baker7 Posted October 16, 2005 (edited)

Hello There:
I need some HJT log assistance. I think I inadvertently downloaded a hijacker called newdotnet, and I also have a file called PlanDvd.exe giving me a problem. Emmanuel cannot seem to find any internet sites, and I think these things may have something to do with it.

SPECS: HP Pavilion 8860, 60 GIG hdd, 128 Meg RAM, running WinXP SP2. Performed scans with Adaware and Spybot, and Spybot found some things that I deleted, except it found a reg entry for the Windows Security Center Antivirus disable notify. I used Spybot 1.4 and think that some of these hijacks are slowing my machine down. Could someone take a look at this log and let me know what is up?

Thanks,
Baker7

LOG Below:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:44 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\iNtfySvc\intfysvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACK THIS 1.99.1\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [bLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://www.tfn.net
O15 - Trusted Zone: http://*.tfn.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122481145936
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} -
O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - http://download.verizon.net/sfp/Cabs/hst/w...tWebInstall.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/whatsnext/checkmypc...tivePreQual.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/w...tWebInstall.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3720315E-4868-4ACB-B9D5-8A477ED28305}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: Ipswitch Notification Server (inotifysvr) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iNtfySvc\intfysvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Edited October 16, 2005 by baker7
baker7 Posted October 17, 2005

BUMP

I am able to connect to the Internet ONLY in safe mode on Emmanuel. Hopefully someone will be able to help me figure this one out, as I don't want to be running in safe mode forever.

Baker7
baker7 Posted October 17, 2005

I am beginning the backup process, just in case I want to reformat Emmanuel. I will do so later this afternoon if I do not get any replies, as I must do some important work today or tomorrow.

Baker7
Dan Posted October 17, 2005 (edited)

Hi,
Sorry for the late reply.

First, download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet access after removing NewDotNet.

To get rid of NewDotNet, go to:
Start > Control Panel > Add or Remove Programs and remove the following:
New.Net Applications or New.Net Domains (anything that says New.Net)
If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Next, open HijackThis, and check the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} -
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} -

Close all windows except HijackThis and click the "Fix Checked" button.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Now, locate the following files/folders and delete them:
C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1 << This folder
C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide << This folder

Now reboot and post a new HijackThis log.

Danny

Edited October 17, 2005 by dknoppix
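As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python triage pass over HijackThis log lines that applies the same rules of thumb behind the entries Danny asked to be fixed: orphaned BHOs marked "(no file)", BHOs and autoruns loaded from a user profile or Application Data folder, O10 Winsock LSP entries, O16 DPF entries with no download URL, and anything naming New.Net. The sample lines are copied from the log posted above (abridged); the rule names and the functions parse_line, classify and triage are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted in this thread (abridged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Legitimate BHOs and autoruns almost never live under a user profile or Application Data.
PROFILE_PATH_RE = re.compile(r"(?i)(DOCUME~1|APPLIC~1|Documents and Settings|Application Data)")

def parse_line(line):
    """Return {'section', 'body', 'raw'} for a HijackThis entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("sec"), "body": m.group("body"), "raw": line.strip()}

def classify(entry):
    """Heuristic reason an entry deserves a look (mirrors the thread's fix list), else None."""
    sec, body = entry["section"], entry["body"]
    if sec == "O2" and body.endswith("(no file)"):
        return "orphaned BHO: CLSID registered but its DLL is gone"
    if sec in ("O2", "O4") and PROFILE_PATH_RE.search(body):
        return "BHO/autorun loaded from a user-profile or Application Data folder"
    if sec == "O10":
        return "Winsock LSP hijack: uninstall New.Net, keep LSPFix ready"
    if sec == "O16" and re.search(r" -\s*$", body):
        return "ActiveX (DPF) entry with no download URL"
    if re.search(r"(?i)newdotnet|new\.net", body):
        return "New.Net component"
    return None

def triage(log_text):
    """Return (section, reason, raw line) for each suspect entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["section"], reason, entry["raw"]))
    return findings
```

On the sample above it flags six entries (the two suspect BHOs, PlanDvd.exe, Axis Start.exe, the O10 line and the URL-less O16) and leaves the Acrobat helper, NeroCheck and the MSN Chat control alone.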
baker7 Posted October 17, 2005

Danny:
I appreciate the response to my posting. I will keep this in mind the next time something happens with Emmanuel. However, I needed to begin the backup process to save important documents, and I have already reformatted the machine in question, and have been getting SP2 updates for her. Once this is done, I'll re-enable the networking on Emmanuel, and make connections to my 2000 machine once I get Panda installed (need my firewall and antivirus active before doing much more).

Where did:
O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe
and
O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
come from? I think I downloaded a nasty and when I noticed what it was I deleted it, but the firewall was asking for permission to run plandvd.exe. What is this? Spyware?

I hope you don't mind me coming back here from time to time to ask assistance with checking out my logs. Since G4 changed things round, most HJT log readers are here, and I feel better knowing someone CAN tell me what is up.

Thank you for your efforts
Baker7 (Brian)
Dan Posted October 18, 2005

> Where did:
> O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe
> and
> O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
> come from? I think I downloaded a nasty and when I noticed what it was I deleted it, but the firewall was asking for permission to run plandvd.exe. What is this? Spyware?
>
> I hope you don't mind me coming back here from time to time to ask assistance with checking out my logs. Since G4 changed things round, most HJT log readers are here, and I feel better knowing someone CAN tell me what is up.
>
> Thank you for your efforts
> Baker7 (Brian)

Hi,
I believe they are just random baddies. This may happen from just being on an unprotected computer that is on the internet for a couple of hours. PlanDvd.exe is a random malware. If your firewall sees that an application is launching, etc., say NO unless you know it's safe.

Of course you can stay here! Feel free to post in Open Chat or wherever you want to!

Danny
Dan Posted December 7, 2005

Closed