Tech Support Forum - View Single Post - need help with "dwdsregt.exe" and "NEWDOT~1.DLL"

Vikesrock8411 · 08-06-2006, 02:15 AM

Hello and welcome to TSF

I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
LSPFix- Save it to a permanent folder. It is highly unlikely that you will need this program, but it is important to have it on hand in case you do. There is a very small chance that after removing New.Net, you may lose your internet connection. If this occurs, close all windows and run the LSPfix tool that you downloaded. Check "I know what I'm doing" and select all entries related to New.Net. Then click >> and remove all entries related to New.Net. Click "Finished".

Cleanup!- Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Ewido Anti-Spyware

Install Ewido Anti-Spyware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Please download the Suspicious File Packer. Unzip it your Desktop

Double click on sfp.exe to run it. Paste the following text into the box that pops up.

C:\WINDOWS\msndn.exe
C:\WINDOWS\System32\RpcSs.exe
C:\WINDOWS\winsock\csrss.exe

Then click continue. It will create a file called requested-files[Date and Time].cab Please upload that file here.

Services
Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Remote Procedure Call (RPC) Service
Double-click on it to open the Properties dialog.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button

Repeat this for the following services:
Microsoft Networks DN
Windows TCP/IP Socket Driver

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in RpcSssvc & then click on the OK button

Repeat this for:
winsck
msndn

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Add/Remove Programs
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
NewDotNet or New.Net

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDO WS\winsock\csrss.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [{1F-F4-4A-A0-ZN}] c:\windows\system32\dwdsregt.exe GID003
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\NewDotNet
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\msndn.exe
C:\WINDOWS\System32\RpcSs.exe
C:\WINDOWS\winsock\csrss.exe

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked.

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted. If prompted to reboot, click No.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:

Panda Activescan Log
Ewido Log
A new Hijackthis! Log

08-06-2006, 02:15 AM	#3 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Hello and welcome to TSF I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Downloads(make sure to save these in a permanent location) LSPFix- Save it to a permanent folder. It is highly unlikely that you will need this program, but it is important to have it on hand in case you do. There is a very small chance that after removing New.Net, you may lose your internet connection. If this occurs, close all windows and run the LSPfix tool that you downloaded. Check "I know what I'm doing" and select all entries related to New.Net. Then click >> and remove all entries related to New.Net. Click "Finished". Cleanup!- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. Ewido Anti-Spyware Install Ewido Anti-Spyware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Please download the Suspicious File Packer. Unzip it your Desktop Double click on sfp.exe to run it. Paste the following text into the box that pops up. C:\WINDOWS\msndn.exe C:\WINDOWS\System32\RpcSs.exe C:\WINDOWS\winsock\csrss.exe Then click continue. It will create a file called requested-files[Date and Time].cab Please upload that file here. Services Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Remote Procedure Call (RPC) Service Double-click on it to open the Properties dialog. Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Repeat this for the following services: Microsoft Networks DN Windows TCP/IP Socket Driver Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in RpcSssvc & then click on the OK button Repeat this for: winsck msndn Next, please reboot your computer in SafeMode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. Viewing Hidden Files Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Add/Remove Programs Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: NewDotNet or New.Net HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDO WS\winsock\csrss.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [{1F-F4-4A-A0-ZN}] c:\windows\system32\dwdsregt.exe GID003 O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe (file missing) O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing) O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing) Please remember to close all other windows, including browsers then click Fix checked. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\NewDotNet c:\windows\system32\dwdsregt.exe C:\WINDOWS\msndn.exe C:\WINDOWS\System32\RpcSs.exe C:\WINDOWS\winsock\csrss.exe Tools Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked. Click OK Press the CleanUp!* button to start the program. Reboot/logoff when prompted. If prompted to reboot, click No. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. Reboot your system in Normal Mode. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan In your next post please include: Panda Activescan Log Ewido Log A new Hijackthis! Log __________________