Help with looking-for.cc spyware

Grakus · #1 (**permalink**) 07-05-2005, 06:08 AM

Hey i have some spyware that i cant seem to get rid of. I have two programs in the add/remove programs list (Search Extender and Shopping Wizard) that i cant get rid of. My homepage is also resetting to about:blank and i keep getting three links reposted in my favourites whenever i reboot. I have tried spybot and adaware but niether of them seem to find these files. Any help would be greatly apprieciated as this is a pain in the butt! =) Here is HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:49 PM, on 7/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\mfcbs32.exe
C:\WINDOWS\javabv32.exe
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {433C7071-2FBD-32B1-026E-7B1AF33C122A} - C:\WINDOWS\system32\javacx.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [javabv32.exe] C:\WINDOWS\javabv32.exe
O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thankyou for taking the time to look at this.

HJThis · #2 (**permalink**) 07-05-2005, 12:00 PM

Hello,Grakus & Welcome

First do this for me

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

& now

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\javabv32.exe
C:\WINDOWS\mfcbs32.exe
C:\WINDOWS\system32\javacx.dll

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.

Now Download the following Cleanup! About:Buster, CWshredder,Ad-aware, & Spy-bot

* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rezit.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {433C7071-2FBD-32B1-026E-7B1AF33C122A} - C:\WINDOWS\system32\javacx.dll

O4 - HKLM\..\Run: [javabv32.exe] C:\WINDOWS\javabv32.exe
O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
O4 - Startup: PowerReg Scheduler.exe

These items here are they your ISP???? if yes do not fix
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzv.exe (file missing)

and click fix.

Remain in safe mode for the next part of the removal.

- First Run the Cleanit! Program

- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'

* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."

Press 'Proceed'

Press 'Start'

* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:

Click 'Customize'

* Make sure the following are all are Checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URL'S
o 'Scan My Hosts File'

Click 'Proceed'

* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'

Close Out Ad-aware

Open Spybot.

* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all finding are checked and click 'Fix Selected Problems'

Close SpyBot!

Now Delete the following Files.

Files:
C:\WINDOWS\ntzv.exe << This file
C:\WINDOWS\system32\javacx.dll << This file
C:\WINDOWS\mfcbs32.exe << This file
C:\WINDOWS\javabv32.exe << This file

Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Once complete post a fresh Hijackthis log in your thread.

HGD

Grakus · #3 (**permalink**) 07-05-2005, 04:04 PM

Hey i followed those steps of yours and found some files in HijackThis to be different to the ones on the list you gave me and i still seem to have the about:home problem. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12

03 AM, on 8/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\netvq32.exe
C:\WINDOWS\crek32.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {66059432-BCBA-0EE4-3589-73A184B410A7} - C:\WINDOWS\system32\netdm.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [crek32.exe] C:\WINDOWS\crek32.exe
O4 - HKLM\..\RunOnce: [netvq32.exe] C:\WINDOWS\netvq32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Downloads\cwshredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Sorry to be an inconvienience. I am very appreciative of youe help.

HJThis · #4 (**permalink**) 07-05-2005, 08:28 PM

Hey,Grakus

First no need to be sorry but lit me add this once you start
the fix don't stop go from start to end just take your time

Hello,Grakus & Welcome

First do this for me

Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong

& now

First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\crek32.exe
C:\WINDOWS\netvq32.exe
C:\WINDOWS\system32\netdm.dll

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC) . These are the legitimate services. Do not stop those two.

Now Download the following Cleanup! About:Buster, CWshredder,Ad-aware, & Spy-bot

* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.

Run Hijackthis and place a check next to the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\riskl.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {66059432-BCBA-0EE4-3589-73A184B410A7} - C:\WINDOWS\system32\netdm.dll

O4 - HKLM\..\Run: [crek32.exe] C:\WINDOWS\crek32.exe
O4 - HKLM\..\RunOnce: [netvq32.exe] C:\WINDOWS\netvq32.exe
O4 - Startup: PowerReg Scheduler.exe

As i had said before if this is your ISP???? don't fix them
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntzv.exe (file missing)

and click fix.

Remain in safe mode for the next part of the removal.

- First Run the Cleanit! Program

- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >

now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.

- Double-Click CWShredder and click 'Fix'

* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."

Press 'Proceed'

Press 'Start'

* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:

Click 'Customize'

* Make sure the following are all are Checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URL'S
o 'Scan My Hosts File'

Click 'Proceed'

* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'

Close Out Ad-aware

Open Spybot.

* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all finding are checked and click 'Fix Selected Problems'

Close SpyBot!

Now Delete the following Files.

Files:
C:\WINDOWS\ntzv.exe << This file
C:\WINDOWS\netvq32.exe << This file
C:\WINDOWS\crek32.exe << This file
C:\WINDOWS\system32\netdm.dll << This file

Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Once complete post a fresh Hijackthis log in your thread.

HGD

Grakus · #5 (**permalink**) 08-05-2005, 05:26 AM

Hi, okay i ran through those steps and my problems seem to be fixed (Atleast no pesky about:blank and searchhelpers in my add/remove program listst). Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:02 PM, on 8/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Downloads\cwshredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thankyou very much for your help so far in this issue =)

HJThis · #6 (**permalink**) 08-05-2005, 06:01 AM

Hey,Grakus

You did some great work on this

now do this here

click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults (M$)......

Change your homepage and search engines to whatever you wish and reset your pc.

When it boots back up, open IE and see if the page stays the way that you set it.

once you do the above if all is good get these progs here

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
http://www.javacoolsoftware.com/spywareguard.html

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

also you should think about using Firefox & Mozilla just use IE for updates

Get your Firefox here

Mo who

HGD

Grakus · #7 (**permalink**) 08-05-2005, 10:05 AM

Okay well it all seems to be running good now! Thankyou very much for all the help you gave me =) Thanks again.

Grakus

HJThis · #8 (**permalink**) 08-05-2005, 12:42 PM

Hi,Grakus

No problem thanks for having DAL give you a hand

please make sure to install them tools

HGD