Tried everything... can't get rid of "only the best"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by penguin_2000, Jun 26, 2004.

  1. penguin_2000

    penguin_2000 Private E-2

    Ok, I've been up countless nights trying to fix this. Can somebody help me with my hijacking? I've tried Ad-aware, CWShredder, Spybot, Spyware Doctor, and About:Buster. CWShredder comes up clean every time I run it. Thanks. I've attached my full HijackThis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 11:41:25 AM, on 6/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\System32\mspmspsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\GWHotKey.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\winni.exe
    C:\WINDOWS\system32\d3zk32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\tsai\Desktop\Spyremover\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://emnza.dll/index.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://emnza.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://emnza.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {CBCD4D3F-1DC5-8E9F-BD4F-58E145A3C11A} - C:\WINDOWS\system32\ipgn32.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
    O4 - HKLM\..\Run: [winni.exe] C:\WINDOWS\winni.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\RunOnce: [d3zk32.exe] C:\WINDOWS\system32\d3zk32.exe
    O4 - HKLM\..\RunOnce: [netfh.exe] C:\WINDOWS\netfh.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
    O12 - Plugin for .dcr: C:\Program Files\Netscape\Communicator\Program\PLUGINS\np32dsw.dll
    O12 - Plugin for .dr: C:\PROGRA~1\INTERN~1\PLUGINS\npDRDW.dll
    O12 - Plugin for .jpg: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
    O12 - Plugin for .kweb: C:\PROGRA~1\INTERN~1\PLUGINS\NPKWEB32.DLL
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.3410763889
    O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. micr0dv8

    micr0dv8 Private First Class

  3. micr0dv8

    micr0dv8 Private First Class

  4. Chappo

    Chappo Private E-2

    OK I had this same problem and it took me about 2 hrs to fix it once I followed what chaslang told svengali to do. Read this thread and follow it to the letter (all three pages).

    http://www.majorgeeks.com/vb/showthread.php?t=35165

    Also check my last entry on

    http://www.majorgeeks.com/vb/showthread.php?p=375305

    for a very quick summary of how I fixed the problem.

    Note that with the svengali thread you need to work out which files to delete as the names will be different on your computer. On your logfile I think the following have to go:

    O4 - HKLM\..\RunOnce: [d3zk32.exe] C:\WINDOWS\system32\d3zk32.exe
    O4 - HKLM\..\RunOnce: [netfh.exe] C:\WINDOWS\netfh.exe

    but I'm no expert so you should check everything carefully. I recommend you print out svengali's thread and any links mentioned. Print your logfiles and highlight the files that need to go, use the search function to find them and delete them (there will be more than one copy of some of them and they will be in more than one place).

    DO NOT USE MY THREAD AS YOUR GUIDE IT DOESN'T HAVE ENOUGH INFO!

    The only thing I didn't do that chaslang said was to open the ?????.dll file, delete the content and then save as an empty file. I just deleted everything. I wouldn't recommend leaving out anything else.

    MAKE SURE you have hidden files turned off so you can see everything.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, follow the thread that Chappo has given to you. It works. Also note the additional lines in your log that will need to be corrected at the appropriate times as you follow that thread. Here are the additional lines I see:

    O2 - BHO: (no name) - {CBCD4D3F-1DC5-8E9F-BD4F-58E145A3C11A} - C:\WINDOWS\system32\ipgn32.dll
    O4 - HKLM\..\Run: [winni.exe] C:\WINDOWS\winni.exe

    And obviously, the R0 and R1 lines too:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://emnza.dll/index.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://emnza.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://emnza.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\emnza.dll/sp.html#27063
     
  6. penguin_2000

    penguin_2000 Private E-2

    Ok! I seem to be clean for now. Couple of questions though.

    1) I'm using Win2000, and there was no "prefetch" folder, nor did I ever find the .exe to which NSS was pointing. Do you think this will be a problem?? I still have NSS disabled... so it shouldn't hurt me for now...??

    2) It seems the key to kicking this guy is the "run once" items that show up on HijackThis. Is this a correct assumption?

    Thanks again, and I hope I got rid of it for good this time.
     
  7. penguin_2000

    penguin_2000 Private E-2

    Oh, and ...
    3) How do you disable "system restore" for Win2000? I can't find those options anywhere!

    4) What does Network Security Services (NSS) do?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're right, there is no Prefetch folder for Win2K.

    The files will not just show up in RunOnce. They can be in Run, RunOnce, RunServices, or RunServicesOnce.
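    A defender-side parser for the HijackThis lines chaslang flags above (the R0/R1 pages served from res://, the unnamed BHO in system32, and O4 entries in the Run/RunOnce/RunServices/RunServicesOnce keys he lists). This is an added example, not code from the thread or from HijackThis; the "value name equals executable name" O4 rule is a heuristic assumed here, and the sample lines are copied from the log posted in this thread.

```python
import re

# Section prefix of a HijackThis line: R0/R1 = IE pages, O2 = BHO, O4 = autostart
ENTRY_RE = re.compile(r"^(R[01]|O\d+) - (.*)$")
# O4 body layout: hive\..\key: [value name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# Of the keys chaslang lists, the *Once keys are normally empty on a healthy box
ONCE_KEYS = {"RunOnce", "RunServicesOnce"}

def exe_basename(cmd):
    """Pull the executable's file name out of an O4 command line."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    return exe.rsplit("\\", 1)[-1]

def flag(line):
    """Return why a line matches this hijack's pattern, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "= res://" in body:
        # Start/search page served from a local DLL resource, not a web URL
        return "IE page served from res:// DLL resource"
    if section == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
        return "unnamed BHO loaded from system32"
    if section == "O4" and (o4 := O4_RE.match(body)):
        _hive, key, name, cmd = o4.groups()
        if key in ONCE_KEYS:
            return "entry in " + key + " key"
        if name.lower() == exe_basename(cmd).lower():
            # Heuristic (assumed): value name is just the file name, not a product name
            return "autostart value named after its executable"
    return None

def scan(log_text):
    """Return [(line, reason)] for every flagged line of a HijackThis log."""
    return [(ln, r) for ln in log_text.splitlines() if (r := flag(ln))]

# Sample lines copied from the log posted in this thread
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://emnza.dll/index.html#27063
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CBCD4D3F-1DC5-8E9F-BD4F-58E145A3C11A} - C:\WINDOWS\system32\ipgn32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [winni.exe] C:\WINDOWS\winni.exe
O4 - HKLM\..\RunOnce: [d3zk32.exe] C:\WINDOWS\system32\d3zk32.exe
"""
```

Running `scan(SAMPLE_LOG)` flags the res:// page, the ipgn32.dll BHO, winni.exe and the RunOnce d3zk32.exe entry, and leaves the Adobe, Real and Nero entries alone.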
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only WinXP and WinMe have a system restore.

    Here is some info right from Microsoft help about a Service.
    A service is an application type that runs in the background and is similar to UNIX daemon applications. Service applications typically provide features such as client/server applications, Web servers, database servers, and other server-based applications to users, both locally and across the network.
    You can use Services to:

    • Start, stop, pause, resume, or disable services on remote and local computers. You must have the appropriate permissions to start, stop, pause, restart, and disable services.
    • Manage services on local and remote computers (on remote computers running Windows XP, Windows 2000, or Windows NT 4.0 only).
    • Set up recovery actions to take place if a service fails, for example, restarting the service automatically or restarting the computer (on computers running Windows XP or Windows 2000 only).
    • Enable or disable services for a particular hardware profile.
    • View the status and description of each service.
    I don't know if this NSS is a Microsoft Service. I don't think so. But notice that a service can automatically restart itself if it fails and also upon reboot. That's what the Only the Best problem was doing.
     
