In need of spyware help

Norge Sidney, Ohio
edited February 2005 in Spyware & Virus Removal
It seems like my grandpa has stumbled upon the spyware motherlode. I just spent over an hour running Ad-aware and uninstalling programs and he is still getting it. I think there is a trojan downloader somewhere. Any help would be great.

Norge

Logfile of HijackThis v1.99.0
Scan saved at 7:53:12 PM, on 2/12/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\winole.exe
C:\WINNT\system32\atlzh32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\mfcft.exe
C:\WINNT\System32\drwtsn32.exe
C:\WINNT\System32\drwtsn32.exe
C:\Documents and Settings\Dan Schilling\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A1B2A72B-0418-3F3F-AF79-8CA6EE459874} - C:\WINNT\system32\netvd32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfat32pi.exe
O4 - HKLM\..\Run: [atlzh32.exe] C:\WINNT\system32\atlzh32.exe
O4 - HKLM\..\Run: [25.tmp] C:\DOCUME~1\DANSCH~1\LOCALS~1\Temp\25.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINNT\System32\tibs5.exe
O4 - HKLM\..\Run: [Local Procedure Call Mapper] LPC.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [Local Procedure Call Mapper] LPC.exe
O4 - HKLM\..\RunOnce: [apizx32.exe] C:\WINNT\apizx32.exe
O4 - HKLM\..\RunOnce: [crap.exe] C:\WINNT\system32\crap.exe
O4 - HKLM\..\RunOnce: [netrp.exe] C:\WINNT\netrp.exe
O4 - HKLM\..\RunOnce: [netjh32.exe] C:\WINNT\netjh32.exe
O4 - HKLM\..\RunOnce: [mfcft.exe] C:\WINNT\system32\mfcft.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Local Procedure Call Mapper] LPC.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\enhypdww.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D44D2B-2F4D-4A9D-A1D1-DDB9ECAD5A75}: NameServer = 209.143.0.10 66.209.140.124
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\apiir32.exe (file missing)

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You've got it all here. Trojan, worm, dialer, and HSA. Let's see if we can get it all at once.


    Download (right click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install

    This should remove those O15 entries.



    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A1B2A72B-0418-3F3F-AF79-8CA6EE459874} - C:\WINNT\system32\netvd32.dll
    O4 - HKLM\..\Run: [Windows Compliant] winole.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfat32pi.exe
    O4 - HKLM\..\Run: [atlzh32.exe] C:\WINNT\system32\atlzh32.exe
    O4 - HKLM\..\Run: [25.tmp] C:\DOCUME~1\DANSCH~1\LOCALS~1\Temp\25.tmp.exe 0 28129
    O4 - HKLM\..\Run: [tibs5] C:\WINNT\System32\tibs5.exe
    O4 - HKLM\..\Run: [Local Procedure Call Mapper] LPC.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
    O4 - HKLM\..\RunServices: [Local Procedure Call Mapper] LPC.exe
    O4 - HKLM\..\RunOnce: [apizx32.exe] C:\WINNT\apizx32.exe
    O4 - HKLM\..\RunOnce: [crap.exe] C:\WINNT\system32\crap.exe
    O4 - HKLM\..\RunOnce: [netrp.exe] C:\WINNT\netrp.exe
    O4 - HKLM\..\RunOnce: [netjh32.exe] C:\WINNT\netjh32.exe
    O4 - HKLM\..\RunOnce: [mfcft.exe] C:\WINNT\system32\mfcft.exe
    O4 - HKCU\..\Run: [Windows Compliant] winole.exe
    O4 - HKCU\..\Run: [Local Procedure Call Mapper] LPC.exe
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\enhypdww.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\apiir32.exe (file missing)



    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (do not be concerned if they do not exist).

    C:\WINNT\system32\rniuw.dll
    C:\WINNT\system32\netvd32.dll
    C:\WINNT\System32\winole.exe
    C:\WINNT\apizx32.exe
    C:\WINNT\system32\crap.exe
    C:\WINNT\netrp.exe
    C:\WINNT\netjh32.exe
    C:\WINNT\system32\mfcft.exe
    C:\WINNT\apiir32.exe
    C:\Program Files\Internet Explorer\enhypdww.exe
    LPC.exe



    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.



    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode.



    Please download and run AVG antivirus. It's a very good free antivirus application and I didn't see one in your log.

    http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe

    It should find a few things.



    Reboot your computer once more, post a new HijackThis log, and let me know how it went.
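The reply above works through the log by hand, picking out the entry types that give the infection away (res:// search-page redirects, an unnamed BHO, startup entries launched from Temp or registered under RunOnce, a site added to the Trusted Zone, a DPF object pointing at a local executable, a service whose binary is missing). The script below is an added example, not code from the forum thread or from HijackThis itself: it parses lines in the HijackThis log format, applies those same triage rules as explicit heuristics, and collects the on-disk binaries the flagged entries name, which is essentially the delete list in the reply. The sample log is a subset of the lines posted above; the `KNOWN_BARE_RUN_TARGETS` allowlist and the classification rules are assumptions made for this walkthrough, not rules from the tool.

```python
"""Triage a HijackThis log: flag entry types that indicate a browser hijack
or unwanted persistence, then list the binaries they reference.
Added example; the heuristics are assumptions for this walkthrough."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines posted in the thread above,
# including three benign entries (O3 toolbar, mobsync.exe, dmadmin.exe).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rniuw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A1B2A72B-0418-3F3F-AF79-8CA6EE459874} - C:\WINNT\system32\netvd32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [25.tmp] C:\DOCUME~1\DANSCH~1\LOCALS~1\Temp\25.tmp.exe 0 28129
O4 - HKLM\..\RunOnce: [crap.exe] C:\WINNT\system32\crap.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\enhypdww.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D44D2B-2F4D-4A9D-A1D1-DDB9ECAD5A75}: NameServer = 209.143.0.10 66.209.140.124
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\apiir32.exe (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Windows path ending in a binary extension; spaces allowed ("Program Files").
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx)', re.IGNORECASE)
# Assumed allowlist of bare-filename Run entries that are normal on this platform.
KNOWN_BARE_RUN_TARGETS = {"mobsync.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log):
    """Yield (section, body, raw_line) for every well-formed entry line."""
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def classify(section, body):
    """Return why an entry is suspicious, or None if it passes the heuristics."""
    if section in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected to a local DLL resource (res://)"
    if section == "R3" and "missing" in body:
        return "default URLSearchHook removed"
    if section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    if section == "O4":
        key, _, cmd = body.partition(": ")          # key = HKLM\..\Run, cmd = [name] exe args
        if "RunOnce" in key:
            return "RunOnce persistence (re-install hook after cleanup)"
        if re.search(r"\\Temp\\", cmd, re.IGNORECASE):
            return "startup entry launched from a Temp directory"
        exe = cmd.split("]", 1)[-1].strip().split(" ")[0]
        if "\\" not in exe and exe.lower() not in KNOWN_BARE_RUN_TARGETS:
            return "startup entry with bare filename not in allowlist"
    if section == "O15":
        return "site added to IE Trusted Zone"
    if section == "O16" and "file://" in body:
        return "Download Program File pointing at a local executable"
    if section == "O17":
        return "custom DNS NameServer; verify against the ISP's resolvers"
    if section == "O23" and "(file missing)" in body:
        return "service registered for a missing binary"
    return None


def scan(log):
    """Run the heuristics over a log and return the flagged entries."""
    return [Finding(section, reason, raw)
            for section, body, raw in parse(log)
            if (reason := classify(section, body))]


def referenced_files(findings):
    """Collect the on-disk binaries named by flagged entries (the cleanup list)."""
    return {m.group(0) for f in findings for m in WIN_PATH.finditer(f.line)}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("\nBinaries to quarantine/delete after the HijackThis fix:")
    for path in sorted(referenced_files(hits)):
        print("  ", path)
```

The rules are deliberately conservative about what they assert: an O17 NameServer entry is reported for review rather than condemned, because only the owner knows whether those resolvers belong to the ISP, and an O4 entry is only flagged on RunOnce, a Temp path, or a bare filename outside the allowlist, which is why `mobsync.exe /logon` passes while `winole.exe` does not.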