1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

whats this file ..

Discussion in 'Virus & Other Malware Removal' started by BAM, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    any body knows what the netsh.exe file recently it started to start and shut down in my the process list (it jumps out and thne jumps in)
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  3. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    okay thx but why is it restarting all the time (it eats up some cpu when it does it so its pretty annoying ..)
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I think Netsh has something to do with your Network Adapter...

    Are you using a LAN?
    What version of Windows are you using? 2000? XP?
     
  5. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    XP i have a LAN Connection witha D-LINK 604 Router wich i have used for 3 years now and this started to happen yesterday
     
  6. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    btw maybee you could chekc my HTJ log:
    Logfile of HijackThis v1.98.0
    Scan saved at 19:48:22, on 2004-09-06
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\npfmsg2.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\Users\HemPC\Mina dokument\Program\HijackThis.exe
    C:\WINDOWS\System32\netsh.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  7. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    i shutted down all the processesin my process list and when i got to the svchost.exe files and shutted thme down the netsh.exe progrma stopped to start and close this means that its something wrong with svchost.exe wth shall i do ???
     
  8. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any reason for it to be starting, probably as a "service" since there is no obvious startup for it.

    First, find the file, right click on it and check Properties > Version. It should have a Microsoft copyright and be about 81 kb in length.

    download the "getservice.zip" file: http://forums.techguy.org/attachment.php?attachmentid=38367


    ... unzip it and run "getservice.bat". Upload the text file it produces as an attachment here.

    Also get the latest version of HijackThis, 1.98.2 and post the results of that too.

    http://www.net-integration.net/tools/hijackthis.html
     
  10. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    okay here it is and btw i have uploaded the userinit and it says its clean and i have runned house call and Panda to .. and here is the hjt with the 1.98.2
    Logfile of HijackThis v1.98.2
    Scan saved at 13:27:45, on 2004-09-07
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\npfmsg2.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    D:\Users\HemPC\Mina dokument\Program\HijackThis.exe
    C:\WINDOWS\System32\netsh.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     

    Attached Files:

  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any "direct" startup for it. However one of your service startups from MS, not by any means a "default" startup is:

    aspnet_state.exe associated with Microsoft.net:

    C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

    Now from what I gather this is installed as part of a web host server management application on a network. (I really know nothing of this stuff).

    http://builder.com.com/5100-6387-1049585.html

    Quite possibly it is is utilizing netsh.exe as part of its routines.

    Have you installed Microsoft.net\Frmework recently? And just how is this system being used?
     
  12. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    yes i have Net Framework but it was installed from start (when i got the computer) and i use this computer for playing games ..
     
  13. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    okay i think i have found out were the problem is i tried to shut down my AV program (since it have caused problems before..) and thne the netsh.exe file stopped to restart and dissapered from the task list .. so its probally my AV program (Norman AV very ****** AV program that i got with the computer) thats making trouble ...
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I've been running a "trial" version of Norman AV (expired now) and have most of the processes running that you have except npfmsg2.exe. I don't know what that does, in fact it isn't even on the system.

    One thing you might check in the configuration editor for "on demand" and "on access" scanning is whether you have the scan "files on networked drives" option enabled/excluded in the two interfaces. Could be that netsh.exe is doing something with that enabled.
     
  15. BAM

    BAM Thread Starter

    Joined:
    Jun 25, 2003
    Messages:
    135
    tryed that and it did not work ..
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270523

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice