Please Help!! file cannot be deleted: netiis.exe

cohenfive

Senior member
Aug 30, 2002
949
0
71
i've posted this in the spyware section as well....

this spyware (which is killing my system) cannot be removed by any means i know of.

i just tried to fix it in hijack this to no avail....then i used killbox (which killed my last problem, vgaanti.exe) and it didn't kill it either.

any suggestions? here is the location of the problem:

c:\windows\config\netiis.exe rerun

and

c:\windows\config\netiis.exe

thanks!!
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: bacillus
tried doing it in safe mode?

also, have you disabled system restore?

1. Reboot into safe mode
2. Disable System Restore
3. Remove the offending entries in HJT (probably another entry that is respawning them)
4. Manually delete the file
5. Reboot and post new HJT log
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
Originally posted by: bacillus
tried doing it in safe mode?

here are the steps that i followed (from your playbook!!)...

1. disable system restore
2. boot into safe mode
3. ran hijack this and attempted to delete the relevant files from the list you suggested (including the netiis.exe and netiis.exe rerun files)
4. reran hijack this and saw that netiis.exe did not go away
5. ran killbox, tried to delete the above files on reboot
6. rebooted normally and those files were still there messing me up...

when i get home i will try the following:

1. system restore still disabled
2. boot into safe mode
3. go to windows\config and manually try to delete these. if they are in a sub-folder should i blow away the sub-folder or just the .exe files??

i will also perform the original processes again and will repost the hijack this file to see if you can find anything that continues to 'spawn' this application.

this one is tough!!
 

Aluf

Member
Nov 4, 2004
26
0
0
Rebooting all the time can be daunting, I guess. The interesting point here is: what did it say when you tried to delete it manually? Maybe it's easier to find any references to this file in the Registry and wipe them out? Another informative task would be to run Filemon from http://www.sysinternals.com/ntw2k/source/filemon.shtml over time, log it and then search the log for what program uses this file.
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
Originally posted by: Aluf
Rebooting all the time can be daunting, I guess. The interesting point here is: what did it say when you tried to delete it manually? Maybe it's easier to find any references to this file in the Registry and wipe them out? Another informative task would be to run Filemon from http://www.sysinternals.com/ntw2k/source/filemon.shtml over time, log it and then search the log for what program uses this file.

i don't mind rebooting, what i mind is that this spyware is rendering my pc almost useless...

i haven't tried to delete it manually (from safe mode) yet, will try that when i get home today. i'm not sure how to work with the registry nor have i run (or heard of) filemon...

thanks, i'm open to anything which will get rid of this!! i'm curious why others don't have this problem as i doubt this spyware was made especially for me...
 

sao123

Lifer
May 27, 2002
12,653
205
106
I have seen spyware install itself as a service on the PC. Don't be surprised if, after manually deleting it, it reappears.
Use the Filemon program, possibly in combination with TeaTimer from Spybot S&D, to track every file and registry key as it is accessed, read or deleted.
 

Aluf

Member
Nov 4, 2004
26
0
0
Working with the registry isn't that hard, BUT only after all other methods have failed. As I said, the key probably lies in the error message you get when you try to delete it manually (no matter in which mode, normal or safe).

If we talk about the registry, just in case (I guess you have Windows XP), then searching for something in the registry (it's kind of a global database of all the tweaks for the system and installed programs) is done this way:

Start -> Run -> (type the word) regedit and hit enter. Then you're presented with a window named "Registry Editor"; press CTRL+F, type in the searched file "netiis.exe" and wait. The main point while working with the Registry is NEVER DELETE or CHANGE anything in it that you don't understand.


spyware was made especially for me..
That may well be the case; a search on Google for netiis.exe brings nothing, a very unusual situation...
 

Aluf

Member
Nov 4, 2004
26
0
0
BTW if you're curious to know more about this parasite (what it's doing to your PC, what ad sites it's contacting etc.) you're welcome to send it to me; I'll look into it and tell you its 'bio': aluf2004@yahoo.com
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
i am very interested, as soon as i get rid of it. my wife called me this morning since she can't open an email with an attachment due to this thing chewing up so many resources!!

how do i 'send' it to you?

i'll be home in a couple of hours and will be sitting down to try to manually get rid of this thing....

oh, and i haven't used cwshredder before...not sure what it does. if the manual delete fails i'll be pretty desperate to try anything.

still one question--do i delete just the .exe files or the folder where they sit (if they are in a sub-folder within config)??

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
still one question--do i delete just the .exe files or the folder where they sit (if they are in a sub-folder within config)??

just go in with windows explorer in safe mode and delete the files, you might have to set windows explorer to view all files, as it might be hidden. This is most likely the reason for its return. Fix it in hijackthis and delete the file manually, all this should be done in safe mode.
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
latest update....

got home today and the pc was silent...instead of 49 processes running (task mgr) there were only 31 and no sign of netiis.exe. however, when i checked the task manager closely it showed a new application called oleutil.exe which was running all the time. seems like netiis.exe has morphed into something else.

i did a search of my hd in explorer (safe mode, sys restore off) and found the following bandits:

netiis.exe:

C:\!Submit 836kb application
C:\WINDOWS\Config 836kb application
C:\WINDOWS\Prefetch 101kb pf file

oleutil.exe:

C:\WINDOWS\Registration 836kb application

here is my latest hijack this log, found netiis.exe and 'fixed' it.....

what i'm thinking is the following:

in safe mode with system restore off, search explorer again and delete all of the above files under netiis.exe and oleutil.exe.....then pray!!!



Logfile of HijackThis v1.98.2
Scan saved at 7:54:20 PM, on 11/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Registration\oleutil.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi...prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi...;pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware-adware removal tools\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Owner\LOCALS~1\Temp\lituelo.dat
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*db] C:\WINDOWS\db.exe
O4 - HKLM\..\RunOnce: [*oleutil] C:\WINDOWS\Registration\oleutil.exe rerun
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/downloa...alls/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/co...ditor.cab?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/co...ab?version=4,3,2,20802
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/downloa...pper/ydropper1_3us.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab
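The log above is being read by eye for entries that look out of place: an autostart under a RunOnce key with an asterisk in its name, binaries sitting directly in C:\WINDOWS or in odd subfolders such as Registration, and a BHO loading a .dat from a Temp directory. The following is an added example (not code from HijackThis, the thread, or any of its posters) that applies those same checks mechanically to HijackThis O2 and O4 lines. The sample lines are copied from the two logs in this thread (with a couple of clean entries kept for contrast); the location heuristics and the function names are the example's own, and the output is a list of candidates to look at, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Sample lines taken from the HijackThis logs posted in this thread, plus known-good
# entries (ccApp, ps2, NavShExt) for contrast. Nothing else is added.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Owner\LOCALS~1\Temp\lituelo.dat (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [*db] C:\WINDOWS\db.exe
O4 - HKLM\..\RunOnce: [*oleutil] C:\WINDOWS\Registration\oleutil.exe rerun
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# First token ending in an executable/library extension, quoted or not, then any arguments.
CMD_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|dll|dat))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)

# Directories under C:\WINDOWS where autostart binaries normally live on XP.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")


@dataclass
class Finding:
    kind: str                  # "O4" (Run/RunOnce) or "O2" (BHO)
    name: str
    path: str
    args: str
    reasons: list = field(default_factory=list)   # empty list means nothing stood out


def classify_location(path):
    """Return a reason string when the directory is not a usual autostart location, else None."""
    p = path.lower()
    directory = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if not directory:
        return "no directory given (resolved through the search path); verify which copy runs"
    if "\\temp" in directory or "\\docume~1" in directory or "\\documents and settings" in directory:
        return "loads from a user profile or temp directory"
    if directory.startswith("c:\\windows") and not directory.startswith(SYSTEM_DIRS):
        return f"loads from an unusual location under C:\\WINDOWS: {directory}"
    return None


def triage(log_text):
    """Parse O2/O4 lines and attach a reason for every heuristic an entry trips."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            c = CMD_RE.match(m["cmd"])
            path, args = (c["path"], c["args"] or "") if c else (m["cmd"], "")
            f = Finding("O4", m["name"], path, args)
            if m["name"].startswith("*"):
                # Documented Windows behaviour: a RunOnce value whose name starts with '*'
                # is executed even when the machine is started in Safe Mode.
                f.reasons.append("value name starts with '*' (RunOnce entries so named also run in Safe Mode)")
            loc = classify_location(path)
            if loc:
                f.reasons.append(loc)
            findings.append(f)
            continue
        m = O2_RE.match(line)
        if m:
            f = Finding("O2", m["name"], m["path"], "")
            if not m["path"].lower().endswith(".dll"):
                f.reasons.append("BHO is not a .dll")
            if m["missing"]:
                f.reasons.append("file missing (orphaned entry, safe to fix)")
            loc = classify_location(m["path"])
            if loc:
                f.reasons.append(loc)
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        status = "CHECK" if f.reasons else "ok   "
        print(f"{status} {f.kind} [{f.name}] {f.path} {f.args}".rstrip())
        for r in f.reasons:
            print(f"        - {r}")
```

The location check will also flag legitimate vendor files that live directly in C:\WINDOWS (the UpdReg.EXE and SMINST entries in the same log would trip it), so each "CHECK" line still needs a human to confirm what the file is; the value of the script is that it never skips the odd line in a sixty-line log.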

 

neolith2099

Junior Member
Nov 22, 2004
4
0
0
If your computer can boot a CD-ROM then simply go to http://www.knoppix.com, download and burn the cd image and boot it!

This is a piece of work that will create a temporary OS from the CD. You will then be able to delete any files off your disk with no problems and no questions asked. Give it a whirl. What may drive some people away is the fact that it's Linux-based and Windows users tend to avoid Linux.

Note: It works with Windows File Systems
 

S0Y73NTGR33N

Senior member
Sep 27, 2004
420
0
0
boot into recovery console and delete it... then delete all registry entries that coincide with it.

-green
 

Aluf

Member
Nov 4, 2004
26
0
0
Well, it's getting more interesting (for me, and more troublesome for you).

By send I mean send it (any suspicious file(s)) as an attachment to my email aluf2004@yahoo.com.

The good news (according to your log) is that you have Norton Antivirus (NAV) installed and running? (In the lower right corner of the screen there has to be an icon of NAV; when you point at it with the mouse it should read "Norton Antivirus Auto-protect Enabled".) Is its virus database updated? The only disturbing point here is that in your log, in 'Running processes', I don't see NAV running (did you cut the list while pasting to the message board, or is it a log from running in Safe Mode?)


I see AT&T Worldnet as the default page for IE in the HijackThis log; it's a well-known source of spam and spyware. Do you have email with them? If you didn't set this page, change/fix it to something trouble-free like www.google.com.

IF it has already occurred twice (netiis and oleutil; btw oleutil.exe is an alien prog for sure) it's guaranteed to come up a 3rd, 4th ... time with new spyware with new file names. Not enough info to be sure (would need at least a few logs over time) but my guess is there's some master program/tweak in the system that downloads these spies and runs them afterwards. If that's the case then deleting these downloaded files won't change much.

For now I'd suggest fixing O4 - HKLM\..\RunOnce: [*oleutil] C:\WINDOWS\Registration\oleutil.exe rerun and http://www.worldnet.att.net in HijackThis, updating NAV virus definitions and running a full system scan. If no viruses/trojans are disclosed in the scan then it's not immediately dangerous to the system. When deleting, it's enough to delete the exe files and leave subfolders alone, or delete them as well; no difference. Next I'd really suggest installing a firewall that would control which programs are allowed to connect to the Internet (Windows XP SP2 has a built-in crippled one but it sucks). I use e.g. ZoneAlarm; it's been proven over years, is easy enough to configure and is free for individual and not-for-profit charitable entity use. It's available at http://www.zonelabs.com/store/content/home.jsp under the Download&Buy section.
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
Originally posted by: neolith2099
If your computer can boot a CD-ROM then simply go to http://www.knoppix.com, download and burn the cd image and boot it!

This is a piece of work that will create a temporary OS from the CD. You will then be able to delete any files off your disk with no problems and no questions asked. Give it a whirl. What may drive some people away is the fact that it's linux based and Windows users tend to avoid Linux.

Note: It works with Windows File Systems

Knoppix never gave me anything more than read-only on NTFS partitions.


oh, and i haven't used cwshredder before...not sure what it does. if the manual delete fails i'll be pretty desperate to try anything.

Well give it a try. It's one of the best little utilities for getting rid of CWS infections.
If you've got CWS, just deleting the one visible file might not do the trick. There might be a hidden file that will just regenerate it.
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
thanks for the input. here's my plan of attack for today:

1. system restore off
2. boot into safe mode
3. will try cwshredder to see what that does
4. will try to fix netiis.exe and oleutil.exe in hijack this
5. will open explorer and delete all files related to either netiis.exe or oleutil.exe
6. will eliminate att worldnet as home page for explorer--but my wife uses this as her email--i'm trying to get her to switch to google or yahoo (need a google invite for the former, i'm all out)
7. will install zonealarm after the above is done

does this sound like a reasonable plan of attack? i'm not sure how to clean up the registry items--should i open regedit after item 5 above and delete anything having to do with netiis.exe and oleutil.exe??

thanks a bunch for the advice, i owe you all a cyber beer!!
 

Aluf

Member
Nov 4, 2004
26
0
0
Fixing oleutil.exe in HijackThis WILL clean these from the registry, so you needn't fix anything manually. Next, if your wife set att worldnet as the default page and not this spyware, then there's no need to change it (no harm in changing it either). Sounds like a well planned anti-malware military operation, good luck :)
 

cohenfive

Senior member
Aug 30, 2002
949
0
71
norton picked up a virus today automatically and i had an error message on a bunch of files. the name of the virus was: trojan.mundo. also it picked up my oleutil.exe as a problem. i'm going to go in and delete all this stuff anyway, or at least see if it's still around.

went through my process after norton, and found nothing...cwshredder picked up nothing, hijack this showed no sign of either netiis.exe or oleutil.exe and i searched the hard drives using explorer and neither was there either. could this stuff be gone....we hope so but i'm cautious since stuff came back before.

here's my current log:

Logfile of HijackThis v1.98.2
Scan saved at 5:33:19 PM, on 11/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\WINDOWS\System32\fxredir.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware-adware removal tools\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Owner\LOCALS~1\Temp\lituelo.dat (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*db] C:\WINDOWS\db.exe
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/downloa...alls/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/co...ditor.cab?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/co...ab?version=4,3,2,20802
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/downloa...pper/ydropper1_3us.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

 

cquark

Golden Member
Apr 4, 2004
1,741
0
0
Originally posted by: Jeff7
Originally posted by: neolith2099
If your computer can boot a CD-ROM then simply go to http://www.knoppix.com, download and burn the cd image and boot it!

This is a piece of work that will create a temporary OS from the CD. You will then be able to delete any files off your disk with no problems and no questions asked. Give it a whirl. What may drive some people away is the fact that it's linux based and Windows users tend to avoid Linux.

Note: It works with Windows File Systems

Knoppix never gave me anything more than read-only on NTFS partitions.

Did you boot with the 2.6 kernel by supplying the keyword "knoppix26" at the boot prompt?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
cohenfive, could you take screenies of your Windows Services window and post the pics. example

Personally, my solution would be to reformat and reinstall, get the system properly secured from the start this time around, and educate yourself and your wife about how spyware/adware gets in the door in the first place. It doesn't typically just fall from the sky. My suggestions are under the Ongoing prevention section here if you decide to nuke Windows and start over. Don't underestimate that bit about using Limited-class accounts for routine usage... takes some getting used to, but it is effective.
 

Aluf

Member
Nov 4, 2004
26
0
0
cquark - have you tried to make changes on NTFS (create, modify files)? I've always used RH so used installable support for NTFS, but I read in the manual that while reading was well-tested, writing to NTFS was unstable and unpredictable...

Reformatting is a good idea if... there's a possibility to back up all user data before that and patience to install all the software again (and I see the author has lots of it :). From a formal point of view (like "Security Encyclop." by Microsoft etc.) this trojan/virus/whatever had Admin rights and could do anything imaginable to the system (install something as a driver and services/applications won't show anything). Norton, when it is being installed, asks to create a set of Rescue diskettes, so if a problem like that occurs there's no need to boot even into Safe Mode but boot to these diskettes and run a full system scan. If there is such a rescue set then doing that and then installing some firewall would (IMO) make the most painless path.
 

cquark

Golden Member
Apr 4, 2004
1,741
0
0
Originally posted by: Aluf
cquark - have you tried to make changes on NTFS (create, modify files)? I've always used RH so used installable support for NTFS, but I read in the manual that while reading was well-tested, writing to NTFS was unstable and unpredictable...

They've labeled NTFS writing unstable for years, but it's always worked fine for me. It's possible they're being too conservative, or perhaps I've never encountered one of the corner cases that are problematic.

Returning to the OP, I agree that reloading your system from scratch is the best solution at this point.