Well, now you've somehow gotten some new crapware that weren't on your system before.
Where did you get Xoftspy? It seems as if it's infected. I'd recommend you remove it. There are better programs available for anti malware purposes.
We have to take a step back and do a through cleaning again. I'll add some protection layers as well.
Please refrain from internet use, except for cleaning, utill we have this resolved.
Download
LSPFix as we may need it later.
Please update Ewido, and run a scan where I have it palced in this fix.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to
manually update Ewido
When you have finished updating,
EXIT Ewido.
Disconnect from the internet.
---------------------------------------------------------------------------------------------
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.
---------------------------------------------------------------------------------------------
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
NewDotNet or New.Net Domains
SaveUninst.exe.
WhenU
Xoftspy
---------------------------------------------------------------------------------------------
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
While running Hijackthis, verify if these entries still exist:
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
If they exist, we would be required to run
LSPFix.exe
Instructions for using LSPFix- Double click on LSPFix.exe to run it.
- Once running, you will be required to tick the disclaimer - "I know what I'm doing".
- You'll find a windows with 2 panes.
In the left pane which is labeled 'Keep', select all instances of:- NEWDOTNET or newdotnet7_22.dll
- Then click on the arrow pointing to the right, >>.
This will move the entry to the right pane labeled 'Remove'
- Click the Finish button to complete the fix.
Only entries similar to NEWDOTNET need to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane & post the filenames to inform me.
---------------------------------------------------------------------------------------------
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
Delete the following if they exist:
C:\Program Files\NewDotNet
C:\Program Files\Save
C:\Documents and Settings\Paul\Desktop\l2mfix\backup.zip
C:\Documents and Settings\Paul\My Documents\Anti Spyware Software\XoftSpy421_169.exe
Run the ATF Cleaner again.
Double-click
ATF-Cleaner.exe to run the program.
Under
Main choose:
Select All
Click the
Empty Selected button.
If you use Firefox browser- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click
Exit on the Main menu to close the program.
For
Technical Support, double-click the e-mail address located at the bottom of each menu.
Run
Ewido with it's updated definitions:(...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
- "Perform action on all infections"
- Choose clean and click OK.
Once finished, click the
Save report button & save the report to your desktop
** Ewido scan would require at least an hour.
---------------------------------------------------------------------------------------------
Restart in normal mode.
---------------------------------------------------------------------------------------------
Establish an internet connection
---------------------------------------------------------------------------------------------
Download Ad-aware at
http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to
http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at
http://www.greyknight17.com/spyware.php#adaware for better scan results. Run the scan and fix everything that it finds.
Perform an online scan with
Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
- Follow the prompts to install the ActiveX controls
- It will say "Loading TrendMicro definitions".
- Click "Start Scan"
After it's done scanning, click "
Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Reboot your computer. I then need you to
repeat the same procedure above again using the TrendMicro tool.
---------------------------------------------------------------------------------------------
Run a new scan with Kaspersky, save the results and post them here.
---------------------------------------------------------------------------------------------
Run a new HijackThis scan. Save the log file and post it here.
---------------------------------------------------------------------------------------------
Download
IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click
install.bat
Select Option #2 -
Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 -
Add the old porn sites domain
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
Extract All from the menu.
- Click Next, click Next, select the option:
"Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
Download
SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button -
enable protection for all unprotected items
So, please return with logs from:
Ewido
Kaspersky
HJT