Startup Programs.

[Guest @AUTUMN@]

Can anyone tell me what these 2 programs are please.

 

new.net startup (seems to be a dll32)

 

and

 

Ctfmon.

 

Ive asked before but usually end up with a list of websites to visit where you get a load of speel you dont really understand. Anyone able to give a laymans terms description please and advice on the necessity of these 2.???

 

THanks in advance if you can help

[habilis]

CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan!

 

Just pulled that down from http://www.sysinfo.org - I hope they don't mind.

 

Any use?

 

 

Sorry, meant to mention, the other one is a real nasty. Make it go away!

[Guest @AUTUMN@]

Ive just looked in the technical help section for the answer to this topic I posted earlier. I thought I had forgot to click post reply when I couldnt find it. Then Ive found it here. Confirms im loosing me marbles. Been a very stressful day with on thing and another. Could one of the mods move this to where it belongs please.

 

Sorry for wasting your time. Ive reported meself to The mods for sillyness.

 

New net start up is a nasty but it wont bloody go away. Its installed its ugly little self in start up menu and wont be removed no matter how many times I try. What a pain in the rear.

 

Help me please someone !!!!!!!

Edited November 1, 2005 by @AUTUMN@

[IanR]

Symantec have a removal tool here: http://securityresponse.symantec.com/avcen...re.ndotnet.html

 

Cheers

 

Ian.

[Newt]

When you finish the removal via the symantec tool, download the latest version of Hijackthis. Unzip the .exe to a folder of it's own like c:\hjt or something - not to desktop and not to any sort of temp folder.

 

Run a scan & log then post the log contents here. I'll take a look for other baddies since it's rare to get new.net and not pick up some other trash along the way.

[Guest @AUTUMN@]

Hi,

 

Symantec wont shift it. Just keeps reinstalling in startup menu.

 

Here's the hijack this log.

 

Many thanks

 

Logfile of HijackThis v1.99.1

Scan saved at 10:59:41, on 02/11/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Downloads\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130179557686

O17 - HKLM\System\CCS\Services\Tcpip\..\{B6662B07-B779-42EF-B8F2-0578A51DB42B}: NameServer = 194.168.4.100 194.168.8.100

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Newt]

Grrrr. I posted a how-to and the dang browser crashed out when I clicked to post it. I'll try again later. Didn't save a copy of the instructions.

 

Have you tried getting rid of new.net from control panel & add/remove programs?

[Guest @AUTUMN@]

Its not in the add remove bit. Damn thing is rather a problem

[Newt]

Before you start, download a copy of LSP-fix. Don't use it but have it. Also, print off a copy of this how-to.

 

First go to start->run->msconfig and OK. Click on the startup tab and uncheck any startup items that have files named things like

ndnuninstall4_50.exe

uninstall3_88.exe

or similar and also any others where you don't recognize the program or process as something you loaded. These changes can be easily reversed so better too many than too few.

 

Do a search and locate any files newdot*.*

You are looking for .dll files. The one in your HJT log is it but no way to tell the full name from that listing.

 

When you locate it/them (from one to a half-dozen or more) write down the name with the full path location (and the name may be something like newdotnet3_92.dll or something similar) then get to a start->run line and for each .dll you found, enter

regsvr32 -u file.dll and click OK. You may get a window popping up asking if you really want to uninstall. You do. Since the .dll files are located in a path with spaces (c:\program files\whatever) you may need to put double quote marks around the file.dll path so that you have

regsvr32 -u "c:\program files\new dot net crap\newdotnet4_83.dll"

It depends on how you have a couple of settings and easier to just try it both ways if needed than to look around for the settings.

 

Reboot, run HJT again and remove the various new.net entries and the 016 & 017 entries.

 

Now surf around a bit and see if you are cured. There is a possibility that when you finish the cleaning you won't be able to connect to the internet. In that case, run the lsp-fix program you downloaded. That usually takes care of things.

 

If not, do the following from a start->run line.

netsh int ip reset c:\resetlog.txt

Note that after it runs you will need to set up your networking (including all the entries pointing to your ISP & email) so if you don't know them, write them down since they will be gone after the netsh reset finishes.

 

Post another HJT scan log after you've done all the above and surfed for a few hours.

[limestone]

I find sysinfo.org very useful for identifying startup entries and what they do. It's surprising how many programs you have running aren't really needed, let alone the unpleasant ones!