Start up error


3 replies to this topic

#1 caton_phil

Posted 20 December 2004 - 03:17 PM

I am getting a Rundll start up error caused by Newdot. I have run adaware, spybot, unchecked in msconfig/startup, run hijackthis and unchecked and it WILL NOT GO AWAY!!! Any ideas???

Logfile of HijackThis v1.99.0
Scan saved at 20:15:23, on 20/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Classic PhoneTools\CapFax.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\DAP\DAP.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by V21
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CapFax] F:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "F:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Ad-watch] "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HydraVisionDesktopManager] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: F:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal.v21.co.uk
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{561A8FB6-10C3-4388-9210-BFF8F6A92D69}: NameServer = 62.55.109.21 62.55.109.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{561A8FB6-10C3-4388-9210-BFF8F6A92D69}: NameServer = 62.55.109.21 62.55.109.22
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe



StartupList report, 20/12/2004, 20:16:33
StartupList version: 1.52.2
Started from : F:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Classic PhoneTools\CapFax.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\DAP\DAP.EXE
F:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

S3TRAY2 = S3tray2.exe
CapFax = F:\Program Files\Classic PhoneTools\CapFax.EXE
AVG7_CC = F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
NeroCheck = F:\WINDOWS\system32\NeroCheck.exe
SBAutoUpdate = "F:\Program Files\SpywareBlaster\sbautoupdate.exe"
Zone Labs Client = "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
IMJPMIG8.1 = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Ad-watch = "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
VTPreset = VTPreset.exe
SpeedTouch USB Diagnostics = "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
SunJavaUpdateSched = F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
MSPY2002 = F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002A = F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
HydraVisionDesktopManager = F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
HydraVisionViewport = F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
New.net Startup = rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=F:\DOCUME~1\Phil\MYDOCU~1\PROGRA~1\PSALM8~1\Psalm83.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[OSInfo Control]
InProcServer32 = F:\WINDOWS\OSInfo.ocx
CODEBASE = http://www.sis.com/support/chipdetect/OSInfo.cab

[Shockwave ActiveX Control]
InProcServer32 = F:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = F:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/download/0/5...b?1083762257500

[ICSScannerLight Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

[Office Update Installation Engine]
InProcServer32 = F:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

[HouseCallButton.setup]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\HouseCallButton.dll
CODEBASE = http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

[MSN File Upload Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[SassCln Object]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Hotmail Attachments Control]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx

[MSN Chat Control 4.5]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
UPnPMonitor: F:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 7,353 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Phil

#2 JackTheHaack

Posted 20 December 2004 - 03:51 PM

Might be an idea to post this in the HJT log & analysis forum. I'm sure you'll get a better response.

BTW.... :thumbsup: to BC, hope you enjoy your stay.

Good luck

Edited by JackTheHaack, 20 December 2004 - 03:54 PM.

JTH

#3 cowsgonemadd3

Posted 20 December 2004 - 04:59 PM

Welcome to BC and what he said!

#4 caton_phil

Posted 22 December 2004 - 06:22 AM

Thanks guys!!!!

I have done!

All the best,

Phil



