kam Posted May 25, 2005

Howdy--This spyware has been bugging the bejeezus out of me for the past couple of days: I've run Ad-Aware and Microsoft Anti-Spyware approximately 5 billion times to no avail-- it just keeps re-installing itself. It turns my IE homepage into a fake "search" page titled about:blank, lambasts me with pop-ups (despite my Google toolbar) trying to sell me anti-spyware software (haha), and has added some rude entries to my Favorites list. And I think it might be making AIM crash whenever I try to IM someone, as well as simply freezing IE every so often and slowing things down in general. I've switched to Firefox for browsing purposes.

It was Microsoft Anti-Spyware that (after many, many scans) dubbed this problem "Unclassified.Spyware.65", so that's really all I have to go on. I'm really not very tech-savvy at all, but after browsing around a bit, HijackThis looked like a good program to diagnose my problem, as long as someone else can translate it for me. Hence I downloaded HJT, plopped it in a folder on my C drive, and scanned.
Here are my results:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:43 AM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\System32\svchost.exe
D:\Ares\Ares.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\appxa32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {AED1E965-E1FF-4020-0E64-514DB57FA145} - C:\WINNT\system32\netpd32.dll
O2 - BHO: Class - {E421C7FB-1BAA-F284-394F-9091F0CE6A5A} - C:\WINNT\sdkoe32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

...It's all gobbledygook to me. Any help would be much appreciated--just speak as if to a child, because all this is waaaay above my head!

Thanks in advance,
kam
kam (Author) Posted May 25, 2005

Oh duh -- I'm running Windows 2000, by the way. And another symptom of this spyware is that every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. If this happens again I'll copy the message and the url and paste them here. And again, I'm computer-stupid, but does Windows 2000 even HAVE Microsoft Security Center?
kam (Author) Posted May 25, 2005

... every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. ...

Okay, that didn't happen yet, but something similar did. An "official"-looking Windows message window popped up. The message window has a red circle with an X in it to the left of the window, and the message reads:

WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwrods.
Do you want to learn how to protect your computer?
Yes / No

When I click on Yes, it opens an IE window with the URL http://www.msnhelper.net/search.php?pin=12047. At the bottom of said page is a link saying "Download Recommended Software." I ain't clicking this link, so I right-clicked and checked the properties of it, and it says it would link to http://get.privacycash.com/?wm=paxan;sub=msg_box;soft=sguard. Now that just doesn't sound right.

I'm severely confused. Bah. I'm also going to be out for the rest of the day, so if someone gets back to me on this I apologize in advance for the lack of a prompt reply. Thanks!
Dan Posted May 25, 2005

Hi,

Please download Intermute's CWShredder from here:
http://cwshredder.net/bin/CWShredder.exe
Save it to the desktop and run it, and click "Fix" to remove the CWS infection.

Then please download About:Buster from here:
http://www.downloads.subratam.org/AboutBuster.zip
Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe. Read the instructions then click OK to proceed. Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version. Then click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. Restart.

Post the entire contents of that logfile here for me, as well as a new HijackThis log.

dk
kam (Author) Posted May 26, 2005

Wow, thanks for the quick reply!

Okay, I did what you said: downloaded and ran CWShredder (the only thing it found and removed was CWS.Mupdate), downloaded and ran About:Buster-- this is the log from that:

Scanned at: 10:16:23 PM on: 5/25/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINNT\imsins.log:ztwfn
Removed! : C:\WINNT\auzxr.dat
Removed! : C:\WINNT\coacy.dat
Removed! : C:\WINNT\_win32_system_data.dll
Removed! : C:\WINNT\system32\mnyru.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINNT\imsins.log:ztwfn
Removed! : C:\WINNT\coacy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

...Then I restarted my computer, at which point Microsoft Antispyware warned me that Unclassified.Spyware.65 was trying to install and would I like to remove it? (yes, obviously).

I then ran HJT, and here's the results:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:04 PM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\appxa32.exe
C:\Program Files\AIM\aim.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

>Sigh.< I'll probably run MS Anti-Spyware and Ad-Aware a time or two before bed, but I think this spyware is way beyond them. Nice to see that CWShredder and About:Buster got rid of some junk, though :-)

Is there anything else you can suggest, or need to see (more logs, etc)? Thanks so much for your help on this, I really appreciate it!
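Added example, not code from the thread or from HijackThis: a small Python triage pass over HijackThis 1.99.1 log lines that encodes the patterns a helper would look for in kam's two logs. The rules are my own heuristics (IE search settings served from a res:// page inside a DLL in the Windows directory, nameless "Class" BHOs loaded from there, Run/RunOnce entries named after their own file, and a service with a missing file or garbled name); the sample lines are constructed from entries in the thread's logs, with the first log's oixor.dll and the second log's ptisf.dll combined so the script can show the same pin 12047 being served from a renamed DLL.

```python
import re
from collections import defaultdict

# A file that sits directly in the Windows directory or system32
# (Windows 2000 uses WINNT, XP uses WINDOWS).
WINDIR_FILE = re.compile(r"^[a-z]:\\(?:winnt|windows)(?:\\system32)?\\[^\\]+$", re.I)
# res://<dll>/<page>#<pin>; the pin is the affiliate id that stays constant
# in the thread's logs while the DLL name changes.
RES_URL = re.compile(r"res://(?P<dll>[^/]+\.dll)/(?P<page>[^#\s]+)(?:#(?P<pin>\d+))?", re.I)
ENTRY = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.+)$", re.I)
RUNKEY = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FIRST_EXE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com))\b', re.I)

# Constructed sample in HJT log format, assembled from the thread's entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\crvg.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


def analyze(log_text):
    """Return (findings, pins): findings is a list of (severity, section, reason, line)."""
    findings = []
    pins = defaultdict(set)  # pin -> DLL file names that served it
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            r = RES_URL.search(body)
            if r and WINDIR_FILE.match(r.group("dll")):
                if r.group("pin"):
                    pins[r.group("pin")].add(r.group("dll").split("\\")[-1].lower())
                findings.append(("high", sec, "IE start/search setting served from a res:// page in a DLL in the Windows directory", raw))
        elif sec == "O2":
            b = BHO.match(body)
            if b and b.group("name").strip() in ("Class", "(no name)") and WINDIR_FILE.match(b.group("path").strip()):
                findings.append(("high", sec, "nameless BHO loaded straight from the Windows directory", raw))
        elif sec == "O4":
            k = RUNKEY.match(body)
            e = FIRST_EXE.match(k.group("cmd")) if k else None
            if e:
                path = e.group("path")
                # realplay.exe is also named after its file, but lives in Program Files, so it is not flagged
                if k.group("name").lower() == path.split("\\")[-1].lower() and WINDIR_FILE.match(path):
                    findings.append(("medium", sec, f"{k.group('key')} entry named after its own file in the Windows directory", raw))
        elif sec == "O23":
            if "(file missing)" in body or "Unknown owner" in body or any(ord(c) > 127 for c in body):
                findings.append(("high", sec, "service with missing file, unknown owner or garbled name", raw))
    for pin, dlls in pins.items():
        if len(dlls) > 1:
            findings.append(("high", "R*", f"pin {pin} served from {len(dlls)} DLLs ({', '.join(sorted(dlls))}): hijack re-created itself under a new file name", ""))
    return findings, dict(pins)


def severity_counts(findings):
    """Tally findings by severity."""
    counts = defaultdict(int)
    for sev, _, _, _ in findings:
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    found, seen_pins = analyze(SAMPLE_LOG)
    for sev, sec, reason, line in found:
        print(f"[{sev}] {sec}: {reason}\n    {line}")
    print(severity_counts(found))
```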
Dan Posted May 26, 2005

Hi,

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program. AboutBuster MUST be updated before you use it. Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Please download and install AD-Aware. Check here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=Forums&file=download&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:
PLACE SERVICE FILE HERE
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
PROCESSES TO BE STOPPED
If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS. Scan with Hijack This and put checks next to all the following, then click "Fix Checked":
HJT FIXES HERE

5. Delete the following files if present. If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
FILE DELETIONS HERE
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan: Make sure you check "AutoClean".

Then reboot and post a fresh Hijack This log as well as another about:buster log to see how we did.
kam (Author) Posted May 26, 2005

...1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:
PLACE SERVICE FILE HERE
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps....

...3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
PROCESSES TO BE STOPPED
If you find the files, click on them, and then click End Process => Exit the Task Manager....

...HJT FIXES HERE
5. Delete the following files if present:...
FILE DELETIONS HERE
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)...

Hmm, some of these steps confuse me a little.

Should I assume that since no service files are listed ("place service file here"), that I can skip this step? Also, with Step 4, no specific files have been listed for me to check and fix, so should I again assume this step is unnecessary? I just don't want to go deleting files left right and center based only on their extensions, since I have no clue what they might be for.

Since I wasn't sure what to do or not to do in this list of steps, I've done none of them--and I've run HJT again just for kicks, here's the log if it'll shed some light on anything:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:26 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\system32\crmd32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINNT\system32\crmd32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Sorry to be such a pain; ignorance is, in this case, not very blissful :-P

Also, the file crvg.exe has often caught my eye (if I look at "Running Processes" in MS Anti-Spyware, it sticks out like a sore thumb) but I'm not too sure if it's naughty or I'm simply paranoid. Or maybe 'cos MS A-S already removed a similar looking file called, if I remember correctly, crxq.exe.
Dan Posted May 26, 2005

Hi,

That was an error on me.. I will have a fix in around 5 min..
Dan Posted May 26, 2005

Also, it seems that one form of your infection is gone O_o
Dan Posted May 26, 2005

Ok,

Here's what I want you to do...

Please run CWShredder, and about:buster again, and post a new HijackThis log, as well as a new HijackThis log.

dk
kam Posted May 26, 2005 (Author)

Okey dokey, ran CWShredder again, it found nothing.

Ran About:Buster--here's the log:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed! : C:\WINNT\coacy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

So that's looking better. Rebooted (got the same MS Anti-Spyware message about Unclassified.Spyware.65 trying to install; "removed" it), and then ran HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:59:36 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\crmd32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\crvg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
D:\Skype\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Clueless = me. Thanks for the help!
Dan Posted May 26, 2005

Hi,

(Some of the steps we did cover already, and if you have the programs here, remember to update them)

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program. AboutBuster MUST be updated before you use it. Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Please download and install AD-Aware. Check Here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=Forums&file=download&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:
Network Security Service (NSS)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
crmd32.exe
crvg.exe
If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. Scan with Hijack This and put checks next to all the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
Close all windows except HijackThis, and click the "Fix Checked" button.

5. Next, delete the following files if present:
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
C:\WINNT\system32\crmd32.exe
C:\WINNT\crvg.exe
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"

then reboot and post a fresh Hijack This log to see how we did.

dk
kam Posted May 27, 2005 (Author)

...
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:
Network Security Service (NSS)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.
...

Well, rats. I got all set up to follow this list but have already encountered an obstacle.

When I find and click on "Network Security Services (NSS)" in Services.msc, I get a nasty sounding message reading as follows:

Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed.

When I click OK, I get another little window reading simply:

The system cannot find the file specified.

Now I know your instructions say to go ahead even if I don't find the service listed, but I wasn't too sure, since I DID find it but it appears there's something wrong with it...?

If you give me the thumbs up, I'll do all the other steps and just ignore that one...
Dan Posted May 29, 2005

Hmm....I'll need to talk to someone about this......

For now, try the other steps......

dk
Dan Posted May 30, 2005

Hi,

Try this:

Download Registrar Lite from http://www.resplendence.com/download/reglite.exe.
Install it and run it.
Click on the "Security" tab, and select "Edit Auditing".
Make sure that where it says something like (DANIEL/dknoppix) (Example from my computer), that the two tabs for "Read" and "Full Control" are selected.

Then try the fix here: http://www.besttechie.net/forums/index.php...indpost&p=24211

dk
kam Posted June 1, 2005 (Author)

...
Download Registrar Lite from http://www.resplendence.com/download/reglite.exe.
Install it and run it... that the two tabs for "Read" and "Full Control" are selected.
...

Ohhhh I am so tempted to buy a new computer...if only I had the money...

I tried the Registrar Lite-- or rather installed it, opened it, and made sure those boxes were checked, but it didn't affect Services.msc.

Also tried to run all the other steps--phew! Here are my notes starting with step 3 (step 1 being moot and 2 running smooth)

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
crmd32.exe
crvg.exe

Neither of these appeared, and hence did not get deleted.

4. Scan with Hijack This and put checks next to all the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
Close all windows except HijackThis, and click the "Fix Checked" button.

Ok, hmm... Things in blue I didn't find at all. The red ptisf.dll I didn't find exactly-- I found the same entries but with rpvvm.dll instead. I went ahead and checked them to be fixed--those entries were all the same as what you told me to fix aside from the .dll, and apparently I haven't broken anything by doing that. Any entry not colored red or blue I found and checked to be fixed.

5. Next, delete the following files if present:
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
C:\WINNT\system32\crmd32.exe
C:\WINNT\crvg.exe

Found and deleted crvg.exe -- did not find and did not delete crmd32.exe.

Steps 6 and 7 went fine...About:Buster log will be posted at the end with a new HijackThis log. AdAware found 7 tracking cookies and killed 'em.

Step 8...hmm. My computer has nevereverever wanted to perform Disk Cleanup. Maybe it's too full. So I emptied temp files, temp internet files and the recycle bin through Microsoft Anti-Spyware advanced settings "Tracks Eraser". I'll keep trying to run disk cleanup just for tidiness' sake, but it basically never stops "calculating how much space..." etc.

Steps 9, 10, 11 ran smooth. CWShredder found nothing.

12. Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

I downloaded this three times but could not get it to open. Got a message from WinZip saying Cannot open file: it does not appear to be a valid archive and suggesting I try to download it again. So I didn't restore original hosts.

13. Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"

When I try to download and install this, it tries to install itself into my Netscape folder--which is nonexistent, as I've never used Netscape. It then refuses to go any further, and now when I try to go to the link you posted for it, it pretty much freezes and shuts down Firefox.

Sigh.

So my computer is hell-bent on foiling your lovely list of helpful instructions. I'm really really stumped here. If, in all honesty, you think I should ditch this piece of junk computer, tell me now

Here's my logs, just for kicks and giggles:

About:Buster
Reference List : 26
No ADS found on system
Removed! : C:\WINNT\system32\qyecy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:00:12 PM, on 5/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\downloads\quicktime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\TBPanel.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Skype\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\ntgo32.exe
C:\WINNT\system32\apida32.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cleanmgr.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Holy piss... all that rpvvm.dll crap is still there...or there again! Gahh!! Oh my oh my oh my....

Thanks for all your patience and help, again :-)
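The entries Dan lists in step 4 and the files in step 5 share a recognisable shape, while the random file names change between logs (ptisf.dll, then rpvvm.dll; crmd32.exe, then ntgo32.exe), so a check keyed on exact names misses the reinstalled copy. As an added example (not code from this thread or from HijackThis), the Python checker below flags such HijackThis 1.99.1 entries by their shape; the sample log, its CLSIDs and its file names are constructed for the demo, and the loose-executable rule for O4 entries is a heuristic, not a HijackThis rule.

```python
"""Flag CoolWebSearch-style entries in a HijackThis 1.99.1 log (added example).

The rules key on the *shape* of an entry, not on the random DLL/EXE names,
because those names change every time the hijacker reinstalls itself.
"""
import re
from dataclasses import dataclass

# Constructed sample log (not a log from the thread): clean and hijacked entries mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O23 - Service: Network Security Service (NSS) ( 11F) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


@dataclass
class Finding:
    entry: str       # the HijackThis line as logged
    reason: str      # why it was flagged
    file: str = ""   # on-disk file the entry points at, if any


# IE search keys rewritten to an HTML resource inside a randomly named DLL.
RES_SP = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)/sp\.html", re.I)
# O2 - BHO: <name> - {CLSID} - <dll>
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<dll>.+)$", re.I)
# O4 - HKLM\..\Run: [<label>] <command>
RUN = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# O23 - Service: <name> - <owner> - <path>
SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A bare executable sitting directly in %WINDIR% or %WINDIR%\system32.
WINDIR_EXE = re.compile(r"^[A-Za-z]:\\WINNT\\(system32\\)?[^\\ ]+\.exe$", re.I)
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]+\.exe', re.I)


def analyze(lines):
    """Return a Finding for every line that matches a hijack indicator."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith(("R0 - ", "R1 - ")):
            m = RES_SP.search(line)
            if m:
                findings.append(Finding(line, "IE search key points at a res:// page in a random DLL", m["dll"]))
            elif line.endswith("= about:blank"):
                findings.append(Finding(line, "start/default page forced to about:blank"))
        elif line == "R3 - Default URLSearchHook is missing":
            findings.append(Finding(line, "default URLSearchHook removed by the hijacker"))
        elif line.startswith("O2 - "):
            m = BHO.match(line)
            # Legitimate BHOs carry a product name; the hijacker registers one called just "Class".
            if m and m["name"] == "Class":
                findings.append(Finding(line, "BHO with no descriptive name", m["dll"]))
        elif line.startswith("O4 - "):
            m = RUN.match(line)
            if m and WINDIR_EXE.match(m["cmd"]):
                # Heuristic: label equals the file name and the exe lives loose in WINNT.
                if m["label"].lower() == m["cmd"].rsplit("\\", 1)[-1].lower():
                    findings.append(Finding(line, "Run entry for a loose executable in WINNT", m["cmd"]))
        elif line.startswith("O23 - "):
            m = SVC.match(line)
            if m and m["owner"] == "Unknown owner" and m["name"].startswith("Network Security Service"):
                exe = EXE_PATH.search(m["path"])
                findings.append(Finding(line, "'Network Security Service' with unknown owner", exe.group(0) if exe else ""))
    return findings


def files_to_remove(findings):
    """Unique on-disk files referenced by the flagged entries (the step 5 list)."""
    return sorted({f.file for f in findings if f.file}, key=str.lower)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.strip().splitlines())
    for f in found:
        print(f"[{f.reason}] {f.entry}")
    print("files:", *files_to_remove(found), sep="\n  ")
```

Run against the sample it flags seven entries and leaves the Google, Symantec, vptray and realplay lines alone; to use it on a real log, replace SAMPLE_LOG with the log's lines.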
Dan Posted June 1, 2005

...
If, in all honesty, you think I should ditch this piece of junk computer, tell me now
...

A "policy" of mine, is to avoid people having to format at all costs. This will be fixable.....

Also, I have an updated hoster link: http://www.funkytoad.com/download/hoster.zip

I forgot to tell you to run the Housecall in Internet Explorer....but you can't can you?

About:Buster 5.0 is out. You can get the new one from here:
http://www.besttechie.net/tools/AboutBuster5.zip
Please run that again.

Please post a HijackThis log, as well as an about:buster log (Sorry to be soooo repetitive)

dk

P.S. I will be out of town till saturday....If you need your log looked at urgently, feel free to visit chat (http://www.besttechie.net/chat/wyldrydewebchat.php) and ask someone to look at the log.