Avast WEBforum

Other => Viruses and worms => Topic started by: [QEH]Nick on June 12, 2006, 10:08:14 AM

Title: NEWDOTNET Nuisance
Post by: [QEH]Nick on June 12, 2006, 10:08:14 AM
AVAST this morning is preventing internet access by blocking the file NEWDOTNET7_22.dll.

This is definitely a false positive yet it is reported as adware.
Title: Re: NEWDOTNET False positive
Post by: [QEH]Nick on June 12, 2006, 10:19:34 AM
In the meantime I've added it to an exclusion list.
Title: Re: NEWDOTNET False positive
Post by: ..::ReVaN::.. on June 12, 2006, 10:30:14 AM
Read this link...

http://www.pchell.com/support/savenow.shtml
Title: Re: NEWDOTNET False positive
Post by: [QEH]Nick on June 12, 2006, 10:43:21 AM
Yes, I realise it's spyware, but removal / blocking of it prevents users accessing some network based applications etc.

Any idea why?
Title: Re: NEWDOTNET False positive
Post by: chocholo on June 12, 2006, 11:14:05 AM
Quote
Any idea why?

Because of its aggressive system integration, repair Winsock with http://www.cexx.org/lspfix.htm.
Title: Re: NEWDOTNET False positive
Post by: Vlk on June 12, 2006, 11:35:10 AM
Nick, how many machines does this apply to? (in your case)

AFAIK avast should be removing the associations (e.g. LSP) automatically.
It would be useful to know what exactly failed to be removed - this way we'll be able to improve the removal in the next update.



Thanks
Vlk
Title: Re: NEWDOTNET False positive
Post by: [QEH]Nick on June 12, 2006, 12:29:40 PM
The actual DLL mentioned earlier cannot be removed as it's in use.
A boottime scan gets rid of it.

Once I've done this, I can then run the fix mentioned earlier (many thanks for that tip).
This restores the PC to functionality.

Still trying to puzzle out how it got on the users' PCs though. They all deny installing anything (they would though).
Title: Re: NEWDOTNET False positive
Post by: Vlk on June 12, 2006, 01:38:28 PM
Quote
The actual DLL mentioned earlier cannot be removed as it's in use.
A boottime scan gets rid of it.


Did you try simply deleting the file with the "delete during next reboot" option? (i.e. not running a boot-time scan, but rather simply setting the action to delete after reboot)?


Thanks
Vlk
Title: Re: NEWDOTNET False positive
Post by: [QEH]Nick on June 12, 2006, 01:52:31 PM
Yes I did, unfortunately this did not seem to work.

Boot time scan is just as fast, especially if I limit it to just the NEWDOTNET folder.
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 12, 2006, 03:16:32 PM
Hello folks,

I do not like the subject title here. This could lead people to believe that NEWDOTNET or Webhancer are FPs and therefore harmless; this is malicious so-called foistware or trackware. Read here:
http://www.cexx.org/newnet.htm
And if you try to remove it in a wrong manner, you can run into serious trouble. It is the most prevailing infection lately that victims of this malware here ask to be helped with to conquer. Trojan downloaders and this kind of aggressive adware spreading "stuff" is the main menace to users of the Internet today.
All BHOs or plug-ins that try to hijack your machine are imo malware ad hoc, and no FPs or harmless services. That is the same as calling SpyBouncer a good anti-malware solution for spyware. No, it is rogue, and does not belong on a clean machine.

What are the affiliates, what is the problem with so-called "grey-nets", and where big money and Zango come in, you can read from here: http://blog.spywareguide.com/2006/06/botnet_installer_launches_zang.html
If you read that carefully, you can come up with your own conclusions.


polonus
Title: Re: NEWDOTNET False positive
Post by: igor on June 13, 2006, 12:31:34 AM
Quote
Yes I did, unfortunately this did not seem to work.

So, even if you asked avast! to delete the file and checked the "Delete locked files on the next reboot" option - you still got the message that it cannot be done since the file is in use?
Title: Re: NEWDOTNET Nuisance
Post by: [QEH]Nick on June 13, 2006, 03:02:40 PM
Yes, after it had rebooted, Avast detected the malware again.

This led me to do a boot scan to be sure.
Title: Re: NEWDOTNET Nuisance
Post by: igor on June 13, 2006, 03:22:37 PM
That's not really what I meant.
I thought that you chose "Delete file" from an ordinary Windows scan, checked the "If necessary, delete file(s) at the next system start" - but got an error message that it cannot be done since the file is in use, or something like that...
Title: Re: NEWDOTNET Nuisance
Post by: dscomp on June 15, 2006, 07:03:41 AM
This is real nasty stuff. Even if you remove the program from your PC you can still end up with no internet access (as noted) & I've had no less than 3 machines affected by it that I've decided to format (haven't tried the winsock fix as yet, however I don't have a high success rate with these types of programs).

Anyone know how this crap gets on the PC to start with? I've had customers infected by it after only 2 weeks of buying a new PC & they are hardly the types that would visit dodgy websites that might install this stuff automatically?
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 15, 2006, 08:17:47 AM
Hi dscomp,

It comes with other stuff, they used to offer a 5- to 10-cent "bounty" for each copy of New.Net you installed; that's why it was bundled with a lot of other programs. The bounty program was discontinued, however.

If the above mentioned instruction in this thread should not work, which we doubt, the easiest way to delete New.Net is to do the following:

1. remove it using "Add/remove" programs
2. if still not working, remove the WinSock and WinSock2 registry keys from CurrentControlSet
3. Go to network settings on win98 or on 2000/XP, just go into the properties of your network connection and if possible, remove tcp/ip. On XP this is impossible, so ignore this step
4. Add new service. If you're not on XP, just reinstall tcp/ip. On XP, select "have disk" and point it at C:\windows\inf. Then select tcp/ip and install it
5. clean up any newdotnet files lying around. Here you also could use a hjt log, pre-analyzed.
Optional: 6. Join a class-action lawsuit against the company that makes this piece of crapware. No one in his right mind knows why lawmakers tolerate this sort of Internet-harassment.

Be aware that these steps can cause problems with programs like cyber-sitter or firewalling programs that modify the networking stack. Do this then at your own risk.

This is very prolific.
Title: Re: NEWDOTNET Nuisance
Post by: dscomp on June 15, 2006, 09:39:41 AM
Thanks polonus. I won't be surprised to get more of these & will see if this workaround can save some time.
Title: Re: NEWDOTNET Nuisance
Post by: noz on June 15, 2006, 04:20:05 PM
To solve issue, just do start/run and type in
netsh winsock reset
Hit ok and reboot, will be OK.

no more manipulations are needed....

We got about 60-70 customers with this issue, all of them solved the issue with this manipulation.
Title: Re: NEWDOTNET Nuisance
Post by: Spiritsongs on June 15, 2006, 04:47:50 PM
 :)  Hi all ( and Noz ) :

     As I said in the other thread, "netsh winsock reset" works
     ONLY if one has Win XP SP2 .
Title: Re: NEWDOTNET Nuisance
Post by: noz on June 15, 2006, 05:50:44 PM
yeah you're right in extremes.

But as the problem seems to be in close relation with the SP2 firewall, I supposed that this issue can only appear with SP2?? perhaps I'm wrong!

we didn't have any customers with this problem under any other OS....

can anyone here tell me if he had this under SP1 or something else?

by the way thx all for infos, I need a maximum of information to answer our cust's questions  ;)
Title: Re: NEWDOTNET Nuisance
Post by: Spiritsongs on June 15, 2006, 07:59:49 PM
 :)  Hi Noz :

      If one has Win XP SP1, then use the "Winsockfix" program
      instead of the "netsh winsock reset" command.
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 15, 2006, 10:17:05 PM
Hi noz,

This is the golden tip. After cleaning out the newdotnet with x-cleaner micro from here: http://www.xblock.com/download-freeware.php (Do not forget to back up the registry), I rebooted the computer and lost both the browser and mail internet connections. Happily the man had Win XP SP2 installed. So I went via start to the command line prompt and gave in the magical "netsh winsock reset" (without brackets), and instantly after the enter it got the connection reset and working again.
So I can state after what I have experienced tonight, that this works beautifully. Chapeau "noz", you are a promising malware fighter. Thanx. Else I would have used lspfix from a mem stick.
Open my computer, double click, and run from that partition.

But again "netsh winsock reset" is the easiest and most elegant of various solutions, at least on XP SP2.

Good work noz, I remember the victim of Newdotnet after he saw his Internet connection back. "How did you do that?"
I responded: "Just some magical word from a very good anti-virus forum". The nicest thing is the big smile in the eyes you get. Great feeling, man. Most awarding.

polonus

Title: Re: NEWDOTNET Nuisance
Post by: dscomp on June 16, 2006, 02:19:01 AM
thanks noz
Title: Re: NEWDOTNET Nuisance
Post by: noz on June 16, 2006, 09:49:19 AM
dude, it's my job  ;)

But no one answered me: did you ever see this problem under any other OS than XP SP2?

I think it happens only when the sharedaccess service (SP2 firewall/internet connection sharing) is present, so=>only on SP2.

more simply:
Did anyone actually encounter this issue under SP1?

I just would like to have this info to forward it to my boss  ;D
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 17, 2006, 01:35:19 PM
Noz,

Yep, the case that I cleansed was with SP2 installed. We had various newdotnet infections here in threads on this forum, you could ask the victims, who are now free of this foistware, if they had SP2 installed. These spyware nuisances all go according to the "known to give guarantee" recipe. So it is very well possible they work in a way you suppose. There was a whole period that malware was silently installed through one and the same exploit (unpatched ByteVerify java hole for instance).
Foistware and nuisances like these are applied by methods that are not particularly innovative, but they seek for effectiveness.

polonus
Title: Re: NEWDOTNET Nuisance
Post by: Akaara on June 19, 2006, 01:48:12 PM
I am pretty sure that this newdot.net virus is what destroyed my other computer. I am using a brand new, bug/virus free computer and would like to keep it that way.

I was able to copy some pics, documents etc from the computer that died, is it safe to put those on this new computer?

I have all my spyware/spamfighter/virus protection enabled and it scans clean.

So, should I wait a little longer before attempting to add the old files I made from the CD onto this computer? Or is it safe enough to scan them with avast and proceed to add them. I do have a favorites folder as well.

Just don't wanna go through that again.

By the way I am using Netscreen hardware firewall, not sure if this was the reason Avast could not fully delete that virus from my old comp.

Title: Re: NEWDOTNET Nuisance
Post by: Spiritsongs on June 19, 2006, 05:45:38 PM
 :)  Hi Akaara :

      Newdotnet is primarily "Adware/Spyware", not a "Virus".
      And I have never heard of it "destroying" a computer,
      since its purpose is to "deliver" ads & possibly "spy" on
      you to deliver that info to its "sponsor" .
      What are the name(s) of your antispyware program(s) ?
      And the mention of "Netscreen hardware" firewall
      implies you do NOT have a "software" firewall !?
      Anything from the "old" computer should be screened
      by more than just Avast; I suspect you probably have
      other "malware" that caused your other computer to
      be "destroyed".
      Hopefully, you have the good & FREE "Ewido" from :
      www.ewido.net/en on your new computer !?
Title: Re: NEWDOTNET Nuisance
Post by: Akaara on June 19, 2006, 07:17:57 PM
It did something so the computer couldn't find the ethernet card, now I don't know what would cause this or if Avast didn't know what it was. My husband reinstalled the OS and had to do something to get the ethernet card to work.

Do you think I can safely put the information I saved from that old computer onto this new one? Or should I wait a bit in case it's a new virus/worm.

thanks,
Title: Re: NEWDOTNET Nuisance
Post by: Lisandro on June 19, 2006, 07:53:24 PM
Quote
Do you think I can safely put the information I saved from that old computer onto this new one?

What do you call information here? Your documents? Program and applications folders?

Quote
Or should I wait a bit in case it's a new virus/worm.

If on the new one you use avast at 'high' security level and, maybe, if you scan all the moved files with ewido... I won't be worried...
Title: Re: NEWDOTNET Nuisance
Post by: DavidR on June 19, 2006, 08:22:59 PM
Quote from: Akaara
Do you think I can safely put the information I saved from that old computer onto this new one?

You can scan the CD you made for the data using avast and ewido as Tech mentions to see if there is anything there.

Placing that data in a temporary folder on your hard disk 'TempCD' or similar name shouldn't cause any problems as you aren't executing any potential malware. You could also scan that folder (as I'm not sure it would scan a CD) using an on-line scanner as a second or third opinion, etc.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt (http://www.security-ops.eu.tt), you would need to pause Standard Shield once you establish the connection just before starting the on-line scan to avoid conflict, enable it again immediately the scan is completed.
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 21, 2006, 11:17:46 PM
Hi Akaara,

If you reinstalled the OS in such a way that a larger part of your old files are there, this should be fine after a thorough scan or a look into possible registry or dll conflicts. You could save all your data and reinstall the old programs. Some programs need a reinstall to make them work again.
If you are sure that this was the only thing in which your OS was affected and after for instance a thorough online scan, you can trust your machine and the folders on it from that point.
The major point for me always is to know the background of trouble (instantly or gradually). Essential to know is what made the computer malfunction? Even spyware infections badly documented can create havoc on a machine.

polonus
Title: Re: NEWDOTNET Nuisance
Post by: essexboy on June 22, 2006, 10:37:43 PM
Hello peeps, I'm back. The only proper way to defeat new dot net is as follows:

First, Download LSPFix.exe (http://www.cexx.org/lspfix.htm) to a convenient location.  Do NOT run this program.  This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4 (http://www.newdotnet.com/removal.html).

Then delete all newdotnet folders in \program files and run HJT and delete all found references to newdotnet such as
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s


In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier.  You will see 2 panels.  If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet.  If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. 

Courtesy of my training at Geeks to Go
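
The check behind the "lost Internet access after removal" step, as an added example that is not part of essexboy's post or the thread: a Python script that reads saved output of `netsh winsock show catalog` and lists every Winsock provider whose DLL sits outside system32, which is where a New.Net layered entry would show up. The sample dump, the field labels it relies on, the install path and the entry IDs are constructed assumptions.

```python
import re

# Constructed sample, laid out like English `netsh winsock show catalog` output
# (fields trimmed); the New.Net path and entry IDs are made up for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        NewDotNet over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\NewDotNet\newdotnet7_22.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1
"""

# Stock providers live under system32; anything else deserves a look.
SYSTEM_DIR = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\", re.I)

def parse_catalog(text):
    """Split the dump into one dict of 'Field: value' pairs per entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            cur = {}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def third_party_providers(entries):
    """Return (entry id, chain length, path) for providers outside system32."""
    return [(e.get("Catalog Entry ID"), e.get("Protocol Chain Length"),
             e.get("Provider Path", ""))
            for e in entries
            if not SYSTEM_DIR.match(e.get("Provider Path", ""))]

if __name__ == "__main__":
    for entry_id, chain_len, path in third_party_providers(parse_catalog(SAMPLE)):
        print(f"review entry {entry_id} (chain length {chain_len}): {path}")
```

An entry listed here whose DLL has already been deleted is the broken link in the chain that LSPFix or `netsh winsock reset` repairs.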
Title: Re: NEWDOTNET Nuisance
Post by: XMAS on June 23, 2006, 11:13:19 PM
Hi to all :)
I have a question regarding this NewDotNet thing  :P
I've just noticed that I have it on my PC, but avast! does not detect it  ???
Did Alwil remove the detection till the problem with removing the registry keys is fixed, or is this a new variant?
I've sent the file to Alwil, just in case ;)
Title: Re: NEWDOTNET Nuisance
Post by: polonus on June 23, 2006, 11:44:16 PM
Hi .:X:M:A:S:.,

This is the best information link I could find on the NEWDOTNET foistware, and how this unwanted program should be qualified, as well as technical info. The link is to be found here: http://spyware-malware-removal.blogspot.com/2006/05/ndotnet.html

Just another reason for those without SP2 to install that for XP
(think of the instant restore of the winsock settings through start command prompt, and giving in "netsh winsock reset" (without the brackets, and of course only for XP SP2)).

polonus