(Solved) hijack this log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
I first want to thank you for all the help you have given me without even knowing it. My computer is running 100% better because of the posts I have read.
I have downloaded HijackThis in addition to Spybot. The Spybot helped me fix a lot of files. HijackThis tells me I have an unusual amount of hijack logs, but I'm not sure what to delete. This new.net comes up whenever I run Spybot, even on startup. It's also in my hijack logs, so I know that needs to go. Help with the rest would be appreciated. Here goes:
Logfile of HijackThis v1.97.2
Scan saved at 8:24:29 AM, on 9/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...HMaction=move&tobox=F000000004&direction=next
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131067
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 ca.search.msn.com
O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
O1 - Hosts: 64.191.95.139 search.fr.msn.be
O1 - Hosts: 64.191.95.139 search.fr.msn.ch
O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
O1 - Hosts: 64.191.95.139 search.msn.at
O1 - Hosts: 64.191.95.139 search.msn.be
O1 - Hosts: 64.191.95.139 search.msn.ch
O1 - Hosts: 64.191.95.139 search.msn.co.in
O1 - Hosts: 64.191.95.139 search.msn.co.jp
O1 - Hosts: 64.191.95.139 search.msn.co.kr
O1 - Hosts: 64.191.95.139 search.msn.com.br
O1 - Hosts: 64.191.95.139 search.msn.com.hk
O1 - Hosts: 64.191.95.139 search.msn.com.my
O1 - Hosts: 64.191.95.139 search.msn.com.sg
O1 - Hosts: 64.191.95.139 search.msn.com.tw
O1 - Hosts: 64.191.95.139 search.msn.co.za
O1 - Hosts: 64.191.95.139 search.msn.de
O1 - Hosts: 64.191.95.139 search.msn.dk
O1 - Hosts: 64.191.95.139 search.msn.es
O1 - Hosts: 64.191.95.139 search.msn.fi
O1 - Hosts: 64.191.95.139 search.msn.fr
O1 - Hosts: 64.191.95.139 search.msn.it
O1 - Hosts: 64.191.95.139 search.msn.nl
O1 - Hosts: 64.191.95.139 search.msn.no
O1 - Hosts: 64.191.95.139 search.msn.se
O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
O1 - Hosts: 64.191.95.139 search.yupimsn.com
O1 - Hosts: 64.191.95.139 uk.search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O1 - Hosts: 64.191.95.139 google.pl
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [1:] c:\hp\bin\hpdrv.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DirectX64] C:\WINDOWS\System32\DirectXset.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\03819385.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://spweb.whenu.com/WUInstSYNC.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1
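A triage script for the three entry classes this thread turns on (the O1 hosts-file redirects, the O10 New.Net LSP hijack and the O17 NameServer), added here as an example; it is not code from the thread or from HijackThis, and the sample log lines are constructed in the log's own entry format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the same entry format as the posted log (not the real log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
LSP_RE = re.compile(r"^O10 - Hijacked Internet access by (.+?)\s*$")
DNS_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)")


def parse_log(text):
    """Pull O1 (hosts), O10 (Winsock LSP) and O17 (NameServer) entries out of a log."""
    hosts, lsp, nameservers = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            hosts.append((m.group(1), m.group(2)))      # (target ip, hostname)
        elif m := LSP_RE.match(line):
            lsp.append(m.group(1))                        # one entry per hijacked LSP
        elif m := DNS_RE.match(line):
            nameservers.extend(ns for ns in m.group(1).split(",") if ns)
    return {"hosts": hosts, "lsp": lsp, "nameservers": nameservers}


def hosts_findings(hosts):
    """Group O1 entries by target address and rate them.

    Loopback targets for names other than localhost are worth a look (ad-block
    lists use them, so do hijackers); any non-loopback target is a redirect, and
    many names mapped to one public address is the search-engine hijack pattern.
    """
    by_ip = defaultdict(list)
    for ip, name in hosts:
        by_ip[ip].append(name)
    findings = []
    for ip, names in by_ip.items():
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append({"ip": ip, "names": names, "severity": "high",
                             "reason": "unparseable address"})
            continue
        if addr.is_loopback:
            odd = [n for n in names if n.lower() != "localhost"]
            if odd:
                findings.append({"ip": ip, "names": odd, "severity": "review",
                                 "reason": "loopback mapping for non-localhost name"})
            continue
        findings.append({"ip": ip, "names": sorted(names), "severity": "high",
                         "reason": f"{len(names)} name(s) redirected to {ip}"})
    return findings


def triage(text):
    """Full report: hosts redirects, LSP hijackers with counts, DNS servers to confirm."""
    parsed = parse_log(text)
    lsp_counts = defaultdict(int)
    for name in parsed["lsp"]:
        lsp_counts[name] += 1
    dns = []
    for ns in parsed["nameservers"]:
        try:
            private = ip_address(ns).is_private
        except ValueError:
            dns.append({"server": ns, "note": "unparseable"})
            continue
        # A public resolver is not wrong by itself; as the thread advises, it has
        # to be checked against the ISP's servers, so the report only labels it.
        dns.append({"server": ns, "note": "private/LAN resolver" if private
                    else "public resolver, confirm it belongs to your ISP"})
    return {"hosts_hijacks": hosts_findings(parsed["hosts"]),
            "lsp_hijackers": dict(lsp_counts), "nameservers": dns}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the localhost line is deliberately left out of the findings so a clean hosts file produces an empty list.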
 
Joined
Jun 19, 2003
Messages
1,241
Hi ddyperez, and welcome to TSG.. :)

You may wish you hadn't asked when you see this lot.. :D

First of all could you download and run Coolwebshredder from here, then reboot and go to Start | Settings | Control Panel | Add/Remove programs and remove the program NewDotNet.

Then if you could reboot again and run a new HJT! log, then close all browser windows, check to fix the following entries, then click the Fix checked button...

Note: Some entries may no longer be there following the above procedures. :)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by1fd.bay1.hotmail.msn.com/c...;direction=next

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131067

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/


To save you having to check, this lot following is every O1 entry, so delete all of them. :)

O1 - Hosts: 127.127.127.127 elite

O1 - Hosts: 64.191.95.139 www.google.com

O1 - Hosts: 64.191.95.139 google.com

O1 - Hosts: 64.191.95.139 www.altavista.com

O1 - Hosts: 64.191.95.139 altavista.com

O1 - Hosts: 64.191.95.139 search.yahoo.com

O1 - Hosts: 64.191.95.139 uk.search.yahoo.com

O1 - Hosts: 64.191.95.139 ca.search.yahoo.com

O1 - Hosts: 64.191.95.139 jp.search.yahoo.com

O1 - Hosts: 64.191.95.139 au.search.yahoo.com

O1 - Hosts: 64.191.95.139 de.search.yahoo.com

O1 - Hosts: 64.191.95.139 search.yahoo.co.jp

O1 - Hosts: 64.191.95.139 www.lycos.de

O1 - Hosts: 64.191.95.139 www.lycos.ca

O1 - Hosts: 64.191.95.139 www.lycos.jp

O1 - Hosts: 64.191.95.139 www.lycos.co.jp

O1 - Hosts: 64.191.95.139 alltheweb.com

O1 - Hosts: 64.191.95.139 web.ask.com

O1 - Hosts: 64.191.95.139 ask.com

O1 - Hosts: 64.191.95.139 www.ask.com

O1 - Hosts: 64.191.95.139 www.teoma.com

O1 - Hosts: 64.191.95.139 search.aol.com

O1 - Hosts: 64.191.95.139 www.looksmart.com

O1 - Hosts: 64.191.95.139 ca.search.msn.com

O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com

O1 - Hosts: 64.191.95.139 search.fr.msn.be

O1 - Hosts: 64.191.95.139 search.fr.msn.ch

O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com

O1 - Hosts: 64.191.95.139 search.msn.at

O1 - Hosts: 64.191.95.139 search.msn.be

O1 - Hosts: 64.191.95.139 search.msn.ch

O1 - Hosts: 64.191.95.139 search.msn.co.in

O1 - Hosts: 64.191.95.139 search.msn.co.jp

O1 - Hosts: 64.191.95.139 search.msn.co.kr

O1 - Hosts: 64.191.95.139 search.msn.com.br

O1 - Hosts: 64.191.95.139 search.msn.com.hk

O1 - Hosts: 64.191.95.139 search.msn.com.my

O1 - Hosts: 64.191.95.139 search.msn.com.sg

O1 - Hosts: 64.191.95.139 search.msn.com.tw

O1 - Hosts: 64.191.95.139 search.msn.co.za

O1 - Hosts: 64.191.95.139 search.msn.de

O1 - Hosts: 64.191.95.139 search.msn.dk

O1 - Hosts: 64.191.95.139 search.msn.es

O1 - Hosts: 64.191.95.139 search.msn.fi

O1 - Hosts: 64.191.95.139 search.msn.fr

O1 - Hosts: 64.191.95.139 search.msn.it

O1 - Hosts: 64.191.95.139 search.msn.nl

O1 - Hosts: 64.191.95.139 search.msn.no

O1 - Hosts: 64.191.95.139 search.msn.se

O1 - Hosts: 64.191.95.139 search.ninemsn.com.au

O1 - Hosts: 64.191.95.139 search.t1msn.com.mx

O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz

O1 - Hosts: 64.191.95.139 search.yupimsn.com

O1 - Hosts: 64.191.95.139 uk.search.msn.com

O1 - Hosts: 64.191.95.139 search.lycos.com

O1 - Hosts: 64.191.95.139 www.lycos.com

O1 - Hosts: 64.191.95.139 www.google.ca

O1 - Hosts: 64.191.95.139 google.ca

O1 - Hosts: 64.191.95.139 www.google.uk

O1 - Hosts: 64.191.95.139 www.google.co.uk

O1 - Hosts: 64.191.95.139 www.google.com.au

O1 - Hosts: 64.191.95.139 www.google.co.jp

O1 - Hosts: 64.191.95.139 www.google.jp

O1 - Hosts: 64.191.95.139 www.google.at

O1 - Hosts: 64.191.95.139 www.google.be

O1 - Hosts: 64.191.95.139 www.google.ch

O1 - Hosts: 64.191.95.139 www.google.de

O1 - Hosts: 64.191.95.139 www.google.dk

O1 - Hosts: 64.191.95.139 www.google.fi

O1 - Hosts: 64.191.95.139 www.google.fr

O1 - Hosts: 64.191.95.139 www.google.com.gr

O1 - Hosts: 64.191.95.139 www.google.com.hk

O1 - Hosts: 64.191.95.139 www.google.ie

O1 - Hosts: 64.191.95.139 www.google.co.il

O1 - Hosts: 64.191.95.139 www.google.it

O1 - Hosts: 64.191.95.139 www.google.co.kr

O1 - Hosts: 64.191.95.139 www.google.com.mx

O1 - Hosts: 64.191.95.139 www.google.nl

O1 - Hosts: 64.191.95.139 www.google.co.nz

O1 - Hosts: 64.191.95.139 www.google.pl

O1 - Hosts: 64.191.95.139 www.google.pt

O1 - Hosts: 64.191.95.139 www.google.com.ru

O1 - Hosts: 64.191.95.139 www.google.com.sg

O1 - Hosts: 64.191.95.139 www.google.co.th

O1 - Hosts: 64.191.95.139 www.google.com.tr

O1 - Hosts: 64.191.95.139 www.google.com.tw

O1 - Hosts: 64.191.95.139 google.at

O1 - Hosts: 64.191.95.139 google.be

O1 - Hosts: 64.191.95.139 google.de

O1 - Hosts: 64.191.95.139 google.dk

O1 - Hosts: 64.191.95.139 google.fi

O1 - Hosts: 64.191.95.139 google.fr

O1 - Hosts: 64.191.95.139 google.com.hk

O1 - Hosts: 64.191.95.139 google.ie

O1 - Hosts: 64.191.95.139 google.co.il

O1 - Hosts: 64.191.95.139 google.it

O1 - Hosts: 64.191.95.139 google.co.kr

O1 - Hosts: 64.191.95.139 google.com.mx

O1 - Hosts: 64.191.95.139 google.nl

O1 - Hosts: 64.191.95.139 google.co.nz

O1 - Hosts: 64.191.95.139 google.pl

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [DirectX64] C:\WINDOWS\System32\DirectXset.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\03819385.EXE

O9 - Extra button: MktBrowser (HKLM)

O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://spweb.whenu.com/WUInstSYNC.cab

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search...rchsettings.cab


This last O17 entry resolves to visuallink.com. If this is not your Internet Service Provider, then please fix as well.

O17 - HKLM\System\CCS\Services\Tcpip\..\{F7AF78DE-0623-4360-8A32-0973D4C87216}: NameServer = 206.151.68.1

The RED entry relates to the Steph.A worm, so please reboot after fixing all of the above and go here to run an online virus scan, deleting all it finds.

Then could you delete the bolded folder...

C:\Program Files\ISTsvc

Once that is all done please reboot and download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

Now press Settings, and Settings again. Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

Then if you could reboot once more (sorry about all the rebooting but this is necessary in order for Windows to update its settings after each stage, especially for the removal of those O10 entries which are becoming more evasive) :) and post a new HJT! log, just for a final once over.

Once all this is done, it only remains for you to reset the default web settings for IE. To do this please go to Start | Settings | Control Panel | Internet Options, click on the Programs tab, then click the Reset Web Settings button. You can then, of course, choose your desired home page as normal.

Cheers

Liam
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
OK... followed all the directions you gave me; that new.net is the only thing that keeps popping up. When I run Spybot, it says that it may be fixed upon startup, so I ran the Spybot program when I rebooted, and it still won't get rid of new.net.
Here's the log:
Logfile of HijackThis v1.97.2
Scan saved at 12:27:53 PM, on 9/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [1:] c:\hp\bin\hpdrv.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
 
Joined
Jun 19, 2003
Messages
1,241
Hi ddyperez,

Re: the new.net entries. We've had a couple of problems in the last day or two with new.net and its removal. It may be a new variant that is more difficult to remove.

Could you switch off the computer and leave it for about 5 minutes before switching back on. Then if you could switch it back on, and run spybot. Next switch off again for a few minutes, and upon rebooting spybot should finish the job of cleaning new.net up.

If this doesn't work let me know, and I'll ask one of the security experts here to see if they have any new info on this problem.. :)

Cheers

Liam
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
OK, shut down for five minutes, tried to clean it again, then shut down for five more. Same thing... although I can't find it in Add or Remove Programs, I did find it in Explorer. What about deleting the file manually from Explorer? Any other suggestions?
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Try the latest version of Ad-Aware; that seems to get rid of this new version of New.net.

download AdAware 6 181
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

Go to Settings (the gear on top of Ad-Aware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning"... then... "Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot".

then...... click "proceed" to save your settings.

Now to scan it's just a matter of clicking the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.
 
Joined
Jun 19, 2003
Messages
1,241
Cheers Derek, (y) :)

This latest one seems more sticky than ever. Putasolution was stuck with it a day or two ago. And it seems to be travelling fast. There are another couple of logs that have just been posted, with new.net in tow. (So I've C&Pd your Adaware info, as I never got around to it before) :D

Cheers

Liam
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Hi Liam

I hope it works

As quickly as the Ad-Aware & Spybot programmers come up with a solution, the scum change the rules and make the removal even more difficult.

Ad-Aware seem to be keeping on top of it now though, and using a combination of the manual removal, Ad-Aware & Spybot should work.
 
Joined
Jun 19, 2003
Messages
1,241
Hi Derek,

That's the problem with any heuristic (I think that's the right word) :) remedy, generally it involves bolting the gate and losing the horse.. :D

Still, at least we're making the ****************s (pick your own expletive) work hard to try to stay one step ahead of Lavasoft and Kolla. They may get bored with it eventually, but somehow... I doubt it.

Cheers

Liam
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
OK, tried the Ad-Aware, ran a full scan after adjusting the settings as suggested, then ran the Spybot again; it still detected new.net.
I can't delete it from Explorer; it says access is denied or portions of the program are currently in use.


What now?
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
OK, you are running XP so the next thing to try is starting in safe mode, by pressing F8 on boot up and following the prompts.

Then try to uninstall through Add/Remove Programs in Control Panel.

None of the New.net entries should be running in safe mode, so they should be able to be deleted easily.

Then, still in safe mode, run a new HijackThis scan and delete all references to new.net.

Make sure you delete the entire new.net folder.

Reboot normally and post a new log and let's see if that works.
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
New.net isn't in my Add/Remove Programs, but I will try your suggestions in safe mode...

BRB
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
Tried to delete it in safe mode, and still got the same error message, believe it or not. Won't let me delete it; says it's currently in use, even in safe mode.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Download & run Process Explorer from http://www.sysinternals.com/

Use it to stop all instances of new.net running, then delete the files & the folder.
 

ddyperez

Thread Starter
Joined
Sep 22, 2003
Messages
11
OK, downloaded it and ran it. Searched for New.Net, found it on the bottom screen and the top screen. I assume that this program tells you what program is being run from what files. I suspended the program, assuming that this would keep New.net from being active, then went to try to delete it. No dice. Then I went back and killed it. (I really hope I didn't screw something up, I'm a little out of my league at this point.) After killing it, I went back and searched for it, and nothing came up. But when I went back to Explorer to check, it's still there, and still won't delete from my Explorer...

Next?
 