Solved

Net.exe, Net1.exe..... Right clicking on apps on desktop makes desktop disappear momentarily

Posted on 2004-03-27
Last Modified: 2011-08-18
Howdy,

I'm running:
Athlon XP 2400+
768MB RAM
Win XP Pro (with SP1)
128MB 3D card
Ask for anything else you want to know.

I have an issue obviously......  All of a sudden, I have a few new things in my task manager.  Namely net.exe and net1.exe.  I can disable them fine, but several times when I have done so, Norton Internet Security gets shut down as well, and I am unable to restart it.  Now whenever I right click on an application on my desktop (besides My Computer and a few others), the desktop disappears briefly, and then shows back up again as if nothing has happened.  If I try to right click on the 2 net files in the Windows\system32 folder the same thing occurs.  My web browser is starting to give me issues, and I have just noticed that my Outlook Express is slowing greatly when trying to open.

I have updated my virus definitions and scanned to no avail.  I have also run Ad Aware and Spybot just in case.  It seems as though something is causing the havoc, but I have no idea where to look to find out what it might be.  I really don't want to have to format.......  HELP!

Thank you
Question by:JohnnyBoy01
24 Comments
 
LVL 17

Expert Comment

by:Wakeup
ID: 10697554
Looks like your problem may be very similar to this one:
http://www.computing.net/windows2000/wwwboard/forum/55859.html

Try finding those files.....and see ...

http://www.spychecker.com/download/download_hijackthis.html
Download that...and post the log of your findings...and we'll see if we can find something strange...

0
 
LVL 17

Expert Comment

by:Wakeup
ID: 10697560
Also check for viruses via these online scanners.  Yours may be bad or the viruses may have already circumvented the scanners.

http://housecall.trendmicro.com

http://security.symantec.com

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10698354
Use Spybot, Ad-aware, CWShredder and post the log from HijackThis here

After installing them, first update them and then run

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml

Ad-aware : http://www.webattack.com/download/dladaware.shtml

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

HijackThis : http://www.webattack.com/download/dlhijackthis.shtml

Pest Patrol : http://www.pestpatrol.com/

Trojan Remover : http://www.simplysup.com/
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10698361
0
 

Author Comment

by:JohnnyBoy01
ID: 10699040
Well... I went through the first link to no avail.  Process Explorer found nothing and neither did either of the 2 online virus scans listed here or the one listed in that first link.  Here's the log file from Hijack This

Logfile of HijackThis v1.97.7
Scan saved at 12:27:55 PM, on 3/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton\Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\NET.exe
C:\WINDOWS\System32\NET.exe
C:\WINDOWS\System32\net1.exe
C:\WINDOWS\System32\net1.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton\Internet Security\SymProxySvc.exe
C:\Documents and Settings\B-Man\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton\AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton\AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton\Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: http://www.nfl.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37948.4523842593
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

There are a few spyware killers and trojan finders listed above that I haven't tried yet, and I will post as soon I do.  Thanks again for your help with this!

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10699063
Did you check my second comment where I had posted about that backdoor trojan.. I would guess that is the one that has created that net.exe file under windows/system32

Apart from that I do not see anything specifically threatening in that log
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10699074
Hey, looks like net.exe is a Windows application for sending messages within network

http://oldlook.experts-exchange.com:8080/Operating_Systems/Win2000/Q_20428577.html

you need not worry about that ..
0
 

Author Comment

by:JohnnyBoy01
ID: 10701191
Well......  I have tried everything on this list to no avail.  I checked the registry for that backdoor trojan as well and the keys listed weren't there.  Here is the logfile from PestPatrol..... I deleted the top 3 entries and cleaned out all of my cookies as well.  Seems as though nothing can locate this.... whatever it is!

Scan of 3/28/2004 10:10:45 PM
Pests found: 17
Area scanned: C:\, D:\, F:\
User Name: B-Man
MAC Address: 00-50-BA-C8-1B-47
Computer Name: B-MAN
Volume Name: MAIN
File System Name: NTFS
Volume Serial No: 1410498836
Windows Version: Windows XP
Product Edition: Evaluation
PestPatrol version: 3/26/2004 4.4.1.5
PPServer.dll version: 1/26/2003
PPClean version: 3/26/2004 4.4.1.5
PPfile.dat version: 3/26/2004
PPInfo.dat version: 3/26/2004
Spyware.dat version: 3/26/2004
PPMemCheck version: 4/19/2003
PestPatrolCL version: 3/27/2004 4.4.1.5
PPUpdater version: 3/10/2004 4.4.0.33
 
Pest: PurityScan
Pest Info: Category: Adware  Background Info: Click here
File Info: In File: C:\WINDOWS\system32\winservn.exe  Date: 8/15/2003 7:59:10 PM  File Description: sear1 MFC Application  File Version: 1, 0, 0, 1  Internal Name: sear1  Legal Copyright: Copyright (C) 2002  Original Filename: sear1.EXE  Product Name: sear1 Application  Product Version: 1, 0, 0, 1
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Moderate - this file can be executed!  Advice: Delete or quarantine
Action: Ignored
                                                ~~~
Pest: StatBlaster
Pest Info: Category: Adware  Background Info: Click here
File Info: In Registry: HKEY_CLASSES_ROOT\typelib\{2fe53e31-8fcd-4c4e-8567-b6449295f9f3}
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete or ignore
Action: Ignored
                                                ~~~
Pest: StatBlaster
Pest Info: Category: Adware  Background Info: Click here
File Info: In Registry: HKEY_CLASSES_ROOT\interface\{a1a53286-d448-44ee-9660-f60a620a24b1}
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete or ignore
Action: Ignored
                                                ~~~
Pest: Track4.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@versiontracker[2].txt  Tracking URL: versiontracker.com  Hits: 11  Received: 3/28/2004 3:05:12 AM  Expires: 3/27/2006 7:03:38 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: TribalFusion.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@tribalfusion[1].txt  Tracking URL: tribalfusion.com  Hits: 11  Received: 3/28/2004 9:55:20 PM  Expires: 12/31/2037 7:00:00 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: Revenue.net Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@revenue[2].txt  Tracking URL: revenue.net  Hits: 2  Received: 3/27/2004 12:25:46 AM  Expires: 6/10/2022 12:05:42 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: QuestionMarket.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@questionmarket[2].txt  Tracking URL: questionmarket.com  Hits: 4  Received: 3/26/2004 11:03:54 PM  Expires: 5/17/2005 3:02:36 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: Overture.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@overture[1].txt  Tracking URL: overture.com  Hits: 8  Received: 3/28/2004 2:13:36 AM  Expires: 3/26/2014 2:06:52 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: HitBox.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@hitbox[2].txt  Tracking URL: hitbox.com  Hits: 16  Received: 3/28/2004 1:33:20 AM  Expires: 3/28/2005 1:31:52 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: HitBox.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@ehg-idg.hitbox[2].txt  Tracking URL: ehg-idg.hitbox.com  Hits: 8  Received: 3/28/2004 1:33:20 AM  Expires: 3/28/2005 1:31:52 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: CGI-Bin Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@cgi-bin[1].txt
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: Casalemedia Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@casalemedia[2].txt  Tracking URL: casalemedia.com  Hits: 4  Received: 3/27/2004 12:13:52 AM  Expires: 3/25/2014 12:12:24 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: Bluestreak.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@bluestreak[1].txt  Tracking URL: bluestreak.com  Hits: 7  Received: 3/28/2004 3:04:42 AM  Expires: 3/25/2014 10:03:06 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: AtlasDMT.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@atdmt[2].txt  Tracking URL: atdmt.com  Hits: 4  Received: 3/28/2004 1:01:34 AM  Expires: 3/26/2009 7:00:00 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: Adtech.de Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@adtech[1].txt  Tracking URL: adtech.de  Hits: 2  Received: 3/28/2004 1:36:02 AM  Expires: 3/26/2014 1:34:32 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: GorillaNation Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@ads.gorillanation[1].txt  Tracking URL: ads.gorillanation.com  Hits: 1  Received: 3/26/2004 11:06:42 PM  Expires: 12/31/2020 7:00:00 PM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~
Pest: About.com Spyware Cookie
Pest Info: Category: Spyware Cookie  Background Info: Click here
File Info: In File: C:\Documents and Settings\B-Man\Cookies\b-man@about[1].txt  Tracking URL: about.com  Hits: 3  Received: 3/28/2004 3:10:58 AM  Expires: 01/01/80 12:00:00 AM
Certainty: Confirmed  Threatens:    Confidentiality, Liability  Risk: Low.  Advice: Delete
Action: Ignored
                                                ~~~

Any other ideas??  Or should I just format away?

Thanks
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10701296
Since net.exe is not a bad application, what you may want to do is reinstall Windows after backing up all data.

Also you have tried all anti-virus software and nothing seems to be there .. reinstalling Windows should surely help and that you need not format

0
 

Author Comment

by:JohnnyBoy01
ID: 10701434
I had that thought as well, but would that solve anything?  If the virus/trojan is on the machine, a reinstall wouldn't kill it would it?  I'll try it anyway, and see how things go.......
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10705745
> a reinstall wouldn't kill it would it?

try backing it up to a temp directory, see if it is recreated; if not, get a good copy of it and compare the two.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10705786
Here's mine (xp):
38.5 KB (39,424 bytes)
40.0 KB (40,960 bytes)
Thursday, July 10, 2003, 9:55:50 AM
Thursday, August 29, 2002, 2:41:26 AM
Today, March 29, 2004, 12:08:06 PM

I am networking fine, and do not have them listed in taskmanager
0
 

Author Comment

by:JohnnyBoy01
ID: 10709420
I am about to try a re-install, but I thought I would mention that I checked the size of my net.exe file and it seems to be on par with what is listed above.  It's 38.5 KB in size.  It isn't always in my task manager either..... actually the services running in my processes list are the normal ones right now.

On with the re-install


0
 

Author Comment

by:JohnnyBoy01
ID: 10710784
Well...... the problems keep coming!  I went to re-install, and with about 13 minutes or so left in the process, this came up and kept me from doing anything else:

"The procedure entry point GetIUMS could not be located in the dynamic link library MSDART.dll."  

After being allowed no access to my HD anymore, I decided to cut my losses, hook it up to my other machine, and format the sucker.  Now XP isn't able to format it...... it won't complete the format on either of the partitions.  
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 10710817
check this one out for your new problem:
"The procedure entry point GetIUMS could not be located in the dynamic link library MSDART.dll."
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20896797.html
0
 

Author Comment

by:JohnnyBoy01
ID: 10713289
I would love to try that, but I guess it got too far into the install. Every way I tried to boot into the drive it just wants to reload the setup and try to continue the install.  I haven't put the drive back into my other machine yet, but I will post when I do.  I was able to format the other drive I have, so I may do a fresh install on it, and see what I can do with the offending drive after that.

Could it just be the drive?  Why would I not be able to format it?
0
 
LVL 4

Expert Comment

by:tituba2
ID: 10728810
I'd run fdisk and clear the mbr.  
0
 
LVL 17

Accepted Solution

by:
Wakeup earned 500 total points
ID: 10729952
which is fdisk /mbr
in a FAT based os!  (IE: win9x)

However in WinXP, you'd have to boot off of the Windows XP CD, and boot into the Recovery Console. And type:
Fixmbr
0
 
LVL 4

Expert Comment

by:tituba2
ID: 10730976
I should have given more steps:

You change the BIOS to boot from CD
You boot using a 98 floppy
Use fdisk to remove partitions
Clear the mbr
Set the DOS partition

put in the XP cd and boot and install
0
 

Author Comment

by:JohnnyBoy01
ID: 10732725
I used my other HD to do a fresh install of XP, and then I put the evil drive back in and it formatted just fine.  I don't know why it wouldn't format in my other machine.....  I guess things are mended.  I appreciate all the help.  I enjoy the challenge of figuring out how to fix things of this nature in computers.  And on to the points award ceremony.......

Thank you everyone!
JB
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10736690
?
0
 
LVL 1

Expert Comment

by:chow8400
ID: 12212568
I had the same problem.. I had like 100 instances of net.exe and net1.exe running on my PC ... I tried ending them in task manager but as soon as I ended one it was replaced by another

I finally ended the "dslagent" process in my task manager and it got rid of the net.exe and net1.exe processes
0
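The two checks this thread arrives at, finding which process keeps launching net.exe/net1.exe and comparing the files against a good copy, can be scripted. This is an added example, not part of the original thread; it assumes a current Windows system with PowerShell 5.1 or later (not the XP SP1 machine in the question), and the `-KnownGoodDir` parameter and its folder are hypothetical.

```powershell
param(
    # Hypothetical folder with net.exe / net1.exe copied from trusted media of the same Windows build.
    [string]$KnownGoodDir
)

$names    = 'net.exe', 'net1.exe'
# Genuine copies live in System32 (and SysWOW64 when started by a 32-bit process).
$goodDirs = @('System32', 'SysWOW64') | ForEach-Object { Join-Path $env:SystemRoot $_ }

# Take one snapshot so child and parent lookups see the same process table.
$all  = @(Get-CimInstance -ClassName Win32_Process)
$byId = @{}
foreach ($p in $all) { $byId[[uint32]$p.ProcessId] = $p }

$hits = @($all | Where-Object { $names -contains $_.Name })
if ($hits.Count -eq 0) {
    Write-Warning 'No net.exe/net1.exe running; they are short-lived, so re-run while the symptom shows.'
    return
}

$report = foreach ($p in $hits) {
    $parent = $byId[[uint32]$p.ParentProcessId]
    # PIDs are reused: a "parent" that started after the child is a different process.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $path = $p.ExecutablePath            # null when the caller lacks rights to query it
    $sig  = $null
    $hashMatch = $null
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ref = if ($KnownGoodDir) { Join-Path $KnownGoodDir $p.Name }
        if ($ref -and (Test-Path -LiteralPath $ref)) {
            # Byte-for-byte comparison against the reference copy via SHA-256.
            $hashMatch = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq
                         (Get-FileHash -LiteralPath $ref  -Algorithm SHA256).Hash
        }
    }

    [pscustomobject]@{
        Name        = $p.Name
        ProcessId   = $p.ProcessId
        CommandLine = $p.CommandLine
        Path        = $path
        InSystemDir = [bool]($path -and ($goodDirs -contains (Split-Path $path -Parent)))
        Signature   = if ($sig) { $sig.Status } else { 'unknown' }
        MatchesRef  = $hashMatch
        ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
    }
}

# Per-process detail, then a count per parent: one parent with many children is the launcher to examine.
$report | Format-List
$report | Group-Object ParentName, ParentPath | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it from an elevated prompt so `ExecutablePath` and `CommandLine` are populated for processes owned by other accounts.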
 

Expert Comment

by:jhietter
ID: 13687752
I recently updated my Kerio Firewall & now one of my shortcuts that used to point to that engine, points to net.exe.  When I saw that there was also a net1.exe with it, I thought that looked suspect, which brought me here.  Are any of you running Kerio?
0
 

Expert Comment

by:jhietter
ID: 13687798
Never mind.  I feel dumb now.  

Net.exe is a Windows tool to start services.  Think about the command prompt net start ....   Kerio had simply pointed the shortcut to Kerio as a service instead of the actual executable.
0
