Please help!

Discussion in 'adware, spyware & hijack cleaning' started by novice, May 29, 2004.

Thread Status:
Not open for further replies.
  1. novice

    novice Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    8
    I would appreciate it if someone would review this hijack log. We have been having lots of problems with our computer. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:18:43 PM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\DUMBBE~1\Build Four.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\PROGRA~1\WHENUS~1\Search.exe
    C:\WINDOWS\System32\pjlhc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\System32\Tsa9.exe
    C:\WINDOWS\System32\UkpQFY.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Sheila\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINDOWS\2020Search2.dll (file missing)
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll (file missing)
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Atom user] C:\PROGRA~1\DUMBBE~1\Build Four.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [KP.exe] c:\documents and settings\julie 2\local settings\temp\KP.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [4SJ#8Y745N9X#@] C:\WINDOWS\System32\Yhg5qx6.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [vFnO3Ei] pjlhc.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
    O4 - HKLM\..\Run: [jupkf] C:\WINDOWS\jupkf.exe
    O4 - HKLM\..\Run: [vsrcdyz] C:\WINDOWS\vsrcdyz.exe
    O4 - HKLM\..\Run: [povefin] C:\WINDOWS\povefin.exe
    O4 - HKLM\..\Run: [qfsh] C:\WINDOWS\qfsh.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: BJ Status Monitor S600.lnk = C:\Documents and Settings\Ken\cnmss2v.exe
    O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8148958333
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (ClearStream Accelerator) - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi novice,

    First start with uninstalling new.net from the add/remove programs list in control panel

    After doing so, uninstall the Peper trojan by running this uninstaller (while being online):

    http://www.memorywatcher.com/uninst.exe

    Then have only HijackThis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...et/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

    O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINDOWS\2020Search2.dll (file missing)
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll (file missing)
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [Atom user] C:\PROGRA~1\DUMBBE~1\Build Four.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [KP.exe] c:\documents and settings\julie 2\local settings\temp\KP.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [vFnO3Ei] pjlhc.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
    O4 - HKLM\..\Run: [jupkf] C:\WINDOWS\jupkf.exe
    O4 - HKLM\..\Run: [vsrcdyz] C:\WINDOWS\vsrcdyz.exe
    O4 - HKLM\..\Run: [povefin] C:\WINDOWS\povefin.exe
    O4 - HKLM\..\Run: [qfsh] C:\WINDOWS\qfsh.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (ClearStream Accelerator) - http://www.riversoftware.net/x0ff.cab

    Next make sure all hidden files and folders are set to show: Here's How

    Then restart the PC in Safe Mode: Here's How, and remove (if still present):

    C:\WINDOWS\System32\bridge.dll <- this file
    C:\WINDOWS\System32\a.exe <- this file
    C:\PROGRAM FILES\DUMBBE....\<- this folder, starting with those letters
    C:\WINDOWS\System32\SSUpdate.exe <- this file
    c:\documents and settings\julie 2\local settings\temp\KP.exe <- this file
    C:\WINDOWS\System32\IEHost.exe <- this file
    C:\PROGRAM FILES\WHENUSEARCH\ <- this folder
    C:\WINDOWS\System32\pjlhc.exe <- this file
    C:\Program Files\AutoUpdate\ <- this folder
    C:\WINDOWS\system32\pcs\ <- this folder
    C:\Program Files\Common Files\Dpi\ <- this folder
    C:\Program Files\Common files\updmgr\ <- this folder
    C:\WINDOWS\jupkf.exe <- this file
    C:\WINDOWS\vsrcdyz.exe <- this file
    C:\WINDOWS\povefin.exe <- this file
    C:\WINDOWS\qfsh.exe <- this file
    C:\WINDOWS\System32\msccof.exe <- this file

    Clean temp internet files

    Restart again in normal mode and download this tool :

    http://cexx.org/LSPFix.exe

    Open and checkmark the I know what I'm doing box

    Guide all entries of inetadpt.dll to the remove box

    Click finish

    Hope this helps

    Cheers,
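    The reply above works through the log by hand; the script below is an added example (not part of the thread and not HijackThis code) that flags the same entry classes automatically: R0/R1 search pages on local files or unlisted hosts, orphaned O3 toolbars, O4 Run entries that are unnamed, run from a temp folder, go through rundll32 or are bare filenames, O10 LSP lines, and O16 ActiveX installs. The sample lines are copied from the logs posted in this thread; SAFE_HOSTS is an assumed allowlist for this particular machine.

```python
"""Triage a HijackThis v1.97-style log for the entry classes the thread above
fixes.  Added example, not HijackThis code."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program Files\DashBar\DashBar15.dll (file missing)
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [KP.exe] c:\documents and settings\julie 2\local settings\temp\KP.exe
O4 - HKLM\..\Run: [vFnO3Ei] pjlhc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlist: hosts the machine's owner recognises as their own pages.
SAFE_HOSTS = {"www.comcast.net", "download.macromedia.com"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\temporary internet files\\")
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section (R0, O4, ...)
    reason: str  # why the line was flagged
    line: str    # the original log line


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def check_line(line: str, safe_hosts=SAFE_HOSTS):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # IE start/search pages: a file:// page or an unlisted host is a hijack sign
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if value.lower().startswith("file://"):
            return Finding(kind, "IE search/start page points at a local file", line)
        if value and _host(value) not in safe_hosts:
            return Finding(kind, "IE search/start page on unlisted host " + _host(value), line)
    elif kind == "O3" and any(t in body for t in ("(file missing)", "(no file)", "(no name)")):
        return Finding(kind, "orphaned or unnamed toolbar registration", line)
    elif kind == "O4":
        r = RUN_RE.search(body)
        if r is None:
            return None
        name, cmd = r.group("name"), r.group("cmd")
        # first token of the command: a quoted path, or everything up to the first space
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if not name:
            return Finding(kind, "Run entry with an empty value name", line)
        if any(t in cmd.lower() for t in TEMP_MARKERS):
            return Finding(kind, "Run entry launches from a temp directory", line)
        if exe.lower().startswith("rundll32"):
            return Finding(kind, "Run entry loads a DLL through rundll32; verify the DLL", line)
        if "\\" not in exe:
            return Finding(kind, "Run entry is a bare filename resolved by PATH search", line)
    elif kind == "O10" and ("Unknown file" in body or "Hijacked" in body):
        return Finding(kind, "Winsock LSP entry; remove with an LSP-aware tool, not by hand", line)
    elif kind == "O16":
        codebase = body.rsplit(" - ", 1)[-1].strip()
        if codebase.lower().startswith("file://"):
            return Finding(kind, "ActiveX control installed from a local .cab", line)
        if _host(codebase) not in safe_hosts:
            return Finding(kind, "ActiveX control from unlisted host " + _host(codebase), line)
    return None


def triage(log_text: str, safe_hosts=SAFE_HOSTS):
    """Run check_line over a whole log and return the findings in log order."""
    return [f for f in (check_line(l, safe_hosts) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}: {f.line.strip()}")
```

    Entries that survive the pass (the comcast.net start page, the QuickTime task, the Macromedia .cab) are the ones the helpers left alone; the flagged ones match what they told the poster to fix.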
     
  3. novice

    novice Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    8
    I could not find new.net in control panel's add/remove programs. Here is the new log. If I need to try to run in safe mode again and delete files, how is that done? I figured out how to get to safe mode. Do I then open My Computer and find the files and delete them, or do I run HijackThis again to delete? Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:21:06 AM, on 5/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\AdDestroyer\AdDestroyer.exe
    C:\Program Files\VBouncer\VirtualBouncer.exe
    C:\Documents and Settings\Sheila\Desktop\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchant.com/r=6&s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8148958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi novice,

    Double-click on My Computer.
    Double-click on the C: drive.
    Double-click on the Program Files folder.
    Locate and double-click on the NewDotNet folder.
    Locate and double-click on the uninstall executable; it will be called uninstallX_XX.exe. (“X” represents the version number of the uninstaller)


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchant.com/sp

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchant.com/r=6&s=%s

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
    O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

    O9 - Extra button: Whistle (HKLM)

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

    Then reboot and download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Deleting files is to be done in Explorer, very much like you looked for the NewDotNet uninstaller.

    Regards,

    Pieter
     
  5. novice

    novice Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    8
    When I double-clicked on the NewDotNet folder, there was a single file called newdotnet6_22.dll6.0.0.22new.netdomain. When I tried to open that file I received a message that I was trying to open a file of type application extension (.dll). Editing or modifying could damage your system. In order to open the folder, you need to indicate what to open it with. I did not see an uninstall file within the newdotnet folder. Thanks for any additional help you can offer. I did everything else and here is the log from Vx2.betterinternet.
    Novice

    Files Found---
    C:\WINDOWS\System32\6do4svc.cpy.dll
    C:\WINDOWS\System32\6po4svc.cpy.dll
    C:\WINDOWS\System32\6qo4svc.cpy.dll


    Guardian Key--- is called: GuardianMZGEJ
    Asynchronous 000
    DllName C:\WINDOWS\system32\6qo4svc.cpy.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {BC123C7B-6A13-4750-AC95-1DF03129C97A}
    IDex BWk

    User Agent String---
    {BC123C7B-6A13-4750-AC95-1DF03129C97A}
     
    Last edited: May 30, 2004
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi novice,

    Could you try the uninstall steps for New.Net here:
    http://www.newdotnet.com/#remove

    Then once New.Net is uninstalled successfully, continue with the rest of the instructions Pieter has posted.

    Regards,

    snap
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Might as well tackle Zestyfind straight away. It is a much bigger threat than New.Net.

    Stay off the net until all files are deleted (which is after the second reboot)

    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit > enter and navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianMZGEJ

    (Note : the five letters in caps at the end may have changed [MZGEJ] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
     
  8. novice

    novice Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    8
    Thanks for the help. I think I've done everything. Here is the log from VX2Finder (when I clicked make log, it didn't do anything so I copied what was already on the screen) followed by the Hijack This log. Please let me know if I need to do anything further. Novice

    Files Found---
    C:\WINDOWS\System32\6do4svc.cpy.dll
    C:\WINDOWS\System32\6fo4svc.dll
    C:\WINDOWS\System32\6jo4svc.cpy.dll
    C:\WINDOWS\System32\6po4svc.cpy.dll
    C:\WINDOWS\System32\6qo4svc.cpy.dll
    C:\WINDOWS\System32\6xo4svc.cpy.dll
    C:\WINDOWS\System32\apaamon.dll


    Guardian Key--- is called: GuardianCOVRG
    Asynchronous 000
    DllName C:\WINDOWS\system32\6qo4svc.cpy.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {BC123C7B-6A13-4750-AC95-1DF03129C97A}
    IDex BWk

    User Agent String---
    {BC123C7B-6A13-4750-AC95-1DF03129C97A


    Logfile of HijackThis v1.97.7
    Scan saved at 10:58:30 PM, on 5/31/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\AdDestroyer\AdDestroyer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Sheila\Local Settings\Temporary Internet Files\Content.IE5\LGDTT7RE\VX2Finder[1].exe
    C:\Documents and Settings\Sheila\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8148958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job. Stay off the net until all files are deleted (second reboot).

    Open VX2Finder again and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit > OK and navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianCOVRG

    (Note : the five letters in caps at the end may have changed [COVRG] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here, so we can see if it's all gone.

    Regards,

    Pieter
     