spyware (RESOLVED)

payne1504 · #1 (**permalink**) 07-03-2007, 03:18 AM

Hello, I'm new to this so please bare with me.

I believe my homepage has been hijacked. When I enter windows explorer I am automatically redirected to a site called security center. the address is ieprotectpage.com. I tried to change my home page back but to no avail. Also I'm continuously getting pop ups about spyware dowloads such as trojan-spy & spydawn. How do I get my homepage back and get rid of these pop ups?

VopThis · #2 (**permalink**) 07-03-2007, 05:04 AM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

I would also like to see a HijackThis LOG as per the last set of intructions found here:

Read This First - IMPORTANT Instructions

payne1504 · #3 (**permalink**) 12-03-2007, 05:57 PM

Here is the contents of the text file.

SmitFraudFix v2.148

Scan done at 12

50.45, Mon 03/12/2007
Run from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EPJBE377\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\tvomnc.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyDawn\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{634be415-da12-496b-b89e-329b73c4807f}"="cam"

[HKEY_CLASSES_ROOT\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{634be41 5-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

VopThis · #4 (**permalink**) 12-03-2007, 07:30 PM

STEP # 2 - Cleaning

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Download and install AVG Anti-Spyware 7.5 (AVG AS - previously known as Ewido anti-spyware 4.0) (uninstall any previous version first).

Click the Download BUTTON. On the next page click the Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run AVG Anti-Spyware
Wait a few moments and AVG Anti-Spyware should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
Quote:
Click on the Update now LINK at the top of the window
Click on the Start update button

Wait for the update to download and install
This is very important to get the LATEST updates
Click on the Status ICON
- Under "Your computers Security"
  Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions and choose Quarantine
When updating has finished. Close AVG Anti-Spyware.

We will be using this tool in a later step.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware , and run a full scan:

Click on the default Status ICON and select the Scan now LINK.

OR
Click on the Scanner ICON . Select the Scan TAB.
- Select Complete System Scan. AVG Anti-Spyware will now begin to scan your system.

If AVG Anti-Spyware finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
- Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).
When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
Copy and paste the AVG Anti-Spyware scan results into your next post.
Close AVG Anti-Spyware.

______________________________
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

----------No items specified

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

______________________________
Reboot in Normal Mode.

Please post (preferably not file attachments, please):

c:\rapport.txt
AVG Anti-Spyware log
A new HijackThis log

payne1504 · #5 (**permalink**) 13-03-2007, 12:26 AM

SmitFraudFix v2.148

Scan done at 18:10:24.36, Mon 03/12/2007
Run from C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EPJBE377\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{634be415-da12-496b-b89e-329b73c4807f}"="cam"

[HKEY_CLASSES_ROOT\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{634be41 5-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\tvomnc.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:03:05 PM 3/12/2007

+ Scan result:

HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : No action taken.
C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064545.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064546.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064573.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064574.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064580.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064596.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065177.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065188.exe -> Adware.NewDotNet : No action taken.
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \\New.net Startup -> Adware.NewDotNet : No action taken.
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\New.net -> Adware.NewDotNet : No action taken.
[1072] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[1684] C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : No action taken.
[2060] C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : No action taken.
[2568] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[2852] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[3016] C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : No action taken.
[3976] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064491.ini -> Adware.Qworke : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065159.exe -> Adware.SpyHeal : No action taken.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2DA.tmp\pmunst.exe -> Downloader.Zlob.asv : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064577.exe -> Downloader.Zlob.asv : No action taken.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2DA.tmp\pmmnt.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064484.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064505.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064522.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064534.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064555.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064566.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064583.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064486.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064507.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064523.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064535.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064557.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064568.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064582.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065157.exe -> Downloader.Zlob.bpn : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065158.exe -> Downloader.Zlob.bpn : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@viamtvcom.112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@vip.clickzs[1].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ehg-eline.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@paycounter[1].txt -> TrackingCookie.Paycounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP150\A0065249.dll -> Trojan.Dialer.cs : No action taken.

::Report end

Technical_1 · #6 (**permalink**) 13-03-2007, 02:47 AM

Hello payne1504.

VopThis is away for a week so I will help you until we get you resolved or VopThis returns. Thanks for your understanding.

Looks like smitfraud is gone. AVG AS listed many things but it says it did not remove them.

Quote:

Originally Posted by VopThis

Click on the Status ICON

Under "Your computers Security"
Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)

Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions and choose Quarantine
When updating has finished. Close AVG Anti-Spyware.

Go ahead and set AVG AS up to Quarantine the items and run the scan again please. Then we'll clean up anything it couldn't get.

Thanks.

payne1504 · #7 (**permalink**) 13-03-2007, 04:22 AM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:19:26 PM 3/12/2007

+ Scan result:

HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : No action taken.
C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064545.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064546.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064573.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064574.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064580.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064596.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065177.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065188.exe -> Adware.NewDotNet : No action taken.
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \\New.net Startup -> Adware.NewDotNet : No action taken.
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-1079541628-236781750-2621664363-1006\Software\New.net -> Adware.NewDotNet : No action taken.
[1792] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[2648] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[2708] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[3244] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
[3800] C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064491.ini -> Adware.Qworke : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP149\A0065159.exe -> Adware.SpyHeal : No action taken.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2DA.tmp\pmunst.exe -> Downloader.Zlob.asv : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064577.exe -> Downloader.Zlob.asv : No action taken.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2DA.tmp\pmmnt.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064484.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064505.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064522.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064534.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064555.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064566.exe -> Downloader.Zlob.bov : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP146\A0064583.exe -> Downloader.Zlob.bov : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@oasc02.247realmedia[2].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@viamtvcom.112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@vip.clickzs[1].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ehg-eline.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@paycounter[1].txt -> TrackingCookie.Paycounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter1.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@sextracker[1].txt -> TrackingCookie.Sextracker : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP150\A0065249.dll -> Trojan.Dialer.cs : No action taken.

::Report end

Technical_1 · #8 (**permalink**) 13-03-2007, 04:48 AM

Hmmmm. Still the same results. Let's try something a little different.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Let's get an Uninstall List from HijackThis:
- Open HijackThis, click Config, click Misc Tools
- Click "Open Uninstall Manager"
- Click "Save List" (generates uninstall_list.txt)
- Click Save, copy and paste the results in your next post along with a new Hijack This Log.

payne1504 · #9 (**permalink**) 13-03-2007, 05:11 AM

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
ArcSoft PhotoStudio 5.5
AVG Anti-Spyware 7.5
BigFix
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
CardRd81
ccCommon
CCScore
CR2
Digital Media Reader
DING!
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
Fish Tycoon
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Internet Worm Protection
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
KSU
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Office Standard Edition 2003
Microsoft Works
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
NAVShortcut
Nero BurnRights
Nero OEM
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
Notifier
NVIDIA Drivers
OmniPage SE 2.0
OTtBP
OTtBPSDK
PlayLinc
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SFR
SHASTA
SKIN0001
SKINXSDK
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
SPBBC
Spy Sweeper
Spybot - Search & Destroy 1.4
Symantec
System Alert Popup
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Update Rollup 2 for Windows XP Media Center Edition 2005
Verizon Games on Demand Player
Verizon Internet Security Suite
Verizon Online DSL
Verizon Online Help and Support
Verizon Servicepoint 1.3.21
Viewpoint Media Player
VPRINTOL
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Media Center Edition 2005 KB908250
WIRELESS
Yahoo! Anti-Spy
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

Technical_1 · #10 (**permalink**) 13-03-2007, 11:30 PM

Let's get rid of a couple things.

Display Hidden Files Please set your system to show
all files; please see here if you're unsure how to do this.
Remove Questionable Programs. Go to Start > Control Panel > Add/Remove Programs. Scroll down to and highlight each of the following programs and select uninstall/remove:
- Viewpoint Media Player<---Related Link
Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Delete Files/Folders
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\NewDotNet
After that, Reboot.
Please re-open HiJackThis and scan and save a new log file.
Post Logs
New Hijack This Log

Let me know how things are running now.