About:Blank / Winshow.AY

  1. #11
    HJM

    Re: About:Blank / Winshow.AY

    Log into the Admin account.
    Open HijackThis
    Click on Config > Misc Tools
    Click on 'Delete an NT Service' and enter the following bold text into the address box:
    Network Security Service
    Click OK.

    Please update your virus definitions to the latest at this point.


    TDS Anti-Trojan
    1. Download and install the trial version of TDS-3 Anti-Trojan from here. Don't start the program yet. Update the trojan database by right clicking the link below and selecting 'save as' and save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

    http://www.diamondcs.com.au/tds/radius.td3


    2. Reboot in safe mode and launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.

    3. Detections will appear in the lower pane of the TDS window. When the scan has eventually finished, right click the lower pane and select 'save as txt' to save the 'scandump.txt'. Leaving the program open, copy and paste the contents of scandump.txt into your next reply.

    4. After posting the scanlog, right click the lower TDS pane again and select 'delete' to remove everything labelled 'positive identification'.

    5. Reboot the machine in Safe Mode again and run a full system scan with your anti-virus program. Copy & paste a summary of its findings in your next reply if it detects anything.


    6. Reboot in normal mode and post the TDS log, anti-virus summary and a fresh HijackThis log for inspection.


  2. #12
    stuie_bones
    Hi there. A couple of problems......

    When I entered "Network Security Service" into HJT Delete an NT service, I get the error message...."Service 'Network Security Service' was not found in the Registry. Make sure you entered the short name of the service."

    So I copied the name in brackets as it suggests from the HJT scan, which is ( 6Q'8).
    Now this worked, but it replied saying the service is running/enabled. Disable it using HJT or services.msc.
    When I 'fix' using HJT, it just returns immediately in the next scan and can't then delete it through HJT.
    And according to services.msc it is already stopped. I can't do anything with the service - I get a general internal error, due to the file being missing.

    I guess the problem comes back to when I deleted it but forgot to 'unload' it on reboot as per your instructions. Now the file is missing but the PC thinks it is running. Not sure if that's right or not.

    I feel like we're mighty close, but no cigar at the moment.

    Any more ideas would be extremely well appreciated. Many thanks again.

  3. #13
    HJM
    Click Start > Run > type services.msc, then click OK
    Scroll down and right click on 'Network Security Services'
    Select 'Properties' and set the "Service Status" option to "Stop"
    Set "Startup type" to "Disabled", click Apply, then OK.


    Can you post the TDS log, anti-virus summary and a fresh HijackThis log please.

  4. #14
    stuie_bones
    Ahead of you already. Have tried all of that but the service is effectively dead. Can do nothing with it.

    Clicking on properties gives the error "Configuration manager. General Internal error occurred"
    The properties window does then come up, and the service is stopped. But when you press start another error "Could not start the NSS on the local computer. Error 2. The system could not find the specified file."
    Can't seem to do anything at all with it !!

    Here is latest HJT log though. Let me know if you still want the TDS & Antivirus logs too.

    Logfile of HijackThis v1.99.1
    Scan saved at 21:55:51, on 02/03/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ttgprxy1:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...31/mcfscan.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Network Security Service ( 6Q'8) - Unknown owner - C:\WINNT\d3nz32.exe (file missing)
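As an added example (not from the thread, and not part of HijackThis), here is a small Python parser for the O23 service lines of a HijackThis log that flags registrations like the one above: a service whose binary is already missing, one with no vendor information, or one whose executable sits directly in the Windows directory instead of system32. The sample lines are copied from the log in this post; the "C:\WINNT" system root and the three heuristics are my own assumptions, and a hit means "look closer", not a verdict.

```python
import re
import ntpath

# Constructed sample: four O23 lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Security Service ( 6Q'8) - Unknown owner - C:\WINNT\d3nz32.exe (file missing)
"""

# O23 layout: display name [ (short name) ] - owner - image path [ (file missing) ]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^)]*)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_o23(line):
    """Split one O23 line into its fields; returns None for non-O23 lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "short": (m.group("short") or "").strip(),   # "( 6Q'8)" -> "6Q'8"
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def suspicious_services(log_text, system_root=r"C:\WINNT"):
    """Return (service, reasons) pairs for O23 entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["file_missing"]:
            reasons.append("binary missing: orphaned service registration")
        if svc["owner"] == "Unknown owner":
            reasons.append("no vendor/company information")
        # Assumed heuristic: legitimate services rarely live directly in %SystemRoot%.
        if ntpath.dirname(svc["path"]).lower() == system_root.lower():
            reasons.append("executable placed directly in the Windows directory")
        if reasons:
            findings.append((svc, reasons))
    return findings
```
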

  5. #15
    HJM
    The service isn't doing any harm now but best to remove it.

    Go to Start | Run and type Regedit then click Ok.
    Before you edit the registry, you should make a backup.
    Click 'FILE\Export Registry File'.
    Call it REGBACKUP and save it on your desktop.

    Then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and expand 'Services' in the left pane. Look for any entries named as:

    ( 6Q'8) or Network Security Service

    If either are listed, right-click them and choose Delete.

    Then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

    LEGACY ( 6Q'8) or LEGACY Network Security Service

    If listed, right-click them and choose Delete.

    If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

    Reboot and post the TDS log, anti-virus summary and a fresh HijackThis log please.

  6. #16
    stuie_bones
    Hi there.
    All done. Managed to delete from the registry.

    Ran TDS log (scandump.txt), Ad-Aware (adawarelog.txt) and HJT (Highjackthis15.txt).

    I don't have up to date Anti-Virus software. I ran my Virus Scan and it found nothing. Would you recommend Norton as a good product for protection?

    Many thanks again.

  7. #17
    HJM
    I've been looking at this entry in your log since we started:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ttgprxy1:80

    Can you shed any light on whether this proxy is something you've set yourself? If not it may be a good idea to remove with HijackThis. If you do remove it and run into connection problems, restore it by using the backup feature of HJT in Misc. Tools.


    Download unzip and run Hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.


    Reboot and POST (not attach) a fresh log please. It's easier for me to analyse the log if posted on the forum.

  8. #18
    stuie_bones
    Yes, that entry is the Proxy server for my company. I occasionally attach to their network and still use it.

    I've assumed you only wanted me to Restore Original Hosts because of this entry?....so I've not run Hoster.zip?

    Will certainly post rather than attach next time....should there be one

    Should I be doing anything else?

    Thanks again....and again.

  9. #19
    HJM
    Thanks for the info. Please run Hoster.zip, it will take care of the 01 Host entry present in your log and restore the host file to its original state. Then post a fresh HJT log please.
    Last edited by HJM; 03-03-2005 at 12:54 PM.

  10. #20
    stuie_bones
    OK, Hoster run.

    What Anti-Virus product would you recommend me purchasing - Norton?

    Here is the HJT log. A million thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 1259, on 03/03/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\ati2evxx.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ttgprxy1:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...31/mcfscan.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
