Internet explorer hijack

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

x7turtle7x

Thread Starter
Joined
Aug 12, 2004
Messages
181
I got hijacked, and when I run HijackThis and I check it off to delete it, it says it can't do it and to run Spybot..... I was going to download Spybot but never got around to it..... I can open Internet Explorer, but it says page cannot be found, and yes I am on the internet when it says that :D. And since the computer that I'm on doesn't have very much memory, or a CD burner, I can't download Spybot. I guess that if I found a small enough program I could put it on a floppy disk. Any suggestions?

Logfile of HijackThis v1.98.2
Scan saved at 12:03:55 PM, on 9/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMON98.EXE
C:\WINDOWS\FONTS\LSASS.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSVCHOST.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\NEWS\NEWSUPD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TPPALDR.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMONTRAY.EXE
C:\PROGRAM FILES\DEFENDER\DEFENDER PRO ANTI-VIRUS\AVPM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SHUTDOWN\SHUTDOWN.EXE
C:\PROGRAM FILES\DEFENDER\DEFENDER PRO ANTI-VIRUS\AVPM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKLM\..\Run: [Kaspersky Anti-Virus Lite] C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [IMON] C:\Program Files\Intel\Intel(R) Active Monitor\imon98.exe
O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYKILLER] C:\PROGRAM FILES\ANONYMIZER\SK\SPYWAREKILLER.EXE /BOOT
O4 - Startup: ShutDown.lnk = C:\Program Files\ShutDown\shutdown.exe
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
 
Joined
Feb 23, 2003
Messages
16,274
First off you need to go to add/remove programs and uninstall NEWDOTNET.

Reboot then rescan with hijack then insert a check next to each of the following, close all browser windows and click "fix checked"

O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O10 - Hijacked Internet access by New.Net



Then reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


Open windows explorer, find then delete:
C:\WINDOWS\FONTS\lsass.exe
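
Added example, not part of the original post and not HijackThis's own logic: a small triage script that parses the O4 autorun lines of a HijackThis log and flags the pattern picked out above, one executable started from the Fonts folder and registered under several autorun keys. The two heuristics and the `DATA_DIRS` list are assumptions of this example; the sample lines are a subset copied from the log in this thread.

```python
import re
from collections import defaultdict
from ntpath import dirname

# Constructed sample: a subset of the O4 lines from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", re.I)
# Assumption of this example: folders that hold data, not startup programs.
DATA_DIRS = {r"c:\windows\fonts", r"c:\windows\temp"}

def exe_path(cmd):
    """Strip quotes and arguments from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd

def parse_o4(log):
    """Yield (registry_key, value_name, executable) for each O4 registry line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m["key"], m["name"], exe_path(m["cmd"])

def triage(log):
    """Return {executable: [reasons]} for entries worth a closer look."""
    keys = defaultdict(set)
    for key, _name, path in parse_o4(log):
        keys[path.lower()].add(key)
    findings = {}
    for path, where in keys.items():
        reasons = []
        if dirname(path) in DATA_DIRS:
            reasons.append("autostart from a data directory")
        if len(where) > 1:
            reasons.append("registered under %d autorun keys" % len(where))
        if reasons:
            findings[path] = reasons
    return findings
```

Calling `triage()` on the text of a saved log returns only the flagged executables with the reasons for each; everything else in the O4 section is left for manual review.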
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Run Msconfig and deselect all programs from the Startup programs tab list except for systray and Scan Registry. Click OK and restart the computer when prompted. Try downloading Spybot now and, if able, run a complete scan.
 
Joined
Feb 23, 2003
Messages
16,274
JSntgRvr said:
Run Msconfig and deselect all programs from the Startup programs tab list except for systray and Scan Registry. Click OK and restart the computer when prompted. Try downloading Spybot now and, if able, run a complete scan.
Aren't you finished yet...The hijacker is the first line of removal. :rolleyes:
 

x7turtle7x

Thread Starter
Joined
Aug 12, 2004
Messages
181
I went to msconfig, unchecked everything except systray (don't know what you mean by scan registry), and I went to delete lsass, and it said it was in use. The NEWDOTNET was not on the add and remove. However, there used to be about 5 of the "Hijacked Internet access by New.Net" and I was able to get rid of 4 of those. Should I go back into HijackThis and restore them? And also when I unchecked all of those, the computer acted very strange... (stranger than usual :D)
 

x7turtle7x

Thread Starter
Joined
Aug 12, 2004
Messages
181
I loaded it onto a floppy disk, and I can't seem to open it. It started having difficulty opening things whenever I took all the stuff off of start-up (if that makes any sense).
 
Joined
Feb 23, 2003
Messages
16,274
Recheck all then reboot. That's why I didn't want that done.
 

x7turtle7x

Thread Starter
Joined
Aug 12, 2004
Messages
181
I'm gonna log off, I have school tomorrow. Leave your comments here and I will look at them tomorrow.
 
Joined
Feb 23, 2003
Messages
16,274
Either one of these ways will work to get rid of it then:

1. Double-click on My Computer.
2. Double-click on the C: drive.
3. Double-click on the Program Files folder.
4. Locate and double-click on the NewDotNet folder. If there is no folder, please proceed to PROCEDURE 3.
5. Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. ("X" represents the version number of the uninstaller and you should always use the latest version)
6. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
____________________________________________________________

1. From a computer that has Internet access, click on the following link: http://www.new.net/support/uninstall6_34.exe.
2. Download and save uninstall6_34.exe to a 3-½ floppy disk.
3. Insert the floppy disk into the floppy drive of the computer that needs to have our software uninstalled from.
4. Click on Start.
5. Click on Run.
6. In the Open window type, A:\uninstall6_34.exe.
7. Click on the OK button.
8. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.

______________________________________________________________

1. Double-click on My Computer.
2. Double-click on the C: drive.
3. Double-click on the Windows or Winnt folder.
4. Locate and double-click on the uninstall executable; it will be labeled NDNuninstallX_XX.exe. ("X" represents the version number of the uninstaller)
5. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
 

x7turtle7x

Thread Starter
Joined
Aug 12, 2004
Messages
181
I finally got rid of it, but when Internet Explorer opens, I still can't open it. The past couple of days, I have been getting a run time error 91.... The first time I rebooted after removing new.net, I got the following error message...

Iamapp caused an invalid fault in module msvcrti.dll, and it will close blah blah blah, you know the rest....

Lol my computer is just full of issues
 