.dll error - making us crazy

Suzanne

The following error keeps popping up if the computer is
powered on - whether or not we are using it. If left
alone, 100s of error pop up windows will show up. Any
advice to remedy this problem is greatly appreciated!

c:\progra~\intern~3\inetkw.dll

While researching the problem yesterday afternoon, I found
a site where someone posted their Hijack This logfile. If
this helps, here's ours:

Logfile of HijackThis v1.97.7
Scan saved at 5:24:14 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkCalRem.exe
C:\WINDOWS\system32\d3ut.exe
C:\WINDOWS\system32\atlwp32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = res://C:\WINDOWS\myceb.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = res://myceb.dll/index.html#37794
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://homepage.com%
(e-mail address removed)-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://homepage.com%
(e-mail address removed)-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://homepage.com%
(e-mail address removed)-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = res://myceb.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://homepage.com@www.e-finder.cc/search/
(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = res://C:\WINDOWS\myceb.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
res://myceb.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\myceb.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch = http://homepage.com%
(e-mail address removed)-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://your-
searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,
(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = http://default-homepage-network.com/start.cgi?
np-hkcu
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,
(Default) = http://homepage.com@www.e-
finder.cc/search/ (obfuscated)
N3 - Netscape 7: user_pref
("browser.startup.homepage", "search200.com");\nuser_pref
("browser.startup.page", 1); (C:\Documents and
Settings\Owner\Application
Data\Mozilla\Profiles\default\7t81jzou.slt\prefs.js)
N3 - Netscape 7: user_pref
("browser.search.defaultengine", "engine://C%3A%5CProgram%
20Files%5CNetscape%5CNetscape%5Csearchplugins%
5CSBWeb_01.src"); (C:\Documents and
Settings\Owner\Application
Data\Mozilla\Profiles\default\7t81jzou.slt\prefs.js)
O2 - BHO: (no name) - {0E6B1D03-5874-1ED0-9838-
871F6064878A} - C:\WINDOWS\sdkwt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-
FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-
00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-
0090271D4F88} - C:\Program Files\Yahoo!
\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-
7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common
Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program
Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!
\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [kbtpqvk] C:\WINDOWS\System32
\gljhvswy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1
\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32
\stcloader.exe
O4 - HKLM\..\Run: [d3ut.exe] C:\WINDOWS\system32\d3ut.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3
\inetmgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe
nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
O4 - HKLM\..\RunOnce: [apphr32.exe] C:\WINDOWS\apphr32.exe
O4 - HKLM\..\RunOnce: [atlwp32.exe] C:\WINDOWS\system32
\atlwp32.exe
O4 - HKLM\..\RunOnce: [mfcii32.exe] C:\WINDOWS\mfcii32.exe
O4 - HKLM\..\RunOnce: [javaid32.exe]
C:\WINDOWS\javaid32.exe
O4 - Startup: Download Plus.lnk = C:\Documents and
Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk =
C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: winlgn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet
Explorer\Control Panel present
O8 - Extra context menu item: &Google Search -
res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links -
res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages -
res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111113456} -
file://c:\info6.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
(Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/
sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-
4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF}
(MediaTicketsInstaller Control) - http://www.mt-
download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000}
(YahooYMailTo Class) -
http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C}
(Downloader Class) -
http://www.stopzilla.com/_download/Auto_Installer/dwnldr.ca
b
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/Flash/swf
lash.cab
 
Malke

Suzanne said:
The following error keeps popping up if the computer is
powered on - whether or not we are using it. If left
alone, 100s of error pop up windows will show up. Any
advice to remedy this problem is greatly appreciated!

c:\progra~\intern~3\inetkw.dll

While researching the problem yesterday afternoon, I found
a site where someone posted their Hijack This logfile. If
this helps, here's ours:

Please do not post HijackThis logs in this newsgroup. Two places where
it is appropriate and useful are:

http://forum.aumha.org/ - look under "Security" for various forums
forums at http://www.spywareinfo.com

You need to run a scan with a current (post-2002 version) antivirus
using updated definitions (I see you have NAV, so is it current and
updated?) and run Ad-aware, Spybot S&D, CWShredder, and HijackThis
again, making sure that all programs are using updated reference files.
Here are some additional comments about your HJT log:
C:\Program Files\STOPzilla!\szntsvc.exe - Stopzilla should be removed;
it is spyware.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe - Although
legitimate, you don't need RealPlayer's updater running. Disable it.
C:\PROGRA~1\INTERN~3\inetmgr.exe - CommonName malware
C:\Program Files\AWS\WeatherBug\Weather.exe - get rid of this
C:\PROGRA~1\INTERN~3\inetsvc.exe - malware
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkCalRem.exe - disable this
C:\WINDOWS\system32\d3ut.exe - probable malware
C:\WINDOWS\system32\atlwp32.exe - probable malware
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe

You should never have all those instances of rundll32.exe running, but
of course we see that you have quite a bit of malware on your machine.

(rest of log snipped)

Malke
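
The check the reply applies to the "Running processes" section (many copies of one image, such as the five rundll32.exe entries) can be scripted. The following is an added example, not part of the original thread or of HijackThis itself. The function names, the threshold, the `EXPECTED_MULTIPLE` allowlist and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log above, including one path that
# the newsgroup post wrapped across two lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkCalRem.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://your-searcher.com/sp.htm
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Assumption: images that normally run as several instances on Windows.
EXPECTED_MULTIPLE = {"svchost.exe"}

def running_processes(log_text):
    """Return paths from the 'Running processes:' section, rejoining wrapped lines."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the section
        elif in_section and DRIVE_PATH.match(line):
            paths.append(line)
        elif in_section and paths:
            # Continuation: the wrap fell on a space unless the piece starts with "\".
            paths[-1] += ("" if line.startswith("\\") else " ") + line
    return paths

def repeated_images(paths, threshold=2):
    """Map image name -> instance count for images seen at least `threshold` times."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in paths)
    return {n: c for n, c in counts.items()
            if c >= threshold and n not in EXPECTED_MULTIPLE}

if __name__ == "__main__":
    for name, count in repeated_images(running_processes(SAMPLE_LOG)).items():
        print(f"{name}: {count} instances")
```

A high count only marks an image for a closer look; the log does not show which DLL each rundll32.exe instance was asked to load.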
 
