Need help

I am having many issues and before I f-disk and reimage I wanted to see if there was anything that I missed.
What's happening:
My Host file keeps getting edited with bad entries. ie.msn... which redirects and causes many popups, etc.
I can edit it but I cannot save what I edit. I also can't set it as read only.
My recycle bin doesn't work. when I send a file to it, it just automatically deletes it completely.
I keep getting a trojan that puts lowcow.dll in my C:/windows/system32
I can delete it when in safemode but it re appears
I had icons for amazon.com, ebay.com, and expedia.com keep appearing on
my desktop
Spybot settings don't keep
What I've done:
Run Spybot, McAfee, AdwareFilter, Hijackthis, CWShredder, Stinger numerous times in normal mode and safemode.
Manually edited registry
manually edited host file
manually deleted lowcow.dll
everytime I get it cleaned, run my checkers and have them all come up clean and reboot, all reappear
I have WinXP pro SP2. Mcafee 7.0.0, Firewall is on, Popup blockers are on.

 

If you have run all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you still have a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.

 

Did all of that stuff
results;
1. still keep getting my host file edited
2. Spybot keeps finding and removing IGETNET, and Common Hijackers search.netscape.com=69.20.16.183 and auto.search.msn.com=69.20.16.183
3. CWShredder keeps cleaning CWS.Boofconf
HiJackThis keeps finding
01 - hosts:69.20.16.183 auto.search.msn.com
01 - hosts:69.20.16.183 search.netscape.com
01 - hosts:69.20.16.183 ieatuosearch
4. AdAware keeps finding the host files and also can't delete dll's in System32 folder

It cleans them and then on the next run, finds them again. I also set the config to write protect the host file after removal of bad entries and it doesn't seem to work.

 

ok, make sure sure "System Restore" is turned off and that you have the lastest version of HiJack This 1.98.2

Just an idea I have found AdwareAway to be effective with removal of these type issues. To try this just follow these directions.
1)Download and Install AdwareAway
2)After Install run program, click on "Online Update"
"NOTE: In order for updates to be applied you must close and restart the application"
3)Under "Global Scanning & Fix" click "Options & Settings" Make sure all are selected
4)Click scan, "NOTE: Toward the end it will detect for "Keyloggers" press enter with your keyboard, Do NOT cilck"
5)After scan is complete Click NEXT, you will see the list of items detected above, check all and click "Fast Fix". If prompted click yes to continue.
6)If you like to scan for other objects you can select "Remove HiJackers" "Remove Adwares" "Remove SpyWares" "Remove Trojans & Worms" for specialized removal tools.

Please attach a HiJack This log so that I can view it. Thanks

Also, You can update to the latest version of CWShredder 2.12

 

here is my HJT log file
no matter how many times I have it fix this they come back
I can't manually edit the host file. I can't delete it or replace the host file.
I get IGETNET and Common Hijackers each time I run Spybot.
WHatever each of these programs find, they just put themselves back after removal
The rediections goto
Inqwire
eblocs
adserver
.......


Logfile of HijackThis v1.98.2
Scan saved at 6:59:06 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

 

Just to be sure you dont run into problems, I would try this removal if "Safe Mode"

Manual removal instructions will depend on your version of IGetNet. Try to edit your host file by going into the C:\WINDOWS\System32\drivers directory.Open the file 'hosts' in a text editor such as Notepad and remove the lines:

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

then save. In some versions, the IP address on the left may be different, and the third line might not be there. 216.177.73.139 is http://www.igetnet.com/

To remove IGN Keywords, try this uninstaller: Uninstaller

Stop Running Processes:

nlnp13.exe
nlnupgradev4_00p1.exe
profilepath+\local settings\temp\nlnp41.exe
profilepath+\local settings\temporary internet files\content.ie5\khirgp6n\nlnp1w[1].exe
profilepath+\local settings\temporary internet files\content.ie5\m6772vqj\nlnp1w[1].exe
programfilesdir+\filesubmit\taking a break\nlnp38.exe
systemroot+\system\nlnp29.exe
systemroot+\system\winstart.exe
systemroot+\system\winstart001.exe
systemroot+\system32\winstart.exe
systemroot+\system32\winstart001.exe

Remove Any AutoRun Entries:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002, delete it and reboot the machine immediately.

Unregister the DLL's with Regsvr32 (if applicable)
HINT: Click start, Run type in: Regsvr32 /u (Full addess of DLL files)

bho.dll
nlnp13.dll
systemroot+\system\bho001.dll
systemroot+\system\install_all.dll
systemroot+\system\rsp.dll
systemroot+\system\rsp001.dll
systemroot+\system\update_com.dll
systemroot+\system\update_removeold.dll
systemroot+\system32\bho001.dll
systemroot+\system32\rsp.dll
systemroot+\system32\rsp001.dll
update_hosts.dll

Cleanup Any Registry Entries Installed via Regedit

HKEY_CLASSES_ROOT\bho.clsurlsearch
HKEY_CLASSES_ROOT\clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_CLASSES_ROOT\clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_CLASSES_ROOT\clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_CLASSES_ROOT\clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_CLASSES_ROOT\clsid\{94742e3f-d9a1-4780-9a87-2ffa43655da2}
HKEY_CLASSES_ROOT\interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
HKEY_CLASSES_ROOT\interface\{3683fd85-0501-40dc-9edb-9d9181800d72}
HKEY_CLASSES_ROOT\interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
HKEY_CLASSES_ROOT\interface\{676058e3-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
HKEY_CLASSES_ROOT\rsp.bizlgk
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_CLASSES_ROOT\typelib\{676058db-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\typelib\{95b3af07-0e4f-4cdf-acfd-3d4efd9aec0b}
HKEY_CLASSES_ROOT\typelib\{974cc25e-d62c-4278-84e6-a806726e37bc}
HKEY_CLASSES_ROOT\typelib\{acba087f-1547-41de-8e9e-3f0963ce4bef}
HKEY_CURRENT_USER\software\vb and vba program settings\ie rsp
HKEY_LOCAL_MACHINE\software\classes\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_LOCAL_MACHINE\software\classes\rsp.bizlgk
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002
HKEY_USERS\s-1-5-21-1060284298-1450960922-725345543-1001\software\vb and vba program settings\ie rsp
HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\vb and vba program settings\ie rsp

Remove these files with windows explorer (if they exist)

bho.dll
ign fax cover.htm
inctrl.log
install.log
nlnp13.dll
nlnp13.exe
nlnupgradev4_00p1.exe
profilepath+\local settings\temp\nlnp41.exe
profilepath+\local settings\temporary internet files\content.ie5\khirgp6n\nlnp1w[1].exe
profilepath+\local settings\temporary internet files\content.ie5\m6772vqj\nlnp1w[1].exe
programfilesdir+\ebatesmoemoneymaker\system\code\bi.class
programfilesdir+\ebatesmoemoneymaker\system\code\bj.class
programfilesdir+\ebatesmoemoneymaker\system\code\bk.class
programfilesdir+\ebatesmoemoneymaker\system\code\bl.class
programfilesdir+\ebatesmoemoneymaker\system\code\bm.class
programfilesdir+\ebatesmoemoneymaker\system\code\bn.class
programfilesdir+\ebatesmoemoneymaker\system\code\bo.class
programfilesdir+\ebatesmoemoneymaker\system\code\bp.class
programfilesdir+\ebatesmoemoneymaker\system\code\bq.class
programfilesdir+\ebatesmoemoneymaker\system\code\br.class
programfilesdir+\ebatesmoemoneymaker\system\code\p.class
programfilesdir+\ebatesmoemoneymaker\system\code\x.class
programfilesdir+\ebatesmoemoneymaker\system\code\y.class
programfilesdir+\filesubmit\taking a break\nlnp38.exe
readme.txt
systemroot+\system\bho001.dll
systemroot+\system\install_all.dll
systemroot+\system\nlnp29.exe
systemroot+\system\rsp.dll
systemroot+\system\rsp001.dll
systemroot+\system\update_com.dll
systemroot+\system\update_removeold.dll
systemroot+\system\winstart.exe
systemroot+\system\winstart001.exe
systemroot+\system32\bho001.dll
systemroot+\system32\rsp.dll
systemroot+\system32\rsp001.dll
systemroot+\system32\vbarry.scr
systemroot+\system32\winstart.exe
systemroot+\system32\winstart001.exe
update_hosts.dll

 

Thanks to all who tried to help but I'm tired.....
I broke down and just reimaged.
Can anyone please suggest what may be the best tools to put on to
1. block viruses from getting in this time
2. Permanently block adaware, spyware, malware, etc