what is nether.exe??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by danu_moonfire, Oct 10, 2005.

  1. danu_moonfire

    danu_moonfire Private E-2

    My firewall keeps notifying me that this application nether.exe is trying to access the network. What is this nether.exe? Is it something that's needed or can it be safely removed? Thanks Danu
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure! But it could be this:

    http://www.sophos.com/virusinfo/analyses/w32opankiab.html

    See the Advanced tab.

    Perhaps you should follow the below steps.


    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. danu_moonfire

    danu_moonfire Private E-2

    I have followed all the steps in the sticky. Attached are the logs. Ad-Aware didn't find anything; nether.exe was not removed according to the log. I was not able to run in safe mode; it got to the point where it says Windows is starting up and never did open. I am running Windows 2000, AVG antivirus, and Sygate firewall. Let me know if I should run the HijackThis log. Thanks Danu
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is what my last message indicated. Please attach logs as text files.
     
  5. danu_moonfire

    danu_moonfire Private E-2

    I ran AVG again and it did delete the nether file this time (it is a virus). The same virus you thought it might be. I noticed it still shows up on the HijackThis log. Please let me know what else is there that shouldn't be. Thanks Danu
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a general comment. You should not install programs like you have installed the below:

    E:\Program Files\FireWall.exe
    E:\Program Files\avgcc.exe /STARTUP
    E:\Program Files\avgemc.exe
    E:\PROGRA~1\avgemc.exe

    This is a bad idea and makes it difficult to distinguish good from bad. Normally the best thing to do is to install programs into the default recommended folders. But at a minimum, if you want to change the name, use a folder of its own and use a name that makes sense. No programs should be installed into the root or the E:\Program Files folder. They should be installed into a subfolder of E:\Program Files. Like E:\Program Files\AVG7 or E:\Program Files\AVG Antivirus

    Is E:\Program Files\FireWall.exe part of AVG Plus with Firewall? If so you should not still be running Sygate Firewall. Only use one firewall.

    Do you have a program named Paltalk Messenger on your PC? I'm wondering what the below is:
    O4 - Global Startup: palstart.exe

    Okay, let's clean up some other items.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Windows System Configuration] C:\WINNT\nether.exe
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O9 - Extra button: PD - {3B67A487-0F21-4527-B8B9-BA3DC33E37C1} - E:\Program Files\Popup Defender\pd.exe (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINNT\nether.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Oct 11, 2005
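
Added example (not part of the original thread and not any poster's or HijackThis's own code): a small triage script applying the advice in the post above to HijackThis lines quoted in this thread. The regexes, function names and the "directly in Windows directory" check are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINNT\nether.exe
O4 - HKLM\..\Run: [dwStart] E:\Program Files\FireWall.exe
O4 - HKCU\..\Run: [Popup Defender] "E:\Program Files\Popup Defender\pd.exe" Minimize
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: PD - {3B67A487-0F21-4527-B8B9-BA3DC33E37C1} - E:\Program Files\Popup Defender\pd.exe (file missing)
"""

# Assumed patterns for O4 registry Run lines and for the executable inside the command.
RUN_ENTRY = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)
PF_NAMES = {"program files", "progra~1"}
WIN_NAMES = {"winnt", "windows"}  # assumption: review autoruns sitting loose here too

def classify(path):
    """Return a triage note for an autorun path, or None if it has a folder of its own."""
    parent = PureWindowsPath(path).parent
    if parent.anchor and parent == PureWindowsPath(parent.anchor):
        return "loose in drive root"
    if parent.name.lower() in PF_NAMES:
        return "loose in Program Files root"
    if parent.name.lower() in WIN_NAMES:
        return "directly in Windows directory"
    return None

def triage(log_text):
    """Return (kind, name, detail, note) tuples for entries worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        # Entries whose target is gone are leftovers of removed software.
        if line.endswith(("(file missing)", "(no file)")):
            findings.append(("orphan", line.split(" - ")[0], line, "target no longer exists"))
            continue
        m = RUN_ENTRY.match(line)
        exe = m and EXE_PATH.match(m.group(3))
        if not exe:
            continue
        path = exe.group(1) or exe.group(2)
        note = classify(path)
        if note:
            findings.append(("autorun", m.group(2), path, note))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit is a prompt to identify the file, not a verdict: legitimate system files also live directly in the Windows directory.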
  7. danu_moonfire

    danu_moonfire Private E-2

    It appears to have gotten rid of the nether.exe. I looked for the file in C:/WINNT and did not find it, so I also did a search in run and nothing. I do have Paltalk installed and I have the AVG free that doesn't include the firewall.
    Also I noticed Popup Defender on the HijackThis log, which I uninstalled long ago. Do I get rid of that too? Thanks Danu
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then who does the following belong to:
    E:\Program Files\FireWall.exe

    See why it is important to install things where they belong?

    Are you sure you uninstalled Popup Defender? Check to make sure that it is not in Add/Remove programs.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Could it be that a properly installed version of the FireWall.exe would show?

    O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
     
  10. danu_moonfire

    danu_moonfire Private E-2

    The Popup Defender is not in the add/remove programs, however the pcshield firewall is listed but the remove button is greyed out. I did have that firewall included with another program and it never did work, so I uninstalled both of them (I thought) and got a refund. Yes, I see what you mean about having their own folders. Thanks, Danu
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [dwStart] E:\Program Files\FireWall.exe
    O4 - HKCU\..\Run: [Popup Defender] "E:\Program Files\Popup Defender\pd.exe" Minimize


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    E:\Program Files\FireWall.exe
    E:\Program Files\Popup Defender <--- the whole folder.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    You may want to consider uninstalling AVG, rebooting and cleaning up any left over files, and then reinstalling into the proper folder. Then update it.
     
  12. danu_moonfire

    danu_moonfire Private E-2

    I deleted the firewall exe and the popup defender, and I didn't find any remaining folders. AVG is in its own folder now. Attached is the new HJT log. Thanks for all your help, Danu
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Looks better now! So how is everything working?
     
  14. danu_moonfire

    danu_moonfire Private E-2

    Everything seems to be fine, thanks so much for all your help. I have one more question. How do I remove Block the pop? It is on the add/remove program list. When I click on remove I get an error message: The following file does not exist or is not a valid uninstallation log file. e:/program files/uninstal.log I don't have this program anymore. Thanks Danu
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand your message. What is "Block the pop"? Are you saying this is the name of a program you used to have installed? What actually appears in Add/Remove programs? Also what appears in the below registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Hopefully you know how to run regedit and navigate the registry to this key. Do not change anything! Just look.
     
  16. danu_moonfire

    danu_moonfire Private E-2

    Blockthepop was a popup blocker I had at one time. Under this registry it says HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block The Pop v1.0
    On the right it has 3 entries. The first one says... (Default) REG_SZ (value not set) second one... Display name REG_SZ Block The Pop v1.0.... 3rd one.... uninstallstring REG_SZ C://WINNT\unvise32.exe\e:\program files\uninstal.log
    In the add/remove programs it lists Block The Pop v1.0, file size is blank. It appears like any other program on the list but when I click add or remove I get the error message.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below!

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixBTP.reg and then click save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixBTP.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Now I would also look in c:\program files for any related folder and delete it if found.
     
  18. danu_moonfire

    danu_moonfire Private E-2

    Ok thanks a lot, that seemed to do the trick. Danu
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

