NetInstaller.exe (UWAS6_0001_N68M2301NetInstaller.exe)

DeadBolt

New member
Here's my Spybot 1.4 log and HJT log.
Original post started
http://forums.spybot.info/showthread.php?p=11311

My Hijackthis.log kept getting an invalid file error when I tried to attach it, so here's my Hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:28 AM, on 2/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\system32\spoolsv.exe
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
I:\WINNT\System32\svchost.exe
I:\PROGRA~1\NEOWATCH\NWSERVICE.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\tcpsvcs.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\Explorer.EXE
I:\PROGRA~1\Grisoft\AVG7\avgcc.exe
I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
I:\WINNT\system32\sistray.exe
I:\Program Files\NeoWatch\NeoWatchTray.exe
I:\Program Files\Opera\Opera.exe
G:\Downloaded Work\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/myweb9/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] I:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O4 - Global Startup: Utility Tray.lnk = I:\WINNT\system32\sistray.exe
O4 - Global Startup: NeoWatch Startup.lnk = I:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &NeoTrace It! - I:\PROGRA~1\NEOWATCH\NTXcontext.htm
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - I:\PROGRA~1\NEOWATCH\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132678756906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6DBA54-94BC-422E-846E-C1D0F8C49B4A}: NameServer = 204.127.129.4 12.102.244.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\System32\dmadmin.exe
O23 - Service: NeoWatch Monitor Service (NWService) - Unknown owner - I:\PROGRA~1\NEOWATCH\NWSERVICE.exe

______________________END LOG___________________________________

Once again thanks for your patience and your hard work. :bigthumb:
 
Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.
 

Here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:58 PM, on 2/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\system32\LEXBCES.EXE
I:\WINNT\system32\spoolsv.exe
I:\WINNT\system32\LEXPPS.EXE
I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
I:\WINNT\System32\svchost.exe
I:\PROGRA~1\NEOWATCH\NWSERVICE.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\tcpsvcs.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\Explorer.EXE
I:\WINNT\system32\LXSUPMON.EXE
G:\Downloaded Work\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/myweb9/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] I:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXSUPMON] I:\WINNT\system32\LXSUPMON.EXE RUN
O4 - Global Startup: Utility Tray.lnk = I:\WINNT\system32\sistray.exe
O4 - Global Startup: NeoWatch Startup.lnk = I:\Program Files\NeoWatch\NeoWatchTray.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &NeoTrace It! - I:\PROGRA~1\NEOWATCH\NTXcontext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - I:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - I:\PROGRA~1\NEOWATCH\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: i:\winnt\system32\avgfwafu.dll
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132678756906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - I:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINNT\system32\LEXBCES.EXE
O23 - Service: NeoWatch Monitor Service (NWService) - Unknown owner - I:\PROGRA~1\NEOWATCH\NWSERVICE.exe

_______________END LOG__________________________________________

and there are no abnormal processes running or trying to make outgoing TCP sessions. I am extremely appreciative and in your debt, LonnyRJones! :D

There are still a few registry keys associated with the NetInstaller.exe,
Is there any harm in deleting them?:

Here they are:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
002 REG_SZ NetInstaller.exe

HKEY_USERS\S-1-5-21-1004336348-507921405-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU 002 NetInstaller.exe

This one is probably part of the MS .NET framework but I'm not sure: :confused:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs I:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe 0x0000001 (1)

__________________END________________________________________

Once again thank you!
 
Hi

Not to worry about reg entries with MRU in them.

Do these files exist anywhere? If so, where?
msupdate32.exe
Sygate32.exe
 
Thank-you for the fast response, and the info on the Reg entries.
I could not find any listing for msupdate32.exe or Sygate32.exe,
and all is quiet.

If I can repay the favor let me know, I do hate to be redundant,
but once again I do appreciate your help.
 
OK

One last task: run HijackThis, click Config > Misc Tools > Delete a file on reboot.
Copy then paste the bolded into the file name box and click OK.
I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
Let HijackThis restart your PC.

For security reasons I suggest you uninstall Acrobat Reader, then go get the current version.
 
Good Job

I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.
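
The fix-then-rescan check carried out in this thread can be done mechanically by diffing the two HijackThis logs. The following is an added example, not part of the original thread or of HijackThis; the function names `entries` and `review` are hypothetical, and the sample text is excerpted from the two logs posted above.

```python
import re

# Excerpts copied from the two HijackThis logs in this thread (first scan, fresh scan).
BEFORE = r"""
Running processes:
I:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NI.UWAS6_0001_N68M2301] "I:\WINNT\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKLM\..\RunServices: [Sygate Personall Firewall] Sygate32.exe
O8 - Extra context menu item: LimeShop Preferences - file://I:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6DBA54-94BC-422E-846E-C1D0F8C49B4A}: NameServer = 204.127.129.4 12.102.244.2
"""
AFTER = r"""
Running processes:
I:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXSUPMON] I:\WINNT\system32\LXSUPMON.EXE RUN
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINNT\system32\LEXBCES.EXE
"""
# The four lines the helper asked to be checked and fixed.
FIX_LIST = [l for l in BEFORE.splitlines()
            if "NetInstaller" in l or "RunServices" in l or "LimeShop" in l]

# Entry lines start with a section code: "R0 - ", "O4 - ", "O23 - ", ...
ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")

def entries(log):
    """Return the set of entry lines; headers and the process list do not match."""
    stripped = (line.strip() for line in log.splitlines())
    return {m.group(0) for m in map(ENTRY.match, stripped) if m}

def review(before, after, fix_list):
    """Compare two scans against the list of entries that were supposed to be fixed."""
    b, a = entries(before), entries(after)
    fixed = entries("\n".join(fix_list))
    return {
        "still_present": sorted(fixed & a),            # fix did not take
        "removed_unrequested": sorted(b - a - fixed),  # gone, but never on the fix list
        "new": sorted(a - b),                          # appeared since the first scan
    }

if __name__ == "__main__":
    for kind, lines in review(BEFORE, AFTER, FIX_LIST).items():
        print(f"{kind}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

On these excerpts the fix list is fully cleared, the O17 NameServer entry shows up as a change nobody requested, and the Lexmark entries show up as new since the first scan.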
 