BleepingComputer.com: HiJackThis Log: Please Help Diagnose

Logfile of HijackThis v1.99.1
Scan saved at 3:26:15 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\sol.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijackers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1068257809234
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Hello BigRedGuy and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

The first thing that I see is that you have NewDotNet installed. To remove it follow these directions:

• Please download LSP-Fix and WinSockFix from the following links and save them to a location you can find later if necessary.
  LSP-Fix Download Link
  WinsockFix
  
  
• To remove New.net:
  • Go to Start | Settings | Control Panel | Add/Remove Programs
    
  • Look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.
  
  
• If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. If you still have a problem run the WinSockFix program and click the Fix button. Reboot if you run either tool and you should be able to get back on.

Step #2

Start in Safe Mode Using the F8 method:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  
• Use the arrow keys to select the Safe Mode menu item.
  
• Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:

• Click Start.
  
• Open My Computer.
  
• Select the Tools menu and click Folder Options.
  
• Select the View tab.
  
• Under the Hidden files and folders heading select Show hidden files and folders.
  
• Uncheck the Hide file extensions for known types option.
  
• Uncheck the Hide protected operating system files (recommended) option.
  
• Click Yes to confirm.
  
• Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\PROGRAM FILES\NEWDOTNET\ <--folder
C:\Program Files\AdwareFilter\ <--folder

Now reboot normally.

Step #5

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:

• Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  
• Close ALL windows except Ad-Aware SE.
  
• Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  
• Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the ‘General’ window make sure the following are selected in green:
    • Under Safety:
      • Automatically save log-file
      
      
    • Automatically quarantine objects prior to removal
      
    • Safe Mode (always request confirmation)
    
    
  • Under Definitions:
    • Prompt to update outdated definitions - set the number of days
  
  
• Click on the ‘Scanning’ button on the left and select in green:
  • Under Driver, Folders & Files:
    • Scan Within Archives
    
    
  • Under Select drives & folders to scan:
    • choose all hard drives
    
    
  • Under Memory & Registry: all green
    • Scan Active Processes
      
    • Scan Registry
      
    • Deep Scan Registry
      
    • Scan my IE favorites for banned URL’s
      
    • Scan my Hosts file
  
  
• Click on the ‘Advanced’ button on the left and select in green:
  • Under Shell Integration:
    • Move deleted files to recycle bin
    
    
  • Under Logfile Detail Level: all green
    • include addtional object information
      
    • DESELECT - include negligible objects information
      
    • include environment information
    
    
  • Under Alternate Data Streams:
    • Don't log streams smaller than 0 bytes
      
    • Don't log ADS with the following names: CA_INOCULATEIT
  
  
• Click the ‘Tweak’ button and select in green:
  • Under ‘Scanning Engine’:
    • Unload recognized processes during scanning
      
    • Scan registry for all users instead of current user only
    
    
  • Under ‘Cleaning Engine’:
    • Let Windows remove files in use at next reboot
    
    
  • Under Log Files:
    • Include basic Ad-aware SE settings in logfile
      
    • Include additional Ad-aware SE settings in logfile
      
    • Please do not check: Include Module list in logfile
  
  
• Click on ‘Proceed’ to save the settings.
  
• Click ‘Start’
  
• Choose 'Perform Full System Scan'
  
• DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  
• Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  
• If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  
• Right-click on the list and choose Select All
  
• Click the Next button to finish removing the items that were found
  
• When finished, REBOOT to complete the removal of what Ad-Aware SE found

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT