1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

NetSpry Help

Discussion in 'Virus & Other Malware Removal' started by ptvGuy, Apr 20, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. ptvGuy

    ptvGuy Thread Starter

    Joined:
    Apr 20, 2004
    Messages:
    78
    I know that you've handled the NetSpry question here before, but I need someone who knows what they're doing to check my log file and tell me which items I need to get rid of. I don't want to mess up the office computer. Thanks.

    -->ptvGuy

    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
    Logfile of HijackThis v1.97.7
    Scan saved at 2:34:27 PM, on 4/20/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\MSDTCW.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\NISUM.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\IAMAPP.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\SYMPXSVC.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TEMP\NOT.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\DBHB2.EXE
    C:\WINDOWS\SYSTEM\KROY8.EXE
    C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\UPTODATE.EXE
    C:\WINDOWS\APPLICATION DATA\SOTT.EXE
    C:\PROGRAM FILES\EZULA\MMOD.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\PROGRAM FILES\SYSAI\SYSAI.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    F1 - win.ini: run=hpfsched
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://kixe.org/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\f6eo9xy9.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\f6eo9xy9.slt\prefs.js)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [Not] C:\WINDOWS\TEMP\NOT.EXE
    O4 - HKLM\..\Run: [5X2EE653R45PGK] C:\WINDOWS\SYSTEM\JqvGne.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [nisserv] C:\PROGRA~1\SYMANT~1\SYMANT~2\NISSERV.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Oess] C:\WINDOWS\Application Data\sott.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\SYSTEM\wintcc.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.4974305556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...compaq.com/html/interactive/xw4100/model.html
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = kixe.org
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 66.81.224.253,66.81.224.254
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi ptvguy, welcome to TSG.

    Okay, first thing, go to add/remove and uninstall NewDotNnet. If any problems with that, see the other instructions here:

    http://www.newdotnet.com/

    After rebooting, go here and download CWShredder:

    http://www.spywareinfo.com/~merijn/downloads.html

    After downloading, close your browser, open the application and click Fix (not scan) and let it do its' thing.

    Then, go here and download AdAware and read how to initially configure it:

    http://forums.techguy.org/showthrea...hreadid=164245&

    After installing, download current updates, then scan your system. Everything AdAware finds is safe to delete.

    Reboot, then post a new HJT log here and we'll clean up whatever is leftover, okay?

    :)
     
  3. ptvGuy

    ptvGuy Thread Starter

    Joined:
    Apr 20, 2004
    Messages:
    78
    Wow, thanks for the quick response. I followed your instructions, and the new log is below. AdAware found 252 objects it recognized, but couldn't get rid of all of them. I didn't realize that it would take so long to scan. BTW, your link to the AdAware configuration instructions didn't work, but I found them on my own.


    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
    Logfile of HijackThis v1.97.7
    Scan saved at 12:39:20 PM, on 4/21/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\MSDTCW.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\NISUM.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\SYMPXSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC CLIENT FIREWALL\IAMAPP.EXE
    C:\WINDOWS\TEMP\NOT.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\BZTOQ.EXE
    C:\WINDOWS\SYSTEM\KROY8.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kixe.org/
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://kixe.org/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\f6eo9xy9.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\f6eo9xy9.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [Not] C:\WINDOWS\TEMP\NOT.EXE
    O4 - HKLM\..\Run: [5X2EE653R45PGK] C:\WINDOWS\SYSTEM\PgoWP.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [nisserv] C:\PROGRA~1\SYMANT~1\SYMANT~2\NISSERV.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\SYSTEM\wintcc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.4974305556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...compaq.com/html/interactive/xw4100/model.html
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = kixe.org
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 66.81.224.253,66.81.224.254
     
  4. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Sorry for the delay....and you're right, that link has changed. I'll correct that, thanks for letting me know.

    Okay, one thing you have is the peper a. trojan. Go here and download this uninstaller:

    http://www.zerosrealm.com/downloads/uninst.exe


    Now let's use HJT to cleanup the other entries. Close your browser, check the following entries in HJT, click Fix and then REBOOT.


    R3 - Default URLSearchHook is missing


    O4 - HKLM\..\Run: [Not] C:\WINDOWS\TEMP\NOT.EXE
    O4 - HKLM\..\Run: [5X2EE653R45PGK] C:\WINDOWS\SYSTEM\PgoWP.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE

    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\SYSTEM\wintcc.exe


    After rebooting, find and delete these files:

    C:\WINDOWS\TEMP\NOT.EXE
    C:\WINDOWS\SYSTEM\PgoWP.exe
    C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    C:\WINDOWS\SYSTEM\wintcc.exe


    Hopefully you'll be good to go.

    :)
     
  5. ptvGuy

    ptvGuy Thread Starter

    Joined:
    Apr 20, 2004
    Messages:
    78
    Buckaroo, thanks a lot for all the help. It all seems to be fixed now. I'm hoping that it will stay that way, but since my office computer is connected to both the Internet and the only color printer, everyone comes in to use it when I'm out. Anyway, thanks again.

    -->ptvGuy
     
  6. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    You're welcome! (y) Keep AdAware updated and periodically scan your system. Also, make sure you're current with MS critical updates.

    :)
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/222396

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice