
Waz' GLB78 and GLB6E?


Original Message
Name: Steve Hopper
Date: August 13, 2005 at 14:39:34 Pacific
Subject: Waz' GLB78 and GLB6E?
OS: XP Home SP2
CPU/Ram: 3.06 Ghz, 512
Comment:

Hi everybody,

Am concerned about two 'programs' showing up on my allow always internet access list (GLB78 and GLB6E).

As I hardly ever have any luck drilling the internet looking for a lot of things, I didn't find anything on them and am again hoping I'll catch someone here that's 'into it'.

Gee, this forum has rarely ever let me down, but my last post sure did, as all I got were one or two replies w/o answers or even any useful suggestions, even though it seemed one replier knew more than was offered.

Likely these are not anything to worry about, but my Windows search engine is wacky and so's my OE6's spell checker.


Regards and hap' e-trails, Steve Hopper




Response Number 1
Name: jabuck
Date: August 13, 2005 at 17:55:54 Pacific
Reply:

Steve, since it is in your temp. files, run this free program CCleaner

I usually run it from default but it will clean out your recycle bin.

Then try Ewido

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* Run Ewido



Response Number 2
Name: Derek
Date: August 13, 2005 at 18:39:26 Pacific
Reply:

This freebie trojan finder/fixer might be worth a go too (disregard its report about computing.net cookie):
A2FREE - JUST DOWN PAGE

I assume you've tried MS Antispyware Beta.

DerekW



Response Number 3
Name: Br-
Date: August 14, 2005 at 16:30:46 Pacific
Reply:

Steve, did you ever find out if this was a virus or adware?

This may or may not be related to your question, but every now and then I would find a GLB file in my temp folder, but it had an exe extension. No virus or adware found. Turned out to be an uninstaller file. From what I could find out, a lot of programs use unwise.exe as the uninstaller.
Sometimes unwise.exe will clone itself to a GLB file for easier removal. Not sure I totally understand it, but someone here might have more info related to this.



Response Number 4
Name: Steve Hopper
Date: August 18, 2005 at 04:55:17 Pacific
Reply:

Hi Everybody,

Gosh I don't know where to start with so many replies and recommendations.

Plus I have new issues. I should back up and mention I used NewDotNet's uninstall tool despite my apprehension against using it and all seemed well afterwards until I changed from my neighbor's wireless access to my own new DSL.

About a three days ago (after installing a number of MS hotfixes that came in) I started getting at startup, a couple of popups. The 1st always titled RUNDLL error- said- Error loading C:\PROGRA~1\ NEWDOT “~1\NEWDOT~2.dll specialized module could not be found.

Moments later another popup titled “Caution Associated Application No..” said “The WiseUpdate client could not locate an associated application file to update. Please make sure that this software is installed properly.”

I simply clicked OK and tried to ignore it figuring that until I could get that issue resolved, I'd simply go about my business and all seemed 'well' until...

..after beginning my new internet access yesterday, I did so seemingly w/o incidents (as I avoided using Verizon's software and simply am using the ethernet cable off their modem)...

..BUT after surfing all day I then noticed I'd received a Symantec update and even so all seemed to be okay and I even scanned my entire OS (finding exactly nothing).

It gets better.

In that this morning I found a Symantec popup sitting on my desktop titled "Norton Internet Security - Program Control - Medium Risk - A remote system is trying to access your computer" and the details listed...

Protocol: TCP (Inbound)
Remote Address: (what looked like my own IP)followed by ": 4697"
Local Address: (what looked again exactly like my own IP (followed by) "(80)"
Location: Home.

So not being sure what it was and didn't want to fall victim of possibly blocking my own pc from either itself or the internet, I 'told it' to "block once". And almost instantly another same popup appeared, each time with a different last four colon preceded digits.

Anyway the Symantec log viewer for alerts states exactly what I mentioned with respect as to what was occurring, except that it added...

..This one time, the user has chosen to "block" communications.
Inbound TCP connection.
Local address,service is (XXXXXX(###.###.#.##),http(80)).
Remote address,service is (XXXXXX(###.###.#.##),1860).
Process name is "N/A".

If it wasn't (apparently) my own IP (Remote and local address(es)), I think I would have been more than just a little concerned.

I eventually (no pun intended) found in the Symantec NIS's log viewer (in my Firewall portion of the log) a Symantec link for more info on these alerts, and that started to really freak me out (but then after 11 months of Symantec now, I know it is a piece of ----), but their link led me to their "attack signatures" page in which none of the several hundred listed viruses, trojans and worms looked familiar, so I then figured that maybe I needed to enter into their search box a phrase from my alert.

Doing so I pasted "Unused port blocking has blocked communications." and the damned thing hit on nothing but KB articles on worms and backdoor trojans, none of which really had anything definitive to do with what it is I'm experiencing.

So, in a last ditch effort to stop Symantec's popups for this so called alert surrounding a 'reported' attempt at remote accessing what seems to be my laptop trying to remote access itself, I rebooted for the 1st time in days and I no longer am getting those popups.

Anyway, sorry for the rambling and record post, but I am now convinced that most if not all my issues are a mix of Symantec acting up yet once again, and the issues I am having with my removal of NewDotNet.

Lastly I'm not sure but after removing it using their uninstall (I mentioned before), I also axed Real Player which I am near positive imported the NewDotNet pain in the arse registry invading SO*.

Lastly, lastly it's looking like I do need to run CCleaner as it's been nearly 7 weeks since running it and at this point I can't imagine it can do my OS anymore harm than I already am dealing with.

But I will keep getting back to this post for anymore sageness I might be graced with from all you wonderful people.

I am a little worried though about the 5 invisible files I have let sit in my recycle bin (being afraid to empty it not knowing what they are and nobody yet has told me how to view them).

I did run across a thing on how to maybe expose them and will try that 1st.

I found it at http://forums.thatcomputerguy.us/index.php?s=cda19ffbf23505a5b085f0977fb55cdb&showtopic=14969&pid=90634&st=15&#entry90634
and the post there says to reboot and start in safe mode locate (Start>Search) and delete "C:\gendel32.exe" and adds alternatively, you might need to do the following process: How to use the Delete on Reboot tool http://www.bleepingcomputer.com/forums/ind...orial=42#delreb

Man, the fun just never ends.

I think I will sit on my issues for a while before I try either of those scary sounding dealies.

Regards and hap-e-trails, Steve Hopper



Response Number 5
Name: Derek
Date: August 19, 2005 at 18:38:08 Pacific
Reply:

If you still have those files in your bin there is one way you might be able to peer inside them.

Make up some spare folder, then right click them in the bin and do a Cut and Paste into that folder. Note their names and where they came from just in case you need them back (unlikely).

Now change their extensions to .txt (or just add .txt). They will now be harmless and come up in NotePad if you double click them. There will probably be a load of junk but you might find some plain language somewhere inside them that gives you a clue.

DerekW




Response Number 6
Name: Steve Hopper
Date: August 21, 2005 at 23:47:04 Pacific
Reply:

Hi everybody,

Say maybe I'm a little dysplexic, getting burned out, or even a chance of on setting Alzheimers, but I can't quite follow the instructions and won't hazard a try until they're a little more explained.

Please reiterate. Braille might help. :)

Oh yes, I inadvertently lost those five invisible files from out of the bin by doing a disc cleanup and not surprisingly (maybe just a little) they're again back in my bin (still invisible).

Plus I found only by a server reporting infected files that I have one or more jpegs infected with an Exp/MS04-028 'virus'. All I can find out is that it is a low risk Windows trojan that 'could' exploit system or software vulnerabilities.

Miffs me pretty good that none of my protection had ever identified it and my Symantec only reported it to me after the server identified it.

But for all I know the server could be up to nothing more than dirty tricks by cloaking their bumps by their usual 'could not access/send due to the half a dozen reasons' (when in actuality it was only that the files exceeded their max size).

Beside that, even more frustrating is that I cannot find anything that will scan and find this so called trojan, let alone remove it from whichever of the several hundred jpegs I had tried to e-mail.

Ultimately all I've found out so far about the jpeg's is that only QuickTime Picture Viewer will show a corrupted jpeg when most if not all other viewers display the very same (now known) 'corrupted' jpegs just fine.

And supposedly QT's viewer will crash if one tries to view a jpeg that has malformed format (dirty script), but mine simply notified me of "2 corrupt" files out of the hundreds I had to open one at a time in QTPV's limiting way of viewing pics. Nice viewer though.


Regards and hap-e-trails, Steve Hopper
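
On the question above of how to find which JPEGs carry the MS04-028 pattern, an added example that is not part of the thread: MS04-028 is the GDI+ JPEG parsing flaw, and the malformed files declare a comment (COM) segment length smaller than the 2 bytes the length field itself occupies. The sketch below walks a file's header segments and reports that condition; `scan_jpeg` and the sample byte strings are constructed for illustration.

```python
import struct
import sys

# Markers with no length field: TEM, RST0-RST7, SOI (EOI is handled separately).
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))
COM, SOS, EOI = 0xFE, 0xDA, 0xD9

def scan_jpeg(data):
    """Walk the header segments of one JPEG; return a list of findings."""
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    findings, pos = [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected a marker")
            break
        seg = pos
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            findings.append(f"offset {seg}: file ends inside a marker")
            break
        marker, pos = data[pos], pos + 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"offset {seg}: file ends before segment length")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:  # the length field counts its own two bytes
            note = " (MS04-028 pattern)" if marker == COM else ""
            findings.append(f"offset {seg}: segment 0x{marker:02X} declares length {length}{note}")
            break
        if pos + length > len(data):
            findings.append(f"offset {seg}: segment 0x{marker:02X} runs past end of file")
            break
        pos += length
        if marker == SOS:  # compressed image data follows; header walk is done
            break
    return findings

# Constructed sample bytes (not taken from any real file).
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN = b"\xff\xd8" + APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x00" + b"A" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_jpeg(fh.read()) or "no header anomalies")
```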




Response Number 7
Name: Derek
Date: August 22, 2005 at 08:40:25 Pacific
Reply:

I'm getting a bit punch drunk too LOL. Not sure what you mean by "invisible files in bin" - maybe it's somewhere in the verbiage.

Did you try that A2FREE I mentioned?
"Ad-Aware" and "SpyBot Search & Destroy" are the most usual freebie malware finders that folk have, but I daresay you already have those on board.

When all has been exhausted you could throw "HijackThis" at it - more later if required.

DerekW



Response Number 8
Name: Steve Hopper
Date: August 27, 2005 at 04:54:03 Pacific
Reply:

Hi Everybody,

Derek, I have been pulling my hair out the entire time since I last posted on this thread. I have been wrestling with trying to remove NewDotNet and have failed thus far miserably even though I have left the last resort to last.

I'll be trying to use the LSP-FIX - Winsock 2 repair utility (ref. http://www.cexx.org/lspfix.htm) and have left it to last because it requires some serious surgery...

First you must deregister the Winsock2 Layered Service Provider installed by NewDotNet. LSPFix gives you an interface to this. You should 'remove' the NewDotNet entries and 'keep' the rest.

Next, load regedit and open HKEY_CLASSES_ROOT\CLSID . Delete the keys 4A2AACF3-ADF6-11D5-98A9-00E018981B9E and DD521A1D-1F98-11D4-9676-00E018981B9E . For older variants the key will be DD770A75-CE18-11D5-98D8-00E018981B9E instead.

Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run . Delete the new.net value. Open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and remove the 4A2AACF3-ADF6-11D5-98A9-00E018981B9E key. You can also delete the new.net entry in HKLM\Software and the tldctl2 classes in HKCR to clean up if you wish.

Reset the computer and you should be able to delete the NewDotNet folder (new variant) or the newdotnet DLL in the Windows directory (old variant).

It ought to take me another week to figure out those instructions.

As for the 5 files I refer to as invisible, I didn't think it was too vague and quite the reverse, pretty descriptive in that I also mentioned I had tried 'show all files and folders' and still I can't view the i-n-v-i-s-i-b-l-e files inside my bin (recycle bin). As such, I'd hoped your suggestion that lost me would have been predicated on your having understood what files I was trying to view (before recommending whatever it is you tried to suggest).

I'm even wondering now if maybe you're just having fun with me, as even your last post, seems to have overlooked that I'd asked you to elaborate on your suggestion.

But if you or anyone does know of a way to view hidden, invisible, unseen files which are inside my recycle bin (unseen and only detected when initiating a "delete all files" and it prompts back are you sure you want to delete all ## files?), please feel free to jump in here anytime.

And yes I've used Adaware (pales against Ewido), SpyBot (which misses quite a bit and whose only real usefulness, compared to my trial sub for Ewido, is that SpyBot will immunize), and more good adware finders are (and I bite my tongue here) "MS's AntiSpyware" and again their "Windows-KB890830-V1.7A-ENU.exe" malware find/remover.

As for HiJackThis, it may be my savior in the end, but I need to figure out what to do with the load of info it deluges me with, not to mention the myriad mazes of fixes HJT will eventually besiege/bestow me with. I won't say a word about Symantec's NIS 2005.

It's starting to look like I'll be going to Linux asfp as I have found a number of trojans, an MS04-28 'virus', and countless registry problems all related to spy and malware.

Regards and hap-e-trails, Steve Hopper



Response Number 9
Name: Derek
Date: August 27, 2005 at 08:57:17 Pacific
Reply:

If you decide to use HJT I have found that you can cut through the cackle a bit by putting your log on here as first step and then letting it remove all malicious items:
HJT DETECTIVE

You then put your new (hopefully shorter) log on here:
HJT ANALYSIS

It's the last one that shows all running items and is a bit of a mouthful (although a Google search can often find the dubious items).

DerekW

