
Shortly after downloading from mirror.cs.wisc.edu/pub/mirrors/ghost I discovered PageMaker7 online help doesn't work, also failure to start IE from desktop icon or shortcut, or from .exe file [no message received], same with Favorites from Start toolbar; starting HTMLs from WinExplorer or shortcuts on desktop receives delayed message '...cannot find [file]. make sure [...] is a valid pathname...'. Access to the I-net is however possible thru Windows Explorer>view>explorerbar>history[or searchers], Favorites and desktop shortcuts work then, but still some programs, such as Photoshop7, AdobeReader6, SpyBounce, report failure to connect to or update database from the I-net. I reinstalled IE first by upgrading to the MS XP SP2 version, with no improvement, then by setup from CD, to same effect. AdAware and SpySweeper removed several bugs with no change, NortonAntivirus & F-Prot detect none, SpyDoctor trial version reports numerous problems, to be fixed after purchase. HijackThis generated the following log:

Logfile of HijackThis v1.98.2
Scan saved at 14:18:31, on 23.10.04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\realtime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.nbu.bg
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (filesize 50376 bytes, MD5 0C0E1B2BCAED8DF401BE94D538BCB412)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (filesize 229376 bytes, MD5 B8D2EA737777A3313A3B6FA5251FDC72)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (filesize 192512 bytes, MD5 964621E8B2415FEAA99026ED4F29D198)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (filesize 65536 bytes, MD5 F2FAFE3CB6412C89F43D88CCEBE308F3)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (filesize 86016 bytes, MD5 94D01CBA4FBB4EB408F02F549CA5D815)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll (filesize 272983 bytes, MD5 B8E162E9B9A83849458F457EB84ED137)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (filesize 708608 bytes, MD5 76E459F4BDB7DE4DC828CF70CC6B94A2)
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (filesize 112248 bytes, MD5 988409CE6ED638AAFDBECFB6EC863F4F)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [WService] WService.EXE (filesize 28672 bytes, MD5 05D196B51881100E93A92D777F6FC243)
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE (filesize 290816 bytes, MD5 BE4430D763E63FCE37EE254594133DFB)
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (filesize 753664 bytes, MD5 AA022DFA622C90C3060CA794914B11AA)
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" (filesize 278528 bytes, MD5 EEF02F205DAC244787C528647BFD0C27)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (filesize 155648 bytes, MD5 3E4C03CEFAD8DE135263236B61A49C90)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (filesize 155648 bytes, MD5 3E4C03CEFAD8DE135263236B61A49C90)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 98304 bytes, MD5 76A3A30B58405C2C6D833895253A51A9)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe (filesize 91648 bytes, MD5 1668411625E8994AB2973106981E89F9)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (filesize 54976 bytes, MD5 F2F3CF92C4D6CF2E019493BAF3DE0F5E)
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" (filesize 59072 bytes, MD5 3DC5F0E636BAA3CD6E0C97E03128963D)
O4 - HKLM\..\Run: [SpywareStopper] C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe (filesize 394752 bytes, MD5 E4C39A8FCAC8C34262B589B65A18AA5A)
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\liveupdate.exe 110 (filesize 110592 bytes, MD5 E41E4816D9B046C2C8177CAC60CD55A4)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (filesize 15360 bytes, MD5 24232996A38C0B0CF151C2140AE29FC8)
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe (filesize 95344 bytes, MD5 4D8B98507C15C217D749C8405BA39BD4)
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 (filesize 3058688 bytes, MD5 C27FD3ADDF6B6463EEF211E75B7B2B30)
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (filesize 360448 bytes, MD5 61C028ABA5E49573A6332F4A7C744E87)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (filesize 69632 bytes, MD5 978294640062C57482BF2B65A342C266)
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm (filesize 591 bytes, MD5 F5405047DA612086AE3DC4CDBB046BDC)
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm (filesize 575 bytes, MD5 4F5140BEADB0A78CE30E9F0F4B591B8F)
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm (filesize 1898 bytes, MD5 208F30C68E12274B625E3EDF9186680C)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O9 - Extra 'Tools' menuitem: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (filesize 320656 bytes, MD5 B33A0BCE72CDC81B56154E9DF4AF34F6)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (filesize 320656 bytes, MD5 B33A0BCE72CDC81B56154E9DF4AF34F6)
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (filesize 2323536 bytes, MD5 FD23D4D11A9F5748723FC06716BEBD30)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (filesize 2323536 bytes, MD5 FD23D4D11A9F5748723FC06716BEBD30)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (filesize 1224704 bytes, MD5 80173439AE505A62C1076E05D7478E98)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (filesize 1224704 bytes, MD5 80173439AE505A62C1076E05D7478E98)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1040_pack_XP.cab
O16 - DPF: {A0EB6CA1-B26C-475D-A342-9257C5420A0D} (SFUtility Class) - http://searchfst.com/update/searchfast.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Please, assist in proceeding with proposed deletes.
Hoping that my procedures hitherto, although not the description, have saved some of your time, I remain in wait of salvation.

Last Post by crunchie

First of all we have to remove Newdotnet, either from add/remove programs, or by going here & scrolling down to the uninstall tool.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)

O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\liveupdate.exe 110 (filesize 110592 bytes, MD5 E41E4816D9B046C2C8177CAC60CD55A4)

O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...040_pack_XP.cab
-Electronic-Group Dialer
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab
-Electronic-Group Dialer

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Program Files\MyWay-folder
C:\Program Files\Advanced Searchbar-folder
C:\Program Files\Bouncer-folder

C:\WINDOWS\srchupdt.exe-file

Reboot normally after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.
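As an added example (not part of either post, and not HijackThis's own code), this Python script parses HijackThis entry lines and lists every entry that loads the same file as a chosen one, matched by the MD5 the log records, which helps when checking that a file marked for removal has no other entries left pointing at it. The sample lines are copied from the log posted above; the function names are hypothetical.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
C:\WINDOWS\Explorer.EXE
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (filesize 245760 bytes, MD5 AB7875A7318FFD0C9C7389C4F40065B2)
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O9 - Extra button: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
O9 - Extra 'Tools' menuitem: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (filesize 401408 bytes, MD5 29D4D5AB13ABABB068BDE80B5F7A2254)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - ..."
META = re.compile(r"\s*\(filesize (\d+) bytes, MD5 ([0-9A-Fa-f]{32})\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return one dict per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        size = md5 = None
        meta = META.search(body)
        if meta:  # the file was found on disk, so size and hash were logged
            size, md5 = int(meta.group(1)), meta.group(2).upper()
            body = body[:meta.start()]
        clsid = CLSID.search(body)
        entries.append({"code": code, "body": body, "size": size, "md5": md5,
                        "clsid": clsid.group(0).upper() if clsid else None})
    return entries

def related(entries, needle):
    """Entries whose text contains needle, plus any entry with the same MD5."""
    hits = [e for e in entries if needle.lower() in e["body"].lower()]
    hashes = {e["md5"] for e in hits if e["md5"]}
    return [e for e in entries if e in hits or e["md5"] in hashes]

if __name__ == "__main__":
    for e in related(parse_log(SAMPLE_LOG), "myBar BHO"):
        print(e["code"], e["md5"], e["body"])
```

An entry logged without a filesize/MD5 suffix (such as the `SrchfstUpdate` line) can only be matched by its text, so review those by hand.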
