Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Red Cross in Taskbar & NEWGENLOOK.INFO (fixed)


  • This topic is locked This topic is locked

#1
RNP

RNP

    New Member

  • Member
  • Pip
  • 5 posts
Ok, I read through many of the posts that referenced this Red button with White Cross in taskbar and looked at suggestions for removing Spyware that pops up newgenlook.info ad pages... but none of those suggestions seem to work for me --

I can't find any of the folders or files that were indicated to be removed! Here's my log, please let me know any ideas --

THANKS!


---------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:29:12 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\crypserv.exe
H:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
H:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\System32\inetsrv\inetinfo.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
H:\Program Files\Microsoft AntiSpyware\gcasServ.exe
H:\Dloads\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - H:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] H:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [vptray] H:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "H:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: ZoneAlarm Pro.lnk = H:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download all by Net Transport - H:\Program Files\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - H:\Program Files\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - H:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - H:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: Dialpad Webphone - https://www.dialpad....update/cham.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4B2829E9-2545-4775-A9DC-5AF38B054486} - https://na1.salesfor...ForceOffice.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://www.msnusers....UC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102202727670
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx...erInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB883AA5-F28E-462B-B2D7-8E3717FE933C} (SFCom Control) - https://na1.salesfor...ce/vm/SFCom.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - H:\WINDOWS\System32\NavLogon.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - H:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - H:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - H:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - H:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by RNP, 24 April 2005 - 07:09 AM.

  • 0

Advertisements


#2
RNP

RNP

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Quick Note -

After looking at some other people's logs with a similar problem (newgenlook.info) -- I found that they had some similar files that I tried to "fix" using HiJackThis:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

and

09 - Extra Button Messenger - {...-...} - H:\program files\messenger\msmsg.exe
09 - Extra 'tools' menuitem - ..... .... - H:\program files\messenger\msmsg.exe


I don't know if this is of any significance, but I just can't seem to find the file that's causing that cross/popups in the taskbar to remain. plz help?
  • 0

#3
RNP

RNP

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
One more file that I found in other people's logs that have the same problem as me. These seem to be the only entries that I have in common..

O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • 0

#4
RNP

RNP

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
This problem is not getting resolved with either Spybot, Ad-Ware SE, MS Antispyware, NOrton AV.. Any ideas?
  • 0

#5
RNP

RNP

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok, I figured it out, looking at someone else's post. It should've been pretty simple, but I don't know what I was thinking.

I checked in my %SystemRoot%/System32 (i.e. H:\Windows\System32) for files that have the same create date as a bunch of .ICO files -- those that were put as garbage on my Desktop by spyware.

In my case those files were param32.dll, guninstall.exe and popup_bl.dll.

I had KillBox installed, so I did the "delete on reboot" option, and then put paths to these files. Then before I hit reboot after the last entry, I 'fixed' the **R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenloo...fo/ad/ad0179/**

The rest worked fine.
  • 0

#6
Nishu

Nishu

    New Member

  • Member
  • Pip
  • 1 posts
:tazz:
Thanks RNP for your valueable tips. I did clean up my system from those horrible popups and icons.
Nishu
  • 0

#7
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
RNP

I am glad that you got your issue resolved, but before you post your fix, you should know that each infection is different depending on the variant and the computer.

To all others who read this

Please post your log in a new thread. This fix may not work for your computer.

ScHwErV :tazz:
  • 0






Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP