whats this file ..

[BAM]

any body knows what the netsh.exe file recently it started to start and shut down in my the process list (it jumps out and thne jumps in)

 

[Cheeseball81]

All about Netsh.exe

http://support.microsoft.com/default.aspx?kbid=242468

 

[BAM]

okay thx but why is it restarting all the time (it eats up some cpu when it does it so its pretty annoying ..)

 

[Cheeseball81]

I think Netsh has something to do with your Network Adapter...

Are you using a LAN?
What version of Windows are you using? 2000? XP?

 

[BAM]

XP i have a LAN Connection witha D-LINK 604 Router wich i have used for 3 years now and this started to happen yesterday

 

[BAM]

btw maybee you could chekc my HTJ log:
Logfile of HijackThis v1.98.0
Scan saved at 19:48:22, on 2004-09-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Users\HemPC\Mina dokument\Program\HijackThis.exe
C:\WINDOWS\System32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[BAM]

i shutted down all the processesin my process list and when i got to the svchost.exe files and shutted thme down the netsh.exe progrma stopped to start and close this means that its something wrong with svchost.exe wth shall i do ???

 

[Nok1]

Remove these entries from HJT:

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

upload the file below to the this site - http://virusscan.jotti.dhs.org/
C:\WINDOWS\system32\userinit.exe

Next, run an online virus scan from at least two of thse places:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/

Post back a new HJT log. Everything fine now?

 

[Rollin' Rog]

I don't see any reason for it to be starting, probably as a "service" since there is no obvious startup for it.

First, find the file, right click on it and check Properties > Version. It should have a Microsoft copyright and be about 81 kb in length.

download the "getservice.zip" file: http://forums.techguy.org/attachment.php?attachmentid=38367


... unzip it and run "getservice.bat". Upload the text file it produces as an attachment here.

Also get the latest version of HijackThis, 1.98.2 and post the results of that too.

http://www.net-integration.net/tools/hijackthis.html

 

[BAM]

okay here it is and btw i have uploaded the userinit and it says its clean and i have runned house call and Panda to .. and here is the hjt with the 1.98.2
Logfile of HijackThis v1.98.2
Scan saved at 13:27:45, on 2004-09-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
D:\Users\HemPC\Mina dokument\Program\HijackThis.exe
C:\WINDOWS\System32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[Rollin' Rog]

I don't see any "direct" startup for it. However one of your service startups from MS, not by any means a "default" startup is:

aspnet_state.exe associated with Microsoft.net:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

Now from what I gather this is installed as part of a web host server management application on a network. (I really know nothing of this stuff).

http://builder.com.com/5100-6387-1049585.html

Quite possibly it is is utilizing netsh.exe as part of its routines.

Have you installed Microsoft.net\Frmework recently? And just how is this system being used?

 

[BAM]

yes i have Net Framework but it was installed from start (when i got the computer) and i use this computer for playing games ..

 

[BAM]

okay i think i have found out were the problem is i tried to shut down my AV program (since it have caused problems before..) and thne the netsh.exe file stopped to restart and dissapered from the task list .. so its probally my AV program (Norman AV very ****** AV program that i got with the computer) thats making trouble ...

 

[Rollin' Rog]

I've been running a "trial" version of Norman AV (expired now) and have most of the processes running that you have except npfmsg2.exe. I don't know what that does, in fact it isn't even on the system.

One thing you might check in the configuration editor for "on demand" and "on access" scanning is whether you have the scan "files on networked drives" option enabled/excluded in the two interfaces. Could be that netsh.exe is doing something with that enabled.

 

[BAM]

tryed that and it did not work ..