Author Topic: NEWDOTNET Nuisance  (Read 21816 times)

0 Members and 1 Guest are viewing this topic.

[QEH]Nick

  • Guest
NEWDOTNET Nuisance
« on: June 12, 2006, 10:08:14 AM »
AVAST this morning is preventing internet access by blockin the file NEWDOTNET7_22.dll.

This is definatley a false positive yet it is reported as adaware.
« Last Edit: June 12, 2006, 01:52:56 PM by [QEH]Nick »

[QEH]Nick

  • Guest
Re: NEWDOTNET False positive
« Reply #1 on: June 12, 2006, 10:19:34 AM »
In the meantime I've added it to an exclusion list.

..::ReVaN::..

  • Guest
Re: NEWDOTNET False positive
« Reply #2 on: June 12, 2006, 10:30:14 AM »

[QEH]Nick

  • Guest
Re: NEWDOTNET False positive
« Reply #3 on: June 12, 2006, 10:43:21 AM »
Yes i realise it's spyware, but removal / blocking of it prevents users accessing some network based applications etc.

Any idea why?

Offline chocholo

  • Poster
  • *
  • Posts: 645
  • BSC, GSC, MCP
    • Avast
Re: NEWDOTNET False positive
« Reply #4 on: June 12, 2006, 11:14:05 AM »
Any idea why?
Because of its aggressive system integration, repair Winsock with http://www.cexx.org/lspfix.htm.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: NEWDOTNET False positive
« Reply #5 on: June 12, 2006, 11:35:10 AM »
Nick, how many machines does this apply to? (in your case)

AFAIK avast should be removing the associations (e.g. LSP) automatically.
It would be useful to know what exactly failed to be removed - this way we'll be able to improve the removal in the next update.



Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

[QEH]Nick

  • Guest
Re: NEWDOTNET False positive
« Reply #6 on: June 12, 2006, 12:29:40 PM »
The actual DLL mentioned earlier cannot be removed as it's in use.
A boottime scan gets rid of it.

Once I've done this, i can then run the fix mentioned earlier (many thanks for that tip).
This restores the PC to functionality.

Still trying to puzzle out how it got onthe users PC's though. They all deny installing anything (they would though).

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: NEWDOTNET False positive
« Reply #7 on: June 12, 2006, 01:38:28 PM »
Quote
The actual DLL mentioned earlier cannot be removed as it's in use.
A boottime scan gets rid of it.


Did you try simply deleting the file with the "delete during next reboot" option? (i.e. not running a boot-time scan, but rather simply setting the action to delete after reboot)?


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

[QEH]Nick

  • Guest
Re: NEWDOTNET False positive
« Reply #8 on: June 12, 2006, 01:52:31 PM »
Yes i did, unfortunatley this did not seem to work.

Boot time scan is just as fast expecially if I limit it to just the NEWDOTNET folder.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: NEWDOTNET Nuisance
« Reply #9 on: June 12, 2006, 03:16:32 PM »
Hello folks,

I do not like the subject title here. This could lead people to believe that NEWDOTNET or Webhancer are FP's and therefore harmless, this is malicious so-called foistware or trackware. Read here:
http://www.cexx.org/newnet.htm
And if you try to remove it in a wrong manner, you can run into serious trouble. It is the most prevailing infection lately that victims of this malware here ask to be helped with to conquer. Trojan downloaders and these kind of aggressive adware spreading "stuff"is the main menace to users of the Internet to-day.
All bho's or plug-ins that try to hijack your machine are imo malware ad hoc, and no FP's or harmless services. That is the same as calling SpyBouncer a good anti-malware solution for spyware. No it is roque, and does not belong on a clean machine.

What are the affiliates, what is the problem with so-called "grey-nets", and where big money and Zango come in, you can read from here: http://blog.spywareguide.com/2006/06/botnet_installer_launches_zang.html
If you read that carefully, you can come up with your own conclusions.


polonus
« Last Edit: June 12, 2006, 03:49:20 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: NEWDOTNET False positive
« Reply #10 on: June 13, 2006, 12:31:34 AM »
Yes i did, unfortunatley this did not seem to work.

So, even if you asked avast! to delete the file and checked the "Delete locked files on the next reboot" option - you still got the message that it cannot be done since the file is in use?

[QEH]Nick

  • Guest
Re: NEWDOTNET Nuisance
« Reply #11 on: June 13, 2006, 03:02:40 PM »
Yes, after it had rebooted, Avast detected the malware again.

This led me to do a boot scan to be sure.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: NEWDOTNET Nuisance
« Reply #12 on: June 13, 2006, 03:22:37 PM »
That's not really what I meant.
I thought that you chose "Delete file" from an ordinary Windows scan, checked the "If necessary, delete file(s) at the next system start" - but got an error message that it cannot be done since the file is in use, or something like that...

dscomp

  • Guest
Re: NEWDOTNET Nuisance
« Reply #13 on: June 15, 2006, 07:03:41 AM »
This is real nasty stuff. Even if you remove the program from your PC you can still end up with no internet access (as noted) & Ive had no less than 3 machines affected by it that Ive decided to format (havent tired the winsock fix as yet however I dont have a high success rate with these types of programs).

Anyone know how this crap gets on the PC to start with? Ive had customers infected by it after only 2 weeks of buying a new PC & they are hardly the types that would visit dodgy websites that might install this stuff automatically?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: NEWDOTNET Nuisance
« Reply #14 on: June 15, 2006, 08:17:47 AM »
Hi dscomp,

It comes with other stuff, they used to offer a 5- to 10-cent "bounty" for each copy of New.Net you installed; that's why it was bundled with a lot of other programs.The bounty program was discontinued, however.

If the above mentioned instruction in this thread, should not work, which we doubt, the easiest way to delete New.Net is to do the following:

1. remove it using "Add/remove" programs
2. if still not working, remove the WinSock and WinSock2 registry keys from CurrentControlSet
3. Go to network settings on win98 or on 2000/XP, just go into the properties of your network connection and if possible, remove tcp/ip. On XP this is impossible, so ignore this step
4. Add new service. If you're not on XP, just reinstall tcp/ip. On XP, select "have disk" and point it at C:\windows\inf. Then select tcp/ip and install it
5. clean up any newdotnet files lying around. Here you also could use
a hjt log, pre-analyzed.
Optional: 6. Join a class-action lawsuit against the company that makes this piece of crapware. No one in his right mind knows why lawmakers tolerate this sort of Internet-harassment.

Be aware that these steps can cause problems with programs like cyber-sitter or firewalling programs that modify the networking stack. Do this then at your own risk.

This is very prolific.
« Last Edit: June 15, 2006, 08:19:30 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!