baker7

Hjt Log - Possible Newdotnet And Plandvdproblem

Recommended Posts

Hello There:

I need some HJT log assistance. I think I inadvertantly downloaded a hijacker called newdotnet, and I also have a file called PlanDvd.exe giving me a problem.....Emmanuel cannot seem to find any internet sites, and I think these things may have something to do with it......

SPECS: HP Pavilion 8860 60 GIG hdd 128 Meg RAM Running WinXP SP2- preformed scans with adaware and spybot, and spybot found some things that I deleted, except it found a reg entry for the Windows Security Center Antivurus disable notify....I used Spybot 1.4 and think that some of these hijacks are slowing my machine down........could someone take a look at this log and let me know what is up?

Thanks,

Baker7

LOG Below]/b]

Logfile of HijackThis v1.99.1

Scan saved at 3:57:44 PM, on 10/16/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\iNtfySvc\intfysvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\WinVNC\WinVNC.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\WINDOWS\system32\wwSecure.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\SCANJET\PrecisionScanPro\HPLamp.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\system32\hphmon03.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE

C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\HPHipm09.exe

C:\Program Files\Messenger\msmsgs.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HIJACK THIS 1.99.1\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [bLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O15 - Trusted Zone: http://www.tfn.net

O15 - Trusted Zone: http://*.tfn.net

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122481145936

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} -

O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - http://download.verizon.net/sfp/Cabs/hst/w...tWebInstall.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/whatsnext/checkmypc...tivePreQual.cab

O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/w...tWebInstall.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} -

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3720315E-4868-4ACB-B9D5-8A477ED28305}: NameServer = 4.2.2.2,4.2.2.3

O23 - Service: Ipswitch Notification Server (inotifysvr) - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington MA. - C:\iNtfySvc\intfysvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Edited by baker7

Share this post


Link to post
Share on other sites

BUMP

I am able to connect to the Internet ONLY in safe mode on Emmanuel - Hopefulluy someone will be able to help me figure this one out, as I don't want to be running in safe mode forever -

Baker7

Share this post


Link to post
Share on other sites

I am beginning the backup process, just in case I want to reformat Emmanuel - I will do so later this afternoon if I do not get any replies, as I must do some important work today or tomorrow

Baker7

Share this post


Link to post
Share on other sites

Hi,

Sorry for the late reply.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Next, open HijackThis, and check the following items (If present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)

O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe

O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} -

O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} -

Close all windows except HijackThis and click the "Fix Checked" button.

Next, please enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked

Now, locate the following files/folders and delete them:

C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1 << This folder

C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide << This folder

Now reboot and post a new HijackThis log.

Danny :thumbsup:

Edited by dknoppix

Share this post


Link to post
Share on other sites

Danny:

I appreciate the response to my posting....I will keep this in mind the next time something happens with Emmanuel.

However, I needed to begin the backup processs to save important documents, and I have already reformatted the machine in question, and have been getting SP2 updates for her. Once this is done, I'll reenable the networking on Emmanuel, and make connections to my 2000 machine once I get Panda Installed (Need my firewall and antivirus active before doing much more)

Where did:

O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe

and

O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe

come from: Think I downloaded a nasty and when I noticed what it was I deleted it, but firewall was asking forpermission to run plandvd.exe? what is this? Spyware?

I hope you don't mind me coming back here from time to time to ask assistance with checking out my logs - Since G4 changed things round, most HJT log readers are here, and I feel better knowing someonw CAN tell me what is up......

Thank you for your efforts :)

Baker7

(Brian)

Share this post


Link to post
Share on other sites
Where did:

O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe

and

O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe

come from:  Think I downloaded a nasty and when I noticed what it was I deleted it, but firewall was asking forpermission to run plandvd.exe?  what is this?  Spyware?

I hope you don't mind me coming back here from time to time to ask assistance with checking out my logs - Since G4 changed things round, most HJT log readers are here, and I feel better knowing someonw CAN tell me what is up......

Thank you for your efforts :)

Baker7

(Brian)

<{POST_SNAPBACK}>

Hi,

I belive they are just random baddies. This may happen from just being on an unprotected computer that is on the internet for a couple of hours.

PlanDvd.exe is a random malware. If your firewall sees that an application is launching, etc, etc, say NO unless you know it's safe.

Of course you can stay here! :)

Feel free to post in Open Chat or whereever you want to!

Danny :thumbsup:

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.