No software picking up Trojans/Spyware..Help!!!

[Bill]

I've got some spyware that just wont go away no matter
how many spyware/antivirus packages I use.

"127021.exe" that I got rid of is now "127051.exe".
Symptoms include a window that pops up and asks you to
select your country.

The other is called "Horseserver.net". Symptoms include
Explorer being opened and taken to
webpage "Horseserver.net"

Here is my HyJack This file...

Logfile of HijackThis v1.99.0
Scan saved at 8:01:47 AM, on 23/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object
Desktop\WindowBlinds\wbload.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft
Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\open32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Connections\1940576
\Program\BackWeb-1940576.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkCalRem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\tmpf01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=presario&pf=desk
top
R1 - HKCU\Software\Microsoft\Internet Connection
Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?
TYPE=3&tp=iehome&locale=EN_CA&c=Q304&bd=presario&pf=deskto
p
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0
\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-
000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-
8333-CF10577473F7} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv]
c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Program
Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32
\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1
\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32
\prvdi.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ares] "C:\Program
Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32
\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program
Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32
\prvdi.exe
O4 - Startup: HotSync Manager.LNK = C:\Program
Files\palmOne\HOTSYNC.EXE
O4 - Startup: IMStart.lnk = C:\Program
Files\InterMute\IMStart.exe
O4 - Startup: winupdate01149333[1].exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk =
C:\Program Files\Common Files\Autodesk
Shared\acstart16.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program
Files\Compaq Connections\1940576\Program\BackWeb-
1940576.exe
O4 - Global Startup: D-Link AirPlus Xtreme G
Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search -
res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -
res://C:\Program
Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program
Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -
res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program
Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\System32\msjava.dll (file
missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-
4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32
\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-
3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-
11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3}
(EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-
0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN
Photo Upload Tool) -
http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools
Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09}
(Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-
JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloa
der.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs
AoD Class) -
http://player.bugs.co.kr/install/BugsLoader20041018.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-
8E447D129300} - C:\Program
Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Autodesk Licensing Service - Autodesk,
Inc. - C:\Program Files\Common Files\Autodesk
Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager - Symantec
Corporation - c:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec
Corporation - c:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec
Corporation - c:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe
(file missing)
O23 - Service: iPod Service - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service -
Symantec Corporation - c:\Program Files\Norton
AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA
Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32
\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation -
c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SNDSrvc.exe

 

[Guest]

-----Original Message-----
I've got some spyware that just wont go away no matter
how many spyware/antivirus packages I use.

"127021.exe" that I got rid of is now "127051.exe".
Symptoms include a window that pops up and asks you to
select your country.

The other is called "Horseserver.net". Symptoms include
Explorer being opened and taken to
webpage "Horseserver.net"

These are for sure spyware.

O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32
\prvdi.exe
and
C:\WINDOWS\System32\tmpf01.exe

Remove these files in safe mode and O4 with Hijack.
Dont blame me.......

I recommend you to go to a forum.

http://aumha.net/viewtopic.php?t=4075

and then post your Hijack log if needed.

 

[Steve Dodson [MSFT]]

Also,

Please submit a suspected spyware report to us through the application
(Tools -> Suspected Spyware Report)

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

-----Original Message-----
I've got some spyware that just wont go away no matter
how many spyware/antivirus packages I use.

"127021.exe" that I got rid of is now "127051.exe".
Symptoms include a window that pops up and asks you to
select your country.

The other is called "Horseserver.net". Symptoms include
Explorer being opened and taken to
webpage "Horseserver.net"

These are for sure spyware.

O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32
\prvdi.exe
and
C:\WINDOWS\System32\tmpf01.exe

Remove these files in safe mode and O4 with Hijack.
Dont blame me.......

I recommend you to go to a forum.

http://aumha.net/viewtopic.php?t=4075

and then post your Hijack log if needed.