Re: Serious Spyware issues ...
From: Shoff (shofozul_ali_at_hotmail.com)
Date: 23 Jun 2004 05:55:26 -0700
Thanks very much. It was a look2me issue and it seems to have gone
away, for now. I still am not sure how it got there but have also put
in all the recommendations Russell pointed me to (Thank you too
Russell), and so far no repeats of things installing themselves and
weird popups all the time.
Once again thanks everyone.
"Jim Byrd" <email@example.com> wrote in message news:<OXgK7AQVEHA.firstname.lastname@example.org>...
> Hi Shoff - IIRC, 126.96.36.199 may be added by look2me. Although I don't
> usually recommend it, you can try their uninstaller here, since that one can
> be messy. It has been reported to work, however. See the direction here
> first before running the uninstaller:
> Then follow up with CWShredder, AdAware, and SpyBotS&D again in that order,
> with each being run from Safe mode. Reboot and re-run from Safe mode when
> any fix is made until you get a clean "non-red" scan from each.
> Please respond in the same thread.
> Regards, Jim Byrd, MS-MVP
> In news:email@example.com,
> Shoff <firstname.lastname@example.org> typed:
> > For the past fortnight, I have had serious problems with popup
> > windows, hijacked startup sites of IE, IE bars installed, and even had
> > executables downloaded and executed without my knowledge. I've even
> > had one window popup, download a screen saver and install it as my
> > default screen saver.
> > I have got XP, ZoneAlarmPRO 4.5 and Norton Anti-Virus running. I have
> > run Ad-Aware many times and hijack this. They clear the situation
> > until the next time I connect to the Internet, then it all comes back
> > again. Many times I have gone through the registry and got rid of
> > programs that were installed without my knowledge and even though ZA
> > doesn't say anything about programs being downloaded, it does tell me
> > that these weird programs are connecting to the Internet and asks to
> > allow it or not.
> > In fact many times when I have been searching for the names of the
> > offending exes (7015.exe etc.) I find them in a key of Pending
> > Renames. They somehow get into my Temp directory and I presume via
> > this setting get renamed so that you can't block them forever.
> > I have taken all programs off the ZoneAlarm allowed programs list, and
> > adding them back one-by-one the ones that I was not sure about were
> > winlogon.exe, rundll and svchost. These could run anything, but I am
> > sure they had access before.
> > I am not sure whether this was always the case but when I looked into
> > it, Winlogon.exe keeps on trying to connect to the internet to a site
> > ...btcentralplus.com. First I thought this was my provider, but it
> > keeps on sending packets there and if I block it, it actually locks up
> > my internet access because of it continually trying to connect to the
> > site, the ZA blocking the site and then logging this.
> > Furthermore I have noticed that my HOSTS file keeps on getting
> > rewritten to
> > 127.0.0.1 www.igetnet.com
> > 127.0.0.1 code.ignphrases.com
> > 127.0.0.1 clear-search.com
> > 127.0.0.1 r1.clrsch.com
> > 127.0.0.1 sds.clrsch.com
> > 127.0.0.1 status.clrsch.com
> > 127.0.0.1 www.clrsch.com
> > 127.0.0.1 clr-sch.com
> > 127.0.0.1 sds-qckads.com
> > 127.0.0.1 status.qckads.com
> > 188.8.131.52 auto.search.msn.com
> > 184.108.40.206 search.netscape.com
> > 220.127.116.11 ieautosearch
> > Running FileMonitor on it shows that Winlogon.exe keeps checking and
> > updating it. Even if I delete it or amend it, it gets written back.
> > I thought perhaps the winlogon.exe was at fault because, I do not
> > remember it trying to access the Internet so often before, but checking
> > the file it says Company Microsoft Corp., File Version 5.1.2600.1106
> > (xpsp1.020828-1920). Is this a good enough check to say that it is
> > It has also tampered with my search. I can no longer search my files
> > and folders or anything else. It keeps on saying some component is
> > missing. So I can't even check if there are any other files like this.
> > It is almost getting unusable, and I don't know what to do? How is it
> > getting past anti-virus, firewall, and adaware? Please help, as there
> > seems to be something on my machine that just lets everything back on
> > when I clean it up.
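
Added example (not part of the original posts): a small Python audit of a HOSTS file like the one quoted above. It separates names pinned to a non-loopback address, where DNS is bypassed as with the search-site entries, from names pinned to loopback. The sample file is constructed, its redirect addresses are placeholders from the 192.0.2.0/24 documentation range, and `audit_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample modelled on the entries quoted in the post. The redirect
# addresses are placeholders from the 192.0.2.0/24 documentation range.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com   # trailing comment
192.0.2.10 auto.search.msn.com
192.0.2.10 search.netscape.com
192.0.2.11 ieautosearch
not-an-ip broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, verdict, address, name) for every mapping in a HOSTS file.

    Verdicts: 'ok' (localhost on loopback), 'sinkhole' (name pinned to
    loopback or 0.0.0.0), 'redirect' (name pinned to any other address, so
    DNS is bypassed for it), 'malformed' (unparsable line).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment only
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            findings.append((line_no, "malformed", fields[0], None))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if local:
                verdict = "ok" if name in LOCAL_NAMES and addr.is_loopback else "sinkhole"
            else:
                verdict = "redirect"
            findings.append((line_no, verdict, str(addr), name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        if finding[1] != "ok":
            print(*finding)
```

On a live system the input would be the contents of `%SystemRoot%\system32\drivers\etc\hosts`; any `redirect` verdict for a search or update domain is worth investigating before the file is cleaned, since the post describes it being rewritten after each edit.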