 |  |  |  |  |  |  |  |
Potential Unwanted Behaviour
 |
Am new to this site, a learner still learning, and having annoying problems with my computer. Have been getting excessive internet account usage, and when doing a virus scan, have noticed that many MS KB updates have been uninstalled. Have spoke to MS and they claim that they don't uninstall KB updates when updating. Strange???
Also on MS Defender when I open up there are two service and driver entries that are claimed to be required for the security of the computer. One is identifiable, but the other has no satisfactory information to confirm if it's legit. When I attempt to block it, it comes up with a failed error, and will not block it. Strange???
After going through MS Defender "History" box I've found numerous insertions that I didn't "ALLOW", and I don't know whether they are updates from servers or malicious insertions.
I have installed on my computer:
MS Defender
PC Security Shield Vi Robot (Antivirus)
PC Security Shield Firewall
PC Security Shiel Registry Cleaner.
I have tried to get answers from PC Security Shield tech support to confirm if any of these challenges by MS Defender are their updates for all the programmes, and have found a brickwall, and have been fobbed off. And Hauri who is the updating server for the virus and firewall programme, redirects me back to PC Security Shield.
I believe that the only way to rid my computer of all these annoying problems, and possibly malicious insertions that has got past MS Defender is to clean down the computer completely.
Can anyone give me a simple step-by-step procedure for taking such an extreme action.
I have the recovery disk supplied by Acer for Windows XP.
Has anyone have any knowledge of these programme listed above, whether they are of a high quality, or what would be a better quality programes.
Regards
George
Also on MS Defender when I open up there are two service and driver entries that are claimed to be required for the security of the computer. One is identifiable, but the other has no satisfactory information to confirm if it's legit. When I attempt to block it, it comes up with a failed error, and will not block it. Strange???
After going through MS Defender "History" box I've found numerous insertions that I didn't "ALLOW", and I don't know whether they are updates from servers or malicious insertions.
I have installed on my computer:
MS Defender
PC Security Shield Vi Robot (Antivirus)
PC Security Shield Firewall
PC Security Shiel Registry Cleaner.
I have tried to get answers from PC Security Shield tech support to confirm if any of these challenges by MS Defender are their updates for all the programmes, and have found a brickwall, and have been fobbed off. And Hauri who is the updating server for the virus and firewall programme, redirects me back to PC Security Shield.
I believe that the only way to rid my computer of all these annoying problems, and possibly malicious insertions that has got past MS Defender is to clean down the computer completely.
Can anyone give me a simple step-by-step procedure for taking such an extreme action.
I have the recovery disk supplied by Acer for Windows XP.
Has anyone have any knowledge of these programme listed above, whether they are of a high quality, or what would be a better quality programes.
Regards
George
•
•
Join Date: May 2006
Posts: 599
Reputation: 
Solved Threads: 36
A.K.A. The Laughing Man
Download HiJackThis from here.
Make a new folder called HJT in the C: directory(C:\HJT) Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a notepad file with the log. Copy and Paste the contents of the note pad file in your next reply.
Make a new folder called HJT in the C: directory(C:\HJT) Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a notepad file with the log. Copy and Paste the contents of the note pad file in your next reply.
•
•
•
•
Originally Posted by kylethedarkn
Download HiJackThis from here.
Make a new folder called HJT in the C: directory(C:\HJT) Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a notepad file with the log. Copy and Paste the contents of the note pad file in your next reply.
I downloaded HJT, and I followed your instructions, and I noted the Notepad File, which contains, what appears to be the full system files. Being a concerned person, posting this to all to read on the net makes wary and concerned.
Could you please let me know a bit more about this.
Regards
George
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
All It Tells us is what Processes are running on your computer(Some might be malicious)
What you IE settings Are(to see if you have homepage hijacker)
What your browser helper objects are(could be malware)
What toolbars you have(some are not good)
What processes run at startup(helpful so when we delete malware it wont say being used by another process)
What you see when you right click in IE(Shows us if your infected)
What extra buttons you have in your toolbar(could be malicious)
What your trusted zones in IE are(so we can make sure malware didn't add any sites that could harm your computer)
What dowloaded programs are actively running on you computer(most victims have malcious downloaded programs)
Lets us know what dlls that will be loaded when user32.dll is loaded(used often by malware to start up early)
What your running services are(shows us if you have malicious services such as NewDotNet)
The system files it shows us is information that we already know and that most people have running on their computer. By system files I beleive your refering to files such as svchost.exe, lsass.exe, snmp.exe, winlogon.exe, spoolsv.exe, smss.exe, and many others. I assure you that by posting your HJT log here you are no way putting yourself in any danger.
What you IE settings Are(to see if you have homepage hijacker)
What your browser helper objects are(could be malware)
What toolbars you have(some are not good)
What processes run at startup(helpful so when we delete malware it wont say being used by another process)
What you see when you right click in IE(Shows us if your infected)
What extra buttons you have in your toolbar(could be malicious)
What your trusted zones in IE are(so we can make sure malware didn't add any sites that could harm your computer)
What dowloaded programs are actively running on you computer(most victims have malcious downloaded programs)
Lets us know what dlls that will be loaded when user32.dll is loaded(used often by malware to start up early)
What your running services are(shows us if you have malicious services such as NewDotNet)
The system files it shows us is information that we already know and that most people have running on their computer. By system files I beleive your refering to files such as svchost.exe, lsass.exe, snmp.exe, winlogon.exe, spoolsv.exe, smss.exe, and many others. I assure you that by posting your HJT log here you are no way putting yourself in any danger.
Roger that, copy follows:
Logfile of HijackThis v1.99.1
Scan saved at 8:17:23 AM, on 14/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRAM FILES\VIROBOTXP\VRMONNT.EXE
C:\PROGRAM FILES\VIROBOTXP\VRRES.EXE
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\GEORGE~1.OEM\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ninemsn Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB002" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [MyRegistryCleaner] C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093322491312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125710115078
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe
Logfile of HijackThis v1.99.1
Scan saved at 8:17:23 AM, on 14/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRAM FILES\VIROBOTXP\VRMONNT.EXE
C:\PROGRAM FILES\VIROBOTXP\VRRES.EXE
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\GEORGE~1.OEM\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ninemsn Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB002" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [MyRegistryCleaner] C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093322491312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125710115078
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
Run HJT and Check the following.
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
If you removed the sites in front of the following items on purpose dont check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.
Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.
Please download and install ewido anti-spyware tool
Post the Ewido log along with a new HJT log.
Still having problems?
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
If you removed the sites in front of the following items on purpose dont check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.
Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.
Please download and install ewido anti-spyware tool
- Close all other Applications Select language click Ok
- Click I Agree
- Click next
- Click Install
- Click Finish
- Wait Ewido will open main screen automatically.
- Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
- This in very important to get updates
- When updating has finished. Close Ewido.
- Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear use arrow up to highlight
- Select the first option, to run Windows in Safe Mode hit enter.
- For additional help in booting into Safe Mode, see the following site: HERE
You MUST manage to get into Safe Mode for the fix to work.
- Open Ewido
- Click on scanner top of Ewido sceen
- Click on Settings
- Under How to Act click on Recommended Action choose Quarantine
- Under How to scan all boxes should be selected
- Under Possibly unwanted software all boxes should be selected
- On right side under Reports: click on Automatically generate report after every scan.
- Under What to scan select scan every file
- Click On scan Tab
- Click on Complete system scan
- Let the program scan the machine It can take awhile give it time.
- When scan has finished At bottom of screen click Apply all Actions
- Click Save report
- Click Save Report as (Save as window's screen should pop up.)
- Click desktop
- Click Save
- Exit ewido
Post the Ewido log along with a new HJT log.
Still having problems?
Last edited by kylethedarkn; Jul 14th, 2006 at 1:17 am.
Number 7 14 July 2006 Outgoing
Hi Kyle,
Thanks for your time and patience.
As I had said in my first posting that I am new to the game, so I will ask some questions first before I proceed, just to set my mind right. I hope this is okay with you. I’m 69 years of age, and understand things very well, but always like to set my mind at ease. It’s my old Army training from the communicating field.
Run HJT and Check the following.
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
(1) Okay, I can run HJT again.
But, before I do so, I’m not to sure what you mean when you said to “CHECK THE FOLLOWING”? Is that “TICKING” a box, or “HIGHLIGHTING” Item 016, or does it also include Item 016, and the 3 x RO and 04 Items below?
I’m in doubt of what you are advising, because Item 16, VrUpdate Control, I believe to be part of the automatic update for my Virus programme, as Global Hauri is my programme server.
If you removed the sites in front of the following items on purpose dont check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.
(2) I don’t quiet understand what you are saying here, “If you removed the sites in front of the following items on purpose, don’t check them"?
Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.
(3) Item 017 – qld.Bigpond.net.au is my server. Qld is short for Queensland. I live in Australia.
Thank you for your help.
Kind Regards
George
Hi Kyle,
Thanks for your time and patience.
As I had said in my first posting that I am new to the game, so I will ask some questions first before I proceed, just to set my mind right. I hope this is okay with you. I’m 69 years of age, and understand things very well, but always like to set my mind at ease. It’s my old Army training from the communicating field.
Run HJT and Check the following.
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
(1) Okay, I can run HJT again.
But, before I do so, I’m not to sure what you mean when you said to “CHECK THE FOLLOWING”? Is that “TICKING” a box, or “HIGHLIGHTING” Item 016, or does it also include Item 016, and the 3 x RO and 04 Items below?
I’m in doubt of what you are advising, because Item 16, VrUpdate Control, I believe to be part of the automatic update for my Virus programme, as Global Hauri is my programme server.
If you removed the sites in front of the following items on purpose dont check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.
(2) I don’t quiet understand what you are saying here, “If you removed the sites in front of the following items on purpose, don’t check them"?
Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.
(3) Item 017 – qld.Bigpond.net.au is my server. Qld is short for Queensland. I live in Australia.
Thank you for your help.
Kind Regards
George
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
Yes by checking the following i meant to tick the box thats right behind them.
You don't have to fix the 016 line but its been known to cause some trouble but im not going to force you to do anything so its up to you.
For the ones that started with R0 I wasn't sure if when you were copying and pasting the log if you removed any websites that were there for privacy.
Ok and as for the 017 i was just making sure you knew the server you were using.
Make sure to do the Ewido scan and post the log here along with a new HJT log.
Let me know if your still having problems after you complete the Ewido scan.
BTW-It's no problem answering your questions.
You don't have to fix the 016 line but its been known to cause some trouble but im not going to force you to do anything so its up to you.
For the ones that started with R0 I wasn't sure if when you were copying and pasting the log if you removed any websites that were there for privacy.
Ok and as for the 017 i was just making sure you knew the server you were using.
Make sure to do the Ewido scan and post the log here along with a new HJT log.
Let me know if your still having problems after you complete the Ewido scan.
BTW-It's no problem answering your questions.
•
•
•
•
Originally Posted by kylethedarkn
Yes by checking the following i meant to tick the box thats right behind them.
You don't have to fix the 016 line but its been known to cause some trouble but im not going to force you to do anything so its up to you.
For the ones that started with R0 I wasn't sure if when you were copying and pasting the log if you removed any websites that were there for privacy.
Ok and as for the 017 i was just making sure you knew the server you were using.
Make sure to do the Ewido scan and post the log here along with a new HJT log.
Let me know if your still having problems after you complete the Ewido scan.
BTW-It's no problem answering your questions.
Thanks for your reply.
I just gone to Ewido net.
I checked their "compatibility list" and my Antivirus, Firewall (PC Security Shield Pro 2006), and Antispyware (MS Defender) are not listed. So, I sent them an email just to check the compatibility. Does that sound okay to you.
On your previous email you said to "download and install ewido anti-spyware tool", and then said to "close all other Applications".
By, "all other applications", you would mean the Antivirus, Firewall, Spyware, and all other incidental programmes that appears on the "taskbar", bottom-right of screen, near the "clock".
I notice that the Ewido programme is free for a 30 day trial. Do you use this programme yourself, and any other programmes in tandem with it?
Do you think I need to wait for a reply back from them whether my programmes are compatible. I guess they would be, but they were not listed on their list.
Sorry if I am being cautious, but I just want to get all things right before I start playing around with things that I am not fully conversant with.
Thanks for your time.
Regards
George
Australia
•
•
Join Date: May 2006
Posts: 599
Reputation:
Solved Threads: 36
A.K.A. The Laughing Man
By all other applications it means any open windows and any firewalls you have running. Just re-enable the firewalls after the ewido installation is complete.
Yes I use Ewido Myself and it is a great Spyware scanning program. It finds alot more than other scanners.
As for the compatability that is for other Anti-Virus programs and Firewalls. Since Ewido is not an AV program but a Malware Scanner and has no firewall it should be safe to run with your other AV programs. You can always Uninstall it after we fix the problems with your computer
Feel free to post those logs anytime.
Yes I use Ewido Myself and it is a great Spyware scanning program. It finds alot more than other scanners.
As for the compatability that is for other Anti-Virus programs and Firewalls. Since Ewido is not an AV program but a Malware Scanner and has no firewall it should be safe to run with your other AV programs. You can always Uninstall it after we fix the problems with your computer
Feel free to post those logs anytime.
|
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: HJT and L2MFIX Log Included:
- Next Thread: How to avoid somebody spying my pc
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gtaiv gumblar hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn news obama paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista warning windows worm zeroday
