
Help to remove spyware

Name: psoekhl
Date: February 3, 2004 at 05:25:44 Pacific
OS: Windows XP SP1
CPU/Ram: P3-1.2Ghz/1Gb
Comment:

Can someone please help me analyze my HijackThis logfile, because I suspect that there is spyware on my laptop.

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 10:03:02 AM, on 2/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\BMC Software\SmartDBA\bin\jk_nt_service.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\BMCSOF~1\SmartDBA\JRE\bin\java.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Oracle\Ora81\bin\dbsnmp.exe
C:\Oracle\Ora81\bin\vppdc.exe
C:\WINDOWS\System32\QCONSVC.exe
C:\WINDOWS\System32\ScsiAccess.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\AEIWLSTA.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Emoticons Mail\emomail.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSO97\Office\OSA.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Lotus\Notes\nlnotes.exe
C:\Lotus\Notes\naldaemn.exe
C:\Lotus\Notes\nwrdaemn.exe
C:\Lotus\Notes\nupdate.exe
C:\Lotus\Notes\nhldaemn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\GoxoZ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Nyy2.exe
C:\Temp\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/investments/portfolio/?&t=1073898981
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.30.254:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.10.10.20;hvgo.staatsolie.sr;10.10.10.1;10.10.30.3;10.20.10.15;10.10.10.5;http://hvgo.staatsolie.sr;10.10.10.102;ts_fl_01.staatsolie.sr;10.10.10.10;10.10.10.20;10.10.10.101;som_intranet;10.10.40.101;10.20.10.21;10.20.10.22;10.11.40.5;10.30.10.10;10.20.10.10;10.10.10.100;10.10.40.2;10.10.30.4;10.10.10.100;fltest1.staatsolie.sr;localhost;10.30.30.202;10.10.30.254;10.10.10.40;https://10.10.200.4;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.quicken.com/investments/portfolio/?ref=hp_nav&;&t=1029916161
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 200.1.157.8 pop1.sr.net
O1 - Hosts: 216.248.195.207 www.staatsolie.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {18084AB6-0622-4C7E-A536-E50398D5F563} - C:\WINDOWS\System32\pjgsh400.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: SuperBar - {FF317DB7-6D8B-4980-925E-FCC606BDB670} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Lryrg9f.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Emoticons Mail] C:\Program Files\Emoticons Mail\emomail.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSO97\Office\OSA.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A454840-7232-11D5-B63D-00C04FAEDB18} - http://ntapps/d7i/jinitiator/jinit11814.exe
O16 - DPF: {21157916-4D49-11D4-A3E0-00C04FA32518} - http://admin-a30p:3339/oem_webstage/java-plugin/install_win32.html
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.4686342593
O16 - DPF: {A97608DD-6999-11D5-9C8C-0010A4F2D6BF} (QCOMCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://hvgo.staatsolie.sr:8000/jinitiator/oajinit.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1040C89-0667-4262-9249-35FE151EE8FE}: NameServer = 10.10.10.10,10.10.10.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = flora
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = flora




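As an added example (not from the thread, the poster, or HijackThis itself), a small Python triage script that applies the kinds of checks the replies below make by hand to this log format: local-file start pages (R0/R1), unnamed BHOs (O2), orphaned toolbars (O3), Run entries with random-looking names (O4), the New.Net Winsock hijack (O10) and ActiveX downloads from unrecognised hosts (O16). The sample entries are copied from the log above; the allowlist of trusted download hosts is a constructed assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few entries copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
O2 - BHO: (no name) - {18084AB6-0622-4C7E-A536-E50398D5F563} - C:\WINDOWS\System32\pjgsh400.dll
O3 - Toolbar: SuperBar - {FF317DB7-6D8B-4980-925E-FCC606BDB670} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Lryrg9f.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.climaxbucks.com/internet-optimizer/080703/UniDistIOcrack.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
# Vendors whose O16 ActiveX downloads are accepted without review (constructed allowlist).
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "ibm.com")
LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.+)$")  # e.g. "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]")                  # value name of an O4 Run entry

def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)

def triage_line(line):
    # Returns (section, reason) when an entry deserves a look, else None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    if sect in ("R0", "R1") and "file://" in body:
        return sect, "IE start/search page redirected to a local file"
    if sect == "O2" and body.startswith("BHO: (no name)"):
        return sect, "unnamed browser helper object; identify the DLL"
    if sect == "O3" and body.endswith("(file missing)"):
        return sect, "toolbar registration whose file is gone (orphan)"
    if sect == "O4":
        r = RUN_RE.search(body)  # flag value names like [3SAHCS#4MABT@T]
        if r and not re.fullmatch(r"[\w .-]*", r.group("name")):
            return sect, "Run entry with a random-looking value name"
    if sect == "O10":
        return sect, "Winsock LSP hijack by New.Net; use its own uninstaller"
    if sect == "O16" and not host_is_trusted(body.rsplit(" - ", 1)[-1]):
        return sect, "ActiveX download from an untrusted host"
    return None

def triage(log_text):
    # Every finding keeps the original entry so the reader can look it up.
    hits = ((triage_line(l), l.strip()) for l in log_text.splitlines())
    return [(h[0], h[1], raw) for h, raw in hits if h]
```

Run against the sample it flags six of the eight entries and leaves the Sun Java updater and the Macromedia Flash download alone; the heuristics are a starting point for review, not a verdict.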

Response Number 1
Name: mamabear
Date: February 3, 2004 at 06:22:51 Pacific
Reply:

If you don't remove new.net completely, you could mess up your internet connection. Please follow the instructions here from the new.net site in order to completely remove it. After removing new.net and rebooting, you could run Ad-aware to clean up. Download Ad-aware Build 6.181 (free version) from here.
This link will tell you how to update your ref files (which you should do after installation and before each scan because they are updated frequently).
This link will tell you how to configure AAW for a full custom scan (when you click on "scan now", make sure "custom" is checked, not "smart"):
This link will tell you how to remove unwanted objects.




Response Number 2
Name: murve
Date: February 3, 2004 at 07:36:36 Pacific
Reply:

Hi Patrick,

Check to see if you have any FunWebProducts on your machine. (GoxoZ.exe)
Disable System Restore.
Unregister this DLL, f3ezsetp.dll, with Regsvr32 if it's on your machine, then reboot.

Remove these files (if present) in Windows Explorer:
do a search for:
00631b27
00631df6
00632009
00632190
006323c2
cursormaniabtn.html
f3ezsetp.dll
files.ini
mailstampbtn.html
mystationerybtn.html
notallow
smileycentralbtn.html

Also check these files out with Google, as you may have a keylogger in cisvc.exe, and you may have to delete some of these files:
pjgsh400.dll, stlbdist.DLL, newdotnet5_48.dll, stlbdist.DLL, SuperBar.Dll, LTSMMSG.exe,
AEIWLSTA.EXE, NEWDOT~1.DLL, Lryrg9f.exe, http://dload.ipbill.com/del/loader.cab, IEGetAll.htm

It would also be good if you ran Spybot, CWShredder and, like mamabear said, Ad-aware.
Also download a free copy of A2 anti-trojan; you can link to it by going to www.thepublicworks.com and hitting Ants anti-trojan.
After following the instructions above, you will still need to do a system restore.

hope this helps,
murve



Response Number 3
Name: Jennifer SUMN
Date: February 4, 2004 at 07:01:47 Pacific
Reply:

Adaware. :)

www.lavasoft.com


