DNS error - please advise on HiJack log

Hello-
Here's the HiJack log, I would appreciate advice.
Thanks

Logfile of HijackThis v1.98.2
Scan saved at 7:36:32 AM, on 8/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\CAPP.EXE
C:\WINDOWS\SYSTEM\SAHAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TECH\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: FavoriteMan Class - {139D88E5-C372-469D-B4C5-1FE00852AB9B} - C:\WINDOWS\SYSTEM\FAVORITE.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\SYSTEM\IPINSIGT.DLL
O2 - BHO: BHO.clsUrlSearch - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL
O2 - BHO: BHO.clsUrlSearch - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\SYSTEM\BHO.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\GSIM.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CApp] C:\WINDOWS\SYSTEM\capp.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/in....30/Hiwire.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}

Re: DNS error - please advise on HiJack log

What's the exact DNS error message you're getting? A lot of times, DNS errors just happen because you cannot contact a DNS server; while it may be related to spyware, it's often not.

Are you having any other issues?

Re: DNS error - please advise on HiJack log

OK,

Due to the "O10 - Broken Internet access..." entry in your log, you should download and run the latest version of SpyBot Search & Destroy (the link is in my sig below). Having HJT "fix" the O10 entries can break your networking, but SpyBot should be able to fix the problem. SpyBot will also find and fix a lot of the other nasties on your system.

You should also download and run Ad Aware; it will probably catch some spyware that SpyBot missed.

So- here's the drill once you've gotten SpyBot and Ad Aware:

1. Open Ad Aware and configure it as follows:
   - Click the "Check for updates now" option on the main startup page; follow the prompts to install the most current reference file.
   - Click the "Scanning" button. Under Drives & Folders, select "Scan within Archives". Click "Click here to select Drives + folders" and select your installed hard drives. Under Memory & Registry, select all options.
   - Click the "Advanced" button. Under "Log-file detail", select all options.
   - Click the "Tweaks" button. Under "Scanning Engine", select the following: "Include additional Ad-aware settings in logfile" and "Unload recognized processes during scanning." Under "Cleaning Engine", select the following: "Let Windows remove files in use after reboot."
   - Click on 'Proceed' to save these Preferences.
   - Activate "IN-DEPTH scanning".
   - Close the program.
2. Open SpyBot and get the latest updates for it by clicking the "Search for updates" option. Once it finishes updating, close the program.
3. Delete the contents of all Cookies, Temporary Internet Files, and Temp folders, and empty your Recycle Bin.
4. Reboot into Safe Mode. You do this by hitting the F8 key as the computer is booting.
5. Run SpyBot; have it fix everything it finds.
6. Reboot into safe mode again.
7. Run Ad Aware. Once it finishes its scan, select all of the items it finds and have Ad Aware delete them.
8. Reboot normally, run HJT again, and post a fresh log.

Re: DNS error - please advise on HiJack log

Hello DMR-
Thank you for your reply. I did everything you have suggested; here is the last log. I am still unable to browse.

Logfile of HijackThis v1.98.2
Scan saved at 6:25:33 AM, on 8/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TECH\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1

Re: DNS error - please advise on HiJack log

OK-

It looks like SpyBot wasn't able to fix your "O10" error, which is why you can't browse. The newdotnet infection has mangled a portion of your system's networking software; the TCP/IP software will either need to be repaired or reinstalled.

Instructions for reinstalling your TCP/IP software in Windows 95/98/ME can be found here:
http://www.compu-docs.com/winsock9x.htm

Alternatively, you can try a repair utility called LSPFix.exe. You can download the utility here:
http://www.cexx.org/lspfix.htm

Re: DNS error - please advise on HiJack log

Also,

Have HijackThis fix all entries that contain "(no file)" and/or "(File missing)".

Fix these entries as well:

O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab

And if 4.2.2.1 is not the address of your DNS server, delete:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1

* If the C:\Program Files\NewDotNet folder still exists, delete it entirely.

Re: DNS error - please advise on HiJack log

Also, remove Newdotnet, either from add/remove programs, or by going here & scrolling down to the uninstall tool.
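
The triage rules given in the replies above, sketched as an added example (not part of the original thread and not HijackThis's own logic): O10 entries are routed to a Winsock repair rather than a HijackThis fix, entries marked "(no file)" or "(file missing)" are orphans to fix, and an O17 NameServer is flagged unless it appears in a caller-supplied list. The function name `triage`, the action labels and the `known_dns` parameter are assumptions; the sample lines are excerpted from the second log in the thread.

```python
import re

# "<section code> - <details>", e.g. "O10 - Hijacked Internet access by New.Net"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")

# Excerpt of the second log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
"""


def triage(log_text, known_dns=()):
    """Return (code, action, line) for entries covered by the thread's advice."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, body = m["code"], m["body"]
        if code == "O10":
            # Checked first: fixing an LSP entry in HijackThis can break
            # networking, so it is never treated as a plain orphan.
            findings.append((code, "repair-winsock", line))
        elif ORPHAN.search(body):
            findings.append((code, "fix-orphan", line))
        elif code == "O17" and (ns := NAMESERVER.search(body)):
            ips = [ip for ip in re.split(r"[,\s]+", ns["ips"].strip()) if ip]
            if any(ip not in known_dns for ip in ips):
                findings.append((code, "verify-dns", line))
    return findings


if __name__ == "__main__":
    for code, action, line in triage(SAMPLE_LOG):
        print(f"{action:15} {line}")
```

Passing the resolver addresses your ISP or network actually assigns as `known_dns` suppresses the O17 finding for them.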
©2003 - 2009 DaniWeb® LLC