NewDotNet removal


paularoid
06-13-2006, 01:12 PM
I've been struggling for the past two days with this thing on a client's system and I still haven't got it all cleaned up. I went searching for answers on the net and finally came up with this from CastleCops. This all came about as a result of the client turning off their firewall (that I installed to protect them from this very type of thing) in order to play the World Of Warcraft game. They turned off the firewall,... they got infected. <grumble> :mad: I put the firewall there for a reason. You take it down, you pay the consequences. Fortunately the Avast antivirus that I installed caught it. UNfortunately Avast didn't fix the damage already done and now I've got to put it all back together,.. the majority of which is what I've been struggling with. That's where the following information comes into play.
-----


http://castlecops.com/p781667-PLEASE_HELP_COMPUTER_BECOMING_LESS_USABLE.html

* I suggest you remove NewDotNet unless you deliberately installed it. It is extremely dubious and commercially sponsored:

First, please open Add/Remove programs and uninstall New.Net or NewDotNet from there if listed. If it is not listed, follow these instructions:

· From a computer that has Internet access, click on the following link:
http://www.new.net/support/uninstall6_90.exe.
· Download and save uninstall6_90.exe to the Desktop.
· Go to the Desktop and double-click on uninstall6_90.exe
· Click on the OK button.
· After removal, you may be prompted to reboot. Please reboot even if not prompted.

* You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

John L
06-14-2006, 05:55 PM
So, once it's in place, New Dot Net replaces the standard Windoze TCP/IP stack with its own, and forces all name resolution to go through the New Dot Net servers for name resolution, disregarding what name servers are set in the system...the motivation was so that the company behind it could come up with new TLD components to use in place of .com, .net and the others actually in the RFC for DNS resolution.

This would let the company come up with (and sell registration for) TLDs like ".xxx" and ".mp3" and the like, which don't fit in the way things actually work. Problem is, if it is removed incorrectly, the standard windows TCP/IP stack is not replaced, and with Windows XP, it is impossible to remove/replace TCP/IP as we used to do....

However, you can reset the stack, which will sometimes clear the issue.

Issue this command at the command line (I'd do it in safe mode as an admin and then reboot, but I'm also paid to be paranoid...)

netsh int ip reset resetlog.txt

(more on this here: http://support.microsoft.com/kb/299357/)

However, real world, I'd usually end up undoing whatever removed it incorrectly (I use Adaware and it has an undo) and then using the uninstaller from add/remove.

Then it was put on the rubber gloves and clean up the rest of the scum...because if a system has NEW DOT NET on it, odds are good that it will be loaded with spyware...

Only once out of maybe a hundred times was I not able to completely clean a system without blowing away the OS.
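
Added example, not part of John L's post: a PowerShell check to run before and after the reset above, listing Winsock catalog providers whose DLL sits outside %SystemRoot%\system32. It assumes the interception is registered as a Winsock provider (the post only says the stack is replaced) and that `netsh winsock show catalog` prints English "Description:" and "Provider Path:" labels; the function name and the sample catalog text are constructed for illustration.

```powershell
function Get-NonSystemWinsockProvider {
    param(
        # Catalog text, one line per element; defaults to the live catalog.
        [string[]]$CatalogText = (netsh winsock show catalog)
    )
    $sys32 = (Join-Path $env:SystemRoot 'system32').ToLower() + '\'
    $description = $null
    foreach ($line in $CatalogText) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            # Remember the name; the path for the same entry follows later.
            $description = $Matches[1]
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # Paths are stored with %SystemRoot% unexpanded; expand first.
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            if (-not $path.ToLower().StartsWith($sys32)) {
                [pscustomobject]@{ Description = $description; Path = $path }
            }
            $description = $null
        }
    }
}

# Constructed sample input (not captured from a real machine): one stock
# provider and one placeholder third-party provider.
$sample = @(
    'Winsock Catalog Provider Entry'
    'Entry Type:                         Base Service Provider'
    'Description:                        MSAFD Tcpip [TCP/IP]'
    'Provider Path:                      %SystemRoot%\system32\mswsock.dll'
    ''
    'Winsock Catalog Provider Entry'
    'Entry Type:                         Layered Chain Entry'
    'Description:                        EXAMPLE-LAYERED-PROVIDER'
    'Provider Path:                      C:\Program Files\ExampleVendor\example.dll'
)

# Offline run against the sample: returns only the ExampleVendor entry.
Get-NonSystemWinsockProvider -CatalogText $sample | Format-List

# Live run on the affected machine (elevated prompt):
# Get-NonSystemWinsockProvider | Format-List
```

An entry that is still listed after the reset and reboot points at a provider DLL that the cleanup did not unregister.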

Amy in Vermont
06-14-2006, 06:41 PM
To remove New Dot Net and a multitude of other nefarious things go here:

http://community.middlebury.edu/~pmitrevs . Here you will find what we call the Malware Pack, an executable put together by one of our students that includes a number of useful tools, including a New Dot Net removal tool. You will find it at the "Other Removal Tools" button.

We use this handy little package many times a day. You would not believe what students and bored administrative assistants can do to a computer in a very short amount of time. Rarely does this tool fail to fix the problem!

The student who put this together is from, of all places, Macedonia. He is about to enter his senior year, and we are threatening to force him to marry an American girl so we can keep him after he graduates!

A

paularoid
06-15-2006, 12:49 AM
Thanks for any and all input. There's still a little bit I need to clean up but I'll get it. When it comes to SPYware of this type I get REALLY PI$$ED and I go to war! At least the person has got internet access again almost back to normal. There's just one little thing (I hope) that I need to track down still and obliterate and then it'll all be done.

Amy in Vermont
06-15-2006, 10:22 AM
...before you start cleaning up any of this stuff on an XP machine, TURN OFF SYSTEM RESTORE!

paularoid
06-15-2006, 12:37 PM
"...before you start cleaning up any of this stuff on an XP machine, TURN OFF SYSTEM RESTORE!"

Oh believe me I'm very familiar with that. I love the system restore feature because I've saved my behind from myself many a time with that, but I'm also very aware of the hazards one faces because of it. Actually -if- the client had been using it the way I suggested, this would never have been a problem. I've told this person (and many others) to always set a restore point immediately prior to installing any software. Then after the system has been running successfully for a period of time (say a week or so) set another restore point, or obliterate all previous restore points first and then set one. I know about restore points.....