Help Please
#1
Running Windows XP Pro SP2, using Norton Antivirus 2005, Spybot, AdAware SE, MSAS Beta.

Installed MSAS and it found INetSpeak Websearch. It indicates this is a high risk threat. Removes it then comes back about 2 minutes later.

Have run in safe mode and still it returns when I boot up in normal mode. Any suggestions?
#2
A couple of other spyware reporting sites classify it as more of an annoyance than a threat (spywareguide.com, for example), but I guess threat rating is a matter of opinion.

You can manually remove it, if you want. Here's a link to the removal instructions:
http://www.spywareguide.com/product_show.php?id=486

Interestingly enough, Giant's page on this pest is now a dead link.

Mark
#3

"Mark Stinson" <spiderman@daily.bugle.com> wrote in message news:Oj0irUaAFHA.2392@CPMSFTNGSA04.privatenews.microsoft.com...
> Interestingly enough, Giant's page on this pest is now a dead link.

I suspect most or all such pages are now dead. I hope that much of this information will become available in the future--many users of Giant's products found it a valuable part of the service.
#4
Does this mean that even though the software is still loaded on my system (and I can't get rid of it) the links are dead so no information is being transmitted? I tried the manual suggestion but don't seem to have any of the files noted at the link provided, so it's still in my pc.
#5
Craig - I don't think that is what Mark meant. Have you gone to the link that Mark provided and tried the manual removal steps posted there?

Are you doing a full scan, or just the Intelligent quickscan?

--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
#6
Thanks Bill. I am running full scans in Safe mode. I did go to that link and it describes several file names for its location, depending on how it was installed, i.e. through which program. I've not installed any of those programs and do not have any files with those file names or .dll names. Any further thoughts?
#7
It definitely isn't dead on your system, and seems to have changed since the instructions Mark references were posted. Some apps of this kind use randomly named portions of their code so that the names aren't useful as guidance in removal.

The key for you will be finding the executable in a startup vector on your machine which is re-starting the process each time you restart the machine. It is probably hidden--perhaps as a hidden, system file, in some location such as Temporary Internet files.

However, the System explorers in Tools, advanced tools, ought to show it.

The "older" (and perhaps still the best) approach in this situation is to use the HijackThis application and post logs showing the startup vectors on your machine to a forum where folks who are accustomed to looking at those can spot the bad stuff and guide you through unchecking the entries that allow the spyware to get restarted.

The system explorers certainly allow you to look at those same locations yourself, and the question is whether they give you enough guidance that you can spot what is bad.

What do you see in the System Explorers Startup Programs list which has a minimal description, or, perhaps, starts from an unusual location?

--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
#8
Thanks for your persistence Bill. I'm not sure what you mean by system explorers in tools, advanced tools. In IE if I drop down the Tools list I don't have an advanced tools choice. Perhaps I'm looking in the wrong place. Likely.

I did go back to the instructions from that link Mark sent and actually found a .dll in the C:\windows\system32 folder. I deleted it and it came back within a minute. It is a 5 digit number followed by .dll. It comes back as a different number each time I wipe it out. I then tried to follow the link instructions, opened a dos window and was able to remove the .dll using the regsvr32 /u command. It confirmed it had successfully removed the .dll entry from the registry. I then went back into the system32 folder and deleted the .dll. Again within a minute it was back as a different 5 digit number. I know this is the correct dll as its originator is ESD which is the originator of this INetSpeak thing.

I would be happy to report what is in the tools advanced tools thing if you could specify how I would find that. I'll keep looking in windows explorer and will post results if I find the right spot before you reply. Thank you for your help.
#9
Yes--the dll comes back because there is a monitoring process running that keeps it active. And, there is a startup item that creates that monitoring process---these critters have sort of a three-part mechanism which is quite robust, as you've discovered. I doubt I have described it particularly accurately, but you get the idea!

When I hit Tools, I see Summary, Spyware Scan, Real-time protection, Advanced Tools, and Suspected Spyware report.

If you don't see all those choices, can you post what you do see?

And, can you try control panel, add or remove programs, Microsoft antispyware, change, update--just to see whether that (effectively a repair install) fixes things?

--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
#10
Amazing what you find when you look in the right place. I do have all of the options as you've listed them. I was looking in IE and Windows, not MSAS!

The ESD BHO was listed in the IE BHO's tab. I permanently deleted it, and it only took a minute to show up again using a new number.

Under start up applications I recognize everything on the list except a couple near the bottom that are from Microsoft (you don't get the option to delete them if you click on them for more info). There are several programs on the list that don't need to start up when I boot. If I block them from starting will the apps still run ok if I start them manually when needed? Here's a list of these.

Cisco Systems VPN Client File name: vpngui.exe
EPSON Status Monitor 3 File name: e_srcv02.exe
Microsoft Office XP File name: osa.exe
WinZip File name: wzqkpick.exe
Online Ink Purchase Utility File name: inkmonitor.exe
Microsoft ActiveSync File name: wcescomm.exe

If I block them and then run scans in Safe mode and INetSpeak gets deleted for good when rebooting into normal mode, then I guess it could be buried in one of these. Everything else is related to MSAS, Norton, Windows, or my Logitech wireless keyboard and mouse.

Suggestions for next steps? Thanks.
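A sketch of the startup-vector review discussed in this thread, added here as an example and not part of any poster's message: it parses HijackThis-style O2 (BHO) and O4 (startup) log lines and flags the traits the posters describe, namely a digits-only file name in system32, a launch path under Temporary Internet Files, and a BHO with no description. The sample log, CLSIDs, paths and function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample in HijackThis log layout. CLSIDs, paths and the numeric
# DLL name are placeholders, not values taken from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\48213.dll
O4 - HKLM\..\Run: [vpngui] "C:\Program Files\Cisco Systems\VPN Client\vpngui.exe"
O4 - HKLM\..\Run: [WinZip] C:\Program Files\WinZip\wzqkpick.exe
O4 - HKCU\..\Run: [updmon] C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\updmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<src>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<src>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr))(?=\s|$)', re.I)


def command_path(cmd):
    """Return the file a startup command launches, without its arguments."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def parse_log(text):
    """Extract BHO and startup entries from HijackThis-style log text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "BHO", "source": m["clsid"],
                            "name": m["name"], "path": m["path"].strip()})
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append({"kind": "startup", "source": m["src"],
                            "name": m["name"], "path": command_path(m["cmd"])})
    return entries


def reasons(entry):
    """List why an entry deserves a closer look; empty if nothing stands out."""
    stem, _ext = ntpath.splitext(ntpath.basename(entry["path"]))
    folder = ntpath.dirname(entry["path"]).lower()
    found = []
    # The file name changes on every re-drop, so match the naming pattern
    # rather than one fixed name.
    if stem.isdigit() and folder.endswith("\\system32"):
        found.append("numeric file name in system32")
    if "temporary internet files" in folder:
        found.append("starts from Temporary Internet Files")
    if entry["kind"] == "BHO" and entry["name"].strip().lower() in ("", "(no name)"):
        found.append("BHO without a description")
    return found


def triage(text):
    """Return (entry, reasons) pairs for entries with at least one reason."""
    return [(e, r) for e in parse_log(text) for r in [reasons(e)] if r]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f'{entry["kind"]:8} {entry["path"]}  <- {"; ".join(why)}')
```

Flagged entries are candidates for review, not verdicts: the heuristics only narrow down which startup items and BHOs to examine first.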