Re: Serious Spyware issues ...

From: Chuck (none_at_example.net)
Date: 06/14/04


Date: 14 Jun 2004 00:21:13 -0500

On 13 Jun 2004 15:42:23 -0700, shofozul_ali@hotmail.com (Shoff) wrote:

>For the past fortnight, I have had serious problems with popup
>windows, hijacked startup sites of IE, IE bars installed, and even had
>executables downloaded and executed without my knowledge. I've even
>had one window popup, download a screen saver and install it as my
>default screen saver.
>
>I have got XP, ZoneAlarmPRO 4.5 and Norton Anti-Virus running. I have
>run Ad-Aware many times and HijackThis. They clear the situation
>until the next time I connect to the Internet, then it all comes back
>again. Many times I have gone through the registry and got rid of
>programs that were installed without my knowledge and even though ZA
>doesn't say anything about programs being downloaded, it does tell me
>that these weird programs are connecting to the Internet and asks to
>allow it or not.
>
>In fact many times when I have been searching for the names of the
>offending exes (7015.exe etc.) I find them in a key of Pending
>Renames. They somehow get into my Temp directory and I presume via
>this setting get renamed so that you can't block them forever.
>
>I have taken all programs off the ZoneAlarm allowed programs list, and
>adding them back one-by-one the ones that I was not sure about were
>winlogon.exe, rundll and svchost. These could run anything, but I am
>sure they had access before.
>
>I am not sure whether this was always the case but when I looked into
>it, Winlogon.exe keeps on trying to connect to the internet to a site
>...btcentralplus.com. First I thought this was my provider, but it
>keeps on sending packets there and if I block it, it actually locks up
>my internet access because of it continually trying to connect to the
>site, the ZA blocking the site and then logging this.
>
>Furthermore I have noticed that my HOSTS file keeps on getting
>rewritten to
>
>127.0.0.1 www.igetnet.com
>127.0.0.1 code.ignphrases.com
>127.0.0.1 clear-search.com
>127.0.0.1 r1.clrsch.com
>127.0.0.1 sds.clrsch.com
>127.0.0.1 status.clrsch.com
>127.0.0.1 www.clrsch.com
>127.0.0.1 clr-sch.com
>127.0.0.1 sds-qckads.com
>127.0.0.1 status.qckads.com
>69.20.16.183 auto.search.msn.com
>69.20.16.183 search.netscape.com
>69.20.16.183 ieautosearch
>
>Running FileMonitor on it shows that Winlogon.exe keeps checking and
>updating it. Even if I delete it or amend it, it gets written back.
>
>I thought perhaps the winlogon.exe was at fault because I do not
>remember it trying to access the Internet so often before, but checking
>the file it says Company Microsoft Corp., File Version 5.1.2600.1106
>(xpsp1.020828-1920). Is this a good enough check to say that it is
>
>It has also tampered with my search. I can no longer search my files
>and folders or anything else. It keeps on saying some component is
>missing. So I can't even check if there are any other files like this.
>
>It is almost getting unusable, and I don't know what to do? How is it
>getting past anti-virus, firewall, and adaware? Please help, as there
>seems to be something on my machine that just lets everything back on
>when I clean it up.

OK, you've run both Spybot S&D, and HijackThis? Which expert forum did you post
the HJT log in (essential for HJT use!)? Can you provide a link to your post?

There is some very persistent spyware out there that takes a lot of detailed
analysis to remove it. You have to have the experts help you out.
<http://forums.net-integration.net/>
<http://forums.spywareinfo.com/>
<http://spywarewarrior.com/index.php>
<http://forums.tomcoyote.org/>
<http://www.wilderssecurity.com/>

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
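
The HOSTS entries quoted in the original post fall into two groups: names pinned to 127.0.0.1, and search hostnames pointed at 69.20.16.183. The following is an added example, not part of either poster's message: a small hosts-file audit that separates the two groups so unexpected redirects stand out. The function names and the sample text are assumptions made for illustration; the sample reuses a few of the quoted entries plus constructed lines.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a comment, the stock localhost line, some of the
# entries quoted in the post above, and one malformed line.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com   # trailing comment
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
not-an-ip broken.example
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only, or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an IP address
        for name in fields[1:]:           # one line may map several names
            yield lineno, ip, name.lower()

def audit_hosts(text, expected=("localhost",)):
    """Return (sinkholed_names, {ip: [redirected_names]}) for unexpected entries."""
    sinkholed, redirected = [], defaultdict(list)
    for _, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name not in expected:
                sinkholed.append(name)    # name forced to resolve to this machine
        else:
            redirected[str(ip)].append(name)  # name forced to a non-loopback address
    return sinkholed, dict(redirected)

if __name__ == "__main__":
    sunk, moved = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sunk)
    for ip, names in moved.items():
        print("redirected to", ip, "->", names)
```

On Windows XP the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; pass its contents to `audit_hosts` and compare the result against what you expect to be there.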


