Slashdot Mirror


Does Spyware Damage Windows Networking?

DerBryGuy asks: "I work for an ISP in Canada. Recently we have had a rash of customers whose computers can connect via DSL, but cannot browse, or often even ping. Invariably it turns out that there is some spyware of some sort installed on the customer's machine - usually New dot Net or the other drek that comes with Kazaa. About half the time if this is removed correctly (manually or by using ad-aware) then the machine will regain http access. However the other half of the time the only option we have found is to format and reinstall the OS. So I am wondering, are other ISPs seeing this? What do they do when they get a similar complaint and they detect spyware on the machine? Is there any recourse for the customer? I mean most of these people had no idea what New dot Net was when their kid installed Kazaa, and now they are stuck with a computer store bill for reinstalling their machine."

52 comments

  1. New versions of antivirus software by Halvard · · Score: 3, Informative


    We've seen this but not with spyware. Customer calls saying they no longer can access the internet. Invariably, they have updated their antivirus software and it now includes a personal firewall. Said firewall doesn't allow ports 80, 25, or 110. We've seen this with McAfee and with a less well-known brand the name of which escapes my memory at the moment.


    We have seen spyware cripple the performance of a machine though.

    1. Re:New versions of antivirus software by Adam+Jenkins · · Score: 2

      It wasn't Norton's? I just fixed a friend's computer with dead Windows networking, partially I think it was a dead ZoneAlarm but also Norton AV seemed to have created a c:\windows\hosts file with something like
      127.0.0.1 pop.nortonav.com

    2. Re:New versions of antivirus software by cdrudge · · Score: 2

      That is for the e-mail monitoring. If I recall correctly, the mail is downloaded into Norton's "mail server", scanned, then downloaded into Outlook, Eudora, whatever. That line should not affect performance and is used by Norton's to run correctly.

    3. Re:New versions of antivirus software by Anonymous Coward · · Score: 0

      That line should not do any harm.

    4. Re:New versions of antivirus software by Adam+Jenkins · · Score: 2

      Entries in that file take precedence over your other settings (eg before looking at DNS servers). The line for pop3.nortonav.com to 127.0.0.1 redirects anything for pop3.nortonav.com to your local machine. What's the point of that? Doesn't doing this mean that normal applications trying to access localhost won't be able to? Okay probably not. At any rate it is a lazy and inefficient way to send packets from an application to the same machine's mail service that fucks with bits of Windows it shouldn't touch. IMHO.

    5. Re:New versions of antivirus software by hansroy · · Score: 1

      It's an accepted practice and it doesn't mean apps can't access localhost. It only means that pop3.nortonav.com is automatically resolved to 127.0.0.1 without doing a DNS lookup. Adding hosts like ads.aol.com and other ad sites to your hosts file in this manner is a nice way to prevent banners from being loaded.
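
The lookup order argued over in the sub-thread above, as an added example that is not part of any poster's comment: a hosts-file parser, a resolver that consults the hosts table before DNS, and an audit that lists every name pinned by the file. The sample file, the `SAMPLE_DNS` stand-in table and the `example.*` names are constructed, and keeping the first mapping for a name is an assumption of this sketch.

```python
import ipaddress

# Constructed sample hosts file using the entries mentioned in the thread.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   pop3.nortonav.com      # entry the thread attributes to mail scanning
127.0.0.1   ads.aol.com            # ad-blocking entry suggested in the thread
10.9.8.7    www.example.com login.example.com
bogus-line-without-address
"""

# Constructed stand-in for what a DNS server would answer.
SAMPLE_DNS = {"pop3.nortonav.com": "192.0.2.10", "mail.example.net": "192.0.2.20"}


def parse_hosts(text):
    """Return {hostname: ip_address}; malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)  # first mapping is kept
    return table


def resolve(name, hosts, dns):
    """Hosts table first; DNS is consulted only when the name is absent."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return str(hosts[key]), "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "unresolved"


def audit(hosts, expected_loopback=("localhost",)):
    """List every name the hosts file pins, so unexpected ones stand out."""
    findings = []
    for name, addr in sorted(hosts.items()):
        if name in expected_loopback:
            continue
        kind = "loopback-override" if addr.is_loopback else "static-override"
        findings.append((name, str(addr), kind))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("localhost", "pop3.nortonav.com", "mail.example.net"):
        print(name, resolve(name, hosts, SAMPLE_DNS))
    for finding in audit(hosts):
        print("review:", finding)
```

The `localhost` lookup is unaffected by the extra loopback entries, while `pop3.nortonav.com` never reaches the DNS table at all.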

  2. Apparently you're not the only one by Anonymous Coward · · Score: 1, Informative
    I quote from http://cookiewhore.net/archives/00000009.html
    Gah.. for 2 days my connection wasn't working, I kept getting the "Line was busy" error which is really ANNOYING I'm telling you. Then just now, my comp really freaked me out because I can't even restart it! New.net kept giving an error, something about dll error and it took me an hour to figure out what happened and what I should do. After I've done system restore, scandisk bla bla bla, I FINALLY thought of deleting new.net folder (if some of you didn't know, new.net is the spyware that came with kazaa) but if I delete that, I risk of corrupting Kazaa (this has happened before). So I thought I better risk of corrupting kazaa than having my comp not working at all so I deleted it and it works fine now! my comp AND kazaa.. ok time to work on my website..ciao
    I suppose I'm relieved; new dot net can't be too effective as spyware if it prevents any connection at all from happening.
    1. Re:Apparently you're not the only one by Cpyder · · Score: 3, Informative

      If you really want KaZaA, but without the spyware, you should check out KaZaA lite (kazaalite.com). Be sure not to allow KaZaA to update itself (like now with the 1.7 version), as it will install the Sharman Networks version with said spyware. A nice p2p-program without spyware is WinMX, too bad there are no Linux clients for it. (for their own network, that is.. Opennap clients enough.)

    2. Re:Apparently you're not the only one by GrandCow · · Score: 2

      A nice p2p-program without spyware is WinMX [winmx.com], too bad there are no Linux clients for it.

      Maybe it doesn't have any spyware (even though I could have sworn it did), but WinMX did a pretty good job of pissing me off up until the latest version. I installed it and decided it wasn't for me, and when I went to hit the uninstall button there was a big X over the icon. When I clicked on it a message would pop up about uninstalling the program, then it would just exit. I had to wait until the newest version that just came out a few weeks ago was released, install that, and then proceed to uninstall the program. Definitely soured me on the whole WinMX experience.
      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
    3. Re:Apparently you're not the only one by tomoe27 · · Score: 1

      I've seen a few PCs affected by New.net, although it was really hard to trace, as the PC could access network neighborhood but couldn't access anything else. When we finally noticed it and removed it, the PC worked like normal again...

    4. Re:Apparently you're not the only one by data_mancer · · Score: 1

      Two words: Kazaa Lite.

      http://www.kazaalite.com

      Kazaa Lite has no spyware. Some guy got really happy with a hex editor on it.

      --
      ------------------------------
      Kompressor use logic.
  3. Install Kazaa Lite not Kazaa by Anonymous Coward · · Score: 1, Insightful

    Really, I wish the people behind Kazaa Lite would have used some name that didn't have the word kazaa in it, what the heck am I supposed to tell people to install? Kazaa LITE, not Kazaa, very important.

  4. This problem by brsmith4 · · Score: 2, Troll

    I have experienced the same problem where I work at my school. Many of our users can dial-up, but they cannot access web sites or ping anything. I have not been able to fix this except with Windows ME or XP, both of which have the System Restore function. I thought that it could be spyware and I warned others in my staff about it. They told me basically that I was full of crap and that there was no way spyware could damage someone's network settings. I always thought that spyware on a windoze box had the power to do whatever it felt like. Maybe now that they see this on /., they might take me seriously or no, I am probably still full of crap.

    1. Re:This problem by unhooked · · Score: 0, Flamebait

      No you're full of crap. There's no way a spyware program could place itself between the network stack and the resolver to redirect dns queries to new.net
      Oh wait, never mind I read it on slashdot

    2. Re:This problem by brsmith4 · · Score: 0, Flamebait

      What qualifies an article as a troll? I would really love to fucking know. I guess telling my story about the problems I have had is FUCKING TROLLING and deserves to be modded down. And you ass holes talk of free speech... how dare you?

    3. Re:This problem by leuk_he · · Score: 1

      What qualifies an article as a troll?

      Don't take it personal. A lot of moderators are on crack!

      But the post has all signs of a troll:

      am probably still full of crap.
      Words like fuck, gay or crap trigger the troll filter of some people. They stop reading and moderate it as troll/offtopic. (Hey this post is offtopic, but I have karma to burn)

      I have experienced the same problem
      You start with something that should make you an expert WITHOUT telling any specifics.

      Your post could have been summed up by "me too".

    4. Re:This problem by cduffy · · Score: 1

      When we speak of "free speech" that means we don't want government-enabled censorship. It doesn't mean I'm going to let you graffiti on my house, or that CmdrTaco should be obligated to do so either. Moderation or even outright elimination of posts by the administrators is thus by no means in conflict with the ideals of free speech.

    5. Re:This problem by karlm · · Score: 2
      I always thought that spyware on a windoze box had the power to do whatever it felt like.

      Unless you've set up separate users' accounts, the default user has Administrator privileges. Any installer s/he runs can do anything it wishes to the system given a little ingenuity.

      Single user systems are evil. I'm the only one that ever uses the machine I'm currently running, yet it has 3 accounts... root, serious work, and a leisure account. This way, I protect myself from myself.

      Macromedia Fireworks (I can't remember which version) can't run in an unprivileged account. I set up my GF's machine properly and then started pounding my head on the table because Macromedia was forcing her to do everything I just told her not to do. It makes me wonder what their QA people do all day. Apparently they never tested it on a multi-user system. Oh well.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  5. fragile windows DNS by larry+bagina · · Score: 2, Informative

    Windows' DNS is somewhat finicky. If you have a virus, or spyware that tries to make DNS lookups while you're connecting to your ISP, it can prevent DNS from working once you do connect.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:fragile windows DNS by leuk_he · · Score: 2

      Any way to back this up? I too have sometimes problems with my dialup DNS. But how do I prove this is the problem and not my provider has a loose running modem?

      Where did you get this info from?

  6. Apparently you're not the only one by orthogonal · · Score: 1, Informative
    From Duke university:

    Kazaa weighs in as a heavy weight of spyware/adware installing applications. It installs two pieces of spyware without consent.

    New.net Domains

    Filters all web address requests through the DNS servers of New.net.

    This program can cause your internet connectivity to stop altogether.

    The New.Net plugin is known to cause compatibility problems with some other products. Leaves a new.net .dll file on your computer which may interfere with your Internet connection after removing the program

  7. Send out an email by gmhowell · · Score: 3, Insightful

    I'm sure that using that crap is against the TOS. Send out a bulk email to all customers saying that there is a grace period of 30 days where you will help them through uninstalling Kazaa and all that rubbish. After that, it will be either a $100 per incident fee to do it, or you will be on your own.

    Yeah, probably wouldn't work unless you were AOL or someone like that. Being a small ISP must really suck at times.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
    1. Re:Send out an email by orthogonal · · Score: 0

      There's a reason it wouldn't work: it's bad advice to alienate your customers, or to tell them, without any real explanation, "We don't allow that here".

      Hell, if I'd followed my ISP's advice, I'd never have gotten my DSL working. My ISP's co-branded IP-over-Ethernet would do little more than trash my system. To add insult to injury, it was set up so that I had to manually start it (to prevent me from staying on too long or too often); when I did so, it kept open a window with the ISP's logo and "welcomed" me with James Earl Jones's bass voice (any guesses who my ISP is?).

      Fortunately, I found a piece of freeware off the internet that did everything their co-branded piece of crap didn't, and did so unobtrusively and with a smaller memory footprint. Nor did it require six hours on the phone with customer service, installing and "nuking" it and installing it again, to make it work. (Note: if software comes with an elaborate uninstall called "nuke" that wants to play hob with your system settings ad nauseam, you need to start worrying right there. It's a good indication you're not the first person who had needed to remove it, and had trouble even getting it to die cleanly.)

      But to get back to your point, presumably somebody could have claimed I violated the TOS by using unauthorized software. Admittedly, I knew full well that going my own way meant doing my own troubleshooting (which is why I did enough research to convince me that the freeware worked well), and I did not and would not have bothered customer service about it. But had I been told I couldn't use it, I'd have gone with another ISP. Immediately.

    2. Re:Send out an email by RyuuzakiTetsuya · · Score: 1

      That's a bit pretentious, what if your kid never pays attention to that, installs KaZaa anyway, and now you're fucked with no way out? That's just bad customer service man. If support personnel can't deal with an issue like this, Fuck'em, fuck'em up the ass with a rubber dick. then break it off and beat them to death with it.

      --
      Non impediti ratione cogitationus.
    3. Re:Send out an email by gmhowell · · Score: 1

      You're right. It's very pretentious. And it's one of the many reasons I'm not in customer service:)

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  8. Uh-oh... by Jester998 · · Score: 2

    "they are stuck with a computer store bill for reinstalling their machine"

    So now spyware makers/bundlers are going to justify their actions by saying that they create third-party jobs and help strengthen the economy... great.

    1. Re:Uh-oh... by Skreech · · Score: 1

      I'm afraid this is the broken-window fallacy. It will not strengthen the economy. We are safe, for now.

  9. In a word, YES!! by Unknown+Poltroon · · Score: 1

    I have had machines unable to connect to our LAN because bonzi buddy had hijacked his networking some way or another. Same with a few other odd connectivity problems that cleared up once ad aware was run on the machine.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  10. AOL "WAN Device" breaks networking, too by netringer · · Score: 2, Interesting

    I've talked several buddies through disabling the AOL installed "Compuserve WAN Device" whatever that is. It prevents a lot of SMB network services like file and printer sharing, from working in Windows NT/2000/XP. It seems to re-enable itself occasionally.

    Is AOL installing this thing as spyware?

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
    1. Re:AOL "WAN Device" breaks networking, too by Captoo · · Score: 1

      This reminds me of another problem with Windows 9x. There is a limit to the number of TCP/IP bindings you can add before TCP/IP quits working. (I think the limit is around four.)

      Anyway, sometimes I've seen computers that already had a NIC, a dial-up adapter, a VPN client, and a DSL modem. Then the owner installs AOL. The extra virtual device breaks one or more of his other bindings. The worst part is that Windows claims that everything is working great, but things aren't working!

  11. Yes it does! by sydney · · Score: 1

    I've been on several different levels of ISP tech support and fully agree that spyware causes A LOT of problems. New dot Net, especially, seems to affect not only DSL but dialup as well. It replaces the winsock files with its own versions, which causes the inability to browse. Many times, though, extracting native winsock dlls off the installation disk will restore browsing. Something to consider before reinstalling the entire OS.

  12. I don't even play an ISP on TV, but... by fm6 · · Score: 2
    OK, I don't know for a fact that spyware does this, but I don't find the idea hard to fathom. In fact, I'd be surprised if this hadn't happened.

    I first developed an awareness of this problem when I started experiencing strange random slowdowns and hangs, and started killing background processes until the problem went away. This narrowed the problem to a spyware component that seems to have been trying to extract really detailed usage information from Windows Explorer. Ever since then, I've been running Ad-Aware every time my system seemed to lag -- usually with positive results. The alternative is to give up downloading any Windows software ever. Which I suppose I could do, but only as a last resort.

    And if spyware vendors are going to snoop on what programs you have installed (I thought my problems with the installer applet was simple feature bloat!), they're sure as hell gonna snoop on what web sites you access. And if they destroy the very thing they're trying to profit from -- well, that just makes them a kind of spammer, doesn't it?

    I would recommend running Ad-Aware before you re-install the OS. It's quite good at finding those spyware components. And you can't beat the price!

  13. So THAT's What Happened.... by joeljkp · · Score: 1

    I've been having a weird problem on my WinXP machine where when it gets disconnected, then automatically reconnects, none of its http access works. Connecting manually works 100%, though. I've already taken off all my spyware a while ago, though. Lasting effects?

    By the way, check out Gnucleus, the open-source (and spyware-free) gnutella client.

    --
    WeRelate.org - wiki-based genealogy
  14. Install Ad-aware by Electrum · · Score: 2

    Have the customer install Lavasoft's wonderful Ad-aware. This freely available program should remove any spyware that is installed.

  15. Linux WinMX client. by hackwrench · · Score: 1

    http://linmx.sourceforge.net/
    The project doesn't appear to have released anything yet, but at least someone is working on a Linux WinMX project.

  16. New.Net / Webhancer by |<amikaze · · Score: 2, Informative

    These screw with the HKEY_LOCAL_MACHINE/Services/Winsock2 keys and make things break. It's not easy to remove them until you get used to it. We had to request several times from New.Net to get removal instructions.

  17. Simple enough fix by Anonymous Coward · · Score: 0

    I work for another Canadian ISP and we've discovered this in our search for answers.

    If the uninstall of New.net does not work:
    Do the following to remove the New.net application from your computer:
    First, you will need to locate the New.net ".dll" file that is on the computer. Do this by doing a search for "newdot*.*".

    The file will be located in your "Winnt" or "Windows" folder (depending on what version of Windows you are running). Once found, make note of the actual filename which should look something like this:

    Example:

    newdotnet2_90.dll
    Close the Find or Search window then...

    Click Start
    Click Run
    Type in the following line:

    For Windows NT users:

    rundll32 c:\winnt\newdotnet2_90.dll,NewDotNetUninstall

    For Windows 95/98 users:

    rundll32 c:\windows\newdotnet2_90.dll,NewDotNetUninstall
    Click OK
    You should then see a small window asking if you want to uninstall the New.net application.
    Click Yes. Once this is done, restart your computer. This should keep the .dll from loading up at startup of your computer.

    After this you'll need to repair the corrupt winsock2 key in the Windows 9x registry. Follow the link and all should be good.

    There is also a way of recreating the winsock2 key in Windows 2000:

    1. Export (as backup) the winsock and winsock2 keys under: HKEY_LOCAL_MACHINE|SYSTEM|CurrentControlSet|Services

    2. Delete the keys mentioned above.

    3. Create a Dial-Up connection (a dummy one). This will create a new winsock2 key.

    4. UNINSTALL TCP-IP protocol from any connection (dial-up or "Local Area Connection").

    5. Boot the machine as required after uninstalling TCP/IP.

    6. Once machine has rebooted, re-install TCP-IP protocol (this will create a fresh winsock key).

    7. Don't need to reboot; this will fix the problem.

    Not sure for the other OS's...can anyone else help?

  18. Re:Simple enough fix...oops by Anonymous Coward · · Score: 0

    Missing the link for Win 9x winsock2 registry fix

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246727

  19. webhancer by pyite · · Score: 2, Insightful

    Some things install webhancer. They're evil. They modify the TCP/IP stack so that it won't work when Ad-Aware removes their files. Programmers that do stuff like this should be destroyed.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  20. a Linux client for the WinMX network: Lopster by merriam · · Score: 1
    too bad there are no Linux clients for it.

    The latest CVS version of Lopster does WPNP as well as OpenNap. Here are instructions on building it and getting connected to the WinMX network.

  21. Kazaa-lite by Anonymous Coward · · Score: 0

    Hey folks,
    I have read about Kazaalite which is the same as Kazaa, but with a sterilized version of the spyware that would be normally installed in Kazaa. Apparently, the SpyWare "ghost" needs to remain in order for the application to work, but is non-intrusive... kind of like hacking to get around the software key requests of your favorite applications.. :-)
    Has anyone else tried this application? Is Kazaalite as good as Kazaa? Is it truly spyware free?
    G

    1. Re:Kazaa-lite by ogre2112 · · Score: 1

      Yes, I have used Kazaa Lite, and it works wonderfully. It is 100% identical as far as I can tell, except for the fake cydoor DLL, and a different logo.

  22. NewDot POS by Anonymous Coward · · Score: 0
    Due to liability issues, the ISP I work for will not futz with the registry, and recommending OS re-install is verboten. We refer afflicted customers to http://www.cexx.org/newnet.htm for information, and to the step-by-step instructions for removing the foistware recommended by new.net themselves.

    The catch-22 is recognised and we explain to customers that the problem is in the PC and they need to access the info via a working machine. And while "We do not support or officially recommend" ad-aware we let them know it may fix them up and keep them clean.

    Everyone is sue-happy, we gotta cover our butts. In an ideal world, "Layered Service Providers" and "Internet Explorer Helpers" would be easily disabled.
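
The failure described in the New.Net / Webhancer, "Simple enough fix" and webhancer comments above (a Winsock2 catalog that still points at a layered provider whose DLL a cleaner has deleted) can be checked for mechanically. This is an added example, not code from any poster or vendor: the catalog text is constructed and reduced to four fields, its field names are assumed to follow the layout of `netsh winsock show catalog` on later Windows versions, and `ExampleLSP` / `examplelsp.dll` are hypothetical.

```python
import ntpath
import re

# Constructed, simplified catalog listing (hypothetical LSP layered over TCP/IP).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Description:                        ExampleLSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\examplelsp.dll
Catalog Entry ID:                   1016
Protocol Chain: 1015 : 1001

Winsock Catalog Provider Entry
Description:                        ExampleLSP
Provider Path:                      C:\WINDOWS\examplelsp.dll
Catalog Entry ID:                   1015

Winsock Catalog Provider Entry
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""


def parse_catalog(text):
    """Return {entry_id: {"description", "dll", "chain"}} from the listing."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "Catalog Entry ID" not in fields:
            continue
        chain = [int(n) for n in re.findall(r"\d+", fields.get("Protocol Chain", ""))]
        entries[int(fields["Catalog Entry ID"])] = {
            "description": fields.get("Description", ""),
            "dll": ntpath.basename(fields.get("Provider Path", "")).lower(),
            "chain": chain,
        }
    return entries


def check_catalog(entries, files_on_disk, baseline=("mswsock.dll",)):
    """Flag non-baseline providers, entries whose DLL is gone, and chains
    that pass through a missing or unregistered entry."""
    missing = {i for i, e in entries.items() if e["dll"] not in files_on_disk}
    report = {"third_party": [], "orphaned": sorted(missing), "broken_chains": []}
    for entry_id, entry in sorted(entries.items()):
        if entry["dll"] not in baseline:
            report["third_party"].append(entry_id)
        bad = [n for n in entry["chain"] if n not in entries or n in missing]
        if bad:
            report["broken_chains"].append((entry_id, bad))
    return report


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_CATALOG)
    # Before cleanup: the LSP DLL exists, so the chain is intact but third-party.
    print(check_catalog(catalog, {"mswsock.dll", "examplelsp.dll"}))
    # After a cleaner deletes only the file: the catalog now references nothing.
    print(check_catalog(catalog, {"mswsock.dll"}))
```

A non-empty `orphaned` or `broken_chains` list is the state in which deleting files alone is not enough and the catalog itself has to be repaired, which is what the key-recreation steps in the thread do.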

  23. Does Kazaa still function without spyware? by Anonymous Coward · · Score: 0

    Is it possible to remove the spyware component of Kazaa without losing the functionality?