Newdot2

13 replies to this topic

#1 caton_phil

Posted 22 December 2004 - 06:20 AM

I am getting a Rundll start up error caused by Newdot. I have run adaware, spybot, unchecked in msconfig/startup, run hijackthis and unchecked and it WILL NOT GO AWAY!!! Any ideas???

Logfile of HijackThis v1.99.0
Scan saved at 20:15:23, on 20/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Classic PhoneTools\CapFax.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\DAP\DAP.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by V21
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CapFax] F:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "F:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Ad-watch] "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HydraVisionDesktopManager] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: F:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal.v21.co.uk
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{561A8FB6-10C3-4388-9210-BFF8F6A92D69}: NameServer = 62.55.109.21 62.55.109.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{561A8FB6-10C3-4388-9210-BFF8F6A92D69}: NameServer = 62.55.109.21 62.55.109.22
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe



StartupList report, 20/12/2004, 20:16:33
StartupList version: 1.52.2
Started from : F:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Classic PhoneTools\CapFax.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\DAP\DAP.EXE
F:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

S3TRAY2 = S3tray2.exe
CapFax = F:\Program Files\Classic PhoneTools\CapFax.EXE
AVG7_CC = F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
NeroCheck = F:\WINDOWS\system32\NeroCheck.exe
SBAutoUpdate = "F:\Program Files\SpywareBlaster\sbautoupdate.exe"
Zone Labs Client = "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
IMJPMIG8.1 = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Ad-watch = "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
VTPreset = VTPreset.exe
SpeedTouch USB Diagnostics = "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
SunJavaUpdateSched = F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
MSPY2002 = F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002A = F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
HydraVisionDesktopManager = F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
HydraVisionViewport = F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
New.net Startup = rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=F:\DOCUME~1\Phil\MYDOCU~1\PROGRA~1\PSALM8~1\Psalm83.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[OSInfo Control]
InProcServer32 = F:\WINDOWS\OSInfo.ocx
CODEBASE = http://www.sis.com/support/chipdetect/OSInfo.cab

[Shockwave ActiveX Control]
InProcServer32 = F:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = F:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/download/0/5...b?1083762257500

[ICSScannerLight Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

[Office Update Installation Engine]
InProcServer32 = F:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

[HouseCallButton.setup]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\HouseCallButton.dll
CODEBASE = http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

[MSN File Upload Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[SassCln Object]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Hotmail Attachments Control]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx

[MSN Chat Control 4.5]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
UPnPMonitor: F:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 7,353 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Phil


#2 raw

Posted 22 December 2004 - 11:04 AM

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link

To remove New.net, please go to Start | Settings | Control Panel | Add/Remove Programs, look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

F:\PROGRA~1\NEWDOTNET <-Delete NEWDOTNET Folder

Reboot your computer to go back to normal mode and post a new log.


If you cannot connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the Finish button. Reboot and you should be able to get back on.

Edited by raw, 22 December 2004 - 11:06 AM.

rawcreations.net @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 caton_phil

Posted 22 December 2004 - 03:56 PM

Hi!
Thanks!
BUT it is still there!!!

There is no sign of Newdot or Newnet in my Add/Remove programmes dialogue so I went to the website and downloaded the tool suggested. I have internet access and so downloaded it to my desktop and ran it from there. Then re-booted.

I have set all files to be visible.

I ran hijack this and checked the files suggested.

I then booted into safe mode. I ran hijack this and checked the newdot there and also deleted the backup. I cannot delete any newnet or newdot folders from my programme files as I cannot see any.

I re-booted.

No error message, but:

Adwatch flashed.

22/12/2004 20:31:52 Registry modification detected
Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\Current\Version\Run
Value: New.net Startup
Data: rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL, NewDotNetStartup-s
New Data: Attempt to alter the autostart section (Blocked)

SO, I ran Hijack this again and checked the newdot line and clicked fix it. Rebooted and got the error message again. And the newdot is STILL there!!!!!!!

Logfile of HijackThis v1.99.0
Scan saved at 20:40:55, on 22/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\SpywareBlaster\sbautoupdate.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\SpywareBlaster\sbautoupdate.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\Documents and Settings\Phil\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [CapFax] F:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "F:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Ad-watch] "F:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HydraVisionDesktopManager] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] F:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: F:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal.v21.co.uk
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe


Phil
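Raw's instructions (fix the O4 line with HijackThis, then delete the folder) and Phil's follow-up log above are a before/after pair: the same "New.net Startup" Run entry is present in both scans, which is the signal that something is writing it back. The script below is an added Python example for this page, not a HijackThis or BleepingComputer tool. It pulls the HKLM/HKCU Run entries out of two HijackThis logs, diffs them, and flags rundll32-based loaders whose DLL sits outside the Windows directory (the shape of the New.net line). The sample logs are a subset of O4/O3 lines copied from the two logs in this thread plus one constructed benign rundll32 line; the Windows directory F:\WINDOWS is taken from the logs; the function names parse_o4_run, diff_runs, rundll32_loaders and triage are this example's own.

```python
"""Before/after triage of HijackThis O4 Run entries (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of lines copied from the thread's first log (20/12/2004 scan).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.0
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Subset of lines copied from the second log (22/12/2004 scan, after "Fix Checked").
# The last line is a CONSTRUCTED benign rundll32 entry, added only to show that the
# DLL-location check does not fire on a DLL loaded from the Windows directory.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [ConstructedExample] rundll32.exe F:\WINDOWS\system32\shell32.dll,Control_RunDLL
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# "rundll32[.exe] <dll path>,<export> [args]"
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*([^\s,]+)', re.IGNORECASE)


@dataclass(frozen=True)
class AutorunEntry:
    hive: str     # registry hive the Run key lives under (HKLM or HKCU)
    name: str     # value name, e.g. "New.net Startup"
    command: str  # command line stored in that value


def parse_o4_run(log: str) -> Dict[str, AutorunEntry]:
    """Return HKLM/HKCU Run entries keyed 'HIVE\\name'; other O4 forms are skipped."""
    entries: Dict[str, AutorunEntry] = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[f"{hive}\\{name}"] = AutorunEntry(hive, name, command)
    return entries


def diff_runs(before: Dict[str, AutorunEntry], after: Dict[str, AutorunEntry]) -> Dict[str, List[str]]:
    """Classify entries across two scans: removed, survived (same command), added."""
    removed = sorted(k for k in before if k not in after)
    survived = sorted(k for k in before if k in after and before[k].command == after[k].command)
    added = sorted(k for k in after if k not in before)
    return {"removed": removed, "survived": survived, "added": added}


def rundll32_loaders(entries: Dict[str, AutorunEntry], windows_dir: str = r"F:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Entries started via rundll32 that load a DLL from outside the Windows directory.

    Returns (key, dll_path, export). A bare filename with no directory is reported as
    well, since it is resolved through the loader search order rather than a fixed path.
    """
    flagged = []
    for key, entry in entries.items():
        m = RUNDLL.match(entry.command)
        if not m:
            continue
        dll, export = m.group(1), m.group(2)
        if not dll.upper().startswith(windows_dir.upper() + "\\"):
            flagged.append((key, dll, export))
    return flagged


def triage(before_log: str, after_log: str) -> Dict[str, List[str]]:
    """Diff two logs and single out suspect loaders that survived the fix."""
    before, after = parse_o4_run(before_log), parse_o4_run(after_log)
    report = diff_runs(before, after)
    report["suspect_loaders"] = [k for k, _, _ in rundll32_loaders(after)]
    report["still_suspect"] = [k for k in report["suspect_loaders"] if k in report["survived"]]
    return report


if __name__ == "__main__":
    for section, keys in triage(LOG_BEFORE, LOG_AFTER).items():
        print(f"{section}: {keys}")
```

Run against the two logs, "removed" is empty and "still_suspect" contains only HKLM\New.net Startup: the HijackThis fix was applied but had no lasting effect. That is the cue to stop repeating "Fix Checked" and look for whatever re-creates the value, which is exactly what the Ad-Watch "Registry modification detected" alert in Phil's post records.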

#4 raw

Posted 22 December 2004 - 04:06 PM

Please click on Start - Search - Find Files or Folders, enter newdot* and post the results.



#5 caton_phil

Posted 22 December 2004 - 04:31 PM

Hi!

The search under "newdot" in the file name brought up absolutely nothing!!!!

I have found the offending files if I do a search in regedit. I delete it from there and reboot but the error comes back again!!!

I have tried unchecking it in the startup in msconfig but when I reboot it comes back!!!

Phil

#6 caton_phil

Posted 22 December 2004 - 04:51 PM

If I do a search in regedit for newdot I get a result in a folder called search assistant!

This is, I think, something that came on the back of some "free" software I downloaded, but maybe didn't get rid of so well.

phil

#7 raw

Posted 22 December 2004 - 06:14 PM

Search Assistant is a Windows folder.

Double check that you can view hidden files and folders on F:\Program Files\

Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download DLL Compare to your desktop.

Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.



#8 caton_phil

Posted 23 December 2004 - 03:10 AM

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1,360 items found: 1,360 files, 0 directories.
Total of file sizes: 284,725,136 bytes 271.53 M

Administrator Account = True

--------------------End log---------------------


Phil

PS I have double checked and all my hidden files should be visible.

#9 raw

Posted 23 December 2004 - 10:30 AM

Hopefully we can get it in Safe Mode. It's possible that Ad-Watch has "locked" the startup section of the registry. You may have to stop Ad-Watch so HJT can fix that reg entry.

Reboot your computer into Safe Mode

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

Then delete these files or directories (Do not be concerned if they do not exist)

F:\PROGRA~1\NEWDOTNET

Reboot your computer to go back to normal mode and post a new log.



#10 caton_phil

Posted 23 December 2004 - 06:40 PM

Thanks raw. I am away from my computer now for a few days so will try that when I get home.


When you say:
Then delete these files or directories (Do not be concerned if they do not exist)

F:\PROGRA~1\NEWDOTNET

where do I delete from??? The back up in Hijack this?? A search done under regedit?? Like I say, I cannot find any files of this in prog files or under a normal search.

Cheers

Phil

#11 raw

Posted 23 December 2004 - 09:52 PM

I think the folder might be gone... simply because it's not visible in Windows Explorer, but you can look.

My Computer - F - Program Files



#12 caton_phil

Posted 27 December 2004 - 02:55 PM

Back again!!!!

WELL, turning off Adwatch seems to help. If I turn that off I can stop the error messages. BUT, as soon as I turn Adwatch back on again the error messages turn up again. It seems like Adwatch is the one that is trying to load it. I could just dispense with Adwatch but I do like to have it running in the background.
Thoughts!!!!

Phil

#13 raw

Posted 27 December 2004 - 06:48 PM

Well, you could always uninstall Ad-Watch and re-install.
You can use SpywareGuard ... from the same people who made SpywareBlaster ... it also monitors the registry for hijack changes.
Other than that I'm at a complete loss as to why Ad-Watch would behave that way.
The LavaSoft forums don't seem to be much help, others with the same problem, but no fix.
Here's a link to the Ad-Watch discussion forum:
http://www.lavasoftsupport.com/index.php?showforum=157



#14 caton_phil

Posted 28 December 2004 - 08:47 AM

Thanks for your help!!!!

I have turned off adwatch and installed Spywareguard and all is well!!

Thanks again.

Phil
