jamez_19921 Posted September 7, 2006

Logfile of HijackThis v1.99.1
Scan saved at 22:08:58, on 07/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\rwpnh.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\mbsmon32.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
c:\windows\system32\mbsreg32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jamez\Local Settings\Temporary Internet Files\Content.IE5\OPUVGPQ3\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C96DE4D-58C9-333A-F456-3DE80E4F66F0} - C:\WINDOWS\system32\cvbipeg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ó# K"h'þ9Óœ÷3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwpnh.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [mbsmon32] C:\WINDOWS\system32\mbsmon32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: MsgPlusLoader.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Dan Posted September 7, 2006

Hi,

Welcome to the forums!

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

After you uninstall New.net, please open HijackThis, click the "Scan" button, and check the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O4 - HKLM\..\Run: [ó# K"h'þ9Óœ÷3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rwpnh.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [mbsmon32] C:\WINDOWS\system32\mbsmon32.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot

Close all windows except HijackThis, and click the "Fix Checked" button.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Go to the Start Menu, and click on "Control Panel". Choose "Add/Remove Programs" and remove any of the following that are listed:

IST Service
OR
ISTBar

Next, please enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Next, delete the following files/folders (if they exist):

c:\windows\system32\rlvknlg.exe << This file
C:\WINDOWS\system32\mbsmon32.exe << This file
C:\Program Files\ISTsvc << This folder
C:\WINDOWS\rwpnh.exe << This file

Reboot, and post a new HijackThis log.

Danny
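
An added example (not part of the thread and not HijackThis code): a Python check for the follow-up log requested at the end of the reply above. It parses a log into running processes and section entries, then reports any fix-list entry or deleted file that is still present; the function names are hypothetical and the follow-up log is constructed for illustration.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] command"; the code before
# " - " names the HijackThis section (R0, R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_log(text):
    """Split a log into (running process paths, [(section, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def verify_cleanup(followup_log, fixed_entries, deleted_paths):
    """Report fix-list entries and deleted files still seen after the reboot."""
    processes, entries = parse_log(followup_log)
    # Windows paths and registry names compare case-insensitively.
    present = {f"{code} - {detail}".casefold() for code, detail in entries}
    targets = [p.casefold() for p in deleted_paths]
    return {
        "still_listed": [e for e in fixed_entries if e.casefold() in present],
        "still_running": [p for p in processes if any(
            p.casefold() == t or p.casefold().startswith(t + "\\") for t in targets)],
    }

# Fix-list and deletion items taken from the reply above.
FIXED_ENTRIES = [
    r"O4 - HKLM\..\Run: [mbsmon32] C:\WINDOWS\system32\mbsmon32.exe",
    r"O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system32\rlvknlg.exe -boot",
    r"O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll",
]
DELETED_PATHS = [r"c:\windows\system32\rlvknlg.exe", r"C:\WINDOWS\system32\mbsmon32.exe",
                 r"C:\Program Files\ISTsvc", r"C:\WINDOWS\rwpnh.exe"]
# Constructed follow-up log in which one item has survived the cleanup.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mbsmon32.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [mbsmon32] C:\WINDOWS\system32\mbsmon32.exe
"""
if __name__ == "__main__":
    print(verify_cleanup(FOLLOWUP_LOG, FIXED_ENTRIES, DELETED_PATHS))
```

An entry that reappears in the follow-up log after being fixed usually means something still running is rewriting it, which is why the reply pairs the registry fixes with deleting the files in Safe Mode.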