Infected: no internet connection, sys restore doesn't work etc.

Hello forum))
I’ve run into a serious problem with two of our computers.
First of all, I have Win XP SP2 here + avast Home Edition, updated.
One fine day, I got a phone call saying that two of our PCs at work had broken down. Both of them had similar problems: first off, the internet connection wouldn’t work and the Network Connections panel won’t open (just a blank Explorer screen); start-up takes about 3 min, even in safe mode; System Restore won’t work, saying something about the system not being secure and blah…; on one of the PCs I found a modified hosts file, blocking all of the AV sites; Explorer won’t work later on (hanging up every time I try to open My Computer); the system got very unstable and eventually completely unusable.

I have scanned the system with HijackThis, Ewido, Spybot, Avast itself and its freeware cleaner tool. NONE of them showed that something is wrong.
Then I reinstalled Windows over the previous installation (upgrade mode) - didn’t help much, still no internet, weird behaviour.

P.S.: I’ve looked up Avast’s logs and noticed that it had removed new.net (whatever it’s called) during the full scan. I’m aware of the problems that adware might cause, so I have successfully uninstalled it - no effect on the internet connection, still doesn’t work.

IS THERE A WAY TO SAVE THE SYSTEM WITHOUT FORMAT C: ?
Any help would be very appreciated!
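
Since a hosts file modified to block the AV sites was one of the symptoms on the first machine, here is an added Python example (not code from this thread or from avast) that audits a hosts file the way a responder would: every name other than localhost is reported, names under a vendor watchlist are called out separately, and a localhost entry pointing anywhere but loopback is flagged too. The watchlist (only avast.com is taken from the thread; the rest are assumed entries), the constructed sample file and the `audit_hosts` / `on_watchlist` names are this example's own assumptions; the hosts path is the standard XP location.

```python
"""Audit a Windows hosts file for entries that redirect names away from DNS.
Added example for this thread; not code from the forum or from avast.
"""
import sys

# Assumption: the only name a stock Windows XP hosts file maps. Anything else
# on a machine whose owner never edited the file deserves a look.
EXPECTED_LOCAL = {"localhost"}

# Addresses that silently swallow a connection.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Watchlist of security-vendor domains. avast.com is the only one taken from
# the thread; the others are assumed entries of the kind such a list would hold.
VENDOR_WATCHLIST = ("avast.com", "ewido.net", "safer-networking.org",
                    "windowsupdate.com")

# Standard location of the hosts file on Windows XP.
DEFAULT_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: two vendor sites sinkholed to loopback, one update host
# nulled, and one unrelated name pinned to a LAN address.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.avast.com
127.0.0.1       forum.avast.com   # added after the infection
0.0.0.0         update.ewido.net
10.0.0.5        www.example.com
"""


def on_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_WATCHLIST)


def audit_hosts(text):
    """Return (line_no, hostname, address, reason) for every suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # malformed; the resolver ignores it
        addr, names = parts[0], parts[1:]
        for name in names:                      # one address may map several names
            host = name.lower().rstrip(".")
            if host in EXPECTED_LOCAL:
                if addr not in ("127.0.0.1", "::1"):
                    findings.append((line_no, host, addr, "localhost remapped"))
                continue
            if on_watchlist(host):
                reason = "security-vendor domain redirected"
            elif addr in SINKHOLES:
                reason = "non-local name sinkholed"
            else:
                reason = "non-local name pinned to " + addr
            findings.append((line_no, host, addr, reason))
    return findings


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise the given file
    # (for example DEFAULT_HOSTS on the affected machine).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, host, addr, reason in audit_hosts(text):
        print(f"line {line_no}: {host} -> {addr} ({reason})")
```

Run it with no argument to see the findings for the sample, or pass the path of the real hosts file to audit a live machine; since both PCs showed the same symptoms, it is worth running on both. A line mapping a vendor name to 127.0.0.1 is the quickest explanation for "the AV site won't load" and is something a scanner that only looks at files and registry Run keys will not report.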

Check out this topic http://forum.avast.com/index.php?topic=21608.0 and also do a forums search for newdotnet.

Sorry for being stupid, but are you really sure new.net could cause such a disaster?
And say I didn’t remove it properly (I’ll look into it now), how do I know it’s the only nasty thing that is left? How can I be sure my system is not totally exploited?
Forgot to mention, Windows still takes 2-3 min to boot up.
Sorry again if I didn’t grasp something right away - I’m really tired - 7 hours of troubleshooting…

edit:
Now I have installed the video card drivers and rebooted, and the computer got back into the same state as it was: buggy GUI, windows disappearing, long system boots, desktop icons disappeared, Explorer doesn’t work…

Just read the posts (and associated links) in the link I gave, which show that it integrates itself and, if improperly removed, it breaks the Winsock connection set-up.

http://www.cexx.org/newnet.htm

Thank you for your time!
Still no luck(((
Read that link you gave me (I think I’ve already seen it before), ran LSPfix and it didn’t show any components under the Remove tab.

I have noticed that if I leave the computer for 5-10 min then it will unfreeze and Explorer will open…

PS:
My point was, how can a broken internet stack cause such a mess in system start-up and behaviour? I still didn’t get it. You don’t suppose this could be a virus, especially if it popped up on the same day on two computers joined into a LAN?

Thank you for trying to help!

I don’t know; I was thinking that if you had a direct internet connection which is trying to be established, and there was a problem, perhaps that may cause delays, although this is an area in which I don’t have much experience.

Same problem. avast! picked up the following files on boot scan:

A0007354.dll
A0012485.EXE
A0025411.exe
A0025433.dll
A0026273.exe
A0027084.dll
A0027087.exe
NDNuninstall7_22.exe
newdotnet7_22.dll
trz3.tmp
uninstall7_22.exe

I added them to the chest, tried e-mailing them to Avast, and then deleted them - to no avail.

If avast detected them there is little reason to email them to avast, unless you have tested and believe one or more was a false positive detection.

Once in the chest they can do no harm and should it be necessary they can be recovered. So there is little point in sending them to the chest only to delete them from there immediately.

There is no rush to delete anything from the chest, they can’t do any harm there. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Have you read the other information in the links I gave about repairing Winsock (LSPfix)?

Yeah, and that program didn’t help me either. I tried Ewido too. Here are the reports it gave:

ewido anti-malware - Connection report

  • Created on: 8:11:56 PM, 6/13/2006
  • Report-Checksum: DFFEB32B

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING
TCP 192.168.1.100:1037 192.168.1.101:445 SYN_SENT
TCP 192.168.1.100:1038 192.168.1.101:139 SYN_SENT
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1025
UDP 0.0.0.0:4500
UDP 127.0.0.1:123
UDP 127.0.0.1:1900
UDP 192.168.1.100:123
UDP 192.168.1.100:137
UDP 192.168.1.100:138
UDP 192.168.1.100:1900


ewido anti-malware - Process report

  • Created on: 8:12:28 PM, 6/13/2006
  • Report-Checksum: 7968F3CE

    0: System Process
    4: System Process
    188: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    252: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    496: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    508: C:\WINDOWS\system32\Ati2evxx.exe
    544: \SystemRoot\System32\smss.exe
    608: ??\C:\WINDOWS\system32\csrss.exe
    636: ??\C:\WINDOWS\system32\winlogon.exe
    684: C:\WINDOWS\system32\services.exe
    696: C:\WINDOWS\system32\lsass.exe
    740: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    832: C:\WINDOWS\system32\Ati2evxx.exe
    860: C:\WINDOWS\system32\svchost.exe
    908: C:\WINDOWS\Explorer.EXE
    960: C:\WINDOWS\system32\svchost.exe
    1020: C:\WINDOWS\System32\svchost.exe
    1080: C:\WINDOWS\system32\svchost.exe
    1176: C:\WINDOWS\system32\svchost.exe
    1256: C:\WINDOWS\system32\wbem\wmiprvse.exe
    1416: C:\WINDOWS\system32\spoolsv.exe
    1532: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    1544: C:\Program Files\Alwil Software\Avast4\ashServ.exe
    1596: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    1632: C:\WINDOWS\system32\wdfmgr.exe
    1696: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    1812: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    1816: C:\Program Files\ewido anti-malware\securitysuite.exe
    2120: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2128: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    2156: C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    2212: C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    2224: C:\Program Files\HPQ\SHARED\HPQWMI.exe
    2300: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    2484: C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    2604: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    2628: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    2664: C:\Program Files\Filseclab\xfilter\xfilter.exe
    2732: C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    2852: C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
    2876: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    2952: C:\WINDOWS\system32\svchost.exe
    3048: C:\Program Files\Common Files\Filseclab\FilMsg.exe
    3400: C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    3880: C:\Program Files\ewido anti-malware\ewidoguard.exe
    3916: C:\Program Files\ewido anti-malware\ewidoctrl.exe


ewido anti-malware - Startup report

  • Created on: 8:11:29 PM, 6/13/2006
  • Report-Checksum: BE3F9102

Reg\HKLM\Run ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Reg\HKLM\Run hpWirelessAssistant C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
Reg\HKLM\Run SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Reg\HKLM\Run SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Reg\HKLM\Run HP Software Update C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run eabconfg.cpl C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
Reg\HKLM\Run Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
Reg\HKLM\Run LSBWatcher c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
Reg\HKLM\Run Logitech Hardware Abstraction Layer KHALMNPR.EXE
Reg\HKLM\Run ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Reg\HKLM\Run CXMon "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Reg\HKLM\Run Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Reg\HKLM\Run ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Reg\HKLM\Run ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
Reg\HKLM\Run avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Reg\HKLM\Run XFILTER "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
Reg\HKLM\Run ViewpointPhotosDeviceConnect C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Shell\CommonStartup Filseclab Messenger.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Filseclab Messenger.lnk
Shell\CommonStartup Logitech SetPoint.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
Shell\UserStartup Shortcut to trillian.lnk C:\Documents and Settings\daniel\Start Menu\Programs\Startup\Shortcut to trillian.lnk
Shell\UserStartup Stardock ObjectDock.lnk C:\Documents and Settings\daniel\Start Menu\Programs\Startup\Stardock ObjectDock.lnk


ewido anti-malware - Scan report

  • Created on: 7:43:46 PM, 6/13/2006
  • Report-Checksum: 77876222
  • Scan result:

    HKU\S-1-5-21-2648525484-1391294234-3797359651-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} → Adware.Generic : Cleaned with backup
    C:\WINDOWS\NDNuninstall6_38.exe → Adware.NewDotNet : Cleaned with backup

::Report End


ewido anti-malware - Scan report

  • Created on: 8:08:58 PM, 6/13/2006
  • Report-Checksum: 862C4C22
  • Scan result:

    C:\Program Files\NewDotNet → Adware.NewDotNet : Cleaned with backup
    C:\Program Files\NewDotNet\uninstall6_38.exe → Adware.NewDotNet : Cleaned with backup

::Report End
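
The connection report posted above is the part of these reports worth reading before deciding whether more than NewDotNet is involved, because it answers the earlier question about two LAN machines failing on the same day better than the file list does. Here is an added Python example (not code from ewido or from anyone in this thread) that parses that report format and pulls out the two things a responder checks first: sockets listening on a non-loopback address, and half-open (SYN_SENT) attempts to the file-sharing ports 139/445 on other LAN hosts, grouped by peer. The sample input is the report copied from above; the function names `parse_connections`, `triage` and `peers_by_share_attempts` and the port list are this example's own. A half-open attempt to a peer's 139/445 can be as innocent as a mapped drive on a machine that is switched off, so the output is a list to review on both PCs, not a verdict.

```python
"""Parse an ewido-style connection report (netstat-like lines) and list what
to review first.  Added example for this thread; not ewido's or the forum's
own code.
"""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")

# One socket per line: "TCP laddr:lport raddr:rport STATE" or "UDP laddr:lport".
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)(?:\s+(\S+):(\d+)\s+(\S+))?$")

LOOPBACK = {"127.0.0.1", "::1"}
SHARE_PORTS = {139, 445}          # NetBIOS session service / SMB over TCP

# Input copied from the connection report posted in the thread above.
SAMPLE_REPORT = """ewido anti-malware - Connection report

  • Created on: 8:11:56 PM, 6/13/2006
  • Report-Checksum: DFFEB32B

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING
TCP 192.168.1.100:1037 192.168.1.101:445 SYN_SENT
TCP 192.168.1.100:1038 192.168.1.101:139 SYN_SENT
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1025
UDP 0.0.0.0:4500
UDP 127.0.0.1:123
UDP 127.0.0.1:1900
UDP 192.168.1.100:123
UDP 192.168.1.100:137
UDP 192.168.1.100:138
UDP 192.168.1.100:1900
"""


def parse_connections(text):
    """Return a Conn for every socket line; headers, bullets and blanks are skipped."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append(Conn(proto, laddr, int(lport), raddr,
                          int(rport) if rport is not None else None,
                          state if state is not None else ""))
    return conns


def triage(conns):
    """Flag non-loopback listeners and half-open connections to share ports."""
    findings = []
    for c in conns:
        # UDP lines carry no state; a bound UDP socket is a listener.
        listening = c.proto == "UDP" or c.state == "LISTENING"
        if listening and c.laddr not in LOOPBACK:
            findings.append(("listener", c.proto, c.laddr, c.lport))
        if c.state == "SYN_SENT" and c.rport in SHARE_PORTS:
            findings.append(("half-open-share", c.proto, c.raddr, c.rport))
    return findings


def peers_by_share_attempts(findings):
    """Group half-open share attempts by remote host.  One peer with a stale
    mapped drive looks very different from a machine touching many peers."""
    peers = defaultdict(set)
    for kind, _proto, host, port in findings:
        if kind == "half-open-share":
            peers[host].add(port)
    return {host: sorted(ports) for host, ports in peers.items()}


if __name__ == "__main__":
    found = triage(parse_connections(SAMPLE_REPORT))
    for item in found:
        print(*item)
    print("peers with half-open share attempts:", peers_by_share_attempts(found))
```

On the posted report this yields ten non-loopback listeners (all standard XP services: SMB, NetBIOS, IPsec/IKE, NTP, SSDP) and two half-open attempts, both to the single peer 192.168.1.101 on 139 and 445, which is what a stale mapped drive to the other broken PC would look like. The reading changes if the same script run on the other machine, or on a later report, shows attempts fanning out to many LAN addresses.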