tUDJ

I'm having an issue with Net.exe popping up at Windows login

Screenshot;



This box lasts for 10-15 seconds, then after a few seconds it reappears and then disappears and then one with ipconfig.exe opens and in this time the PC is slow slow slow. There are the 2 processes running in this time that I have tried to delete, net.exe and net1.exe.

I've done all of the usual virus scans and defrag etc.

I just can't work out why this is opening, I've tried renaming and deleting the net.exe and net1.exe files from the System32 folder but they just get replaced.

Can anyone offer any help? I'd like to try and get this resolved as I'm flying home tomorrow.

Thanks in advance.

__________________________

Here's the HiJackThis log;

Attached Thumbnails

 

__________________

Audio Rig:
X-Fi Xtreme Music / Minidisk deck as DAC
HD600
Millet Hybrid MiniMAX

OCN Speaker Club ≡ OCN Headphones Club ≡ OCN's Audio Rigs ≡ OCN CD Exchange ≡ Head-Fi Meet Impressions

joemaniaci

The only time I have ever seen that window is sometimes with the computers at my school due to the networks, if that gives you something to look into.

__________________
IF YOU ARE DISGUSTED WITH MY AVATAR, GO TO THE RANTS AND RAVES SECTION AND CHOOSE ONE OF FIVE LESS DISGUSTING BUT STILL DISTASTEFUL CHOICES LINK

The Guess What joemaniaci Is Going to Do Next ThreadThe T-Shirt Thread

unknown person 2-9/1/9-We will never forget

tUDJ

Well this PC is notn a LAN, it's connected to the internet via a router.

As the PC is not networked, I tried to delete them but could not, does anyone know which service may be using these processes? Then I could try to stop them starting at login.

__________________

Audio Rig:
X-Fi Xtreme Music / Minidisk deck as DAC
HD600
Millet Hybrid MiniMAX

OCN Speaker Club ≡ OCN Headphones Club ≡ OCN's Audio Rigs ≡ OCN CD Exchange ≡ Head-Fi Meet Impressions

keyboard_commando

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:57 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
E:\EXE FILES\Active Desktop Calendar\ADC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\Net.exe
C:\WINDOWS\system32\net1.exe
E:\From Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\EXE FILES\Active Desktop Calendar\ADC.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188055208406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...72/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Winpower - ZeroG Software - C:\PROGRA~1\UpsPilot\Winpower.exe
O23 - Service: Winpowermanager - ZeroG Software - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - ZeroG Software - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - ZeroG Software - C:\PROGRA~1\UpsPilot\wpRMI.exe




RED = Remove, Unamed objects will be malware
Blue = Resource hogs and unnecessary
Yellow = Check this is the Homepage you want and that it isnt a hi-jack. says: http://mystart.incredimail.com/english

Whatever installed those unamed red objects will most likely still be on your computer. Scan with Malwarebytes to remove, you might have to rename to run. Superantispyware and do same as with malwarebytes if you find it wont run.

Scan with anti virus, if yours isnt picking up anything ... try Avira You can install as on demand scanner if youre happy with your own AV.

Its a good idea to turn system restore off and then back on, to clear out any potentially infected system images you might have there.

tUDJ

Thanks for the reply, unfortunately I'm back home now so I can't do anything, I did get rid of those unnamed objects though - just in case.

All the stuff in blue will have had to stay anyway as the user wanted them :/

The homepage was set as the user wanted as well, as I've left it, the net.exe box still appears but I'm pretty certain it's not linked to any Virus/Trojan/Malware etc.

Thanks for the reply.

__________________

Audio Rig:
X-Fi Xtreme Music / Minidisk deck as DAC
HD600
Millet Hybrid MiniMAX

OCN Speaker Club ≡ OCN Headphones Club ≡ OCN's Audio Rigs ≡ OCN CD Exchange ≡ Head-Fi Meet Impressions

freakb18c1

click start run type msconfig hit enter then click the start up tab click disable all hit apply then reboot.

go into safe mode with networking download this http://siri.urz.free.fr/Fix/SmitfraudFix.exe

hit enter and hit option 2 you should be fine.