NetInstaller.exe (UWAS6_0001_N68M2301NetInstaller.exe)



DeadBolt
2006-02-11, 09:58
Here's my Spybot 1.4 log and HijackThis log.
Original post started
http://forums.spybot.info/showthread.php?p=11311

My Hijackthis.log kept getting an invalid file error when I tried to attach it, so here's my Hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:28 AM, on 2/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\system32\spoolsv.exe
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
I:\WINNT\System32\svchost.exe
I:\PROGRA~1\NEOWATCH\NWSERVICE.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\tcpsvcs.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\Explorer.EXE
I:\PROGRA~1\Grisoft\AVG7\avgcc.exe
I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
I:\WINNT\system32\sistray.exe
I:\Program Files\NeoWatch\NeoWatchTray.exe
I:\Program Files\Opera\Opera.exe
G:\Downloaded Work\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/myweb9/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] I:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O4 - Global Startup: Utility Tray.lnk = I:\WINNT\system32\sistray.exe
O4 - Global Startup: NeoWatch Startup.lnk = I:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &NeoTrace It! - I:\PROGRA~1\NEOWATCH\NTXcontext.htm
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - I:\PROGRA~1\NEOWATCH\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132678756906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6DBA54-94BC-422E-846E-C1D0F8C49B4A}: NameServer = 204.127.129.4 12.102.244.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\System32\dmadmin.exe
O23 - Service: NeoWatch Monitor Service (NWService) - Unknown owner - I:\PROGRA~1\NEOWATCH\NWSERVICE.exe

______________________END LOG___________________________________

Once again, thanks for your patience and your hard work. :bigthumb:

LonnyRJones
2006-02-11, 19:33
Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.

DeadBolt
2006-02-11, 20:58
Here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:58 PM, on 2/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\system32\LEXBCES.EXE
I:\WINNT\system32\spoolsv.exe
I:\WINNT\system32\LEXPPS.EXE
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
I:\WINNT\System32\svchost.exe
I:\PROGRA~1\NEOWATCH\NWSERVICE.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\tcpsvcs.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\Explorer.EXE
I:\WINNT\system32\LXSUPMON.EXE
G:\Downloaded Work\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/myweb9/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] I:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXSUPMON] I:\WINNT\system32\LXSUPMON.EXE RUN
O4 - Global Startup: Utility Tray.lnk = I:\WINNT\system32\sistray.exe
O4 - Global Startup: NeoWatch Startup.lnk = I:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &NeoTrace It! - I:\PROGRA~1\NEOWATCH\NTXcontext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - I:\PROGRA~1\NEOWATCH\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132678756906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINNT\system32\LEXBCES.EXE
O23 - Service: NeoWatch Monitor Service (NWService) - Unknown owner - I:\PROGRA~1\NEOWATCH\NWSERVICE.exe

_______________END LOG__________________________________________

and there are no abnormal processes running or trying to make outgoing TCP sessions. I am extremely appreciative and in your debt, LonnyRJones! :D

There are still a few registry keys associated with the NetInstaller.exe.
Is there any harm in deleting them?

Here they are:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
002 REG_SZ NetInstaller.exe

HKEY_USERS\S-1-5-21-1004336348-507921405-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU 002 NetInstaller.exe

This one is probably part of the MS .NET framework but I'm not sure: :confused:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs I:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe 0x0000001 (1)

__________________END________________________________________

Once again thank you!
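
A way to check a follow-up log against the fix list, as an added example that is not part of the original thread: the Python below parses HijackThis entry lines and reports requested items that are still present, plus any other entries that disappeared or appeared between the two scans. The sample logs are excerpts of the two logs posted above; the function names are illustrative.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and "Running processes" lines do not match
            entries.add((m.group(1), m.group(2)))
    return entries

def verify_fix(before_log, after_log, requested):
    """Compare two scans against the list of entries the helper asked to fix."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    wanted = parse_entries(requested)
    return {
        "still_present": sorted(wanted & after),                  # fix did not take
        "removed_unrequested": sorted((before - after) - wanted), # gone, not asked for
        "added": sorted(after - before),                          # new since first scan
    }

# Excerpt of the first log in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6DBA54-94BC-422E-846E-C1D0F8C49B4A}: NameServer = 204.127.129.4 12.102.244.2
"""
# The four entries the helper listed for "Fix checked" (lines 2-5 of the excerpt).
REQUESTED = "\n".join(BEFORE.strip().splitlines()[1:5])
# Excerpt of the fresh log posted after the reboot.
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXSUPMON] I:\WINNT\system32\LXSUPMON.EXE RUN
"""

if __name__ == "__main__":
    for label, items in verify_fix(BEFORE, AFTER, REQUESTED).items():
        print(label)
        for section, detail in items:
            print("   ", section, "-", detail)
```

Entries reported as added or removed without being requested are not findings by themselves; they are the lines to read by hand before closing the case.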

LonnyRJones
2006-02-11, 21:27
Hi

Not to worry about reg entries with MRU in them.

Do these files exist anywhere? If so, where?
msupdate32.exe
Sygate32.exe

DeadBolt
2006-02-11, 21:48
Thank-you for the fast response, and the info on the Reg entries.
I could not find any listing for msupdate32.exe or Sygate32.exe,
and all is quiet.

If I can repay the favor let me know, I do hate to be redundant,
but once again I do appreciate your help.

LonnyRJones
2006-02-11, 21:58
OK

One last task: run HijackThis, click Config > Misc Tools > Delete a file on reboot.
Copy, then paste the bolded into the file name box and click OK:
I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
Let HijackThis restart your PC.

For security reasons I suggest you uninstall Acrobat Reader, then go get the current version.

DeadBolt
2006-02-11, 22:56
done!?

Having read through other posts, you're a hardworking tech, so I do appreciate the time!!!!

LonnyRJones
2006-02-12, 05:42
Good job.

I'm glad we could help.
Since the problems are solved, I'm going to close the topic now. This keeps others with similar problems from posting their logs/questions here; they should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.