trojan horse dialer

Viruses and worms
1

hi people. i just enountered a virus while i download a prog from a site. after that my connection to the internet was down and it say i have no connectivity or limited connectivity. Ever since, i got a RUNDLL error when i turn on my computer. it says
C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL the specific module could not be found.
im not sure what caused it but i ran a virus scan on PC Doorguard and it detected vr1.exe2bin. Im a total noob at computer virus so i hope someone would gladly help me. This problem has been bugging me for 3days…and still no connection to the internet. I read a few topics here and got hijackthis to do this scan.

Logfile of HijackThis v1.99.1
Scan saved at 10:38:18 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\Explorer.EXE
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Windows\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM..\Run: [webHancer Survey Companion] “C:\Program Files\webHancer\Programs\whSurvey.exe”
O4 - HKLM..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider ‘c:\program files\newdotnet\newdotnet3_88.dll’ missing
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

not sure how to read this tough…hopefully someone would help me with it. Thanks alot people.

2

Well you have stumbled on the support forums for avast and normally I would suggest that you run and avast boot-time scan but since you have AVG, that won’t work. It would also appear to be a browser hijacker/spyware.

A forums search for newdot also returns many hits.

Check out this link http://process.networktechs.com/newdot~1.dll.php

For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster Don’t install this until you are clean.
  4. Ewido Security Suite If using winXP. or a-Squared free if using win98/ME.
3

:slight_smile: Hi :

 Since AVG is your antivirus provider, it would be more
 appropiate to ask for help on THEIR forums at :

http://www.castlecops.com/f106-AVG_Topics.html .
4

Hallo nishimura,

Your hjt log has been analyzed here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html

Repair the red flagged ones, after you have downloaded Spybot Search & Destroy, to repair one of these.
You have Nw Dot Net malware & Web Enhancer foistware (survey.exe). So after you have run the programs that DavidR has proposed, repair the red ones in the hjt.de logfiles. The online analysis will be there on three consequent days from now.
If you like to switch from the AVG to Avast free version, you have to uninstall AVG and download the Avast home version, free for personal use. Remember always use ONLY one resident anti-virus product and software firewall. Hope your problems soon will be solved, and surf safe, and secure,

polonus aka Damian

5

wow thanks alot people for your replies ok i am gonna try out the programs that david has mentioned but one problem is how am i going to update the programs? my computer that is infected can’t have internet access at all.

EDIT: ok i did a spybot scan and it found 3 entries. Windows Security Centre.UpdateDisableNotify ,
Windows Security Centre.AntivirusDisableNotify and Windows Security Centre.FirewallDisableNotify. Should i fix these problems?

6

Hi nishimura,

These detections:

Windows Security Center.FirewallDisableNotify: Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

etc.

Indicate three of the setting within Windows Security Center have been turned off. Go into Start > Control Panel > Security Center > Resources (on the left hand side of the window – expand if necessary) > click “Change the way Security Center alerts me”. This brings up an “Alert Setting” window. There are three possible alerts:
Firewall
Alert me if my computer might be at risk because of my firewall settings
Automatic Updates
Alert me if my computer might be at risk because of my Automatic Updates settings
Virus Protection
Alert me if my computer might be at risk because of my virus protection software settings
I believe that you will find that the first and third alerts are turned off. For more of an explanation please see this post:
http://forums.spybot.info/showpost.php?p=216&postcount=2

polonus