Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I have strange search bars; alexa; about:blank [CLOSED]


  • This topic is locked This topic is locked

#1
clarissalorenz

clarissalorenz

    New Member

  • Member
  • Pip
  • 2 posts
Hi! If you can help me, I'll be very pleased!

First, I will list all programs that I downloaded and run:

AD AWARE SE
CWSHREDDER
EWIDO
SPYWARE SCANNER
SPYBOT
WINSOCK XP FIX
XOFTSPY
TDS 3
SPYWARE GUARD
ZONE ALARM TRIAL
CLEAN UP
KILL BOX
SMITFRAUD
TREND MICRO WEB SCAN
TROJAN HUNTER
HOSTS

I get all of that reading others posts forums

I execute ewido and all other scan tools but my pc is still infected.

If you could help me...
I'll already send you my log from hijack this.


Logfile of HijackThis v1.99.1
Scan saved at 11:11:14, on 19/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Roxio Shared\Project Selector\projselector.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\Engine\6\Intel 32\{332654785113541.2265441265}\Systems Files\taskmnr.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ARQUIV~1\FREESP~1\SpyWatcher.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\winnt\ljiwfqc.exe
c:\arquiv~1\intern~1\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\ARQUIV~1\MOZILL~1\FIREFOX.EXE
C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\TrojanHunter 4.2\TrojanHunter.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrador\Desktop\Anti SPY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hyrzhbdwt...FdaHRjHT81z.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O2 - BHO: (no name) - {03C89125-F56E-B2B2-4135-BB250930D7B9} - C:\DOCUME~1\ADMINI~1\DADOSD~1\MULTIC~1\delete vc.exe (file missing)
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINNT\System32\scpsssh2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [projselector] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirebilis ICQ] C:\Arquivos de programas\Arquivos comuns\InstallShield\Engine\6\Intel 32\{332654785113541.2265441265}\Systems Files\taskmnr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [InterBaseBaseGuardian] C:\Arquivos de programas\Firebird\bin\ibguard.exe -a
O4 - HKLM\..\Run: [OKAYGRAMBROWSEEACH] C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\Load bore.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Arquivos de programas\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\ARQUIV~1\FREESP~1\SpyWatcher.exe" -S
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Way axis] C:\DOCUME~1\ADMINI~1\DADOSD~1\FLAGRE~1\Body One Soap.exe
O4 - HKCU\..\Run: [iansima] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [rttpmqd] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [ytgcfnv] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [thpvgcx] c:\winnt\cdrmwev.exe
O4 - HKCU\..\Run: [mskbdmc] c:\winnt\cdrmwev.exe
O4 - HKCU\..\Run: [qjlwwis] c:\winnt\cyxnhct.exe
O4 - HKCU\..\Run: [wtjrcgb] c:\winnt\uyufwib.exe
O4 - HKCU\..\Run: [rsyggtd] c:\winnt\uyufwib.exe
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://wwwss.brades...k1/scpsssh2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3353CF4B-55F5-43C8-A41B-3B4A3E241705}: NameServer = 200.180.128.68,200.199.241.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB85E0C8-0764-4B91-859C-C69B74B98554}: NameServer = 200.96.255.198 201.10.120.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoguard.exe
O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - C:\WINNT\System32\hffsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe



AND, i'm not using IE anymore, but Firefox, and I'm now downloading the windows 2000 updates.

Sorry for my bad english,
thanks a lot,

Clarissa :tazz:
  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I made a good fix for this, I will post a reply. Thank you for your patience.
  • 0

#3
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi clarissalorenz

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Use windows add remove program file's uninstall the following: If you can not remove them continue with the fix.
C:\Arquivos de programas\PSGuard\PSGuard.exe
C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

Download Pocket Killbox and unzip it; save it to your Desktop.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop. Don't run it yet!

Reboot into Safe Mode: please see here if you are not sure how to do this.

Now run smitRem.zip

Run ewido save the scan log

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
O2 - BHO: (no name) - {03C89125-F56E-B2B2-4135-BB250930D7B9} - C:\DOCUME~1\ADMINI~1\DADOSD~1\MULTIC~1\delete vc.exe (file missing)
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINNT\System32\scpsssh2.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Arquivos de programas\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Way axis] C:\DOCUME~1\ADMINI~1\DADOSD~1\FLAGRE~1\Body One Soap.exe
O4 - HKCU\..\Run: [iansima] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [rttpmqd] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [ytgcfnv] c:\winnt\ljiwfqc.exe
O4 - HKCU\..\Run: [thpvgcx] c:\winnt\cdrmwev.exe
O4 - HKCU\..\Run: [mskbdmc] c:\winnt\cdrmwev.exe
O4 - HKCU\..\Run: [qjlwwis] c:\winnt\cyxnhct.exe
O4 - HKCU\..\Run: [wtjrcgb] c:\winnt\uyufwib.exe
O4 - HKCU\..\Run: [rsyggtd] c:\winnt\uyufwib.exe
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://wwwss.brades...k1/scpsssh2.cab

Click on Fix Checked when finished and exit HijackThis.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINNT\System32\scpsssh2.dll
C:\WINNT\System32\intel32.exe
C:\DOCUME~1\ADMINI~1\DADOSD~1\FLAGRE~1\Body One Soap.exe
c:\winnt\ljiwfqc.exe
c:\winnt\cdrmwev.exe
c:\winnt\cyxnhct.exe
c:\winnt\uyufwib.exe

Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#4
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Sorry I guess we had posted at the same time.

Clarrisa, please stick to thatman you are in good hands with him.


regards,

kool808
  • 0

#5
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
After you posted the latest results from HijackThis Log and other logs requested then I will take it from here. I will post a reply as soon as I see the results.
  • 0

#6
clarissalorenz

clarissalorenz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi, thanks for help me, here goes the logs:

ewido:

C:\Documents and Settings\Administrador\Cookies\administrador@qksrv[1].txt -> Spyware.Cookie.Qksrv : Limpo com backup
:mozilla.16:C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i3mbe43c.default\cookies.txt -> Spyware.Cookie.Doubleclick : Limpo com backup
:mozilla.63:C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i3mbe43c.default\cookies.txt -> Spyware.Cookie.Qksrv : Limpo com backup
:mozilla.64:C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i3mbe43c.default\cookies.txt -> Spyware.Cookie.Qksrv : Limpo com backup


housecall: it found a trojan named swizzor.gq (or qg?)

panda:
Incident Status Location

Adware:Adware/Lop No disinfected c:\docume~1\admini~1\config~1\temp\sta4a.exe
Adware:Adware/Lop No disinfected c:\docume~1\admini~1\dadosd~1\flagre~1\Ooze Browse Bike.exe
Adware:adware/findspy No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRADOR\FAVORITOS\ Free Spy Cam - Realtime.url
Adware:adware/savenow No disinfected C:\WINNT\SYSTEM32\q10pvbrv.dat
Adware:adware/sahagent No disinfected C:\WINNT\SYSTEM32\ritsacnk.dat
Adware:adware/adsmart No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRADOR\CONFIGURAES LOCAIS\TEMP\pi.sys
Adware:adware/twain-tech No disinfected C:\WINNT\smdat32m.sys
Adware:adware/ipinsight No disinfected C:\WINNT\alchem.ini
Adware:adware/lop No disinfected C:\ARQUIVOS DE PROGRAMAS\C2Media
Spyware:spyware/new.net No disinfected C:\ARQUIVOS DE PROGRAMAS\NewDotNet
Adware:adware/superbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\BLUE HAVEN MEDIA
Adware:adware/webhancer No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\WHSURVEY
Adware:adware/powerstrip No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Virus:Trj/Banbra.JX Disinfected C:\WINNT\inf\anmanda.inf
Spyware:Spyware/Bridge No disinfected C:\WINNT\tmpdata.reg
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\Amok2.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\NurbDale.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\CoolAim.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\Plus up.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Face Style Okay Gram\Load bore.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Chin manager scr meal\ONLINE FORD.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Dados de aplicativos\Chin manager scr meal\64 Noun.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\bff8ce9e.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\3527be.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\sta4A.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\4JUZUL8X\upAYB_unk[1].int
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\gwvqnfop.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\Pile City Test Junk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\Ooze Browse Bike.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\wfgqcame.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\tngsbzof.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\uaojwfmf.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\rprbhyot.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\fyvxkwbg.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\gavxqkks.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\fjeyjgic.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\Body One Soap.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\Flag remote license\zyasdist.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Administrador\Dados de aplicativos\multicurbexit\delete vc.exe
Virus:Trj/Qhost.BM Disinfected C:\Arquivos de programas\TDS3\dcsres.exe
Virus:Bck/mIRCBased.X Disinfected C:\Scoop2004\mirc.exe
Virus:HackTool/Gendel.A No disinfected C:\gendel32.exe



:tazz: thanks again,

clarissa
  • 0

#7
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

I believe you did missed to post back the NEW HijackThis Log results.  Can I ask you a little favor, can you change your language to ENGLISH for this moment ;) . I have little know-how with spanish.  :tazz:


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
================================================

You are advised to temporarily DISABLE the following Protection Programs, if they are running:
Note: They may interfere with our fixes.



  • Spybot S&D : Tea Timer

  • Ad-Aware : Ad-Watch

  • Spyware Guard

  • Trojan Hunter Guard
(Note: We will re-ENABLE them later after your system is all clean and malware free.)


++++++++ N O T I C E ++++++++

This will likely be a few step process in removing the malware that has infected your system.  I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further. You have lots of complex infections but we can take them one at a time. Trust me!


++++++++ STEP 1 ++++++++
First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", DO NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

++++++++ STEP 2 ++++++++
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
Do NOT run it yet.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)

++++++++ STEP 3 ++++++++
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

Make sure to double check the items you have selected,then click Fix Checked.

++++++++ STEP 4 ++++++++
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

++++++++ STEP 5 ++++++++
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Edited by kool808, 20 July 2005 - 09:29 AM.

  • 0

#8
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP