newdotnet - o grija

Acum cateva zile mi'a descoperit ad-aware 6 o cartela cu newdotnet, dar nu stergea. Am luat un anti-troian (The Cleaner) si a gasit si a sters tot ce a miscat   Surpriza:  a doua zi nu mai puteam sa accesez nici un site , mergea doar messenger. Am desfacut carantina si dupa un restart mergea totul normal   Am cautat pe google si am gasit cum ca acest individ (newdotnet) poate provoca probleme la conexiune daca e sters gresit si nu dezinstalat. L'am dezinstalat deci. A disparut cartela NewDotNet si conexiunea merge bine..dar la o scanare am gasit resturi din el in cartela windows si povestea s'a repetat. Intrebarea e: cum pot sa scap ????? ma refer la o stergere manuala daca dezinstalarea nu a fost totala  
As vrea detalii , nu sunt decat la nivel mediu de cunostinte
Sorry daca acest subiect a mai fost dezbatut.

Buna jean807, bine ai venit la forumul SoftPedia.

Fa download la HijackThis! , dezarhiveaza-l intr-un director al lui, de exemplu c:hjt , executa-l, apasa Scan si apoi Save Log. Posteaza te rog log-ul aici sa vedem ce a mai ramas din NewDotNet.

Intre timp fa download la AdAware SE 1.03 de aici: AdAware SE Download . La instalare va elimina versiunea veche AdAware 6.181. La ultimul ecran debifeaza cele trei optiuni.

Nu scana cu AdAware inca

Configureaza AdAware 1.03 ca ma jos:
Click pe roata dintata de sus:

(Unele optiuni pot fi selectate numai in versiunile Plus si Pro - culoarea gri)

General
Safety Settings: primele trei optiuni trebuie sa fie neselectate (rosu). La ultima optiune se schimba 14 cu 7 (recomandare).

Scanning
Selecteaza urmatoarele optiuni: - (verde)
"Scan within Archives"
Click pe "Click here to select Drives + folders" si selecteaza toate HDD instalate.
Memory & Registry: selecteaza toate optiunile (verde)

Advanced
La "Shell Integration" selecteaza "Move deleted files to Recycle Bin" (verde)
Logfile Detail Level: selecteaza toate optiunile (verde).

Defaults
La "Default homepage" si/sau "Default searchpage" se introduc paginile dorite (de exemplu http://www.google.com/)

Tweak
Scanning Engine: selecteaza urmatoarele optiuni (verde)
"Unload recognized processes during scanning."
"Obtain command line of scanned processes"
"Scan registry for all users instead of current user only"

Cleaning Engine: selecteaza urmatoarele optiuni (verde)
"Automatically try to unregister objects prior to deletion."
"During removal, unload explorer and IE if necessary"
"Let Windows remove files in use at next reboot."
"Delete quarrantined objects after restoring"

Safety settings: selecteaza (verde)
"Write-protect system files after repair (Hosts file, etc)"

Webupdate settings: Selecteaza toate optiunile (verde)

Apasa "Proceed" pentru a salva preferintele.

Fa update la semnaturi (globul albastru de sus).

Nu folosi inca AdAware.

uite si logul ....desi ma ingrijorez numai cat ma uit la el

Logfile of HiJackThis v1.98.2
Scan saved at 12.53.53, on 01/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:ProgrammiFile comuniSymantec SharedccSetMgr.exe
C:ProgrammiFile comuniSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
C:ProgrammiNorton AntiVirusnavapsvc.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSSystem32svchost.exe
C:ProgrammiNorton AntiVirusSAVScan.exe
C:ProgrammiFile comuniSymantec SharedccApp.exe
C:WINDOWSSystem32RunDll32.exe
C:ProgrammiMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
C:WINDOWSSystem32atwtusb.exe
C:ProgrammiMSN AppsUpdater1.02.0002.1001itmsnappau.exe
C:ProgrammiThe Cleanertca.exe
C:ProgrammiThe Cleanertcm.exe
C:WINDOWSSystem32ctfmon.exe
C:ProgrammiLogitechDesktop Messenger8876480ProgramBackWeb-8876480.exe
C:ProgrammiYahoo!Messengerypager.exe
C:ProgrammiMSN MessengerMsnMsgr.Exe
C:ProgrammiTRUSTSoftware BluetoothBTTray.exe
C:Programmi3.0M SD DSCConsoleWatch.exe
C:PROGRA~1TRUSTSOFTWA~1BTSTAC~1.EXE
C:ProgrammiMessengermsmsgs.exe
C:WINDOWSSystem32taskmgr.exe
C:ProgrammiInternet Exploreriexplore.exe
C:Program FilesmIRCmirc.exe
C:ProgrammiInternet ExplorerIEXPLORE.EXE
C:PROGRA~1WINZIPwinzip32.exe
C:Documents and SettingsDImpostazioni localiTempHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = www.aol.co.uk
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = 212.245.244.100:9201
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: 198.65.164.171 ehttp.cc
O1 - Hosts: 198.65.164.168 winlink.biz
O1 - Hosts: 198.65.164.168 winlink.ws
O1 - Hosts: 198.65.164.168 ad45.com
O1 - Hosts: 198.65.164.168 www.ad45.com
O1 - Hosts: 198.65.164.168 ad77.com
O1 - Hosts: 198.65.164.168 www.ad77.com
O1 - Hosts: 198.65.164.168 ad86.com
O1 - Hosts: 198.65.164.168 www.ad86.com
O1 - Hosts: 198.65.164.168 ad25.com
O1 - Hosts: 198.65.164.168 www.ad25.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 www.00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 www.8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: 198.65.164.170 galleryspots.com
O1 - Hosts: 198.65.164.170 www.galleryspots.com
O1 - Hosts: 198.65.164.170 cz9.clickzs.com
O1 - Hosts: 198.65.164.170 cz8.clickzs.com
O1 - Hosts: 198.65.164.170 cz7.clickzs.com
O1 - Hosts: 198.65.164.170 cz6.clickzs.com
O1 - Hosts: 198.65.164.170 cz5.clickzs.com
O1 - Hosts: 198.65.164.170 cz4.clickzs.com
O1 - Hosts: 198.65.164.170 cz3.clickzs.com
O1 - Hosts: 198.65.164.170 cz2.clickzs.com
O1 - Hosts: 198.65.164.170 cz1.clickzs.com
O1 - Hosts: 198.65.164.170 bigfreepics.com
O1 - Hosts: 198.65.164.170 www.moreporn.biz
O1 - Hosts: 198.65.164.170 www.vimaxnow.net
O1 - Hosts: 198.65.164.170 www.coolsearch.biz
O1 - Hosts: 198.65.164.170 coolsearch.biz
O1 - Hosts: 198.65.164.170 www.sexocean.biz
O1 - Hosts: 198.65.164.170 penis-enlargement-pills.xxx.com
O1 - Hosts: 198.65.164.170 www.bigfreepics.com
O1 - Hosts: 198.65.164.170 penispills.xxx.com
O1 - Hosts: 198.65.164.170 small-penis.abc3x.com
O1 - Hosts: 198.65.164.170 www.extenzepills.com
O1 - Hosts: 198.65.164.170 www.chokinchicken.com
O1 - Hosts: 198.65.164.170 www.quelpenis.com
O1 - Hosts: 198.65.164.170 www.myrealpics.com
O1 - Hosts: 198.65.164.170 www.zonebest.com
O1 - Hosts: 198.65.164.170 www.herbal-healthline.com
O1 - Hosts: 198.65.164.170 www.herbalvirility.com
O1 - Hosts: 198.65.164.170 www.optimoil.com
O1 - Hosts: 198.65.164.170 www.menzyme.com
O1 - Hosts: 198.65.164.170 defaultsearching.com
O1 - Hosts: 198.65.164.170 www.findwhatnow.com
O1 - Hosts: 198.65.164.170 free64all.com
O1 - Hosts: 198.65.164.170 www.free64all.com
O1 - Hosts: 198.65.164.170 coolsearcher.net
O1 - Hosts: 198.65.164.170 www.placeforsearch.com
O1 - Hosts: 198.65.164.170 placeforsearch.com
O1 - Hosts: 198.65.164.170 www.sweet4all.com
O1 - Hosts: 198.65.164.170 www.picsdrive.com
O1 - Hosts: 198.65.164.170 chokinchicken.com
O1 - Hosts: 198.65.164.170 www.efinder.cc
O1 - Hosts: 198.65.164.170 nnsearch.biz
O1 - Hosts: 198.65.164.170 www.doctors-choice-hgh-human-growth-hormone.com
O1 - Hosts: 198.65.164.170 www.advice-hgh.com
O1 - Hosts: 198.65.164.170 www.kcufrecnac.com
O1 - Hosts: 198.65.164.170 www.medical-t.com
O1 - Hosts: 198.65.164.170 www.hghcompany.com
O1 - Hosts: 198.65.164.170 www.healthsuperstore.com
O1 - Hosts: 198.65.164.170 www.hgh3000.com
O1 - Hosts: 198.65.164.170 www.21stcenturyhgh.com
O1 - Hosts: 198.65.164.170 www.sytropin.com
O1 - Hosts: 198.65.164.170 www.rejuvence.com
O1 - Hosts: 198.65.164.170 www.prescriptionhgh.com
O1 - Hosts: 198.65.164.170 www.pureghr15.com
O1 - Hosts: 198.65.164.170 www.genf20.com
O1 - Hosts: 198.65.164.170 www.puremeds.com
O1 - Hosts: 198.65.164.170 www.love-scent.com
O1 - Hosts: 198.65.164.170 www.attract-rx.com
O1 - Hosts: 198.65.164.170 www.nexuspheromones.com
O1 - Hosts: 198.65.164.170 www.luvoil.com
O1 - Hosts: 198.65.164.170 vimax.fuckfaster.com
O1 - Hosts: 198.65.164.170 www.iso-herbal.com
O1 - Hosts: 198.65.164.170 www.brava.com
O1 - Hosts: 198.65.164.170 www.39-93.com
O1 - Hosts: 198.65.164.170 www.how2enlargepenis.com
O1 - Hosts: 198.65.164.170 finder2003.com
O1 - Hosts: 198.65.164.170 www.spybot.info
O1 - Hosts: 198.65.164.170 www.javacoolsoftware.com
O1 - Hosts: 198.65.164.170 vimax-pills.xnxxx.com
O1 - Hosts: 198.65.164.170 penis-pills.xnxxx.com
O1 - Hosts: 198.65.164.170 www.search-aid.com
O1 - Hosts: 198.65.164.170 www.pureteenz.com
O1 - Hosts: 198.65.164.170 freednshost.info
O1 - Hosts: 198.65.164.170 www.search2004.net
O1 - Hosts: 198.65.164.170 www.hugesearch.net
O1 - Hosts: 198.65.164.170 luckyfinder.com
O1 - Hosts: 198.65.164.170 luckysearch.net
O1 - Hosts: 198.65.164.170 kitasearch.com
O1 - Hosts: 198.65.164.170 www.orbitexplorer.com
O1 - Hosts: 198.65.164.170 www.sqwire.com
O1 - Hosts: 198.65.164.170 www.traffichog.com
O1 - Hosts: 198.65.164.170 allneedsearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:ProgrammiYahoo!CompanionInstallscpnycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:ProgrammiAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:ProgrammiMSN AppsST1.02.0002.1001en-xustmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:ProgrammiMSN AppsMSN Toolbar1.02.2001.0001itmsntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:ProgrammiNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:ProgrammiNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:ProgrammiYahoo!CompanionInstallscpnycomp5_3_12_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:ProgrammiMSN AppsMSN Toolbar1.02.2001.0001itmsntb.dll
O3 - Toolbar: FlowGoBar - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} - C:ProgrammiFlowGoBarToolbarflgobar.dll
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [ccApp] "C:ProgrammiFile comuniSymantec SharedccApp.exe"
O4 - HKLM..Run: [zBrowser Launcher] C:ProgrammiLogitechiTouchiTouch.exe
O4 - HKLM..Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..Run: [CAP3ON] C:WINDOWSSystem32spooldriversw32x863CAP3ONN.EXE
O4 - HKLM..Run: [mmtask] C:ProgrammiMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
O4 - HKLM..Run: [atwtusb] atwtusb.exe beta
O4 - HKLM..Run: [RoxioEngineUtility] "C:ProgrammiFile comuniRoxio SharedSystemEngUtil.exe"
O4 - HKLM..Run: [RoxioDragToDisc] "C:ProgrammiRoxioEasy CD Creator 6DragToDiscDrgToDsc.exe"
O4 - HKLM..Run: [RoxioAudioCentral] "C:ProgrammiRoxioEasy CD Creator 6AudioCentralRxMon.exe"
O4 - HKLM..Run: [msnappau] "C:ProgrammiMSN AppsUpdater1.02.0002.1001itmsnappau.exe"
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [tcactive] C:ProgrammiThe Cleanertca.exe
O4 - HKLM..Run: [tcmonitor] C:ProgrammiThe Cleanertcm.exe
O4 - HKLM..RunOnce: [SpybotSnD] "C:ProgrammiSpybot - Search & DestroySpybotSD.exe" /autocheck
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [LDM] C:ProgrammiLogitechDesktop Messenger8876480ProgramBackWeb-8876480.exe
O4 - HKCU..Run: [Yahoo! Pager] C:ProgrammiYahoo!Messengerypager.exe -quiet
O4 - HKCU..Run: [MsnMsgr] "C:ProgrammiMSN MessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [AIM] C:ProgrammiAIM95aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Quick StartUp.lnk = C:PENSOFTfquick32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:ProgrammiFile comuniAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Microsoft Office OneNote 2003.lnk = C:ProgrammiMicrosoft OfficeOFFICE11ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:ProgrammiUlead SystemsUlead Photo Express 4.0 SECalCheck.exe
O4 - Global Startup: Finestra di stato di Canon LASER SHOT LBP-1120.LNK = C:WINDOWSsystem32spooldriversw32x863CAP3LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:ProgrammiLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Watch.lnk = C:Programmi3.0M SD DSCConsoleWatch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:ProgrammiYahoo!Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:ProgrammiYahoo!Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:ProgrammiYahoo!Messengeryhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:ProgrammiYahoo!Messengeryhexbmes0411.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:ProgrammiAIM95aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammiMessengerMSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammiMessengerMSMSGS.EXE
O12 - Plugin for .spop: C:ProgrammiInternet ExplorerPluginsNPDocBox.dll
O12 - Plugin for .UVR: C:ProgrammiInternet ExplorerPluginsNPUPano.dll
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O17 - HKLMSystemCCSServicesTcpip..{CCD9413E-6A86-44FC-A076-C88D9E1198B7}: NameServer = 212.245.255.2 212.141.84.12

Quote

Putea fi si mai rau   .

1. Ai vreun motiv sa directionezi toate site-urile alea de la O1 la

198.65.164.170
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
?

Daca nu ai sau nu stii despre ce vorbesc fa download la acest program Hoster , dezarhiveaza-l undeva, executa-l si apasa butonul "Restore Orginal Hosts". Inchide programul. Reboot in Safe mode (vezi punctul 3).

3. REBOOT in Safe Mode (apasa tasta F8 de mai multe ori imediat ce porneste calculatorul. Alege Safe Mode - sus).

Muta "HijackThis!" intr-un director al lui, de exemplu c:HJT si executa-l.
Inchide toate ferestrele si browserul.

Bifeaza urmatoarele:


R3 - Default URLSearchHook is missing

Pe astea daca le mai gasesti:
O1 - Hosts: 198.65.164.171 ehttp.cc
O1 - Hosts: 198.65.164.168 winlink.biz
O1 - Hosts: 198.65.164.168 winlink.ws
O1 - Hosts: 198.65.164.168 ad45.com
O1 - Hosts: 198.65.164.168 www.ad45.com
O1 - Hosts: 198.65.164.168 ad77.com
O1 - Hosts: 198.65.164.168 www.ad77.com
O1 - Hosts: 198.65.164.168 ad86.com
O1 - Hosts: 198.65.164.168 www.ad86.com
O1 - Hosts: 198.65.164.168 ad25.com
O1 - Hosts: 198.65.164.168 www.ad25.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 www.00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 www.8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: 198.65.164.170 galleryspots.com
O1 - Hosts: 198.65.164.170 www.galleryspots.com
O1 - Hosts: 198.65.164.170 cz9.clickzs.com
O1 - Hosts: 198.65.164.170 cz8.clickzs.com
O1 - Hosts: 198.65.164.170 cz7.clickzs.com
O1 - Hosts: 198.65.164.170 cz6.clickzs.com
O1 - Hosts: 198.65.164.170 cz5.clickzs.com
O1 - Hosts: 198.65.164.170 cz4.clickzs.com
O1 - Hosts: 198.65.164.170 cz3.clickzs.com
O1 - Hosts: 198.65.164.170 cz2.clickzs.com
O1 - Hosts: 198.65.164.170 cz1.clickzs.com
O1 - Hosts: 198.65.164.170 bigfreepics.com
O1 - Hosts: 198.65.164.170 www.moreporn.biz
O1 - Hosts: 198.65.164.170 www.vimaxnow.net
O1 - Hosts: 198.65.164.170 www.coolsearch.biz
O1 - Hosts: 198.65.164.170 coolsearch.biz
O1 - Hosts: 198.65.164.170 www.sexocean.biz
O1 - Hosts: 198.65.164.170 penis-enlargement-pills.xxx.com
O1 - Hosts: 198.65.164.170 www.bigfreepics.com
O1 - Hosts: 198.65.164.170 penispills.xxx.com
O1 - Hosts: 198.65.164.170 small-penis.abc3x.com
O1 - Hosts: 198.65.164.170 www.extenzepills.com
O1 - Hosts: 198.65.164.170 www.chokinchicken.com
O1 - Hosts: 198.65.164.170 www.quelpenis.com
O1 - Hosts: 198.65.164.170 www.myrealpics.com
O1 - Hosts: 198.65.164.170 www.zonebest.com
O1 - Hosts: 198.65.164.170 www.herbal-healthline.com
O1 - Hosts: 198.65.164.170 www.herbalvirility.com
O1 - Hosts: 198.65.164.170 www.optimoil.com
O1 - Hosts: 198.65.164.170 www.menzyme.com
O1 - Hosts: 198.65.164.170 defaultsearching.com
O1 - Hosts: 198.65.164.170 www.findwhatnow.com
O1 - Hosts: 198.65.164.170 free64all.com
O1 - Hosts: 198.65.164.170 www.free64all.com
O1 - Hosts: 198.65.164.170 coolsearcher.net
O1 - Hosts: 198.65.164.170 www.placeforsearch.com
O1 - Hosts: 198.65.164.170 placeforsearch.com
O1 - Hosts: 198.65.164.170 www.sweet4all.com
O1 - Hosts: 198.65.164.170 www.picsdrive.com
O1 - Hosts: 198.65.164.170 chokinchicken.com
O1 - Hosts: 198.65.164.170 www.efinder.cc
O1 - Hosts: 198.65.164.170 nnsearch.biz
O1 - Hosts: 198.65.164.170 www.doctors-choice-hgh-human-growth-hormone.com
O1 - Hosts: 198.65.164.170 www.advice-hgh.com
O1 - Hosts: 198.65.164.170 www.kcufrecnac.com
O1 - Hosts: 198.65.164.170 www.medical-t.com
O1 - Hosts: 198.65.164.170 www.hghcompany.com
O1 - Hosts: 198.65.164.170 www.healthsuperstore.com
O1 - Hosts: 198.65.164.170 www.hgh3000.com
O1 - Hosts: 198.65.164.170 www.21stcenturyhgh.com
O1 - Hosts: 198.65.164.170 www.sytropin.com
O1 - Hosts: 198.65.164.170 www.rejuvence.com
O1 - Hosts: 198.65.164.170 www.prescriptionhgh.com
O1 - Hosts: 198.65.164.170 www.pureghr15.com
O1 - Hosts: 198.65.164.170 www.genf20.com
O1 - Hosts: 198.65.164.170 www.puremeds.com
O1 - Hosts: 198.65.164.170 www.love-scent.com
O1 - Hosts: 198.65.164.170 www.attract-rx.com
O1 - Hosts: 198.65.164.170 www.nexuspheromones.com
O1 - Hosts: 198.65.164.170 www.luvoil.com
O1 - Hosts: 198.65.164.170 vimax.fuckfaster.com
O1 - Hosts: 198.65.164.170 www.iso-herbal.com
O1 - Hosts: 198.65.164.170 www.brava.com
O1 - Hosts: 198.65.164.170 www.39-93.com
O1 - Hosts: 198.65.164.170 www.how2enlargepenis.com
O1 - Hosts: 198.65.164.170 finder2003.com
O1 - Hosts: 198.65.164.170 www.spybot.info
O1 - Hosts: 198.65.164.170 www.javacoolsoftware.com
O1 - Hosts: 198.65.164.170 vimax-pills.xnxxx.com
O1 - Hosts: 198.65.164.170 penis-pills.xnxxx.com
O1 - Hosts: 198.65.164.170 www.search-aid.com
O1 - Hosts: 198.65.164.170 www.pureteenz.com
O1 - Hosts: 198.65.164.170 freednshost.info
O1 - Hosts: 198.65.164.170 www.search2004.net
O1 - Hosts: 198.65.164.170 www.hugesearch.net
O1 - Hosts: 198.65.164.170 luckyfinder.com
O1 - Hosts: 198.65.164.170 luckysearch.net
O1 - Hosts: 198.65.164.170 kitasearch.com
O1 - Hosts: 198.65.164.170 www.orbitexplorer.com
O1 - Hosts: 198.65.164.170 www.sqwire.com
O1 - Hosts: 198.65.164.170 www.traffichog.com
O1 - Hosts: 198.65.164.170 allneedsearch.com

O3 - Toolbar: FlowGoBar - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} - C:ProgrammiFlowGoBarToolbarflgobar.dll

O4 - Startup: PowerReg Scheduler V3.exe


Apasa "Fix" si inchide HiJackThis.

4. Apasa CTRL-ALT-DEL si cauta urmatoarele daca le gasesti:
powerreg scheduler v3.exe
powerreg scheduler.exe
powerreg schedulerv2.exe
Fa click - dreapta si alege End Process.

4. Cauta si sterge urmatoarele fisiere si foldere:

Aceste fisiere pe unde le gasesti: (cauta cu Start --> Search)
powerreg scheduler v3.exe
webshots.lnk
powerreg scheduler.exe
powerreg schedulerv2.exe

Acest folder FlowGoBar in C:Programmi
Acest folder powerreg in C:Programmi

5. REBOOT normal si posteaza un nou log HJT.

Sa incepem cu inceputul.
1. Luat hoster. Rezolvat.
2. Safe mode....( apropo: care e tasta pt intrat in safe mode? ca f8 imi dadea  o fereastra in care sa aleg un drive pt boot ...am recurs la niste artificii ca sa intru acolo )
Dupa ce am dat fix cu hijack chiar nu am gasit decat cartela cu flowgobar...nimic din celelalte pomenite .
3. uite si noul log...un pic mai curatel

Logfile of HiJackThis v1.98.2
Scan saved at 15.40.06, on 01/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:ProgrammiFile comuniSymantec SharedccSetMgr.exe
C:ProgrammiFile comuniSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
C:ProgrammiNorton AntiVirusnavapsvc.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSSystem32svchost.exe
C:ProgrammiFile comuniSymantec SharedccApp.exe
C:ProgrammiLogitechiTouchiTouch.exe
C:WINDOWSSystem32RunDll32.exe
C:ProgrammiMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
C:WINDOWSSystem32atwtusb.exe
C:ProgrammiMSN AppsUpdater1.02.0002.1001itmsnappau.exe
C:ProgrammiThe Cleanertca.exe
C:ProgrammiThe Cleanertcm.exe
C:WINDOWSSystem32ctfmon.exe
C:ProgrammiLogitechDesktop Messenger8876480ProgramBackWeb-8876480.exe
C:ProgrammiYahoo!Messengerypager.exe
C:ProgrammiMSN MessengerMsnMsgr.Exe
C:ProgrammiTRUSTSoftware BluetoothBTTray.exe
C:ProgrammiNorton AntiVirusSAVScan.exe
C:Programmi3.0M SD DSCConsoleWatch.exe
C:PROGRA~1TRUSTSOFTWA~1BTSTAC~1.EXE
C:ProgrammiMessengermsmsgs.exe
C:WINDOWSSystem32wuauclt.exe
C:Documents and SettingsDDocumentihijack thisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = www.aol.co.uk
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = 212.245.244.100:9201
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = localhost
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:ProgrammiYahoo!CompanionInstallscpnycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:ProgrammiAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:ProgrammiMSN AppsST1.02.0002.1001en-xustmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:ProgrammiMSN AppsMSN Toolbar1.02.2001.0001itmsntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:ProgrammiNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:ProgrammiNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:ProgrammiYahoo!CompanionInstallscpnycomp5_3_12_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:ProgrammiMSN AppsMSN Toolbar1.02.2001.0001itmsntb.dll
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [ccApp] "C:ProgrammiFile comuniSymantec SharedccApp.exe"
O4 - HKLM..Run: [zBrowser Launcher] C:ProgrammiLogitechiTouchiTouch.exe
O4 - HKLM..Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..Run: [CAP3ON] C:WINDOWSSystem32spooldriversw32x863CAP3ONN.EXE
O4 - HKLM..Run: [mmtask] C:ProgrammiMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
O4 - HKLM..Run: [atwtusb] atwtusb.exe beta
O4 - HKLM..Run: [RoxioEngineUtility] "C:ProgrammiFile comuniRoxio SharedSystemEngUtil.exe"
O4 - HKLM..Run: [RoxioDragToDisc] "C:ProgrammiRoxioEasy CD Creator 6DragToDiscDrgToDsc.exe"
O4 - HKLM..Run: [RoxioAudioCentral] "C:ProgrammiRoxioEasy CD Creator 6AudioCentralRxMon.exe"
O4 - HKLM..Run: [msnappau] "C:ProgrammiMSN AppsUpdater1.02.0002.1001itmsnappau.exe"
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [tcactive] C:ProgrammiThe Cleanertca.exe
O4 - HKLM..Run: [tcmonitor] C:ProgrammiThe Cleanertcm.exe
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 - HKCU..Run: [LDM] C:ProgrammiLogitechDesktop Messenger8876480ProgramBackWeb-8876480.exe
O4 - HKCU..Run: [Yahoo! Pager] C:ProgrammiYahoo!Messengerypager.exe -quiet
O4 - HKCU..Run: [MsnMsgr] "C:ProgrammiMSN MessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [AIM] C:ProgrammiAIM95aim.exe -cnetwait.odl
O4 - Startup: Quick StartUp.lnk = C:PENSOFTfquick32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:ProgrammiFile comuniAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Microsoft Office OneNote 2003.lnk = C:ProgrammiMicrosoft OfficeOFFICE11ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Controllo del Calendario di Ulead Photo Express.lnk = C:ProgrammiUlead SystemsUlead Photo Express 4.0 SECalCheck.exe
O4 - Global Startup: Finestra di stato di Canon LASER SHOT LBP-1120.LNK = C:WINDOWSsystem32spooldriversw32x863CAP3LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:ProgrammiLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Watch.lnk = C:Programmi3.0M SD DSCConsoleWatch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:ProgrammiYahoo!Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:ProgrammiYahoo!Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:ProgrammiYahoo!Messengeryhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:ProgrammiYahoo!Messengeryhexbmes0411.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:ProgrammiAIM95aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammiMessengerMSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:ProgrammiMessengerMSMSGS.EXE
O12 - Plugin for .spop: C:ProgrammiInternet ExplorerPluginsNPDocBox.dll
O12 - Plugin for .UVR: C:ProgrammiInternet ExplorerPluginsNPUPano.dll
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab

Si am observat un fenomen: a scazut nivelul utilizarii "file paging " de la 270 (cca) la 231 mb. Semn bun?

OK, HJT log e curat.  

nu vreau sa fiu rau ... dar dupa ce iti dai seama ca e curat?

Pai ... nu vad nimic suspect. Toate sunt acolo unde ma astept sa le gasesc. Nici o denumire a vreunui fisier nu este suspecta si nici un GUID (Globally Unique IDentifier) nu e bad.

De as reusi sa gasesc de unde sa iau imaginea cu print screen,     v'as arata ca individul sta inca la mine in computer.    A mai ramas doar NDNuninstal6_30.exe localizat in Windows si daca il sterg adio conexiune internet.

EDITAT DE MODERATOR

RECOMANDARE GRESITA

  Scuze uite'l aici ..

In Add/Remove programs nu ai "Download Receiver" pe care il poti dezinstala ?

... scuze de indrazneala, dar cam repede ti-ai dat seama ca e recomandare gresita!

Nu era vorba de newdot ?

ar fi trebuit sa lasi post-ul nu sa-l razi cu totul ca si cum as fi spus ceva de warez ....

in fine.

Quote

In HJT log nu apare nimic de genul:
O10 - Unknown file in Winsock LSP

Daca ai un motiv serios pentru care recomanzi LSPFix spune te rog. Daca eu am gresit iti pun textul la loc si imi cer scuze.

[later]
NewDotNet poate fi dezinstalat fara probleme folosind instructiunile date de producator la pagina http://www.newdotnet.com/ - ultimul link pe pagina.

Din motive legale continutul paginii nu poate fi reprodus aici.
[/later]

asa am ramas eu agatat dupa ce am fost infectat si se pare ca mai sunt cu un browser hijaker, un programel ceva imi tot genereaza din cand in cand dll-uri de 30kb in  system .. dar am ramas cu repercusiuni in sensul ca la pornirea lui totalcomander imi da eroare ba la kernel32 ba la unknown cu toate ca eu pot sa rulez in continuare programul dar raman agatat cu fereastra de eroare care daca o inchid evident imi zboara si programul.

Momentan sunt linistit ca orice incercare de a modifica in registrii imi este alertata de Browser Hijack Blaster si pot sa contracarez actiunea de a schimba pagina de black cu una care se salveaza pe pc. HJT-ul nu ul pot lua ca nu pot face conexiuni la portul 8080 (redirectare in linux) si site-ul oficial ultima data cand am verificat era in reparatii

"In Add/Remove programs nu ai "Download Receiver" pe care il poti dezinstala ?"

Nimic de genul asta.

"In HJT log nu apare nimic de genul:
O10 - Unknown file in Winsock LSP"

Poate ca ar apare in momentul in care l'as sterge.

"NewDotNet poate fi dezinstalat fara probleme folosind instructiunile date de producator la pagina "

Deja e dezinstalat....am citit si eu pagina aia de la ei inainte de a pune thread aici. Acesta a ramas dupa dezinstalare.

Poza pe care ai pus-o acolo este altceva:

1. Semnalarea DSO Exploit  este un bug al Spybot S&D. Va fi remediat la versiunea 1.4. Nu fixa DSO Exploit.

2. Cu eAcceleration e aceiasi problema ca si cu NewDotNet. Se dezinstaleaza din Add/Remove programs. Intreb acum exact ce e cu el si revin.