can't get rid of this spyware - need help

Discussion in 'Computer Support' started by Puzzled, Dec 14, 2004.

  1. Puzzled

    Puzzled Guest

    Two problems I wonder if related ... first is the adware/spyware I can't
    get rid of. I'm using AdAware, SpySweeper, Norton Systemworks and
    HijackThis. Here are the malware lines from the HijackThis log:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    Second - the Recycle bin shows that it needs to be emptied of two items
    yet in Explore, there are no items in the bin. Each time I try to empty
    the bin of these two items it returns to the previous state of containing
    two items which cannot be seen.

    I don't know if these two problems are related and could really use some
    guidance. Thank you.
    Puzzled, Dec 14, 2004
    #1

  2. Puzzled

    doS Guest

    create a new folder, then drag it to the bin. see if it will let you empty
    then.

    "Puzzled" <> wrote in message
    news:...
    > Two problems I wonder if related ... first is the adware/spyware I can't
    > get rid of. I'm using AdAware, SpySweeper, Norton Systemworks and
    > HijackThis. Here are the malware lines from the HijackThis log:
    >
    > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    > O1 - Hosts: 69.20.16.183 auto.search.msn.com
    > O1 - Hosts: 69.20.16.183 search.netscape.com
    > O1 - Hosts: 69.20.16.183 ieautosearch
    > O1 - Hosts: 69.20.16.183 ieautosearch
    > O1 - Hosts: 69.20.16.183 ieautosearch
    >
    > Second - the Recycle bin shows that it needs to be emptied of two items
    > yet in Explore, there are no items in the bin. Each time I try to empty
    > the bin of these two items it returns to the previous state of containing
    > two items which cannot be seen.
    >
    > I don't know if these two problems are related and could really use some
    > guidance. Thank you.
    >
    >
    doS, Dec 14, 2004
    #2

  3. Puzzled

    °Mike° Guest

    Post the FULL contents of your HijackThis log here.


    On Tue, 14 Dec 2004 08:10:46 -0500, in
    <>
    Puzzled scrawled:

    >Two problems I wonder if related ... first is the adware/spyware I can't
    >get rid of. I'm using AdAware, SpySweeper, Norton Systemworks and
    >HijackThis. Here are the malware lines from the HijackThis log:
    >
    >R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    >O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >O1 - Hosts: 69.20.16.183 search.netscape.com
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >
    >Second - the Recycle bin shows that it needs to be emptied of two items
    >yet in Explore, there are no items in the bin. Each time I try to empty
    >the bin of these two items it returns to the previous state of containing
    >two items which cannot be seen.
    >
    >I don't know if these two problems are related and could really use some
    >guidance. Thank you.
    >


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 14, 2004
    #3
  4. Puzzled

    Puzzled Guest

    Hi Mike :) Please don't scold me about all the crapola. Am at the point
    of considering a reformat. Here is the log (after the third scan):
    Logfile of HijackThis v1.98.2
    Scan saved at 7:59:23 AM, on 12/14/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\tppaldr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\system\lsass.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\Norton Personal Firewall\ATRACK.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TPP Auto Loader] "C:\WINDOWS\tppaldr.exe"
    O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
    O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\lsass.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: YahooPOPs.lnk = C:\Program Files\YahooPOPs\YahooPOPs.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codebase/fontinstaller.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

    Thanks for any guidance you can offer.
    >
    >

    "°Mike°" <> wrote in message
    news:...
    > Post the FULL contents of your HijackThis log here.
    >
    >
    > On Tue, 14 Dec 2004 08:10:46 -0500, in
    > <>
    > Puzzled scrawled:
    >
    >>Two problems I wonder if related ... first is the adware/spyware I can't
    >>get rid of. I'm using AdAware, SpySweeper, Norton Systemworks and
    >>HijackThis. Here are the malware lines from the HijackThis log:
    >>
    >>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    >>O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >>O1 - Hosts: 69.20.16.183 search.netscape.com
    >>O1 - Hosts: 69.20.16.183 ieautosearch
    >>O1 - Hosts: 69.20.16.183 ieautosearch
    >>O1 - Hosts: 69.20.16.183 ieautosearch
    >>
    >>Second - the Recycle bin shows that it needs to be emptied of two items
    >>yet in Explore, there are no items in the bin. Each time I try to empty
    >>the bin of these two items it returns to the previous state of
    >>containing
    >>two items which cannot be seen.
    >>
    >>I don't know if these two problems are related and could really use some
    >>guidance. Thank you.
    >>

    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
    Puzzled, Dec 14, 2004
    #4
  5. Puzzled

    doS Guest

    yeh, have him post 10 or 12kbs, idiot......

    "°Mike°" <> wrote in message
    news:...
    > Post the FULL contents of your HijackThis log here.
    >
    >
    > On Tue, 14 Dec 2004 08:10:46 -0500, in
    > <>
    > Puzzled scrawled:
    >
    doS, Dec 14, 2004
    #5
  6. Puzzled

    °Mike° Guest

    On Tue, 14 Dec 2004 15:09:33 -0500, in
    <>
    Puzzled scrawled:

    >Hi Mike :) Please don't scold me about all the crapola. Am at the point
    >of considering a reformat. Here is the log (after the third scan):
    >Logfile of HijackThis v1.98.2
    >Scan saved at 7:59:23 AM, on 12/14/2004
    >Platform: Windows XP SP2 (WinNT 5.01.2600)
    >MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    >
    >Running processes:


    >C:\WINDOWS\system\lsass.exe


    Lsass.exe should ONLY be run from the Windows\System32
    folder, so this is likely to be a virus/worm. Terminate the
    above process and SCAN YOUR SYSTEM.


    >O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >O1 - Hosts: 69.20.16.183 search.netscape.com
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch


    Have HijackThis fix the above 5 entries.


    >O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\lsass.exe


    Have HijackThis fix the above -- see my comment about
    probable worm/virus.

    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 14, 2004
    #6
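    The two checks °Mike° makes by eye above (hosts-file redirections of search hostnames, and lsass.exe living outside System32) can be made mechanical. The script below is an added example, not code from the thread or from HijackThis; the watched hostname list, the assumption that the Windows directory is named WINDOWS, and the sample log excerpt are constructed for it.

```python
"""Triage a HijackThis log for the two findings discussed in the thread.

Added example, not from the thread or from HijackThis. It flags:
  * O1 hosts-file lines that map a well-known search hostname to a routable
    address (a search hijack), while ignoring normal blackhole entries
    (127.0.0.1 / 0.0.0.0) that an ad-blocking hosts file such as MVPS uses;
  * any lsass.exe path, in the running-process list or an O4 Run entry, that
    is not <drive>:\\WINDOWS\\System32\\lsass.exe (WINDOWS is assumed here).
"""
import ipaddress
import re
from typing import List, Optional

# Hostnames that should never be redirected to a real address by a hosts file.
# Assumed list for this example; the three entries are the ones from the thread.
WATCHED_HOSTNAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# Any drive-rooted path ending in lsass.exe, quoted or bare.
LSASS_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\\lsass\.exe)"?', re.IGNORECASE)
# The only legitimate location (assumes the Windows directory is named WINDOWS).
GOOD_LSASS_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\lsass\.exe$", re.IGNORECASE)


def check_hosts_entry(line: str) -> Optional[str]:
    """Return a finding for an O1 line that points a watched host at a real IP."""
    m = O1_RE.match(line.strip())
    if not m:
        return None
    addr, host = m.group(1), m.group(2)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"hosts entry for {host} has a malformed address {addr!r}"
    if ip.is_loopback or ip.is_unspecified:
        return None  # ordinary blocking entry, not a redirect
    if host.lower() in WATCHED_HOSTNAMES:
        return f"hosts file redirects {host} to {addr} (search hijack)"
    return None


def check_lsass_path(line: str) -> Optional[str]:
    """Return a finding when lsass.exe runs or auto-starts outside System32."""
    m = LSASS_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    if GOOD_LSASS_RE.match(path):
        return None
    return f"lsass.exe found outside System32: {path}"


def triage(log_text: str) -> List[str]:
    """Run both checks over every line of a log and return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_hosts_entry, check_lsass_path):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed excerpt in HijackThis format; the hijack lines mirror the thread,
# the 127.0.0.1 line stands in for a harmless ad-blocking entry.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system\lsass.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.com
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Feed it a whole saved log and it reports each hijacked hostname once per O1 line, so a log with the five entries °Mike° refers to yields five hosts findings plus one for each lsass.exe path outside System32.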
  7. Puzzled

    Cassie Guest

    °Mike°, I have tried numerous times to let HijackThis fix the problems but
    the following items keep recurring like a bad dream:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    Once again I am wondering if the two invisible items in the recycle bin
    could have anything to do with this.

    Do you know of any other way I can stop these popups? AdsGone is trying
    its best but the sudden lurch of the screen when the ad tries to present
    and then AdsGone deflects it is hard on my concentration when working. I
    really, really appreciate your help.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    "°Mike°" <> wrote in message
    news:...
    > On Tue, 14 Dec 2004 15:09:33 -0500, in
    > <>
    > Puzzled scrawled:
    >
    >>Hi Mike :) Please don't scold me about all the crapola. Am at the
    >>point
    >>of considering a reformat. Here is the log (after the third scan):
    >>Logfile of HijackThis v1.98.2
    >>Scan saved at 7:59:23 AM, on 12/14/2004
    >>Platform: Windows XP SP2 (WinNT 5.01.2600)
    >>MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    >>
    >>Running processes:

    >
    >>C:\WINDOWS\system\lsass.exe

    >
    > Lsass.exe should ONLY be run from the Windows\System32
    > folder, so this is likely to be a virus/worm. Terminate the
    > above process and SCAN YOUR SYSTEM.
    >
    >
    >>O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >>O1 - Hosts: 69.20.16.183 search.netscape.com
    >>O1 - Hosts: 69.20.16.183 ieautosearch
    >>O1 - Hosts: 69.20.16.183 ieautosearch
    >>O1 - Hosts: 69.20.16.183 ieautosearch

    >
    > Have HijackThis fix the above 5 entries.
    >
    >
    >>O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\lsass.exe

    >
    > Have HijackThis fix the above -- see my comment about
    > probable worm/virus.
    >
    > <snip>
    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
    Cassie, Dec 16, 2004
    #7
  8. Puzzled

    °Mike° Guest

    Now I'm confused. I was helping somebody
    with the nym "Puzzled". Is that you? If so,
    you haven't mentioned anything about the
    virus/worm issue, and what you did about
    it, if anything.


    On Thu, 16 Dec 2004 00:36:19 -0500, in
    <pe9wd.2313$>
    Cassie scrawled:

    >°Mike°, I have tried numerous times to let HijackThis fix the problems but
    >the following items keep recurring like a bad dream:
    >R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    >O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >O1 - Hosts: 69.20.16.183 search.netscape.com
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >
    >Once again I am wondering if the two invisible items in the recycle bin
    >could have anything to do with this.
    >
    >Do you know of any other way I can stop these popups? AdsGone is trying
    >its best but the sudden lurch of the screen when the ad tries to present
    >and then AdsGone deflects it is hard on my concentration when working. I
    >really, really appreciate your help.
    >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 16, 2004
    #8
  9. Puzzled

    Cassie Guest

    I confuse myself, too. Use one name for business news server and another
    for my ISP news server. Computer gets mixed up sometimes. Sorry.

    I ran SpyBot S&D, then SpySweeper, then HouseCall, then Norton AV.
    Went to GeeksToGo and read for hours.
    Found Guard.tmp in the System32 folder, dragged to desktop, renamed and
    deleted. It recreated itself.
    Ran HijackThis twenty times.
    Result:
    Still have the following bouncing back after the HijackThis fix:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    And now, have a white box on the screen saying "No new messages".
    This box remains 'Always on Top' and I have no clue what it is.

    I do not run Messenger (think I deleted it a long time ago).
    Think this is VX2 in some form but have run out of ideas about what to do.
    Can you help?
    Puzzled aka Cassie
    >

    "°Mike°" <> wrote in message
    news:...
    > Now I'm confused. I was helping somebody
    > with the nym "Puzzled". Is that you? If so,
    > you haven't mentioned anything about the
    > virus/worm issue, and what you did about
    > it, if anything.
    Cassie, Dec 17, 2004
    #9
  10. Puzzled

    °Mike° Guest

    Is your hosts file read only? Take the R/O attribute
    off before you scan, and reinstate it afterwards.

    Have you run the VX2 plugin for Ad-Aware?

    Ad-Aware SE
    http://www.lavasoftusa.com/
    http://www.lavasoft.nu/
    http://www.lavasoft.de/
    Ad-Aware VX2 cleaner plug-in
    http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
    http://www.lavasoft.nu/software/addons/vx2cleaner.shtml
    http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    IMPORTANT NOTICE:
    http://www.mvps.org/winhelp2002/hosts.htm#Attention


    Also, there is now a new version of HijackThis:

    HijackThis
    http://mjc1.com/mirror/hjt/
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    http://209.133.47.12/~merijn/files/HijackThis.exe
    http://aumha.org/downloads/hijackthis.zip
    http://aumha.org/downloads/hijackthis.exe


    On Thu, 16 Dec 2004 20:39:21 -0500, in
    <qSqwd.2533$>
    Cassie scrawled:

    >I confuse myself, too. Use one name for business news server and another
    >for my ISP news server. Computer gets mixed up sometimes. Sorry.
    >
    >I ran SpyBot S&D, then SpySweeper, then HouseCall, then Norton AV.
    >Went to GeeksToGo and read for hours.
    >Found Guard.tmp in the System32 folder, dragged to desktop, renamed and
    >deleted. It recreated itself.
    >Ran HijackThis twenty times.
    >Result:
    >Still have the following bouncing back after the HijackThis fix:
    >R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    >O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >O1 - Hosts: 69.20.16.183 search.netscape.com
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >And now, have a white box on the screen saying "No new messages".
    >This box remains 'Always on Top' and I have no clue what it is.
    >
    >I do not run Messenger (think I deleted it a long time ago).
    >Think this is VX2 in some form but have run out of ideas about what to do.
    >Can you help?
    >Puzzled aka Cassie
    >>

    >"°Mike°" <> wrote in message
    >news:...
    >> Now I'm confused. I was helping somebody
    >> with the nym "Puzzled". Is that you? If so,
    >> you haven't mentioned anything about the
    >> virus/worm issue, and what you did about
    >> it, if anything.

    >


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 17, 2004
    #10
  11. Puzzled

    Cassie Guest

    "°Mike°" <> wrote in message
    news:...
    > Is your hosts file read only? Take the R/O attribute
    > off before you scan, and reinstate it afterwards.
    >

    Ok, looks like I'm getting in over my head here. I went to MVPS.org and
    downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    directory, then rebooted. Was something supposed to happen? Where am I
    supposed to find the host files in order to change the properties? Am I
    to create a HOSTS Editor? or go to Services-msc?
    >
    > Have you run the VX2 plugin for Ad-Aware?
    >

    Yes, thanks. It found no problem!
    >
    > Also, there is now a new version of HijackThis:
    >

    Got the latest version, thanks. Now for the repercussions . . .
    Registry Mechanic reports no problems
    Norton AV reports no virus
    Registry Vac reports no virus
    SpyBot reports no problem
    AdAware reports no problem
    HijackThis reports the same problems every single time:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    Sometimes more lines but never less. Always the same
    auto/search/ieautosearch trio. And that Guard.tmp file is still hovering
    in the Windows folder.

    Spyware Doctor looked like it was going to give me 18+ infections, but at
    18, it crashes and the system reboots ... over and over and over ...

    And did I tell you that I keep getting a "UMonitor" error and the
    following two errors:
    Could not find Program Code
    Winlog error

    Just tell me ... is this hopeless? I need to finish some work now and
    will reformat if you think it is the only way to go. All my business
    files are backed up; most of the other files I care about have been copied
    to another hdd. I am so very tired of this but I hate to give up. Need
    your advice, °Mike°. Thanks.
    Cassie, Dec 18, 2004
    #11
  12. Puzzled

    Guest

    On Fri, 17 Dec 2004 20:18:31 -0500, "Cassie" <>
    wrote:

    |> > Is your hosts file read only? Take the R/O attribute
    |> > off before you scan, and reinstate it afterwards.
    |> >
    |> Ok, looks like I'm getting in over my head here. I went to MVPS.org and
    |> downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    |> directory, then rebooted. Was something supposed to happen? Where am I
    |> supposed to find the host files in order to change the properties? Am I
    |> to create a HOSTS Editor? or go to Services-msc?

    Go to http://drudgereport.com/ and you should not see ANY ads. If not, it's
    working just fine.


    --
    , Dec 18, 2004
    #12
  13. Puzzled

    Guest

    On Fri, 17 Dec 2004 20:18:31 -0500, "Cassie" <>
    wrote:

    |> > Is your hosts file read only? Take the R/O attribute
    |> > off before you scan, and reinstate it afterwards.
    |> >
    |> Ok, looks like I'm getting in over my head here. I went to MVPS.org and
    |> downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    |> directory, then rebooted. Was something supposed to happen? Where am I
    |> supposed to find the host files in order to change the properties? Am I
    |> to create a HOSTS Editor? or go to Services-msc?

    Go to http://drudgereport.com/ and you should not see ANY ads. No ads...
    it's working just fine.


    --
    , Dec 18, 2004
    #13
  14. Puzzled

    Puzzled Guest

    <> wrote in message
    news:...
    > On Fri, 17 Dec 2004 20:18:31 -0500, "Cassie" <>
    > wrote:
    >
    > |> > Is your hosts file read only? Take the R/O attribute
    > |> > off before you scan, and reinstate it afterwards.
    > |> >
    > |> Ok, looks like I'm getting in over my head here. I went to MVPS.org
    > and
    > |> downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    > |> directory, then rebooted. Was something supposed to happen? Where am
    > I
    > |> supposed to find the host files in order to change the properties?
    > Am I
    > |> to create a HOSTS Editor? or go to Services-msc?
    >
    > Goto http://drudgereport.com/ you should not see ANY ads. No ad's...
    > it's working just fine.
    >

    Pardon? I don't know what you are telling me to do. The problem with my
    computer doesn't really have much to do with ads. I'm looking for a virus
    antidote. But thanks for trying to help :)
    Puzzled, Dec 18, 2004
    #14
  15. Puzzled

    Guest

    On Fri, 17 Dec 2004 22:27:24 -0500, "Puzzled" <> wrote:

    |> <> wrote in message
    |> news:...
    |> > On Fri, 17 Dec 2004 20:18:31 -0500, "Cassie" <>
    |> > wrote:
    |> >
    |> > |> > Is your hosts file read only? Take the R/O attribute
    |> > |> > off before you scan, and reinstate it afterwards.
    |> > |> >
    |> > |> Ok, looks like I'm getting in over my head here. I went to MVPS.org
    |> > and
    |> > |> downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    |> > |> directory, then rebooted. Was something supposed to happen? Where am
    |> > I
    |> > |> supposed to find the host files in order to change the properties?
    |> > Am I
    |> > |> to create a HOSTS Editor? or go to Services-msc?
    |> >
    |> > Goto http://drudgereport.com/ you should not see ANY ads. No ad's...
    |> > it's working just fine.
    |> >
    |> Pardon? I don't know what you are telling me to do. The problem with my
    |> computer doesn't really have much to do with ads. I'm looking for a virus
    |> antidote. But thanks for trying to help :)
    |>

    Sorry about that, I popped in on a small part of the situation. You
    questioned whether your Hosts file was working, so I just gave you a link to
    test it.




    --
    , Dec 18, 2004
    #15
  16. Puzzled

    °Mike° Guest

    On Fri, 17 Dec 2004 20:18:31 -0500, in
    <_ELwd.2866$>
    Cassie scrawled:

    >"°Mike°" <> wrote in message
    >news:...
    >> Is your hosts file read only? Take the R/O attribute
    >> off before you scan, and reinstate it afterwards.
    >>

    >Ok, looks like I'm getting in over my head here. I went to MVPS.org and
    >downloaded the Hosts file, put it in the Windows\system32\drivers\etc
    >directory, then rebooted. Was something supposed to happen?


    No, apart from the original hosts file being overwritten.

    >Where am I supposed to find the host files in order to change the
    >properties?


    Exactly where you put the MVPS hosts file.

    >Am I to create a HOSTS Editor? or go to Services-msc?


    No and no.

    <snip>

    >> Also, there is now a new version of HijackThis:
    >>

    >Got the latest version, thanks. Now for the repercussions . . .
    >Registry Mechanic reports no problems
    >Norton AV reports no virus
    >Registry Vac reports no virus
    >SpyBot reports no problem
    >AdAware reports no problem
    >HijackThis reports the same problems every single time:
    > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    > O1 - Hosts: 69.20.16.183 auto.search.msn.com
    > O1 - Hosts: 69.20.16.183 search.netscape.com
    > O1 - Hosts: 69.20.16.183 ieautosearch
    > O1 - Hosts: 69.20.16.183 ieautosearch
    >Sometimes more lines but never less. Always the same
    >auto/search/ieautosearch trio.


    Do you have a hosts file (no extension) in your Windows
    or Windows\System folder?

    >And that Guard.tmp file is still hovering in the Windows folder.


    Clean out your system as per the link in my signature.

    >Spyware Doctor looked like it was going to give me 18+ infections, but at
    >18, it crashes and the system reboots ... over and over and over ...


    Run these, and BE SURE to update them:

    Spybot Search & Destroy
    http://www.safer-networking.org/en/index.html
    SpyBot S&D guide
    http://www.chem.wisc.edu/~network/spybot/

    Spyware Blaster
    http://www.javacoolsoftware.com/spywareblaster.html

    CWShredder (CoolWebSearch remover)
    http://cwshredder.net/cwshredder/cwschronicles.html
    Now maintained by InterMute
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://cwshredder.net/bin/CWShredder.exe


    >And did I tell you that I keep getting a "UMonitor" error and the
    >following two errors:
    > Could not find Program Code
    > Winlog error


    No, you didn't. When does this occur, and what is/are
    the VERBATIM error message/s?

    >Just tell me ... is this hopeless?


    Nothing is hopeless if approached in the right manner.

    >I need to finish some work now and will reformat if you think
    >it is the only way to go.


    I wouldn't say that you have got to that stage, yet.

    >All my business files are backed up; most of the other files I
    >care about have been copied to another hdd. I am so very
    >tired of this but I hate to give up. Need your advice, °Mike°.
    >Thanks.


    If you haven't already taken the drastic route, try the
    steps above, and also don't be afraid to post an updated
    HijackThis log, with the updated version of HJT.

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 19, 2004
    #16
  17. Puzzled

    Cassie Guest

    "°Mike°" <> wrote in message
    news:...
    > On Fri, 17 Dec 2004 20:18:31 -0500, in
    > <snip>
    > If you haven't already taken the drastic route, try the
    > steps above, and also don't be afraid to post an updated
    > HijackThis log, with the updated version of HJT.
    >

    Ok, °Mike°, here is an update. All programs updated. Ran them and found:
    SpyBot finds -
    search.netscape.com...auto.search.msn.com...ieautosearch=69.20.16.183 (aka IGetNet)
    Spysweeper finds - UserFaultCheck - assessment unknown
    CWShredder - Removed from your system: ...CWS.Bootconf...Hosts file redirections

    C:\WINDOWS\system32\drivers\etc holds the following Hosts
    hosts
    hosts.2041216-083415.backup
    hosts.2041216-083453.backup
    hosts.2041219-210230.backup
    hosts.2041219-210224.backup
    hosts.2041219-212534.backup
    hosts.2041219-212537.backup
    hosts.2041219-212540.backup
    hostsagb
    imhosts.sam
    None of them are READ ONLY at this point. But one of them was before. Is
    this important?

    Here are the error messages I get upon warm boot:
    - winlogon.exe encountered a problem and needed to close
    - Rundll:
    - An exception occurred while trying to run
    ""c:\WINDOWS\system32\nrdll.dll".UMonitor"
    - Error: Could not find program code

    Here is latest VX2 log:
    Log for VX2.BetterInternet File Finder (msg126)
    Files Found---
    Additional Files---
    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    Extensions
    FolderGuard
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon
    Guardian Key--- is called:
    User Agent String---
    {43C4951B-E63A-4756-ABA4-9245A37E4FAA}

    Here is latest HijackThis log:
    Logfile of HijackThis v1.99.0
    Scan saved at 12:00:16 PM, on 12/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements
    3.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\tppaldr.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\Norton Personal Firewall\ATRACK.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\Documents and Settings\Momsie\Desktop\AV stuff\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program
    Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
    c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - (no
    file)
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum
    Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal
    Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
    Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control
    Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TPP Auto Loader] "C:\WINDOWS\tppaldr.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus
    C84 Series" /O6 "USB001" /M "Stylus C84"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail]
    C:\DOCUME~1\Momsie\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup
    -product IncrediMail -skip_dialog info
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus
    C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
    Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: StickyNote.exe
    O4 - Startup: YahooPOPs.lnk = C:\Program Files\YahooPOPs\YahooPOPs.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program
    Files\AdsGone\adsgone.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton
    SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program
    Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
    C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program
    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program
    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program
    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program
    files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Pool 2 -
    http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture
    Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) -
    http://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) -
    http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager
    Control) -
    http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX
    control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font
    Installer) -
    http://www.jud2.state.ct.us/webforms/codebase/fontinstaller.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
    http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
    O23 - Service: Adobe Active File Monitor - Unknown - C:\Program
    Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown -
    C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec
    Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. -
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program
    Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: GhostStartService - Symantec Corporation -
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: Iomega App Services - Iomega Corporation -
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: License Management Service ESD - element5 - C:\Program
    Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec
    Corporation - C:\Program Files\Norton SystemWorks\Norton
    AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Service - Symantec Corporation -
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O23 - Service: Norton Personal Firewall Accounts Manager - Symantec
    Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: Norton Unerase Protection - Symantec Corporation -
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Retrospect Launcher - Dantz Development Corporation -
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation -
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation -
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation -
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Norton Personal Firewall Proxy Service - Symantec
    Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program
    Files\Iomega\AutoDisk\ADService.exe

    Ran NAV overnight - no problem found.

    Thanks for your support, °Mike°
    Cassie, Dec 20, 2004
    #17
  18. Puzzled

    °Mike° Guest

    On Mon, 20 Dec 2004 12:10:59 -0500, in
    <eODxd.8180$>
    Cassie scrawled:

    >"°Mike°" <> wrote in message
    >news:...
    >> On Fri, 17 Dec 2004 20:18:31 -0500, in
    >> <snip>
    >> If you haven't already taken the drastic route, try the
    >> steps above, and also don't be afraid to post an updated
    >> HijackThis log, with the updated version of HJT.
    >>

    >Ok, °Mike°, here is an update. All programs updated. Ran them and found:
    >SpyBot finds -
    >search.netscape.com...auto.search.msn.com...ieautosearch=69.20.16.183(aka
    >IGetNet)


    See:
    http://www.pestpatrol.com/PestInfo/I/IGetNet.asp
    http://www.pestpatrol.com/PestInfo/i/igetnet_clearsearch.asp


    >Spysweeper finds - UserFaultCheck - assessment unknown
    >CWShredder -Removed from your system: ...CWS.Bootconf...Hosts file
    >redirections


    Am I reading that right? Did Spysweeper remove CWShredder
    from your system? CWShredder is a valuable tool for removing
    the CoolWeb hijacker.

    CWShredder (CoolWebSearch remover)
    http://cwshredder.net/cwshredder/cwschronicles.html
    Now maintained by InterMute
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://cwshredder.net/bin/CWShredder.exe


    >C:\WINDOWS\system32\drivers\etc holds the following Hosts
    >hosts


    Before you proceed, see (*****) in the HijackThis log advice.
    Open the above in Notepad and delete EVERYTHING
    from it. Save the changes and then right click on it,
    choose 'Properties' and set the Read Only flag.

    >hosts.2041216-083415.backup
    >hosts.2041216-083453.backup
    >hosts.2041219-210230.backup
    >hosts.2041219-210224.backup
    >hosts.2041219-212534.backup
    >hosts.2041219-212537.backup
    >hosts.2041219-212540.backup
    >hostsagb


    Select ALL of the above, hold the SHIFT button and press
    the Delete button -- confirm to delete them all.

    >imhosts.sam
    >None of them are READ ONLY at this point. But one of them was before. Is
    >this important?


    For the original hosts file, yes. It will (should) prevent
    it from being altered.

    >Here are the error messages I get upon warm boot:
    >- winlogon.exe encountered a problem and needed to close
    >- Rundll:
    >- An exception occurred while trying to run
    >""c:\WINDOWS\system32\nrdll.dll".UMonitor"
    >- Error: Could not find program code


    The above file is not a valid system file. Boot into Safe Mode
    and delete nrdll.dll from the system32 folder.

    <snip>

    >Here is latest HijackThis log:
    >Logfile of HijackThis v1.99.0
    >Scan saved at 12:00:16 PM, on 12/20/2004
    >Platform: Windows XP SP2 (WinNT 5.01.2600)
    >MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    <snip>

    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 auto.search.msn.com
    >O1 - Hosts: 69.20.16.183 search.netscape.com
    >O1 - Hosts: 69.20.16.183 ieautosearch
    >O1 - Hosts: 69.20.16.183 ieautosearch


    (*****)
    Again, have HijackThis fix the above "01" (hosts) entries,
    but do this BEFORE you alter the hosts file as described
    at the beginning of this post.


    >O3 - Toolbar: (no name) - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - (no
    >file)


    Have HijackThis fix the above.


    >O4 - HKLM\..\Run: [ImInstaller_IncrediMail]
    >C:\DOCUME~1\Momsie\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup
    > -product IncrediMail -skip_dialog info


    >O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c


    >O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
    >C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm


    Comment on above three entries:
    Personally, I wouldn't trust Incredimail as far as I could spit.


    >O16 - DPF:


    Have HijackThis fix ALL of your 016-DPF entries.


    >O23 - Service: License Management Service ESD - element5 - C:\Program
    >Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe


    I do not know what the above service is, or if it should be
    running. I suggest disabling it until you can find out what
    it is, exactly. You can find it by: Start / Run / services.msc
    Stop the service and then disable it.

    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, Dec 20, 2004
    #18
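°Mike°'s advice above comes down to one check a defender can script: every hosts-file entry that points a name at an address other than the local host is a redirection, and the O1 lines HijackThis reports should match what the file on disk actually contains. The following Python is an added example, not code from the thread or from any of the tools named in it; the hosts-file text and the HijackThis excerpt it parses are constructed samples shaped like the entries posted above (the 69.20.16.183 address is the one from the log), and `hosts_file_writable` is a helper added here to answer Cassie's Read Only question for a path you pass in.

```python
import ipaddress
import os
import re

# Constructed sample hosts file, in the shape of the one described in the thread
# (the 69.20.16.183 lines are the kind of entry the HijackThis log reported).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

# Constructed sample HijackThis log excerpt carrying O1 lines of the same shape.
SAMPLE_HJT = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def parse_hjt_o1(text):
    """Return (ip, hostname) pairs from the 'O1 - Hosts:' lines of a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out


def points_at_local_host(ip):
    """True for loopback/unspecified addresses, the only targets a clean hosts file needs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def redirections(entries):
    """Entries that send a name to a remote address, i.e. the hijack pattern in the thread."""
    return [(ip, name) for ip, name in entries if not points_at_local_host(ip)]


def hosts_file_writable(path):
    """False when the file is read-only (on Windows this reflects the Read Only attribute)."""
    return os.access(path, os.W_OK)


def summarize(hosts_text, hjt_text):
    """Cross-check what the hosts file contains against what HijackThis reported."""
    in_hosts = set(redirections(parse_hosts(hosts_text)))
    in_hjt = set(parse_hjt_o1(hjt_text))
    return {
        "redirected_names": sorted(name for _, name in in_hosts),
        "remote_targets": sorted({ip for ip, _ in in_hosts}),
        "reported_but_gone": sorted(in_hjt - in_hosts),
        "present_but_unreported": sorted(in_hosts - in_hjt),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HOSTS, SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the machine in question you would read `C:\WINDOWS\system32\drivers\etc\hosts` into `parse_hosts` and paste the HijackThis log into `parse_hjt_o1`; an empty `present_but_unreported` list means HijackThis saw everything the file holds, and `hosts_file_writable` returning False on that path confirms the Read Only flag °Mike° asks for is set.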
  19. Puzzled

    Cassie Guest

    "°Mike°" <> wrote in message
    news:41d70b37.3652796@localhost...
    > On Mon, 20 Dec 2004 12:10:59 -0500, in

    <snip>
    >
    >>Spysweeper finds - UserFaultCheck - assessment unknown
    >>CWShredder -Removed from your system: ...CWS.Bootconf...Hosts file
    >>redirections

    >
    > Am I reading that right? Did Spysweeper remove CWShredder
    > from your system? CWShredder is a valuable tool for removing
    > the CoolWeb hijacker.
    >

    <snip>
    Sorry, no. Should have read:
    1-Spysweeper finds - UserFaultCheck - assessment unknown
    2-CWShredder -Removed from your system
    CWS.Bootconf
    Hosts file redirections
    Thanks for the quick response. Will follow instructions after work.
    Fingers crossed.
    Cassie, Dec 20, 2004
    #19
  20. Puzzled

    Cassie Guest

    "°Mike°" <> wrote in message
    news:41d70b37.3652796@localhost...
    > On Mon, 20 Dec 2004 12:10:59 -0500, in
    >
    > <SNIP>
    >>C:\WINDOWS\system32\drivers\etc holds the following Hosts

    >
    > Before you proceed, see (*****) in the HijackThis log advice.
    > Open the above in Notepad and delete EVERYTHING
    > from it. Save the changes and then right click on it,
    > choose 'Properties' and set the Read Only flag.


    How can I open the \drivers\etc file in Notepad?? I opened it in Explore
    and deleted the files. Then, as directed, I made it Read Only.
    > <SNIP>
    >>- Rundll:
    >>- An exception occurred while trying to run
    >>""c:\WINDOWS\system32\nrdll.dll".UMonitor"
    >>- Error: Could not find program code

    >
    > The above file is not a valid system file. Boot into Safe Mode
    > and delete nrdll.dll from the system32 folder.
    >

    Futile - every time the system boots, the *.dll".UMonitor name is
    different. Do you know where this is coming from?
    >
    ><SNIP>
    > Again, have HijackThis fix the above "01" (hosts) entries,
    > but do this BEFORE you alter the hosts file as described
    > at the beginning of this post.
    >

    OK, done.

    >>O3 - Toolbar: (no name) - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - (no
    >>file)

    >
    > Have HijackThis fix the above.
    >

    Done.
    >>O4 - HKLM\..\Run: [ImInstaller_IncrediMail]
    >>C:\DOCUME~1\Momsie\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup
    >> -product IncrediMail -skip_dialog info

    >
    >>O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

    >
    >>O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
    >>C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

    >
    > Comment on above three entries:
    > Personally, I wouldn't trust Incredimail as far as I could spit.
    >

    Oh, °Mike°, you almost made it through a full week without saying that :p

    >>O16 - DPF:

    >
    > Have HijackThis fix ALL of your 016-DPF entries.
    >

    Done.
    >>O23 - Service: License Management Service ESD - element5 - C:\Program
    >>Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

    >
    > I do not know what the above service is, or if it should be
    > running. I suggest disabling it until you can find out what
    > it is, exactly. You can find it by: Start / Run / services.msc
    > Stop the service and then disable it.
    >

    Done.
    And here is the latest HJT log:
    Logfile of HijackThis v1.99.0
    Scan saved at 9:32:26 PM, on 12/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements
    3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\tppaldr.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\AdsGone\adsgone.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Norton Personal Firewall\ATRACK.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\StickyNote\StickyNote.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MailWasher Pro\MailWasher.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SolSuite\SolSuite.exe
    C:\Documents and Settings\Momsie\Desktop\AV stuff\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program
    Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
    c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum
    Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [MOD] "C:\Program Files\Microangelo\muamgr.exe"
    O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal
    Firewall\IAMAPP.EXE"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
    Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control
    Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TPP Auto Loader] "C:\WINDOWS\tppaldr.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus
    C84 Series" /O6 "USB001" /M "Stylus C84"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail]
    C:\DOCUME~1\Momsie\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup
    -product IncrediMail -skip_dialog info
    O4 - HKLM\..\Run: [PestPatrol Control Center]
    c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus
    C84 Series" /M "Stylus C84" /EF "HKCU"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
    Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: StickyNote.exe
    O4 - Startup: YahooPOPs.lnk = C:\Program Files\YahooPOPs\YahooPOPs.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AdsGone 2004.lnk = C:\Program
    Files\AdsGone\adsgone.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton
    SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program
    Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
    C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program
    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program
    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program
    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program
    files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O23 - Service: Adobe Active File Monitor - Unknown - C:\Program
    Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown -
    C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec
    Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. -
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program
    Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: GhostStartService - Symantec Corporation -
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: Iomega App Services - Iomega Corporation -
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec
    Corporation - C:\Program Files\Norton SystemWorks\Norton
    AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Service - Symantec Corporation -
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O23 - Service: Norton Personal Firewall Accounts Manager - Symantec
    Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: Norton Unerase Protection - Symantec Corporation -
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Retrospect Launcher - Dantz Development Corporation -
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation -
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation -
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation -
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Norton Personal Firewall Proxy Service - Symantec
    Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program
    Files\Iomega\AutoDisk\ADService.exe

    Getting there with your help, thanks.
    the ever Puzzled Cassie
    Cassie, Dec 21, 2004
    #20
