#1
Gold Member
Join Date: Nov 2004
Age: 27
Posts: 365
hello!
I ran a spyware program in safe mode and removed some nasties from my machine; it then asked me to reboot to complete removal, which I did. Everything booted back up fine, but my wireless network will not work, so then I restored the spyware removal and it works fine. I think the problem is when I'm removing a program called newdot.net, but I have posted a log of the removal operation and would be grateful if someone could maybe troubleshoot a little and advise me of another way of getting rid of this thing without having any after effects on my wireless connections. The product I used is called SpySubtract and the log is as follows...

Machine=LAPTOP
Time=Sun Aug 07 22:06:14 2005
Product Version=3, 0, 0, 29
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning Programs in Memory
Finished Scanning
IE Plugins: Found '{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{53707962-6F74-2D53-2644-206D7942484F}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{BA52B914-B692-46c4-B683-905236F6F655}' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
IE Plugins: Found '{B56B682A-E143-46CB-95F6-9F2ADA5B4200}' in 'Software\Microsoft\Internet Explorer\URLSearchHooks'
IE Plugins: Found '{B56B682A-E143-46CB-95F6-9F2ADA5B4200}' in 'Software\Microsoft\Internet Explorer\URLSearchHooks'
Web Browser Security Settings: Found 'Start Page' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Default_Page_URL' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Default_Page_URL' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Default_Search_URL' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'CustomizeSearch' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Web Browser Security Settings: Found 'Local Page' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'DisableCachingOfSSLPages' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Web Browser Security Settings: Found 'WarnOnZoneCrossing' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Web Browser Security Settings: Found 'iexplore.exe' in 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
Web Browser Security Settings: Found 'msn' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ '
Web Browser Security Settings: Found 'Download ALL with IDA' in 'Software\Microsoft\Internet Explorer\MenuExt\Download ALL with IDA'
Web Browser Security Settings: Found 'Download with IDA' in 'Software\Microsoft\Internet Explorer\MenuExt\Download with IDA'
IE Downloaded Program Files: Found '' in 'C:\WINDOWS\Downloaded Program Files\ppctl.dll'
IE Downloaded Program Files: Found 'PPSDKActiveXScanner.MainScreen' in 'C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx,C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.INF'
IE Downloaded Program Files: Found 'Crucial cpcScan' in 'C:\WINDOWS\Downloaded Program Files\cpcscan.dll'
IE Downloaded Program Files: Found 'IntraLaunch.MainControl' in 'C:\WINDOWS\Downloaded Program Files\INTRALAUNCH.OCX,C:\WINDOWS\Downloaded Program Files\IntraLaunch.INF'
IE Downloaded Program Files: Found '' in 'C:\Program Files\Yahoo!\Common\yaddbook.dll'
IE Downloaded Program Files: Found 'Lycos File Upload Component' in 'C:\WINDOWS\Downloaded Program Files\FileUploader.dll,C:\WINDOWS\Downloaded Program Files\FileUploader.inf'
Layered Service Providers (LSP's): Found 'New.net UDP Chain' in 'C:\Program Files\NewDotNet\newdotnet6_38.dll'
Layered Service Providers (LSP's): Found 'New.net TCP Chain' in 'C:\Program Files\NewDotNet\newdotnet6_38.dll'
Layered Service Providers (LSP's): Found 'New.net TCP Filter' in 'C:\Program Files\NewDotNet\newdotnet6_38.dll'
Layered Service Providers (LSP's): Found 'New.net UDP Filter' in 'C:\Program Files\NewDotNet\newdotnet6_38.dll'
Windows Policy Settings: Found 'restrictanonymous' in 'SYSTEM\CurrentControlSet\Control\Lsa'
Windows Policy Settings: Found 'forceunlocklogon' in 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Services: Found 'gearsec' in ''
Services: Found 'LexBce Server' in ''
Windows Shell Settings: Found 'Browse with Paint Shop Pro 8' in 'SOFTWARE\Classes\Folder\shell\Browse with Paint Shop Pro 8'
Windows Shell Settings: Found 'DriveLetterAccess' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\DriveLetterAccess'
Windows Shell Settings: Found 'Trojan Remover' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Trojan Remover'
Windows Shell Settings: Found 'AntiVir/Win' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win'
Windows Shell Settings: Found 'SpySweeper' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper'
Windows Shell Settings: Found 'Trojan Remover' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Trojan Remover'
Windows Shell Settings: Found '{A70C977A-BF00-412C-90B7-034C51DA2439}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{5CA3D70E-1895-11CF-8E15-001234567890}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{7C9D5882-CB4A-4090-96C8-430BFE8B795B}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{5464D816-CF16-4784-B9F3-75C0DB52B499}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{32020A01-506E-484D-A2A8-BE3CF17601C3}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{52B87208-9CCF-42C9-B88E-069281105805}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED444F}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{792F0537-F929-4eb7-AC1D-FB6334C71550}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{1E9B04FB-F9E5-4718-997B-B8DA88302A48}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{FFB699E0-306A-11d3-8BD1-00104B6F7516}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Program Startup Areas: Found 'DadApp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'Dell QuickSet' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'PCMService' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'RemHelp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'RunMotive' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'DiskeeperSystray' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'BCMSMMSG' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'GSICONEXE' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'DSLAGENTEXE' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'DSLSTATEXE' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found '%FP%Friendly fts.exe' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'AVGCtrl' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'RealTray' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'SP2ConnPatcher' in 'S-1-5-21-501449678-2886101355-1413624805-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
Program Startup Areas: Found 'Steam' in 'S-1-5-21-501449678-2886101355-1413624805-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
--------------------------------- SpySubtract session ended ---------------------------------

cheers Mike
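The failure Mike describes has a concrete mechanism: the four 'New.net' items SpySubtract lists are Winsock Layered Service Providers, and if a cleaner deletes newdotnet6_38.dll while the Winsock catalog still chains through it, every socket operation on the machine fails, which is why the wireless connection stops working. The Python script below is an added diagnostic, not part of this thread or of any tool named in it: it parses the output of 'netsh winsock show catalog' (available from Windows XP SP2 onward) and lists catalog entries whose provider DLL is no longer on disk; the catalog text embedded in it is a constructed sample in that command's format.

```python
import os
import re
import subprocess

# Constructed sample of "netsh winsock show catalog" output (not from the
# thread); the New.net names and DLL path are those SpySubtract reported.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        New.net TCP Filter
Provider Path:                      C:\Program Files\NewDotNet\newdotnet6_38.dll
Catalog Entry ID:                   1007
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        New.net TCP Chain
Provider Path:                      C:\Program Files\NewDotNet\newdotnet6_38.dll
Catalog Entry ID:                   1008
"""

def parse_winsock_catalog(text):
    """One dict per catalog entry, built from its 'Key:   value' lines."""
    blocks = text.split("Winsock Catalog Provider Entry")[1:]
    return [dict(re.findall(r"^([A-Za-z ]+?):\s+(.*?)\s*$", b, re.M)) for b in blocks]

def find_dangling_entries(entries, exists=os.path.exists):
    """Entries whose provider DLL is gone. Deleting newdotnet6_38.dll without
    unchaining it leaves exactly this, and Winsock then fails for every program."""
    missing = []
    for e in entries:
        path = os.path.expandvars(e.get("Provider Path", ""))
        if not exists(path):
            missing.append((e.get("Catalog Entry ID"), e.get("Description"), path))
    return missing

if __name__ == "__main__":  # live catalog on Windows, the constructed sample elsewhere
    text = (subprocess.run(["netsh", "winsock", "show", "catalog"],
                           capture_output=True, text=True).stdout
            if os.name == "nt" else SAMPLE_CATALOG)
    for eid, desc, path in find_dangling_entries(parse_winsock_catalog(text)):
        print(f"dangling catalog entry {eid}: {desc} -> {path}")
    print("Repair: run 'netsh winsock reset' (XP SP2 or later) and reboot.")
```

A dangling entry is repaired by running 'netsh winsock reset' and rebooting, which rebuilds the catalog without the third-party providers rather than leaving a chain that points at a deleted DLL.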
#3
Gold Member
Join Date: Nov 2004
Age: 27
Posts: 365
Here's my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 6:02:33 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\LinkTheater\app\LinkTheater-server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mike\LOCALS~1\Temp\Rar$EX00.516\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcnutty.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcnutty.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: HyperSearchHook - {B56B682A-E143-46CB-95F6-9F2ADA5B4200} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DadApp] "C:\Program Files\Dell\AccessDirect\dadapp.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RemHelp] "remhelp.exe"
O4 - HKLM\..\Run: [RunMotive] ""
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] "BCMSMMSG.exe"
O4 - HKLM\..\Run: [GSICONEXE] "GSICON.EXE"
O4 - HKLM\..\Run: [DSLAGENTEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe " icon
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: LinkTheater.lnk = C:\Program Files\LinkTheater\app\LinkTheater-server.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097411585328
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\PCFormat\IntraLaunch.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/upl...leUploader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

BTW, I have tried running the newdot.net uninstaller, which makes me restart my machine, but it's still there on reboot. It must be some 3rd-party stuff I have downloaded in error, but I can't find out what.

regards Mike
#4
Diamond Member
Join Date: Jun 2005
Posts: 1,630
You should probably remove the following entries:

R3 - URLSearchHook: HyperSearchHook - {B56B682A-E143-46CB-95F6-9F2ADA5B4200} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RunMotive] ""
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab

[remove the following if you do not know what program this is for]
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200