Internet explorer hijack

Discussion in 'Earlier Versions of Windows' started by x7turtle7x, Sep 1, 2004.

  1. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I got hijacked, and when I run hijack this and I check it off to delete it, it says it can't do it and to run spybot..... I was going to download spybot but never got around to it..... I can open internet explorer, but it says page cannot be found, and yes I am on the internet when it says that :D. And since the computer that I'm on doesn't have very much memory, or a cd burner, I can't download spybot, I guess that if I found a small enough program I could put it on a floppy disk. Any suggestions?

    Logfile of HijackThis v1.98.2
    Scan saved at 12:03:55 PM, on 9/1/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMON98.EXE
    C:\WINDOWS\FONTS\LSASS.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\MSVCHOST.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\NEWS\NEWSUPD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TPPALDR.EXE
    C:\USBSTORAGE\USBDETECTOR.EXE
    C:\WINDOWS\SYSTEM\PROMON.EXE
    C:\PROGRAM FILES\INTEL\INTEL(R) ACTIVE MONITOR\IMONTRAY.EXE
    C:\PROGRAM FILES\DEFENDER\DEFENDER PRO ANTI-VIRUS\AVPM.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\SHUTDOWN\SHUTDOWN.EXE
    C:\PROGRAM FILES\DEFENDER\DEFENDER PRO ANTI-VIRUS\AVPM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_5_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
    O4 - HKLM\..\Run: [Kaspersky Anti-Virus Lite] C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
    O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [IMON] C:\Program Files\Intel\Intel(R) Active Monitor\imon98.exe
    O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SPYKILLER] C:\PROGRAM FILES\ANONYMIZER\SK\SPYWAREKILLER.EXE /BOOT
    O4 - Startup: ShutDown.lnk = C:\Program Files\ShutDown\shutdown.exe
    O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First off you need to go to add/remove programs and uninstall NEWDOTNET.

    Reboot then rescan with hijack then insert a check next to each of the following, close all browser windows and click "fix checked"



    O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe

    O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe

    O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe


    O10 - Hijacked Internet access by New.Net



    Then reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


    Open windows explorer, find then delete:
    C:\WINDOWS\FONTS\lsass.exe
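
The check applied by eye to the O4 lines in the reply above, written out as an added example that is not part of the original thread: it parses HijackThis O4 autorun entries and flags executables that start from a data directory or carry a Windows component name outside the system directories. The name and directory sets and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServicesOnce: [iexplorer] C:\WINDOWS\FONTS\lsass.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumption: names that imitate Windows components, and folders that hold data, not programs.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}
DATA_DIRS = {r"c:\windows\fonts", r"c:\windows\temp"}

def exe_path(cmd):
    """Return the lower-cased executable path from a Run value, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd).lower()

def review_autoruns(log_text):
    """Map each suspicious executable to its reasons and the keys that start it."""
    findings = defaultdict(lambda: {"reasons": set(), "keys": []})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(m["cmd"])
        folder, _, base = path.rpartition("\\")
        reasons = set()
        if folder in DATA_DIRS:
            reasons.add("runs from a data directory")
        if base in SYSTEM_NAMES and folder and folder not in SYSTEM_DIRS:
            reasons.add("system process name outside the system directories")
        if reasons:
            findings[path]["reasons"] |= reasons
            findings[path]["keys"].append(m["key"])
    return dict(findings)

if __name__ == "__main__":
    print(review_autoruns(SAMPLE_LOG))
```

Grouping by executable shows that the same file is registered under Run, RunServices and RunServicesOnce, so all three entries have to be fixed together.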
     
  3. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Run Msconfig and deselect all programs from the Startup programs tab list except for systray and Scan Registry. Click Ok and restart the computer when prompted. Try downloading Spybot now and if able, run a complete scan.
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Aren't you finished yet...The hijacker is the first line of removal. :rolleyes:
     
  5. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I went to msconfig, unchecked everything except systray, (don't know what you mean by scan registry) and I went to delete lsass, and it said it was in use. The NEWDOTNET was not on the add and remove. However, there used to be about 5 of the "Hijacked Internet access by New.Net" and I was able to get rid of 4 of those. Should I go back into hijack this and restore them? And also when I unchecked all of those, the computer acted very strange...(stranger than usual:D)
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  7. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I loaded it onto a floppy disk, and I can't seem to open it, it started having difficulty opening things whenever I took all the stuff off of start-up (if that makes any sense)
     
  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Recheck all then reboot. That's why I didn't want that done..
     
  9. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I'm gonna log off, I have school tomorrow, leave your comments here and I will look at them tomorrow
     
  10. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I checked everything and it still won't load... Any suggestions?
     
  11. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Either one of these ways will work to get rid of it then:

    # Double-click on My Computer.
    # Double-click on the C: drive.
    # Double-click on the Program Files folder.
    # Locate and double-click on the NewDotNet folder. If there is no folder, please proceed to PROCEDURE 3.
    # Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. (“X” represents the version number of the uninstaller and you should always use the latest version)
    # After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
    ____________________________________________________________

    # From a computer that has Internet access, click on the following link:
    http://www.new.net/support/uninstall6_34.exe.
    # Download and save uninstall6_34.exe to a 3-½ floppy disk.
    # Insert the floppy disk into the floppy drive of the computer that needs to have our software uninstalled from.
    # Click on Start.
    # Click on Run.
    # In the Open window type, A:\uninstall6_34.exe.
    # Click on the OK button.
    # After removal of our software, you may be prompted to reboot. Please reboot after removing our software.

    ______________________________________________________________

    # Double-click on My Computer.
    # Double-click on the C: drive.
    # Double-click on the Windows or Winnt folder.
    # Locate and double-click on the uninstall executable; it will be labeled NDNuninstallX_XX.exe. ("X" represents the version number of the uninstaller)
    # After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
     
  12. x7turtle7x

    x7turtle7x Thread Starter

    Joined:
    Aug 12, 2004
    Messages:
    181
    I finally got rid of it, but when internet explorer opens, I still can't open it. The past couple of days, I have been getting a run time error 91.... The first time I rebooted after removing new.net, I got the following error message...

    Iamapp caused an invalid fault in module msvcrti.dll, and it will close blah blah blah, you know the rest....

    Lol my computer is just full of issues
     
  13. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
Short URL to this thread: https://techguy.org/269001