#1 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
Returned from deployment to this...
The wife has taken over my computer... and a lot of "c***" around that I'd like to clean up. Here's my log. I appreciate your help. The DiskAdServ.exe and DiskAdKeep.exe are pains.
Thanks, Dan
==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 8:44:05 AM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iGlide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRA~1\DAP\dapbho.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl.../bridge-c1.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?322
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
End of KRC HijackThis Analyzer Log.
==========================================================
Last edited by CTSNKY; 01-25-2005 at 08:36 PM. |
|
|
|
|
#2 (permalink) |
|
TSF Veteran
|
ok hello my name is NoRiN and welcome to TSF. i will post as best i can and more than likely one of the mods will come in and post as well... they are good like that ^_^
go ahead and run HJT and check the following:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
do you know exactly what this is below?
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
or is that your printer?
what i suggest is going to get Ad-Aware SE and also get SpyBot - S&D. open the installers, update as necessary and let them run
i suggest running Ad-Aware first then SpyBot [i suggest this because after Spybot finishes finding the bad files and you select which ones to fix it will set a system restore point. so... thus meaning if you run spybot first it will set a system restore point and then you run ad-aware and clean those files out. well next time you restore your system to that date you have all of that spyware that you have to clean yet again. ~_^]
you already have HJT which is good. also a good thing to do. is the generic method. go in thru control panel and uninstall those programs.
i also suggest two other programs that are really well designed and user friendly. Ashampoo WinOptimizer Suite | Wintools.net
WinTools.net comes in two flavors Classic and Pro [i personally use Pro]
the above two files are only trial versions. how you obtain the serial #s is up to you. however i do highly recommend paying for them as the company will be able to provide us with more of these outstanding products.
hope this helps |
|
|
|
|
#3 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
update
Installed / Ran AdAware SE:
Removed 103 files/processes with the exception of the DiskAdServ.exe and DiskAdKeep.exe and the dll file that goes with it. Says perhaps AdAware will remove it after reboot?!
Installed / Ran Spybot:
Will re-run Hijack This after I eat... and post my new log.
Thanks, and keep the feedback coming. Dan
(EDIT: We don't need the pics.)
Last edited by CTSNKY; 01-25-2005 at 08:28 PM. |
|
|
|
|
#4 (permalink) |
|
Admin/Head GreaseMonkey/Igor's alter ego/Grand Exalted PoohBah
Join Date: Dec 2001
Location: SC
Posts: 2,920
OS: Windows XP Home/Pro SP3/Windows 98SE/Fedora Core 6/RH 7.2 with Autopoint/TAMS II
|
Welcome Dan!
I have moved your thread over to our HiJack This section. Please run HJT again, process your log through the KRC Analyzer, and post it in here. One of our Analysts will be along shortly to get you squared away!
__________________
Please post all questions in the appropriate forum. Questions sent by email or PM will not be answered. Sharing my life...with my Imzadi! Interested in Trek gaming? Check out the Dynaverse! Proud supporter of the Carolinas Aviation Museum. If we have helped you in any way, please donate to keep TSF up and running! |
|
|
|
|
#5 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked.
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.
Download WinsockFix and unzip it. Then double-click on it to run it only if your internet connection becomes broken after removing New.Net (been known to happen).
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
Reboot into Safe Mode (hit F8 key until menu shows up).
Make sure to close any open browsers.
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
P2P Networking
DeskAd Service
New.Net
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...e/bridge-c1.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\system32\P2P Networking\
C:\Program Files\DeskAd Service\
C:\Program Files\NewDotNet\
Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again).
Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
GO BIG BLUE!! |
|
|
|
|
#6 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
Update #2
Did as told... everything seemed to delete with no problems with the exception of NewDotNet folder. The dll file wouldn't budge (even in safe mode)...
Here's my updated HJT Analyzer log:
==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 9:19:08 PM, on 1/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iGlide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRA~1\DAP\dapbho.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?322
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
End of KRC HijackThis Analyzer Log.
========================================================== |
|
|
|
|
#7 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):
(May want to confirm spelling first.)
C:\Program Files\NewDotNet\NewDotNet.DLL
Reboot to Safe Mode and try deleting that folder and fixing those entries in HJT now. Post a fresh HJT log when done.
__________________
GO BIG BLUE!! |
|
|
|
|
#9 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
__________________
GO BIG BLUE!! |
|
|
|
|
#10 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
Well, not much luck there... didn't "see" where the KILL worked after I rebooted... although I was thinking it was doing it during, because it took a long time for my computer to log off after clicking restart.
At any rate... My first problem... NewDotNet refusing to be deleted (even in safe mode): [image]
I ran HJT and tried fixing those 5 things... and received THIS error: [image]
I'm lost... and confused.
~Dan
ps. I certainly appreciate everything thus far. This NewDotNet is a PAIN!
Last edited by NavyManDan; 01-27-2005 at 06:18 AM. Reason: bad photo |
|
|
|
|
#11 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Please do the following to remove the New.net application from your computer:
Close all browsers.
Click Start
Click Run
Type in the following line: "rundll32 c:\winnt\newdotnet6_386.dll,NewDotNetUninstall" (no quotes)
Click OK
You should then see a small window asking if you want to uninstall the New.net application. Click Yes.
Once this is done, restart your computer. This should keep the .dll from loading up at startup of your computer.
__________________
GO BIG BLUE!! |
|
|
|
|
#12 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
W E I R D
I copied what you had, and hit enter, but it wasn't able to find the file...
So I was like DUH... it's in the Program Files\NewDotNet folder... so I put in:
rundll32 C:\Program Files\NewDotNet\newdotnet6_38.dll,NewDotNetUninstall
It did absolutely nothing. Folder's still there...
I ran SPYBOT again, apparently there are still 27 problems and a continuous error (never has ran without an error popping up).
Here's a before fixing checked errors shot: [image]
And here's an after fixing errors shot (or should I say attempt): [image]
Dan
Last edited by NavyManDan; 01-27-2005 at 06:27 AM. Reason: misspelling |
|
|
|
|
#13 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Did you try deleting the folder after running this command? If not, do so now and post a fresh HJT log. We have other options.
__________________
GO BIG BLUE!! |
|
|
|
|
#14 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
*sigh*
Yes, I tried deleting the file/folder... and got this msg (again):
[image]
Restarted the computer for Spybot to run again.... SAME apparent problems that need to get fixed. After I clicked Yes to removing the files, only 6 were fixed, and 12 problems remained: [image]
Here's an updated log just for sport...
==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 7:58:48 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iGlide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Spybot\SpybotSD.exe" /autocheck
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?322
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
End of KRC HijackThis Analyzer Log.
==========================================================
~Dan
Same Spybot process was repeated... same 18 problems found, same 6 "fixed" (or so the program said, why were they back after reboot if SpyBot fixed them?)...
Counting down the days until it's all fixed... I DO appreciate everyone's help!
~Dan
Last edited by NavyManDan; 01-27-2005 at 06:57 AM. Reason: misspelling |
|
|
|
|
#15 (permalink) |
|
Analyst, Security Team
|
OK, let's try this. Restart and tap your F8 key repeatedly until a menu shows up. Then choose Command Prompt. Let it load and at the prompt type in the following:
rd /s /q "c:\program files\newdotnet\"
and hit your Enter key. Restart by hitting ctrl+alt+del and do the following:
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked.
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.
Download the Spybot DSO Exploit Fix and install it over the current Spybot installation if you haven't done so already.
Run WinsockFix again.
Reboot into Safe Mode (hit F8 key until menu shows up).
Make sure to close any open browsers.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\PROGRA~1\NEWDOT~1\ - should be gone by now (hopefully)
Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again).
Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
#16 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
great ideas... not so great results...
Okay, from the top:
Win XP doesn't have an option (that I saw) to JUST boot up to the MSDOS prompt... so I opted for the "Safe Mode with DOS Prompt" (or something close to that)... obviously (to me) since WinXP loaded... no chance of deleting newdotnet [image]
So anyway, I went into safe mode and ran SpyBot, came up with 9 files to fix (the ones you listed): [image]
During the fix, I came up with this familiar error: [image]
After this, I attempted (frivolous, I know) to remove that folder once again... [image]
The end result? You guessed it: [image]
Ran HJT (before reboot) and had this as a result:
==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 9:08:22 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iGlide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?322
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
End of KRC HijackThis Analyzer Log.
==========================================================
Rebooted in Normal mode, ran Spybot again, and came up with MORE crap: [image]
It got rid of a lot this time... all but 3 [image]
And finally... my new/improved HJT log:
==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 9:41:22 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iGlide.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Spybot\SpybotSD.exe" /autocheck
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?322
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
End of KRC HijackThis Analyzer Log.
==========================================================
Still have confidence in the miracle happening... I HAVE downloaded Winsock, haven't ran it yet, ONLY because I haven't removed newdotnet yet.
~Dan |
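Each round of this thread ends with the same manual check: which entries from the fix list are still in the next HijackThis log. The script below is an added example, not part of any post and not a HijackThis or KRC Analyzer feature; it compares the fix list from post #15 with an abbreviated copy of the last log in post #16, and the function names (`parse`, `still_present`, `report`) are hypothetical.

```python
import re
from collections import Counter

# HijackThis section codes that occur in this thread, with their usual meaning.
SECTIONS = {
    "R0": "Internet Explorer registry setting", "R1": "Internet Explorer registry setting",
    "O1": "hosts file redirect", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O10": "Winsock hijacker (LSP)", "O14": "IERESET.INF reset setting",
    "O16": "downloaded ActiveX object",
}

CODE = r"(?:R[0-3]|O\d{1,2})"
# An entry runs from "<code> - " up to the next "<code> - " or the end of the text,
# so it also works on logs that a forum or scraper has flattened onto one line.
ENTRY = re.compile(rf"(?:^|(?<=\s))({CODE}) - (.*?)(?=\s+{CODE} - |\s*\Z)", re.S)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse(text):
    """Return [(code, body)] for every entry in a HijackThis log or fix list."""
    text = text.split("Logfile of HijackThis", 1)[-1]               # drop analyzer preamble
    text = text.split("End of KRC HijackThis Analyzer Log", 1)[0]   # drop trailer
    return [(m.group(1), " ".join(m.group(2).split())) for m in ENTRY.finditer(text)]


def key(code, body):
    """Match on the CLSID when there is one (forums truncate URLs), else on the text."""
    m = CLSID.search(body)
    return (code, m.group(0).upper()) if m else (code, body.lower())


def still_present(fix_list, followup_log):
    """Entries from the fix list that the follow-up log still shows, with their count."""
    seen = Counter(key(c, b) for c, b in parse(followup_log))
    out, done = [], set()
    for code, body in parse(fix_list):
        k = key(code, body)
        if k not in done and seen[k]:
            done.add(k)
            out.append((code, body, seen[k]))
    return out


def report(fix_list, followup_log):
    return [f"{code} [{SECTIONS.get(code, 'other')}] x{n}: {body}"
            for code, body, n in still_present(fix_list, followup_log)]


# Fix list copied from post #15, wrapped mid-entry the way the page is.
FIX_LIST = r"""
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O4 - HKLM\..\Run:
[New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s O9 - Extra button:
Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} -
http://www.net2phone.com/ (file missing) O9 - Extra button: (no name) -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

# Abbreviated from the last log in post #16 (some R/O4/O16 lines left out).
FOLLOWUP = r"""
***Security Programs Detected*** O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
Logfile of HijackThis v1.99.0 Scan saved at 9:41:22 AM, on 1/27/2005 Running processes:
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL = http://www.iGlide.net O4 - HKLM\..\Run: [LVCOMS] C:\Program
Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKLM\..\RunOnce: [SpybotSnD]
"C:\Spybot\SpybotSD.exe" /autocheck O8 - Extra context menu item: &Download with &DAP -
C:\PROGRA~1\DAP\dapextie.htm O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet
access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by
New.Net O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net O16 - DPF:
{E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
http://chat.yahoo.com/cab/yvwrctl.cab End of KRC HijackThis Analyzer Log.
"""

if __name__ == "__main__":
    print("\n".join(report(FIX_LIST, FOLLOWUP)))
```

On these two inputs the only survivor is the O10 group, the Winsock-level entries, which is what the next reply in the thread goes after.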
|
|
|
|
#17 (permalink) |
|
Analyst, Security Team
|
OK, do you have your XP CD? If you do, boot from it. Let it load and then choose to boot into the Recovery Console. Enter the admin password when asked.
Now at the prompt, type in:
rd /s /q "c:\program files\newdotnet\"
Do a ctrl+alt+del to restart. Login and check and fix these in HijackThis:
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
Restart and post a new log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
#18 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 14
OS: XP
|
no such luck
looked around all evening, no XP disc... and evidently, my son felt the floppy drive was a piggy bank, (according to my wife she "dug a few quarters out")... so I can't MAKE one either.
Won't write one to a CD either..., so now what? Maybe go to a friend's n make a MS-DOS BootDisk? ~Dan |
|
|
|
|
#19 (permalink) |
|
Analyst, Security Team
|
Gotta keep the little one away from the PC
Yes, see if you can use a DOS disk or maybe a windows 98 bootdisk to boot up in the command prompt. In the images you gave me, I see you added another entry to delete the dll file after the command I gave you. Type in exactly what I listed previously.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|