
Spyware Removal

Discussion in 'Virus & Other Malware Removal' started by airbag21, Oct 6, 2003.

  1. airbag21

    airbag21 Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    31
    I am trying to remove all the spyware my PC has on it but I have been unsuccessful in removing everything. Here is a log of my files from Hijackthis. I have also attached a copy of the text file with all of this if it's easier to look at. Could you please let me know what I should remove. Thank you so much!

    Logfile of HijackThis v1.97.2
    Scan saved at 8:50:06 PM, on 10/6/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\rundll16.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Documents and Settings\Patrick\Application Data\urod.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Rcij.exe
    C:\WINDOWS\System32\Szw2E5.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Documents and Settings\Patrick\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
    F2 - REG:system.ini: Shell=explorer.exe
    O1 - Hosts: indows.
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v2\scbar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
    O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - C:\WINDOWS\rem00001.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {392BE62B-E7DE-430A-8859-0AFE677DE6E1} - C:\WINDOWS\bs2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {7788959D-B5AA-4223-BC99-E84C65856637} - C:\WINDOWS\System32\athrace.dll
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
    O2 - BHO: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: NewtonKnows - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [BookedSpace] RunDLL32.EXE C:\WINDOWS\bs2.dll,DllRun
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [NewtonKnowsUpd] C:\Program Files\Newton Knows\NewtnTra.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
    O4 - HKCU\..\Run: [Worm Detector] C:\Program Files\Worm Detector 3\Wd.exe tray
    O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Patrick\Application Data\urod.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Acronym - C:\Program Files\Newton Knows\fnAcronym.htm
    O8 - Extra context menu item: &Dictionary - C:\Program Files\Newton Knows\fnDictionary.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Thesaurus - C:\Program Files\Newton Knows\fnThesaurus.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Radio Free Virgin Player (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR28102/turbo.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    airbag21

    Welcome to TSG!

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com...sm&sstring=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com...sm&sstring=

    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll

    F2 - REG:system.ini: Shell=explorer.exe

    O1 - Hosts: indows.

    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v2\scbar.dll

    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll

    O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - C:\WINDOWS\rem00001.dll

    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

    O2 - BHO: (no name) - {392BE62B-E7DE-430A-8859-0AFE677DE6E1} - C:\WINDOWS\bs2.dll

    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

    O2 - BHO: (no name) - {7788959D-B5AA-4223-BC99-E84C65856637} - C:\WINDOWS\System32\athrace.dll

    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll

    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll

    O2 - BHO: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)

    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

    O3 - Toolbar: NewtonKnows - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)

    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [BookedSpace] RunDLL32.EXE C:\WINDOWS\bs2.dll,DllRun

    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain

    O4 - HKLM\..\Run: [NewtonKnowsUpd] C:\Program Files\Newton Knows\NewtnTra.exe

    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe

    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe

    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...28102/turbo.cab

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete the following files and folders:

    The C:\Program Files\ClearSearch folder
    The C:\WINDOWS\uptodate.exe file
    The C:\WINDOWS\rundll16.exe file
    The C:\WINDOWS\System32\Vju9.exe file
    The C:\Documents and Settings\Patrick\ApplicationData\urod.exe file
    The C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe file

    Go here http://housecall.trendmicro.com/ and do an online virus scan.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
    After getting the latest referencefiles you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
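
A first-pass triage of the kind of HijackThis entries discussed above, as an added Python example that is not part of the original thread or of HijackThis itself: it parses the section codes (O2, O3, O4) and applies a few structural checks. The checks, the `KNOWN_SYSTEM` list and the 0.8 similarity threshold are assumptions chosen for illustration; the sample lines are copied from the log posted in this thread.

```python
import ntpath
import re
from collections import namedtuple
from difflib import SequenceMatcher

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: NewtonKnows - {E9407738-A996-421A-A309-5C93C699E10A} - c:\program files\newton knows\ntoolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BookedSpace] RunDLL32.EXE C:\WINDOWS\bs2.dll,DllRun
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Patrick\Application Data\urod.exe
"""

Finding = namedtuple("Finding", "code entry reasons")

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in .exe/.dll; for rundll32 lines this is the DLL.
FILE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Assumed heuristic inputs (illustrative; not taken from HijackThis or the thread).
KNOWN_SYSTEM = ("rundll32.exe", "svchost.exe", "explorer.exe",
                "winlogon.exe", "services.exe", "lsass.exe")
USER_WRITABLE = ("\\application data", "\\local settings\\temp")
LOOKALIKE_RATIO = 0.8


def lookalike(name):
    """Return the system binary that `name` closely imitates, or None."""
    if name in KNOWN_SYSTEM:
        return None
    for known in KNOWN_SYSTEM:
        if SequenceMatcher(None, name, known).ratio() >= LOOKALIKE_RATIO:
            return known
    return None


def triage(line):
    """Parse one log line; return a Finding, or None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    if code in ("O2", "O3"):  # Browser Helper Objects and IE toolbars
        if body.endswith(("(no file)", "(file missing)")):
            reasons.append("orphaned registration")
        if NULL_CLSID in body:
            reasons.append("null CLSID")
    elif code == "O4":  # autostart entries (Run keys)
        command = body.split("] ", 1)[-1]  # drop the "[value name]" prefix
        target = FILE_PATH.search(command)
        if target:
            directory, name = ntpath.split(target.group(0).lower())
            if directory == r"c:\windows":
                reasons.append("binary in Windows root")
            if any(part in directory for part in USER_WRITABLE):
                reasons.append("autostart from user-writable profile path")
            imitated = lookalike(name)
            if imitated:
                reasons.append("name resembles " + imitated)
    return Finding(code, body, reasons)


def triage_log(text):
    """Return only the entries that tripped at least one heuristic."""
    findings = [triage(line) for line in text.splitlines()]
    return [f for f in findings if f and f.reasons]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.code, "|", "; ".join(f.reasons), "|", f.entry)
```

Entries it leaves unflagged, such as the R1 search-page values, still need the line-by-line manual review shown in the reply above.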
     
  3. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    If you are going to remove New Dot Net use Control Panel | Add/Remove Programs
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    For help with Ad-Aware, please read this link: http://forums.techguy.org/t164245/s.html

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,169
    First Name:
    Derek
  6. airbag21

    airbag21 Thread Starter

    Joined:
    Oct 6, 2003
    Messages:
    31
    flrman1, I appreciate everything you have done to help me! You are the greatest! Everything has gone smoothly except for the following files that I am unable to remove:

    10-10-2003 8:30:12 PM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 10-11-2003 12:13:08 AM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:13 AM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:13 AM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:13 AM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:14 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:14 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:15 AM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:8 [cisvc.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:13:16 AM
    BasePriority : Normal
    FileSize : 5 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Content Index service
    InternalName : cisvc.exe
    OriginalFilename : cisvc.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:9 [mcvsrte.exe]
    FilePath : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 10-11-2003 12:13:16 AM
    BasePriority : Normal
    FileSize : 100 KB
    FileVersion : 4, 4, 0, 35
    ProductVersion : 4, 4, 0, 20
    Copyright : Copyright
    CompanyName : Networks Associates Technology, Inc
    FileDescription : McAfee VirusScan Online Realtime Engine
    InternalName : mcvsrte
    OriginalFilename : mcvsrte.exe
    ProductName : McAfee VirusScan Online
    Created on : 9/22/2003 9:31:16 PM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 3/21/2003 4:51:52 PM

    #:10 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:16 AM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 6.13.10.4238
    ProductVersion : 6.13.10.4238
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 42.38
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 42.38
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 3/14/2003 7:59:00 PM

    #:11 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:16 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:12 [mcshield.exe]
    FilePath : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 10-11-2003 12:13:17 AM
    BasePriority : High
    FileSize : 220 KB
    Created on : 9/22/2003 9:31:11 PM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 3/13/2002 12:50:34 PM

    #:13 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 10-11-2003 12:13:20 AM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:18:35 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:14 [dsentry.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:20 AM
    BasePriority : Normal
    FileSize : 28 KB
    FileVersion : 1, 0, 2, 0
    ProductVersion : 1, 0, 2, 0
    Copyright : Copyright
    CompanyName : Dell - Advanced Desktop Engineering
    FileDescription : DVDSentry
    InternalName : DVDSentry
    OriginalFilename : DSentry.exe
    ProductName : Dell - DVDSentry
    Created on : 8/14/2002 11:22:52 PM
    Last accessed : 10/11/2003 12:13:20 AM
    Last modified : 8/14/2002 11:22:52 PM

    #:15 [mcagent.exe]
    FilePath : C:\PROGRA~1\mcafee.com\agent\
    ThreadCreationTime : 10-11-2003 12:13:20 AM
    BasePriority : Normal
    FileSize : 196 KB
    FileVersion : 4, 2, 0, 8
    ProductVersion : 4, 2, 0, 0
    Copyright : Copyright
    CompanyName : Networks Associates Technology, Inc
    FileDescription : McAfee SecurityCenter Agent
    InternalName : mcagent
    OriginalFilename : mcagent.exe
    ProductName : McAfee SecurityCenter
    Created on : 9/22/2003 9:30:56 PM
    Last accessed : 10/11/2003 12:18:42 AM
    Last modified : 3/18/2003 5:53:52 PM

    #:16 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 5.3.4.21
    ProductVersion : 5.3.4.21
    Copyright : Copyright (c) 2001,2002, Roxio, Inc.
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    OriginalFilename : Directcd.exe
    ProductName : DirectCD
    Created on : 12/17/2002 5:28:00 PM
    Last accessed : 10/11/2003 12:13:21 AM
    Last modified : 12/17/2002 5:28:00 PM

    #:17 [mcvsshld.exe]
    FilePath : C:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 156 KB
    FileVersion : 4, 4, 0, 35
    ProductVersion : 4, 4, 0, 20
    Copyright : Copyright
    CompanyName : Networks Associates Technology, Inc
    FileDescription : McAfee ActiveShield
    InternalName : msvcshld
    OriginalFilename : mcvsshld.exe
    ProductName : McAfee VirusScan Online
    Created on : 9/22/2003 9:31:16 PM
    Last accessed : 10/11/2003 12:18:43 AM
    Last modified : 3/21/2003 4:52:12 PM

    #:18 [support.exe]
    FilePath : C:\Program Files\Common Files\Dell\EUSW\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 240 KB
    FileVersion : 2, 0, 0, 33
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright
    CompanyName : Dell
    FileDescription : Support
    InternalName : Support
    OriginalFilename : Support.exe
    ProductName : Dell Support
    Created on : 12/13/2002 9:05:08 PM
    Last accessed : 10/11/2003 12:13:21 AM
    Last modified : 5/15/2003 7:22:36 PM

    #:19 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.0.2
    ProductVersion : QuickTime 6.0.2
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    OriginalFilename : QTTask.exe
    ProductName : QuickTime
    Created on : 7/16/2003 1:01:30 AM
    Last accessed : 10/11/2003 12:13:21 AM
    Last modified : 7/16/2003 1:01:30 AM

    #:20 [rundll32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:18:39 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:21 [psfree.exe]
    FilePath : C:\PROGRA~1\PANICW~1\POP-UP~1\
    ThreadCreationTime : 10-11-2003 12:13:21 AM
    BasePriority : Normal
    FileSize : 512 KB
    FileVersion : 3, 1, 0, 1010
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright (C) 2002-2003
    CompanyName : Panicware, Inc.
    FileDescription : Pop-Up Stopper Free Edition
    InternalName : Pop-Up Stopper Free Edition
    OriginalFilename : PSFree.exe
    ProductName : Pop-Up Stopper Free Edition
    Created on : 7/12/2003 4:10:11 PM
    Last accessed : 10/11/2003 12:13:21 AM
    Last modified : 4/29/2003 2:40:10 PM

    #:22 [szw2e5.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:28 AM
    BasePriority : Normal
    FileSize : 216 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : Kern32
    OriginalFilename : Kern32.exe
    ProductName : Kern32
    Created on : 10/5/2003 3:41:06 PM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 10/5/2003 3:41:06 PM

    #:23 [szw2e5.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 10-11-2003 12:13:28 AM
    BasePriority : Normal
    FileSize : 216 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : Kern32
    OriginalFilename : Kern32.exe
    ProductName : Kern32
    Created on : 10/5/2003 3:41:06 PM
    Last accessed : 10/11/2003 12:27:56 AM
    Last modified : 10/5/2003 3:41:06 PM

    #:24 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 10-11-2003 12:13:49 AM
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/11/2003 12:13:49 AM
    Last modified : 8/29/2002 10:00:00 AM

    #:25 [cidaemon.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:21:02 AM
    BasePriority : Idle
    FileSize : 8 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Indexing Service filter daemon
    InternalName : cidaemon.exe
    OriginalFilename : cidaemon.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/10/2003 11:34:47 PM
    Last modified : 8/29/2002 10:00:00 AM

    #:26 [cidaemon.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 10-11-2003 12:21:03 AM
    BasePriority : Idle
    FileSize : 8 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Indexing Service filter daemon
    InternalName : cidaemon.exe
    OriginalFilename : cidaemon.exe
    ProductName : Microsoft
    Created on : 8/29/2002 10:00:00 AM
    Last accessed : 10/10/2003 11:34:47 PM
    Last modified : 8/29/2002 10:00:00 AM

    #:27 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 10-11-2003 12:30:07 AM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 10/10/2003 11:50:14 PM
    Last accessed : 10/11/2003 12:30:07 AM
    Last modified : 7/13/2003 2:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    New.Net Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\New.net


    New.Net Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value : New.net Startup


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 2


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    2 entries scanned.
    New objects :0
    Objects found so far: 2




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    New.Net Object recognized!
    Type : Folder
    Object : c:\program files\NewDotNet


    New.Net Object recognized!
    Type : File
    Data : newdotnet5_48.dll
    Object : c:\program files\newdotnet\
    FileSize : 216 KB
    FileVersion : 5, 0, 0, 48
    ProductVersion : 5, 0, 0, 48
    Copyright : Copyright 2000-2002 New.net, Inc.
    CompanyName : New.net, Inc.
    FileDescription : New.net Domains
    InternalName : tldctl2
    OriginalFilename : tldctl2.dll
    ProductName : New.net Domains
    Created on : 10/8/2003 4:01:04 AM
    Last accessed : 10/11/2003 12:29:41 AM
    Last modified : 10/8/2003 4:01:04 AM



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 4


    8:30:45 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:32:484
    Objects scanned :35786
    Objects identified :4
    Objects ignored :0
    New objects :4

    Any chance you could assist me in getting rid of these another way? Thanks again. You are the greatest!!!!!!!!!!!!! I am recommending this site to all my friends.
     
  7. Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You lost me there. What files are you having trouble removing? New.Net? Have you had Adaware remove them?

    When you run Adaware make sure you put a check by all the objects it finds.

    You can set it to automatically check all objects it finds. Go to Settings (The Gear Icon at the top) and click on "Tweak" and under "Cleaning engine" check "Automatically mark all objects in result list"
     
  8. normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    I would recommend that you use Add/Remove Programs to remove New.Net, or see here:
    "New.net has an uninstaller in Add/Remove Programs labeled New.net Domains. I recommend that you use the New.net provided uninstaller prior to using any other method. If you do not find an entry in Add/Remove Programs, please follow the other procedures listed at <http://www.newdotnet.com>. Once you have run one instance of our uninstaller and rebooted, our software should be fully removed.

    Leonard Amabile"
     
  9. $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Mark... or any tech reading this. These are the telltale signs of the peper.a trojan.

    These 2 processes will morph their filenames on every re-boot or H/T scan to keep from being deleted or spotted.
    C:\WINDOWS\System32\Rcij.exe
    C:\WINDOWS\System32\Szw2E5.exe

    The same with this one... The only constant is the "[2LRX2W83X2T3MQ]"
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe
    We spent a couple of days banging our heads against the wall getting rid of this baby, but the best and only really efficient way is the advice Derek posted above.

    Just thought I would give you the heads up on this one.

    ;)
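
The two signals described in the post above (a binary whose on-disk name keeps changing, and a Run value name that stays constant) can be checked mechanically against saved logs. This is an added example, not part of the original thread: the Ad-aware entries are abridged from the log on this page, SCAN_1 is the O4 line quoted above, and SCAN_2 with its file name `Qx7b.exe` is constructed for illustration.

```python
import re

# Process entries copied from the Ad-aware log on this page (abridged).
ADAWARE_LOG = """\
#:23 [szw2e5.exe]
FilePath : C:\\WINDOWS\\System32\\
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32

#:24 [iexplore.exe]
FilePath : C:\\Program Files\\Internet Explorer\\
CompanyName : Microsoft Corporation
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
"""

# SCAN_1 is the O4 line quoted in the post; SCAN_2 is constructed (hypothetical file name).
SCAN_1 = r"O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe"
SCAN_2 = r"O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Qx7b.exe"

def parse_processes(log):
    """Return one dict per '#:N [name]' block, filled from its 'Key : Value' lines."""
    procs = []
    for line in log.splitlines():
        head = re.match(r"\s*#:\d+ \[(.+)\]", line)
        if head:
            procs.append({"Name": head.group(1)})
        elif " : " in line and procs:
            key, value = line.split(" : ", 1)
            procs[-1][key.strip()] = value.strip()
    return procs

def renamed_binaries(procs):
    """Names whose on-disk name differs from the embedded OriginalFilename."""
    return [p["Name"] for p in procs
            if p.get("OriginalFilename")
            and p["OriginalFilename"].lower() != p["Name"].lower()]

def run_entries(scan):
    """Map Run value name -> target path for each HijackThis O4 line."""
    pat = re.compile(r"O4 - (\S+): \[([^\]]+)\] (.+)")
    return {m.group(2): m.group(3).strip()
            for m in map(pat.match, scan.splitlines()) if m}

def morphing_values(old_scan, new_scan):
    """Run value names present in both scans whose target file changed."""
    old, new = run_entries(old_scan), run_entries(new_scan)
    return sorted(k for k in old.keys() & new.keys()
                  if old[k].lower() != new[k].lower())
```

A name mismatch alone is a triage hint, since some legitimate software ships renamed binaries; the stable Run value name pointing at a changing file is the stronger indicator.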
     