Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
----------------------------------------
Your original infection of 7/7/06 is still present on your system. As you can see, it is necessary to carry out all instructions given and return with the logs, to completely remove this infection.
----------------------------------------
CLEANUP! version 4.51 – TEMP FILE CLEANING
Please download Cleanup! and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
WARNING: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it!
You can download & run this TOOL to find out for sure.
Please download Ewido Anti-Malware
- Install Ewido Anti-Malware.
- Double-click the icon on Desktop to launch Ewido
- On the top of the main screen click Shield
- Click the word active to change it to inactive
- On the top of the main screen click Update.
- Then click on Start Update. The update will start and a progress bar will show the updates being installed.
- I also recommend changing the "Update interval" to something more reasonable like 12 hours.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.
Download LSPFix.exe. Do not run it yet.
----------------------------------------
Spywareguard
Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
- Right click the running icon of Spywareguard located in the system tray
- Go to Menu > File > Exit and confirm the programs close.
----------------------------------------
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.
----------------------------------------
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
NewNet
NewDotNet
----------------------------------------
Run a scan with HiJack This and verify these entries are still present:
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
If they are present, we will be required to run LSPFix. If not, proceed to the next step
Instructions for using LSPFix
- Double click on LSPFix.exe to run it.
- Once running, you will be required to tick the disclaimer - "I know what I'm doing".
- You'll find a window with 2 panes.
- In the left pane which is labeled 'Keep', select all instances of this file:
- Any instance of NewDot.net or New.net
- Then click on the arrow pointing to the right, >>.
- This will move the entry to the right pane labeled 'Remove'
- Click the Finish button to complete the fix.
Only entries similar to newdotnet need to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane & post the filenames to inform me.
----------------------------------------
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
- Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.
EWIDO
- Run Ewido with its updated definitions: (...it's important that all windows must be closed)
This scan can take quite a while to run, so be prepared.
- Click Scanner
- Click on the Scan tab
- Click Complete System Scan to begin scanning.
- When the scan is complete click Recommended Action and change it to Quarantine.
- Then click Apply all actions.
----------------------------------------
Reboot into Normal Mode.
----------------------------------------
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click on the "Free To Use ActiveScan" located on the top right hand corner
- Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
- Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
- Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
----------------------------------------
Please return and post these logs:
Ewido scan
Panda scan
A new HJT Log
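
The HijackThis check described in the post (are the O10 New.Net entries still present, and are there other LSP entries to keep and report?) can be scripted against a saved log. This is an added example, not part of the original post; the function names, the sample log and the second O10 line format are constructed for illustration.

```python
import re

# Constructed HijackThis log excerpt for illustration (not from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\example.dll
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example) - http://example.invalid/x.cab
"""

O10_LINE = re.compile(r"^O10\s*-\s*(.+)$")
HIJACKED_BY = re.compile(r"^Hijacked Internet access by (.+)$", re.IGNORECASE)
# Product names the post asks to remove; spelling varies, so compare normalised.
TARGETS = ("New.Net", "NewDotNet")

def normalise(name):
    """Lower-case and drop punctuation so 'New.Net' and 'newnet' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def o10_entries(log_text):
    """Return the description of every O10 (Winsock LSP) line in the log."""
    found = []
    for line in log_text.splitlines():
        match = O10_LINE.match(line.strip())
        if match:
            found.append(match.group(1).strip())
    return found

def triage(log_text, targets=TARGETS):
    """Split O10 entries into ones to move to 'Remove' and ones to report."""
    wanted = {normalise(t) for t in targets}
    remove, report = [], []
    for entry in o10_entries(log_text):
        match = HIJACKED_BY.match(entry)
        if match and normalise(match.group(1)) in wanted:
            remove.append(entry)
        else:
            report.append(entry)  # keep in LSPFix and post to the helper
    return {"run_lspfix": bool(remove), "remove": remove, "report": report}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `remove` list corresponds to the "proceed to the next step" branch of the instructions; anything in `report` is an LSP entry that stays in the "Keep" pane.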