
Major trojan downloader problems

Discussion in 'Malware and Virus Removal Archive' started by unyquity, 2005/05/14.

  1. 2005/05/14
    unyquity (Thread Starter)

    It seems that there is a real nasty trojan d/l'er going around that is a bear to get rid of. From what I have been able to find out, it is called Trojan Downloader.Win32.Agent.ap. Apparently it has a lot of variations. My 'puter has acquired several of these files also. It has reconfigured my IE browser and reset my default homepage as "about:blank". Some of the files I have found that are causing these problems are: netla32.exe, netlb32.exe, atlji32.exe, ippn32.exe, d3wd32.exe, and appnj.exe.

    I have run Spysweeper, Spybot, Adware, and About:Buster. They all get rid of some junk, but the files I listed above remain. I have turned them off in the Task Manager and deleted them from the registry, but they always return. Most of these files are in the System32 folder, but they cannot be deleted. I also tried to use the Trend Micro Housecall program. Obviously I cannot use it on Netscape 7.2, and when I try to download it on IE, the browser encounters an error and shuts down.

    So having said all of that, here is my HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:31:37 PM, on 5/13/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\d3wd32.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\GWHotKey.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINNT\netlb32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINNT\System32\wfxsnt40.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Temp\hijackthis1991.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fpazw.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fpazw.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Class - {16DACBE2-A3F2-35AC-BB31-4603116EE523} - C:\WINNT\netfy.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [netlb32.exe] C:\WINNT\netlb32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\RunOnce: [d3wd32.exe] C:\WINNT\d3wd32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112988096428
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\netnk.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Since my wife and I make our living on the Internet, any help you folks can send my way will sure make my life a lot easier.

    Thank you
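    A triage pass over the indicators in the log above, added here as an example; it is not code from this thread and not part of HijackThis. The sample lines are copied from the posted log, and the log itself places netfy.dll, netlb32.exe, d3wd32.exe and fpazw.dll directly in C:\WINNT rather than in System32. The heuristics (an R entry pointing at a res:// resource inside a local DLL, a BHO with no class name, a Run value named after its own executable and dropped in the Windows root, an O23 service whose binary is missing) and the Windows-root list are this example's own assumptions, not HijackThis rules.

```python
"""Flag the hijacker indicators in a HijackThis 1.99 log.

Added example for this thread; not HijackThis code and not the original
poster's. Sample lines are copied from the log above; the heuristics,
the Windows-root list and the name checks are this example's assumptions.
"""
from __future__ import annotations

import ntpath
import re

# Subset of the posted log (constructed sample: a handful of lines, chosen to
# include both the hijacker entries and legitimate neighbours for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {16DACBE2-A3F2-35AC-BB31-4603116EE523} - C:\WINNT\netfy.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [netlb32.exe] C:\WINNT\netlb32.exe
O4 - HKLM\..\RunOnce: [d3wd32.exe] C:\WINNT\d3wd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\netnk.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""

# Assumption: the Windows directory is one of these (the posted log shows C:\WINNT).
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}

R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) =\s*(?P<val>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Executable path from a Run command line: quoted, or the first token of a bare one."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]  # HijackThis shows unquoted long paths in 8.3 form, so no spaces


def triage(log: str) -> dict[str, list[str]]:
    """Return {file path: [reasons]} for entries worth collecting and submitting for analysis."""
    hits: dict[str, list[str]] = {}

    def flag(path: str, reason: str) -> None:
        hits.setdefault(path, []).append(reason)

    for raw in log.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            # Default IE search/start values are http:// URLs; a res:// pointer into a
            # local DLL means the "search page" is served from a resource inside that DLL.
            if d := RES_DLL.search(m["val"]):
                flag(d["dll"], f"IE value {m['key'].rsplit(',', 1)[-1]} redirected into a local DLL resource")
        elif m := O2_LINE.match(line):
            # Vendor BHOs register a class name; a bare "Class" (or none) is what the dropped DLL shows.
            if m["name"].strip().lower() in {"", "class", "(no name)"}:
                flag(m["path"], "BHO registered without a class name")
        elif m := O4_LINE.match(line):
            exe = _exe_path(m["cmd"])
            if m["name"].lower() == ntpath.basename(exe).lower() and ntpath.dirname(exe).lower() in WINDOWS_ROOTS:
                flag(exe, f"{m['key']} value named after its own file, dropped in the Windows root")
        elif m := O23_LINE.match(line):
            if m["missing"]:
                flag(m["path"], f"service '{m['name']}' ({m['owner']}) points at a missing binary")
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

    The Run-name check deliberately ignores ctfmon.exe, whose value is also named after its file but which lives in System32; GWMDMpi.exe sits in the Windows root but carries a descriptive value name, so it is left alone too. Everything the script flags is a file to copy off the machine before deleting, since a downloader's dropped components are what an AV vendor needs for a signature.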
     
  2. 2005/05/14
    noahdfear

    That is a nasty one to get rid of sometimes. Download this zip.

    http://www.downloads.subratam.org/pv.zip

    Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, open the pv folder. Double click on the runme.bat. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. Then run option 2 for IE dlls, and post its log too. They are usually pretty large and take more than one post.
     


  4. 2005/05/14
    unyquity (Thread Starter)

    Ok, here is the first log from the "PV" program.


    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINNT\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
    ntdll.dll 77f50000 679936 C:\WINNT\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL
    kernel32.dll 77e60000 937984 C:\WINNT\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINNT\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 569344 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 454656 C:\WINNT\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
    GDI32.dll 77c70000 253952 C:\WINNT\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
    USER32.dll 77d40000 548864 C:\WINNT\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
    SHLWAPI.dll 63180000 409600 C:\WINNT\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8318976 C:\WINNT\system32\SHELL32.dll 6.00.2600.151 (xpclnt_qfe.021108-2107) Windows Shell Common Dll
    ole32.dll 771b0000 1126400 C:\WINNT\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINNT\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71500000 1036288 C:\WINNT\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
    SHDOCVW.dll 71700000 1347584 C:\WINNT\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINNT\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
    comctl32.dll 71950000 933888 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINNT\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
    appHelp.dll 75f40000 118784 C:\WINNT\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
    CLBCATQ.DLL 7c620000 528384 C:\WINNT\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINNT\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINNT\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINNT\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINNT\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 5b630000 458752 C:\WINNT\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINNT\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINNT\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
    netapi32.dll 71c20000 315392 C:\WINNT\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
    USERENV.dll 75a70000 667648 C:\WINNT\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
    LINKINFO.dll 76980000 28672 C:\WINNT\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINNT\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINNT\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
    MSCTF.dll 74720000 307200 C:\WINNT\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
    SynTPFcs.dll 63000000 81920 C:\WINNT\System32\SynTPFcs.dll 6.0.23 14Nov01 SynTPFcs
    msi.dll 76400000 2076672 C:\WINNT\System32\msi.dll 2.0.2600.0 Windows Installer
    WINSTA.dll 76360000 61440 C:\WINNT\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
    webcheck.dll 74b30000 266240 C:\WINNT\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
    SETUPAPI.dll 76670000 933888 C:\WINNT\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
    stobject.dll 74b00000 131072 C:\WINNT\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINNT\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINNT\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f50000 32768 C:\WINNT\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
    WINMM.dll 76b40000 180224 C:\WINNT\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
    serwvdrv.dll 5cd70000 28672 C:\WINNT\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C:\WINNT\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
    wdmaud.drv 72d20000 36864 C:\WINNT\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINNT\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINNT\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINNT\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    NETSHELL.dll 75cf0000 1638400 C:\WINNT\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINNT\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
    WS2_32.dll 71ab0000 86016 C:\WINNT\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINNT\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    iphlpapi.dll 76d60000 86016 C:\WINNT\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
    netman.dll 76de0000 155648 C:\WINNT\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
    MPRAPI.dll 76d40000 90112 C:\WINNT\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    ACTIVEDS.dll 76e40000 192512 C:\WINNT\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 147456 C:\WINNT\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
    rtutils.dll 76e80000 53248 C:\WINNT\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    SAMLIB.dll 71bf0000 69632 C:\WINNT\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
    RASAPI32.dll 1810000 233472 C:\WINNT\system32\RASAPI32.dll 5.1.2600.28 (xpclnt_qfe.010827-1803) Remote Access API
    rasman.dll 76e90000 69632 C:\WINNT\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
    TAPI32.dll 76eb0000 172032 C:\WINNT\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
    WZCSvc.DLL 76da0000 196608 C:\WINNT\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
    WMI.dll 76d30000 16384 C:\WINNT\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
    DHCPCSVC.DLL 76d80000 106496 C:\WINNT\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
    DNSAPI.dll 76f20000 151552 C:\WINNT\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
    CRYPT32.dll 762c0000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINNT\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
    mslbui.dll 605d0000 61440 C:\WINNT\System32\mslbui.dll 5.1.2600.0 (xpclient.010817-1148) LangageBar Add In
    printui.dll 74b80000 532480 C:\WINNT\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINNT\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
    CFGMGR32.dll 74ae0000 28672 C:\WINNT\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71b20000 69632 C:\WINNT\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    SXS.DLL 75e90000 659456 C:\WINNT\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
    browselc.dll 72430000 73728 C:\WINNT\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
    WININET.dll 1b10000 610304 C:\WINNT\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
    netfy.dll 1fc0000 201830 C:\WINNT\netfy.dll
    MSVCIRT.dll 1650000 65536 C:\WINNT\System32\MSVCIRT.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT IOStreams DLL
    snmpapi.dll 71f60000 32768 C:\WINNT\System32\snmpapi.dll 5.1.2600.0 (xpclient.010817-1148) SNMP Utility Library
    urlmon.dll 1a400000 495616 C:\WINNT\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
    sensapi.dll 722b0000 20480 C:\WINNT\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
    rsaenh.dll ffd0000 139264 C:\WINNT\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
    wsock32.dll 71ad0000 32768 C:\WINNT\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    mswsock.dll 71a50000 241664 C:\WINNT\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    rasadhlp.dll 76fc0000 20480 C:\WINNT\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    winrnr.dll 76fb0000 28672 C:\WINNT\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    DUSER.dll 6c1b0000 274432 C:\WINNT\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
    wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    drprov.dll 75f60000 24576 C:\WINNT\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINNT\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINNT\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINNT\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINNT\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 36864 C:\WINNT\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    shdoclc.dll 2310000 557056 C:\WINNT\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    MSGINA.dll 75970000 987136 C:\WINNT\System32\MSGINA.dll 5.1.2600.128 (xpclnt_qfe.021108-2107) Windows NT Logon GINA DLL
    ODBC32.dll 2470000 204800 C:\WINNT\System32\ODBC32.dll 3.520.9002.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 763b0000 282624 C:\WINNT\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
    odbcint.dll 1f850000 90112 C:\WINNT\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    zipfldr.dll 73380000 335872 C:\WINNT\System32\zipfldr.dll 6.00.2600.101 (xpclnt_qfe.020823-2005) Compressed (zipped) Folders
    NavShExt.dll 10000000 106496 C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    MSVCP60.dll 76080000 397312 C:\WINNT\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    SSCtxMnu.dll b60000 106496 C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll 3.5.0.189 Spy Sweeper Context Menu
    AcroIEHelper.ocx b80000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    WINTRUST.dll 76c30000 176128 C:\WINNT\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
    asfsipc.dll 70eb0000 28672 C:\WINNT\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINNT\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINNT\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
     
  5. 2005/05/14
    unyquity (Thread Starter)

    Here is the second "PV" log.


    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
    ntdll.dll 77f50000 679936 C:\WINNT\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL
    kernel32.dll 77e60000 937984 C:\WINNT\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINNT\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
    USER32.dll 77d40000 548864 C:\WINNT\system32\USER32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
    GDI32.dll 77c70000 253952 C:\WINNT\system32\GDI32.dll 5.1.2600.132 (xpclnt_qfe.021108-2107) GDI Client DLL
    ADVAPI32.dll 77dd0000 569344 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 454656 C:\WINNT\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
    SHLWAPI.dll 63180000 409600 C:\WINNT\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library
    SHDOCVW.dll 71700000 1347584 C:\WINNT\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library
    comctl32.dll 71950000 933888 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
    SHELL32.dll 773d0000 8318976 C:\WINNT\system32\SHELL32.dll 6.00.2600.151 (xpclnt_qfe.021108-2107) Windows Shell Common Dll
    comctl32.dll 77340000 569344 C:\WINNT\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
    ole32.dll 771b0000 1126400 C:\WINNT\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
    MSCTF.dll 74720000 307200 C:\WINNT\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
    SynTPFcs.dll 63000000 81920 C:\WINNT\System32\SynTPFcs.dll 6.0.23 14Nov01 SynTPFcs
    VERSION.dll 77c00000 28672 C:\WINNT\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    BROWSEUI.dll 71500000 1036288 C:\WINNT\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
    browselc.dll 72430000 73728 C:\WINNT\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
    appHelp.dll 75f40000 118784 C:\WINNT\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
    CLBCATQ.DLL 7c620000 528384 C:\WINNT\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 77120000 569344 C:\WINNT\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    COMRes.dll 77050000 806912 C:\WINNT\System32\COMRes.dll 2001.12.4414.42
    UxTheme.dll 5ad70000 212992 C:\WINNT\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
    WININET.dll d60000 610304 C:\WINNT\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINNT\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
    Secur32.dll 76f90000 65536 C:\WINNT\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
    cscui.dll 76620000 319488 C:\WINNT\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINNT\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    SETUPAPI.dll 76670000 933888 C:\WINNT\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
    googletoolbar2.dll 10000000 733184 c:\program files\google\googletoolbar2.dll 2, 0, 114, 9 Google IE Client Toolbar
    urlmon.dll 1a400000 495616 C:\WINNT\system32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32
    WSOCK32.dll 71ad0000 32768 C:\WINNT\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    WS2_32.dll 71ab0000 86016 C:\WINNT\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINNT\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    WINTRUST.dll 76c30000 176128 C:\WINNT\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
    WINMM.dll 76b40000 180224 C:\WINNT\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
    serwvdrv.dll 5cd70000 28672 C:\WINNT\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C:\WINNT\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
    netapi32.dll 71c20000 315392 C:\WINNT\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
    ntshrui.dll 76990000 147456 C:\WINNT\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINNT\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
    USERENV.dll 75a70000 667648 C:\WINNT\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
    MPR.dll 71b20000 69632 C:\WINNT\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINNT\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINNT\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINNT\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINNT\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINNT\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINNT\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINNT\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    shgina.dll 73d70000 73728 C:\WINNT\System32\shgina.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell User Logon
    MSGINA.dll 75970000 987136 C:\WINNT\System32\MSGINA.dll 5.1.2600.128 (xpclnt_qfe.021108-2107) Windows NT Logon GINA DLL
    WINSTA.dll 76360000 61440 C:\WINNT\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
    ODBC32.dll 1630000 204800 C:\WINNT\System32\ODBC32.dll 3.520.9002.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 763b0000 282624 C:\WINNT\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
    odbcint.dll 1f850000 90112 C:\WINNT\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    DBGHELP.DLL 6d510000 507904 C:\WINNT\System32\DBGHELP.DLL 5.1.2600.0 (XPClient.010817-1148) Windows Image Helper
    RASAPI32.DLL 1910000 233472 C:\WINNT\System32\RASAPI32.DLL 5.1.2600.28 (xpclnt_qfe.010827-1803) Remote Access API
    rasman.dll 76e90000 69632 C:\WINNT\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
    TAPI32.dll 76eb0000 172032 C:\WINNT\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINNT\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    sensapi.dll 722b0000 20480 C:\WINNT\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
    rsaenh.dll ffd0000 139264 C:\WINNT\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
    AcroIEHelper.ocx 14b0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    SXS.DLL 75e90000 659456 C:\WINNT\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
    netfy.dll 1bd0000 201830 C:\WINNT\netfy.dll
    iphlpapi.dll 76d60000 86016 C:\WINNT\System32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
    netman.dll 76de0000 155648 C:\WINNT\System32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
    MPRAPI.dll 76d40000 90112 C:\WINNT\System32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    ACTIVEDS.dll 76e40000 192512 C:\WINNT\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 147456 C:\WINNT\System32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
    WZCSvc.DLL 76da0000 196608 C:\WINNT\System32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
    WMI.dll 76d30000 16384 C:\WINNT\System32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
    DHCPCSVC.DLL 76d80000 106496 C:\WINNT\System32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
    DNSAPI.dll 76f20000 151552 C:\WINNT\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
    WTSAPI32.dll 76f50000 32768 C:\WINNT\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
    MSVCIRT.dll 1c20000 65536 C:\WINNT\System32\MSVCIRT.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT IOStreams DLL
    snmpapi.dll 71f60000 32768 C:\WINNT\System32\snmpapi.dll 5.1.2600.0 (xpclient.010817-1148) SNMP Utility Library
    NavShExt.dll 1e40000 106496 C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    MSVCP60.dll 76080000 397312 C:\WINNT\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    mshtml.dll 63580000 2789376 C:\WINNT\System32\mshtml.dll 6.00.2743.600 Microsoft (R) HTML Viewer
    shdoclc.dll 2270000 557056 C:\WINNT\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    MLANG.dll 74770000 585728 C:\WINNT\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    msi.dll 76400000 2076672 C:\WINNT\System32\msi.dll 2.0.2600.0 Windows Installer
    msimtf.dll 746f0000 167936 C:\WINNT\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL
    mslbui.dll 605d0000 61440 C:\WINNT\System32\mslbui.dll 5.1.2600.0 (xpclient.010817-1148) LangageBar Add In
    sptip.dll 5c2c0000 274432 C:\WINNT\ime\sptip.dll 5.1.2600.0 (xpclient.010817-1148) SAPI5.0/CTF layer DLL
    SKCHUI.DLL 24a0000 372736 C:\Program Files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL 1.0.1038.0 Draw Pen Tip
    MSLS31.DLL 746c0000 159744 C:\WINNT\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    jscript.dll 6b700000 589824 c:\winnt\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    mswsock.dll 71a50000 241664 C:\WINNT\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    rasadhlp.dll 76fc0000 20480 C:\WINNT\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    winrnr.dll 76fb0000 28672 C:\WINNT\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
     
  6. 2005/05/14
    unyquity

    unyquity Inactive Thread Starter

    Joined:
    2003/06/13
    Messages:
    16
    Likes Received:
    0
    Since these logs are very long and it is late, I will check back later in the day after I've had some sleep and you've had a chance to scan the logs.

    Once again, thank you for your help.
     
  7. 2005/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here. It takes quite a long time for it to finish, so be patient. ;)
     
  8. 2005/05/18
    unyquity

    unyquity Inactive Thread Starter

    Joined:
    2003/06/13
    Messages:
    16
    Likes Received:
    0
    Dave,

    My apologies for the long delay in getting back to you. I was unable to copy and paste the virus log that resulted when I ran the MWAV program as you requested. So what I did was transcribe the log to MS Word so I could copy and paste the log for you to see.

    File system found infected by "sw Spyware/Adware" Virus
    File system found infected by "CoolWebSearch Spyware/Adware" Virus
    File system found infected by "hsa Spyware/Adware" Virus

    C:\WINNT\d3ke.exe infected by "Trojan.Win32.Agent.bi" Virus
    C:\WINNT\d3wd32.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)
    C:\WINNT\winsom.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)

    C:\WINNT\behjc.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\dwxuk.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\fpazw.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\shvut.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\tentq.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\tncjz.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\yzwlk.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\ijkfm.dll infected by "not-a-virus: Adware.SearchPage" Virus

    C:\WINNT\system32\123.45 infected by "Trojan-Downloader.Win32.Winshow.ay" Virus (x2)

    C:\WINNT\system32\appor32.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)
    C:\WINNT\system32\d3fz32.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)
    C:\WINNT\system32\d3pa.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)
    C:\WINNT\system32\javayt32.exe infected by "Trojan.Win32.Agent.bi" Virus (x2)

    C:\WINNT\system32\abxsb.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\system32\kmbds.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\system32\krsvp.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\system32\offju.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)
    C:\WINNT\system32\xybey.dll infected by "not-a-virus: Adware.SearchPage" Virus (x2)

    C:\Documents and Settings\Owner\jpi_cache\jar\1.0\ar3.jar31548af4-550af331.zip infected by "Trojan.Java.ClassLoader.K" Virus

    C:\Documents and Settings\Owner\Application Data\mozilla profiles\Rick\stdvuymz.slt\ Mail\mail.pcsia.net\Business Mail infected by "Email-Worm.32.Badtransll" Virus
    C:\Documents and Settings\Owner\Application Data\mozilla profiles\Rick\stdvuymz.slt\ Mail\mail.pcsia.net\Inbox infected by "Email-Worm.32.Mimail.txt" Virus
    C:\Documents and Settings\Owner\Application Data\mozilla profiles\yrrocks\8hjtsybq.slt\ Mail\mail.pcsia.net\Inbox infected by "Email-Worm.32.Magistr.a" Virus
    C:\Documents and Settings\Owner\Application Data\mozilla profiles\yrrocks\8hjtsybq.slt\ Mail\mail.pcsia.net\Incoming Saved Mail infected by "Email-Worm.32.Magistr.a" Virus


    The lines that have a (x2) at the end of the line means that these particular lines showed up twice on the virus log.

    Just a note - there are 2 files that keep regenerating themselves in the HKLM Run and RunOnce registry files as well as in the task manager after I have deleted them and ended the process, respectively. They are netlb32.exe and d3ke.exe. When I try to delete them from the Windows files, I get access denied.

    I have disconnected the 'puter with all of these viruses from my DSL network connection to avoid any further complications until I get this under control. So needless to say, I am sending this post from our other 'puter. Let me know what I need to do next. ARGH! I hate viruses!
     
  9. 2005/05/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Add Housecall to your favorites so you can later go there without opening any IE windows first.

    Save this to text where you can access it in safe mode.

    Check for updates to AboutBuster and Ad-aware.

    Download the delfiles.zip file attached to the bottom of this post. Save it to your desktop. If it saves as attachment.php, right click and rename to delfiles.zip Now right click the zip and extract the delfiles.bat file to your desktop.

    Download the stand-alone CWShredder 2.14 from here. Save it to the desktop.

    Click here to download cwsserviceremove.zip, unzip it to your desktop and have it ready to run later.

    Create a new folder in C:\ named HJT and move HijackThis.exe to there.

    Click start then run and type services.msc, then hit enter. Locate Network Security Service, right click and choose properties. Stop the service, then set to disabled. Click Apply then OK. Close the services window. If you don't find it, just continue on.

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

    Double click the delfiles.bat on your desktop.

    Double click the cwsserviceremove.reg file you unzipped earlier. Click yes to merge it to the registry.

    Open AboutBuster, click start then OK. Exit when finished.

    Open CWShredder and click fix.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Scan again with HijackThis and place a check next to the following entries if present. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fpazw.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fpazw.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fpazw.dll/sp.html#93256
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {16DACBE2-A3F2-35AC-BB31-4603116EE523} - C:\WINNT\netfy.dll
    O4 - HKLM\..\Run: [netlb32.exe] C:\WINNT\netlb32.exe
    O4 - HKLM\..\RunOnce: [d3wd32.exe] C:\WINNT\d3wd32.exe
    O23 - Service: Network Security Service ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\netnk.exe (file missing)

    Do not close HijackThis yet. Again, open this saved text. Copy the text between the parenthesis of this entry
    O23 - Service: Network Security Service ( 11Fßä#·ºÃ„Ö`I) Note the space before the first 1.....it needs to be copied also. Now click the config button in HijackThis, then misc tools. Click the Delete an NT Service button and right click then paste in the opening window. Click OK and no to reboot. Close HijackThis.

    Open C:\Temp, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all username folders.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Open your favorites and click the Housecall shortcut to run the online scan. Make sure the box to autoclean is checked. Close IE when done.

    Click Start>All Programs>Windows Update. Accept all critical updates (choose the Express Install), reboot when prompted and go back, until no more critical updates are offered.

    Run another MWAV scan, and another HijackThis scan, then post both logs.
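    Added example, not from this thread, from HijackThis or from any of the tools named in it: a small Python triage script that applies the same reasoning as the fix list above to a HijackThis log. It flags R0/R1 entries pointed at a res:// resource inside a local DLL, BHO and autorun entries that load a short lowercase file straight from the Windows root, and O23 services whose binary is missing. The sample lines are constructed from entries quoted in this thread (the garbled service name is shortened), and the "lowercase name in the Windows root" rule is an assumed heuristic, so a hit is something to verify, not proof.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log, modelled on HijackThis entries quoted in this thread
# (the garbled service name is shortened to "( 11F)" to keep the sample ASCII).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fpazw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: Class - {16DACBE2-A3F2-35AC-BB31-4603116EE523} - C:\WINNT\netfy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [netlb32.exe] C:\WINNT\netlb32.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O23 - Service: Network Security Service ( 11F) - Unknown owner - C:\WINNT\netnk.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
"""

# A file that sits directly in the Windows directory root, not in a subfolder.
WIN_ROOT = re.compile(r"^[a-z]:\\(windows|winnt)\\([^\\]+)$", re.I)
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[.*?\] (.+)$")

def windows_root_name(path: str) -> Optional[str]:
    """Return the file name if path is directly under the Windows directory root."""
    m = WIN_ROOT.match(path.strip())
    return m.group(2) if m else None

def looks_generated(name: str) -> bool:
    # The CWS files in this thread are short all-lowercase names such as
    # netfy.dll or netlb32.exe; vendor files like GWHotKey.exe keep mixed case.
    # Assumed triage heuristic only: a lowercase legitimate file would match too.
    return name == name.lower()

def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the HijackThis line matches a CWS-style indicator."""
    line = line.strip()
    if line.startswith(("R0 ", "R1 ")) and "= res://" in line:
        return "IE start/search setting points at a res:// resource inside a local DLL"
    m = BHO_LINE.match(line)
    if m:
        name = windows_root_name(m.group(2))
        if name and looks_generated(name):
            return f"BHO named '{m.group(1)}' loads {name} from the Windows root"
        return None
    m = RUN_LINE.match(line)
    if m:
        name = windows_root_name(m.group(1))
        if name and looks_generated(name):
            return f"autorun entry launches {name} from the Windows root"
        return None
    if line.startswith("O23 ") and "(file missing)" in line:
        return "service registered for a binary that no longer exists"
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Collect (line, reason) pairs for every flagged entry in a log."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample above the script flags exactly the four entries the fix list targets and leaves the Norton, GWHotKey and GWMDMpi entries alone; run it against a real log by reading the file into `triage_log`.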
     
  10. 2005/05/23
    unyquity

    unyquity Inactive Thread Starter

    Joined:
    2003/06/13
    Messages:
    16
    Likes Received:
    0
    Dave,

    It's a miracle! Everything is back to normal. I had a little difficulty with the MS Windows updates (the reason for the delay) but all seems to be working fine now.

    Below is the latest HJT log. The MWAV virus log came up clean.

    Thank you for all your help and assistance. You guys are Gods!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:26 PM, on 5/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINNT\GWHotKey.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINNT\System32\wfxsnt40.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Hijack This\hijackthis1991.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112988096428
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
     
  11. 2005/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Excellent job! :D Your log is clean!

    I recommend you turn off system restore, then turn it back on to clear your restore points of any infections. Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out. Reboot and turn it back on.

    You still need some Windows Updates.

    Platform: Windows XP SP1 << from your log....should be SP2

    After doing the above, I strongly recommend you go back as many times as necessary to get fully updated......till you are offered no more critical updates or service packs.

    For further protection, do you have Spybot Version 1.3? If not, download it from my signature and install. Allow it to load SD Helper. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly and watch for any protection being disabled. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.
     