IMesh?

Discussion in 'Malware Help (A Specialist Will Reply)' started by HondaRacer, Mar 21, 2005.

  1. HondaRacer

    HondaRacer Private E-2

    HELP! :confused:

    I'm running XP and recently, the hard drive would start rattling like crazy, the LCD light on the panel would blink incessantly, and data transfer while online would virtually stop. Generally, if I disconnected, it would get somewhat back to normal for a while.... like a half hour to forty five minutes and then slow down again. I installed about a dozen anti spyware programs, including AdAware SE and Spybot. None of them found anything. Then I installed NoAdware V 201. Finally it found something. It said I had WinSpy (don't remember the version for sure) and IMesh. After doing the Google Double Shuffle for a couple of hours, I found directions to manually remove the WinSpy. There were many, many files listed to be removed, however, the ONLY ones I could find on my machine were unin.exe. I deleted them, and also found four files I thought may be associated with them. Those files were:

    uninst disp silently.txt
    uninst net silently.txt
    uninst nrm silently.txt
    uninst smb silently.txt

    The text in all four was identical:

    Set ForceNoReboot=yes
    Set Silent=yes
    runonce {sysdir}\nvdisp.nvu

    Since I wasn't sure they were actually associated, I changed them all to "no" and saved them.

    This apparently killed WinSpy, however the Google search results all said IMesh was not removable.

    It said IMesh was in C\Windows\Prefetch\REGSVR32.file

    After this, things seemed to run fine for several hours, but after a full day, it has started slowing down again, and I suspect maybe this IMesh may be the culprit? None of the anti spyware finds anything and from all appearances, the system is clean. I have no idea of where it came from, and certainly don't remember downloading anything that would require it.

    If necessary, I will be happy to go through your complete procedure, but my instinct tells me I will have to actually overwrite files to kill it?

    Any insight as to which way to go?

    Thanks,
    Ron
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Download and run the following utility:

    Second:

    Please note that NoAdware is on the list of rogue/suspect spyware removal tools. We do not recommend using them, please see this site for more information:
    Third:
    Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:



    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bj,

    This should be qualified now to say versions prior to the 3.0 version were listed as rogue/suspect. They have reclassified it since the release of version 3.0.
     
  4. HondaRacer

    HondaRacer Private E-2

    I've never messed with system restore before so I'm in the dark on this.

    From the directions, I would have assumed to go to desktop\file\properties.

    Doing so gets me a drop down with that section greyed out and not available. That "properties" is the only one I saw, and I have NO idea of how to progress further. Duh. Another interesting tidbit. When I went to desktop, the window flickered and went blank momentarily. I have never seen a window do that before on this OS.

    Ideas?

    Ron
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you trying to disable System Restore?

    If so, Right Click on My Computer and select properties. Click on the System Restore tab and disable on all drives.
     
  6. HondaRacer

    HondaRacer Private E-2

    Well, DUH!

    Nothing like trying to make things harder than they already are!

    Ever seen a grown man blush? I'm glad I had most of this stuff already downloaded and updated. As slow as it's running, it would take a couple of days at the current rate.

    Depending on whether you are a WWII buff or a movie buff, "I shall return" or alternatively, "I'll be back"......As soon as all of this is finished.

    Thanks so far.
    Ron
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting results.

    Good Luck!:)
     
  8. HondaRacer

    HondaRacer Private E-2

    AAAAARRRGGHHHHHHH!!!!! :mad:

    A never ending cycle of "stuff" :eek:

    in the "do this first" sticky, it says to go in safe mode and:

    * do an online scan at Trend Micro's Free Online Virus Scan
    * do an online scan at Symantec Security Check
    * run McAfee AVERT Stinger

    Of course THAT is too easy. Never having done that before, I was unaware of another apparent problem. Somehow, somewhere, something is configured wrong and it is impossible for me to get an internet connection in safe mode.

    I guess I'll put this thread in my favorites in case it has dropped out of sight before I get THIS problem figured out.

    Thanks for the patience, folks...

    Ron
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only the two online scans require an internet connection, not Stinger. The sticky thread also tells you if you cannot scan in safe mode for whatever reason, to run the online scan only in normal boot mode. Then go back to safe mode for the remaining scans.
     
  10. HondaRacer

    HondaRacer Private E-2

    'Nuther problem. After many attempts to hook up to the "Trend" site to do the online scan, I assume I have been internally blocked from accessing this site by whatever critter is nesting on my PC. In either IE or Firefox, it will come to a total screeching halt of all data transfer within a second of IE, or within four or five seconds on Firefox.

    Should I skip this (for now) and continue with the rest of the process, or is there a better alternative? If there is an option in the sticky, I apparently have missed it.

    I was able to run the Symantec scan and it found nothing, just as my onboard version of it has found nothing all along.

    I have all of the other stuff up to date and downloaded and ready to proceed.

    Thanks.

    Ron
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running these:

    Bitdefender online scan
    RavAntivirus online scan

    and no matter whether they run or do not run, make sure you have completed all the other steps in the READ ME FIRST. Then if still having a problem, post your HijackThis log per BJ's first message in this thread.
     
    Last edited: Mar 26, 2005
  12. HondaRacer

    HondaRacer Private E-2

    Ok....

    I've gone through the entire process. The only thing that showed up anywhere was on the RavAntivirus.

    This is what it gave me, but wouldn't delete it. As I read this...guessing.... that it was never activated? If it was, it was done automatically, as I have never opened such a message. I have replaced my ISP user name with asterisks, but the rest of the message is as copied.

    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Identities\{6401E5A8-BACD-4DE0-82E3-03FA191A22DB}\Microsoft\Outlook Express\Deleted Items.dbx->Message.362: ("******" [])->(part0001:price_08.zip)->Loader/doc_01.exe - TrojanProxy:Win32/Mitglieder.CL -> Infected

    Other than this, I have found exactly nothing. The data transfer is practically non-existent at times. I have also noticed lately that many times when I click a link or a favorite, the first attempt cannot find the site.

    Also, for the very first time tonight when rebooting from safe mode and running the programs, my Microsoft Beta anti spyware popup notified me that my homepage on IE was attempting to change to Google.

    Other than that, I'm treading water. I downloaded HijackThis, but after reading a bit, I doubt I'm qualified to run it, however I didn't start it to look either. I'm more into making this do things, rather than understanding how it does it. That, and the fact my old brain is partially calcified doesn't help any. :D

    Ron

    PS... that little tongue licker thingie must have built itself out of the file I pasted.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now attach a current HJT log from normal mode.
     
  14. HondaRacer

    HondaRacer Private E-2

    OK...

    Here's the current log.

    Ron
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not shut down all browsers and you are running HijackThis from the ZIP file, which is what we specifically request that you not do. Please follow the directions given by BJ in message # 2.

    Here is what I'm referring to in your log:
    C:\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    You also have multiple AV applications installed. Pick which one you want and uninstall the others. Only one AV application should be installed.
     
  16. HondaRacer

    HondaRacer Private E-2

    In fact, I realized I had done it incorrectly and went back to correct and reattach and found you had been here first...

    then I see you have edited your post to include info about multiple AV's. Here's the corrected log file.

    As far as running HijackThis from a temp directory, that confused me as well, as I most DEFINITELY ran it from a file in the directory that was made .....per posted directions... Duh? As to the running it from a zip, that is correct. Originally I did, but not from a temp file.

    What would be the suggestions about choosing a single AV application?

    Ron
     

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above, REBOOT

    Then, Scan with HijackThis and attach the new log.
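    A way to automate the two checks chaslang made by eye in post 15 (a browser still open, HijackThis run out of a Temp/ZIP folder) and to pre-sort the entry types BJ picked out in post 17 (dead "(file missing)" references and IE search-URL overrides). This is an added example, not part of the thread or of HijackThis itself; the log excerpt is constructed from the lines quoted in the thread, and parse_hjt_log, log_hygiene_problems and entries_to_review are hypothetical helper names.

```python
import re
# Constructed HijackThis-style log excerpt (the thread's attachments are not on the
# page); the lines mirror the entries chaslang and BJ quoted in posts 15 and 17.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Mozilla Firefox\\firefox.exe
C:\\DOCUME~1\\HP_Owner\\LOCALS~1\\Temp\\Temporary Directory 1 for hijackthis.zip\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
"""
BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe"}  # processes HJT wants closed
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")           # e.g. "R1 - ...", "O4 - ..."

def parse_hjt_log(text):
    """Split a HijackThis log into the running-process list and its lettered entries."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def log_hygiene_problems(parsed):
    """The two things chaslang spotted: a browser still open, HJT run from Temp/ZIP."""
    problems = []
    for path in parsed["processes"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in BROWSERS:
            problems.append("browser still running: " + path)
        if name == "hijackthis.exe" and ("\\temp\\" in path.lower() or ".zip" in path.lower()):
            problems.append("HijackThis run from a Temp/ZIP location: " + path)
    return problems

def entries_to_review(parsed):
    """Sort entries: dead '(file missing)' references and IE URL overrides (R0/R1)."""
    flagged = []
    for code, body in parsed["entries"]:
        if "(file missing)" in body:
            flagged.append((code, "dead reference", body))
        elif code in ("R0", "R1") and "=" in body:
            flagged.append((code, "IE URL override", body))
    return flagged
```

Running it over SAMPLE_LOG reports the open Firefox and the Temp/ZIP HijackThis path, and lists the R1 and O9 entries for review while leaving the O4 dumprep line alone.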
     
  18. HondaRacer

    HondaRacer Private E-2

    OK....

    Dare I hope we're gaining ground?

    Ron
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would choose Avast! Either way choose what you like but you must remove two of the three you now have installed. That is a huge waste of system resources and will cause conflicts.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean!:)

    Are you having any further problems?
     
  21. HondaRacer

    HondaRacer Private E-2

    I surfed around a while before I came back, just to see what was going on. The HD hasn't lit up once since the last moves. So far, everything seems just fine.

    After this mess, I'll be hard pressed to believe it for a while, even though everything appears correct! :D

    I'll kill a couple of those AV's now that everything is back to normal. If for no other reason than I'm very tired of seeing the Norton popup every thirty seconds telling me my subscription is about to run out and that I forgot to capitalize the first letter of my last sentence.....

    .......and still getting infected.

    I want to thank you folks. I very MUCH appreciate the help you have been, and I know where to tell folks to go if they get nailed.

    Once again, thanks!

    Ron
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:)

    You should see this article on How to Protect yourself from malware!

    Browse Safely!
     
  23. HondaRacer

    HondaRacer Private E-2

    It's baaaAAAAcckkk!! :(

    In fact, it ran trouble free for about three hours or so after my last post and then became obvious it was still there, and began building back to its previous level. This time, the "rattling" that went on in the hard drive hasn't returned, but it's obvious I still have a problem.

    Next problem. The two online checks (trend and symantec) simply will NOT execute. Data transfer slows to a stop at each attempt. Is there another useful option I could try before I proceed with the remainder of the process, or should I go ahead without them?

    Thanks,
    Ron
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! To make it clear on what's going on.

    What are your exact problems?
     
  25. HondaRacer

    HondaRacer Private E-2

    The biggest things are when online, I (much more often than not) get notices the website can't be found. Sometimes it takes four or five attempts to access an address, even though the traffic on the site is still "normal". Many times, it will just sit there and do nothing...seemingly forever, before it begins an excruciatingly slow load. In the case of trying to access the sites listed here in the section before posting, when you make connection to the site for an online scan, all data transfer comes to a virtual halt, and an occasional couple of bits may be transferred here and there, but never actually loads.

    The little online status monitors at the bottom by the clock flicker, and switch back and forth, and seldom come solidly on, staying black the majority of the time.

    If, for instance I try to download something that says it might take 6 or 8 minutes, it sometimes starts off fairly reasonably, but then activity ceases, and may ...sort of....work for a half a second at a time, and may do nothing for two to five minutes. Occasionally, things may take off and run smoothly for half a minute or a minute, only to go back to total inactivity.

    Web pages that would normally load in 5 or 6 seconds may take a minute or two and very often, even though a page is apparently loaded, it will sit there forever without actually getting "done".

    Ron
     
  26. HondaRacer

    HondaRacer Private E-2

    Tried to add/edit and the time limit got me. :)

    Then, from time to time, it is obvious something is going on when the little monitor icons light up and the LCD on the CPU starts flickering and you can hear the hard drive working. It is obvious..or seems to me...that something is being sent or received, even though nothing should be going on, and CTRL, ALT, DEL displays nothing running except what should be.

    Ron
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! This isn't Malware, so I would post this in the Hardware/Software forum. Chaslang and I are so busy in here we have to focus on malware related issues.

    Let me know!
     
  28. HondaRacer

    HondaRacer Private E-2

    Thanks. I appreciate your time and effort. If/when I get it figured out, I'll check back and let you know.

    Ron
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Good Luck:)
     
