Unable to Identify What Spyware to Remove From Computer

A neighbor of mine asked me to look at his computer because it was running very slow and his homepage for IE had changed. He has a Dell Dimension 8200 computer with windows XP installed. I am not an expert in using computers but my first look at his computer pretty much convinced me that he had either virus, trojans, spyware, or all three!! I suggested that he purchase/install NAV 2004 (he had NAV 2002) and Ad-aware 6 (lastest version) and he did so the same day. Yesterday, I ran mulitiple scans with both NAV and Adaware and it appears that every thing that should be removed was, except New.Net, with one folder in Program files(NewDotNet), with one file (newdotnet5-48.dll) in this folder, and two registry entries. I ran Adaware at least two more times but could remove these entries. I even tried manually to remove the folder but I was not allow to (I suspect it was in memory). I then ran the Hijackthis program and the results are listed below. In addition to the New.Net entries, there are other entries that I do not recognize. Since I am new at this, I decided not to try and delete any entries in the HijackThis program until I could obain some assistance. Thanks very much for any help, Sam.

Logfile of HijackThis v1.97.7
Scan saved at 4:21:12 PM, on 1/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Kenneth Havel\Desktop\Hijack program\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: (no name) - {42F6BD74-681A-5A08-A862-1032CCECB2AE} - C:\WINDOWS\system32\chfqqgjm.dll
O2 - BHO: (no name) - {5AD14C1B-BEFB-3E85-BD83-20C6CAD48CFB} - C:\WINDOWS\system32\nvekrxut.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jmhnbbyr] C:\WINDOWS\asmarqzv.exe
O4 - HKLM\..\Run: [inmrtbdu] C:\WINDOWS\guowsjus.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [x] C:\WINDOWS\System32\eiwjdv.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\System32\usrscy.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.20/ttinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

 

Hi scams,

Double-click on My Computer.
Double-click on the C: drive.
Double-click on the Program Files folder.
Locate and double-click on the NewDotNet folder.
Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. (“X” represents the version number of the uninstaller and you should always use the latest version)
After removal you may be prompted to reboot. Do so.

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {42F6BD74-681A-5A08-A862-1032CCECB2AE} - C:\WINDOWS\system32\chfqqgjm.dll
O2 - BHO: (no name) - {5AD14C1B-BEFB-3E85-BD83-20C6CAD48CFB} - C:\WINDOWS\system32\nvekrxut.dll (file missing)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [jmhnbbyr] C:\WINDOWS\asmarqzv.exe
O4 - HKLM\..\Run: [inmrtbdu] C:\WINDOWS\guowsjus.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: C:\WINDOWS\System32\eiwjdv.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\usrscy.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.20/ttinst.cab

Add any references to New.Net that are left behind.

Then reboot and delete:
C:\WINDOWS\asmarqzv.exe
C:\WINDOWS\guowsjus.exe
c:\program files\winfavorites <= entire folder
C:\WINDOWS\System32\eiwjdv.exe
C:\WINDOWS\System32\usrscy.exe

Regards,

Pieter

 

Pieter, many thanks for your quick reply! Your help is very much appreciated, Sam

 

My pleasure.

Pieter