
(Solved) hijack this log

Discussion in 'Virus & Other Malware Removal' started by ddyperez, Sep 25, 2003.

Thread Status:
Not open for further replies.
  1. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    I first want to thank you for all the help you have given me without even knowing it. My computer is running 100% better because of the posts I have read.
    I have downloaded HijackThis in addition to Spybot. The Spybot helped me fix a lot of files. HijackThis tells me I have an unusual amount of hijack logs, but I'm not sure what to delete. This new.net comes up whenever I run Spybot, even on startup. It's also in my hijack logs, so I know that needs to go. Help with the rest would be appreciated. Here goes:
    Logfile of HijackThis v1.97.2
    Scan saved at 8:24:29 AM, on 9/25/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...HMaction=move&tobox=F000000004&direction=next
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131067
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    O1 - Hosts: 127.127.127.127 elite
    O1 - Hosts: 64.191.95.139 www.google.com
    O1 - Hosts: 64.191.95.139 google.com
    O1 - Hosts: 64.191.95.139 www.altavista.com
    O1 - Hosts: 64.191.95.139 altavista.com
    O1 - Hosts: 64.191.95.139 search.yahoo.com
    O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
    O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
    O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
    O1 - Hosts: 64.191.95.139 au.search.yahoo.com
    O1 - Hosts: 64.191.95.139 de.search.yahoo.com
    O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
    O1 - Hosts: 64.191.95.139 www.lycos.de
    O1 - Hosts: 64.191.95.139 www.lycos.ca
    O1 - Hosts: 64.191.95.139 www.lycos.jp
    O1 - Hosts: 64.191.95.139 www.lycos.co.jp
    O1 - Hosts: 64.191.95.139 alltheweb.com
    O1 - Hosts: 64.191.95.139 web.ask.com
    O1 - Hosts: 64.191.95.139 ask.com
    O1 - Hosts: 64.191.95.139 www.ask.com
    O1 - Hosts: 64.191.95.139 www.teoma.com
    O1 - Hosts: 64.191.95.139 search.aol.com
    O1 - Hosts: 64.191.95.139 www.looksmart.com
    O1 - Hosts: 64.191.95.139 ca.search.msn.com
    O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
    O1 - Hosts: 64.191.95.139 search.fr.msn.be
    O1 - Hosts: 64.191.95.139 search.fr.msn.ch
    O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
    O1 - Hosts: 64.191.95.139 search.msn.at
    O1 - Hosts: 64.191.95.139 search.msn.be
    O1 - Hosts: 64.191.95.139 search.msn.ch
    O1 - Hosts: 64.191.95.139 search.msn.co.in
    O1 - Hosts: 64.191.95.139 search.msn.co.jp
    O1 - Hosts: 64.191.95.139 search.msn.co.kr
    O1 - Hosts: 64.191.95.139 search.msn.com.br
    O1 - Hosts: 64.191.95.139 search.msn.com.hk
    O1 - Hosts: 64.191.95.139 search.msn.com.my
    O1 - Hosts: 64.191.95.139 search.msn.com.sg
    O1 - Hosts: 64.191.95.139 search.msn.com.tw
    O1 - Hosts: 64.191.95.139 search.msn.co.za
    O1 - Hosts: 64.191.95.139 search.msn.de
    O1 - Hosts: 64.191.95.139 search.msn.dk
    O1 - Hosts: 64.191.95.139 search.msn.es
    O1 - Hosts: 64.191.95.139 search.msn.fi
    O1 - Hosts: 64.191.95.139 search.msn.fr
    O1 - Hosts: 64.191.95.139 search.msn.it
    O1 - Hosts: 64.191.95.139 search.msn.nl
    O1 - Hosts: 64.191.95.139 search.msn.no
    O1 - Hosts: 64.191.95.139 search.msn.se
    O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
    O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
    O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
    O1 - Hosts: 64.191.95.139 search.yupimsn.com
    O1 - Hosts: 64.191.95.139 uk.search.msn.com
    O1 - Hosts: 64.191.95.139 search.lycos.com
    O1 - Hosts: 64.191.95.139 www.lycos.com
    O1 - Hosts: 64.191.95.139 www.google.ca
    O1 - Hosts: 64.191.95.139 google.ca
    O1 - Hosts: 64.191.95.139 www.google.uk
    O1 - Hosts: 64.191.95.139 www.google.co.uk
    O1 - Hosts: 64.191.95.139 www.google.com.au
    O1 - Hosts: 64.191.95.139 www.google.co.jp
    O1 - Hosts: 64.191.95.139 www.google.jp
    O1 - Hosts: 64.191.95.139 www.google.at
    O1 - Hosts: 64.191.95.139 www.google.be
    O1 - Hosts: 64.191.95.139 www.google.ch
    O1 - Hosts: 64.191.95.139 www.google.de
    O1 - Hosts: 64.191.95.139 www.google.dk
    O1 - Hosts: 64.191.95.139 www.google.fi
    O1 - Hosts: 64.191.95.139 www.google.fr
    O1 - Hosts: 64.191.95.139 www.google.com.gr
    O1 - Hosts: 64.191.95.139 www.google.com.hk
    O1 - Hosts: 64.191.95.139 www.google.ie
    O1 - Hosts: 64.191.95.139 www.google.co.il
    O1 - Hosts: 64.191.95.139 www.google.it
    O1 - Hosts: 64.191.95.139 www.google.co.kr
    O1 - Hosts: 64.191.95.139 www.google.com.mx
    O1 - Hosts: 64.191.95.139 www.google.nl
    O1 - Hosts: 64.191.95.139 www.google.co.nz
    O1 - Hosts: 64.191.95.139 www.google.pl
    O1 - Hosts: 64.191.95.139 www.google.pt
    O1 - Hosts: 64.191.95.139 www.google.com.ru
    O1 - Hosts: 64.191.95.139 www.google.com.sg
    O1 - Hosts: 64.191.95.139 www.google.co.th
    O1 - Hosts: 64.191.95.139 www.google.com.tr
    O1 - Hosts: 64.191.95.139 www.google.com.tw
    O1 - Hosts: 64.191.95.139 google.at
    O1 - Hosts: 64.191.95.139 google.be
    O1 - Hosts: 64.191.95.139 google.de
    O1 - Hosts: 64.191.95.139 google.dk
    O1 - Hosts: 64.191.95.139 google.fi
    O1 - Hosts: 64.191.95.139 google.fr
    O1 - Hosts: 64.191.95.139 google.com.hk
    O1 - Hosts: 64.191.95.139 google.ie
    O1 - Hosts: 64.191.95.139 google.co.il
    O1 - Hosts: 64.191.95.139 google.it
    O1 - Hosts: 64.191.95.139 google.co.kr
    O1 - Hosts: 64.191.95.139 google.com.mx
    O1 - Hosts: 64.191.95.139 google.nl
    O1 - Hosts: 64.191.95.139 google.co.nz
    O1 - Hosts: 64.191.95.139 google.pl
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [1:] c:\hp\bin\hpdrv.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DirectX64] C:\WINDOWS\System32\DirectXset.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\03819385.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://spweb.whenu.com/WUInstSYNC.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi ddyperez, and welcome to TSG.. :)

    You may wish you hadn't asked when you see this lot.. :D

    First of all could you download and run Coolwebshredder from here, then reboot and go to Start | Settings | Control Panel | Add/Remove programs and remove the program NewDotNet.

    Then if you could reboot again and run a new HJT! log, then close all browser windows, check to fix the following entries, then click the Fix checked button...

    Note: Some entries may no longer be there following the above procedures. :)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...;direction=next
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131067
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/

    To save you having to check, this lot following is every O1 entry, so delete all of them. :)

    O1 - Hosts: 127.127.127.127 elite
    O1 - Hosts: 64.191.95.139 www.google.com
    O1 - Hosts: 64.191.95.139 google.com
    O1 - Hosts: 64.191.95.139 www.altavista.com
    O1 - Hosts: 64.191.95.139 altavista.com
    O1 - Hosts: 64.191.95.139 search.yahoo.com
    O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
    O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
    O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
    O1 - Hosts: 64.191.95.139 au.search.yahoo.com
    O1 - Hosts: 64.191.95.139 de.search.yahoo.com
    O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
    O1 - Hosts: 64.191.95.139 www.lycos.de
    O1 - Hosts: 64.191.95.139 www.lycos.ca
    O1 - Hosts: 64.191.95.139 www.lycos.jp
    O1 - Hosts: 64.191.95.139 www.lycos.co.jp
    O1 - Hosts: 64.191.95.139 alltheweb.com
    O1 - Hosts: 64.191.95.139 web.ask.com
    O1 - Hosts: 64.191.95.139 ask.com
    O1 - Hosts: 64.191.95.139 www.ask.com
    O1 - Hosts: 64.191.95.139 www.teoma.com
    O1 - Hosts: 64.191.95.139 search.aol.com
    O1 - Hosts: 64.191.95.139 www.looksmart.com
    O1 - Hosts: 64.191.95.139 ca.search.msn.com
    O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
    O1 - Hosts: 64.191.95.139 search.fr.msn.be
    O1 - Hosts: 64.191.95.139 search.fr.msn.ch
    O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
    O1 - Hosts: 64.191.95.139 search.msn.at
    O1 - Hosts: 64.191.95.139 search.msn.be
    O1 - Hosts: 64.191.95.139 search.msn.ch
    O1 - Hosts: 64.191.95.139 search.msn.co.in
    O1 - Hosts: 64.191.95.139 search.msn.co.jp
    O1 - Hosts: 64.191.95.139 search.msn.co.kr
    O1 - Hosts: 64.191.95.139 search.msn.com.br
    O1 - Hosts: 64.191.95.139 search.msn.com.hk
    O1 - Hosts: 64.191.95.139 search.msn.com.my
    O1 - Hosts: 64.191.95.139 search.msn.com.sg
    O1 - Hosts: 64.191.95.139 search.msn.com.tw
    O1 - Hosts: 64.191.95.139 search.msn.co.za
    O1 - Hosts: 64.191.95.139 search.msn.de
    O1 - Hosts: 64.191.95.139 search.msn.dk
    O1 - Hosts: 64.191.95.139 search.msn.es
    O1 - Hosts: 64.191.95.139 search.msn.fi
    O1 - Hosts: 64.191.95.139 search.msn.fr
    O1 - Hosts: 64.191.95.139 search.msn.it
    O1 - Hosts: 64.191.95.139 search.msn.nl
    O1 - Hosts: 64.191.95.139 search.msn.no
    O1 - Hosts: 64.191.95.139 search.msn.se
    O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
    O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
    O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
    O1 - Hosts: 64.191.95.139 search.yupimsn.com
    O1 - Hosts: 64.191.95.139 uk.search.msn.com
    O1 - Hosts: 64.191.95.139 search.lycos.com
    O1 - Hosts: 64.191.95.139 www.lycos.com
    O1 - Hosts: 64.191.95.139 www.google.ca
    O1 - Hosts: 64.191.95.139 google.ca
    O1 - Hosts: 64.191.95.139 www.google.uk
    O1 - Hosts: 64.191.95.139 www.google.co.uk
    O1 - Hosts: 64.191.95.139 www.google.com.au
    O1 - Hosts: 64.191.95.139 www.google.co.jp
    O1 - Hosts: 64.191.95.139 www.google.jp
    O1 - Hosts: 64.191.95.139 www.google.at
    O1 - Hosts: 64.191.95.139 www.google.be
    O1 - Hosts: 64.191.95.139 www.google.ch
    O1 - Hosts: 64.191.95.139 www.google.de
    O1 - Hosts: 64.191.95.139 www.google.dk
    O1 - Hosts: 64.191.95.139 www.google.fi
    O1 - Hosts: 64.191.95.139 www.google.fr
    O1 - Hosts: 64.191.95.139 www.google.com.gr
    O1 - Hosts: 64.191.95.139 www.google.com.hk
    O1 - Hosts: 64.191.95.139 www.google.ie
    O1 - Hosts: 64.191.95.139 www.google.co.il
    O1 - Hosts: 64.191.95.139 www.google.it
    O1 - Hosts: 64.191.95.139 www.google.co.kr
    O1 - Hosts: 64.191.95.139 www.google.com.mx
    O1 - Hosts: 64.191.95.139 www.google.nl
    O1 - Hosts: 64.191.95.139 www.google.co.nz
    O1 - Hosts: 64.191.95.139 www.google.pl
    O1 - Hosts: 64.191.95.139 www.google.pt
    O1 - Hosts: 64.191.95.139 www.google.com.ru
    O1 - Hosts: 64.191.95.139 www.google.com.sg
    O1 - Hosts: 64.191.95.139 www.google.co.th
    O1 - Hosts: 64.191.95.139 www.google.com.tr
    O1 - Hosts: 64.191.95.139 www.google.com.tw
    O1 - Hosts: 64.191.95.139 google.at
    O1 - Hosts: 64.191.95.139 google.be
    O1 - Hosts: 64.191.95.139 google.de
    O1 - Hosts: 64.191.95.139 google.dk
    O1 - Hosts: 64.191.95.139 google.fi
    O1 - Hosts: 64.191.95.139 google.fr
    O1 - Hosts: 64.191.95.139 google.com.hk
    O1 - Hosts: 64.191.95.139 google.ie
    O1 - Hosts: 64.191.95.139 google.co.il
    O1 - Hosts: 64.191.95.139 google.it
    O1 - Hosts: 64.191.95.139 google.co.kr
    O1 - Hosts: 64.191.95.139 google.com.mx
    O1 - Hosts: 64.191.95.139 google.nl
    O1 - Hosts: 64.191.95.139 google.co.nz
    O1 - Hosts: 64.191.95.139 google.pl

    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [DirectX64] C:\WINDOWS\System32\DirectXset.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\03819385.EXE
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://spweb.whenu.com/WUInstSYNC.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search...rchsettings.cab


    This last O17 entry resolves to visuallink.com. If this is not your Internet Service Provider, then please fix it as well.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1

    The RED entry relates to the Steph.A worm, so please reboot after fixing all of the above and go here to run an online virus scan, deleting all it finds.

    Then could you delete the bolded folder...

    C:\Program Files\ISTsvc

    Once that is all done please reboot and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

    Now press Settings, and Settings again. Go to the Webupdate section, and check "Display also available beta versions".

    Now press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

    Then if you could reboot once more (sorry about all the rebooting, but this is necessary in order for Windows to update its settings after each stage, especially for the removal of those O10 entries, which are becoming more evasive) :) and post a new HJT! log, just for a final once over.

    Once all this is done, it only remains for you to reset the default web settings for IE. To do this please go to Start | Settings | Control Panel | Internet Options, click on the Programs tab, then click the Reset Web Settings button. You can then, of course, choose your desired home page as normal.

    Cheers

    Liam
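The triage Liam does by eye above (every O1 hosts entry pointing search engines at one address, the O10 New.Net Winsock entries, the O17 NameServer to check against the ISP) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample log lines, the regexes and the SUSPECT_RUN_MARKERS list are constructed from the entries quoted in this thread.

```python
"""Triage a HijackThis (HJT) log for the hijack patterns seen in this thread:
O1 hosts-file redirects, suspect O4 autostarts, O10 Winsock LSP hijacks and
O17 DNS server changes."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, made of the kinds of lines in the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")

# Autostart command fragments the helpers in this thread singled out for removal
# (assumed marker list; extend it with whatever your own triage turns up).
SUSPECT_RUN_MARKERS = ("newdot", "clearsearch", "istsvc", "directxset")


def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Group the findings an analyst reads first from a HJT log."""
    report = {
        "hosts_redirects": defaultdict(list),  # non-loopback IP -> hijacked names
        "hosts_nonstandard": [],               # loopback, but not 'localhost'
        "suspect_run": [],                     # O4 autostarts matching the markers
        "lsp_hijack_count": 0,                 # O10 entries (Winsock LSP chain)
        "nameservers": [],                     # O17 DNS servers to verify with the ISP
    }
    for sec, body in parse_hjt(text):
        if sec == "O1":
            m = HOSTS_RE.match(body)
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                continue  # malformed address: not a redirect we can classify
            if not ip.is_loopback:
                report["hosts_redirects"][str(ip)].append(m.group("name"))
            elif m.group("name").lower() != "localhost":
                report["hosts_nonstandard"].append((str(ip), m.group("name")))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and any(k in m.group("cmd").lower() for k in SUSPECT_RUN_MARKERS):
                report["suspect_run"].append(m.group("name"))
        elif sec == "O10":
            report["lsp_hijack_count"] += 1
        elif sec == "O17":
            m = NS_RE.search(body)
            if m:
                report["nameservers"].extend(m.group("servers").split(","))
    report["hosts_redirects"] = dict(report["hosts_redirects"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the full log above the redirect bucket for 64.191.95.139 would hold all the search-engine names, which is the pattern that tells you the hosts file, not the browser, is what was hijacked.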
     
  3. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    OK... followed all the directions you gave me; that new.net is the only thing that keeps popping up. When I run Spybot, it says that it may be fixed upon startup, so I ran the Spybot program when I rebooted, and it still won't get rid of new.net.
    heres the log:
    Logfile of HijackThis v1.97.2
    Scan saved at 12:27:53 PM, on 9/25/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\WINDOWS\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [1:] c:\hp\bin\hpdrv.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
     
  4. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi ddyperez,

    Re: the new.net entries. We've had a couple of problems in the last day or two with new.net and its removal. It may be a new variant that is more difficult to remove.

    Could you switch off the computer and leave it for about 5 minutes before switching back on. Then if you could switch it back on, and run spybot. Next switch off again for a few minutes, and upon rebooting spybot should finish the job of cleaning new.net up.

    If this doesn't work let me know, and I'll ask one of the security experts here to see if they have any new info on this problem.. :)

    Cheers

    Liam
     
  5. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    OK, shut down for five minutes, tried to clean it again, then shut down for five more. Same thing... although I can't find it in Add or Remove Programs, I did find it in Explorer. What about deleting the file manually from Explorer? Any other suggestions?
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    Try the latest version of AdAware; that seems to get rid of this new version of new.dot net.

    download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.
     
  7. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Cheers Derek, (y) :)

    This latest one seems more sticky than ever. Putasolution was stuck with it a day or two ago. And it seems to be travelling fast. There are another couple of logs that have just been posted, with new.net in tow. (So I've C&Pd your Adaware info, as I never got around to it before) :D

    Cheers

    Liam
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    Hi Liam

    I hope it works

    As quickly as the Adaware & Spybot programmers come up with a solution, the scum change the rules and make the removal even more difficult.

    Adaware seems to be keeping on top of it now though, and using a combination of the manual removal, Adaware & Spybot should work.
     
  9. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Derek,

    That's the problem with any heuristic (I think that's the right word) :) remedy, generally it involves bolting the gate and losing the horse.. :D

    Still, at least we're making the ****************s (pick your own expletive) work hard to try to stay one step ahead of Lavasoft and Kolla. They may get bored with it eventually, but somehow... I doubt it.

    Cheers

    Liam
     
  10. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    OK, tried the Adaware, ran a full scan after adjusting the settings as suggested, then ran the Spy-bot again; it still detected new.net.
    I can't delete it from Explorer; it says access is denied or portions of the program are currently in use.


    what now?
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    OK, you are running XP, so the next thing to try is to start in safe mode, by pressing F8 on boot up and following the prompts.

    Then try to uninstall through Add/Remove Programs in Control Panel.

    none of the new dot net entries should be running in safe mode so they should be able to be deleted easily

    then still in safe mode run a new hijackthis scan and delete all references to new.net

    make sure you delete the entire new.net folder

    reboot normally and post a new log and lets see if that works
     
  12. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    New.net isn't in my Add/Remove Programs, but I will try your suggestions in safe mode...

    BRB
     
  13. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    Tried to delete it in safe mode, and still got the same error message, believe it or not. Won't let me delete it. Says it's currently in use, even in safe mode.
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    download & run process explorer from http://www.sysinternals.com/

    use it to stop all examples of new.net running then delete the files & the folder
     
  15. ddyperez

    ddyperez Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    11
    OK, downloaded it and ran it. Searched for New.Net, found it on the bottom screen and the top screen. I assume that this program tells you what program is being run from what files. I suspended the program, assuming that this would keep New.net from being active, then went to try to delete it. No dice. Then I went back and killed it. (I really hope I didn't screw something up, I'm a little out of my league at this point.) After killing it, I went back and searched for it, and nothing came up. But when I went back to Explorer to check, it's still there, and still won't delete from my Explorer...

    next?
     
Short URL to this thread: https://techguy.org/167309