TechSpot

Struggling Computer, HJT Log - Please help :)

By toddy89
Jul 8, 2006
  1. Hi everyone,

    I'm basically sorting out my sister's painfully knackered computer (despite being less than a year old).

    AMD 64 Athlon processor
    448mb ram
    WinXP home SP2
    Using Mozilla Firefox Browser


    She just doesn't understand a lot of the dangers that most of us have come to know and avoid! I'm midway after a few Ad-Aware scans etc., have disabled some startup entries (some suspicious ones....) and have just run HijackThis, hoping you guys and gals can shed some light on anything else adware/malware/spyware related to sort out.

    Just as another thing, I'll add the suspicious startup items (active or inactive) and maybe you'll tell me what should be there or shouldn't!


    "C:\Program Files\Common Files\GMT\GMT.exe" /startup
    C:\Program Files\Network\ipnetwork.exe
    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s (new.net domains)
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\SMINST\RECGUARD.EXE


    Thanks Everyone, will post anything else you may need!! :S

    Thanks again,

    Toddy
     
  2. fastco

    fastco TS Booster Posts: 1,122

    Hi,
    REBOOT in SAFE MODE (press F8 a few times when booting).

    XP/ME only: DISABLE SYSTEM RESTORE.
    Go to My Computer, Tools, Folder Options and view, check all hidden files and folders.
    Run HJT with no other programs running and put a check mark next to the following:

    C:\WINDOWS\ALCXMNTR.EXE
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - _{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [New.net Startup] rundll32
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O15 - Trusted Zone: http://*.billingnow.com
    O15 - Trusted Zone: http://*.reliablestats.com
    O15 - Trusted Zone: http://*.winantispyware.com
    O15 - Trusted Zone: http://*.winantivirus.com
    O15 - Trusted Zone: http://*.winantiviruspro.com
    O15 - Trusted Zone: http://*.winnanny.com
    O15 - Trusted Zone: http://*.winsoftware.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload408a.exe
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    Click fix selected, when it's done restart the computer
    and post a fresh HJT log and we can see if there are any persistent infestations.
     
  3. toddy89

    toddy89 TS Rookie Topic Starter Posts: 46

    Okay, did everything you said fastco, removed/fixed all selected. There was an error with something about O10, to do with the new.net startup, but said that SpyBOTS&D will get rid of it, so will do that. Here attached is the new log, thanks very much!!!
     
  4. fastco

    fastco TS Booster Posts: 1,122

    Great, are these entries causing any problems?

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
     
  5. toddy89

    toddy89 TS Rookie Topic Starter Posts: 46

    Yep, that's them!!! Will Spybot S&D get rid of them like it suggested??? I'm downloading it now so I hope so :p !!!

    Thanks
    toddy
     
  6. fastco

    fastco TS Booster Posts: 1,122

    It might, but if it doesn't, run HJT and put a check next to those entries. Click Config in HJT and then Misc tab and check delete file on reboot. Restart the computer and if all the infections are gone turn on system restore. Spybot might remove them and Adaware also might but they have to be run while the computer is in safe mode. Also remove this entry in safe mode: C:\Program Files\Save\Save.exe
     
  7. toddy89

    toddy89 TS Rookie Topic Starter Posts: 46

    Thanks for all your help mate, will do all that tomorrow, right now I don't really have time. The major problems have gone now though, so thanks!

    Toddy
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You shouldn't fix O10 entries in HJT. Instead go HERE and follow the instructions at the bottom of the page.

    Run HJT and click on the config button, then the backups button, select everything in the backups window and click the restore button. Reboot your computer.

    Then, post a fresh HJT log into this thread.

    Regards Howard :)
     
  9. toddy89

    toddy89 TS Rookie Topic Starter Posts: 46

    Hi, this may just be my anti-virus being too overprotective or recognising a virus uninstaller as a virus, but I am constantly being warned that the program to remove the new.net virus is a virus itself??? Should I download, install and run anyway???

    Thanks, Toddy

    ps, morning all...(in uk :p)
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As I've already said, you should run HJT and click on the config button, then the backups button, tick everything in the main window and click on the restore button.

    Then, go HERE and follow the instructions exactly.

    Post a fresh HJT log after doing the above.

    Regards Howard :)
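
A small triage script for the advice in this thread, added here as an example and not written by any poster or taken from HijackThis: it parses HJT entry lines, collapses repeats, sets O10 (Winsock LSP) entries aside for a dedicated tool as howard_hopkinso advises, and marks entries whose file HJT reports as missing. The sample log is constructed from lines quoted above; the function and key names are assumptions.

```python
import re
from collections import Counter

# HJT entry lines look like "<code> - <detail>", e.g. "O10 - Hijacked ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# HJT marks references to files it cannot find with these suffixes.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")
SECTION_NAMES = {"R3": "URLSearchHook", "O2": "Browser Helper Object",
                 "O4": "autostart entry", "O10": "Winsock LSP",
                 "O15": "Trusted Zone site", "O16": "ActiveX download",
                 "O23": "Windows service"}

# Constructed sample: lines quoted in the thread plus a header line.
SAMPLE_LOG = r"""Logfile of HijackThis
C:\WINDOWS\ALCXMNTR.EXE
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://*.winantivirus.com
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

def parse_entries(log_text):
    """Return (code, detail) tuples; header and process lines are skipped."""
    matches = (ENTRY_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(log_text):
    """Bucket entries: O10 is kept apart, missing-file entries are flagged."""
    report = {"review_in_hjt": [], "lsp_needs_dedicated_tool": [], "orphaned": []}
    # Counter keeps first-seen order and collapses the repeated O10 lines.
    for (code, detail), n in Counter(parse_entries(log_text)).items():
        item = {"code": code, "section": SECTION_NAMES.get(code, "other"),
                "detail": detail, "count": n}
        if code == "O10":
            report["lsp_needs_dedicated_tool"].append(item)
            continue
        report["review_in_hjt"].append(item)
        if ORPHAN_RE.search(detail):
            report["orphaned"].append(item)
    return report

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, [(i["code"], i["count"]) for i in items])
```

The script only sorts and labels entries; deciding which of the reviewed entries are unwanted still takes the kind of judgement shown in the replies above.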
     
Topic Status:
Not open for further replies.
