


Spyware seems to invade at the worst times

  #1 (permalink)  
Old 09-11-2005, 12:17 AM
Junior Member
New Recruit
 
Join Date: Jan 2005
Posts: 26
zachisbest Is a beginner here at D-A-L
Spyware seems to invade at the worst times

There seems to be some spyware that my computer scans can't pick up. You guys have always helped me weed out my bad files and registry items in the past. I would really appreciate it if you could isolate the problem for me again.
Thank you so much
Zach

Logfile of HijackThis v1.99.1
Scan saved at 3:14:16 PM, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Retail STAR\dbntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\mfcsu32.exe
C:\WINDOWS\system32\netzl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Retail STAR\StarSchd.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\The Village Hat Shop\Desktop\Adware stuff\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00A88ECE-D542-06D0-B1E9-091150D86D41} - C:\WINDOWS\system32\msxj32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll
O2 - BHO: Class - {0B937114-0E13-062A-9867-38F38B2CC09F} - C:\WINDOWS\system32\addvr.dll (file missing)
O2 - BHO: Class - {13C5BB54-5447-119B-46D2-63264CDBEC0F} - C:\WINDOWS\atlxm.dll (file missing)
O2 - BHO: Class - {14ACC8C5-5DB2-26C5-6B40-0B8750DAAFDE} - C:\WINDOWS\system32\javaro.dll (file missing)
O2 - BHO: Class - {17399FDF-699F-E10C-F790-3872A961BD8F} - C:\WINDOWS\system32\d3kh.dll (file missing)
O2 - BHO: Class - {24A9B7CC-0A40-BEE6-67C3-A5771F0A62F7} - C:\WINDOWS\system32\atlba32.dll (file missing)
O2 - BHO: Class - {257D6D3D-1C77-15FB-6BF6-9347E8F69CEB} - C:\WINDOWS\system32\ipia.dll (file missing)
O2 - BHO: Class - {2B56AA49-1949-09E1-63C4-F9A683F6EB92} - C:\WINDOWS\system32\addov32.dll (file missing)
O2 - BHO: Class - {2E34D0ED-0B55-5C98-05DD-51F59AB52E3A} - C:\WINDOWS\crla.dll (file missing)
O2 - BHO: Class - {3090709C-6EA7-0316-84DA-2AC3A09FD1CB} - C:\WINDOWS\crug32.dll
O2 - BHO: Class - {325EAD02-95B5-830B-5E5C-CD067BAA172B} - C:\WINDOWS\system32\sysmt.dll (file missing)
O2 - BHO: Class - {41FF1819-6FA4-A22B-A9BB-7621D02FEE43} - C:\WINDOWS\javaff32.dll (file missing)
O2 - BHO: Class - {47AC66D0-CE97-D311-E35F-40428823161F} - C:\WINDOWS\system32\cryr32.dll (file missing)
O2 - BHO: Class - {4BE23432-C392-D735-5711-ADB1E652BF8E} - C:\WINDOWS\system32\atlzk.dll (file missing)
O2 - BHO: Class - {5883D979-5C1C-5AE9-C370-C39713BB8756} - C:\WINDOWS\addfg32.dll (file missing)
O2 - BHO: Class - {58E19DDB-FF55-C80E-005C-675F6F8331B0} - C:\WINDOWS\system32\apivy.dll (file missing)
O2 - BHO: Class - {646F6A47-24D0-2033-3709-4F9D79ED6FC9} - C:\WINDOWS\atlpe.dll (file missing)
O2 - BHO: Class - {67376861-75B6-22CE-83C5-3D32CF86C703} - C:\WINDOWS\system32\addcn.dll
O2 - BHO: Class - {69C2D265-3B93-BC0A-676E-D0FD27DA5AC6} - C:\WINDOWS\system32\winvw.dll
O2 - BHO: Class - {70958982-9286-4C4E-3FD3-FEC16A115FBF} - C:\WINDOWS\javakk.dll
O2 - BHO: Class - {75FF0CF0-2B28-1964-55E8-CDEF044A53AC} - C:\WINDOWS\system32\ipyf32.dll
O2 - BHO: Class - {8044BFB2-40EC-C70A-C711-736B0EE1248F} - C:\WINDOWS\system32\winuw32.dll
O2 - BHO: Class - {8C2CBD99-0FCD-5C08-EDD5-4E5F4A8D33A0} - C:\WINDOWS\system32\javamy32.dll
O2 - BHO: Class - {8C38E844-57F2-3EDD-FEEA-F53BAA76633A} - C:\WINDOWS\crgs32.dll
O2 - BHO: Class - {8C69AF50-B4D5-7388-4CA4-3D0EEF96193F} - C:\WINDOWS\netaz.dll
O2 - BHO: Class - {8D1F9E37-0A0E-42B8-D6EE-2A8A3257FE9F} - C:\WINDOWS\iedt32.dll
O2 - BHO: Class - {8D565590-A209-9855-93F1-821B80B1EAD4} - C:\WINDOWS\iewq.dll
O2 - BHO: Class - {8EDB05B3-5843-24CB-46FB-6FA177E65713} - C:\WINDOWS\ntsp32.dll
O2 - BHO: Class - {927E57D6-F30D-0656-3454-9DCE557E5E8E} - C:\WINDOWS\system32\sysxr32.dll
O2 - BHO: Class - {9291DF23-029D-DC8D-B7E6-64BEFF3F25AF} - C:\WINDOWS\system32\winyt32.dll
O2 - BHO: Class - {92E41AF0-C151-25C6-66EF-4B3CE41A3E92} - C:\WINDOWS\system32\sysye.dll
O2 - BHO: Class - {933B6E2E-FEA0-1AF1-B7C0-9FE2EF16849A} - C:\WINDOWS\javayp32.dll
O2 - BHO: Class - {992CC6B0-F19C-96EB-B2AC-26F988029CAD} - C:\WINDOWS\ippf.dll
O2 - BHO: Class - {9FD3E41B-894A-375B-D1FB-85FBCC6A9DFF} - C:\WINDOWS\system32\netua.dll
O2 - BHO: Class - {A0F1D4D8-ADE0-D9D7-4BE2-92D771F1BC8A} - C:\WINDOWS\ntor32.dll
O2 - BHO: Class - {A0FC711E-2AC4-5B52-9D75-90B797E38DED} - C:\WINDOWS\system32\mfcab.dll
O2 - BHO: Class - {A77FBB24-6758-A44E-FEB7-E7CF6EE350DB} - C:\WINDOWS\mfcdg.dll
O2 - BHO: Class - {AC152C0C-381B-A230-6B29-1A23741F4A9A} - C:\WINDOWS\ipki.dll
O2 - BHO: Class - {B35C1647-FF47-9FEF-3DE2-7B4BBD5741D3} - C:\WINDOWS\mfcgv.dll
O2 - BHO: Class - {B661DFA3-1238-16D4-3926-4935BAF6CB6F} - C:\WINDOWS\system32\ntud32.dll
O2 - BHO: Class - {B912E0DE-C5DE-D46B-A8B0-802D6CB6F68C} - C:\WINDOWS\appyc32.dll
O2 - BHO: Class - {BE2BEA96-036C-1422-910E-62600A0061B9} - C:\WINDOWS\system32\javafn.dll
O2 - BHO: Class - {C29B2852-3733-DE06-C399-8E0A964E2124} - C:\WINDOWS\system32\d3ur32.dll
O2 - BHO: Class - {C6D6D264-D1BF-2B26-E95A-909FFD54938F} - C:\WINDOWS\sdkkt.dll
O2 - BHO: Class - {C8C69528-DCF0-EAE8-04F8-ADE94307B6EE} - C:\WINDOWS\ipig.dll
O2 - BHO: Class - {D27E597C-B77D-B4D7-FB04-A926F90AF9B2} - C:\WINDOWS\system32\iehc32.dll
O2 - BHO: Class - {E5ABA926-4A51-C5FD-9089-0E3741C5ED04} - C:\WINDOWS\system32\netuf32.dll
O2 - BHO: Class - {E61BC869-33C7-AC36-F015-C0910E22E342} - C:\WINDOWS\system32\wintz32.dll
O2 - BHO: Class - {E97180CF-0651-4CEB-8F0C-B9D3C4877FE2} - C:\WINDOWS\system32\apitk32.dll
O2 - BHO: Class - {EAC75C37-4B26-E9E1-9622-A78D21C5DB24} - C:\WINDOWS\system32\javamu.dll
O2 - BHO: Class - {EC5F1AF3-CF0D-5AC3-A2FD-C4AD27BAD24A} - C:\WINDOWS\sysyl32.dll
O2 - BHO: Class - {F0369D81-D189-AC88-E454-02C0B2632F5E} - C:\WINDOWS\d3cc.dll
O2 - BHO: Class - {F8F6985E-5F1E-9567-733D-D3264B60E41C} - C:\WINDOWS\d3oy.dll
O2 - BHO: (no name) - {FA368488-8008-3889-4E2F-86BBFD486BD2} - (no file)
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [systx.exe] C:\WINDOWS\systx.exe
O4 - HKLM\..\Run: [ipui32.exe] C:\WINDOWS\ipui32.exe
O4 - HKLM\..\Run: [netzl.exe] C:\WINDOWS\system32\netzl.exe
O4 - HKLM\..\RunOnce: [mfcsu32.exe] C:\WINDOWS\system32\mfcsu32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: SBC.lnk = ?
O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16756ba3...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netst32.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  #2 (permalink)  
Old 09-11-2005, 01:19 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Spyware seems to invade at the worst times

Welcome back to DAL,

You have a severe CoolWebSearch infection, and it will take several steps and several tools to get rid of this pest. As there are many files that we need to delete, with instructions to do so, it may take me 2 posts to get it all down. This is going to be long, sorry. Heavily infected.
--------------------------------------------------------------------------------------------------------
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong
----------------------------------------------------------------------------------------------------------
Be sure to use Firefox throughout this whole fix please.
---------------------------------------------------------------------------------------------------
Make sure you can see hidden files/folders
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.
-----------------------------------------------------------------------------------------------------
Go to start >run and type: services.msc and click OK
Scroll down in that list and look if the following services are present:

Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service

Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

Double-click on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.
---------------------------------------------------------------------------------------------------

Please read the complete post first, you should copy and paste this post to a new text Document or print it.

Download and install http://www.ccleaner.com/ccdownload.php---do not run yet

Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later.

Download and save to your Desktop, don't run it now, we will use it later:
http://securityresponse.symantec.com...r/FxAgentB.exe

Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.

Next,
Please download CWShredder from here (this is the older version), then exit, do not run it yet: http://www.thatcomputerguy.us/downloads-cat4.html

Download About:Buster from here:

http://majorgeeks.com/download4289.html

Unzip it to its own DESKTOP folder: right click an open area on the desktop, click New, then Folder, and name the folder Aboutbuster. It is VITAL that it be unzipped.

Please open/run the program and check for updates. After you update it exit.
Do not run the actual scan/fix until instructed.

Disconnect from the internet--pull the plug, or the fix will fail.

Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.

Run HijackThis
Click on scan and put a check on the following lines, if they are still there

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {00A88ECE-D542-06D0-B1E9-091150D86D41} - C:\WINDOWS\system32\msxj32.dll (file missing)


Everything from here:
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll

All the O2's in between

To here:
O2 - BHO: (no name) - {FA368488-8008-3889-4E2F-86BBFD486BD2} - (no file)

O4 - HKLM\..\Run: [systx.exe] C:\WINDOWS\systx.exe
O4 - HKLM\..\Run: [ipui32.exe] C:\WINDOWS\ipui32.exe
O4 - HKLM\..\Run: [netzl.exe] C:\WINDOWS\system32\netzl.exe
O4 - HKLM\..\RunOnce: [mfcsu32.exe] C:\WINDOWS\system32\mfcsu32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16756ba...ip/RdxIE601.cab


Make sure all browser and all Windows Explorer windows are closed and click on fix.

Shut down all running programs, make sure that you are not connected to the internet!
Double-click the FxAgentB.exe file to start the removal tool.
Save the log it makes and post it in your next reply.
Please do NOT start any other applications until the removal tool exits and the computer is restarted.

Restart the computer back into safe mode.

Hunt for and delete these files/folders:
If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Delete every single file I flagged for fixing in HijackThis (some are missing, thank goodness).
There are just too many for me to put in one post. Please do not miss a single one or the whole thing may come back. This one also; this is the brains of the outfit:
C:\WINDOWS\eavqd.dll

Then after the above:

Start CCleaner and click Run Cleaner (use the Windows tab only).

Run Adaware and perform a full system scan.

Take your time and please do not miss a single step or file.

Reboot and post a new HijackThis log.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

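The indicators Neal picks out of the log by hand above (IE search settings redirected into a res:// resource of a DLL, BHOs with a generic "Class" or "(no name)" entry, autostarts of random-named executables sitting directly in the Windows directory, and the rogue service names, matched exactly so the legitimate "Remote Procedure Call (RPC)" service is never confused with the "Helper" one) can be turned into a small triage script. This is an added example written for this thread, not HijackThis code or anything posted by the thread's participants. The ctfmon.exe allowlist and the one "Remote Procedure Call (RPC)" service line are constructed assumptions for the example; the other sample lines are taken from the first log above.

```python
"""Triage a HijackThis 1.99 log for the CoolWebSearch indicators discussed in the thread.

Example code added for this thread; not HijackThis code or part of any project.
The allowlist and the sample log below are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Display names of the rogue services the thread tells the user to stop and disable.
# Matching is exact on purpose: the legitimate "Remote Procedure Call (RPC)" service
# (no "Helper") must never match.
ROGUE_SERVICE_NAMES = frozenset({
    "Network Security Service (NSS)",
    "Remote Procedure Call (RPC) Helper",
    "Workstation NetLogon Service",
})

# Assumption for this example: a tiny allowlist of legitimate Microsoft autostarts that
# live in the Windows directories. A real tool would use a fuller list or file hashes.
KNOWN_GOOD_AUTOSTARTS = frozenset({"ctfmon.exe"})
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")

_SEARCH_RE = re.compile(r"^R[013] - .*= (?P<url>res://.+\.dll/.*)$")
_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_SVC_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O2"
    reason: str
    line: str


def split_service(rest: str) -> Tuple[str, str, str]:
    """Split 'Display (short) - Owner - Path' into (display, owner, path).

    The display name may itself contain parentheses, e.g. 'Network Security
    Service (NSS)', so a greedy match strips only the trailing '(short)' group.
    """
    parts = rest.rsplit(" - ", 2)
    if len(parts) != 3:
        return rest, "", ""
    name_part, owner, path = parts
    m = re.match(r"^(?P<display>.*) \((?P<short>.*)\)$", name_part)
    return (m.group("display") if m else name_part), owner, path


def in_windows_dir(path: str) -> bool:
    """True when the executable sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    folder = path.strip('"').lower().rsplit("\\", 1)[0] + "\\"
    return folder in WINDOWS_DIRS


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks suspicious."""
    section = line.split(" - ", 1)[0]
    m = _SEARCH_RE.match(line)
    if m:  # search settings pointing into a res:// resource inside a DLL
        dll = re.search(r"res://(?P<dll>.+?\.dll)", m.group("url")).group("dll")
        return Finding(section, f"IE search setting redirected into {dll}", line)
    m = _BHO_RE.match(line)
    if m and m.group("name") in ("Class", "(no name)"):
        path = m.group("path")
        missing = path == "(no file)" or path.endswith("(file missing)")
        return Finding(section, "generic BHO name" + (", file missing" if missing else ""), line)
    m = _RUN_RE.match(line)
    if m and in_windows_dir(m.group("cmd")):
        exe = m.group("cmd").strip('"').rsplit("\\", 1)[-1].split(" ")[0].lower()
        if exe not in KNOWN_GOOD_AUTOSTARTS:
            return Finding(section, f"autostart of {exe} directly in the Windows directory", line)
    m = _SVC_RE.match(line)
    if m:
        display, owner, _path = split_service(m.group("rest"))
        if display in ROGUE_SERVICE_NAMES:
            return Finding(section, f"rogue service display name (exact match): {display}", line)
        if owner == "Unknown owner":
            return Finding(section, f"service {display} has no registered owner", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a pasted HijackThis log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.section for f in findings))


# Constructed sample: lines from the first log in the thread plus one made-up legitimate
# "Remote Procedure Call (RPC)" service line to show that exact matching leaves it alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eavqd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {00A88ECE-D542-06D0-B1E9-091150D86D41} - C:\WINDOWS\system32\msxj32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crqy.dll
O2 - BHO: (no name) - {FA368488-8008-3889-4E2F-86BBFD486BD2} - (no file)
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [systx.exe] C:\WINDOWS\systx.exe
O4 - HKLM\..\Run: [netzl.exe] C:\WINDOWS\system32\netzl.exe
O4 - HKLM\..\RunOnce: [mfcsu32.exe] C:\WINDOWS\system32\mfcsu32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netst32.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k rpcss
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only triages; it changes nothing on the machine. Its output is the list of lines a helper would then review and fix with HijackThis, which is the same decision the post above makes by eye. The about:blank start page and the missing URLSearchHook are deliberately left to the human reader, since those lines are also seen on clean systems.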
  #3 (permalink)  
Old 10-11-2005, 12:53 AM
Junior Member
New Recruit
 
Join Date: Jan 2005
Posts: 26
Re: Spyware seems to invade at the worst times

Okay, I know I made some mistakes. There were just too many instructions. I believe I mostly messed up the following:
I was having trouble navigating Firefox (as I was not used to it regarding finding and deleting files). I couldn't find a lot of the files I thought would be there. Also, when I ran the FxAgentB there was no log file at the end that I recall. All it said was something about removing a backdoor agent B. Here is my latest HijackThis log file.
Thanks so far. I really appreciate it.
Zach



Logfile of HijackThis v1.99.1
Scan saved at 3:48:07 PM, on 11/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\d3ek32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Retail STAR\dbntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Retail STAR\StarSchd.exe
C:\WINDOWS\msrb32.exe
C:\WINDOWS\system32\ntwv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5C267B93-C66C-AF60-B81B-E8BFC8C44980} - C:\WINDOWS\msrb32.dll
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\RunOnce: [ntwv.exe] C:\WINDOWS\system32\ntwv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: SBC.lnk = ?
O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  #4 (permalink)  
Old 10-11-2005, 02:18 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Spyware seems to invade at the worst times

Hi, you did just fine, excellent actually. If the FxAgentB tool found it, that is very good.


Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong


Go to start >run and type: services.msc and click OK
Scroll down in that list and look if the following services are present:

Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service

Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.

Double-click on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.


Next:

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Network Security Service and press OK. OK any prompts, close HijackThis, and restart your computer.

If the other two are there, do the same as above (one at a time) for them; if we don't kill these the infection will come back. Reboot each time one is deleted please.

Now


Reboot into safe mode again


Scan with HJT again and put a check next to these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {5C267B93-C66C-AF60-B81B-E8BFC8C44980} - C:\WINDOWS\msrb32.dll

O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\RunOnce: [ntwv.exe] C:\WINDOWS\system32\ntwv.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe


Make sure everything else is closed and click Fix checked.

Still in safe mode

Hunt for and delete if found:

C:\WINDOWS\msrb32.dll

C:\WINDOWS\d3ek32.exe

C:\WINDOWS\system32\ntwv.exe


Reboot into normal mode and post a new HJT log please.
  #5 (permalink)  
Old 10-11-2005, 02:46 AM
Junior Member
New Recruit
 
Join Date: Jan 2005
Posts: 26
Re: Spyware seems to invade at the worst times

Only Network Security Service was there. I stopped it and disabled it, but when I try to delete it from HijackThis an error message comes up that it cannot be found in the registry. I tried many spellings but can't get it to work. Any suggestions?
Zach
  #6 (permalink)  
Old 10-11-2005, 04:21 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Spyware seems to invade at the worst times

Hi, just do the rest and post a HJT log, thanks.
  #7 (permalink)  
Old 10-11-2005, 05:31 AM
Junior Member
New Recruit
 
Join Date: Jan 2005
Posts: 26
Re: Spyware seems to invade at the worst times

Here is the latest log. Also, when I started it up in normal mode I got an error message that ntwv.exe was missing. I feel as if we are winning but we have not won yet.
-Zach

Logfile of HijackThis v1.99.1
Scan saved at 8:28:46 PM, on 11/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msrb32.exe
C:\WINDOWS\d3cj32.exe
C:\Program Files\Retail STAR\dbntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Retail STAR\StarSchd.exe
C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: SBC.lnk = ?
O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
#8
10-11-2005, 08:43 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Spyware seems to invade at the worst times

Hi,

I have asked twice, and this is the third time: please do this so that backups are available in case a mistake is made. Thanks.

Create a new folder on your C: drive.
Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
It's best for this tool NOT to be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong.



Please download TheKillbox by Option^Explicit from here:
http://downloads.subratam.org/KillBox.zip
or here:
http://download.broadbandmedic.com/
or here:
http://www.bleepingcomputer.com/file...re/KillBox.zip
Unzip it to the desktop but do NOT run it yet.


Disconnect from the internet (pull the plug).

Reboot into safe mode



Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

Quote:
C:\WINDOWS\ieby32.dll
C:\WINDOWS\apppo.dll
C:\WINDOWS\nettq32.dll
C:\WINDOWS\system32\ntgb32.dll
C:\WINDOWS\d3ek32.exe
C:\WINDOWS\d3cj32.exe
C:\WINDOWS\msrb32.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button/looks like a stop sign. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.


Scan with HJT and put a check by these items, please, if they are still there:

O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll

O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe


Make sure nothing is running but HJT (nothing showing in the bottom task bar) and click Fix checked.


Reboot into safe mode

Run both CWShredders again, please, from safe mode, and click Fix on both.


Hunt for and delete these, please, if found:

C:\WINDOWS\ieby32.dll < file
C:\WINDOWS\apppo.dll < file
C:\WINDOWS\nettq32.dll
C:\WINDOWS\system32\ntgb32.dll
C:\WINDOWS\d3ek32.exe < file
C:\WINDOWS\d3cj32.exe < file
C:\WINDOWS\msrb32.exe < file


Reboot normal mode and:


1. Please download DLLCompare (a scanner to locate hidden DLL files) from this location:
DLLCompare
2. When you execute dllcompare.exe, by default c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type: simply select the path and check the box labelled "Include SubDirectories".
3. Click on "Locate.com" and allow the scan to complete.
4. After the scan has finished, click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
5. If the box at the bottom of the screen contains any files, these are the ones that are hidden. Click on "Make a Log of what was Found".
6. When prompted to "View Log File", click on "Yes".
7. Notepad will open with the log file contents.
8. In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.

Then

Post the dllcompare log and a new hjt log please.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below.

MALWARE: READ FIRST Procedures: SpyBot V1.5 | HijackThis Log V2.0.2

ASAP: promoting a high standard and quality of security support no matter where you seek help.

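As an added example, not part of Neal's post and not code from HijackThis or the thread: a small Python triage pass over HijackThis 1.99 log lines. It encodes the cues a helper uses to pick out entries like the ones listed above: a binary dropped directly into C:\WINDOWS rather than a program folder, a short random-looking file name ending in two digits, a BHO registered only as "Class" with no descriptive name, and an O23 service with "Unknown owner" and a garbled display name. The sample log below is constructed from entries that appear in this thread; the name pattern, the reason strings and the scoring are this example's own heuristics, not anything HijackThis emits, and they are cues for a human to check, not proof of infection.

```python
"""Heuristic triage of HijackThis 1.99 log entries (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis entry: a section code (R0-R3, O1-O23), " - ", then the body.
HJT_LINE = re.compile(r'^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$')
# First Windows path ending in a binary extension. Non-greedy so that paths
# containing spaces ("C:\Program Files\...") still stop at the extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)
# Heuristic (this example's assumption): generated names such as d3ek32.exe,
# ieby32.dll or msrb32.exe are a short alphanumeric stem ending in two digits.
RANDOM_NAME = re.compile(r'^[a-z][a-z0-9]{2,4}\d{2}\.(?:exe|dll)$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                      # HJT section code, e.g. "O4"
    path: Optional[str]            # file path named by the entry, if any
    reasons: List[str] = field(default_factory=list)
    line: str = ''


def triage_line(line: str) -> Optional[Finding]:
    """Parse one log line and attach every suspicious cue it matches."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None                # process list, headers, blank lines
    kind, body = m.group('kind'), m.group('body')
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    reasons: List[str] = []
    if path:
        folder, _, name = path.rpartition('\\')
        if folder.lower() == r'c:\windows':
            reasons.append('binary dropped directly into C:\\WINDOWS')
        if RANDOM_NAME.match(name):
            reasons.append('random-looking file name')
    if kind == 'O2' and body.startswith('BHO: Class - {'):
        reasons.append('BHO registered without a descriptive name')
    if kind == 'O23' and 'Unknown owner' in body:
        reasons.append('service with no identifiable vendor')
    if any(ord(c) < 32 or ord(c) > 126 for c in body):
        reasons.append('non-printable or non-ASCII characters in entry')
    return Finding(kind, path, reasons, line.strip())


def triage_log(text: str) -> List[Finding]:
    """Return only the entries that matched at least one cue."""
    out = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            out.append(f)
    return out


def flagged_names(text: str) -> set:
    """Lower-cased file names of every flagged entry that names a file."""
    return {f.path.rpartition('\\')[2].lower() for f in triage_log(text) if f.path}


def format_report(text: str) -> str:
    return '\n'.join(f'{f.kind:<4}{f.path or "(no path)"}: {"; ".join(f.reasons)}'
                     for f in triage_log(text))


# Constructed sample: entries taken from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {55E6CF7B-F013-B32D-B116-5147DD5BB2CC} - C:\WINDOWS\ieby32.dll
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\apppo.dll
O2 - BHO: Class - {B618D006-CBA7-0E08-16BC-4DABF979FF8B} - C:\WINDOWS\nettq32.dll
O2 - BHO: Class - {E5ADF72A-DBBF-7E41-89A6-F5404F212316} - C:\WINDOWS\system32\ntgb32.dll
O4 - HKLM\..\Run: [d3ek32.exe] C:\WINDOWS\d3ek32.exe
O4 - HKLM\..\Run: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SBC.lnk = ?
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msrb32.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
"""

if __name__ == '__main__':
    print(format_report(SAMPLE_LOG))
```

Run against the constructed sample, the report lists exactly the seven files queued for KillBox above and nothing from Symantec, Adobe, Microsoft or Retail STAR. The folder rule is the strongest cue: legitimate software installs under Program Files or System32, while this family of hijackers drops its DLLs and EXEs straight into C:\WINDOWS with throwaway names.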
#9
11-11-2005, 01:32 AM
zachisbest
Junior Member (New Recruit)
Join Date: Jan 2005
Posts: 26
Re: Spyware seems to invade at the worst times

I believe the DLLCompare log is empty. Sorry about the whole HJT-log-on-the-desktop thing. I just thought I wouldn't make any mistakes and it would all be okay. How did you know? Anyway, thanks for everything.
-Zach


* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

2,569 items found: 2,567 files, 2 directories.
Total of file sizes: 474,336,495 bytes 452.36 M

Administrator Account = True

--------------------End log---------------------


Logfile of HijackThis v1.99.1
Scan saved at 4:30:04 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Retail STAR\dbntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Retail STAR\StarSchd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Retail STAR\POSStar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Village Hat Shop\Desktop\Zach's Adware stuff. Do not mess with this folder\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: SBC.lnk = ?
O4 - Startup: Schedule STAR.lnk = C:\Program Files\Retail STAR\StarSchd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129243595906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://supporttrial.webex.com/clien...rt/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EADB5F57-B4C5-4584-B2D8-8DD5B3F5A13E}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Centura SQLBase - Centura Software - C:\Program Files\Retail STAR\dbntsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
#10
11-11-2005, 01:46 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Spyware seems to invade at the worst times

Beautiful job,

Just a couple more Hijackthis fixes and you should be good to go, unless there is something I don't know about.


Scan with Hijackthis again and put a check next to these items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing


Make sure everything else is closed and click Fix checked.

Post, hopefully, one more HijackThis log, and if all is OK I will have some free prevention tools for you to use if you like. They will help keep you a lot safer. Although you don't have to use them all, I do highly suggest SpywareBlaster and SpywareGuard, and also RegProtect.