Log review

Discussion in 'adware, spyware & hijack cleaning' started by ..MK.., Jan 10, 2004.

Thread Status:
Not open for further replies.
  1. ..MK..

    ..MK.. Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    4
    I've already written this out but it was in someone elses post so i thought i would create a new topic just to be sure.

    Could someone please check my log?
    I used ad aware to scan my computer and the problem I have been having is whenever i try and go to a search engine it always redirects me to some smartsearch page.

    here's my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:44:04 AM, on 11/01/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DelFin\PromulGate\PgMonitr.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Open Site\opnste.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Windows\explore.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\navpmc\navpmc.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {014b85a7-512e-45f4-ab97-cdc2e51eaefe} - C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

    Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

    5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
    O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\navpmc\4b_1,0,0,5_navpmc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: ackfrfrfjdr - {561c3d42-3034-486a-b8f4-dac961b1a5ce} -

    C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nopop.exe] C:\Program Files\Blazing Logic\NoPop!\nopop.exe
    O4 - HKLM\..\Run: [updater] C:\WINDOWS\Update-Nopop.exe
    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [cmchth] C:\DOCUME~1\Bob\APPLIC~1\qegckfrc.exe -QuieT
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [SystemEmergency] C:\Windows\explore.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [KnightSpy] c:\program files\metal knights\knightspy.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDHTML_1026.dll,InstantAccess
    O4 - HKCU\..\Run: [cpntmgc] C:\WINDOWS\navpmc\navpmc.exe
    O4 - HKCU\..\Run: [SystemEmergency] C:\Windows\explore.exe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=
    O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -

    http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

    http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

    http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) -

    http://www.armbender.com/UCSearch.CAB
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -

    http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} -

    http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

    http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) -

    http://tl-chat.moneysaver.com.au:4080/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) -

    http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

    http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

    http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} -

    http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -

    http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} -

    http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FF9B4E-FBD6-4542-A236-70B60663FAEB}: NameServer = 202.67.64.150

    thanks again.
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    In order to prevent duplicated efforts relating to your duplicate postings you other was split from the other thread and removed. I am starting to analyze your log now and will post recommendations shortly ;)

    [late edit - almost forgot...

    Welcome to Wilders! :D ]
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    First can you please use taskmgr to close out these processes

    C:\Program Files\DelFin\PromulGate\PgMonitr.exe
    C:\Program Files\Open Site\opnste.exe
    C:\Windows\explore.exe

    [ note- it is explore.exe that we need to terminate and not the legitimate explorer.exe ]

    Then close out of all applications/windows and select and fix the following

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {014b85a7-512e-45f4-ab97-cdc2e51eaefe} - C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
    O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
    O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
    O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - C:\WINDOWS\navpmc\4b_1,0,0,5_navpmc.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: ackfrfrfjdr - {561c3d42-3034-486a-b8f4-dac961b1a5ce} -
    C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll
    O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
    O4 - HKLM\..\Run: [cmchth] C:\DOCUME~1\Bob\APPLIC~1\qegckfrc.exe -QuieT
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [SystemEmergency] C:\Windows\explore.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDHTML_1026.dll,InstantAccess
    O4 - HKCU\..\Run: [cpntmgc] C:\WINDOWS\navpmc\navpmc.exe
    O4 - HKCU\..\Run: [SystemEmergency] C:\Windows\explore.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) -
    http://www.armbender.com/UCSearch.CAB
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} -
    http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} -
    http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} -
    http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB

    After a reboot ... rescan with Hijackthis and repost a fresh log in this thread for another review

    Also, you should note that you were infested with a trojan. See the link below

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.simcss.html

    As this trojan will attempt to disable your AV (if you have one) you should consider your AV install suspect. You might want to do an online virus scan such as Panda's ActiveScan

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    You should also download and install a good AntiTrojan such as TDS-3, the demo of which you can obtain here

    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

    Once you have it installed and before you launch it you should download the latest definitions database from the same URL and copy it into the directory you installed TDS (and overwrite the older database file). Once you open TDS you should set all sensitivity settings to maximum and do a scan of your local drive(s)

    Regards,

    Dan
     
  4. ..MK..

    ..MK.. Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    4
    Here is the log after I rescanned my computer.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:07:56 PM, on 11/01/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: ackfrfrfjdr - {561c3d42-3034-486a-b8f4-dac961b1a5ce} - C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nopop.exe] C:\Program Files\Blazing Logic\NoPop!\nopop.exe
    O4 - HKLM\..\Run: [updater] C:\WINDOWS\Update-Nopop.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [KnightSpy] c:\program files\metal knights\knightspy.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=
    O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tl-chat.moneysaver.com.au:4080/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FF9B4E-FBD6-4542-A236-70B60663FAEB}: NameServer = 202.67.64.150

    Is that good?
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Well it is better :doubt:

    many of the items we wanted removed still appear there.

    First, can you look into c:\Program Files\NewDotNet and see if there is an uninstaller there? If so run it and reboot, if not look in Control Panel -> Add/Remove Programs and see if you can remove it from there and reboot.

    Then with all other programs or windows closed please select and fix the following

    O3 - Toolbar: ackfrfrfjdr - {561c3d42-3034-486a-b8f4-dac961b1a5ce} - C:\DOCUME~1\Bob\APPLIC~1\eethvblmchcr.dll (file missing)

    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=

    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://216.65.38.226/crack.CAB


    Then do a reboot and scan again and post a fresh log to see if there are any remaining dregs :)
     
  6. ..MK..

    ..MK.. Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    4
    thanks again. I did the panda active scan and it came up with two infected files which the pandascan disinfected. Also here is the new log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:06:17 PM, on 11/01/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Program Files\GetRight\GETRIGHT.EXE
    C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nopop.exe] C:\Program Files\Blazing Logic\NoPop!\nopop.exe
    O4 - HKLM\..\Run: [updater] C:\WINDOWS\Update-Nopop.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [KnightSpy] c:\program files\metal knights\knightspy.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.telstra.com/java/cr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tl-chat.moneysaver.com.au:4080/chat/data/html/user/msie/msichat.ocx
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FF9B4E-FBD6-4542-A236-70B60663FAEB}: NameServer = 202.67.64.150

    cheers
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi all,

    It's best to uninstall new.dot via the add/remove programs list in control panel. Their uninstaller works best, otherwise it's not completely cleaned and it will re-appear.

    Also I'ld fix this :

    O4 - HKLM\..\Run: [updater] C:\WINDOWS\Update-Nopop.exe

    It's a dubious so called popup-stopper, but actually it's from a company spamming adds themselves ;) + bother you with pay us 25$ popup windows whenever you surf...

    Well, at the end , the choice is yours of course MK :)

    Aah, forgot to add a hyperlink with some more info :

    NoPop! , scroll down, almost 'till the bottom of the page.


    Cheers,
     
  8. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    To add to Unzy's advice:

    http://www.newdotnet.com/#remove has the uninstall procedures for newdotnet. If it is uninstalled incorrectly it could stop your Internet access from working.

    Also, you should install Windows Service Pack 1 and all Critical Updates.
    In IE go to Tools then Windows Update and install each patch one by one rebooting when necessary.

    Read the link below to have a safer Internet experience in 2004.
    I recommend IE-SPYAD and SpywareBlaster available in these links.

    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD
    http://www.javacoolsoftware.com/spywareblaster.html
     
  9. ..MK..

    ..MK.. Registered Member

    Joined:
    Jan 10, 2004
    Posts:
    4
    thanks everyone for the help in being rid of smartsearch. My computer is running fine now. ;)
     
Thread Status:
Not open for further replies.