kam

Posts posted by kam

  1. Download Registrar Lite from http://www.resplendence.com/download/reglite.exe.

    Install it and run it... that the two tabs for

    "Read" and "Full Control" are selected....

    Ohhhh I am so tempted to buy a new computer...if only I had the money...

    I tried the Registrar Lite-- or rather installed it, opened it, and made sure those boxes were checked, but it didn't affect Services.msc.

    Also tried to run all the other steps--phew! Here are my notes starting with step 3 (step 1 being moot and 2 running smooth)

    3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

    crmd32.exe

    crvg.exe

    Neither of these appeared, and hence did not get deleted.

    4. Scan with Hijack This and put checks next to all the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

    O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

    O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

    O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)

    Close all windows except HijackThis, and click the "Fix Checked" button.

    Ok, hmm... Things in blue I didn't find at all. The red ptsif.dll I didn't find exactly-- I found the same entries but with rpvvm.dll instead. I went ahead and checked them to be fixed--those entries were all the same as what you told me to fix aside from the .dll, and apparently I haven't broken anything by doing that. Any entry not colored red or blue I found and checked to be fixed.

    5. Next, delete the following files if present:

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    C:\WINNT\system32\crmd32.exe

    C:\WINNT\crvg.exe

    Found and deleted crvg.exe -- did not find and did not delete crmd32.exe.

    Steps 6 and 7 went fine...About:Buster log will be posted at the end with a new HijackThis log. AdAware found 7 tracking cookies and killed 'em.

    Step 8...hmm. My computer has nevereverever wanted to perform Disk Cleanup. Maybe it's too full. So I emptied temp files, temp internet files and the recycle bin through Microsoft Anti-Spyware advanced settings "Tracks Eraser". I'll keep trying to run disk cleanup just for tidiness' sake, but it basically never stops "calculating how much space..." etc.

    Steps 9, 10, 11 ran smooth. CWShredder found nothing.

    12. Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

    I downloaded this three times but could not get it to open. Got a message from WinZip saying Cannot open file: it does not appear to be a valid archive and suggesting I try to download it again. So I didn't restore original hosts.

    13. Download and run this online virus scan:

    http://housecall.trendmicro.com/housecall/start_corp.asp

    Make sure you check "AutoClean"

    When I try to download and install this, it tries to install itself into my Netscape folder--which is nonexistent, as I've never used Netscape. It then refuses to go any further, and now when I try to go to the link you posted for it, it pretty much freezes and shuts down Firefox.

    Sigh.

    So my computer is hell-bent on foiling your lovely list of helpful instructions. I'm really really stumped here. If, in all honesty, you think I should ditch this piece of junk computer, tell me now :(

    Here's my logs, just for kicks and giggles:

    About:Buster

    Reference List : 26

    No ADS found on system

    Removed! : C:\WINNT\system32\qyecy.dat

    Attempted Clean Of Temp folder.

    Removed Uninstall Key (HSA)

    Removed Uninstall Key (SE)

    Removed Uninstall Key (SW)

    Pages Reset... Done!

    -- Scan 2 ---------------------------

    About:Buster Version 4.0

    Reference List : 26

    No ADS found on system

    Attempted Clean Of Temp folder.

    Pages Reset... Done!

    New HijackThis log

    Logfile of HijackThis v1.99.1

    Scan saved at 10:00:12 PM, on 5/31/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\NavNT\defwatch.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\NavNT\rtvscan.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\stisvc.exe

    C:\WINNT\system32\Tablet.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\System32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\Explorer.EXE

    C:\WINNT\system32\MsgSys.EXE

    C:\Program Files\NavNT\vptray.exe

    C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    D:\downloads\quicktime\qttask.exe

    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

    C:\WINNT\TBPanel.exe

    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    D:\Skype\Skype.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Wacom\TabUserW.exe

    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

    C:\WINNT\system32\ntgo32.exe

    C:\WINNT\system32\apida32.exe

    C:\Program Files\AIM\aim.exe

    C:\WINNT\system32\ntvdm.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINNT\system32\cleanmgr.exe

    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)

    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    Holy piss... all that rpvvm.dll crap is still there...or there again! Gahh!! Oh my oh my oh my....

    Thanks for all your patience and help, again :-)
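
Added example (not part of kam's post or of the helper's instructions): a small Python script that diffs two HijackThis logs by persistence slot, so that a renamed payload such as the ptisf.dll to rpvvm.dll change noted above shows up as a retargeted entry rather than as a new one. The sample lines are excerpts copied from the 5/26/2005 and 5/31/2005 logs on this page; the function names and the slot/target split are this example's own assumptions about the log layout.

```python
import re

# Excerpt of the HijackThis log saved 5/26/2005 (lines copied from this page).
LOG_2005_05_26 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
"""

# Excerpt of the HijackThis log saved 5/31/2005 (lines copied from this page).
LOG_2005_05_31 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)
"""

ENTRY = re.compile(r"^\s*([RO]\d{1,2}) - (.+)$")
FILE = re.compile(r"([\w.-]+\.(?:dll|exe|ocx))", re.IGNORECASE)


def split_entry(section, body):
    """Split one entry into (slot, target).

    The slot is the part that identifies where the entry hooks in (registry
    value, Run key name, service name); the target is what it points at.
    This split is an assumption of the example, not a HijackThis feature.
    """
    if section == "O23":  # Service: <name> - <owner> - <path>
        return body.split(" - ", 1)[0], body.rsplit(" - ", 1)[-1]
    if section == "O4" and "] " in body:  # <key>: [<name>] <command>
        name, _, target = body.partition("] ")
        return name + "]", target
    if " = " in body:  # R0/R1: <key>,<value> = <data>
        slot, _, target = body.partition(" = ")
        return slot, target
    slot, _, target = body.rpartition(" - ")  # O2 etc.: <label> - <path>
    return (slot, target) if slot else (body, "")


def parse_log(text):
    """Map (section, slot) -> target for every R*/O* line in a log."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            section, body = match.group(1), match.group(2).strip()
            slot, target = split_entry(section, body)
            entries[(section, slot)] = target
    return entries


def diff_logs(before_text, after_text):
    """Classify entries as retargeted (same slot, new target), removed or added."""
    before, after = parse_log(before_text), parse_log(after_text)
    report = {"retargeted": [], "removed": [], "added": []}
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old is None:
            report["added"].append((key, new))
        elif new is None:
            report["removed"].append((key, old))
        elif old != new:
            report["retargeted"].append((key, old, new))
    return report


def renamed_files(report):
    """Return {(old_file, new_file)} for slots whose file name changed."""
    pairs = set()
    for _key, old, new in report["retargeted"]:
        o, n = FILE.search(old), FILE.search(new)
        if o and n and o.group(1).lower() != n.group(1).lower():
            pairs.add((o.group(1).lower(), n.group(1).lower()))
    return pairs


if __name__ == "__main__":
    result = diff_logs(LOG_2005_05_26, LOG_2005_05_31)
    for old_name, new_name in sorted(renamed_files(result)):
        print(f"same slot, new file: {old_name} -> {new_name}")
    for kind in ("removed", "added"):
        for (section, slot), target in result[kind]:
            print(f"{kind}: {section} {slot} -> {target}")
```

Entries reported as retargeted are the ones to recheck after a reboot, since the hook survived the fix and only the file it points to changed.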

  2. ...

    1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called:

    Network Security Service (NSS)

    When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

    ...

    Well, rats. I got all set up to follow this list but have already encountered an obstacle.

    When I find and click on "Network Security Services (NSS)" in Services.msc, I get a nasty sounding message reading as follows:

    Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed.

    When I click OK, I get another little window reading simply:

    The system cannot find the file specified.

    Now I know your instructions say to go ahead even if I don't find the service listed, but I wasn't too sure, since I DID find it but it appears there's something wrong with it...?

    If you give me the thumbs up, I'll do all the other steps and just ignore that one...

  3. Okey dokey, ran CWShredder again, it found nothing.

    Ran About:Buster--here's the log:

    -- Scan 1 ---------------------------

    About:Buster Version 4.0

    Reference List : 26

    No ADS found on system

    Removed! : C:\WINNT\coacy.dat

    Attempted Clean Of Temp folder.

    Removed Uninstall Key (HSA)

    Removed Uninstall Key (SE)

    Removed Uninstall Key (SW)

    Pages Reset... Done!

    -- Scan 2 ---------------------------

    About:Buster Version 4.0

    Reference List : 26

    No ADS found on system

    Attempted Clean Of Temp folder.

    Removed Uninstall Key (HSA)

    Removed Uninstall Key (SE)

    Removed Uninstall Key (SW)

    Pages Reset... Done!

    So that's looking better. Rebooted (got the same MS Anti-Spyware message about Unclassified.Spyware.65 trying to install; "removed" it), and then ran HijackThis:

    Logfile of HijackThis v1.99.1

    Scan saved at 4:59:36 PM, on 5/26/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\NavNT\defwatch.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\NavNT\rtvscan.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\stisvc.exe

    C:\WINNT\system32\Tablet.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\System32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\Explorer.EXE

    C:\WINNT\system32\MsgSys.EXE

    C:\WINNT\system32\crmd32.exe

    C:\Program Files\NavNT\vptray.exe

    C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    D:\downloads\quicktime\qttask.exe

    C:\WINNT\TBPanel.exe

    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINNT\crvg.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\AIM\aim.exe

    D:\Skype\Skype.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Wacom\TabUserW.exe

    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

    O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

    O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)

    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    Clueless = me. :blink: Thanks for the help!

  4. ...

    1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called:

    PLACE SERVICE FILE HERE

    When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

    ...

    3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

    PROCESSES TO BE STOPPED

    If you find the files, click on them, and then click End Process => Exit the Task Manager.

    ...

    HJT FIXES HERE

    5. Delete the following files if present:

    ...

    FILE DELETIONS HERE

    (and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

    ...

    Hmm, some of these steps confuse me a little.

    Should I assume that since no service files are listed ("place service file here"), that I can skip this step? Also, with Step 4, no specific files have been listed for me to check and fix, so should I again assume this step is unnecessary? I just don't want to go deleting files left right and center based only on their extensions, since I have no clue what they might be for.

    Since I wasn't sure what to do or not to do in this list of steps, I've done none of them--and I've run HJT again just for kicks, here's the log if it'll shed some light on anything:

    Logfile of HijackThis v1.99.1

    Scan saved at 3:35:26 PM, on 5/26/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\NavNT\defwatch.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\NavNT\rtvscan.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\stisvc.exe

    C:\WINNT\system32\Tablet.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\System32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\MsgSys.EXE

    C:\Program Files\NavNT\vptray.exe

    C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    D:\downloads\quicktime\qttask.exe

    C:\WINNT\TBPanel.exe

    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINNT\crvg.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    D:\Skype\Skype.exe

    C:\Program Files\Wacom\TabUserW.exe

    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

    C:\WINNT\system32\crmd32.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINNT\explorer.exe

    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

    O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

    O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINNT\system32\crmd32.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    Sorry to be such a pain; ignorance is, in this case, not very blissful :-P

    Also, the file crvg.exe has often caught my eye (if I look at "Running Processes" in MS Anti-Spyware, it sticks out like a sore thumb) but I'm not too sure if it's naughty or I'm simply paranoid. Or maybe 'cos MS A-S already removed a similar looking file called, if I remember correctly, crxq.exe.

  5. Wow, thanks for the quick reply!

    Okay, I did what you said: downloaded and ran CWShredder (the only thing it found and removed was CWS.Mupdate), downloaded and ran About:Buster-- this is the log from that:

    Scanned at: 10:16:23 PM on: 5/25/2005

    -- Scan 1 ---------------------------

    About:Buster Version 4.0

    Reference List : 26

    Removed Data Streams:

    C:\WINNT\imsins.log:ztwfn

    Removed! : C:\WINNT\auzxr.dat

    Removed! : C:\WINNT\coacy.dat

    Removed! : C:\WINNT\_win32_system_data.dll

    Removed! : C:\WINNT\system32\mnyru.dat

    Attempted Clean Of Temp folder.

    Removed Uninstall Key (HSA)

    Removed Uninstall Key (SE)

    Removed Uninstall Key (SW)

    Pages Reset... Done!

    -- Scan 2 ---------------------------

    About:Buster Version 4.0

    Reference List : 26

    Removed Data Streams:

    C:\WINNT\imsins.log:ztwfn

    Removed! : C:\WINNT\coacy.dat

    Attempted Clean Of Temp folder.

    Removed Uninstall Key (HSA)

    Removed Uninstall Key (SE)

    Removed Uninstall Key (SW)

    Pages Reset... Done!

    ...Then I restarted my computer, at which point Microsoft Antispyware warned me that Unclassified.Spyware.65 was trying to install and would I like to remove it? (yes, obviously). I then ran HJT, and here's the results:

    Logfile of HijackThis v1.99.1

    Scan saved at 10:35:04 PM, on 5/25/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\NavNT\defwatch.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\NavNT\rtvscan.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\stisvc.exe

    C:\WINNT\system32\Tablet.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\System32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\Explorer.EXE

    C:\WINNT\system32\MsgSys.EXE

    C:\Program Files\NavNT\vptray.exe

    C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    D:\downloads\quicktime\qttask.exe

    C:\WINNT\TBPanel.exe

    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINNT\crvg.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\WINNT\system32\appxa32.exe

    C:\Program Files\AIM\aim.exe

    D:\Skype\Skype.exe

    C:\Program Files\Wacom\TabUserW.exe

    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

    C:\WINNT\system32\NOTEPAD.EXE

    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

    O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

    O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)

    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    >Sigh.< I'll probably run MS Anti-Spyware and Ad-Aware a time or two before bed, but I think this spyware is way beyond them. Nice to see that CWShredder and About:Buster got rid of some junk, though :-)

    Is there anything else you can suggest, or need to see (more logs, etc)? Thanks so much for your help on this, I really appreciate it!

  6. ... every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads.  ...

    Okay, that didn't happen yet, but something similar did. An "official"-looking Windows message window popped up. The message window has a red circle with an X in it to the left of the window, and the message reads:

    WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwrods.

    Do you want to learn how to protect your computer?

    Yes No

    When I click on Yes, it opens an IE window with the URL http://www.msnhelper.net/search.php?pin=12047. At the bottom of said page is a link saying "Download Recommended Software." I ain't clicking this link, so I right-clicked and checked the properties of it, and it says it would link to http://get.privacycash.com/?wm=paxan;sub=msg_box;soft=sguard. Now that just doesn't sound right.

    I'm severely confused. Bah. I'm also going to be out for the rest of the day, so if someone gets back to me on this I apologize in advance for the lack of a prompt reply.

    Thanks!

  7. Oh duh -- I'm running Windows 2000, by the way. And another symptom of this spyware is that every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. If this happens again I'll copy the message and the url and paste them here. And again, I'm computer-stupid, but does Windows 2000 even HAVE Microsoft Security Center? :blink:

  8. Howdy--

    This spyware has been bugging the bejeezus out of me for the past couple of days: I've run Ad-Aware and Microsoft Anti-Spyware approximately 5 billion times to no avail-- it just keeps re-installing itself. It turns my IE homepage into a fake "search" page titled about:blank, lambasts me with pop-ups (despite my Google toolbar) trying to sell me anti-spyware software (haha), and has added some rude entries to my Favorites list. And I think it might be making AIM crash whenever I try to IM someone, as well as simply freezing IE every so often and slowing things down in general. I've switched to Firefox for browsing purposes.

    It was Microsoft Anti-Spyware that (after manymany scans) dubbed this problem "Unclassified.Spyware.65", so that's really all I have to go on. I'm really not very tech-savvy at all, but after browsing around a bit, HijackThis looked like a good program to diagnose my problem, as long as someone else can translate it for me. Hence I downloaded HJT, plopped it in a folder on my C drive, and scanned.

    Here are my results:

    Logfile of HijackThis v1.99.1

    Scan saved at 11:31:43 AM, on 5/25/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\NavNT\defwatch.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\NavNT\rtvscan.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\WINNT\system32\stisvc.exe

    C:\WINNT\system32\Tablet.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\System32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\MsgSys.EXE

    C:\Program Files\NavNT\vptray.exe

    C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    C:\WINNT\TBPanel.exe

    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINNT\crvg.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    D:\Skype\Skype.exe

    C:\Program Files\Wacom\TabUserW.exe

    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

    C:\WINNT\System32\svchost.exe

    D:\Ares\Ares.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\WINNT\explorer.exe

    C:\WINNT\system32\appxa32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047

    R3 - Default URLSearchHook is missing

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: Class - {AED1E965-E1FF-4020-0E64-514DB57FA145} - C:\WINNT\system32\netpd32.dll

    O2 - BHO: Class - {E421C7FB-1BAA-F284-394F-9091F0CE6A5A} - C:\WINNT\sdkoe32.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

    O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

    O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    ...It's all gobbledygook to me :huh: Any help would be much appreciated--just speak as if to a child, because all this is waaaay above my head!

    Thanks in advance,

    kam
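Added example (not part of kam's posts or of any tool named in them): a small Python script that parses HijackThis entry lines and diffs two scans. It makes the "keeps re-installing itself" symptom visible as the same registry value pointing at a differently named DLL. The sample lines are excerpts copied from the 11:31 AM and 10:35 PM logs on this page; the function names `parse` and `diff` are this example's own.

```python
import re

# Excerpts copied from the two HijackThis logs in the posts above
# (11:31 AM scan and 10:35 PM scan, both 5/25/2005).
SCAN_MORNING = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe
"""
SCAN_EVENING = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
"""

# An entry line is "<section code> - <rest>", e.g. "R1 - ..." or "O23 - ...".
ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")

def parse(log):
    """Return {(code, key): value}. R entries are keyed on the registry
    value name so a changed target shows up as a change, not add+remove."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path, or blank line
        code, rest = m.groups()
        if code.startswith("R") and " = " in rest:
            key, value = rest.split(" = ", 1)
        else:
            key, value = rest, ""
        entries[(code, key)] = value
    return entries

def diff(before, after):
    """Compare two scans and bucket entries by what happened to them."""
    old, new = parse(before), parse(after)
    both = old.keys() & new.keys()
    return {
        "changed": sorted((k, old[k], new[k]) for k in both if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "persisted": sorted(k for k in both if old[k] == new[k]),
    }

if __name__ == "__main__":
    for bucket, items in diff(SCAN_MORNING, SCAN_EVENING).items():
        print(bucket.upper())
        for item in items:
            print("   ", item)
```

Run against full logs, the "changed" and "added" buckets are the entries worth showing a helper first, since they are what reappeared under a new name after the cleanup attempt.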