Member Avatar for rodp

An icon labeled TAG (TagASaurus) appeared on my desktop. Since then, I have lost my internet access, my browser home page seems to get re-directed and all of my bookmarks have been changed to the same re-direct. I downloaded, installed and ran HijackThis and my log is as follows (any help would be appreciated):

Logfile of HijackThis v1.99.1
Scan saved at 1:16:07 PM, on 5/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\WINNT\nhvqvhx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\windows\mousepad17.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\nhvqvhxA.exe
C:\winnt\system32\fthot.exe
C:\WINNT\system32\logon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\WINNT\System32\svchost.exe
C:\Install\HijackThis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fast-finder.com/searchresults.asp?si=20061&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://fast-finder.com/searchresults.asp?si=20061&k=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {B86C63AF-1916-4B1E-9165-9A70208935C6} - C:\Program Files\Internet Explorer\horec.dll
O2 - BHO: SDWin32 Class - {BB18E44E-A622-411E-81C3-EFC23BD0CFB6} - C:\WINNT\system32\zexgp.dll
O2 - BHO: SDWin32 Class - {E939BDAB-6802-44A8-9C1A-E630A560522A} - C:\WINNT\system32\xtgvw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINNT\system32\ppvypqv.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard17.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad17.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname17.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [nhvqvhxA] C:\WINNT\nhvqvhxA.exe
O4 - HKLM\..\Run: [lstat] c:\winnt\system32\fthot.exe
O4 - HKLM\..\Run: [xtgvwc] C:\WINNT\system32\xtgvwc.exe
O4 - HKLM\..\Run: [zexgpc] C:\WINNT\system32\zexgpc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\logon.exe
O4 - HKCU\..\Run: [kmir] C:\Program Files\Common Files\kmir\kmirm.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O13 - WWW. Prefix: http://
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138297860078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138306460203
O17 - HKLM\System\CCS\Services\Tcpip\..\{75E483E7-DDDE-4EEE-A0B5-BD31656151B6}: NameServer = 64.105.189.26,64.105.179.138
O20 - Winlogon Notify: App Management - C:\WINNT\system32\tafaux.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINNT\system32\ppvypqv.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\nhvqvhx.exe

  • 2 Contributors
  • 1 Reply
  • 87 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by tayspen
Member Avatar for tayspen

Did you run this in safe mode? If so don't.

Please run HJt again, and check the following items.

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINNT\system32\ppvypqv.exe

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard17.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad17.exe

O4 - HKLM\..\Run: [newname] C:\windows\newname17.exe

O4 - HKLM\..\Run: [nhvqvhxA] C:\WINNT\nhvqvhxA.exe

O4 - HKLM\..\Run: [lstat] c:\winnt\system32\fthot.exe

O4 - HKLM\..\Run: [xtgvwc] C:\WINNT\system32\xtgvwc.exe

O4 - HKLM\..\Run: [zexgpc] C:\WINNT\system32\zexgpc.exe

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\logon.exe

O4 - HKCU\..\Run: [kmir] C:\Program Files\Common Files\kmir\kmirm.exe

O13 - WWW. Prefix: http://

O20 - Winlogon Notify: App Management - C:\WINNT\system32\tafaux.dll (file missing)

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINNT\system32\ppvypqv.exe (file missing)

Click Fix Checked.

_____________________________________________

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

_______________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\ppvypqv.exe

    C:\windows\keyboard17.exe

    C:\windows\mousepad17.exe

    C:\windows\newname17.exe

    C:\WINNT\nhvqvhxA.exe

    C:\winnt\system32\fthot.exe

    C:\WINNT\system32\xtgvwc.exe

    C:\WINNT\system32\zexgpc.exe

    C:\WINNT\system32\logon.exe

    C:\Program Files\Common Files\kmir\kmirm.exe

    C:\WINNT\system32\tafaux.dll

    C:\WINNT\system32\ppvypqv.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

_________________________________________

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed close ewido anti-malware.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in safe mode,

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Boot back into normal mode.

Post a new HJT log, and the ewido log.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.