Spyware seems to invade at the worst times

  1. #1
    zachisbest is offline Junior Member

    There seems to be some spyware that my computer scans can't pick up. You guys have always helped me weed out my bad files and registry items in the past. I would really appreciate it if you could isolate the problem for me again.
    Thank you so much
    Zach

    Logfile of HijackThis v1.99.1
    Scan saved at 3:14:16 PM, on 11/08/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Retail STAR\dbntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\mfcsu32.exe
    C:\WINDOWS\system32\netzl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Retail STAR\StarSchd.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\The Village Hat Shop\Desktop\Adware stuff\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {00A88ECE-D542-06D0-B1E9-091150D86D41} - C:\WINDOWS\system32\msxj32.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll
    O2 - BHO: Class - {0B937114-0E13-062A-9867-38F38B2CC09F} - C:\WINDOWS\system32\addvr.dll (file missing)
    O2 - BHO: Class - {13C5BB54-5447-119B-46D2-63264CDBEC0F} - C:\WINDOWS\atlxm.dll (file missing)
    O2 - BHO: Class - {14ACC8C5-5DB2-26C5-6B40-0B8750DAAFDE} - C:\WINDOWS\system32\javaro.dll (file missing)
    O2 - BHO: Class - {17399FDF-699F-E10C-F790-3872A961BD8F} - C:\WINDOWS\system32\d3kh.dll (file missing)
    O2 - BHO: Class - {24A9B7CC-0A40-BEE6-67C3-A5771F0A62F7} - C:\WINDOWS\system32\atlba32.dll (file missing)
    O2 - BHO: Class - {257D6D3D-1C77-15FB-6BF6-9347E8F69CEB} - C:\WINDOWS\system32\ipia.dll (file missing)
    O2 - BHO: Class - {2B56AA49-1949-09E1-63C4-F9A683F6EB92} - C:\WINDOWS\system32\addov32.dll (file missing)
    O2 - BHO: Class - {2E34D0ED-0B55-5C98-05DD-51F59AB52E3A} - C:\WINDOWS\crla.dll (file missing)
    O2 - BHO: Class - {3090709C-6EA7-0316-84DA-2AC3A09FD1CB} - C:\WINDOWS\crug32.dll
    O2 - BHO: Class - {325EAD02-95B5-830B-5E5C-CD067BAA172B} - C:\WINDOWS\system32\sysmt.dll (file missing)
    O2 - BHO: Class - {41FF1819-6FA4-A22B-A9BB-7621D02FEE43} - C:\WINDOWS\javaff32.dll (file missing)
    O2 - BHO: Class - {47AC66D0-CE97-D311-E35F-40428823161F} - C:\WINDOWS\system32\cryr32.dll (file missing)
    O2 - BHO: Class - {4BE23432-C392-D735-5711-ADB1E652BF8E} - C:\WINDOWS\system32\atlzk.dll (file missing)
    O2 - BHO: Class - {5883D979-5C1C-5AE9-C370-C39713BB8756} - C:\WINDOWS\addfg32.dll (file missing)
    O2 - BHO: Class - {58E19DDB-FF55-C80E-005C-675F6F8331B0} - C:\WINDOWS\system32\apivy.dll (file missing)
    O2 - BHO: Class - {646F6A47-24D0-2033-3709-4F9D79ED6FC9} - C:\WINDOWS\atlpe.dll (file missing)
    O2 - BHO: Class - {67376861-75B6-22CE-83C5-3D32CF86C703} - C:\WINDOWS\system32\addcn.dll
    O2 - BHO: Class - {69C2D265-3B93-BC0A-676E-D0FD27DA5AC6} - C:\WINDOWS\system32\winvw.dll
    O2 - BHO: Class - {70958982-9286-4C4E-3FD3-FEC16A115FBF} - C:\WINDOWS\javakk.dll
    O2 - BHO: Class - {75FF0CF0-2B28-1964-55E8-CDEF044A53AC} - C:\WINDOWS\system32\ipyf32.dll
    O2 - BHO: Class - {8044BFB2-40EC-C70A-C711-736B0EE1248F} - C:\WINDOWS\system32\winuw32.dll
    O2 - BHO: Class - {8C2CBD99-0FCD-5C08-EDD5-4E5F4A8D33A0} - C:\WINDOWS\system32\javamy32.dll
    O2 - BHO: Class - {8C38E844-57F2-3EDD-FEEA-F53BAA76633A} - C:\WINDOWS\crgs32.dll
    O2 - BHO: Class - {8C69AF50-B4D5-7388-4CA4-3D0EEF96193F} - C:\WINDOWS\netaz.dll
    O2 - BHO: Class - {8D1F9E37-0A0E-42B8-D6EE-2A8A3257FE9F} - C:\WINDOWS\iedt32.dll
    O2 - BHO: Class - {8D565590-A209-9855-93F1-821B80B1EAD4} - C:\WINDOWS\iewq.dll
    O2 - BHO: Class - {8EDB05B3-5843-24CB-46FB-6FA177E65713} - C:\WINDOWS\ntsp32.dll
    O2 - BHO: Class - {927E57D6-F30D-0656-3454-9DCE557E5E8E} - C:\WINDOWS\system32\sysxr32.dll
    O2 - BHO: Class - {9291DF23-029D-DC8D-B7E6-64BEFF3F25AF} - C:\WINDOWS\system32\winyt32.dll
    O2 - BHO: Class - {92E41AF0-C151-25C6-66EF-4B3CE41A3E92} - C:\WINDOWS\system32\sysye.dll
    O2 - BHO: Class - {933B6E2E-FEA0-1AF1-B7C0-9FE2EF16849A} - C:\WINDOWS\javayp32.dll
    O2 - BHO: Class - {992CC6B0-F19C-96EB-B2AC-26F988029CAD} - C:\WINDOWS\ippf.dll
    O2 - BHO: Class - {9FD3E41B-894A-375B-D1FB-85FBCC6A9DFF} - C:\WINDOWS\system32\netua.dll
    O2 - BHO: Class - {A0F1D4D8-ADE0-D9D7-4BE2-92D771F1BC8A} - C:\WINDOWS\ntor32.dll
    O2 - BHO: Class - {A0FC711E-2AC4-5B52-9D75-90B797E38DED} - C:\WINDOWS\system32\mfcab.dll
    O2 - BHO: Class - {A77FBB24-6758-A44E-FEB7-E7CF6EE350DB} - C:\WINDOWS\mfcdg.dll
    O2 - BHO: Class - {AC152C0C-381B-A230-6B29-1A23741F4A9A} - C:\WINDOWS\ipki.dll
    O2 - BHO: Class - {B35C1647-FF47-9FEF-3DE2-7B4BBD5741D3} - C:\WINDOWS\mfcgv.dll
    O2 - BHO: Class - {B661DFA3-1238-16D4-3926-4935BAF6CB6F} - C:\WINDOWS\system32\ntud32.dll
    O2 - BHO: Class - {B912E0DE-C5DE-D46B-A8B0-802D6CB6F68C} - C:\WINDOWS\appyc32.dll
    O2 - BHO: Class - {BE2BEA96-036C-1422-910E-62600A0061B9} - C:\WINDOWS\system32\javafn.dll
    O2 - BHO: Class - {C29B2852-3733-DE06-C399-8E0A964E2124} - C:\WINDOWS\system32\d3ur32.dll
    O2 - BHO: Class - {C6D6D264-D1BF-2B26-E95A-909FFD54938F} - C:\WINDOWS\sdkkt.dll
    O2 - BHO: Class - {C8C69528-DCF0-EAE8-04F8-ADE94307B6EE} - C:\WINDOWS\ipig.dll
    O2 - BHO: Class - {D27E597C-B77D-B4D7-FB04-A926F90AF9B2} - C:\WINDOWS\system32\iehc32.dll
    O2 - BHO: Class - {E5ABA926-4A51-C5FD-9089-0E3741C5ED04} - C:\WINDOWS\system32\netuf32.dll
    O2 - BHO: Class - {E61BC869-33C7-AC36-F015-C0910E22E342} - C:\WINDOWS\system32\wintz32.dll
    O2 - BHO: Class - {E97180CF-0651-4CEB-8F0C-B9D3C4877FE2} - C:\WINDOWS\system32\apitk32.dll
    O2 - BHO: Class - {EAC75C37-4B26-E9E1-9622-A78D21C5DB24} - C:\WINDOWS\system32\javamu.dll
    O2 - BHO: Class - {EC5F1AF3-CF0D-5AC3-A2FD-C4AD27BAD24A} - C:\WINDOWS\sysyl32.dll
    O2 - BHO: Class - {F0369D81-D189-AC88-E454-02C0B2632F5E} - C:\WINDOWS\d3cc.dll
    O2 - BHO: Class - {F8F6985E-5F1E-9567-733D-D3264B60E41C} - C:\WINDOWS\d3oy.dll
    O2 - BHO: (no name) - {FA368488-8008-3889-4E2F-86BBFD486BD2} - (no file)
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [systx.exe] C:\WINDOWS\systx.exe
    O4 - HKLM\..\Run: [ipui32.exe] C:\WINDOWS\ipui32.exe
    O4 - HKLM\..\Run: [netzl.exe] C:\WINDOWS\system32\netzl.exe
    O4 - HKLM\..\RunOnce: [mfcsu32.exe] C:\WINDOWS\system32\mfcsu32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Startup: SBC.lnk = ?
    O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16756ba3...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netst32.exe (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


  2. #2
    Neal is offline Dedicated Member
    Welcome back to DAL,

    You have a severe CoolWebSearch infection and it will take several steps and several tools to get rid of this pest. With as many files as we need to delete, the instructions to do so may take me 2 posts to get it all down. This is going to be long, sorry. Heavily infected.
    --------------------------------------------------------------------------------------------------------
    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong
    ----------------------------------------------------------------------------------------------------------
    Be sure to use Firefox throughout this whole fix please.
    ---------------------------------------------------------------------------------------------------
    Make sure you can see hidden files/folders
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.
    -----------------------------------------------------------------------------------------------------
    Go to start >run and type: services.msc and click OK
    Scroll down in that list and look if the following services are present:

    Network Security Service (NSS)
    Remote Procedure Call (RPC) Helper
    Workstation NetLogon Service

    Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

    Doubleclick on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
    Click apply and OK and close all open windows.
    ---------------------------------------------------------------------------------------------------

    Please read the complete post first, you should copy and paste this post to a new text Document or print it.

    Download and install http://www.ccleaner.com/ccdownload.php (do not run it yet)

    Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later

    Download and save to your Desktop, don't run it now, we will use it later:
    http://securityresponse.symantec.com...r/FxAgentB.exe

    Next,
    Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
    Install it and check for updates then exit, we will use it later.

    Next,
    Please download CWShredder from here (this is the older version), then exit; do not run it yet: http://www.thatcomputerguy.us/downloads-cat4.html

    Download About:Buster from here:

    http://majorgeeks.com/download4289.html

    Unzip it to its own DESKTOP folder: right click an open area on the desktop, click New, then New Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.

    Please open/run the program and check for updates. After you update it exit.
    Do not run the actual scan/fix until instructed.

    Disconnect from the internet--pull the plug or fix will fail

    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

    Run HijackThis
    Click on scan and put a check on the following lines, if they are still there

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {00A88ECE-D542-06D0-B1E9-091150D86D41} - C:\WINDOWS\system32\msxj32.dll (file missing)


    Everything from here:
    O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll

    All the 02's in between

    To here:
    O2 - BHO: (no name) - {FA368488-8008-3889-4E2F-86BBFD486BD2} - (no file)

    O4 - HKLM\..\Run: [systx.exe] C:\WINDOWS\systx.exe
    O4 - HKLM\..\Run: [ipui32.exe] C:\WINDOWS\ipui32.exe
    O4 - HKLM\..\Run: [netzl.exe] C:\WINDOWS\system32\netzl.exe
    O4 - HKLM\..\RunOnce: [mfcsu32.exe] C:\WINDOWS\system32\mfcsu32.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16756ba...ip/RdxIE601.cab


    Make sure all browser and all Windows Explorer windows are closed and click on fix.

    Shut down all running programs, make sure that you are not connected to the internet!
    Double-click the FxAgentB.exe file to start the removal tool.
    Save the log it makes and post it in your next reply.
    Please do NOT start any other applications until the removal tool exits and the computer is restarted.

    Restart the computer back into safe mode.

    Hunt for and delete these files/folders:
    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Delete every single one I flagged for fixing in HijackThis (some are missing, thank goodness).
    There are just too many for me to put in one post. Please do not miss a single one or the whole thing may come back. This one also, this is the brains of the outfit:
    C:\WINDOWS\eavqd.dll

    Then after the above:

    Start CCleaner and click: Run Cleaner (use Windows tab only).

    Run Adaware and perform a full system scan.

    Take your time and please do not miss a single step or file.

    Reboot and post a new HijackThis log.

  3. #3
    zachisbest is offline Junior Member
    Okay, I know I made some mistakes. There were just too many instructions. I believe I mostly messed up the following:
    I was having trouble navigating Firefox (as I was not used to it regarding finding and deleting files). I couldn't find a lot of the files I thought would be there. Also when I ran FxAgentB there was no log file at the end that I recall. All it said was something about removing a backdoor agent B. Here is my latest HijackThis log file.
    Thanks so far. I really appreciate it.
    Zach



    Logfile of HijackThis v1.99.1
    Scan saved at 3:48:07 PM, on 11/09/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\d3ek32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Retail STAR\dbntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Retail STAR\StarSchd.exe
    C:\WINDOWS\msrb32.exe
    C:\WINDOWS\system32\ntwv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {5C267B93-C66C-AF60-B81B-E8BFC8C44980} - C:\WINDOWS\msrb32.dll
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
    O4 - HKLM\..\RunOnce: [ntwv.exe] C:\WINDOWS\system32\ntwv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Startup: SBC.lnk = ?
    O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

  4. #4
    Neal is offline Dedicated Member
    Hi, you did just fine, excellent actually. If the fixagentB tool found it that is very good.


    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong


    Go to start >run and type: services.msc and click OK
    Scroll down in that list and look if the following services are present:

    Network Security Service (NSS)
    Remote Procedure Call (RPC) Helper
    Workstation NetLogon Service

    Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

    Doubleclick on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
    Click apply and OK and close all open windows.


    Next:

    Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Network Security Service and press OK. OK any prompts, close HijackThis, and restart your computer.

    If the other two are there do the same as above (one at a time) for them, if we don't kill these the infection will come back. Reboot each time one is deleted please.

    Now


    Reboot into safe mode again


    Scan with HJT again and put a check next to these items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {5C267B93-C66C-AF60-B81B-E8BFC8C44980} - C:\WINDOWS\msrb32.dll

    O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
    O4 - HKLM\..\RunOnce: [ntwv.exe] C:\WINDOWS\system32\ntwv.exe

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe


    Make sure everything is closed out of and click fix checked.

    Still in safe mode

    Hunt for and delete if found:

    C:\WINDOWS\msrb32.dll

    C:\WINDOWS\d3ek32.exe

    C:\WINDOWS\system32\ntwv.exe


    Reboot normal mode and post a new HJT log please

  5. #5
    zachisbest is offline Junior Member
    Only Network Security Service was there. I stopped it and disabled it, but when I try to delete it from HijackThis an error message comes up that it cannot be found in the registry. I tried many spellings but can't get it to work. Any suggestions?
    Zach

  6. #6
    Neal is offline Dedicated Member
    HI, just do the rest and post a HJT log thanks.

  7. #7
    zachisbest is offline Junior Member
    Here is the latest log. Also when I started it up in normal mode I got an error message that ntwv.exe was missing. I feel as if we are winning but we have not won yet.
    -Zach

    Logfile of HijackThis v1.99.1
    Scan saved at 8:28:46 PM, on 11/09/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\msrb32.exe
    C:\WINDOWS\d3cj32.exe
    C:\Program Files\Retail STAR\dbntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Retail STAR\StarSchd.exe
    C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
    O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
    O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
    O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
    O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Startup: SBC.lnk = ?
    O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
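
As an added example (not part of the thread and not HijackThis's own code): a small Python parser for the log format posted above that diffs the autostart entries (O2, O4, O23) of two scans and applies the exact-name service check described in post #2. The sample lines are abridged from the logs in posts #3 and #7, with the unprintable short service name replaced by `...`; all function names are hypothetical.

```python
import re
from typing import NamedTuple

# Service display names the thread lists as malicious. Matching is exact:
# "Remote Procedure Call (RPC)" without "Helper" is a legitimate service.
BAD_SERVICE_NAMES = {
    "Network Security Service (NSS)",
    "Remote Procedure Call (RPC) Helper",
    "Workstation NetLogon Service",
}
AUTOSTART_CODES = {"O2", "O4", "O23"}  # BHOs, Run keys/Startup, NT services

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]*?\.(?:exe|dll)', re.IGNORECASE)

# Abridged from the logs in posts #3 and #7; the unprintable short service
# name is replaced by "..." so the sample stays plain ASCII.
SCAN_POST_3 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5C267B93-C66C-AF60-B81B-E8BFC8C44980} - C:\WINDOWS\msrb32.dll
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\RunOnce: [ntwv.exe] C:\WINDOWS\system32\ntwv.exe
O23 - Service: Network Security Service (NSS) (...) - Unknown owner - C:\WINDOWS\msrb32.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""
SCAN_POST_7 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
O23 - Service: Network Security Service (NSS) (...) - Unknown owner - C:\WINDOWS\msrb32.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""


class Entry(NamedTuple):
    code: str    # HijackThis section code, e.g. "O2", "O4", "O23"
    detail: str  # everything after "CODE - "


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def image_path(detail):
    """Return the first .exe/.dll path mentioned in an entry, or None."""
    m = PATH_RE.search(detail)
    return m.group(0) if m else None


def service_names(detail):
    """Candidate display names of an O23 entry, with and without the
    trailing '(short name)' that HijackThis appends."""
    if not detail.startswith("Service: "):
        return set()
    name_part = detail[len("Service: "):].rsplit(" - ", 2)[0]
    names = {name_part}
    m = re.match(r"^(.*\S)\s+\([^()]*\)$", name_part)
    if m:
        names.add(m.group(1))
    return names


def flagged_services(entries):
    """O23 entries whose display name exactly equals a listed bad name."""
    return [e for e in entries
            if e.code == "O23" and service_names(e.detail) & BAD_SERVICE_NAMES]


def diff_scans(before, after):
    """Compare autostart entries of two scans, preserving log order."""
    old = [e for e in before if e.code in AUTOSTART_CODES]
    new = [e for e in after if e.code in AUTOSTART_CODES]
    return {
        "new": [e for e in new if e not in old],
        "gone": [e for e in old if e not in new],
        "persisting": [e for e in new if e in old],
    }


if __name__ == "__main__":
    before, after = parse_log(SCAN_POST_3), parse_log(SCAN_POST_7)
    for label, items in diff_scans(before, after).items():
        for e in items:
            print(f"{label:10} {e.code:3} {image_path(e.detail)}")
    for e in flagged_services(after):
        print("bad service still registered:", e.detail)
```

On these samples the diff shows the flagged service still registered while the BHO and Run entries reappear under new file names between the two scans.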

  8. #8
    Neal is offline Dedicated Member
    Hi,

    I asked two times and this is the third time to please do this so there can be available backups in case a mistake was made: Thanks

    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong.



    Download KillBox from here:---Please download TheKillbox by Option^Explicit.
    from here:
    http://downloads.subratam.org/KillBox.zip
    or here:
    http://download.broadbandmedic.com/
    or here:
    http://www.bleepingcomputer.com/file...re/KillBox.zip
    Unzip it to the desktop but do NOT run it yet.


    Disconnect from the internet---pull the plug

    Reboot into safe mode



    Once in Safe Mode, please run Killbox.

    Select "Delete on Reboot".

    Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\ieby32.dll
    C:\WINDOWS\apppo.dll
    C:\WINDOWS\nettq32.dll
    C:\WINDOWS\system32\ntgb32.dll
    C:\WINDOWS\d3ek32.exe
    C:\WINDOWS\d3cj32.exe
    C:\WINDOWS\msrb32.exe


    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button/looks like a stop sign. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If your computer does not restart automatically, please restart it manually.


    Scan with HJT and put a check by these items please: if still there

    O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
    O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
    O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
    O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll

    O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
    O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe


    Make sure nothing is running but HJT, nothing showing in bottom task bar and click fix checked.


    Reboot into safe mode

    Run the CWShredders again also please from safe mode click fix on both


    Hunt for and delete these please: if found

    C:\WINDOWS\ieby32.dll < file
    C:\WINDOWS\apppo.dll < file
    C:\WINDOWS\nettq32.dll
    C:\WINDOWS\system32\ntgb32.dll
    C:\WINDOWS\d3ek32.exe < file
    C:\WINDOWS\d3cj32.exe < file
    C:\WINDOWS\msrb32.exe < file


    Reboot normal mode and:


    1. Please download dllcompare (a scanner to locate hidden DLL files) from this location:
    DLLCompare
    2. When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - Simply select the path and check off the box labelled "Include SubDirectories"
    3. Click on "Locate.com" and allow the scan to complete.
    4. After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
    5. If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
    6. When prompted to "View Log File" click on "Yes".
    7. Notepad will open with the log file contents.
    8. In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.

    Then

    Post the dllcompare log and a new hjt log please.

  9. #9
    zachisbest is offline Junior Member
    I believe the dll compare log is empty. Sorry about the whole HJT log on the desktop thing. I just thought I wouldn't make any mistakes and it would all be okay. How did you know? Anyway, thanks for everything.
    -Zach


    * DLLCompare Log version()
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found "
    ________________________________________________

    2,569 items found: 2,567 files, 2 directories.
    Total of file sizes: 474,336,495 bytes 452.36 M

    Administrator Account = True

    --------------------End log---------------------


    Logfile of HijackThis v1.99.1
    Scan saved at 4:30:04 PM, on 11/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Retail STAR\dbntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Retail STAR\StarSchd.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Retail STAR\POSStar.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Startup: SBC.lnk = ?
    O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
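The comparison between the items flagged in post #8 and the follow-up log in post #9 can be scripted. This is an added example, not part of the original thread: the function names `parse_entries` and `still_present` are hypothetical, and the sample lines are copied from the two posts.

```python
import re

# A HijackThis entry line is "<section> - <detail>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Drive-letter path ending in .exe or .dll anywhere inside the detail text.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)

def parse_entries(log_text):
    """Return (section, detail) pairs; header and process-list lines are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]

def still_present(flagged_paths, log_text):
    """Return (section, path) for each entry that still references a flagged file."""
    flagged = {p.lower() for p in flagged_paths}  # Windows paths are case-insensitive
    return [(section, path)
            for section, detail in parse_entries(log_text)
            for path in PATH_RE.findall(detail)
            if path.lower() in flagged]

# Files listed for deletion in post #8.
FLAGGED = [r"C:\WINDOWS\ieby32.dll", r"C:\WINDOWS\apppo.dll",
           r"C:\WINDOWS\nettq32.dll", r"C:\WINDOWS\system32\ntgb32.dll",
           r"C:\WINDOWS\d3ek32.exe", r"C:\WINDOWS\d3cj32.exe",
           r"C:\WINDOWS\msrb32.exe"]

# Entries flagged in post #8 (the state before the fix).
BEFORE = r"""
O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
"""

# Excerpt of the follow-up log in post #9 (the state after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        hits = still_present(FLAGGED, log)
        print(label, "clean" if not hits else hits)
```

A clean result only shows that no autostart entry references the flagged files any more; it does not show that the files are gone from disk, which is what the separate "hunt for and delete" step covers.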

  10. #10
    Neal is offline Dedicated Member
    Beautiful job,

    Just a couple more Hijackthis fixes and you should be good to go, unless there is something I don't know about.


    Scan with Hijackthis again and put a check next to these items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing


    Make sure everything is closed out of and click fix checked.

    Post hopefully one more HijackThis log, and if all is OK I will have some free prevention tools for you to use if you so like. They will help keep you a lot safer. Although you don't have to use them all, I do highly suggest SpywareBlaster and SpywareGuard, and also Regprotect.
