kam
-
Content Count
8 -
Joined
-
Last visited
Content Type
Profiles
Forums
Calendar
Posts posted by kam
-
-
...
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Network Security Service (NSS)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.
...
Well, rats. I got all set up to follow this list but have already encountered an obstacle.
When I find and click on "Network Security Services (NSS)" in Services.msc, I get a nasty sounding message reading as follows:
Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed.
When I click OK, I get another little window reading simply:
The system cannot find the file specified.
Now I know your instructions say to go ahead even if I don't find the service listed, but I wasn't too sure, since I DID find it but it appears there's something wrong with it...?
If you give me the thumbs up, I'll do all the other steps and just ignore that one...
-
Okey dokey, ran CWShredder again, it found nothing.
Ran About:Buster--here's the log:
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed! : C:\WINNT\coacy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
So that's looking better. Rebooted (got the same MS Anti-Spyware message about Unclassified.Spyware.65 trying to install; "removed" it), and then ran HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 4:59:36 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\crmd32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
D:\Skype\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
Clueless = me. Thanks for the help!
-
...
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
PLACE SERVICE FILE HERE
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.
...
3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
PROCESSES TO BE STOPPED
If you find the files, click on them, and then click End Process => Exit the Task Manager.
...
HJT FIXES HERE
5. Delete the following files if present:
...
FILE DELETIONS HERE
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
...
Hmm, some of these steps confuse me a little.
Should I assume that since no service files are listed ("place service file here"), that I can skip this step? Also, with Step 4, no specific files have been listed for me to check and fix, so should I again assume this step is unnecessary? I just don't want to go deleting files left right and center based only on their extensions, since I have no clue what they might be for.
Since I wasn't sure what to do or not to do in this list of steps, I've done none of them--and I've run HJT again just for kicks, here's the log if it'll shed some light on anything:
Logfile of HijackThis v1.99.1
Scan saved at 3:35:26 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\crmd32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINNT\system32\crmd32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
Sorry to be such a pain; ignorance is, in this case, not very blissful :-P
Also, the file crvg.exe has often caught my eye (if I look at "Running Processes" in MS Anti-Spyware, it sticks out like a sore thumb) but I'm not too sure if it's naughty or I'm simply paranoid. Or maybe 'cos MS A-S already removed a similar looking file called, if I remember correctly, crxq.exe.
-
Wow, thanks for the quick reply!
Okay, I did what you said: downloaded and ran CWShredder (the only thing it found and removed was CWS.Mupdate), downloaded and ran About:Buster-- this is the log from that:
Scanned at: 10:16:23 PM on: 5/25/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINNT\imsins.log:ztwfn
Removed! : C:\WINNT\auzxr.dat
Removed! : C:\WINNT\coacy.dat
Removed! : C:\WINNT\_win32_system_data.dll
Removed! : C:\WINNT\system32\mnyru.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINNT\imsins.log:ztwfn
Removed! : C:\WINNT\coacy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
...Then I restarted my computer, at which point Microsoft Antispyware warned me that Unclassified.Spyware.65 was trying to install and would I like to remove it? (yes, obviously). I then ran HJT, and here's the results:
Logfile of HijackThis v1.99.1
Scan saved at 10:35:04 PM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\appxa32.exe
C:\Program Files\AIM\aim.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
>Sigh.< I'll probably run MS Anti-Spyware and Ad-Aware a time or two before bed, but I think this spyware is way beyond them. Nice to see that CWShredder and About:Buster got rid of some junk, though :-)
Is there anything else you can suggest, or need to see (more logs, etc)? Thanks so much for your help on this, I really appreciate it!
-
... every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. ...
Okay, that didn't happen yet, but something similar did. An "official"-looking Windows message window popped up. The message window has a red circle with an X in it to the left of the window, and the message reads:
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwrods.
Do you want to learn how to protect your computer?
Yes No
When I click on Yes, it opens an IE window with the URL http://www.msnhelper.net/search.php?pin=12047. At the bottom of said page is a link saying "Download Recommended Software." I ain't clicking this link, so I right-clicked and checked the properties of it, and it says it would link to http://get.privacycash.com/?wm=paxan;sub=msg_box;soft=sguard. Now that just doesn't sound right.
I'm severely confused. Bah. I'm also going to be out for the rest of the day, so if someone gets back to me on this I apologize in advance for the lack of a prompt reply.
Thanks!
-
Oh duh -- I'm running Windows 2000, by the way. And another symptom of this spyware is that every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. If this happens again I'll copy the message and the url and paste them here. And again, I'm computer-stupid, but does Windows 2000 even HAVE Microsoft Security Center?
-
Howdy--
This spyware has been bugging the bejeezus out of me for the past couple of days: I've run Ad-Aware and Microsoft Anti-Spyware approximately 5 billion times to no avail-- it just keeps re-installing itself. It turns my IE homepage into a fake "search" page titled about:blank, lambasts me with pop-ups (despite my Google toolbar) trying to sell me anti-spyware software (haha), and has added some rude entries to my Favorites list. And I think it might be making AIM crash whenever I try to IM someone, as well as simply freezing IE every so often and slowing things down in general. I've switched to Firefox for browsing purposes.
It was Microsoft Anti-Spyware that (after manymany scans) dubbed this problem "Unclassified.Spyware.65", so that's really all I have to go on. I'm really not very tech-savvy at all, but after browsing around a bit, HijackThis looked like a good program to diagnose my problem, as long as someone else can translate it for me. Hence I downloaded HJT, plopped it in a folder on my C drive, and scanned.
Here are my results:
Logfile of HijackThis v1.99.1
Scan saved at 11:31:43 AM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\System32\svchost.exe
D:\Ares\Ares.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\appxa32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {AED1E965-E1FF-4020-0E64-514DB57FA145} - C:\WINNT\system32\netpd32.dll
O2 - BHO: Class - {E421C7FB-1BAA-F284-394F-9091F0CE6A5A} - C:\WINNT\sdkoe32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
...It's all gobbledygook to me Any help would be much appreciated--just speak as if to a child, because all this is waaaay above my head!
Thanks in advance,
kam
Unclassified.spyware.65
in Malware Removal
Posted
Ohhhh I am so tempted to buy a new computer...if only I had the money...
I tried the Registrar Lite-- or rather installed it, opened it, and made sure those boxes were checked, but it didn't affect Services.msc.
Also tried to run all the other steps--phew! Here are my notes starting with step 3 (step 1 being moot and 2 running smooth)
Neither of these appeared, and hence did not get deleted.
Ok, hmm... Things in blue I didn't find at all. The red ptsif.dll I didn't find exactly-- I found the same entries but with rpvvm.dll instead. I went ahead and checked them to be fixed--those entries were all the same as what you told me to fix aside from the .dll, and apparently I haven't broken anything by doing that. Any entry not colored red or blue I found and checked to be fixed.
Found and deleted crvg.exe -- did not find and did not delete crmd32.exe.
Steps 6 and 7 went fine...About:Buster log will be posted at the end with a new HijackThis log. AdAware found 7 tracking cookies and killed 'em.
Step 8...hmm. My computer has nevereverever wanted to perform Disk Cleanup. Maybe it's too full. So I emptied temp files, temp internet files and the recycle bin through Microsoft Anti-Spyware advanced settings "Tracks Eraser". I'll keep trying to run disk cleanup just for tidiness' sake, but it basically never stops "calculating how much space..." etc.
Steps 9, 10, 11 ran smooth. CWShredder found nothing.
I downloaded this three times but could not get it to open. Got a message from WinZip saying Cannot open file: it does not appear to be a valid archive and suggesting I try to download it again. So I didn't restore original hosts.
When I try to download and install this, it tries to install itself into my Netscape folder--which is nonexistent, as I've never used Netscape. It then refuses to go any further, and now when I try to go to the link you posted for it, it pretty much freezes and shuts down Firefox.
Sigh.
So my computer is hell-bent on foiling your lovely list of helpful instructions. I'm really really stumped here. If, in all honesty, you think I should ditch this piece of junk computer, tell me now
Here's my logs, just for kicks and giggles:
About:Buster
Reference List : 26
No ADS found on system
Removed! : C:\WINNT\system32\qyecy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:00:12 PM, on 5/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\ntgo32.exe
C:\WINNT\system32\apida32.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cleanmgr.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
Holy piss... all that rpvvm.dll crap is still there...or there again! Gahh!! Oh my oh my oh my....
Thanks for all your patience and help, again :-)