
spyware

Discussion in 'Security and Privacy' started by noclue119, 2004/07/27.

Thread Status:
Not open for further replies.
  1. 2004/07/27
    noclue119

    noclue119 Inactive Thread Starter

    Joined:
    2004/07/27
    Messages:
    1
    Likes Received:
    0
    ***

    I've tried everything... I got rid of wintoola.exe, wsup.exe and wintools.exe and once in a while, I get this pop up that goes to some look2me.com or a few other sites.. I've tried all their removal instructions including pepfix.exe and hijackthis delete, nothing works, help...

    hijacklog

    Logfile of HijackThis v1.98.0
    Scan saved at 8:40:08 AM, on 7/27/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpybotSD\TeaTimer.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hjiurrkdlenhgjoxjhxzclls...ssrUIMBllNZ2AS2P5uMjo5Ms7r530nhFsONNTJOC.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eaglegroupint.com
    O17 - HKLM\Software\..\Telephony: DomainName = eaglegroupint.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eaglegroupint.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eaglegroupint.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
     
  2. 2004/07/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS noclue119 :)

    First, update Spybot and disable Tea-Timer. (Some recent problems with some of Spybot's update sites - may have to try more than one.)

    If you haven't already, download Ad-aware (build 6.181), and CWShredder (v1.59.1). Both are free and available from the links in my signature. Install Ad-aware, then immediately check for updates. Configure for a custom full scan. CWShredder can be saved to the desktop.

    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder. That will keep backup files from scattering all over the desktop.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hjiurrkdlenhgjoxjhxzclls...hFsONNTJOC.html
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch


    Close ALL other windows and open CWShredder, then click fix.

    Run Spybot and fix everything it finds that is prechecked.

    Run Ad-aware and delete all it finds.

    If you have disabled any startups, please re-enable and reboot. (Needs to be rebooted at this point regardless.)

    Then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Copy and paste the following command into the address bar then hit enter.

    javascript:navigator.userAgent

    Copy the text of the resulting window and paste it here with your next reply, along with a new HJT log.

    It appears that HJT cannot identify your OS. Would you please tell us what it is?
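
An added example, not part of the original posts: a small Python triage pass over HijackThis log lines that flags the two entry types selected for fixing above, O1 hosts-file entries that pin a name to a non-loopback address and R0/R1 Internet Explorer URLs that point off-site. The sample lines are copied from the log in the first post; the `TRUSTED_SUFFIXES` allowlist and the `review` function are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hjiurrkdlenhgjoxjhxzclls...ssrUIMBllNZ2AS2P5uMjo5Ms7r530nhFsONNTJOC.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Assumption for this example: domains treated as expected targets for IE URLs.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com")
R_ENTRY = re.compile(r"^R[01] - (?P<key>.+?),(?P<name>[^=]+?) = (?P<data>\S+)$")
O1_ENTRY = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def review(log_text):
    """Return (reason, line) pairs for entries that redirect browsing."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        hosts = O1_ENTRY.match(line)
        reg = R_ENTRY.match(line)
        if hosts:
            # A hosts entry with a routable address overrides DNS for that name.
            try:
                ip = ipaddress.ip_address(hosts["ip"])
            except ValueError:
                continue
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("hosts-redirect", line))
        elif reg:
            url = urlparse(reg["data"])
            # Only http(s) targets are judged here; res:// entries need manual review.
            if url.scheme in ("http", "https") and not is_trusted(url.hostname or ""):
                findings.append(("ie-url-offsite", line))
    return findings

if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the sample this reports the same four lines listed for fixing in the reply above; loopback hosts entries, which are commonly used as block lists, are left alone.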
     


  4. 2004/07/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dave - it is a Windows 2003 Server build.
     