Whenever I restart my computer my home page changes and I get random pop-ups, even when I'm not running IE. Also, when my computer occasionally crashes and I use Ctrl+Alt+Del I find between 4 and 10 copies of rundll32 running. I have tried running Ad-Aware and Spybot and it hasn't corrected the problem. Here's my HijackThis log. PLEASE HELP ME!!!!!
Logfile of HijackThis v1.97.7
Scan saved at 3:04:23 PM, on 12/8/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\WINAMP3\WINAMPA.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\PROGRAM FILES\TRILLIAN\TRILLIAN.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\RBENHANCE\RBENH.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bmgmusic.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.244.29:1082
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 3510794918 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: (no name) - {3F68A524-6E47-44E6-9FE7-795EABFA3B36} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TRAFFIX1.1.0.25.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IMU - {88DECE3E-B7BB-4B13-96FE-924AF77C3780} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TRAFFIX1.1.0.25.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\INTDEL_2.exe
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [rbenh 5l0111] "c:\program files\RBEnhance\rbenh.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Startup: Trillian.lnk = C:\PROGRAM FILES\TRILLIAN\trillian.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23b7d83bb5dfa67de021/netzip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37916.5167361111
O16 - DPF: {F7B91BD4-2325-47E1-8EBD-AA4262C577A5} (BHOScript Class) - http://im.imatchup.com/download/traffix.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.60.131.204/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.52.223.218
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)

To my untrained eye it looks like you might have some RapidBlaster remnants; it probably wouldn't hurt to run RapidBlaster Killer.
Close all browser windows and have HjT fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bmgmusic.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.244.29:1082
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 3510794918 auto.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: (no name) - {3F68A524-6E47-44E6-9FE7-795EABFA3B36} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TRAFFIX1.1.0.25.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
O3 - Toolbar: IMU - {88DECE3E-B7BB-4B13-96FE-924AF77C3780} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TRAFFIX1.1.0.25.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\INTDEL_2.exe
O4 - HKLM\..\Run: [rbenh 5l0111] "c:\program files\RBEnhance\rbenh.exe
O13 - WWW. Prefix: http://
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23b7d83bb5dfa67de021/netzip/RdxIE601.cab
O16 - DPF: {F7B91BD4-2325-47E1-8EBD-AA4262C577A5} (BHOScript Class) - http://im.imatchup.com/download/traffix.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

Reboot.
In case I missed something, stay on this thread; some smart folks hang here.
hth
shep

Shep, two heads are better than one, thanks for stopping by.

Coolwebsearch:
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe

Should Justin restart and remove this:
C:\WINDOWS\SYSTEM\tapicfg.exe
After following the above?

Learnt something again
shep

Thanks ab

Was waiting for you to add cwshredder link.
cwshreddder.zip
use this tool also and post another log file.

Hey guys, thanks for the help. You wanted an updated log, so here it is:
Logfile of HijackThis v1.97.7
Scan saved at 4:18:45 PM, on 12/9/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\WINAMP3\WINAMPA.exe
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\PROGRAM FILES\TRILLIAN\TRILLIAN.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [DownloadCoach] C:\PROGRAM FILES\DOWNLOAD COACH\DOWNLOADCOACH.exe /startup
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Startup: Trillian.lnk = C:\PROGRAM FILES\TRILLIAN\trillian.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37916.5167361111
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.60.131.204/activex/AxisCamControl.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.52.223.218

Justin
Close all browser windows and have HjT fix the following, and reboot:
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

Do you use these programs?
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
This can probably go:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.52.223.218
hth
shep

PS: reboot into safe mode and delete:
C:\Program Files\Common files\updater\wupdater.exe
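The triage shep and ab did by eye on the two logs above (hijacked start page, proxy, hosts redirects, unnamed BHOs, ActiveX pulled from a bare IP, overridden DNS server) can be automated; the script below is an added example for this thread, not a tool from the thread or from HijackThis. It assumes the log is available as text and that the caller passes any start page they set themselves; the sample entries are copied from the logs posted here, and the decimal hosts entry 3510794918 is expanded to the dotted IP it hides.

```python
import re
import ipaddress

# Constructed sample: entries copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bmgmusic.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.244.29:1082
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23b7d83bb5dfa67de021/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.52.223.218
"""
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")  # section tag, then the entry body

def decode_host_ip(token):
    """A bare decimal (dword) address is accepted by inet_addr(); expand it to dotted form."""
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    return token

def parse(log):
    """Yield (section, body) for each HijackThis entry line; header lines are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log, trusted_start=()):
    """Return (section, reason, body) for entries matching the checks used in this thread."""
    findings = []
    for sec, body in parse(log):
        if sec == "R0" and "Start Page" in body:
            if body.split("=", 1)[1].strip() not in trusted_start:
                findings.append((sec, "start page not one the user chose", body))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append((sec, "proxy set; browser traffic is relayed through it", body))
        elif sec == "O1":
            ip, host = body.split(":", 1)[1].split()[:2]
            ip = decode_host_ip(ip)
            if not ipaddress.IPv4Address(ip).is_loopback:
                findings.append((sec, f"hosts file sends {host} to {ip}", body))
        elif sec == "O2" and "(no name)" in body:
            findings.append((sec, "unnamed BHO loaded into every IE window", body))
        elif sec == "O16" and re.search(r"https?://\d+(\.\d+){3}/", body):
            findings.append((sec, "ActiveX control downloaded from a bare IP", body))
        elif sec == "O17":
            findings.append((sec, "DNS server overridden; confirm it is the ISP's", body))
    return findings
```

Ordinary autostart entries such as the O4 loadqm.exe line are left alone, so the output is the short list a helper would ask HijackThis to fix rather than the whole log.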
