Winfixer problem?



#16 Labrat (Member, Topic Starter, 34 posts)
btw Counterspy said there was a registry key infected - the same NewDotNet key as previously reported:

NewDotNet (Browser Plug-in) in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock2\Parameters\NameSpace_Catalog5\CatalogEntries\000000000004Stores ServiceClassInfo 1

Rebooting

#17 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
We'll have to have a look at that later. I think it must be a false report on Counterspy's part.

WinsockFix would have removed every NewDotNet entry (if present).

Regards,

#18 Labrat (Member, Topic Starter, 34 posts)
OK. Seems to be behaving. Here is a new Hijackfile. I've got to go to Church right now, but I'll be back in about 3 hours.

Thanks so much for your help - I was lost - at least it seems better, so far.

Logfile of HijackThis v1.99.1
Scan saved at 12:30:58 PM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINXP\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINXP\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINXP\system32\wdfmgr.exe
C:\WINXP\System32\wltrysvc.exe
C:\WINXP\System32\bcmwltry.exe
C:\Program Files\SoftLeds\SoftLeds.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINXP\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Plaxo\2.2.3.5\InstallStub.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINXP\System32\alg.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: FreePicGrabber Helper - {DF390801-491F-4659-8E7F-FCCC639A37BD} - C:\Program Files\FreePicGrabber\TheBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: FreePicGrabber - {EBC780C8-5A2F-4BF2-B274-FDA3D61ACC6C} - C:\Program Files\FreePicGrabber\TheBar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoftLeds] C:\Program Files\SoftLeds\SoftLeds.exe /min
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] "C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" /P23 EPSON Stylus C62 Series /O6 USB002 /M Stylus C62
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\WINXP\system32\LVCOMSX.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunasServ] "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6400 on MINER_DESKTOP] C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P41 "Auto EPSON Stylus CX6400 on MINER_DESKTOP" /O23 "\\MINER_DESKTOP\Printer" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6400 on MINER_DESKTOP (Copy 1)] C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P50 "Auto EPSON Stylus CX6400 on MINER_DESKTOP (Copy 1)" /O27 "\\MINER_DESKTOP\EPSONCX6400" /M "Stylus CX6400"
O4 - HKLM\..\Run: [\\MINER_DESKTOP\EPSON Stylus CX6400] C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P35 "\\MINER_DESKTOP\EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.3.5\InstallStub.exe -a
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Free Pic GRAB - res://C:\Program Files\FreePicGrabber\Options.exe/132
O8 - Extra context menu item: &Quick GRAB Pics - res://C:\Program Files\FreePicGrabber\Options.exe/133
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Launch High Impact eMail 3.0 - {670F87A1-88B0-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra 'Tools' menuitem: Launch High Impact eMail 3.0 - {C4A67F75-88B2-11d4-9030-000021D9C559} - C:\Program Files\KMT Software\High Impact eMail 3.0\HIE3.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108244642656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1121205669078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: PCANotify - C:\WINXP\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINXP\System32\wltrysvc.exe

#19 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I'll be snoring when you get back, but your log looks good.

When you get back, download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and let me know what's listed.
Both in the Keep and the Remove field (although there shouldn't be anything on the Remove side)

Regards,

#20 Labrat (Member, Topic Starter, 34 posts)
After running the LSPFix program, all of these were in the Keep column:

File / Description
mwsock.dll / tcp/ip
winrnr.dll / NDTS
nwprovau.dll / NWlink IPX/SPX/NetBIOS...
rsvpsp.dll / (protocol handler)

There was nothing in the Remove column.

Hope you had a good rest.

Edited by Labrat, 04 September 2005 - 04:41 PM.


#21 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I did rest very nicely, thanks. :tazz:

Looking at those Winsock files, I must admit I have no idea what Counterspy is complaining about.
I'll see if I can get a hold of one of their techs.

Ignore the report for the time being and let me know how the computer is behaving otherwise.

Regards,

#22 Labrat (Member, Topic Starter, 34 posts)
Seems to be behaving normally as far as I can tell.

Startup is still a little slower than I recall it being, but I'm not getting those popups any more, thanks to you.

I can't thank you enough for all of your help.

Edited by Labrat, 05 September 2005 - 11:36 AM.


#23 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
A few things you can try to speed up boot.
  • Click Start > Run > copy this command in the box:
    Rundll32.exe advapi32.dll,ProcessIdleTasks
    and click OK
    The next reboot will be slow, but the one after that should be a bit faster.
  • In C:\windows\prefetch, delete everything except layout.ini
  • Use the DiskCleanup Tool to empty all your Temp folders.
Regards,

#24 Labrat (Member, Topic Starter, 34 posts)
Did as you asked. Didn't make a lot of difference as far as I can see, but it was worth a try.

System seems to be clean as far as I can tell. Here is a report from CounterSpy regarding NewDotNet (which it still finds)

Threat: NewDotNet


Alias: New.Net, Dialer-RAS.aj, NewDotNet/B

Threat type: Adware - Adware is generally software that displays advertisements. Some advertisers may covertly install adware on your system and generate a stream of unsolicited advertisements that can clutter your desktop and affect your productivity. The advertisements may also contain pornographic or other material that you might find inappropriate. The extra processing required to track you or to display advertisements can tax your computer and hurt your system performance.

Advice: Remove. This is a very high risk threat and should be removed immediately to prevent harm to your computer or your privacy.

Threat risk: Moderate Risk
Moderate threats may profile users online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial type adware that offer a premium service in exchange for tracking your user online performance.

Description: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.

The New.net Domain Software application allows you to access new domain name extensions such as .shop, .inc, and .tech, and get targeted Internet search results when you enter keywords directly into your browser address bar or when you can't find the website you are looking for using an Internet Explorer toolbar plugin.

NewDotNet installs itself as an LSP (Layered Service Provider) within your Windows Winsock settings. Although this is not overly harmful, if New.Net is removed without fixing the Winsock addresses, it will cause a computer not to be able to connect to the Internet due to the use of the Sporder.dll which is a Winsock2 layered Service Provider.

The plug-in installation only supports Netscape Navigator/Communicator and Internet Explorer v4.5 or higher. There is a separate installation for Netscape and Internet Explorer.

From the New.Net Privacy Policy:
"A user's personal information may be transmitted over third party carriers and equipment outside the control of New.net. New.net assumes no liability for or relating to the entry, delay, failure, loss, interruption or corruption of any data or other information which is transmitted for any purpose."

"You agree that New.net shall have the right to use or disclose any information collected from you or provided by you incident to your use of this Site or your use of the Service as set forth in the New.net Standard Privacy Policy."

"The information that New.net collects from you through technical means in connection with your download, installation or use of the New.net Software will be collected, stored, used and shared by New.net in accordance with its Software Use Privacy Policy, available at http://www.new.net/p...ware_privacy.tp. The New.net Software Use Privacy Policy, as may be modified from time to time in New.net's sole discretion, is expressly incorporated herein by this reference and made part of this Agreement.

Modifications to the New.net Software or to the New.net Site; Termination.
Updates, enhancements and upgrades to the New.net Software may be delivered to you automatically. New.net shall have the right at any time to disable, enable, modify, or discontinue, temporarily or permanently, the New.net Site and/or the New.net Software (or any part thereof), with or without notice, obligation or liability to you or to any third party.

SUPPORT.
NEW.NET HAS NO OBLIGATION TO PROVIDE YOU WITH SUPPORT, MAINTENANCE, UPGRADES, MODIFICATIONS, OR NEW RELEASES WITH RESPECT TO THE NEW.NET SOFTWARE."

From the EULA:"Other Content or Services.
Through your use of the New.net Software, you may receive content or services provided through, or in connection with, the New.net Software, by individuals or entities other than New.net, including, without limitation, data, links, articles, graphic or video messages, text, software, music, sound, graphics or other materials or services (collectively, the "Other Content or Services"). You understand and agree that you will not obtain, as a result of your use of the New.net Software, any right, title or interest in or to such Other Content or Services delivered via the New.net Software or in any intellectual property rights (including, without limitation, any copyrights, patents, trademarks, trade secrets or other rights) in and to such Other Content or Services. You understand and agree that such Other Content or Services shall be the responsibility of the entity that originated, provided, delivered, of

Author: New.net, Inc.

Author URL: http://www.new.net

Author description: "The New.net Client Application provides accessibility to the New.net extensions sold at http://www.new.net. The software installs at the OS (Operating System) level so that all DNS functions for a New.net extension will work properly. New.net registers domain names under extensions such as: .AGENT .INC .LOVE .SHOP .SPORT A full list of extensions offered by New.net is located at http://www.new.ne

NewDotNet Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with NewDotNet, you can clean your machine of this spyware threat for free by downloading CounterSpy now.

Running Process Signatures:

Additionally, it found the following items which it removed:

Spyware Scan Details
Start Date: 9/6/2005 9:39:12 AM
End Date: 9/6/2005 9:47:14 AM
Total Time: 8 mins 2 secs

Detected spyware

NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Ignored (I Set This choice)
Moderate spyware - Moderate threats may profile users online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial type adware that offer a premium service in exchange for tracking your user online performance.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 StoresServiceClassInfo 1

Detected Spyware Cookies
RealMedia.com
Zedo
Tripod
Radar Spy 1.0
FortuneCity.com


Any recommendations?

Edited by Labrat, 06 September 2005 - 10:04 AM.


#25 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Let's have a look at the content of that registry key.

Click Start > Run > copy the command below in the dialog box:
regedit /e c:\newnet.reg "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004"
then click OK

This will create the file c:\newnet.reg
Find that file and post the content.

For the spyware cookies, please look here: http://privacy.getne...ools/ie6/block3

Regards,

#26 Labrat (Member, Topic Starter, 34 posts)
Here are the results:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\System32\\nwprovau.dll"
"DisplayString"="NWLink IPX/SPX/NetBIOS Compatible Transport Protocol"
"ProviderId"=hex:f0,aa,2d,e0,9f,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:00000001
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001


Made the changes suggested in the link.

Have another good night.

#27 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
As you can see, the entry is related to NetWare (nwprovau.dll).

So I think this is a false positive by CounterSpy.
I'll inform them about it.

Regards,
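An added example (not code from the thread, from CounterSpy or from LSPFix) that automates the check Metallica made by eye: it parses the regedit export Labrat posted, decodes the ProviderId bytes into a GUID, and reports whether LibraryPath points at one of the name-space provider DLLs Windows XP ships in System32. The second registry entry in the block is constructed for contrast, and the default system root C:\WINDOWS is an assumption (the export uses %SystemRoot%, so the machine's actual C:\WINXP does not matter).

```python
import re
import uuid
from pathlib import PureWindowsPath

# Sample input: the regedit /e export posted in the thread, embedded verbatim.
# regedit on XP writes UTF-16LE with a BOM; load_reg() takes bytes or text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\System32\\nwprovau.dll"
"DisplayString"="NWLink IPX/SPX/NetBIOS Compatible Transport Protocol"
"ProviderId"=hex:f0,aa,2d,e0,9f,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:00000001
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
'''

# Constructed, hypothetical entry for contrast (not from the thread): a
# provider DLL outside System32 that a reviewer should inspect by hand.
CONSTRUCTED_THIRD_PARTY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009]
"LibraryPath"="C:\\Program Files\\ExampleVendor\\example_nsp.dll"
"DisplayString"="Example Vendor Name Space Provider"
"ProviderId"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff
"StoresServiceClassInfo"=dword:00000001
'''

# Name-space provider DLLs Windows XP ships itself, matching the LSPFix "Keep"
# list earlier in the thread (the post writes "mwsock.dll"; the file is mswsock.dll).
WINDOWS_XP_NSP_DLLS = {"mswsock.dll", "winrnr.dll", "nwprovau.dll", "rsvpsp.dll"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\([0-9a-fA-F]+\))?:(.*)$')

def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    return raw  # unknown value type: keep verbatim

def load_reg(data):
    """Parse a regedit export into {key_path: {value_name: value}}."""
    if isinstance(data, bytes):
        is_utf16 = data.startswith((b"\xff\xfe", b"\xfe\xff"))
        data = data.decode("utf-16" if is_utf16 else "utf-8", "replace")
    # Re-join continuation lines: long hex values wrap with a trailing backslash.
    logical, buf = [], ""
    for line in data.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    entries, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1))] = _parse_value(m.group(2))
    return entries

def provider_guid(raw):
    # ProviderId stores the GUID with little-endian leading fields (uuid's bytes_le).
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()

def assess_entry(values, system_root=r"C:\WINDOWS"):
    """Report whether a NameSpace_Catalog5 entry is a stock Windows provider."""
    lib = values.get("LibraryPath", "")
    path = PureWindowsPath(re.sub(r"%SystemRoot%", lambda _: system_root, lib, flags=re.IGNORECASE))
    dll = path.name.lower()
    in_system32 = str(path.parent).lower() == str(PureWindowsPath(system_root, "System32")).lower()
    pid = values.get("ProviderId")
    return {
        "dll": dll,
        "provider_id": provider_guid(pid) if isinstance(pid, bytes) and len(pid) == 16 else None,
        # Value CounterSpy's report cites; stock entries carry it too, so alone it proves nothing.
        "stores_service_class_info": bool(values.get("StoresServiceClassInfo", 0)),
        "in_system32": in_system32,
        "verdict": "stock Windows name-space provider"
        if in_system32 and dll in WINDOWS_XP_NSP_DLLS else "review manually",
    }

def assess_reg(data, system_root=r"C:\WINDOWS"):
    return {key: assess_entry(vals, system_root) for key, vals in load_reg(data).items()}
```

Calling assess_reg(SAMPLE_REG) reports the posted entry as a stock Windows provider with ProviderId {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}, while the constructed entry comes back as "review manually".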

#28 Labrat (Member, Topic Starter, 34 posts)
:tazz: Thanks, you've been a tremendous help.

#29 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
My pleasure. :tazz:

#30 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Addendum:

Sunbelt reports that this problem has been resolved with the new defs for CounterSpy: the release version with defs 232 and the beta with defs 230.

Let me know if this is right or not. :tazz: