mickeblue
Joined: 23 Sep 2003 Posts: 2215
Posted: Tue Jul 27, 2004 1:08 pm Post subject:
Think this posting should be moved to "ain't either"
it's a sod though innit?
 |
mati
Joined: 03 Aug 2004 Posts: 5
Posted: Wed Aug 04, 2004 9:03 am Post subject: the continue of http://www.astonshell.com/forum/viewtopic.ph
An update,
Given the suggestions of PC_mechanic over http://www.astonshell.com/forum/viewtopic.php?p=16097#16097
| Quote: |
Hi there!
What you need to do is read the topic already referenced in detail. You have Spyware on your system - at least one of which has had detailed removal instructions given (Clue: C:\Program Files\WindowsSA\omniscient.exe / F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe ). Getting rid of this should fix your issues (the alternative file browser is unaffected because of the nature of the malware). With regards to your scans, I recommend you follow the guidelines posted in the referenced thread, both before and after removing the afore-mentioned "nasty".
As an off topic, you appear to have an unusually large amount of items running on startup - you might consider trimming the list down for improved boot time and system performance.
You can certainly get rid of:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
Please post follow-ups in the appropriate thread ( http://www.astonshell.com/forum/viewtopic.php?t=2216&postdays=0&postorder=asc&start=0 ) referencing this topic, which I am now locking.
Regards,
|
I've removed WSAupdater.exe and omniscient.exe (entire WindowsSA directory) + some harmless but annoying RoboForm processes, and here is the result:
Logfile of HijackThis v1.98.1
Scan saved at 11:43:02 AM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
c:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
c:\Aston\aston.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\Aston\XP\internat.exe
C:\PROGRA~1\xpoint\agent\Xpagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\PROGRA~1\xpoint\EEClient\xpclient.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\xpoint\SAS\jre\bin\javaw.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\xpoint\pe\PCRECSA.EXE
C:\Program Files\DocSphere\Docsphere.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\Program Files\Spyware\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware\SpywareGuard\sgmain.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Spyware\SpywareGuard\sgbhp.exe
C:\Program Files\ExplorerXP\ExplorerXP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mati Golani\Desktop\software\spyWare\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.co.il
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=wwwproxy.ac.il:8080;http=wwwproxy.ac.il:8080;https=wwwproxy.ac.il:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ac.il; *hotmail*;*services.msn*;<local>
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Pro] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe -nopopup
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [PCRecSA] C:\PROGRA~1\xpoint\pe\PCRECSA.EXE -noshow
O4 - HKLM\..\Run: [DocSphere] "C:\Program Files\DocSphere\Docsphere.exe" HIDE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spyware\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Shortcut to Babylon.lnk = C:\Program Files\Babylon\Babylon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &התאמה אישית לתפריט לחצן ימני - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: הוסף לצייד הפרסומות - C:\Program Files\MYIE2\config/blacklist.htm
O8 - Extra context menu item: שמירת טפסים &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ????? ????? - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: ????? ????? &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: ????? - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: ????? ????? &^ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ???????? - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: ???? ????? ?? ???????? &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://hb2.bankleumi.co.il/download/CfxIEAx.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\ibmegath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/sp_new/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C897D3-49A7-4DBD-BEDE-ED44306ED97B}: NameServer = 132.68.159.1,132.68.1.9
PS: now the Windows Explorer is open for about 5 minutes, quite a miracle.
Many thanks
PS: speaking of shortening the boot time, how can I know what processes I can remove from the startup procedure without causing any harm?
Thanks again
Mati
 |
Veratil

Joined: 29 Aug 2003 Posts: 3536 Location: Texas
Posted: Wed Aug 04, 2004 5:13 pm Post subject:
Start->Run->msconfig
Select the last tab, and uncheck things you don't want to load at bootup.
_________________
ASTONSHELL.COM FORUM MODERATOR
 |
The_PC_Mechanic Site Admin

Joined: 22 Oct 2002 Posts: 2113 Location: Algonquin Hills, USA
Posted: Wed Aug 11, 2004 9:07 pm Post subject:
It's worth noting that Lavasoft have a new offering called AdAwareSE. It appears to be more effective at grabbing the nasties, but they recommend removing the old version you might already have. When you do this, you lose your ignore list, so remember to look for the entry that claims the shell has been compromised - PUT THAT ENTRY IN YOUR IGNORE LIST, as it is the Aston shell entry.
I have posted this behaviour on the AdAware forum, and they state that this is how they intend to have AdAware work, and they will not change it, so the ignore list is the only option for us.
Regards,
_________________
Reading these feeds: http://www.mypcmechanic.com/pcmfeeds.opml
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Wed Aug 25, 2004 6:24 pm Post subject:
PC, I ran the HijackThis and it found probs. I forgot to save the log, but it looked fixed for the next 5 times I did it; then I keep fixing each asset and it keeps coming back, but the problem I had posted and that Veratil was talking about is now fixed.
Logfile of HijackThis v1.98.2
Scan saved at 1:21:59 PM, on 8/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Aston\aston.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Rar$EX00.303\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hgoavixvpitbxze.com/UOiyIPk0ecHqUndHQxPtTZ1BVj6RfHvFSblExc7jxrWINqm8KNiZZiQgUqcnmGzu.html
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
 |
The_PC_Mechanic Site Admin

Joined: 22 Oct 2002 Posts: 2113 Location: Algonquin Hills, USA
Posted: Wed Aug 25, 2004 6:38 pm Post subject:
So are you saying that you have successfully removed New.net? Make sure you read the posts regarding new.net (newdotnet) further up in this thread.
Regards,
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Wed Aug 25, 2004 6:43 pm Post subject:
ok thank you
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Tue Aug 31, 2004 5:16 pm Post subject:
Well PC, the problem came back. I tried everything: the edit you said to do for cmd, all sorts of spyware/Ad-Aware stuff, reg cleaners, manually doing it, everything, so please help lol
Logfile of HijackThis v1.98.2
Scan saved at 12:12:00 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Aston\aston.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Rar$EX00.789\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fdmimwvtiaalxgsq.com/UOiyIPk0ecHqUndHQxPtTZ1BVj6RfHvFSblExc7jxrW6okaJfk3RLyQgUqcnmGzu.php
O4 - HKLM\..\Run: [Multi iso] C:\PROGRA~1\PLUSHO~1\mathforkooze.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Tue Aug 31, 2004 6:31 pm Post subject:
lol forget it, I selected a full system scan on Lavasoft and it found it and removed it, so it's gone. I took a ss of it, showed Veratil, he was like good for the retard lol. I am all happy, thank you though
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Tue Aug 31, 2004 7:19 pm Post subject:
OK IT CAME BACK YET AGAIN ARGGGGGGGGGGGGGGG
Logfile of HijackThis v1.98.2
Scan saved at 2:19:20 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Aston\aston.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Rar$EX02.190\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.djnglceavudphnbcktyc.com/UOiyIPk0ecGI2hXX_HHYD/PIDqCQ1T0wgWu9cWgjMFw.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.lqfsyuwrdsbwkswbwyf.uk/UOiyIPk0ecHqUndHQxPtTZ1BVj6RfHvFSblExc7jxrXF_Y6wSFGWyiQgUqcnmGzu.asp
O2 - BHO: (no name) - {D9389421-596E-B7B2-31C3-816F0257720B} - C:\PROGRA~1\MODEMO~1\Realhole.exe
O4 - HKLM\..\Run: [Multi iso] C:\PROGRA~1\PLUSHO~1\mathforkooze.exe
O4 - HKLM\..\Run: [Debug safe bat ooze] C:\Documents and Settings\All Users\Application Data\Coal Internet Debug Safe\Barb Bind.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Tue Aug 31, 2004 7:41 pm Post subject:
ok Lavasoft will find it, remove it, and about 30 mins l8r it comes back
 |
The_PC_Mechanic Site Admin

Joined: 22 Oct 2002 Posts: 2113 Location: Algonquin Hills, USA
Posted: Tue Aug 31, 2004 10:33 pm Post subject:
That means you are either not removing the whole thing, or you are visiting a site that is re-downloading the hijacker. One thing you need to be sure of is that Newdotnet is not leaving the HOSTS entry intact. Assuming you aren't visiting a site that is redownloading it for you, you are going to have to try and find what item is reloading it.
What you can try (though make certain you have teatimer and Spywareblaster running, and updated) is go to http://www.google.com/search?q=uninstall6%5F34%2Eexe and click the newdotnet site link. (I can't give the link directly, as their page prohibits all linking - and it's hard to determine if they mean to the executable file or the HTML! They seem to have a set of very happy attorneys, so I'll play it safe).
Anyway, with any luck, that should remove it. If not, there is another option, but we'll only go there if we really have to.
Regards,
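Added example (not part of the original thread and not any poster's code): when a hijacker keeps coming back between scans, diffing two consecutive HijackThis logs narrows down which entries were rewritten, newly added, or survived removal. The Python below does this for the entry sections of the two 8/31/2004 logs posted above; the function names are this example's own.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] path"; the log header and
# the running-process list do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Entry sections of the 12:12 PM and 2:19 PM logs, copied from the thread;
# the four repeated O10 lines in each log are omitted.
LOG_1212 = r'''
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fdmimwvtiaalxgsq.com/UOiyIPk0ecHqUndHQxPtTZ1BVj6RfHvFSblExc7jxrW6okaJfk3RLyQgUqcnmGzu.php
O4 - HKLM\..\Run: [Multi iso] C:\PROGRA~1\PLUSHO~1\mathforkooze.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Hijacked Internet access by New.Net
'''

LOG_1419 = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.djnglceavudphnbcktyc.com/UOiyIPk0ecGI2hXX_HHYD/PIDqCQ1T0wgWu9cWgjMFw.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.lqfsyuwrdsbwkswbwyf.uk/UOiyIPk0ecHqUndHQxPtTZ1BVj6RfHvFSblExc7jxrXF_Y6wSFGWyiQgUqcnmGzu.asp
O2 - BHO: (no name) - {D9389421-596E-B7B2-31C3-816F0257720B} - C:\PROGRA~1\MODEMO~1\Realhole.exe
O4 - HKLM\..\Run: [Multi iso] C:\PROGRA~1\PLUSHO~1\mathforkooze.exe
O4 - HKLM\..\Run: [Debug safe bat ooze] C:\Documents and Settings\All Users\Application Data\Coal Internet Debug Safe\Barb Bind.exe
O10 - Hijacked Internet access by New.Net
'''


def index_entries(log_text):
    """Map each entry's identity -> current value ("" when it has none)."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section[0] in "RF" and "=" in body:
            # Registry/INI value: the value name is the identity, so a
            # rewritten URL is reported as "changed", not as remove + add.
            name, value = body.split("=", 1)
            entries[(section, name.strip())] = value.strip()
        else:
            # Duplicate lines (e.g. repeated O10 entries) collapse to one key.
            entries[(section, body.strip())] = ""
    return entries


def diff_logs(before_text, after_text):
    """Classify the later scan's entries against the earlier scan."""
    before, after = index_entries(before_text), index_entries(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in after if k in before and after[k] != before[k]),
        "persisted": sorted(k for k in after if k in before and after[k] == before[k]),
    }


if __name__ == "__main__":
    for status, keys in diff_logs(LOG_1212, LOG_1419).items():
        for section, ident in keys:
            print(f"{status:9} {section:3} {ident}")
```

Run on these two logs, it reports the SearchAssistant value as changed, three added entries (a Start Page value, a BHO and a Run key), and the `[Multi iso]` Run entry and the New.Net O10 entry as persisting across both scans.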
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Tue Aug 31, 2004 10:36 pm Post subject:
if it is reinstalling Windows I am thinking about formatting, dual boot Slackware/Windows XP
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Sat Sep 18, 2004 12:39 pm Post subject:
okay since there are still 2 iexplorers always open I am tired of it so I am prolly going to format :S
 |
Eugney

Joined: 15 Jul 2004 Posts: 357 Location: Dallas,Texas
Posted: Thu Oct 28, 2004 5:39 am Post subject:
Fresh format; after install of MSN I get 2 iexplorers open all the time. The hijack log is this:
Logfile of HijackThis v1.97.7
Scan saved at 12:36:25 AM, on 10/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Aston\aston.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gkujlhysva.biz/kiWioY/jvatSCFQF6MJ7amDEEpF7lGtL3ilndSkZQMWylSZfQY7k1PQxK1t_BZ2o.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [second eggs] C:\DOCUME~1\Chris\APPLIC~1\REFSTU~1\Mode Loud.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O9 - Extra button: AIM (HKLM)
Ran RegSupreme, Lavasoft Ad-Aware and Spybot also