Help Please

Craig

Running Windows XP Pro SP2, using Norton Antivirus 2005,
Spybot, AdAware Se, MSAS Beta.

Installed MSAS and it found INetSpeak Websearch. It
indicates this is a high risk threat. Removes it then
comes back about 2 minutes later.

Have run in safe mode and still it returns when I boot up
in normal mode. Any suggestions?
 
Mark Stinson

A couple of other spyware reporting sites classify it as more of an
annoyance than a threat (spywareguide.com, for example), but I guess threat
rating is a matter of opinion. You can manually remove it, if you want.
Here's a link to the removal instructions

http://www.spywareguide.com/product_show.php?id=486

Interestingly enough, Giant's page on this pest is now a dead link.

Mark
 
Bill Sanderson

Mark Stinson said:
Interestingly enough, Giant's page on this pest is now a dead link.

I suspect most or all such pages are now dead. I hope that much of this
information will become available in the future--many users of Giant's
products found it a valuable part of the service.
 
Craig

Does this mean that even though the software is still
loaded on my system (and I can't get rid of it) the links
are dead so no information is being transmitted? I tried
the manual suggestion but don't seem to have any of the
files noted at the link provided, so it's still in my pc.
 
Bill Sanderson

Craig - I don't think that is what Mark meant. Have you gone to the link
that Mark provided and tried the manual removal steps posted there?

Are you doing a full scan, or just the Intelligent quickscan?
 
Craig

Thanks Bill. I am running full scans in Safe mode. I did
go to that link and it describes several file names for
its location, depending on how it was installed, i.e.
through which program. I've not installed any of those
programs and do not have any files with those file names
or .dll names. Any further thoughts?
 
Bill Sanderson

It definitely isn't dead on your system, and seems to have changed since the
instructions Mark references were posted. Some apps of this kind use
randomly named portions of their code so that the names aren't useful as
guidance in removal.

The key for you will be finding the executable in a startup vector on your
machine which is re-starting the process each time you restart the machine.
It is probably hidden--perhaps as a hidden, system file, in some location
such as Temporary Internet files.

However, the System explorers in Tools, advanced tools, ought to show it.

The "older" (and perhaps still the best) approach in this situation is to
use the HijackThis application and post logs showing the startup vectors on
your machine to a forum where folks who are accustomed to looking at those
can spot the bad stuff and guide you through unchecking the entries that
allow the spyware to get restarted.

The system explorers certainly allow you to look at those same locations
yourself, and the question is whether they give you enough guidance that you
can spot what is bad.

What do you see in the System Explorers Startup Programs list which has a
minimal description, or, perhaps, starts from an unusual location?
 
Craig

Thanks for your persistence Bill. I'm not sure what you
mean by system explorers in tools, advanced tools. In IE
if I drop down the Tools list I don't have an advanced
tools choice. Perhaps I'm looking in the wrong place.
Likely.

I did go back to the instructions from that link Mark
sent and actually found a .dll in the C:\windows\system32
folder. I deleted it and it came back within a minute.
It is a 5 digit number followed by .dll. It comes back
as a different number each time I wipe it out. I then
tried to follow the link instructions, opened a dos
window and was able to remove the .dll using the
regsvr32 /u command. It confirmed it had successfully
removed the .dll entry from the registry. I then went
back into the system32 folder and deleted the .dll.
Again within a minute it was back as a different 5 digit
number. I know this is the correct dll as its
originator is ESD which is the originator of this
INetSpeak thing.

I would be happy to report what is in the tools advanced
tools thing if you could specify how I would find that.
I'll keep looking in windows explorer and will post
results if I find the right spot before you reply. Thank
you for your help.
 
Bill Sanderson

Yes--the dll comes back because there is a monitoring process running that
keeps it active. And, there is a startup item that creates that monitoring
process---these critters have sort of a three-part mechanism which is quite
robust, as you've discovered. I doubt I have described it particularly
accurately, but you get the idea!

When I hit Tools, I see Summary, Spyware Scan, Real-time protection,
Advanced Tools, and Suspected Spyware report.

If you don't see all those choices, can you post what you do see?

And, can you try control panel, add or remove programs, Microsoft
antispyware, change, update--just to see whether that (effectively a repair
install) fixes things?
 
Craig

Amazing what you find when you look in the right place.
I do have all of the options as you've listed them. I
was looking in IE and Windows, not MSAS! The ESD BHO was
listed in the IE BHO's tab. I permanently deleted it,
and it only took a minute to show up again using a new
number.

Under start up applications I recognize everything on the
list except a couple near the bottom that are from
Microsoft (you don't get the option to delete them if you
click on them for more info). There are several programs
on the list that don't need to start up when I boot. If
I block them from starting will the apps still run ok if
I start them manually when needed? Here's a list of
these.

Cisco Systems VPN Client
File name: vpngui.exe
EPSON Status Monitor 3
File name: e_srcv02.exe
Microsoft Office XP
File name: osa.exe
WinZip
File name: wzqkpick.exe
Online Ink Purchase Utility
File name: inkmonitor.exe
Microsoft ActiveSync
File name: wcescomm.exe

If I block them and then run scans in Safe mode and
INetSpeak gets deleted for good when rebooting into
normal mode, then I guess it could be buried in one of
these.

Everything else is related to MSAS, Norton, Windows, or
my Logitech wireless keyboard and mouse.

Suggestions for next steps? Thanks.
 
Craig

Right after I sent the last email I went in to Running
Processes and all but 2 are recognizable as belonging to
something I would have installed or belong to Microsoft.
The two are:

adprot.exe location is C:\windows\system32\adprot.exe
no description, no publisher, no file version

lucoms~1.exe
no description, no publisher, no file path, no file
version

Not sure if either are an issue but found them so thought
I'd let you know. Thanks.
 
Bill Sanderson

Hmm --lucoms could be Live Update from Symantec, but I would want to find
this file on your system and verify that its location and, ideally, internal
descriptive properties verify that it is Symantec's file.

I think ADPROT.exe is what we are looking for.

This thread:

http://www.wilderssecurity.com/showthread.php?p=353497#post353497

mentions this, and suggests how to kill it (kill the running process, find,
rename or delete the executable, and delete the numeric .dll and a .exe with
the same numeric name.)
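
Added example, not part of any poster's message: a small triage script that applies the indicators described in this thread (a five-digit numeric .dll or .exe in system32, the adprot.exe file name, a BHO with no description) to startup entries laid out in the O2 (BHO) and O4 (Run key) line format that HijackThis logs use. The sample log is constructed, and the CLSIDs, value names, vendor path and the number 48213 are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log layout; CLSIDs, value names, the
# vendor path and the numeric file names are made up for illustration.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleVendor\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\48213.dll
O4 - HKLM\..\Run: [VPN Client] C:\Program Files\ExampleVendor\vpngui.exe
O4 - HKLM\..\Run: [adprot] C:\WINDOWS\system32\adprot.exe
O4 - HKCU\..\Run: [48213] C:\WINDOWS\system32\48213.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
THREAD_NAMES = {"adprot.exe"}  # executable named in the thread

def reasons_for(section, name, path):
    """Return the heuristics from the thread that this entry trips."""
    p = PureWindowsPath(path.strip('"'))
    why = []
    if (re.fullmatch(r"\d{5}", p.stem) and p.suffix.lower() in {".dll", ".exe"}
            and p.parent.name.lower() == "system32"):
        why.append("five-digit numeric file in system32")
    if p.name.lower() in THREAD_NAMES:
        why.append("file name reported in the thread")
    if section == "O2" and name == "(no name)":
        why.append("BHO without a description")
    return why

def triage(log):
    """Parse O2 (BHO) and O4 (Run key) lines; return (section, path, reasons)."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        for section, rx in (("O2", BHO_RE), ("O4", RUN_RE)):
            m = rx.match(line)
            if m and (why := reasons_for(section, m["name"], m["path"])):
                findings.append((section, m["path"], why))
    return findings

def paired_numeric(findings):
    """Numeric stems present as both .dll and .exe (the pairing the thread mentions)."""
    seen = {}
    for _, path, _ in findings:
        p = PureWindowsPath(path.strip('"'))
        if p.stem.isdigit():
            seen.setdefault(p.stem, set()).add(p.suffix.lower())
    return sorted(s for s, ext in seen.items() if {".dll", ".exe"} <= ext)
```

A flagged entry is a lead to check by hand (location, publisher, file properties), not a verdict; legitimate software can trip the same heuristics.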
 
Craig

Thanks. I followed the link and it seems to reference
the AdBlaster program, and I don't know if that's related
in any way to INetSpeak. When I ran Adaware SE in Safe
mode it found and deleted Adblaster. I haven't run it in
safe mode for a few days, but it may still be there too.
I definitely have the newer version of this thing. I will
try this later today and let you know how it worked. How
do I get and run Hijackthis?
 
Bill Sanderson

One safe place to find it is here:

http://aumha.org/free.htm

Look for it in the left column and click there, then read carefully the
explanatory stuff on the right, particularly note the HERE link for a forum
to post logs, and the tutorial link to learn about what the tool looks at.
 
Craig

Bill, I followed the process in Mark's link and
successfully downloaded and ran the HijackThis program.
It appears to have knocked off Adblaster and INetSpeak. I
have run successful scans in both safe and normal mode.
I'll run again over the weekend just to make sure but so
far things look clean. Thanks for your help.
 
Bill Sanderson

Terrific. Keep patched, and keep the kinds of active protection that
Microsoft Antispyware includes active, and you should stay clean.
 
