Thread: Spy Ware problem Attached log
-
October 13th, 2005, 09:19 PM #1
Hi All,
I have run Adaware, Spybot S&D, CW, SpywareBlaster, and Norton AV with all the updates to all. After I run Spybot and Adaware it says it cannot delete certain entries b\c they are in mem and to restart and then it will run again. It restarts, runs again, deletes, and then says the same thing? I can't get rid of about 17 entries. On Spybot they are HuntBar and Trek Blue Error Nuker. Here is the log from HijackThis. Also it seems that I get about 3 Windows Service error messages an hour about registry problems? Could this be related to the spyware?
Thanks,
Jutah
Logfile of HijackThis v1.99.1
Scan saved at 9:11:18 PM, on 10/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS2\system32\LxrHP30s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\WINDOWS2\system32\d3pl32.exe
C:\WINDOWS2\System32\rundll32.exe
C:\WINDOWS2\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\The Cleaner\tca.exe
C:\WINDOWS2\crni.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS2\system32\32oror.exe
C:\WINDOWS2\System32\j?vaw.exe
C:\Program Files\boes\tuhr.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\PROGRA~1\Toolbar\tbps.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Droid.DROID-X0IZEPZ4O\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS2\lreac.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS2\lreac.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS2\lreac.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS2\lreac.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS2\lreac.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Class - {063DA205-F02D-CC2E-58D7-FD02913C3AB8} - C:\WINDOWS2\system32\msue.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0E32D6F4-894E-57D8-2DCF-8DF5180E2A99} - C:\WINDOWS2\system32\d3ev32.dll
O2 - BHO: Class - {13898825-A459-48A9-A446-46FCC6BC7D54} - C:\WINDOWS2\system32\sdkxi32.dll
O2 - BHO: Class - {252B1D03-5662-464E-4CD0-115D8F76565E} - C:\WINDOWS2\system32\sysiq.dll
O2 - BHO: Class - {27BB5C5B-D40A-FFB5-0074-0E2C88D1C986} - C:\WINDOWS2\system32\ntqu32.dll
O2 - BHO: Class - {3144C5AF-3EB8-63E5-27D5-D1BB35D9B4BC} - C:\WINDOWS2\atlnb.dll
O2 - BHO: Class - {43DBA2FF-79FA-EC74-B379-8D3C0A8C8A32} - C:\WINDOWS2\sdkxb32.dll
O2 - BHO: Class - {49CEC3A6-C8BD-F30B-BB10-F1F6C9627E89} - C:\WINDOWS2\system32\apinb32.dll
O2 - BHO: Class - {4A42661E-9A8D-FC35-711E-F3E6A8EE8FCE} - C:\WINDOWS2\netjq.dll
O2 - BHO: Class - {6D6CA0E6-F49F-4C70-9FE3-B7E4338EAEA3} - C:\WINDOWS2\crkl32.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Class - {E22C0095-AAAB-961B-9B64-2E3EA98A5FC5} - C:\WINDOWS2\system32\sdkel32.dll
O2 - BHO: Class - {E4C60DB1-BF10-73C7-B262-C2EFC680F8FA} - C:\WINDOWS2\ieil.dll
O2 - BHO: (no name) - {E670EC8B-2D6A-21C8-1AB2-2077A1B70AC5} - C:\WINDOWS2\System32\bgdfwl.dll
O2 - BHO: Class - {EE875E4E-55A8-89D9-1816-CCFF499A72CF} - C:\WINDOWS2\system32\ntlp.dll
O2 - BHO: Class - {F1E884E3-B77F-371D-D46E-CC175F6013F3} - C:\WINDOWS2\iejg.dll
O2 - BHO: Class - {F43C0B7B-4851-D4D1-4656-83DF824CF3D2} - C:\WINDOWS2\system32\applm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [d3pl32.exe] C:\WINDOWS2\system32\d3pl32.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [ieaz.exe] C:\WINDOWS2\system32\ieaz.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ipcu32.exe] C:\WINDOWS2\ipcu32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sysdk32.exe] C:\WINDOWS2\sysdk32.exe
O4 - HKLM\..\Run: [tcactive] d:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] d:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [crff32.exe] C:\WINDOWS2\system32\crff32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS2\system32\32oror.exe
O4 - HKCU\..\Run: [Kbadelq] C:\WINDOWS2\System32\j?vaw.exe
O4 - HKCU\..\Run: [Cdne] "C:\Program Files\boes\tuhr.exe" -vt mt
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - d:\Program Files\Poker.com\poker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - d:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - d:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS2\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Lexar HP30 (LxrHP30s) - Unknown owner - C:\WINDOWS2\SYSTEM32\LxrHP30s.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
-
October 13th, 2005, 09:22 PM #2
www.k-techcomputers.us
There are two links to online analyzers...post your logs there and they'll give you a bunch of info about what to remove..then post back here with new logs...also..I think I saw Norton in there...try getting rid of Norton and using AVG instead (also on that site)
-
October 14th, 2005, 08:22 PM #3
sr71000 thanks for the link
Good stuff! I ran the second analyzer and cleaned up as much as I could. The following entries are giving me problems. They were listed as malicious. I deleted their entry and rebooted, but they keep coming back up? Hijack also told me after reboot to delete the C:\PROGRAM FILES\Toolbar\ and C:\Program Files\CSBB\ folders, but when I try it says I can't b\c an .exe is in use (even though there is nothing running).
Any thoughts?
Thanks,
Jutah
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
(Description: WinTools web browser search hijacker.)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
(Description: HuntBar/Wintools)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
(Description: A hidden or missing adware entry.)
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
(Description: Huntbar)
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
(Description: Adware.Huntbar installs itself as a Browser Helper Object and redirects search requests. Adware.Huntbar also gathers information on Web-browsing habits)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
(Description: Unknown toolbar process.)
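
Added example (not part of the original thread or of HijackThis): a small triage script that reads a HijackThis log and reports folders where the log shows both an autostart entry (O4 Run key or O23 service) and a running process, which is the combination that keeps files locked and lets removed entries be rewritten after a reboot. The sample lines are copied from the log in post #1; the function names and the 8.3 short-name mapping are assumptions.

```python
import re
# Constructed sample: selected lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\PROGRA~1\Toolbar\tbps.exe
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# Assumption: default 8.3 short names; the real mapping is per volume.
SHORT_NAMES = {"progra~1": "program files", "common~1": "common files"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)
ENTRY_RE = re.compile(r"([RO]\d+) - (.*)")

def norm(path):
    # Lower-case and expand the assumed short names so both spellings compare equal.
    return "\\".join(SHORT_NAMES.get(p, p) for p in path.lower().split("\\"))

def parse(log):
    """Return (set of running image paths, list of (section code, file path))."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        entry = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif entry:
            in_procs = False
            found = PATH_RE.search(entry.group(2))
            if found:
                entries.append((entry.group(1), norm(found.group(0))))
        elif in_procs and line:
            running.add(norm(line))
    return running, entries

def held_folders(log):
    """Folders with an autostart entry (O4 Run key, O23 service) AND a live process."""
    running, entries = parse(log)
    report = {}
    for code, path in entries:
        folder = path.rsplit("\\", 1)[0]
        live = sorted(p.rsplit("\\", 1)[1] for p in running if p.rsplit("\\", 1)[0] == folder)
        if code in ("O4", "O23") and live:
            report.setdefault(folder, {"autostart": set(), "running": live})["autostart"].add(code)
    return report
```

On the sample, the Toolbar and WinTools folders are reported with both a Run entry and a service behind their running executables, while the CSBB Run entry is not reported because the first log lists no running process from that folder.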