Solved

Possibly New.net and other spyware Loses internet connections

Posted on 2006-05-16
Last Modified: 2010-04-12
I was able to get internet connection back but the next day I lost it again. I did that by running eidos. I will run it again but please help me with a permanent solution.
Windows XP SP2
Here's the HijackThis file. Please tell me if there is other stuff I should get rid of and how.


Logfile of HijackThis v1.99.1
Scan saved at 9:11:39 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fisher.osu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fisher.osu.edu/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\Software\..\Telephony: DomainName = cob.ohio-state.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe

Question by: alan4200

Expert Comment by: r-k (ID: 16691117)
For future reference, you can post the log to http://www.hijackthis.de/ and just post a link here to the analyzed page.

I did this for you, and the analyzed page is at:

 http://www.hijackthis.de/logfiles/95eacbeec38d9e0376a53cc4717a7dbd.html

You will want to get rid of the following entries (try with HJT itself first):

 O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
 O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
 
The rest looks OK, but post back if the above two get fixed and solve the problem.

Thanks.

Expert Comment by: r-k (ID: 16691151)
Also, I noticed your main symptom is that you lost your Internet connection. That could be due to other reasons as well, so please describe that in more detail. For example, how are you connecting to the network, DSL, Cable, dial-up? Have you tried rebooting the computer and powering the DSL modem off and on? What exactly happens when you run a web browser? etc.

Author Comment by: alan4200 (ID: 16691203)
It's on a network. All the other computers are working fine. When I open a web browser it will just continuously load forever. It doesn't go to Check network connections or whatever. Any program that tries to update or access the internet will freeze up.

Accepted Solution by: r-k (ID: 16691374)
OK, I understand. I would get the HJT log cleaned up first, and reconfirm by running it again that the two bad entries are gone (in fact do post the new log to http://www.hijackthis.de/ and post a link here to the new analyzed page).

If that does not fix the network problem, then try this:

 Apply WinsockFix from: http://www.spychecker.com/program/winsockxpfix.html

If that doesn't do it, then:

 Apply LSP fix from: http://www.cexx.org/lspfix.htm

If still a problem, then:

 IEfix from: http://windowsxp.mvps.org/IEFIX.htm

But getting the remaining malware removed from the HJT log should be step-1
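
The two steps r-k describes (pick out the bad O4 autostart entries, then rescan and confirm they are gone) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, the watchlist strings are taken from the two entries named above, and the "after" log is constructed.

```python
import re

# Matches HijackThis registry autostart lines such as
#   O4 - HKLM\..\Run: [Name] command line
# ("O4 - Global Startup" shortcut lines are deliberately not parsed here.)
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Assumption: substrings derived from the two entries singled out in the thread.
WATCHLIST = ("mediagateway", "new.net", "newdot")

def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 registry Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def flagged(entries, watchlist=WATCHLIST):
    """Entries whose value name or command line contains a watchlisted string."""
    return [e for e in entries
            if any(w in (e["name"] + " " + e["cmd"]).lower() for w in watchlist)]

def still_present(before_log, after_log):
    """Flagged entries from the first scan that survive in the rescan."""
    after = {(e["hive"], e["key"], e["name"]) for e in parse_o4(after_log)}
    return [e for e in flagged(parse_o4(before_log))
            if (e["hive"], e["key"], e["name"]) in after]

# Sample input: four O4 lines copied from the log in the question.
BEFORE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed rescan: the same lines with the two flagged entries removed.
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if "MediaGateway" not in l and "New.net" not in l)

if __name__ == "__main__":
    for e in flagged(parse_o4(BEFORE)):
        print("flagged:", e["hive"], e["key"], e["name"], "->", e["cmd"])
    print("still present after cleanup:", still_present(BEFORE, AFTER))
```

A non-empty result from `still_present` means an entry came back after removal, which usually points to another component reinstalling it.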

Author Comment by: alan4200 (ID: 16691507)
I believe internet is working but I will see in a restart or two.

Here's my new HJT log. I cleaned up the 2 and it looks like they stayed gone.

http://www.hijackthis.de/logfiles/0f4d72a47ae52baccc2cc1e3554671f8.html

Expert Comment by: r-k (ID: 16691558)
Yes, good work. The HJT log looks clean now.

Expert Comment by: rpggamergirl (ID: 16695766)
New.Net or NewDotNet is a good suspect for your internet connection malfunction. It is well known to mess up your winsock chain.

NewDotNet is installed in your system; you need to remove it. But before you do that, as a precaution, please download LSPFix.exe (or WinsockFix).
When removing New.Net from your system there is a chance that you might lose your internet connection.
In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish" then reboot your computer, this should restore your internet access.
Please download LSPFix here: http://www.cexx.org/LSPFix.exe

Now please go Start > Run > Control Panel  
In the Add/Remove programs list, look for NewDotNet or New.Net and uninstall it.
If NewDotNet or New.Net is not listed in the Add/Remove programs list, then please go to their site.
Scroll down to Procedure no.4 and follow the instructions in removing NewDotNet from your system.
http://www.newdotnet.com/removal.html

Also uninstall "MediaGateway" via the Add/Remove programs list if it's listed.

Expert Comment by: burningmace (ID: 16845995)
There is a really good way to fix this problem. I got NewDotNet from some installer yesterday. Luckily I had my second machine on and able to back me up.

Here's how you fix it:

1) Get SpyBot: Search and Destroy. If you have no internet connection on the infected machine, then you need to manually download the update file from the website.
2) Run it.
3) Immunize the system.
4) Do a scan and remove all malware.

The internet connection should come back promptly.