Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Wanet Telecoms Ltd on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Downloadlegal music 1
- Thread starter frankieg
- Start date
Have Antivirus installed on your machine? Updated and ran a full scan lately?
If not, here's some free online scans:
If not, here's some free online scans:
Spybot
Ad-aware
Will check your computer for spyware and adware.
Ad-aware
Will check your computer for spyware and adware.
-
1
- #4
frankieg,
Would you mind being as specific as possible about this problem?
. What exactly is the wording of the message?
. Does it appear as if it was a wallpaper/desktop backtround change, or a pop-up, or something else?
. Describe what happens if you delete the IE icon on the desktop. Does some background image become clearer or disappear? (You can bring back the IE desktop icon by right-clicking a blank area of your Desktop, Properties, Desktop tab, Customize Desktop, and check Internet Explorer in the top box.)
I cannot find any evidence of this as malware, but I suspect as did Xenus and Linney above it is. In that case Spybot is unlikely to help, but there may be a clue running Hijack This and posting your scan results here:
Would you mind being as specific as possible about this problem?
. What exactly is the wording of the message?
. Does it appear as if it was a wallpaper/desktop backtround change, or a pop-up, or something else?
. Describe what happens if you delete the IE icon on the desktop. Does some background image become clearer or disappear? (You can bring back the IE desktop icon by right-clicking a blank area of your Desktop, Properties, Desktop tab, Customize Desktop, and check Internet Explorer in the top box.)
I cannot find any evidence of this as malware, but I suspect as did Xenus and Linney above it is. In that case Spybot is unlikely to help, but there may be a clue running Hijack This and posting your scan results here:
- Thread starter
- #5
Hi bcastner
thanks fyi, i have attached the follwing results, hope they mean something to you or anyone
Logfile of HijackThis v1.97.7
Scan saved at 20:22:39, on 29/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\KaZaA\kazaa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dad.D2ZTK90J\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Thanks for looking
frankieg
thanks fyi, i have attached the follwing results, hope they mean something to you or anyone
Logfile of HijackThis v1.97.7
Scan saved at 20:22:39, on 29/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\KaZaA\kazaa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dad.D2ZTK90J\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Thanks for looking
frankieg
NewDotNet hijack, for one.
See here: Simply running SpyBot as suggested by linney should do the trick, though.
I also see you're running Kazaa. I hate to proselytize, but I will. Using P2P ware of this type is a virtual guarantee that you'll stay on the cutting edge of maleware/virus infection. At least consider the lite version.
See here: Simply running SpyBot as suggested by linney should do the trick, though.
I also see you're running Kazaa. I hate to proselytize, but I will. Using P2P ware of this type is a virtual guarantee that you'll stay on the cutting edge of maleware/virus infection. At least consider the lite version.
And this jewel...O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
is a subseven trojan...
I'd kill this entire section
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
and these
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
for a good night's sleep. And watch the P2P sites...that's where all of this came from, I'll wager.
is a subseven trojan...
I'd kill this entire section
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
and these
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
for a good night's sleep. And watch the P2P sites...that's where all of this came from, I'll wager.
Wow.
1. Disable System Restore.
right-click My Computer, Properties, System Restore, and uncheck the box to enable System Restore on all drives.
2. In Safe Mode with networking, do two online antivirus cans from smah's FAQ (Trend Micro & Panda): faq760-3862
Let them fix problems. Reboot.
3. Download and run in this order:
cwshredder *
SpyBot 1.2 *
AdAware *
* = Update the definition files within the program as the first step.
4. Run Hijack this and remove all the entries mentioned above by carr if they still remain. I will add:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Reboot.
See if the issue is resolved.
Remember to re-enable System Restore.
1. Disable System Restore.
right-click My Computer, Properties, System Restore, and uncheck the box to enable System Restore on all drives.
2. In Safe Mode with networking, do two online antivirus cans from smah's FAQ (Trend Micro & Panda): faq760-3862
Let them fix problems. Reboot.
3. Download and run in this order:
cwshredder *
SpyBot 1.2 *
AdAware *
* = Update the definition files within the program as the first step.
4. Run Hijack this and remove all the entries mentioned above by carr if they still remain. I will add:
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Reboot.
See if the issue is resolved.
Remember to re-enable System Restore.
Follow the excellent advice supplied by my fellow posters, and after you have fixed all your problems, but are wondering why this sort of thing is happening with increasing regularity to internet surfers and how to prevent it then I suggest some reading here.
Beginners Guides: Spyware Protection and Removal
This is an 8 page article but worth the read.
Beginners Guides: Spyware Protection and Removal
This is an 8 page article but worth the read.
- Thread starter
- #12
- Status
Similar threads
- Locked
- Question