I've tried everything, now what?
Join Date: Nov 2004
Posts: 34
Solved Threads: 0
I have done everything I know to get rid of this spyware that is plaguing me. Elite ToolBar and WWWCoolSearch just will not die! I have deleted them with NAV, I have deleted them with Spybot, I have used CWShredder. I have deleted the bad files from where they are. I have deleted them from the registry, and I have used HijackThis. At one point I was 100% I had it clean, but I had to get on another computer and download WinsockXPFix because getting rid of the spyware had made it to where I couldn't get online. After I ran that I could get back online, but the spyware came back. Obviously I'm missing something, or I keep going to the same bad places when I get online. What do I need to do? Thanks in advance for any advice.
I don't know if this will help you but I launched a big anti-crapware assault on my computer and hardly anything gets past me anymore.
I would run AntiVi XP. It seems to catch some crap that VirusScan and AVG don't get.
Usually then I run Ad-Aware SE, followed by Spybot: S&D. I then double check with Hijack This. Hope this helps.
Originally Posted by alaska98
I have done everything I know to get rid of this spyware that is plaguing me. Elite ToolBar and WWWCoolSearch just will not die! I have deleted them with NAV, I have deleted them with Spybot, I have used CWShredder. I have deleted the bad files from where they are. I have deleted them from the registry, and I have used HijackThis. At one point I was 100% I had it clean, but I had to get on another computer and download WinsockXPFix because getting rid of the spyware had made it to where I couldn't get online. After I ran that I could get back online, but the spyware came back. Obviously I'm missing something, or I keep going to the same bad places when I get online. What do I need to do? Thanks in advance for any advice.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Join Date: Nov 2004
Posts: 34
Solved Threads: 0
Ok, here is my current Hijack log....
Logfile of HijackThis v1.99.0
Scan saved at 10:05:56 PM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\ANNALEAH\Desktop\Desktop\runescape.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ANNALEAH\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecu...th.srf?lc=1033
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\ANNALEAH\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3367F46-8ED0-445D-9415-110C55DA5EF8}: NameServer = 198.68.210.2 204.117.214.10
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I was told to get rid of the O1's but they keep coming back. Minibug won't die either.
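A triage pass over the kind of log posted above, as an added example that is not part of the original thread: it flags hosts-file (O1) entries that point a name at a non-loopback address, autorun (O4) entries that launch from a Temp folder, and running processes started from Temp. The function name `triage` and the finding labels are assumptions made for illustration; the sample lines are an excerpt of the posted log.

```python
import re

# Excerpt of the HijackThis log posted in this thread, embedded so the
# example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ANNALEAH\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\ANNALEAH\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - <body>"
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")        # "<ip> <hostname>"
RUN = re.compile(r"^(.+?): \[(.+?)\] (.*)$")          # "<key>: [<name>] <command>"
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Hosts entries mapped to these addresses block a name rather than redirect it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log_text):
    """Return (label, detail) tuples for entries worth a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry is None:
            # Process list lines are bare paths; flag anything run from Temp.
            if in_processes and TEMP_DIR.search(line):
                findings.append(("process-in-temp", line))
            continue
        in_processes = False  # the first coded entry ends the process list
        code, body = entry.groups()
        if code == "O1":
            hosts = HOSTS.match(body)
            if hosts and hosts.group(1) not in LOOPBACK:
                findings.append(
                    ("hosts-redirect", f"{hosts.group(2)} -> {hosts.group(1)}"))
        elif code == "O4":
            run = RUN.match(body)
            if run and TEMP_DIR.search(run.group(3)):
                findings.append(
                    ("autorun-from-temp", f"{run.group(2)}: {run.group(3)}"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:18} {detail}")
```

A flagged entry is a prompt for review, not a verdict; as the replies in this thread stress, nothing should be fixed until the log has been checked.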
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!
1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.
2. Copy and paste HijackThis.exe to the new folder.
3. Close ALL windows except HJT
4. SCAN with HJT
5. POST the new log in this thread using 'Add Reply'
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH
,,,,,,,,,,,,,,,
I have to give up the computer to my daughter before she drives me nuts, will check back later.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Wow, a lot happened while I was posting this! :eek:
Do you have a firewall (and is it enabled)? That should be your first line of defense (a hardware firewall is better, but a software firewall at least -- both is best!).
Next would be an up-to-date anti-virus program.
The third means of protection is to get SpywareBlaster and/or SpywareGuard. These two programs block known malware from getting to your system (as with AV programs, you need to keep them updated for best protection).
Once you have yourself protected, you should have Spybot and Adaware to help catch most of what gets past that protection.
Finally, you should have Hijackthis to help find more specialized problems; many of these can be resolved with HJT itself, but even for the ones that can't be, it is used to identify them so more specific/specialized fixes can be determined.
I realize you already mentioned having some of these, I just listed it all for anyone else that comes across this thread.
Last edited by dlh6213; Dec 25th, 2004 at 12:19 am. Reason: Added statement
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
VirtualBouncer malware from Spyware Labs. It is distributed by the same bundling and drive-by download techniques as the parasites it claims to remove, so definitely qualifies as unsolicited commercial software in itself. It also has an update feature that can download and execute arbitrary code. Warning - choose "custom" uninstall as "automatic" may remove other programs.
Check in Control Panel, Add and Remove Programs, to uninstall it maybe.
,,,,,,,,,,,,,,,,,,,,,,
Then do the following
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Close all browser windows and fix the O1s and fix this one also
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
..........
Reboot to safe mode, hitting F8 on startup, and delete the following folder.
C:\Program Files\VBouncer\
reboot and post new log
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Here's some more info on the Bouncer (if you're interested):
http://www.iamnotageek.com/a/bundleouter.exe.php
Before you post a new log, empty the contents of all Temp and Temporary Internet folders for all users on the computer.
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Do you have admin rights on this computer? If so, are you using XP Home or XP Pro? If XP Home, and you have admin rights, you should be able to access them in Safe Mode. If XP Pro, you should be able to do it from Normal Mode (I think).
By the way, if you're "ANNALEAH" that's the main one we need to worry about right now.
Last edited by dlh6213; Dec 25th, 2004 at 12:56 am. Reason: Add info
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html