Unable to Identify What Spyware to Remove From Computer

Discussion in 'adware, spyware & hijack cleaning' started by scams, Jan 23, 2004.

Thread Status:
Not open for further replies.
  1. scams

    scams Registered Member

    Joined:
    Jan 23, 2004
    Posts:
    32
    A neighbor of mine asked me to look at his computer because it was running very slow and his homepage for IE had changed. He has a Dell Dimension 8200 computer with Windows XP installed. I am not an expert in using computers, but my first look at his computer pretty much convinced me that he had either viruses, trojans, spyware, or all three!! I suggested that he purchase/install NAV 2004 (he had NAV 2002) and Ad-aware 6 (latest version) and he did so the same day. Yesterday, I ran multiple scans with both NAV and Ad-aware and it appears that everything that should be removed was, except New.Net, with one folder in Program Files (NewDotNet), with one file (newdotnet5-48.dll) in this folder, and two registry entries. I ran Ad-aware at least two more times but could not remove these entries. I even tried manually to remove the folder but I was not allowed to (I suspect it was in memory). I then ran the HijackThis program and the results are listed below. In addition to the New.Net entries, there are other entries that I do not recognize. Since I am new at this, I decided not to try and delete any entries in the HijackThis program until I could obtain some assistance. Thanks very much for any help, Sam.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:21:12 PM, on 1/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\ISP50\bin\bartshel.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Kenneth Havel\Desktop\Hijack program\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
    O2 - BHO: (no name) - {42F6BD74-681A-5A08-A862-1032CCECB2AE} - C:\WINDOWS\system32\chfqqgjm.dll
    O2 - BHO: (no name) - {5AD14C1B-BEFB-3E85-BD83-20C6CAD48CFB} - C:\WINDOWS\system32\nvekrxut.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [jmhnbbyr] C:\WINDOWS\asmarqzv.exe
    O4 - HKLM\..\Run: [inmrtbdu] C:\WINDOWS\guowsjus.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [x] C:\WINDOWS\System32\eiwjdv.exe
    O4 - HKLM\..\Run: [o] C:\WINDOWS\System32\usrscy.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.20/ttinst.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi scams,

    Double-click on My Computer.
    Double-click on the C: drive.
    Double-click on the Program Files folder.
    Locate and double-click on the NewDotNet folder.
    Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. (“X” represents the version number of the uninstaller and you should always use the latest version)
    After removal you may be prompted to reboot. Do so.

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {42F6BD74-681A-5A08-A862-1032CCECB2AE} - C:\WINDOWS\system32\chfqqgjm.dll
    O2 - BHO: (no name) - {5AD14C1B-BEFB-3E85-BD83-20C6CAD48CFB} - C:\WINDOWS\system32\nvekrxut.dll (file missing)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O4 - HKLM\..\Run: [jmhnbbyr] C:\WINDOWS\asmarqzv.exe
    O4 - HKLM\..\Run: [inmrtbdu] C:\WINDOWS\guowsjus.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: C:\WINDOWS\System32\eiwjdv.exe
    O4 - HKLM\..\Run: C:\WINDOWS\System32\usrscy.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.20/ttinst.cab

    Add any references to New.Net that are left behind.

    Then reboot and delete:
    C:\WINDOWS\asmarqzv.exe
    C:\WINDOWS\guowsjus.exe
    c:\program files\winfavorites <= entire folder
    C:\WINDOWS\System32\eiwjdv.exe
    C:\WINDOWS\System32\usrscy.exe

    Regards,

    Pieter
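As an added example (not code from this thread, from Pieter, or from HijackThis itself), a small Python triage script that applies the same kinds of checks Pieter made above to HijackThis log lines: unnamed BHOs whose DLL is missing or randomly named, Run entries with an empty or one-character name or a bare directory as target, random-looking names, and O10 New.Net Winsock entries. The "random-looking" test is a heuristic of my own and will produce false positives, so the script only selects candidates for a human to review.

```python
import re

# Excerpt of the HijackThis log posted above, used as this script's sample input.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {42F6BD74-681A-5A08-A862-1032CCECB2AE} - C:\WINDOWS\system32\chfqqgjm.dll
O2 - BHO: (no name) - {5AD14C1B-BEFB-3E85-BD83-20C6CAD48CFB} - C:\WINDOWS\system32\nvekrxut.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jmhnbbyr] C:\WINDOWS\asmarqzv.exe
O4 - HKLM\..\Run: [x] C:\WINDOWS\System32\eiwjdv.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O10 - Hijacked Internet access by New.Net
"""
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]*)\] ?(?P<cmd>.*)$")
VOWELS = set("aeiou")

def looks_random(token):
    """Heuristic (an assumption of this script, not a HijackThis rule): 6+ lowercase
    letters with no vowels or a run of 4+ consonants, as in jmhnbbyr or chfqqgjm."""
    if not (token.isalpha() and token.islower() and len(token) >= 6):
        return False
    run = longest = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or not (set(token) & VOWELS)

def stem(path):  # filename without directory, quotes or extension
    return path.strip('"').split("\\")[-1].split(".")[0]

def classify(line):
    """Return why this log entry deserves a second look, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m and m.group("name") == "(no name)":
        path = m.group("path")
        if "(file missing)" in path or looks_random(stem(path)):
            return "unnamed BHO with missing or random-named DLL"
    m = O4_RE.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        if len(key) <= 1 or cmd.endswith("\\"):
            return "Run entry with empty/one-character name or bare directory target"
        if looks_random(key) or looks_random(stem(cmd)):
            return "Run entry with random-looking name"
    if line.startswith("O10 - Hijacked"):
        return "Winsock LSP hijack (New.Net)"

def triage(log_text):  # (reason, line) pairs for every entry a human should review
    stripped = [l.strip() for l in log_text.splitlines()]
    return [(classify(l), l) for l in stripped if classify(l)]
```

Running `triage(SAMPLE_LOG)` flags the two unnamed BHOs, the three odd Run entries and the New.Net line, and leaves the Norton and NVIDIA entries alone.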
     
  3. scams

    scams Registered Member

    Joined:
    Jan 23, 2004
    Posts:
    32
    Pieter, many thanks for your quick reply! Your help is very much appreciated, Sam
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     