Struggling Computer, HJT Log - Please help :)

Status
Not open for further replies.

toddy89

Hi everyone,

I'm basically sorting out my sister's painfully knackered computer (despite being less than a year old).

AMD 64 Athlon processor
448mb ram
WinXP home SP2
Using Mozilla Firefox Browser


She just doesn't understand a lot of the dangers that most of us have come to know and avoid! I'm mid-way after a few Ad-Aware scans etc, have disabled some startup entries (some suspicious ones....) and have just run HijackThis, hoping you guys and gals can shed some light on anything else adware/malware/spyware related to sort out.

Just as another thing, I'll add the suspicious startup items (active or inactive) and maybe you'll tell me what should be there or shouldn't!


"C:\Program Files\Common Files\GMT\GMT.exe" /startup
C:\Program Files\Network\ipnetwork.exe
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s (new.net domains)
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\SMINST\RECGUARD.EXE


Thanks Everyone, will post anything else you may need!! :S

Thanks again,

Toddy
 
Hi,
REBOOT in SAFE MODE (press F8 a few times when booting).

XP/ME only: DISABLE SYSTEM RESTORE.
Go to My Computer, Tools, Folder Options and view, check all hidden files and folders.
Run HJT with no other programs running and put a check mark next to the following:

C:\WINDOWS\ALCXMNTR.EXE
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - _{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: .billingnow.com
O15 - Trusted Zone: .reliablestats.com
O15 - Trusted Zone: .winantispyware.com
O15 - Trusted Zone: .winantivirus.com
O15 - Trusted Zone: .winantiviruspro.com
O15 - Trusted Zone: .winnanny.com
O15 - Trusted Zone: .winsoftware.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload408a.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Click fix selected, when it's done restart the computer and post a fresh HJT log and we can see if there are any persistent infestations.
 
Okay, did everything you said fastco, removed/fixed all selected. There was an error with something about O10, to do with the new.net startup, but said that SpyBOTS&D will get rid of it, so will do that. Here attached is the new log, thanks very much!!!
 
Great, are these entries causing any problems?

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
 
Yep, that's them!!! Will Spybot S&D get rid of them like it suggested??? I'm downloading it now so I hope so :p !!!

Thanks
toddy
 
It might, but if it doesn't, run HJT and put a check next to those entries. Click Config in HJT and then Misc tab and check delete file on reboot. Restart the computer and if all the infections are gone turn on system restore. Spybot might remove them and Adaware also might but they have to be run while the computer is in safe mode. Also remove this entry in safe mode: C:\Program Files\Save\Save.exe
 
Thanks for all your help mate, will do all that tomorrow, right now I don't really have time. The major problems have gone now though, so thanks!

Toddy
 
You shouldn't fix O10 entries in HJT. Instead go HERE and follow the instructions at the bottom of the page.

Run HJT and click on the config button, then the backups button, select everything in the backups window and click the restore button. Reboot your computer.

Then, post a fresh HJT log into this thread.

Regards Howard :)
 
Hi, this may just be my anti-virus being too overprotective or recognising a virus uninstaller as a virus, but I am constantly being warned that the program to remove the new.net virus is a virus itself??? Should I download, install and run anyway???

Thanks, Toddy

ps, morning all...(in uk :p)
 
As I've already said, you should run HJT and click on the config button, then the backups button, tick everything in the main window and click on the restore button.

Then, go HERE and follow the instructions exactly.

Post a fresh HJT log after doing the above.

Regards Howard :)
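
An added example, not part of any post in this thread: a short Python triage of pasted HijackThis lines that groups entries by section code, collapses the repeated O10 lines, tags entries ending in "(no file)" or "(file missing)", and marks O10 entries in line with the advice above not to fix them in HJT. The `triage` and `summary` helpers and the tag names are assumptions made for illustration; the sample lines are copied from the checklist earlier in the thread.

```python
import re

# HijackThis section codes seen in this thread, with their standard meaning.
SECTIONS = {"R3": "IE URLSearchHook", "O2": "Browser Helper Object",
            "O4": "Autostart entry", "O10": "Winsock LSP",
            "O15": "Trusted Zone site", "O16": "ActiveX (Downloaded Program Files)",
            "O23": "Windows service"}
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$", re.I)

def triage(log_text):
    """Group HJT entries by section, collapse duplicates, and tag each entry."""
    report, unparsed = {}, []
    for raw in log_text.splitlines():
        line = raw.strip().replace("[/url]", "")  # strip forum BBCode residue
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            unparsed.append(line)  # e.g. a bare file path with no section code
            continue
        code, body = m["code"], m["body"]
        item = report.setdefault(code, {}).setdefault(body, {"count": 0, "tags": set()})
        item["count"] += 1
        if ORPHAN.search(body):
            item["tags"].add("orphan")  # entry references a file that is gone
        if code == "O10":
            item["tags"].add("no-hjt-fix")  # thread advice: do not fix O10 in HJT
    return report, unparsed

def summary(report):
    """Per section: (code, meaning, unique entries, total lines)."""
    return [(c, SECTIONS.get(c, "unknown"), len(e), sum(i["count"] for i in e.values()))
            for c, e in report.items()]

# Constructed sample: lines copied from the checklist posted in this thread.
SAMPLE = r"""C:\WINDOWS\ALCXMNTR.EXE
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: .winantivirus.com[/url]
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

if __name__ == "__main__":
    report, unparsed = triage(SAMPLE)
    for row in summary(report):
        print(row)
    print("unparsed:", unparsed)
```

Lines that do not start with a section code, such as the bare `ALCXMNTR.EXE` path, are returned separately so they are not silently dropped.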
 