kam

Unclassified.spyware.65

Howdy--

This spyware has been bugging the bejeezus out of me for the past couple of days: I've run Ad-Aware and Microsoft Anti-Spyware approximately 5 billion times to no avail-- it just keeps re-installing itself. It turns my IE homepage into a fake "search" page titled about:blank, lambasts me with pop-ups (despite my Google toolbar) trying to sell me anti-spyware software (haha), and has added some rude entries to my Favorites list. And I think it might be making AIM crash whenever I try to IM someone, as well as simply freezing IE every so often and slowing things down in general. I've switched to Firefox for browsing purposes.

It was Microsoft Anti-Spyware that (after many, many scans) dubbed this problem "Unclassified.Spyware.65", so that's really all I have to go on. I'm really not very tech-savvy at all, but after browsing around a bit, HijackThis looked like a good program to diagnose my problem, as long as someone else can translate it for me. Hence I downloaded HJT, plopped it in a folder on my C drive, and scanned.

Here are my results:

Logfile of HijackThis v1.99.1

Scan saved at 11:31:43 AM, on 5/25/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\TBPanel.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINNT\crvg.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

D:\Skype\Skype.exe

C:\Program Files\Wacom\TabUserW.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINNT\System32\svchost.exe

D:\Ares\Ares.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINNT\explorer.exe

C:\WINNT\system32\appxa32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oixor.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Class - {3EE8CA0B-907B-1241-3819-1BA2E3895410} - C:\WINNT\system32\iebj.dll

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {AED1E965-E1FF-4020-0E64-514DB57FA145} - C:\WINNT\system32\netpd32.dll

O2 - BHO: Class - {E421C7FB-1BAA-F284-394F-9091F0CE6A5A} - C:\WINNT\sdkoe32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKLM\..\RunOnce: [appxa32.exe] C:\WINNT\system32\appxa32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

...It's all gobbledygook to me :huh: Any help would be much appreciated--just speak as if to a child, because all this is waaaay above my head!

Thanks in advance,

kam

Oh duh -- I'm running Windows 2000, by the way. And another symptom of this spyware is that every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads. If this happens again I'll copy the message and the url and paste them here. And again, I'm computer-stupid, but does Windows 2000 even HAVE Microsoft Security Center? :blink:

... every so often a "Microsoft Security Center" bubble will pop up telling me I have spyware and to click the bubble to fix it--but if I click the bubble it just takes me to some doofy webpage not unlike the anti-spyware ads.  ...

Okay, that didn't happen yet, but something similar did. An "official"-looking Windows message window popped up. The message window has a red circle with an X in it to the left of the window, and the message reads:

WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwrods.

Do you want to learn how to protect your computer?

Yes No

When I click on Yes, it opens an IE window with the URL http://www.msnhelper.net/search.php?pin=12047. At the bottom of said page is a link saying "Download Recommended Software." I ain't clicking this link, so I right-clicked and checked the properties of it, and it says it would link to http://get.privacycash.com/?wm=paxan;sub=msg_box;soft=sguard. Now that just doesn't sound right.

I'm severely confused. Bah. I'm also going to be out for the rest of the day, so if someone gets back to me on this I apologize in advance for the lack of a prompt reply.

Thanks!

Hi,

Please download Intermute's CWShredder from here:

http://cwshredder.net/bin/CWShredder.exe

Save it to the desktop and run it, and click "Fix" to remove the CWS infection.

Then please download About:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe.

Read the instructions then click OK to proceed.

Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version.

Then click Start to begin the scan.

If prompted to end the Explorer.exe process, click Yes.

Your desktop may disappear --- this is normal.

Allow the program to scan twice, and when complete click "Save Log".

This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Restart.

Post the entire contents of that logfile here for me, as well as a new HijackThis log.

dk

Wow, thanks for the quick reply!

Okay, I did what you said: downloaded and ran CWShredder (the only thing it found and removed was CWS.Mupdate), downloaded and ran About:Buster-- this is the log from that:

Scanned at: 10:16:23 PM on: 5/25/2005

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 26

Removed Data Streams:

C:\WINNT\imsins.log:ztwfn

Removed! : C:\WINNT\auzxr.dat

Removed! : C:\WINNT\coacy.dat

Removed! : C:\WINNT\_win32_system_data.dll

Removed! : C:\WINNT\system32\mnyru.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 26

Removed Data Streams:

C:\WINNT\imsins.log:ztwfn

Removed! : C:\WINNT\coacy.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

...Then I restarted my computer, at which point Microsoft Antispyware warned me that Unclassified.Spyware.65 was trying to install and would I like to remove it? (yes, obviously). I then ran HJT, and here's the results:

Logfile of HijackThis v1.99.1

Scan saved at 10:35:04 PM, on 5/25/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\downloads\quicktime\qttask.exe

C:\WINNT\TBPanel.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINNT\crvg.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINNT\system32\appxa32.exe

C:\Program Files\AIM\aim.exe

D:\Skype\Skype.exe

C:\Program Files\Wacom\TabUserW.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

>Sigh.< I'll probably run MS Anti-Spyware and Ad-Aware a time or two before bed, but I think this spyware is way beyond them. Nice to see that CWShredder and About:Buster got rid of some junk, though :-)

Is there anything else you can suggest, or need to see (more logs, etc)? Thanks so much for your help on this, I really appreciate it!

Hi,

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip

About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.

AboutBuster MUST be updated before you use it.

Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, then close the box. Don't run it yet.

Please download and install AD-Aware.

Check here on how to set it up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:

http://computercops.biz/modules.php?name=Forums&file=download&id=3002

http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:

http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called:

PLACE SERVICE FILE HERE

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

PROCESSES TO BE STOPPED

If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

HJT FIXES HERE

5. Delete the following files if present:

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

FILE DELETIONS HERE

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

13. Download and run this online virus scan:

Make sure you check "AutoClean"

Then reboot and post a fresh Hijack This log as well as another about:buster log to see how we did.
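
The logs posted in this thread and the step list above turn on the same handful of indicators: an R0/R1 search hook that points at a res:// DLL, a BHO registered with nothing but the generic name "Class" from the Windows directory, a Run/RunOnce value named after its own .exe in %WINDIR% or system32, and an O23 service with an unknown owner, a missing file or garbage in its name. The following script is an added example, not code from the thread, from HijackThis or from About:Buster; it scans a HijackThis 1.99 log for those indicators and builds the kind of "file plus its .exe/.dll/.dat siblings" list that step 5 asks for. The SAMPLE_LOG is constructed in the shape of the logs above (ASCII only), and every heuristic in it is an assumption drawn from this thread, not a rule HijackThis itself applies.

```python
"""Triage a HijackThis 1.99 log for CoolWebSearch-style hijack indicators.

Added example, not from the thread or from HijackThis itself. The heuristics
are assumptions drawn from the logs posted above: a search hook pointing at a
res:// DLL, a BHO registered with the generic name "Class" from %WINDIR%,
Run/RunOnce loaders named after their own file in %WINDIR%, and a service
with an unknown owner, missing file or garbage characters in its name.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the logs above (ASCII only; the real
# service name in the thread contains unprintable bytes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINNT\system32\crmd32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINNT\system32\appxa32.exe" /s (file missing)
"""

# A file that sits directly in %WINDIR% or %WINDIR%\system32 (no deeper).
WINDIR_FILE = re.compile(r"^[a-z]:\\win(nt|dows)(\\system32)?\\[^\\]+$", re.I)
R_LINE = re.compile(r"^R[01] - .*? = (?P<value>.+)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - HK..\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _in_windir(path: str) -> bool:
    return bool(WINDIR_FILE.match(path.strip().strip('"')))


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, original line) for each suspicious entry."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := R_LINE.match(line)) and re.match(r"res://.+\.dll/", m["value"], re.I):
            findings.append(("R", "search/start page served from a res:// DLL", line))
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("R3", "URLSearchHook removed, as seen after CWS tampering", line))
        elif (m := BHO_LINE.match(line)) and m["name"] == "Class" and _in_windir(m["path"]):
            findings.append(("O2", "BHO with generic name 'Class' loading from %WINDIR%", line))
        elif m := RUN_LINE.match(line):
            target = m["cmd"].strip().strip('"')
            # Value name equal to the file name, and the file dropped straight into %WINDIR%.
            if _in_windir(target) and m["name"].lower() == PureWindowsPath(target).name.lower():
                findings.append(("O4", f"{m['key']} loader named after its own file in %WINDIR%", line))
        elif m := SVC_LINE.match(line):
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("unknown owner")
            if "(file missing)" in m["path"]:
                reasons.append("file missing")
            if re.search(r"[^\w\s().,&-]", m["display"]):
                reasons.append("garbage characters in service name")
            if reasons:
                findings.append(("O23", "service: " + ", ".join(reasons), line))
    return findings


def deletion_candidates(findings) -> list[str]:
    """Step-5 style list: each flagged loader plus its .exe/.dll/.dat siblings."""
    paths = set()
    for section, _reason, line in findings:
        if section == "R":
            path = re.search(r"res://(.+?\.dll)", line, re.I)[1]
        elif section == "O2":
            path = line.rsplit(" - ", 1)[1]
        elif section == "O4":
            path = line.split("] ", 1)[1]
        else:
            continue  # services are handled through services.msc, not by deleting files
        stem = PureWindowsPath(path.strip().strip('"'))
        paths.update(str(stem.with_suffix(ext)) for ext in (".exe", ".dll", ".dat"))
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, reason, line in found:
        print(f"[{section}] {reason}\n    {line}")
    print("\nFiles to check (with siblings):")
    for path in deletion_candidates(found):
        print("   ", path)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. On the constructed sample it flags the ptisf.dll search hook, the missing URLSearchHook, the netyw32.dll BHO, the crvg.exe and crmd32.exe loaders and the NSS service, while leaving NeroCheck, RealPlayer, the Acrobat and Google BHOs and DefWatch alone; the `about:blank` Default_Page_URL is deliberately not flagged on its own, since it is also a legitimate IE setting. The output is a review list, not a kill list: confirm each hit against the file on disk before you end a process or delete anything.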

...

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called:

PLACE SERVICE FILE HERE

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

...

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

PROCESSES TO BE STOPPED

If you find the files, click on them, and then click End Process => Exit the Task Manager.

...

HJT FIXES HERE

5. Delete the following files if present:

...

FILE DELETIONS HERE

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

...

Hmm, some of these steps confuse me a little.

Should I assume that since no service files are listed ("place service file here"), that I can skip this step? Also, with Step 4, no specific files have been listed for me to check and fix, so should I again assume this step is unnecessary? I just don't want to go deleting files left, right and center based only on their extensions, since I have no clue what they might be for.

Since I wasn't sure what to do or not to do in this list of steps, I've done none of them--and I've run HJT again just for kicks, here's the log if it'll shed some light on anything:

Logfile of HijackThis v1.99.1

Scan saved at 3:35:26 PM, on 5/26/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\downloads\quicktime\qttask.exe

C:\WINNT\TBPanel.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINNT\crvg.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

D:\Skype\Skype.exe

C:\Program Files\Wacom\TabUserW.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\WINNT\system32\crmd32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINNT\explorer.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunOnce: [crmd32.exe] C:\WINNT\system32\crmd32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Sorry to be such a pain; ignorance is, in this case, not very blissful :-P

Also, the file crvg.exe has often caught my eye (if I look at "Running Processes" in MS Anti-Spyware, it sticks out like a sore thumb) but I'm not too sure if it's naughty or I'm simply paranoid. Or maybe 'cos MS A-S already removed a similar looking file called, if I remember correctly, crxq.exe.

Hi,

That was an error on my part. I will have a fix in around 5 min.

Also, it seems that one form of your infection is gone O_o

Ok,

Here's what I want you to do...

Please run CWShredder, and about:buster again, and post a new HijackThis log, as well as a new HijackThis log.

dk

Okey dokey, ran CWShredder again, it found nothing.

Ran About:Buster--here's the log:

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 26

No ADS found on system

Removed! : C:\WINNT\coacy.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 26

No ADS found on system

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

So that's looking better. Rebooted (got the same MS Anti-Spyware message about Unclassified.Spyware.65 trying to install; "removed" it), and then ran HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 4:59:36 PM, on 5/26/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\system32\crmd32.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\downloads\quicktime\qttask.exe

C:\WINNT\TBPanel.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINNT\crvg.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AIM\aim.exe

D:\Skype\Skype.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Wacom\TabUserW.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Clueless = me. :blink: Thanks for the help!


Hi, (Some of the steps we did cover already, and if you have the programs here, remember to update them)

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip

About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.

AboutBuster MUST be updated before you use it.

Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, then close the box. Don't run it yet.

Please download and install AD-Aware.

Check here on how to set up and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. Use either link below:

http://computercops.biz/modules.php?name=Forums&file=download&id=3002

http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

Download CW-Shredder at the link below:

http://cwshredder.net/bin/CWSshtreder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".

Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigham.zen.co.uk/downloads/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Important Step

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called:

Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

crmd32.exe

crvg.exe

If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. Scan with Hijack This and put checks next to all the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)

Close all windows except HijackThis, and click the "Fix Checked" button.

5. Next, delete the following files if present:

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINNT\system32\crmd32.exe

C:\WINNT\crvg.exe

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Make sure you check "AutoClean"

Then reboot and post a fresh HijackThis log to see how we did.

dk

...

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called:

Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

...

Well, rats. I got all set up to follow this list but have already encountered an obstacle.

When I find and click on "Network Security Services (NSS)" in Services.msc, I get a nasty sounding message reading as follows:

Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed.

When I click OK, I get another little window reading simply:

The system cannot find the file specified.

Now I know your instructions say to go ahead even if I don't find the service listed, but I wasn't too sure, since I DID find it but it appears there's something wrong with it...?

If you give me the thumbs up, I'll do all the other steps and just ignore that one...


Hmm....I'll need to talk to someone about this......

For now, try the other steps......

dk


Hi,

Try this:

Download Registrar Lite from http://www.resplendence.com/download/reglite.exe.

Install it and run it.

Click on the "Security" tab, and select "Edit Auditing"

Make sure that where it says something like (DANIEL/dknoppix) (Example from my computer), that the two tabs for

"Read" and "Full Control" are selected.

Then try the fix here: http://www.besttechie.net/forums/index.php...indpost&p=24211

dk

Download Registrar Lite from http://www.resplendence.com/download/reglite.exe.

Install it and run it... that the two tabs for

"Read" and "Full Control" are selected....

Ohhhh I am so tempted to buy a new computer...if only I had the money...

I tried the Registrar Lite-- or rather installed it, opened it, and made sure those boxes were checked, but it didn't affect Services.msc.

Also tried to run all the other steps--phew! Here are my notes starting with step 3 (step 1 being moot and 2 running smooth)

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

crmd32.exe

crvg.exe

Neither of these appeared, and hence did not get deleted.

4. Scan with Hijack This and put checks next to all the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ptisf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll

O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll

O2 - BHO: Class - {D8DFD538-D915-DA42-82AD-9910D5D6D43B} - C:\WINNT\system32\netyw32.dll

O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)

Close all windows except HijackThis, and click the "Fix Checked" button.

Ok, hmm... Things in blue I didn't find at all. The red ptisf.dll I didn't find exactly -- I found the same entries but with rpvvm.dll instead. I went ahead and checked them to be fixed -- those entries were all the same as what you told me to fix aside from the .dll, and apparently I haven't broken anything by doing that. Any entry not colored red or blue I found and checked to be fixed.

5. Next, delete the following files if present:

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\WINNT\system32\crmd32.exe

C:\WINNT\crvg.exe

Found and deleted crvg.exe -- did not find and did not delete crmd32.exe.

Steps 6 and 7 went fine...About:Buster log will be posted at the end with a new HijackThis log. AdAware found 7 tracking cookies and killed 'em.

Step 8...hmm. My computer has nevereverever wanted to perform Disk Cleanup. Maybe it's too full. So I emptied temp files, temp internet files and the recycle bin through Microsoft Anti-Spyware advanced settings "Tracks Eraser". I'll keep trying to run disk cleanup just for tidiness' sake, but it basically never stops "calculating how much space..." etc.

Steps 9, 10, 11 ran smooth. CWShredder found nothing.

12. Download the Hoster from here http://members.aol.com/toadbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

I downloaded this three times but could not get it to open. Got a message from WinZip saying Cannot open file: it does not appear to be a valid archive and suggesting I try to download it again. So I didn't restore original hosts.

13. Download and run this online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Make sure you check "AutoClean"

When I try to download and install this, it tries to install itself into my Netscape folder--which is nonexistent, as I've never used Netscape. It then refuses to go any further, and now when I try to go to the link you posted for it, it pretty much freezes and shuts down Firefox.

Sigh.

So my computer is hell-bent on foiling your lovely list of helpful instructions. I'm really really stumped here. If, in all honesty, you think I should ditch this piece of junk computer, tell me now :(

Here's my logs, just for kicks and giggles:

About:Buster

Reference List : 26

No ADS found on system

Removed! : C:\WINNT\system32\qyecy.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 26

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

New HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 10:00:12 PM, on 5/31/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\Tablet.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\downloads\quicktime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\WINNT\TBPanel.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

D:\Skype\Skype.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Wacom\TabUserW.exe

C:\Program Files\Microsoft Office\Office\1033\msoffice.exe

C:\WINNT\system32\ntgo32.exe

C:\WINNT\system32\apida32.exe

C:\Program Files\AIM\aim.exe

C:\WINNT\system32\ntvdm.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINNT\system32\cleanmgr.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\downloads\Adobe Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "D:\downloads\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [skype] "D:\Skype\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

Holy piss... all that rpvvm.dll crap is still there...or there again! Gahh!! Oh my oh my oh my....

Thanks for all your patience and help, again :-)
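The helper's step 4 above lists entries to fix by their exact file names, and the user's new log shows why that is brittle: the same hijack shape came back with ptisf.dll renamed to rpvvm.dll, crmd32.exe renamed to ntgo32.exe, and a fresh random-named BHO. As an added example (not code from the thread, not part of HijackThis, and not the helper's tool), here is a small triage script that flags HijackThis v1.99 lines by structure rather than by name: IE search settings pointed at a res:// page inside a local DLL, a BHO with the generic name "Class" or a DLL dropped in the Windows root, a Run entry whose key is its own executable name in a system directory, and a service with no vendor whose binary is missing. The sample log lines are constructed to mirror the thread's logs, and C:\WINNT as the system root is an assumption taken from the poster's Windows 2000 machine.

```python
"""Structural triage for HijackThis v1.99 log lines.

Added example for this thread, not HijackThis code and not part of any post.
It keys on the *shape* of an entry, not on file names, because this CWS
variant renamed its components between scans (ptisf.dll -> rpvvm.dll,
crmd32.exe -> ntgo32.exe). Sample lines are constructed to mirror the thread;
C:\WINNT as the system root is assumed from the poster's Windows 2000 box.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Files dropped directly in the Windows directory or in System32.
WINDIR_ROOT = re.compile(r"^c:\\winnt\\[^\\]+\.(?:exe|dll|dat)$", re.I)
SYSTEM32 = re.compile(r"^c:\\winnt\\system32\\[^\\]+\.(?:exe|dll|dat)$", re.I)
# IE start/search page pointed at an HTML resource embedded in a local DLL.
RES_HIJACK = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/sp\.html#\d+", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R1", "O23"
    reason: str   # why the entry is suspicious, independent of file names
    line: str     # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, else None."""
    section, _, rest = line.strip().partition(" - ")
    if section in ("R0", "R1"):
        if RES_HIJACK.search(rest):
            return Finding(section, "IE search/start page redirected into a local DLL resource", line)
        if rest.lower().endswith("= about:blank"):
            return Finding(section, "IE default page forced to about:blank", line)
    elif section == "R3" and "URLSearchHook is missing" in rest:
        return Finding(section, "default URLSearchHook removed", line)
    elif section == "O2":
        # Layout: "BHO: <name> - {CLSID} - <path>"
        parts = [p.strip() for p in rest.split(" - ")]
        name, path = parts[0][len("BHO:"):].strip(), parts[-1]
        if name.lower() == "class" or WINDIR_ROOT.match(path):
            return Finding(section, "BHO with generic name or DLL in Windows root", line)
    elif section == "O4":
        # Layout: "HKLM\..\Run: [<key>] <command>"; the malware's key equalled its file name
        m = re.search(r"\[([^\]]+)\]\s*(.*)$", rest)
        if m:
            key, cmd = m.group(1), m.group(2).strip().strip('"')
            basename = cmd.rsplit("\\", 1)[-1]
            if key.lower() == basename.lower() and (WINDIR_ROOT.match(cmd) or SYSTEM32.match(cmd)):
                return Finding(section, "Run entry named after its own binary in a system directory", line)
    elif section == "O23" and "Unknown owner" in rest and "(file missing)" in rest:
        return Finding(section, "service with no vendor whose binary is missing", line)
    return None


def triage_log(log: str) -> List[Finding]:
    """Triage every line of a pasted HijackThis log (blank lines yield None)."""
    return [f for f in map(triage_line, log.splitlines()) if f is not None]


def hijack_dlls(log: str) -> Set[str]:
    """DLL names that IE's search settings are redirected into."""
    return {m.group(1).lower() for m in RES_HIJACK.finditer(log)}


def persistent_reasons(log_a: str, log_b: str) -> Set[str]:
    """Suspicious patterns present in both logs, whatever the file names."""
    return {f.reason for f in triage_log(log_a)} & {f.reason for f in triage_log(log_b)}


# Constructed sample logs patterned on the thread: before and after the fix list.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ptisf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds.dll
O2 - BHO: Class - {A146D46A-42B6-1948-7D09-20744CC5FFB1} - C:\WINNT\javarm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [crvg.exe] C:\WINNT\crvg.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINNT\system32\crmd32.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rpvvm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E07AE911-ABFC-1C43-AC8A-4A5E37895284} - C:\WINNT\appbm.dll
O4 - HKLM\..\Run: [apida32.exe] C:\WINNT\system32\apida32.exe
O4 - HKLM\..\Run: [realplay.exe] C:\Program Files\Real\RealOne Player\realplay.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINNT\system32\ntgo32.exe" /s (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(LOG_AFTER):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print("hijack DLL before:", hijack_dlls(LOG_BEFORE), "after:", hijack_dlls(LOG_AFTER))
    print("still present after fix:", sorted(persistent_reasons(LOG_BEFORE, LOG_AFTER)))
```

Run against the two constructed logs, `persistent_reasons` reports the same five patterns on both sides even though none of the flagged file names survived the fix, which is the point the user's "all that rpvvm.dll crap is still there" post makes: with this family, a cleanup that only removes the names seen in the last log leaves the dropper that re-creates them under new names, so the service and its binary are the things to remove first.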

If, in all honesty, you think I should ditch this piece of junk computer, tell me now

A "policy" of mine is to avoid people having to format at all costs. This will be fixable...

Also, I have an updated hoster link:

http://www.funkytoad.com/download/hoster.zip

I forgot to tell you to run the Housecall in Internet Explorer....but you can't can you?

About:Buster 5.0 is out. You can get the new one from here:

http://www.besttechie.net/tools/AboutBuster5.zip

Please run that again.

Please post a HijackThis log, as well as an about:buster log (sorry to be soooo repetitive).

dk

P.S. I will be out of town till Saturday... If you need your log looked at urgently, feel free to visit chat (http://www.besttechie.net/chat/wyldrydewebchat.php)

And ask someone to look at the log.

:)
