Serious Spyware issues ...

From: Shoff (shofozul_ali_at_hotmail.com)
Date: 06/14/04


Date: 13 Jun 2004 15:42:23 -0700

For the past fortnight, I have had serious problems with popup
windows, hijacked startup sites of IE, IE bars installed, and even had
executables downloaded and executed without my knowledge. I've even
had one window popup, download a screen saver and install it as my
default screen saver.

I have got XP, ZoneAlarmPRO 4.5 and Norton Anti-Virus running. I have
run Ad-Aware many times and HijackThis. They clear the situation
until the next time I connect to the Internet, then it all comes back
again. Many times I have gone through the registry and got rid of
programs that were installed without my knowledge, and even though ZA
doesn't say anything about programs being downloaded, it does tell me
that these weird programs are connecting to the Internet and asks
whether to allow it or not.

In fact many times when I have been searching for the names of the
offending exes (7015.exe etc.) I find them in a key of Pending
Renames. They somehow get into my Temp directory and I presume via
this setting get renamed so that you can't block them forever.

I have taken all programs off the ZoneAlarm allowed programs list and,
adding them back one by one, the ones that I was not sure about were
winlogon.exe, rundll and svchost. These could run anything, but I am
sure they had access before.

I am not sure whether this was always the case, but when I looked into
it, Winlogon.exe keeps on trying to connect to the Internet to a site
...btcentralplus.com. First I thought this was my provider, but it
keeps on sending packets there, and if I block it, it actually locks up
my Internet access because of it continually trying to connect to the
site, ZA blocking the site and then logging this.

Furthermore I have noticed that my HOSTS file keeps on getting
rewritten to

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch

Running FileMonitor on it shows that Winlogon.exe keeps checking and
updating it. Even if I delete it or amend it, it gets written back.

I thought perhaps the winlogon.exe was at fault because I do not
remember it trying to access the Internet so often before, but checking
the file it says Company Microsoft Corp., File Version 5.1.2600.1106
(xpsp1.020828-1920). Is this a good enough check to say that it is

It has also tampered with my search. I can no longer search my files
and folders or anything else. It keeps on saying some component is
missing, so I can't even check if there are any other files like this.

It is almost getting unusable, and I don't know what to do. How is it
getting past anti-virus, firewall, and Ad-Aware? Please help, as there
seems to be something on my machine that just lets everything back on
when I clean it up.
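The rewritten HOSTS file in the post is a useful indicator on its own: loopback entries sinkhole domains, while entries pointing well-known search hostnames at an outside address hijack search. The following is an added example, not code from the original post, that parses HOSTS contents and flags both patterns; the sample text and the SEARCH_HOSTNAMES set are constructed from the entries the post quotes.

```python
import ipaddress

# Constructed sample, based on the HOSTS entries quoted in the post.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

# Hostnames IE/Windows consult for auto-search; pointing them elsewhere hijacks search.
SEARCH_HOSTNAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every mapping, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one address may map several hostnames
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return (severity, ip, hostname, reason) findings for suspicious mappings."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("high", ip, name, "unparseable address"))
            continue
        if name == "localhost":
            continue  # the one loopback entry a clean HOSTS file normally carries
        if addr.is_loopback:
            # Domain sinkholed to loopback: blocks it (adware often blocks competitors this way)
            findings.append(("low", ip, name, "sinkholed to loopback"))
        elif not addr.is_private and name in SEARCH_HOSTNAMES:
            findings.append(("high", ip, name, "search hostname redirected to external address"))
        elif not addr.is_private:
            findings.append(("medium", ip, name, "hostname redirected to external address"))
    return findings
```

Run `audit_hosts` over the real file (on XP, `%SystemRoot%\system32\drivers\etc\hosts`) and any "high" finding is a hijack, not a block list.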