NewDotNet - changing network configuration on clients...

Sep 16, 2003
Hello All,


We're currently dealing with the NewDotNet "virus" on our network. Although I haven't read about it anywhere online, most of the PCs infected have lost their ability to use IE and other network dependent applications. After running the removal tool from New.net, the settings are magically back to normal. I looked through the settings of an infected machine and can't find what it has changed. Any ideas?


Thanks,


Jay
 
Howdy:

What I could find ..

"The NewDotNet software is surreptitiously bundled with unrelated software in typical Foistware fashion. This software consists of a browser "plug-in" DLL (e.g. newdotnet?_??.dll, where ??? indicate a version number), which is placed in the user's Windows folder. The file is normally placed in C:\Windows\ (C:\WinNT\ for NT users) and run silently at start-up (via Rundll32) by a Run key placed in the Windows registry."

Makes the following changes to the Registry (note: took this from the doxdesk site and it gives the Registry changes that should be removed):

A botched manual removal can result in you losing your network connection. Be very careful.

First you must deregister the Winsock2 Layered Service Provider installed by NewDotNet. LSPFix gives you an interface to this. You should 'remove' the NewDotNet entries and 'keep' the rest.

Next, load regedit and open HKEY_CLASSES_ROOT\CLSID. Delete the keys 4A2AACF3-ADF6-11D5-98A9-00E018981B9E and DD521A1D-1F98-11D4-9676-00E018981B9E. For older variants the key will be DD770A75-CE18-11D5-98D8-00E018981B9E instead.

Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the new.net value. Open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and remove the 4A2AACF3-ADF6-11D5-98A9-00E018981B9E key. You can also delete the new.net entry in HKLM\Software and the tldctl2 classes in HKCR to clean up if you wish.

Murray
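
A read-only check for the artifacts listed in the post above, added here as an example and not part of the original thread. It assumes CLSID subkeys are stored in brace form (the post lists them without braces) and that the layered provider's Winsock catalog entry contains the DLL name `newdotnet`; it deletes and changes nothing.

```powershell
# Read-only audit for the NewDotNet artifacts named in the thread.
$clsids = @(
    '4A2AACF3-ADF6-11D5-98A9-00E018981B9E',
    'DD521A1D-1F98-11D4-9676-00E018981B9E',
    'DD770A75-CE18-11D5-98D8-00E018981B9E'   # older variants, per the post
)
$hklm   = 'Registry::HKEY_LOCAL_MACHINE'
$runKey = "$hklm\Software\Microsoft\Windows\CurrentVersion\Run"
$bhoKey = "$hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
$findings = @()

# COM class registrations under HKCR\CLSID
foreach ($id in $clsids) {
    # Assumption: subkeys are named in brace form, e.g. {4A2AACF3-...}
    $path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{' + $id + '}'
    if (Test-Path -LiteralPath $path) { $findings += "CLSID key: $path" }
}

# Browser Helper Object entry (the post names only the first CLSID here)
$bho = $bhoKey + '\{' + $clsids[0] + '}'
if (Test-Path -LiteralPath $bho) { $findings += "BHO key: $bho" }

# Start-up value 'new.net' under the Run key
$run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.GetValueNames() -contains 'new.net')) {
    $findings += "Run value new.net -> " + $run.GetValue('new.net')
}

# Vendor key under HKLM\Software
if (Test-Path -LiteralPath "$hklm\Software\new.net") {
    $findings += 'Key: HKLM\Software\new.net'
}

# Plug-in DLL in the Windows folder (newdotnet?_??.dll in the post)
foreach ($f in @(Get-ChildItem -Path $env:windir -Filter 'newdotnet*.dll' -ErrorAction SilentlyContinue)) {
    $findings += "DLL: $($f.FullName)"
}

# Winsock2 Layered Service Provider; assumption: the entry mentions the DLL name
foreach ($l in @(netsh winsock show catalog | Select-String -SimpleMatch 'newdotnet')) {
    $findings += "Winsock catalog: $($l.Line.Trim())"
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no NewDotNet artifacts found"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}
```

A hit in the Winsock catalog is the one to handle with LSPFix or the vendor's removal tool rather than by deleting files, since the post warns that a botched removal can cost the network connection.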
 
This is a pain to remove. It's not really a virus but spyware. I got it yesterday when I installed either "Lord of the Rings 3D" by Useless Creations or a 3D network freeware program. I suspect the former but I don't have time to verify it.

It took three reboots, an hour with Spybot, and a boot to safe mode to get rid of it. Spybot did the necessary changes to the Registry but the <censored> thing was resident in memory and the DLLs wouldn't be deleted.


James P. Cottingham
There's no place like 127.0.0.1.
 
Usually when Spybot can't kill something because it is loaded, it will tell you and ask to rerun at the next startup. In my experience, it was able to get rid of it easily with a startup scan.
Did this work for you?

 