Link to home
Start Free TrialLog in
Avatar of alan4200
alan4200

asked on

Possibly New.net and other spyware Loses internet connections

I was able to get internet connection back but the next day I lost it again. I did that by running eidos. I will run it again but please help me with a permanent solution
Windows Xp SP2
Heres the hijack this file. Please tell me if there is other stuff I should get rid of and how


Logfile of HijackThis v1.99.1
Scan saved at 9:11:39 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fisher.osu.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fisher.osu.edu/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\Software\..\Telephony: DomainName = cob.ohio-state.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cob.ohio-state.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cob.ohio-state.edu,ad.cob.ohio-state.edu
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\system32\wm.exe

Avatar of r-k
r-k
For future reference, you can post the log to http://www.hijackthis.de/ and just post a link here to the analyzed page.

I did this for you, and the analyzed page is at:

 http://www.hijackthis.de/logfiles/95eacbeec38d9e0376a53cc4717a7dbd.html

You will want to get rid of the following entries (try with HJT itself first):

 O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
 O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
 
The rest looks OK, but post back if the above two get fixed and solve the problem.

Thanks.
Avatar of r-k
r-k
Also, I noticed your main symptom is that you lost your Internet connection. That could be due to other reasons as well, so please describe that in more detail. For example, how are you connecting to the network, DSL, Cable, dial-up? Have you tried rebooting the computer and powering the DSL modem off and on? What exactly happens when you run a web browser? etc.
Avatar of alan4200
alan4200

ASKER

It's on a network. All the other computers are working fine. When I open a web browser it will just continuosly load forever. It doesn't go to Check net work connections or whatever. Any program that tries to update or access the internet will freeze up.
ASKER CERTIFIED SOLUTION
Avatar of r-k
r-k
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of alan4200
alan4200

ASKER

I  believe internet is working but I will see in a restart or two.

Here's my new HJT log. I cleaned up the 2 and it looks like they stayed gone.

http://www.hijackthis.de/logfiles/0f4d72a47ae52baccc2cc1e3554671f8.html
Avatar of r-k
r-k
Yes, good work. The HJT log looks clean now.
Avatar of rpggamergirl
rpggamergirl
Flag of Australia image
New.Net or NewDotNet is a good suspect for your internet connection malfunction. It is well known to mess up your winsock chain.

NetDotNet is installed in your system, you need to remove it. But before you do that as a precaution, please download LSPFix.exe.(or WinsockFix)
When removing New.Net from your system there is a chance that you might lose your internet connection.
In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish" then reboot your computer, this should restore your internet access.
Please download LSPFix here: http://www.cexx.org/LSPFix.exe

Now please go Start > Run > Control Panel  
In the Add/Remove programs list, look for NewDotNet or New.Net and uninstall it.
If NewdotNet or New.Net is not listed in Add/Remove programs list, then please go to their site.
Scroll down to Procedure no.4 and follow the instructions in removing NewDotNet from your system.
http://www.newdotnet.com/removal.html

Also uninstall "MediaGateway" via Add/Remove programs list if its listed.
Avatar of burningmace
burningmace
Flag of United Kingdom of Great Britain and Northern Ireland image
There is a really good way to fix this problem. I got NewDotNet from some installer yesterday. Luckily I had my second machine on and able to back me up.

Here's how you fix it:

1) Get SpyBot: Search and Destroy. If you have no internet connection on the infected machine, then you need to manually download the update file from the website.
2) Run it.
3) Immunize the system.
4) Do a scan and remove all malware.

The internet connection should come back promptly.