•
•
•
•
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 456,234 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 3,745 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community
Views: 2496 | Replies: 6
 |
•
•
Join Date: Aug 2004
Posts: 3
Reputation: 
Rep Power: 0
Solved Threads: 0
Newbie Poster
DNS error - please advise on HiJack log Hello-
Here's the HiJack log, I would appreciate advise.
Thanks
Logfile of HijackThis v1.98.2
Scan saved at 7:36:32 AM, on 8/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\CAPP.EXE
C:\WINDOWS\SYSTEM\SAHAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TECH\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: FavoriteMan Class - {139D88E5-C372-469D-B4C5-1FE00852AB9B} - C:\WINDOWS\SYSTEM\FAVORITE.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\SYSTEM\IPINSIGT.DLL
O2 - BHO: BHO.clsUrlSearch - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL
O2 - BHO: BHO.clsUrlSearch - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\SYSTEM\BHO.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\GSIM.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CApp] C:\WINDOWS\SYSTEM\capp.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/in....30/Hiwire.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
Here's the HiJack log, I would appreciate advise.
Thanks
Logfile of HijackThis v1.98.2
Scan saved at 7:36:32 AM, on 8/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\CAPP.EXE
C:\WINDOWS\SYSTEM\SAHAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TECH\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: FavoriteMan Class - {139D88E5-C372-469D-B4C5-1FE00852AB9B} - C:\WINDOWS\SYSTEM\FAVORITE.DLL
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\SYSTEM\IPINSIGT.DLL
O2 - BHO: BHO.clsUrlSearch - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL
O2 - BHO: BHO.clsUrlSearch - {730F2451-A3FE-4A72-938C-FC8A74F15978} - C:\WINDOWS\SYSTEM\BHO.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: GSIM - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\GSIM.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CApp] C:\WINDOWS\SYSTEM\capp.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/in....30/Hiwire.cab
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
•
•
Join Date: Dec 2003
Location: Nashville, TN
Posts: 2,333
Reputation:
Rep Power: 11
Solved Threads: 102
What's the exact DNS error message you're getting?
A lot of times, DNS errors just happen because you cannot contact a DNS server, while it may be related to spyware, it's often not.
Are you having any other issues?
A lot of times, DNS errors just happen because you cannot contact a DNS server, while it may be related to spyware, it's often not.
Are you having any other issues?
Alex Cavnar, aka alc6379
•
•
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 18
Solved Threads: 339
OK,
Due to the " O10 - Broken Internet access..." entry in your log, you should download and run the latest version of SpyBot Search & Destroy (the link is in my sig below). Having HJT "fix" the 010 entries can break your networking, but SpyBot should be able to fix the problem. SpyBot will also find and fix a lot of the other nasties on your system. You should also download and run Ad Aware; it will probably catch some spyware that SpyBot missed.
So- here's the drill once you've gotten SpyBot and Ad Aware:
1. Open Ad Aware and configure it as follows:
- click the "Check for updates now" option on the main startup page; follow the prompts to install the most current reference file.
- Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
activate "IN-DEPTH scanning"
Close the program
2. Open SpyBot and get the latest updates for it by clicking the "Search for updates" option. Once it finishes updating, close the program.
3. Delete the contents of all Cookies, Temporary Internet Files, and Temp folders, and empty your Recycle Bin.
4. Reboot into Safe Mode. You do this by hitting the F8 key as the computer is booting.
5. Run SpyBot; have it fix everything it finds.
6. Reboot into safe mode again.
7. Run Ad Aware. Once it finishes its scan, select all of the items it finds and have Ad Aware delete them.
8 Reboot normally, run HJT again, and post a fresh log.
Due to the " O10 - Broken Internet access..." entry in your log, you should download and run the latest version of SpyBot Search & Destroy (the link is in my sig below). Having HJT "fix" the 010 entries can break your networking, but SpyBot should be able to fix the problem. SpyBot will also find and fix a lot of the other nasties on your system. You should also download and run Ad Aware; it will probably catch some spyware that SpyBot missed.
So- here's the drill once you've gotten SpyBot and Ad Aware:
1. Open Ad Aware and configure it as follows:
- click the "Check for updates now" option on the main startup page; follow the prompts to install the most current reference file.
- Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
activate "IN-DEPTH scanning"
Close the program
2. Open SpyBot and get the latest updates for it by clicking the "Search for updates" option. Once it finishes updating, close the program.
3. Delete the contents of all Cookies, Temporary Internet Files, and Temp folders, and empty your Recycle Bin.
4. Reboot into Safe Mode. You do this by hitting the F8 key as the computer is booting.
5. Run SpyBot; have it fix everything it finds.
6. Reboot into safe mode again.
7. Run Ad Aware. Once it finishes its scan, select all of the items it finds and have Ad Aware delete them.
8 Reboot normally, run HJT again, and post a fresh log.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
•
•
Join Date: Aug 2004
Posts: 3
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
Hello DMR-
Thank you for your reply.
I did everything you have suggested, here is the last log.
I am still unable to browse.
Logfile of HijackThis v1.98.2
Scan saved at 6:25:33 AM, on 8/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TECH\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
Thank you for your reply.
I did everything you have suggested, here is the last log.
I am still unable to browse.
Logfile of HijackThis v1.98.2
Scan saved at 6:25:33 AM, on 8/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TECH\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\CCHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\POP-UP STOPPER PRO\POPUPPRO.DLL
O3 - Toolbar: (no name) - {518779A5-BF8B-4A10-82FB-F408F8EA06C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\GO.EXE" /FIXRAS
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MpsOn] C:\WINDOWS\SYSTEM\MpsOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\WINDOWS\DESKTOP\HOWARD\DOWNLOADS\MP\GO!ZILLA\download-with-gozilla.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_22.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
•
•
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 18
Solved Threads: 339
OK-
It looks like SpyBot wasn't able to fix your "010" error, which is why you can't browse. The newdotnet infection has mangled a portion of your system's networking software; the TCP/IP software will either need to be repaired or reinstalled.
Instructions for reinstalling your TCP/IP software in Windows 95/98/ME can be found here:
http://www.compu-docs.com/winsock9x.htm
Alternatively, you can try a repair utility called LSPFix.exe. You can download the utility here:
http://www.cexx.org/lspfix.htm
It looks like SpyBot wasn't able to fix your "010" error, which is why you can't browse. The newdotnet infection has mangled a portion of your system's networking software; the TCP/IP software will either need to be repaired or reinstalled.
Instructions for reinstalling your TCP/IP software in Windows 95/98/ME can be found here:
http://www.compu-docs.com/winsock9x.htm
Alternatively, you can try a repair utility called LSPFix.exe. You can download the utility here:
http://www.cexx.org/lspfix.htm
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
•
•
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation:
Rep Power: 18
Solved Threads: 339
Also,
Have HijackThis fix all entries that contain "(no file)" and/or "(File missing)".
Fix these entries as well:
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
And if 4.2.2.1 is not the address of your DNS server, delete:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
* If the C:\Program Files\NewDotNet folder still exists, delete it entirely.
Have HijackThis fix all entries that contain "(no file)" and/or "(File missing)".
Fix these entries as well:
O2 - BHO: CNNIC_IDN - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O9 - Extra button: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O9 - Extra 'Tools' menuitem: ¤¤¤å°ì¦W - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS\SYSTEM\CDNIEHLP.DLL
O16 - DPF: {9A578C98-3C2F-4630-890B-FC04196EF420} (CNNIC_IDN) - http://cdn2.cnnic.cn/ad/china/cdn.cab
And if 4.2.2.1 is not the address of your DNS server, delete:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.1
* If the C:\Program Files\NewDotNet folder still exists, delete it entirely.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,016
Reputation:
Rep Power: 23
Solved Threads: 455
Also, remove Newdotnet, either from add/remove programs, or by going here. & scrolling down to the uninstall tool.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
|
•
•
•
•
•
•
•
•
DaniWeb Viruses, Spyware and other Nasties Marketplace
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Linear Mode
•
•
•
•
- page cannot be displayed DNS error (hijack this) (Viruses, Spyware and other Nasties)
- QuickTime Error, could be spyware related??? Hijack log included (Viruses, Spyware and other Nasties)
- Error #317 popup (Hijack This Log (Viruses, Spyware and other Nasties)
- Help Please DNS Error - HJ log (Viruses, Spyware and other Nasties)
- HiJack LOg (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Bridge.dll error message - log attached
- Next Thread: very slow internet and all programs just hanging
