System files infected

Discussion in 'adware, spyware & hijack cleaning' started by Devin84, Feb 14, 2004.

Thread Status:
Not open for further replies.
  1. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    I need your help. These files got infected:


    C:\WINDOWS\sys_ext.dll - Win32/StartPage.BX trojan

    C:\WINDOWS\SYSTEM32\__sys.exe - Win32/Apsiv.A worm

    C:\WINDOWS\SYSTEM32\xplugin.dll - Win32/TrojanDownloader.Esepor.F trojan

    NOD32 can't clean them, what should I do, I can't delete them they are important files. If I delete them my Windows XP stops working. What should I do?

    Thanx in advance!
     
  2. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Have you tried a restore to before infection?
     
  3. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    ps can't find any of the named files on my system
     
  4. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    You mean reinstall WinXP?
    There got to be another way.
     
  5. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Restart in Safe mode and then run NOD32 scanner. Delete all infected files if NOD can't cure this files!

    izi
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    No system resore to point before infection
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Failing that launch msconfig and restore files from insallation disc using:-
    general tab and expand file button then follow the dialogs
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    looks like my "t" key has gone sticky!!
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Devin,

    In case the above mentioned won't work, please follow this advice and after that post over on the forum mentioned.

    regards.

    paul
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Those files are allassociated with a cWS hijack so

    CWshredder from http://www.merijn.org/cwschronicles.html
    or http://www.wilderssecurity.com/attachments/CWShredder1481.zip
    Run CWSHREDDER, check you have the current version, press check for update and let it update
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
    the patches are :
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
    *Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"
     
  11. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Thanx for the advice guys but these files are still infected:

    File C:\WINDOWS\sys_ext.dll is infected with trojan Win32/StartPage.BX. NOD32 cannot clean this infiltration.

    File C:\WINDOWS\SYSTEM32\__sys.exe is infected with worm Win32/Apsiv.A. NOD32 cannot clean this infiltration.

    I strongly believe that sys_ext.dll & __sys.exe are of much importance, other ways?
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    They are not genuine windows fuiles and need to be deleted

    they are the actual trojan virus file and NOD cannot clean them, because they aren't a genuine file with an infection. NOD should be able to delete them though

    but as well as deleting the files youi need to delete their associated registry entries so do as paul suggested and post a hijackthis log so we can see and advise
    go to http://www.merijn.org/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please post its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    if merijn.org is still down due to the ddos attack then a copy of HJT is available from http://www.wilderssecurity.com/attachments/hijackthis1977.zip
     
  13. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Ok i did what you said: I deleted the two files and finished scanning with HijackThis.exe here's the Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:37:44, on 2004-02-15
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Messenger Plus! 2\MsgPlus.exe
    C:\Program\Interactive Agents\ActivePlus.exe
    C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    C:\Program\Eset\nod32kui.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\TransText\TransText.exe
    C:\Program\DV Series\Console\Watch.exe
    C:\Program\Eset\nod32krn.exe
    C:\Program\Cleaner\tca.exe
    C:\Program\Cleaner\tcm.exe
    D:\Program2\MYIE2\MyIE.exe
    C:\Program\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Devin\Skrivbord\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tradera.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet5_64.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program2\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {56381348-3352-468b-ad11-1f02943c5ffc} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: hidrdrwcnqn - {fba654e2-c81e-4f50-a699-d208dac3977c} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MOD] C:\Program\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ActivePlus] "C:\Program\Interactive Agents\ActivePlus.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [tcactive] C:\Program\Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program\Cleaner\tcm.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: TransText.lnk = C:\Program\TransText\TransText.exe
    O4 - Global Startup: Watch.lnk = C:\Program\DV Series\Console\Watch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://207.142.8.119:1995/talk.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.2790162037
    O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3048380F-7F70-4A58-9444-5F6A4579870F}: NameServer = 212.185.54.2,212.181.54.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D1D36C-87A3-4E0C-86E8-946B8C917557}: NameServer = 212.181.54.2,212.181.54.3
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You have a couple of other problems as well to fix, first uninstall new.net by following instructions on this page http://www.newdotnet.com#remove
    then reboot
    then
    Run hijackthis, tick these entries listed below and ONLY these entries, if they still remain, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet5_64.dll
    O2 - BHO: (no name) - {56381348-3352-468b-ad11-1f02943c5ffc} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: hidrdrwcnqn - {fba654e2-c81e-4f50-a699-d208dac3977c} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

    O10 - Hijacked Internet access by New.Net

    O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://207.142.8.119:1995/talk.cab

    O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    NONE

    and Delete these folders
    C:\Program\NewDotNet\

    then
    Reboot normally and post a new log

    I expect that this thread will be moved as it isn't a NOD problem
     
  15. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Should I check it now, isn't it more secure?
    However I did the things you wrote down and I'm thanfull for your help. I 99% sure that NewDotNet is gone now btw is it a spyware?

    Here is my second Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:31:20, on 2004-02-15
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Messenger Plus! 2\MsgPlus.exe
    C:\Program\Interactive Agents\ActivePlus.exe
    C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    C:\Program\Eset\nod32kui.exe
    C:\Program\TransText\TransText.exe
    C:\Program\DV Series\Console\Watch.exe
    C:\Program\Eset\nod32krn.exe
    D:\Program2\MYIE2\MyIE.exe
    C:\Documents and Settings\Devin\Skrivbord\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tradera.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program2\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MOD] C:\Program\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ActivePlus] "C:\Program\Interactive Agents\ActivePlus.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program\ATI Technologies\HydraVision\HydraDM.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: TransText.lnk = C:\Program\TransText\TransText.exe
    O4 - Global Startup: Watch.lnk = C:\Program\DV Series\Console\Watch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.2790162037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3048380F-7F70-4A58-9444-5F6A4579870F}: NameServer = 212.185.54.2,212.181.54.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55D1D36C-87A3-4E0C-86E8-946B8C917557}: NameServer = 212.181.54.2,212.181.54.3


    Oh yeah should I delete the backup files that Hijacker saved?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Devin84,

    Your log is clean now.
    Hold on to the backups, until you are sure everything is working as it should.

    Regards,

    Pieter
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    read these pages about newdotnet
    http://www.doxdesk.com/parasite/NewDotNet.html

    http://cexx.org/newnet.htm

    it is one of the most problematical spywares around

    If you want to revert your settings back to hide protected operating system files and hide hidden files and folders go ahead

    but remember if you get problems how to expose them again to fix any problems

    You do need to update your version of windows XP plain has many serious security and other faults and you really need to download and install SP1 from the windows update site, many of the latest security patches insist on SP1 being installed


    Now you are clear this will help to keep it that way

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 for Xp
    or here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 for ME

    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

    go here http://forums.net-integration.net/index.php?showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

    The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.
    It also contains links for IE-SPYAD that puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    And links to a browser & security test site to test for exploits that might let these baddies in to your computer

    Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
     
  18. Devin84

    Devin84 Registered Member

    Joined:
    Feb 14, 2004
    Posts:
    49
    Thank you all, and most of all for the valuable information dvk01, you have saved me a lot of work!
     
Thread Status:
Not open for further replies.