Hi! I need help from you guys, I can't manage to remove this trojan from my computer! I will download the Hijack program and post my log here soon. Please help me!
Logfile of HijackThis v1.99.1
Scan saved at 14:37:38, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\dcomcfg.exe
C:\WINNT\System32\WatchTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Hjt\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
-.-.-.-.-.-.-.-.-.--.-..- .-.-.-.-.-.-.-.-.-.-.-.-.
SmitFraudFix v2.48
Scan done at 14:42:16,26, fr 26.05.2006
Run from C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix
OS: Microsoft Windows 2000 [Versjon 5.00.2195]
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32
C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min gjeldende hjemmeside"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
You really need to apply the latest security pack to your Windows 2000 machine. Running service pack 2 leaves you wide open to a variety of risks.
For the infection do this:
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer;
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter";
- Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a brand new hijackthis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non infected computer will remove your Desktop background
If you'd like my two cents, here they are... You could always try AVG free, Norton Internet Security 2006, etc. If that doesn't work, try the F10 button (which restores everything your computer was shipped with). Anything from there someone else will have to advise you (I am just a computer geek, not an expert).
No reason to install any AV programs yet...later though it is advisable. F10? Not sure what you are talking about there.
Logfile of HijackThis v1.99.1
Scan saved at 16:47:17, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\WatchTray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Hjt\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
-.-.-.-. .--.-.-.-
SmitFraudFix v2.48
Scan done at 16:36:53,66, fr 26.05.2006
Run from C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix
OS: Microsoft Windows 2000 [Versjon 5.00.2195]
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINNT\system32\dcomcfg.exe Deleted
C:\WINNT\system32\hp????.tmp Deleted
C:\WINNT\system32\ld????.tmp Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\regperf.exe Deleted
C:\WINNT\system32\simpole.tlb Deleted
C:\WINNT\system32\stdole3.tlb Deleted
C:\WINNT\system32\ts.ico Deleted
C:\WINNT\system32\1024\ Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Hmmm... it actually seems clean now!
It's not clean.
First, download this program: http://www.safer-networking.org/files/sfp.zip
Highlight the files listed below in bold, then right-click and select Copy.
C:\WINNT\System32\nssd.exe
Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field. Then press the Continue button. I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab. Rename this file to yourmembername.cab (for example grinler.cab).
Then go to: http://www.bleepingcomputer.com/submit-malware.php and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
Then, did you purposely install the two poker games Expekt.com and Bodog Poker? If not, include these in the entries below to fix:
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
Next, do you know what this is?
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
Finally, please download LSP-Fix from the following link and save it to a location you can find later if necessary.
http://www.bleepingcomputer.com/files/lspfix.php
To remove New.net, please go to Start | Settings | Control Panel | Add/Remove Programs, look for and remove New.Net. If you can't find it, then please go to http://www.newdotnet.com and follow the removal instructions in Procedure 4 at the bottom of the page.
Print out these instructions and then close all windows including Internet Explorer.
Then I want you to fix some of those entries. Please do the following:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here: http://www.bleepingcomputer.com/forums/tutorial62.html
Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
Reboot your computer into Safe mode. Instructions here: http://www.bleepingcomputer.com/forums/tutorial61.html
Then delete these files or directories (do not be concerned if they do not exist):
C:\Programfiler\NewDotNet\
Reboot your computer to go back to normal mode and post a new log.
If you cannot connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.
Logfile of HijackThis v1.99.1
Scan saved at 18:47:54, on 26.05.2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nssd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\watchlog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programfiler\Card Reader\shwicon.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
C:\Hjt\HijackThis_v1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firda.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Teleplan WatchTray] WatchTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ShowIcon_The Company_Card Reader v1.14e049] "C:\Programfiler\Card Reader\shwicon.exe" -t"The Company\Card Reader v1.14e049"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RaConfig2500.lnk = C:\Programfiler\RALINK\RT2500 Wireless LAN Card\Installer\WIN2K\RaConfig2500.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Programfiler\Bodog Poker\GameClient.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://post.sf-f.kommune.no/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DC0D4DF-D6CB-4BAB-8124-375F997C5FFB}: NameServer = 62.97.193.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programfiler\Fellesfiler\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
Poker clients are okay, and TeleplanTWS is an old system I don't need anymore, but it is not defined as a risk. I think the system is working fine now!
One last thing. Do you know what this is? I find it highly suspicious after looking at it, yet I cannot determine its nature.
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
No, I am not sure what it is. Do you think it could be harmful to run the .exe file? I guess I'll just do nothing, since my system seems stable now.
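Added example, not part of the thread: a short Python sketch that parses HijackThis entries, diffs two scans to confirm what a cleanup actually removed, and flags the kinds of entries the helper singled out. The sample lines are copied from the first and last logs in the thread; the function names and the flagging rules are assumptions of this example, not HijackThis behaviour.

```python
import re

# Constructed sample: a handful of entries copied from the first and last
# HijackThis logs in the thread (the real logs are much longer).
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programfiler\NewDotNet\newdotnet7_22.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
"""
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: Network Service Server (NSS) - Unknown owner - C:\WINNT\System32\nssd.exe
O23 - Service: TeleplanTWS - Teleplan AS - C:\WINNT\System32\\watchlog.exe
"""

# A log entry is a section code (R0, O2, O23, ...) followed by " - " and text.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A file sitting directly in the Windows system directory (lower-cased path).
SYSTEM_DIR_FILE = re.compile(r"[a-z]:\\(?:winnt|windows)\\system32\\[^\\]+")


def parse(log):
    """Return the (section, text) entries of a HijackThis log, in order."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def removed(before, after):
    """Entries present in the earlier scan but absent from the later one."""
    later = set(parse(after))
    return [entry for entry in parse(before) if entry not in later]


def review(log):
    """Flag entries for manual review (heuristics assumed for this example)."""
    notes = []
    for section, text in parse(log):
        path = text.rsplit(" - ", 1)[-1].lower()  # last field is the file path
        if section == "O2" and path.endswith(".tmp"):
            notes.append((section, "browser helper object loaded from a .tmp file", text))
        elif section == "O10":
            notes.append((section, "Winsock LSP chain modified", text))
        elif (section == "O23" and "Unknown owner" in text
              and SYSTEM_DIR_FILE.fullmatch(path)):
            notes.append((section, "service with no vendor name in the system directory", text))
    return notes


if __name__ == "__main__":
    for section, text in removed(BEFORE, AFTER):
        print("removed:", section, "-", text)
    for section, reason, text in review(AFTER):
        print("review :", section, "-", reason, "->", text)
```

Run against the last scan, the only entry still flagged is the nssd.exe service that the thread leaves unresolved.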