Malware/redirects Followup-repost/updated Hjt Log


61 replies to this topic

#1 Dean_099


Posted 21 April 2006 - 11:51 PM

Thanks in advance for the assistance. I keep getting redirects/various lines
in my browser such as.. http://www.lovehotelfinder.net/search.php?qq=tanning%20beds

CW Shredder found and deleted coolwebsearch. AdAware found Adaware.Gain.Dashbar, Gain,
unspypc.exe,claria and w32.trojanclicker.

Recalling that I had difficulties like this a couple years ago, I did a search and found/deleted
Howiper and wurldmedia.

I also found/googled and deleted..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

Trying a normal google search before posting here, I still got this
redirect>> http://www.zipsearchusa.net/search.php?qq=viagra%20cheap
Obviously, I still haven't located all bad files yet.

Here's my new hijack log after downloading updated hjt as per forum instructions

Forum suggested Logfile of HijackThis v1.99.1
Scan saved at 11:40:48 PM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RFA\rfagent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Gary\Desktop\Downloads\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{8926E55A-ECB5-415A-8AAA-149964410B60}: NameServer = 85.255.116.165 85.255.112.122
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



#2 Guest_Cretemonster_*


Posted 22 April 2006 - 04:58 AM

Hi Dean_099 and Welcome to the Bleeping Computer!


Let's get you better fitted to use this PC out on the Internet!


Please install and update one of the following free Antivirus Software Programs

AntiVir® PersonalEdition Classic

AVG Free for Windows

BitDefender 8 Free Edition

avast! 4 Home Edition


Please install and update one of the following free Firewall Software Programs

Sunbelt Kerio Personal Firewall

ZoneAlarm Free

Outpost Firewall FREE



Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
    • Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
      O17 - HKLM\System\CCS\Services\Tcpip\..\{8926E55A-ECB5-415A-8AAA-149964410B60}: NameServer = 85.255.116.165 85.255.112.122
    • Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
  • Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
While you are waiting for a reply, please make sure your new Antivirus Software is fully updated.

Go to Safe Mode and Scan the entire system, remove anything found.

#3 Dean_099


Posted 22 April 2006 - 02:05 PM

As you requested..

Fixwareout ver 1.003
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
...
Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU
ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is ligitamate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

And..............
Logfile of HijackThis v1.99.1
Scan saved at 1:45:35 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Gary\Desktop\Downloads\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

After the above fixes/checks/reports, I got this from a normal google search on a file
I wanted to look up. got this instead.

http://www.superfinderusa.net/search.php?q...ife%20insurance
Something still lurking around obviously.
I'll d/load those AV's you suggested while awaiting further replies. Thank you!
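A way to compare two HijackThis logs, such as the one in post #1 and the one posted above, as an added example that is not part of the original thread: it parses the entry lines and reports which entries disappeared or appeared between the two scans. The function names are hypothetical, and the sample lines are excerpted from the two logs in this thread.

```python
import ipaddress
import re
from collections import Counter

# HijackThis entry lines look like "O17 - <detail>": a section code
# (a letter R, F, N or O plus a number), " - ", then free text.
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpt of the entry section of the first log in the thread (post #1).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{8926E55A-ECB5-415A-8AAA-149964410B60}: NameServer = 85.255.116.165 85.255.112.122
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

# Excerpt of the entry section of the log posted after running Fixwareout (post #3).
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""


def parse_entries(log_text):
    """Return a Counter of (code, detail) pairs found in a HijackThis log.

    A Counter is used so that repeated identical lines (for example several
    identical O10 lines in one log) are counted rather than collapsed.
    """
    entries = Counter()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[(match.group(1), match.group(2).strip())] += 1
    return entries


def sort_key(entry):
    """Order entries by section letter, then section number, then text."""
    code, detail = entry
    return (code[0], int(code[1:]), detail)


def diff_logs(before, after):
    """Return (removed, added) entry lists between two log texts."""
    b, a = parse_entries(before), parse_entries(after)
    removed = sorted((b - a).elements(), key=sort_key)
    added = sorted((a - b).elements(), key=sort_key)
    return removed, added


def name_servers(entries):
    """Collect the DNS server addresses set by O17 'NameServer =' entries."""
    servers = []
    for code, detail in entries:
        if code != "O17" or "NameServer" not in detail or "=" not in detail:
            continue
        value = detail.split("=", 1)[1]
        for token in re.split(r"[,\s]+", value.strip()):
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an IP address (empty or malformed token)
    return servers


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, detail in removed:
        print("gone :", code, "-", detail)
    for code, detail in added:
        print("new  :", code, "-", detail)
    print("DNS servers set before:", name_servers(parse_entries(LOG_BEFORE)))
    print("DNS servers set after :", name_servers(parse_entries(LOG_AFTER)))
```
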

#4 Dean_099


Posted 22 April 2006 - 02:46 PM

Forgot.......as you probably noticed, I did a Panda scan late last night..here is their log.

Incident Status Location

Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gary\Cookies\gary@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gary\Cookies\gary@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gary\Cookies\gary@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gary\Cookies\gary@mediaplex[2].txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-358b10e4-73ffd2f8.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-358b10e4-73ffd2f8.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-358b10e4-73ffd2f8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-358b10e4-73ffd2f8.zip[Beyond.class]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gary\Cookies\gary@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gary\Cookies\gary@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gary\Cookies\gary@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gary\Cookies\gary@mediaplex[2].txt
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Gary\My Documents\backup-20060420-221825-434.dll
Spyware:Spyware/New.net Not disinfected C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc135\newdotnet7_22.dll
Spyware:Spyware/New.net Not disinfected C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc135\uninstall7_22.exe
Adware:Adware/Gator Not disinfected C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc136.com\FSG\fsg.exe
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc151.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_22.exe
Spyware:Spyware/New.net

I was able to chase down most, but am going to do searches on all again. Obviously, this info will help you more. Sorry to miss posting this. TY

#5 Guest_Cretemonster_*


Posted 22 April 2006 - 03:03 PM

As I stated in my first post, please install one of the free Antivirus and Firewall softwares I linked you to.


Locate and Delete this file

C:\WINDOWS\NDNuninstall7_22.exe


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Try this: Open IE and Click Tools-> Internet Options-> Programs and then click "Reset Web Settings"

Now go back and Click the Advanced Tab and then Click "Restore Defaults"


Let's try using F-Secure Blacklight and have a closer look.

Download and Save Blacklight to your Local Drive C:\

Click Start-> Run-> Type in C:\blbeta.exe /expert and click OK to launch Blacklight.

Accept the Agreement and Click Next, now click Scan and let Blacklight scan the entire system.

You'll see a list of all items found. There will also be a log on your C:\ drive with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

#6 Dean_099


Posted 22 April 2006 - 07:06 PM

I did install avast as you suggested. On bootup, It found.....and I deleted the infected ones..

04/22/2006 15:54
Scan of all local drives
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0008033.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0008994.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP17\A0009691.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0010187.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0012050.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0012341.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP37\A0012767.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001128.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001320.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001396.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0001447.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0013944.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0013948.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0013970.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0013976.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0013981.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014000.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014004.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014013.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014017.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014024.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014028.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014034.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP47\A0014038.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014068.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014072.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014078.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014082.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014090.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014094.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014104.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014108.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014115.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014119.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014129.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014133.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014140.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014144.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014152.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP48\A0014156.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP50\A0014273.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP50\A0014282.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0014348.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0014353.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP51\A0014357.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014650.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014654.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014731.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014733.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014737.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014741.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014745.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014747.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014751.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014754.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0014758.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0015754.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP53\A0015758.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP54\A0015762.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP54\A0015822.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP54\A0015823.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP54\A0015828.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015832.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015836.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015842.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015847.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015854.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0015858.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP56\A0016014.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP56\A0016018.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP56\A0016048.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP56\A0016108.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP57\A0016304.exe is infected by Win32:Agent-IU [Trj], Deleted
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0006805.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\WINDOWS\system32\ActiveScan\pskavs.dll is infected by Win32:CTX, Deleted
File C:\WINDOWS\system32\dmznr.exe is infected by Win32:Small-EK [Trj], Deleted
File C:\WINDOWS\system32\msipcsv.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\WINDOWS\Temp\ASHeuristic\Dc151_exe.vir is infected by Win32:Agent-IU [Trj], Deleted

Number of searched folders: 2413
Number of tested files: 37695
Number of infected files: 78

----------------------------------------
04/22/2006 18:07
Scan of all local drives
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP57\A0016375.dll is infected by Win32:CTX
=====================================================

I did the web page restores as instructed.

I did delete the ndnuninstall7_22.exe, but a newdotnet2_78.dll
remains that won't allow deletion, as well as a newdot folder
with that dll inside.

Ran adaware again and again, it shows the
previous mentioned items I already deleted.

I've run hjt again and I keep getting new.net
hijacks...which it won't delete. Log below.

Logfile of HijackThis v1.99.1
Scan saved at 6:53:45 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RFA\rfagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Gary\Desktop\Downloads\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
=====================

I got blacklight, but it didn't show a
log, but did post that there were no
hidden items and nothing to be renamed

fsbl log that probably shows you nothing.....

04/22/06 17:22:15 [Info]: BlackLight Engine 1.0.35 initialized
04/22/06 17:22:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/22/06 17:22:16 [Note]: 7019 4
04/22/06 17:22:16 [Note]: 7005 0
04/22/06 17:22:24 [Note]: 7006 0
04/22/06 17:22:24 [Note]: 7011 1384
04/22/06 17:22:25 [Note]: 7026 0
04/22/06 17:22:25 [Note]: 7026 0
04/22/06 17:22:25 [Note]: FSRAW library version 1.7.1015
04/22/06 17:22:48 [Note]: 7007 0
============================

PS..I had to use gozilla because I'm only on dialup and
the 12 mb file/avast would take hours to download and
probably kick me off the net. I could resume with Gozilla.
I'll be d/loading Zonealarm tonite.
Thanks for hanging in there with me. Obviously, I have a
lot of infections here.

#7 Guest_Cretemonster_*


Posted 23 April 2006 - 03:25 AM

Hey, we are making progress, I see the HijackThis log was from Normal Mode.


Errr...GoZilla!

Look at this link
http://www.oit.duke.edu/ats/support/spyware/gozilla.html

We can deal with Gozilla later.


First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.


Since we deleted that newdot file, the uninstaller in Add\Remove may not work properly.

Go ahead and get the uninstaller from Procedure 4 at the newdotnet site just in case.


Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.


#8 Dean_099


Posted 23 April 2006 - 07:06 AM

Had to reply twice..kept getting can't find server msg on reply button.

Have the lsp..will do nothing with it at this time.

The start/control panel shows no coffee cup, so I looked in the
java folder and the cup there only shows me a picture image.
I tried the java link 3 times..get messages saying not available.

Will do kaspersky late this evening.

Will also check back a bit later this morning to see if you have
further instructions about locating that (non image picture) coffee
cup you need me to click on.

Yes, I know/Gozilla..aurate/radiate,etc..I just needed to use it
on that avast file........

As previously mentioned, many thanks for bearing with my pc
mess, as well as some of my ineptness trying to follow instructions.

PS..I have both ZoneAlarm AND avast running at the same time. Should
I disable avast?

#9 Guest_Cretemonster_*


Posted 23 April 2006 - 08:15 AM

Those 2 programs (ZA\Avast) should run fine together, I know it may make the PC feel a bit sluggish at times but considering the Malware options you get when not running them, I think it's worth it.


For the Java thingy,open control panel,look to the left hand side and click other control panel options,the next window that opens should have the Java Icon there.

#10 Dean_099


Posted 23 April 2006 - 04:58 PM

Think I completed current chores except for the new.net crud..explained below.

Found the coffeecup/updated/rebooted. Cleared cache/Temp files/cookies,etc

I didnt mention that I turned off System Restore late Saturday night in case that
is something that needed to be done in time.

On a Registry First Aid check, I saw a new.net registry file. I deleted it. Next thing I knew,
almost nothing would work, including internet due to winsock error messages. I had to use
backup on the deleted registry files, as well as my only system restore date to get back online.

The ununinstall.exe file was deleted a couple days ago, but the newdotnet folder still holds the
unuinstall.dll..that's what I cant delete and all uninstall references are only to the exe.
Here is my registry log for any newnet/newdot files. Again, I can delete these (although the .dll file
might not be deletable??), but if I lose the internet and the lspfix doesnt work for any reason,
I'm dead in the water for getting back here.
LOG is................

Registry First Aid 4.3.1 build 981 *** registry-repair-software.com ***
Found invalid entries
Created: 4/23/2006 3:07:54 PM

===============================================
*** String Matches *** Total found entries: 8

0 Key: %s "[HKEY_CURRENT_USER] Software\Microsoft\Search Assistant\ACMru\5603"
Match is in the value data: ""001"" = ""new.net""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "new.net""

1 Key: %s "[HKEY_CURRENT_USER] Software\New.net"
Match is in the key name: ""New.net""""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "New.net""

2 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""LibraryPath"" = ""C:\Program Files\NewDotNet\newdotnet7_22.dll""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "NewDotNet""

3 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""DisplayString"" = ""New.net Name Space Provider""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "New.net""

4 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\ControlSet003\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""LibraryPath"" = ""C:\Program Files\NewDotNet\newdotnet7_22.dll""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "NewDotNet""

5 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\ControlSet003\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""DisplayString"" = ""New.net Name Space Provider""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "New.net""

6 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""LibraryPath"" = ""C:\Program Files\NewDotNet\newdotnet7_22.dll""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "NewDotNet""

7 Key: %s "[HKEY_LOCAL_MACHINE] SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
Match is in the value data: ""DisplayString"" = ""New.net Name Space Provider""
Correction: "Leave the entry without change"
Correction: [0] "Leave the entry without change"
Correction: [1] "Delete the entry"
Correction: [2] "Cut invalid substring "New.net""
===================================

Kaspersky log...........
Ran two scans..standard showed clean.
Extended shows..

KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 23, 2006 4:30:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/04/2006
Kaspersky Anti-Virus database records: 189716

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 21781
Number of viruses found 6
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 00:16:46

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Gary\My Documents\backup-20060420-221825-434.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe/WISE0112.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped

C:\Documents and Settings\Gary\My Documents\gozilla39.exe WiseSFX: infected - 6 skipped

C:\Program Files\NewDotNet\newdotnet7_22.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped

C:\Program Files\XoftSpy\uninstall.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\Program Files\XoftSpy\uninstall.exe NSIS: infected - 1 skipped

C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc4.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\RECYCLER\S-1-5-21-3881976664-438588052-3458777129-1006\Dc5.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000048.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000048.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000107.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000109.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\WINDOWS\system32\adimage.dll Infected: not-a-virus:AdWare.Win32.Aureate skipped

C:\WINDOWS\system32\htmdeng.exe Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

C:\WINDOWS\system32\ipcclient.dll Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

C:\WINDOWS\system32\tfde.dll Infected: not-a-virus:AdWare.Win32.Aureate skipped

Scan process completed.
===========================

Rebooted to safe mode for new HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 4:35:44 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Gary\Desktop\Downloads\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope this helps a bit.......ty

#11 Guest_Cretemonster_*


Posted 23 April 2006 - 06:32 PM

Did you try using the Uninstaller from the New.Net Site?

#12 Dean_099


Posted 23 April 2006 - 10:13 PM

Yes, but the exe of that I deleted already 3 or 4 days ago..it's the dll of that I can't get rid of..keeps saying it's being used. It's in the newdotnet folder...can't delete folder either.

HJT checkboxes won't let me erase the new.net files either.

BTW...a friend suggested I go to windows folder/prefetch and delete everything there.
Is that viable or just gonna get me in more trouble?

thanks.......

#13 Dean_099


Posted 24 April 2006 - 02:27 AM

Out of frustration til almost 3 am...........

I was browsing through several windows folders in safe mode and signed in as *administrator*
this time. Did a properties check on that newdotnet folder with the dll inside, then dug
around more and noticed that there are several tab options to modify/allow/deny this dll,
including deleting it...if it takes. Is that something I should try?

Also, in a regedit, expanding under winsock 2, there are 4 catalog entries, each showing
new.net as a "space provider", one line showing
C:\Program Files\NewDotNet\newdotnet7_22.dll. as a library path.
Other lines/library paths in 3 entries are
%SystemRoot%\System32\mswsock.dll
%SystemRoot%\System32\winrnr.dll
%SystemRoot%\System32\mswsock.dll

There are also 20 or so expanded parameter"catalog entries", everyone with a
new.net listing. Again, all these expansions are under a winsock2 line.

There is just a "normal" winsock line also just above winsock2.

My question(s) are..do I dare delete all the expansions or delete the
**entire winsock2* line holding all these or do I chance losing the
internet, as well as creating more problems? I dont know if there are
supposed to be two winsock entries or not.

Thanks......and, yes, I'm still getting a lot of redirects.
The pc (only a month old) runs fine except for redirs.
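
The Winsock2 namespace catalog described in the post above can be audited without editing it. This added example (not part of the original thread) parses text in the layout printed by `reg query <key> /s` and marks any provider whose LibraryPath lies outside System32; the sample is constructed from values quoted in the thread, and the display names of entries 1 to 3 and all function names are assumptions.

```python
import ntpath
import re

# Constructed sample in the layout printed by `reg query <key> /s`. Entry 4 and
# the DLL paths come from the thread; display names of entries 1-3 are assumed.
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
        r"\Parameters\NameSpace_Catalog5\Catalog_Entries")
SAMPLE = "\n".join([
    BASE + r"\000000000001",
    r"    DisplayString    REG_SZ    Tcpip",
    r"    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\System32\mswsock.dll",
    BASE + r"\000000000002",
    r"    DisplayString    REG_SZ    NTDS",
    r"    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\System32\winrnr.dll",
    BASE + r"\000000000003",
    r"    DisplayString    REG_SZ    NLA Namespace",
    r"    LibraryPath    REG_EXPAND_SZ    %SystemRoot%\System32\mswsock.dll",
    BASE + r"\000000000004",
    r"    DisplayString    REG_SZ    New.net Name Space Provider",
    r"    LibraryPath    REG_SZ    C:\Program Files\NewDotNet\newdotnet7_22.dll",
])

VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")
SYSTEM_DIRS = {r"%systemroot%\system32", r"c:\windows\system32"}  # assumes C:\WINDOWS

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query /s` text."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = entries.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return entries

def is_system_library(path):
    """True only for a DLL that sits directly in the System32 directory."""
    norm = ntpath.normpath(path.strip('"')).lower()  # collapses ..\ tricks
    return ntpath.dirname(norm) in SYSTEM_DIRS

def audit_namespace_providers(text):
    """Return (entry, DisplayString, LibraryPath, needs_review) tuples."""
    rows = []
    for key, values in sorted(parse_reg_query(text).items()):
        lib = values.get("LibraryPath")
        if lib:  # parent keys carry no provider data
            rows.append((key.rsplit("\\", 1)[-1], values.get("DisplayString", ""),
                         lib, not is_system_library(lib)))
    return rows
```

Calling `audit_namespace_providers(SAMPLE)` returns four rows, with only entry 000000000004 marked for review.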

#14 Guest_Cretemonster_*


Posted 24 April 2006 - 05:09 PM

All right, here is what I want you to try.

Download WinsockFix from Here

This is only to be used as a backup if all other steps fail and you can't access the Internet.

Go back to the New.Net site, go to step four and download the uninstaller.

Make sure you have LSP fix somewhere handy so you will be able to access it.

Disconnect from the Internet and run the New.Net Uninstaller once more.

If prompted to reboot, do so, into Safe Mode.

If not, reboot in safe mode to run LSPFix.

Run LSP Fix -> Click "I know what I'm Doing".

Drag any instances of newdotnet7_22.dll into the "Remove" section and Click "Finished"

Plug your Internet connection back in and Restart in Normal Mode.

If the Internet is sluggish or non-existent, restart the machine once more and see if it improves.

If not, run Winsock Fix and Restart again.

Edited by Cretemonster, 24 April 2006 - 05:11 PM.


#15 Dean_099


Posted 24 April 2006 - 06:31 PM

D/Loaded winsock fix

Newnet procedure 4 uninstaller just hangs, then I get message,
"microsoft error...sorry for the inconvenience."
(tried 3 times from three inch and sent to hd,tried again..
same messages.)

Reboot safe mode

Ran lspfix..said it uninstalled the dll file, but it's
still in program files newdotnet folder. Trying to delete it
outright gets msg, write protected.

There are still 3 other files in the left pane of lspfix
titled.......

mswsock.dll tcip
winrnl.dll NTDS
rsvpsp.dll Protocal handler

Should I delete these also?
You must be getting as frustrated as me.



