need help with multiple intrusions

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by skifreak, Dec 5, 2004.

  1. skifreak

    skifreak Private E-2

I have Norton System Works, Zone Alarm Pro, Spybot Search & Destroy, Ad-Aware SE, Stinger and CWShredder. Despite running these daily, Norton monitored 6 unauthorized installations in the last three weeks. I had a tech remove Bullseye Network two weeks ago. This week a program with no name, a program described as "TRIFILE_AUTOMATIC$20LIVEUP" (came in during live update), and a program named "BJPRINTER" arrived without invitation. Of course if I try to uninstall them I am told that some of the files are not authorized to be deleted by me (don'tcha love it! :rolleyes: ) and so Norton can't finish the uninstall. When I tried to uninstall the "BJPRINTER" it took my entire registry to the recycle bin and I had to restore every file manually. Since I don't know enough about file names, I incidentally restored the Bullseye Network that I had paid the tech to remove. I'd like to know more about what is happening and what to do so I don't have to keep paying expensive fees to computer techs. I run Microsoft Updates when notified they are available and update defense software weekly. Any suggestions for a fledgling geek?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi skifreak,

    You should be able to Uninstall BullsEye Network via Add or Remove Programs.

    Generally, if you have Malware problems, we like people to take a spin through the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    This will remove a lot of stuff that would otherwise clog a HJT log.

    Please note the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a look when they get a chance.

    Best luck :)
    PP
     
  3. skifreak

    skifreak Private E-2

    Thanks for replying PhilliePhan :)
    Sorry that I neglected to give my OS. It's Windows 2000.
    I followed all the directions you gave and referenced all of the links. The only results I got were with Ad-Aware SE. They are as follows:
    180 Solutions
    Alexa Bargain Buddy
    Blaze Find
    Booked Space
    Hijacker.Top Converting
    IBIS tool bar
    istbar
    MRU
    Tracking Cookie
    Win32.Wintrim.Trojan.3
    Wind Updates
I was unable to run the on-line scans in safe mode with networking support because my ISP software (JUNO) couldn't access the modem and I didn't know how to help it. I was unable to access the on-line scans in normal boot mode either. I even disabled my firewall and they would not run. I was unable to uninstall the malware. I tried using Add/Remove Programs in safe mode, but they do not appear in the list of programs under Add/Remove Programs. These programs were monitored by Norton SystemWorks and only appear in the SystemWorks Internet Uninstall folder under downloaded Internet programs monitored by Norton SystemWorks CleanSweep. I cannot delete them there in either safe or normal mode because there are files I do not have authorization to touch. I have attached the HJT log as requested. One other thing I forgot to mention, for what it's worth, is that each time I boot up I get an error message entitled "16 bit Windows subsystem". The message contained is:
    "C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application".
    What should I do next?
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Skifreak,

    Your HJT Log is not too bad. Let's try this first and then see if you can access the Online Scans in Normal Windows with IE.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O16 - DPF: DigiChat Applet -
    http://66.221.181.243/DigiChat/DigiClasses/Client_IE.cab

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Now, try to run the Online Scans using IE in Normal Windows and see what they turn up.

    Best luck :)
    PP
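The R0/R3/O16 lines PhilliePhan asks skifreak to fix are the HijackThis log format: an item code, the registry hive and value (R0), a one-line status (R3), or an ActiveX "Downloaded Program File" with its CAB URL (O16). The following is an added example, not code from the thread or from HijackThis, that parses lines in that format and flags the same kinds of entries a helper looks for. The regexes are inferred from the lines quoted above, and the flagging rules (an IE start page or ActiveX download from a host outside a small allow-list, a download from a bare IP address, an empty Local Page, a missing default URLSearchHook) are this example's own assumptions. `TRUSTED_HOSTS` and the sample log are constructed.

```python
"""Parse HijackThis-style R0/R3/O16 log lines and flag the ones worth a look.

Added example, not part of the forum thread or of HijackThis itself. The
regexes and the flagging heuristics below are this example's own assumptions
about the HJT 1.98 line format, derived from the lines quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Hosts the user treats as legitimate for an IE start page or an ActiveX
# download (O16). Constructed for the example; a real run uses the user's list.
TRUSTED_HOSTS = {"www.microsoft.com", "windowsupdate.microsoft.com"}

# R0 - <hive>\<key>,<value> = <data>      (data may be empty)
R0_RE = re.compile(
    r"^R0 - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$"
)
# R3 - <free text status>
R3_RE = re.compile(r"^R3 - (?P<text>.+)$")
# O16 - DPF: <name or {CLSID} (Class)> - <url>
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) -\s*(?P<url>\S+)$")


@dataclass
class Entry:
    kind: str                      # "R0", "R3" or "O16"
    raw: str                       # the original log line
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for item types this example ignores."""
    line = line.strip()
    m = R0_RE.match(line)
    if m:
        e = Entry("R0", line, m.groupdict())
        value = e.fields["value"].strip()
        data = e.fields["data"].strip()
        if not data:
            e.flags.append(f"empty {value}")
        elif data.startswith("http") and _host_of(data) not in TRUSTED_HOSTS:
            e.flags.append(f"{value} points at untrusted host {_host_of(data)}")
        return e
    m = R3_RE.match(line)
    if m:
        e = Entry("R3", line, m.groupdict())
        if "missing" in e.fields["text"].lower():
            e.flags.append("URLSearchHook default missing")
        return e
    m = O16_RE.match(line)
    if m:
        e = Entry("O16", line, m.groupdict())
        host = _host_of(e.fields["url"])
        if _is_ip_literal(host):
            e.flags.append(f"ActiveX download from bare IP {host}")
        elif host not in TRUSTED_HOSTS:
            e.flags.append(f"ActiveX download from untrusted host {host}")
        return e
    return None


def triage(log_text: str) -> list:
    """Return the parsed entries, in log order, each with its flags."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


# Constructed sample: the lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R3 - Default URLSearchHook is missing
O16 - DPF: DigiChat Applet - http://66.221.181.243/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:4} {'; '.join(e.flags) or 'ok'}")
```

Every sample line is flagged, which matches the helper's list; the point of the allow-list design is that a hijacked Start Page and an ActiveX CAB pulled from a bare IP look the same to a regex, so the host check has to be done after parsing rather than by pattern alone.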
     
  5. skifreak

    skifreak Private E-2

    Before I could implement your directions I lost control of my mouse. The cursor doesn't appear on the screen. I was able to put the computer in safe mode and run registry mechanic and the anti-spyware, but it didn't help. I am almost illiterate when it comes to keystroke controls, so I'm dead in the water. Any suggestions on how to get mouse control back and why I might have lost it to begin with? I can't figure out why I get that "16 bit- WINNT AUTOEXEC error code and why it won't go away. I'm beginning to think my OS is damaged and needs to be reinstalled. Windows 2000 was installed by a shop that replaced my hard drive last spring. They said it was less vulnerable to infections than other Microsoft OS systems. Should I go out and buy a new OS and if so what would be best? I can't afford to keep hiring a tech to come in and fix things once a month! :rolleyes:
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Skifreak,

    Did you check the obvious first - Is the mouse connected properly?
    I'll have to check back on this problem when I have more time. When it comes to Hardware, I like to doublecheck my suggestions.

    The guys at the shop were fairly correct about 2000 being less vulnerable than say, XP. Plus, I did not find anything particularly evil in your log.

    What is your relationship with this shop? Do you have a guarantee? If you think they messed something up, you should have them correct their error at no charge.

    I will try to check back when I can.

    Hang in there :)

    PP
     
    Last edited by a moderator: Dec 10, 2004

  8. skifreak

    skifreak Private E-2

    Thanks PhilliePhan :)
Yes, the mouse is connected properly. The problem was intermittent and going into safe mode and scanning brought it back twice, but it doesn't help now, so it may have just been a coincidence. The shop I used last spring is OK, and they definitely didn't mess anything up. I switched to another service because they do housecalls. The name of the tech I'm working with is Dean. I've been having problems for about 5 weeks now. The mouse froze before Dean's first visit. He restored the mouse and got rid of Bullseye Network. He couldn't explain the "16 bit" error code coming up each time I booted up and was going to do some research. In the meantime I have had more malware slip in and now I've lost the mouse again. I have always been vigilant about keeping my protective software up to date and run daily. As I mentioned before I was unable to download a Live Update Redirector file last week. Symantec wouldn't offer me any help because I have Norton SystemWorks 2002. They just want to sell me a new edition. That's all I can think of at the moment.
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Skifreak,

    I've been a bit overextended and, since Hardware is not my strong suit, I asked Steve for a second opinion.

    A bit off the subject, if you should decide to dump the Norton, we have good Free alternatives for AV and Personal Firewall here at MGs.

    I will try to dig up some suggestions for the mouse issue. There are so many possible causes. Driver, etc... Steve will probably check back as well.


    PP :)
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Skifreak,

    A couple quick thoughts before I head out for the evening:

    Did you try disconnecting and then reconnecting the mouse?
    Do you have another mouse on hand that you could try?

    See if you are able to get into the Control Panel > Printers and Other Hardware > Mouse > Hardware Tab to check the Properties and Troubleshoot.

    It could be a driver issue or hardware conflict. Let us know if you are able to progress with this.

    PP :)
     
  11. Matacumbie

    Matacumbie Rocky Top

    skifreak,

    Try this just in case it is a damaged or corrupted driver. If you have trouble performing the steps below because of your mouse, turn off your computer and wait at least 2 minutes and restart. That might bring it back temporarily.

    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click System.
    3. In the System Properties dialog box, click Device Manager on the Hardware tab.
    4. In the Device Manager dialog box, click the plus sign next to Mice and other pointing devices.
    5. Select the mouse that is not functioning properly.
    6. On the Action menu, click Uninstall.
    7. In the Confirm Device Removal dialog box, click OK.
    8. Click Start, and then click Shut Down.
    9. In the Shut Down dialog box, select Restart from the drop-down list, and then click OK.
    10. Allow your computer to locate the mouse.
    11. In the System Settings Change dialog box, click Yes to restart your computer.

    Let us know.

    Steve
     
  12. skifreak

    skifreak Private E-2

    Hi PhilliePhan :)
    I don't have another mouse. I will try disconnecting and reconnecting. I am writing from a computer at work and will have to get back to you tomorrow. The only way I know how to get into things using the keyboard is to use ctl/alt/delete and use the arrow keys to move around. When I got into the control panel I tabbed down to the mouse, hit enter and discovered that I needed to change to an underlying window. I don't know how to do that with keystrokes and gave up. I forgot to mention that I am also getting a lot of script errors.
     
  13. skifreak

    skifreak Private E-2

    Hi PhilliePhan :)
I came home and resecured the mouse connections. When I booted up there was still no cursor, so I went to Safe Mode and voila! Instant mouse. Go figure!? Also, when the computer finished booting a different error came up. It said:
    "16-bit Windows subsystem - System\Current Control Set\Control\Virtual Device drivers.VDD.Virtual Device Driver - format in the registry is invalid. Choose close to terminate"
    When I went to Safe mode and found the mouse was working I went to the control panel and checked all things related to the mouse. "Properties" said "this device is functioning properly. I then opened "Registry Mechanic" and did a scan. There was an error in the deep registry as follows:

    Section [HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Shell Folders]

Value: Administrative Tools = C:\Documents and Settings\Gateway\Start Menu\Programs\Administrative Tools

    Correction: Delete this file

    I allowed registry mechanic to delete it. I scanned all the tools I had. Only HSRemove found anything. It deleted 8 objects.

    I clicked on Java Plug in while in the control panel and the window would only pop-up for a split second and then disappear. I clicked on the desk top icon for Java Web Start and got a pop-up window that said "Java Web Start 1.4.2_04 Splash:sysCreateListenerSocket failed."
    Now that I'm writing this and went back to double check the console is up and everything seems to be in order. I dunno.......
    I'm going to go ahead and run the Hijack This again and delete the items you recommended yesterday. Hopefully things will keep improving.
     
  14. skifreak

    skifreak Private E-2

    Hi PhilliePhan :)
When I got home I checked the connections for the mouse. I booted up and there was no cursor. There was a "16-bit MS-DOS error" that said "System\CurrentControlSet\Control\VirtualDeviceDrivers\.VDD.VirtualDevice Driver - format in the registry is invalid". I went to Safe Mode to use Registry Mechanic. As soon as I entered Safe Mode, voila! Instant mouse! Go figure? I went to the control panel and checked out the mouse properties. It says the device is functioning properly. I just don't know what the change was.

    Registry Mechanic found one error on deep registry scan:

    Section [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
    ShellFolders]

    Value: Administrative Tools = C:\Documents and Settings\Gateway\Startmenu\Programs\Administrative tools

    Correction: Delete this entry

    I deleted the file and then ran all of the scans that I ran yesterday. Only HSRemove found anything. It didn't tell me what it was, but removed 8 objects.
I clicked on the Java plug-in in the control panel and it would only flash up for a second and then disappear. Clicking on the desktop icon for Java Web Start produced a pop-up window that said "JAVA WEB START 1.4.2_04 SPLASH: sysCreateListenerSocket failed". I went back after the scans and the Java plug-in came up just fine when I clicked on it. I went into HijackThis and ran a new scan (safe mode). I deleted the files that were recommended yesterday, then went to normal mode and ran it again. I kept the file. I then went on-line and ran the Trend Micro scan and the Symantec scan. Trend Micro found "Trojan_QDown.L" and hopefully it's deleted now. Symantec thought my system was at low risk for everything except my anti-virus. They think I should update. I went into Norton SystemWorks and checked the CleanSweep downloads file. The program that took my entire registry to the recycle bin is still there unfortunately. I haven't done the "Alternative scans" that are recommended (BitDefender etc). I need to quit for the day. Any feedback at this point?
     
  15. skifreak

    skifreak Private E-2

    Thanks for the info :) I'm beyond tired at this point, but I'll read it tomorrow. I really appreciate your help!
     
  16. skifreak

    skifreak Private E-2

    I have duplicate messages here to some extent....sorry. I'm getting really tired and I thought I lost the first one, so I wrote it again with an update.
     

  18. PhilliePhan

    PhilliePhan Guest

    Hi Skifreak,

    Be sure to try Steve's suggestions. I, too, wonder if this is a driver issue. Also, I am not sure if it might be a good idea to post a duplicate thread in the Hardware Forum. As I noted earlier, your HJT log was not too bad. Nothing in it that was particularly evil.

    PP :)
     
