
Author Topic: Newdotnet infection - how?  (Read 6392 times)


Calum

Newdotnet infection - how?
« on: February 14, 2007, 09:38:54 AM »
I've been infected with NDN before, but I cleared it up and anyway my PC has been reformatted since then.
I scanned with Spybot this morning as part of my weekly maintenance, and it's popped up!
Just one instance, a setting in the registry.
I've been to no dodgy sites or anything, only ones I trust.
How did I get infected with it?
XP Pro SP2, latest updates, Avira Antivir Antivirus PE Classic, Adaware SE personal, Spybot S&D.
Thanks in advance for any light shed on this.
Calum.

TheAdvocate

Re: Newdotnet infection - how?
« Reply #1 on: February 14, 2007, 10:21:14 AM »
After some googling I have found this - http://www.spywareinfo.com/newsletter/archives/feb-2003/22.php#new.net



I suggest you read the entire thing so you understand what is going on, and the page also has removal instructions...

patio

Re: Newdotnet infection - how?
« Reply #2 on: February 14, 2007, 10:44:22 AM »
Foistware: New Net, Inc. (NewDotNet) DLL
NewDotNet is a company that sells domain names for "nonstandard" top-level domains such as .free, .porn and .shop. While several such nonstandard TLDs are currently implemented by a number of organizations and under consideration by ICANN, this particular implementation smacks of an attempt to overthrow more legitimate pioneers of alternate domain-names (e.g. OpenNIC, AlterNIC) for a quick buck. The multiple systems offering the alternate TLDs will ultimately result in widespread namespace overlap, meaning that multiple sites can be using the exact same address, and what site comes up when you enter, say, www.example.free, will depend on whose DNS server gets queried first! (As if the lawyers aren't having a field day with domain-name registrations already...)
Infection method:
The NewDotNet software is surreptitiously bundled with unrelated software and ISP setup utilities in typical Foistware fashion. This software consists of a browser "plug-in" DLL (e.g. newdotnet2_78.dll), which is placed in the user's Windows folder. The file is normally placed in C:\Windows\ and run silently at start-up (via Rundll32) by a Run key placed in the Windows registry. According to the NewDotNet Web site, a New Net affiliate gets 5 cents for each system the plugin is successfully installed on.

I suspect Tiscali...or any add-on toolbars recently installed...

Removal Instructions...


patio.  8-)
" Anyone who goes to a psychiatrist should have his head examined. "

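The start-up mechanism described in the write-up quoted above (a Run value launching the plug-in DLL through Rundll32), as an added triage example that is not part of the original thread: it separates a Run value whose DLL is still in the Windows folder from a leftover value pointing at a file that is gone. The value names, export name and file listing are constructed sample data; only the DLL name comes from the page.

```python
import re

# Constructed sample data (not from a real host): value name -> command line,
# as read from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "ExampleAV": r'"C:\Program Files\ExampleAV\avguard.exe" /min',
    "ExamplePlugin": r"rundll32 C:\WINDOWS\newdotnet2_78.dll,ExampleEntryPoint",
    "ExampleQuoted": r'"C:\WINDOWS\system32\rundll32.exe" '
                     r'"C:\WINDOWS\NewDotNet2_78.DLL",ExampleEntryPoint',
    "ExampleShell": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
}

# [path\]rundll32[.exe] <dll>,<export> with optional quotes around either path.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# DLL naming taken from the page's example, newdotnet2_78.dll.
NDN_DLL_RE = re.compile(r"^newdotnet[\w.]*\.dll$", re.IGNORECASE)


def basename_win(path):
    """Last component of a Windows path, independent of the host OS."""
    return re.split(r"[\\/]", path.strip())[-1]


def triage(run_values, windows_folder_files):
    """Return (value name, dll path, status) for Run values that load a
    newdotnet*.dll through rundll32. Status is 'active' when a file of that
    name is in the supplied Windows-folder listing, otherwise
    'orphaned Run value' (the entry survives but the DLL is gone)."""
    on_disk = {name.lower() for name in windows_folder_files}
    findings = []
    for name, command in sorted(run_values.items()):
        match = RUNDLL_RE.match(command)
        if not match:
            continue  # not a rundll32 launch
        dll = match.group("dll").strip()
        if not NDN_DLL_RE.match(basename_win(dll)):
            continue  # rundll32 loading some other DLL
        present = basename_win(dll).lower() in on_disk
        findings.append((name, dll, "active" if present else "orphaned Run value"))
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_RUN_VALUES, ["explorer.exe", "newdotnet2_78.dll"]):
        print(row)
```
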
Calum

Re: Newdotnet infection - how?
« Reply #3 on: February 14, 2007, 12:20:39 PM »
Thanks for the replies.
I've seen both of those links before, when I was cleaning this PC and the family one of a case of NDN.
This was before I'd even heard of it.
I read up on it and so on, and I thought I'd removed it.
It's never come up in any other scans, just this one today.
Very strange.
None of the HJT entries are there, it's not on the computer, it seems.
It's not in the Windows folder either.
Just one registry entry, which was labelled as settings.
It'll be interesting to see if it also comes up on the other PC.
Quote
I suspect Tiscali...or any add-on toolbars recently installed...
Why do you suspect Tiscali?
This could be bad, my internet is with Tiscali . . .
And the only toolbar I've installed recently is definitely safe.
It's been vouched for by many people, people who I trust.
So I think I can rule that out as the cause.

patio

Re: Newdotnet infection - how?
« Reply #4 on: February 14, 2007, 01:18:41 PM »
$$$...

Follow the money.
" Anyone who goes to a psychiatrist should have his head examined. "

Calum

Re: Newdotnet infection - how?
« Reply #5 on: February 14, 2007, 01:22:53 PM »
I see.
Well, I'm stuck with Tiscali for a while now, and their service has been faultless, unless this NDN is indeed their fault, in which case they'll get an earful (and an inbox-full) from me.
Nothing of Tiscali has touched this PC though - not their setup CD or anything - and I've never even visited their site.
So is it possible that they've installed it some other way?

patio

Re: Newdotnet infection - how?
« Reply #6 on: February 14, 2007, 02:08:14 PM »
Yes.
" Anyone who goes to a psychiatrist should have his head examined. "

Calum

Re: Newdotnet infection - how?
« Reply #7 on: February 14, 2007, 02:09:11 PM »
Can I ask how?
Or is it a super secret?

Dilbert

    Re: Newdotnet infection - how?
    « Reply #8 on: February 15, 2007, 07:54:20 AM »
    Well, your Internet traffic goes through them... it shouldn't be hard to put their stuff on your computer, trojan style.
    "The geek shall inherit the Earth."

    Calum

    Re: Newdotnet infection - how?
    « Reply #9 on: February 15, 2007, 07:56:51 AM »
    :o
    How very dare they!
    I'm going to have a word with them now.
    And I'm praying their site doesn't dump more infections on me . . .

    Calum

    Re: Newdotnet infection - how?
    « Reply #10 on: February 15, 2007, 08:09:16 AM »
     :o :o
    Quote
    Among this month's gainer is New.net, which added 18k web-visible domains for a 60 percent gain from May. New.net offers domain names outside the ICANN top-level domain (TLD) system, including extensions such as .shop, .xxx, .ltd and .mp3. New.net domains aren't recognized by the centralized domain name system, but are supported by a number of large ISPs including Tiscali, Earthlink, Juno and NetZero. Those using other ISPs must download a browser plugin to visit those sites.
    So Tiscali does support them!
    But see this, from their help pages:
    Quote
    Some applications that include Spyware, are: Xupiter, Gator, SaveNow, NewDotNet, BDE Projector, HotBar, Bonzai Buddy, Comet Cursor, Morpheus, WebHancer, WinMX, and Kazaa.
    And looking on Google, there are a lot of people with Tiscali that have problems with NDN.
    No one seems to have made the connection though.

    Dilbert

      Re: Newdotnet infection - how?
      « Reply #11 on: February 15, 2007, 08:11:33 AM »
      Jeez, NDN is annoying. (Hmm. Apparently, "Jeez" isn't spelled right with an "e" on the end... didn't know that.) Just reading about it is sending shivers.
      "The geek shall inherit the Earth."

      Calum

      Re: Newdotnet infection - how?
      « Reply #12 on: February 15, 2007, 08:14:29 AM »
      I've always spelt it without an e on the end.
      Anyway, NDN seems to be pretty prevalent across the internet.
      Tiscali aren't helping, there are about 15 different ways to contact them and they keep trying to head me off at the pass with links to free help and their shop.
      I don't want to buy a router, I want to complain about the spyware they support and install!
      And every second I spend on their site could be bringing more spyware down on me too . . .
      Ah, Broadband help will do.
      Pick an email address, any email address . . .
      Edit: Now I have to give them my phone number and my name amongst other things?
      Dear lord, it's like Windows installation . . . name, age, shoe size, credit card number . . .
      Edit again: They seem determined to head me off.  More links to answers, forms to fill in . . . not even vaguely related to my email . . . still, it's done now.
      Let's see what they make of that, the cheeky . . . people.
      « Last Edit: February 15, 2007, 08:22:59 AM by Calum »

      patio

      Re: Newdotnet infection - how?
      « Reply #13 on: February 15, 2007, 05:22:24 PM »
      Actually shop around and then send them a few e-mails in a row saying you are seriously considering dropping your service due to their marketing practises and plan on letting everyone you know about the same...

      On the legal side of things we are still not SURE it is from them.
      « Last Edit: February 15, 2007, 05:23:44 PM by patio »
      " Anyone who goes to a psychiatrist should have his head examined. "

      Calum

      Re: Newdotnet infection - how?
      « Reply #14 on: February 16, 2007, 05:50:11 AM »
      I already emailed them last night asking about it.
      They replied pretty soon, and said that they were in no way affiliated with NDN and advised locking my HOSTS file as read-only, which I had already done, and to keep my firewall enabled.
      Their spelling was pretty bad too, I think it may have been wangming . . .
      I replied asking them the same thing in a different way, waiting to hear back from them now.
      I can't even threaten to drop my service, I'm tied into a 12 month contract which ends in a few months.
      « Last Edit: February 18, 2007, 06:08:49 AM by Calum »