Security Software Malware problem

Renegade

Sorry for hijacking this thread, but I too have a problem with a malware that isn't getting detected by any of Spyware Doctor, Ad-Aware, or Spybot.

Earlier I had dialup. So whenever I used to connect to the net, many instances of a certain process 'hole owns.exe' used to initialise and then after a while they disappeared. Until then no new program would launch, as if the PC was hung. I couldn't remove the malware, which, as identified by bladerunner, was some 'lop'. I guess it gets installed while browsing warez sites. Not to mention I never had any antivirus or firewall.

Now that I have DSL (and even an antivirus and firewall), I have a different problem: there is one process which just launches on its own (even after I close it manually) and consumes all the processor time. It is 'sixth ping beep.exe'. I also managed to get a fleeting peek at 'hide.exe' before it automatically disappeared from the Task Manager window.

Ah yes, HijackThis log attached.
 


ren: I know little about these viruses and trojans, but I think Messenger Plus is what is at the root of your problem (info courtesy of batty aka it_waaznt_me).

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll

This is one thing I found in your HijackThis log.

Here is some info:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094853

And this should cure it:
http://securityresponse.symantec.com/avcenter/FxNdotN.exe
http://www.cexx.org/LSPFix.exe

I am looking for more.
 
Ah .. Renegade .. Please split your problem to a separate thread .. Or this will create confusion .. And btw .. Where is the HijackThis logfile attached .. ? I can't see it .. And I can't find the Report button .. Is it all because of winter ..?
 
The file is the renegade.txt attached at the end. And if you can't find the Report button then it must be winter. :bleh:
 
@renegade: I sent your log file to batty. Let's wait and see what he comes up with; he was telling me about a lot of crap things in your log (Yahoo chat).
 
Cool .. Now first understand how you got this problem .. Lop.com is installed by Messenger Plus (Yeah .. I hope it wasn't a shocker for you) .. And you have more than just Lop on your system .. So remove them one by one ..
First do this :
Start > Run > Appwiz.cpl <Press Enter>
Now in Add Remove Programs applet, Uninstall :
NewDotNet
Reboot, post a fresh logfile ..
 
OK renegade, also follow batty's method too.

c:\docume~1\r4575~1.xs-\applic~1\procwin\Sixth Ping Beep.exe LOP

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll NewDotNet

O2 - BHO: (no name) - {B77B9F18-C8EF-77E3-30C8-001A68BCD0D2} - C:\DOCUME~1\R4575~1.XS-\APPLIC~1\MEOW2S~1\bitssect.exe LOP
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
(Is this known to you? I do not know about it.)


O4 - HKLM\..\Run: [blue name new rdr] C:\Documents and Settings\All Users.WINDOWS\Application Data\SOFTWAREDVDBLUENAME\Hide hold.exe LOP

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -sNewDotNet

O4 - HKCU\..\Run: [gpl audio] C:\DOCUME~1\R4575~1.XS-\APPLIC~1\procwin\Hold Peak.exe LOP
O10 - Hijacked Internet access by New.Net NewDotNet
O10 - Hijacked Internet access by New.Net NewDotNet
O10 - Hijacked Internet access by New.Net NewDotNet
O10 - Hijacked Internet access by New.Net NewDotNet
O10 - Hijacked Internet access by New.Net NewDotNet

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
(Is this known to you? I do not know about it.)


O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe (file missing)

These are the problems I found in your log.

First things first: you have Messenger Plus installed and also DAP installed; I would advise uninstalling them.

Scan and clean with Spybot S&D, Ad-Aware SE, and Microsoft AntiSpyware Beta. Yes, all three.

And then, if you have ToniArts EasyCleaner and System Mechanic, also scan with them and fix any registry problems.

I hope this helps you.
I am going off home now; will look back in the morning.
Leaving an offliner to batty to help you out more when he is online.
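As an added example (my own code, not a tool from this thread and not part of HijackThis), here is a small Python triage helper that reads HijackThis-style log lines like the ones quoted above and sorts them into the categories the reply uses: O10 Winsock LSP hijacks, NewDotNet leftovers, Run/BHO entries executing out of a profile's Application Data folder (the Lop pattern), third-party ActiveX downloads (O16) to double-check, and orphaned "(file missing)" entries. The sample input is the log excerpt quoted in this post plus the benign SiSUSBRG line; the regexes, tag names and the Finding structure are my own assumptions, not HijackThis output.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Input: lines copied from the HijackThis log posted in this thread (including the
# benign SiSUSBRG entry) so the helper runs offline on realistic data.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll
O2 - BHO: (no name) - {B77B9F18-C8EF-77E3-30C8-001A68BCD0D2} - C:\DOCUME~1\R4575~1.XS-\APPLIC~1\MEOW2S~1\bitssect.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [blue name new rdr] C:\Documents and Settings\All Users.WINDOWS\Application Data\SOFTWAREDVDBLUENAME\Hide hold.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [gpl audio] C:\DOCUME~1\R4575~1.XS-\APPLIC~1\procwin\Hold Peak.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    tag: str       # short triage category (names assumed here)
    detail: str    # why the line was flagged
    line: str      # the original log line


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Per-user application-data folders, in long and 8.3 short-name forms.
PROFILE_DATA_RE = re.compile(r"APPLIC~1|Application Data", re.IGNORECASE)
# NewDotNet / New.net artefacts as they appear in this log (BHO, Run key, LSP).
NEWDOTNET_RE = re.compile(r"NewDotNet|New\.net|NEWDOT~", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def classify(section, body):
    """Return (tag, detail) for one entry, or None if nothing stands out."""
    if section == "O10":
        # O10 is the Winsock LSP chain; a broken chain kills connectivity, so it
        # is repaired with an LSP tool rather than by deleting the DLL.
        return ("lsp-hijack", "Winsock LSP chain modified; repair with an LSP tool, not by deleting the DLL")
    if NEWDOTNET_RE.search(body):
        return ("newdotnet", "NewDotNet component still registered")
    if section in ("O2", "O4") and PROFILE_DATA_RE.search(body):
        return ("lop-style-autostart", "BHO/Run entry executing from a profile's Application Data folder")
    if section == "O16":
        m = URL_RE.search(body)
        host = urlparse(m.group(0)).hostname if m else "?"
        return ("review-activex", f"third-party ActiveX control downloaded from {host}; confirm it is wanted")
    if body.endswith("(file missing)"):
        return ("orphaned", "registered component whose file no longer exists; clean-up only")
    return None


def triage(log_text):
    """Parse every 'Onn - ...' line and collect the ones worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        verdict = classify(section, body)
        if verdict:
            findings.append(Finding(section, verdict[0], verdict[1], line))
    return findings


def count_by_tag(findings):
    """Summary of how many findings fall into each triage category."""
    counts = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.tag:20}] {f.section}: {f.detail}\n    {f.line}")
    print(count_by_tag(results))
```

On the sample above this flags eight of the nine lines and leaves the SiSUSBRG entry alone; the "orphaned" and "review-activex" tags are deliberately separate from the others so that leftover entries and legitimate third-party controls are not mixed in with the actual infection.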
 
O4 - HKLM\..\Run: [blue name new rdr] C:\Documents and Settings\All Users.WINDOWS\Application Data\SOFTWAREDVDBLUENAME\Hide hold.exe

Type msconfig in Run, go to the Startup tab,

Delete that entry,

Turn System Restore off,

Reboot

Delete file from the path (If possible from safe mode)

Hope this solves your problem :)

For future protection I would recommend some other version of AV and a robust firewall.
 
It's not that easy ..
Renegade .. NewDotNet is still on your system .. When it's not going from Add/Remove, we'll take other measures .. First, to remove Lop from your system, download this and disable System Restore. Then run the tool .. It will remove Lop.com from your system .. Reboot and post a fresh log, from which we will remove NewDotNet ..
 
Yes, it is still there. I can't find it in Add/Remove though.

Well, the first thing I do after installing XP is disable System Restore, so it's always off.
OK, I can't download that tool which you gave, and there is no suspicious entry in Add/Remove.
Attaching the latest HijackThis log.
 
