : C:\WINDOWS\lu.dat

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Process : C:\WINDOWS\LOCALNRD.DLL
obj[12]=Regkey : typelib\{3fa866ac-40d7-4fe6-babf-78ee854a4325}
obj[13]=Regkey : localnrddll.localnrddllobj.1
obj[14]=RegValue : localnrddll.localnrddllobj.1 ""
obj[15]=Regkey : localnrddll.localnrddllobj
obj[16]=RegValue : localnrddll.localnrddllobj ""
obj[17]=Regkey : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d}
obj[18]=RegValue : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d} ""
obj[19]=Regkey : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[20]=RegValue : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad} ""
obj[21]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[22]=RegValue : .DEFAULT\software\localnrd "LNI0d1OfSInst"
obj[40]=File : c:\WINDOWS\SYSTEM32\randreco.exe
obj[42]=File : c:\WINDOWS\TEMP\banner.exe
obj[60]=Regkey : software\localnrd
obj[61]=RegValue : software\localnrd "LNI0d1OfSInst"
obj[62]=RegValue : software\localnrd "LNC0n1trMsgSDisp"
obj[63]=RegValue : software\localnrd "LNI0d1OfSDist"
obj[64]=RegValue : software\localnrd "LNT0o1pListSPos"
obj[65]=RegValue : software\localnrd "LNs0t1icky1S"
obj[66]=RegValue : software\localnrd "LNs0t1icky2S"
obj[67]=RegValue : software\localnrd "LNs0t1icky3S"
obj[68]=RegValue : software\localnrd "LNs0t1icky4S"
obj[69]=RegValue : software\localnrd "LNC1o0d1eOfSFinalAd"
obj[70]=RegValue : software\localnrd "LNT0i1m2eOfSFinalAd"
obj[71]=RegValue : software\localnrd "LND0s1tSSEnd"
obj[72]=RegValue : software\localnrd "LN0N1a2tionSCode"
obj[73]=RegValue : software\localnrd "LNP0D1om"
obj[74]=RegValue : software\localnrd "LNI0n1ProgSCab"
obj[75]=RegValue : software\localnrd "LNI0n1ProgSEx"
obj[76]=RegValue : software\localnrd "LNI0n1ProgSLstest"
obj[77]=RegValue : software\localnrd "LNL0a1stSSChckin"
obj[78]=RegValue : software\localnrd "LNB0D1om"
obj[79]=RegValue : software\localnrd "LNC0u1rrentSMode"
obj[80]=RegValue : software\localnrd "LNC0n1tFyl"
obj[81]=RegValue : software\localnrd "LNM0o1deSSync"
obj[82]=RegValue : software\localnrd "LNT0h1rshSBath"
obj[83]=RegValue : software\localnrd "LNT0h1rshSysSInf"
obj[84]=RegValue : software\localnrd "LNT0h1rshSCheckSIn"
obj[85]=RegValue : software\localnrd "LNT0h1rshSMots"
obj[86]=RegValue : software\localnrd "LNL0n1Title"
obj[87]=RegValue : software\localnrd "LNI0g1noreS"
obj[88]=RegValue : software\localnrd "LND0s1tSCHost"
obj[89]=RegValue : software\localnrd "LND0s1tSCPath"
obj[90]=RegValue : software\localnrd "LNS0t1atusOfSInst"
obj[91]=RegValue : software\localnrd "LNL0a1stMotsSDay"
obj[92]=Regkey : software\vendor\xml
obj[93]=RegValue : software\vendor\xml ""
obj[94]=Regkey : software\vendor
obj[95]=Regkey : .default\software\localnrd
obj[96]=RegValue : .default\software\localnrd "LNC0n1trMsgSDisp"
obj[97]=RegValue : .default\software\localnrd "LNI0d1OfSDist"
obj[98]=RegValue : .default\software\localnrd "LNT0o1pListSPos"
obj[99]=RegValue : .default\software\localnrd "LNs0t1icky1S"
obj[100]=RegValue : .default\software\localnrd "LNs0t1icky2S"
obj[101]=RegValue : .default\software\localnrd "LNs0t1icky3S"
obj[102]=RegValue : .default\software\localnrd "LNs0t1icky4S"
obj[103]=RegValue : .default\software\localnrd "LNC1o0d1eOfSFinalAd"
obj[104]=RegValue : .default\software\localnrd "LNT0i1m2eOfSFinalAd"
obj[105]=RegValue : .default\software\localnrd "LND0s1tSSEnd"
obj[106]=RegValue : .default\software\localnrd "LN0N1a2tionSCode"
obj[107]=RegValue : .default\software\localnrd "LNP0D1om"
obj[108]=RegValue : .default\software\localnrd "LNI0n1ProgSCab"
obj[109]=RegValue : .default\software\localnrd "LNI0n1ProgSEx"
obj[110]=RegValue : .default\software\localnrd "LNI0n1ProgSLstest"
obj[111]=RegValue : .default\software\localnrd "LNL0a1stSSChckin"
obj[112]=RegValue : .default\software\localnrd "LNB0D1om"
obj[113]=RegValue : .default\software\localnrd "LNC0u1rrentSMode"
obj[114]=RegValue : .default\software\localnrd "LNC0n1tFyl"
obj[115]=RegValue : .default\software\localnrd "LNM0o1deSSync"
obj[116]=RegValue : .default\software\localnrd "LNT0h1rshSBath"
obj[117]=RegValue : .default\software\localnrd "LNT0h1rshSysSInf"
obj[118]=RegValue : .default\software\localnrd "LNT0h1rshSCheckSIn"
obj[119]=RegValue : .default\software\localnrd "LNT0h1rshSMots"
obj[120]=RegValue : .default\software\localnrd "LNL0n1Title"
obj[121]=RegValue : .default\software\localnrd "LNI0g1noreS"
obj[122]=RegValue : .default\software\localnrd "LND0s1tSCHost"
obj[123]=RegValue : .default\software\localnrd "LND0s1tSCPath"
obj[124]=RegValue : .default\software\localnrd "LNS0t1atusOfSInst"
obj[125]=RegValue : .default\software\localnrd "LNL0a1stMotsSDay"
obj[126]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[127]=File : C:\WINDOWS\inf\LOCALNRD.INF
obj[128]=File : C:\WINDOWS\TEMP\dummy.htm

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[23]=RegData : Software\Microsoft\Internet Explorer\Main "Search Page"
obj[24]=RegData : Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[25]=RegData : Software\Microsoft\Internet Explorer\Search "SearchAssistant"
obj[26]=RegData : Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
obj[27]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Page"
obj[28]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[29]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\SearchURL ""

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[30]=IECache Entry : Cookie:[email protected]/
obj[31]=IECache Entry : Cookie:[email protected]/
obj[32]=IECache Entry : Cookie:[email protected]/
obj[33]=IECache Entry : Cookie:[email protected]/
obj[34]=IECache Entry : C:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[35]=IECache Entry : C:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[36]=IECache Entry : C:\WINDOWS\Cookies\[email protected][2].txt
obj[37]=IECache Entry : C:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[38]=IECache Entry : C:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[39]=IECache Entry : C:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[43]=IECache Entry : c:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[44]=IECache Entry : c:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[45]=IECache Entry : c:\WINDOWS\Cookies\[email protected][2].txt
obj[46]=IECache Entry : c:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[47]=IECache Entry : c:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[48]=IECache Entry : c:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[49]=IECache Entry : c:\WINDOWS\Cookies\cathy@advertising[1].txt
obj[50]=IECache Entry : c:\WINDOWS\Cookies\cathy@2o7[2].txt
obj[51]=IECache Entry : c:\WINDOWS\Cookies\[email protected][1].txt
obj[52]=IECache Entry : c:\WINDOWS\Cookies\cathy@doubleclick[1].txt

ELITUM.ELITEBARBHO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[41]=File : c:\WINDOWS\TEMP\THI3270.TMP\preInsln.exe
obj[53]=File : c:\WINDOWS\PREINSLN.EXE

Offline guestolo
Cannot delete program in my start up file
« Reply #3 on: January 24, 2005, 11:38:42 AM »
VX2 is an infection; we have to make sure you have no other files that need to be removed. It's all related to a hijacker

Can you please post back with a fresh hijackthis log
also the log from VX2 Finder after you have run Spybot

The log you supplied is from Ad-aware
« Last Edit: January 24, 2005, 11:52:37 AM by guestolo »



Offline catshere
Cannot delete program in my start up file
« Reply #4 on: January 24, 2005, 11:56:56 AM »
Sorry, so many new programs to use. I ran the VX2 program; it found nothing. Here is the HJT log

Logfile of HijackThis v1.99.0
Scan saved at 9:56:05 AM, on 1/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeComm...s/WalletCab.CAB

Offline guestolo
Cannot delete program in my start up file
« Reply #5 on: January 24, 2005, 09:54:17 PM »
Quote
sorry so many new programs to use
:D
No worries, most of them you can hang onto, don't get rid of them
If you're sure that the VX2 finder found nothing, not even a registry string, you can manually delete it

One more small program if you don't mind, again, yours to hang onto
Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Install it for now but >>Don't run a scan yet
A great little utility to assist in cleaning those temp folders, hold onto this

Set Windows To Show Hidden Files and Folders
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Please print the rest of this out or save to a notepad file on the desktop

I need you to
Restart your computer into SAFE MODE

Find and delete these files or folders if they exist

C:\WINDOWS\ZSERV.DLL <--file
c:\windows\system\knbvrk.exe <--file

Do another scan with Hijackthis and put a check next to these entries:

Not all may be shown in safe mode but fix what I ask if you see them
I'm also including red.clientapps. It appears safe but is related to Red Sheriff spyware

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL

O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe


If you didn't intentionally install the next ones, fix them too
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe


After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
Click YES and exit HijackThis

Open Windows CleanUp! and click the Cleanup button
Let it finish scanning for files, when it's done restart back to Normal mode

I see that you're not running any Anti-Virus software
This is not too safe
If I'm mistaken and you have it disabled, or you need a free solution,
I very highly recommend that you immediately download and install the free version of AVG 7 Free
We must get your system more secure or you will be open to more infections
AVG is yours for free and will update for the life of the product
http://free.grisoft.com/freeweb.php/doc/2/

From that link scroll down to
avg70free_300a419.exe
Save the installer to desktop

Install it and allow it to Update and run a Full System scan
Let it fix whatever it finds
Restart your computer afterwards

Post back a fresh hijackthis log afterwards
« Last Edit: January 24, 2005, 10:19:51 PM by guestolo »



Guest_catshere

  • Guest
Cannot delete program in my start up file
« Reply #6 on: January 25, 2005, 09:14:13 AM »
:D Thank you Guestolo!

Safe Mode worked as far as being able to delete those persistent files. But I have a few questions.

I have Norton 2002 Corporate Edition that I run at least once a week; as many times as I have used it, it never finds anything.  So I go to the Trend "HouseCall" website and do the free scan about once a week as a backup measure.  About a week ago I found a worm virus and deleted it from my system.  Norton did not detect this worm, but the Trend free program did.  I only have 64 MB RAM so my system runs very slow when I have too many processes running.  That's why I do not normally keep the antivirus in my system tray.  I have not downloaded the AVG program you suggested yet, but I plan to when I get home from work tonight.  My question is this:
Is this AVG better than the Norton that I have? If so I would gladly remove Norton from my system, as it isn't really doing me any good if it cannot detect those ugly worms and trojans.   It is a pain to have to go to the Trend site...  It takes forever to go through the process on my PC.

I did all that you suggested otherwise in your post and here is the HJT log file I ran afterwards.  I want to know if there is anything else here that is, or will, cause me problems.  I play Party Poker a lot, and do not want to remove it from my system, so if I remove the files you suggested concerning it, will my program still run OK? Are these files required to run the program on my PC?

This file "O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe" in the scan log seems questionable to me and I want to know whether it is OK to have on my PC or not.  It has a tendency to pop back into my startup folder whenever it wants to...
Also there are files on my PC called "farmmext". I have heard references to this file in other posts; is this something bad that I should delete, as I don't remember ever downloading anything to do with this filename?



Logfile of HijackThis v1.99.0
Scan saved at 6:34:21 AM, on 1/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscan.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeComm...s/WalletCab.CAB

Thanks again for all your help, you are a lifesaver!   :D

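The cleanup loop in this thread (Reply #1 and Reply #5 list entries to fix, then ask for a fresh HijackThis log; Reply #6 posts it) is really a before/after comparison: confirm every entry on the fix list is gone, confirm the file deleted in Safe Mode is no longer a running process, and look at whatever is new. The Python below does that comparison mechanically. It is an added example, not code from this thread or from HijackThis: the sample logs are trimmed copies of the Reply #4 (before) and Reply #6 (after) logs shown above with the Reply #5 fix list, and the line shapes it parses (`<code> - <body>`, and `<key>: [<name>] <command>` for O4 items) are an assumption read off the v1.99 logs on this page rather than a documented format.

```python
import re
from dataclasses import dataclass

# Line shapes assumed from the v1.99 logs in this thread (not a documented spec):
#   "<code> - <body>"   e.g. O2 - BHO: ZServObj Class - {...} - C:\WINDOWS\ZSERV.DLL
#   O4 body:            "<key>: [<value name>] <command>"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code: R0/R1, O2, O4, ...
    body: str  # everything after "<code> - "

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"


def parse_log(text):
    """Return (running processes, item entries) from HijackThis log text."""
    processes, entries, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False  # blank line closes the process list
        elif m := ENTRY_RE.match(line):
            entries.append(Entry(m.group("code"), m.group("body")))
    return processes, entries


def run_targets(entries):
    """Map O4 Run/RunServices value names to the command they launch."""
    hits = (RUN_RE.match(e.body) for e in entries if e.code == "O4")
    return {m.group("name"): m.group("cmd") for m in hits if m}


def still_present(after_text, fix_list_text):
    """Fix-list entries that survive in the post-fix log (should be empty)."""
    present = set(parse_log(after_text)[1])
    return [e for e in parse_log(fix_list_text)[1] if e in present]


def triage(before_text, after_text, fix_list_text):
    """Diff two logs: entries removed/added, fix-list leftovers, processes stopped/started."""
    b_procs, b_entries = parse_log(before_text)
    a_procs, a_entries = parse_log(after_text)
    # Win9x logs mix path case, so processes are compared case-insensitively
    b_up = {p.upper(): p for p in b_procs}
    a_up = {p.upper(): p for p in a_procs}
    return {
        "removed": sorted(set(b_entries) - set(a_entries), key=str),
        "added": sorted(set(a_entries) - set(b_entries), key=str),
        "unfixed": still_present(after_text, fix_list_text),
        "stopped": [p for k, p in b_up.items() if k not in a_up],
        "started": [p for k, p in a_up.items() if k not in b_up],
    }


# Constructed sample input: trimmed copies of the Reply #4 (before) and Reply #6
# (after) logs from this thread, plus the fix list from Reply #5.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
"""
AFTER_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscan.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
"""
FIX_LIST = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
"""

if __name__ == "__main__":
    for key, items in triage(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(f"{key}: {[str(i) for i in items]}")
    print("autostarts now:", run_targets(parse_log(AFTER_LOG)[1]))
```

Run against the two logs, `unfixed` comes back empty (the red.clientapps R1, the ZSERV.DLL BHO and the knbvrk Run value are all gone), `stopped` names KNBVRK.EXE, and `added`/`started` show only the Spybot helper and the Norton tray and scanner, which matches what the helper in Reply #7 then asks about. The same comparison between the Reply #1 and Reply #4 logs would show the drsnsrch.com R0/R1 entries and the LOCALNRD.DLL and SYSTB.DLL BHOs disappearing after the Add/Remove Programs uninstalls.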
Offline guestolo
Cannot delete program in my start up file
« Reply #7 on: January 25, 2005, 10:02:03 PM »
Your version of Norton's is way out of date
I would shut it down in the Task Manager and then Uninstall it

Restart your computer to ensure it's removed
Install AVG's Anti-Virus software
Let it update and run a full system scan

EDIT>>If you have problems updating AVG, it's on their end
They say it will be fixed shortly, their servers are swamped
We can manually update if need be
But try the Automatic update a few times before giving up :)

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
Check out this link
http://computercops.biz/startuplist-1116.html
or this one
http://www.pacs-portal.co.uk/startup_pages...starter_exe.htm


If this file is still around delete it
C:\WINDOWS\FARMMEXT.exe <--file

Leave the Party Poker Entries alone

Let me know if AVG finds anything bad

Post back a fresh hijackthis log and let me know if everything is running fine now

P.S.
I have a couple programs for you to Install afterwards to prevent these type of infections from happening again
Both don't run in the background, using up valuable resources

What does concern me is you not running the AV on startup----You may be asking for trouble :P
Be very careful

Also, how are you connected to the Internet
Cable or DSL?
Are you connected directly through the modem or through a Hardware Firewall(Nat Router)
Your log indicates you may be connected directly to the Modem
Not safe being without a Firewall, this can prevent Hackers and other malicious activity from accessing your machine
I know, I know, you only have 64mb
Ram's quite cheap, you may want to upgrade---get at least another 128
If your Motherboard allows it.....

I'll leave that up to you
« Last Edit: January 26, 2005, 07:31:18 PM by guestolo »



Guest

  • Guest
Cannot delete program in my start up file
« Reply #8 on: January 27, 2005, 12:19:22 AM »
Hello and my PC is still working after all these changes, so that is a good sign right? ...lol :D

I did all that you asked.  I am leaving the AVG running as you advised me to, it is in my system tray.  Norton has been uninstalled, but I had to do it through Rnav2003.exe as it wouldn't uninstall any other normal way. I found the link through searching with google.  

I took a look at the pages on the Ensoniq mixer, but didn't know whether or not you saw this program as a good thing or not, so I didn't try to delete it.  I am open to advice on this subject.

I am on 56k dial up and my 64 ram slows me down quite a bit with it.  I can't afford to upgrade right now, but I plan to as soon as I can.  

I did delete the farmmext, and ran all programs as you requested.  here is the HJT log


Logfile of HijackThis v1.99.0
Scan saved at 9:59:21 PM, on 1/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com

Also, I ran the AVG and it found a virus, "Trojan horse Dropper.Agent.2.R"; it has been locked up in the AVG virus vault.

Thank you again for your help,

Catshere :)
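An added example, not code from the thread or from HijackThis itself: a small Python parser for the HijackThis log-line format posted above, with a review pass that lists Run entries given as a bare file name (such as starter.exe, whose location the poster was unsure about) and Trusted Zone entries, so a reader can confirm each one deliberately. The sample lines are a constructed subset of the entry types in the log.

```python
import re

# Constructed sample in the HijackThis v1.99 log-line format (a subset of the
# entry types seen in the log posted above), used here as offline test input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O15 - Trusted Zone: http://Download.Windowsupdate.com
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 entries: <hive>\..\<key>: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3/O9 entries: <kind>: <name> - {<CLSID>} - <path>
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# R0/R1 entries: <registry key,value name> = <data>  (data may be empty)
REG_RE = re.compile(r"^(?P<key>.+?) = ?(?P<value>.*)$")

def parse_line(line):
    """Turn one HijackThis entry line into a dict; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    rec = {"code": code, "raw": line.strip()}
    if code == "O4" and (r := RUN_RE.match(body)):
        rec.update(r.groupdict())
    elif code in ("O2", "O3", "O9") and (c := CLSID_RE.match(body)):
        rec.update(c.groupdict())
    elif code.startswith("R") and (g := REG_RE.match(body)):
        rec.update(g.groupdict())
    elif code == "O15":
        rec["site"] = body.split(":", 1)[1].strip()
    return rec

def review(lines):
    """Return (records, findings); findings are prompts to verify, not verdicts."""
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for r in records:
        if r["code"] == "O4" and "cmd" in r:
            exe = r["cmd"].split()[0]
            if "\\" not in exe:  # bare name: Windows resolves it via the search order
                findings.append(f"O4 [{r['name']}]: '{exe}' has no path; verify which file runs")
        elif r["code"] == "O15":
            findings.append(f"O15: '{r['site']}' is in the Trusted Zone; confirm it is intended")
    return records, findings
```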

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Cannot delete program in my start up file
« Reply #9 on: January 27, 2005, 08:39:39 PM »
Log looks good, not sure if I'm seeing the whole bottom part however :P

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!
If you find that a scan with HijackThis takes a lot longer after installing IE-Spyad, not to worry: both SpywareBlaster and IE-Spyad add a long list to your Restricted sites, and HijackThis checks these areas in the registry.

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Both of the above programs don't run in the background
Consider them Silent Spyware Blockers

Hold onto Spybot and Ad-Aware and check for updates every couple of weeks and run a scan
For a little extra protection with Spybot
Open it
Click Immunization>>OK>>Immunize at the top

Hold onto Windows cleanup and clean those temp folders regularly
At least every couple of weeks

Keep AVG enabled
Stay safe :D
« Last Edit: January 27, 2005, 08:41:47 PM by guestolo »



Offline Chukesgirl

  • Newbie
  • *
  • Posts: 9
  • Karma: +0/-0
Cannot delete program in my start up file
« Reply #10 on: January 31, 2005, 12:30:29 PM »
Hi

I have been monitoring this post because I had a similar problem to Catshere's on my Windows 98 SE machine. I've been battling this thing for a month and I managed to clean up pretty good with Spybot and Ad-aware. I am currently running AVG as the virus protection on that machine, but the trojan horse Dropper.Agent.2.R keeps popping up. I connect to the Internet through cable. Is there a way to eliminate it completely?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Cannot delete program in my start up file
« Reply #11 on: January 31, 2005, 01:09:47 PM »
Hi Chukesgirl
Can you please start your own post in this forum
Simply CLICK HERE
and then click the NEW TOPIC

Also include a Hijackthis log
Can you Download Hijackthis 1.99
A small utility to help identify whether any hijackers, malware, spyware, etc. reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Cannot delete program in my start up file
« Reply #12 on: February 04, 2005, 03:37:26 AM »
I'll lock this topic as your problems are resolved
If you need it reopened, please PM the site Admin or a MOD
Supply a link to this thread

Anyone else with similar problems please start your own topic and include a HijackThis log
