Am new to this site, a learner still learning, and having annoying problems with my computer. Have been getting excessive internet account usage, and when doing a virus scan, have noticed that many MS KB updates have been uninstalled. Have spoken to MS and they claim that they don't uninstall KB updates when updating. Strange???

Also on MS Defender when I open up there are two service and driver entries that are claimed to be required for the security of the computer. One is identifiable, but the other has no satisfactory information to confirm if it's legit. When I attempt to block it, it comes up with a failed error, and will not block it. Strange???

After going through MS Defender "History" box I've found numerous insertions that I didn't "ALLOW", and I don't know whether they are updates from servers or malicious insertions.

I have installed on my computer:
MS Defender
PC Security Shield Vi Robot (Antivirus)
PC Security Shield Firewall
PC Security Shield Registry Cleaner.

I have tried to get answers from PC Security Shield tech support to confirm if any of these challenges by MS Defender are their updates for all the programmes, and have found a brick wall, and have been fobbed off. And Hauri, who is the updating server for the virus and firewall programme, redirects me back to PC Security Shield.

I believe that the only way to rid my computer of all these annoying problems, and possibly malicious insertions that have got past MS Defender, is to clean down the computer completely.

Can anyone give me a simple step-by-step procedure for taking such an extreme action?

I have the recovery disk supplied by Acer for Windows XP.

Does anyone have any knowledge of the programmes listed above, whether they are of high quality, or what would be better quality programmes?

Regards
George

Download HiJackThis from here.

Make a new folder called HJT in the C: directory (C:\HJT). Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a Notepad file with the log. Copy and paste the contents of the Notepad file in your next reply.

HI Kyle,

I downloaded HJT, and I followed your instructions, and I noted the Notepad file, which contains what appears to be the full system files. Being a concerned person, posting this for all to read on the net makes me wary and concerned.

Could you please let me know a bit more about this.

Regards
George

All it tells us is what processes are running on your computer (some might be malicious)

What your IE settings are (to see if you have a homepage hijacker)

What your browser helper objects are (could be malware)

What toolbars you have (some are not good)

What processes run at startup (helpful so when we delete malware it won't say it's being used by another process)

What you see when you right click in IE (shows us if you're infected)

What extra buttons you have in your toolbar (could be malicious)

What your trusted zones in IE are (so we can make sure malware didn't add any sites that could harm your computer)

What downloaded programs are actively running on your computer (most victims have malicious downloaded programs)

Lets us know what DLLs will be loaded when user32.dll is loaded (used often by malware to start up early)

What your running services are (shows us if you have malicious services such as NewDotNet)

The system files it shows us is information that we already know and that most people have running on their computer. By system files I believe you're referring to files such as svchost.exe, lsass.exe, snmp.exe, winlogon.exe, spoolsv.exe, smss.exe, and many others. I assure you that by posting your HJT log here you are in no way putting yourself in any danger.
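An added example, not from this thread and not part of HijackThis itself: a small Python parser for the log line formats Kyle describes above (R0, O2/O3, O4, O16, O17, O20, O23), followed by a triage pass that applies the same sanity checks the thread discusses (empty R0 values, Run entries without a full path, ActiveX downloads from non-Microsoft hosts, the O17 DNS suffix, services with an unknown owner). The sample log is constructed for this example from the line shapes seen in the thread, and the function names and the `check`/`info` severities are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in the shape of a HijackThis v1.99 log: a few lines of each
# section type, not a real machine's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/wuweb_site.cab
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/online_up/vrupdate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")            # every section line starts "Xn - "
O4_RUN_RE = re.compile(r"^(.*?): \[(.*?)\] ?(.*)$")          # O4 - HKLM\..\Run: [Name] command
O4_STARTUP_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")
O16_RE = re.compile(r"^DPF: (\{[^}]+\}) \((.*?)\) - (.*)$")  # O16 - DPF: {CLSID} (Name) - url
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    kind: str        # section code: R0, O2, O4, O16, O17, O23, ...
    name: str        # display name, registry value name or [Run] label
    target: str      # file path, command line, URL or registry data
    extra: str = ""  # CLSID (O2/O3/O16), owner (O23) or registry key (R0/O4/O17)


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; lines outside the Rx/Ox sections give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind.startswith("R"):                         # HKLM\...\Main,Start Page = value
        key, _, value = body.partition(" =")
        hive_path, _, value_name = key.rpartition(",")
        return Entry(kind, value_name, value.strip(), hive_path)
    if kind in ("O2", "O3", "O20", "O23"):           # Label: Name - CLSID/owner - path
        parts = body.partition(": ")[2].rsplit(" - ", 2)
        return Entry(kind, parts[0], parts[-1], parts[1] if len(parts) == 3 else "")
    if kind == "O4":
        m4 = O4_STARTUP_RE.match(body)
        if m4:
            return Entry(kind, m4.group(1), m4.group(2), "Global Startup")
        m4 = O4_RUN_RE.match(body)
        if m4:
            return Entry(kind, m4.group(2), m4.group(3), m4.group(1))
    if kind == "O16":
        m16 = O16_RE.match(body)
        if m16:
            return Entry(kind, m16.group(2), m16.group(3), m16.group(1))
    if kind == "O17":                                # HKLM\...\Parameters: SearchList = domain
        key, _, rest = body.partition(": ")
        value_name, _, value = rest.partition(" = ")
        return Entry(kind, value_name, value, key)
    return Entry(kind, "", body)                     # any other section: keep the raw body


def executable_of(command: str) -> str:
    """Program part of a Run-key command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """The sanity checks discussed in the thread, as (severity, message) pairs.
    'check' means a human should verify the file or vendor; 'info' is context to confirm."""
    findings = []
    for e in entries:
        if e.kind.startswith("R") and e.target == "":
            findings.append(("info", f"{e.kind} {e.name} is empty: cleared on purpose, or by a hijacker?"))
        elif e.kind == "O4" and e.extra != "Global Startup":
            exe = executable_of(e.target)
            if not DRIVE_RE.match(exe):
                findings.append(("check", f"O4 [{e.name}] runs '{exe}' with no full path; confirm which file is found first"))
        elif e.kind == "O4" and e.target == "?":
            findings.append(("check", f"O4 shortcut '{e.name}' points at a target HJT could not resolve"))
        elif e.kind == "O16":
            host = urlsplit(e.target).hostname or ""
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                findings.append(("check", f"O16 '{e.name}' is an ActiveX download from {host}; confirm the vendor is yours"))
        elif e.kind == "O17":
            findings.append(("info", f"O17 {e.name} = {e.target}; confirm this is your ISP's domain"))
        elif e.kind == "O23" and e.extra == "Unknown owner":
            findings.append(("check", f"O23 service '{e.name}' ({e.target}) has no publisher; verify the file"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

The triage only flags items for a person to verify; a flag is not a verdict, and, as the exchange about qld.bigpond.net.au and the VrUpdate control shows, the owner knowing which ISP or vendor a line belongs to is usually what settles it.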

Roger that, copy follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:23 AM, on 14/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRAM FILES\VIROBOTXP\VRMONNT.EXE
C:\PROGRAM FILES\VIROBOTXP\VRRES.EXE
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\GEORGE~1.OEM\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ninemsn Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB002" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [MyRegistryCleaner] C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093322491312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125710115078
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/online_up/vrupdate.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

Run HJT and Check the following.
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab
If you removed the sites in front of the following items on purpose, don't check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.

Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.

Please download and install ewido anti-spyware tool

  • Close all other Applications Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait Ewido will open main screen automatically.
  • Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
  • This is very important to get updates
  • When updating has finished. Close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be selected
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan select scan every file
  • Click On scan Tab
  • Click on Complete system scan
  • Let the program scan the machine. It can take a while, give it time.
  • When scan has finished At bottom of screen click Apply all Actions
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop
  • Click Save
  • Exit ewido

Reboot back to normal mode

Post the Ewido log along with a new HJT log.
Still having problems?

Number 7 14 July 2006 Outgoing

Hi Kyle,

Thanks for your time and patience.

As I said in my first posting, I am new to the game, so I will ask some questions first before I proceed, just to set my mind right. I hope this is okay with you. I’m 69 years of age, and understand things very well, but always like to set my mind at ease. It’s my old Army training from the communications field.

Run HJT and Check the following.
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/...p/vrupdate.cab

(1) Okay, I can run HJT again.

But, before I do so, I’m not too sure what you mean when you said to “CHECK THE FOLLOWING”? Is that “TICKING” a box, or “HIGHLIGHTING” Item O16, or does it also include Item O16, and the 3 x R0 and O4 Items below?

I’m in doubt of what you are advising, because Item 16, VrUpdate Control, I believe to be part of the automatic update for my Virus programme, as Global Hauri is my programme server.

If you removed the sites in front of the following items on purpose, don't check them.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
The following is a resource hog and is optional to check, it is unneeded.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.

(2) I don’t quite understand what you are saying here, “If you removed the sites in front of the following items on purpose, don’t check them”?

Do you know what the following is?
qld.bigpond.net.au
Be sure to tell me if you know what is in your next post.

(3) Item 017 – qld.Bigpond.net.au is my server. Qld is short for Queensland. I live in Australia.


Thank you for your help.

Kind Regards
George

Yes, by checking the following I meant to tick the box that's right behind them.

You don't have to fix the O16 line, but it's been known to cause some trouble. I'm not going to force you to do anything, so it's up to you.

For the ones that started with R0, I wasn't sure if, when you were copying and pasting the log, you removed any websites that were there for privacy.

OK, and as for the O17, I was just making sure you knew the server you were using.

Make sure to do the Ewido scan and post the log here along with a new HJT log.

Let me know if you're still having problems after you complete the Ewido scan.

BTW, it's no problem answering your questions.

Hi Kyle,

Thanks for your reply.

I have just gone to the Ewido site.

I checked their "compatibility list" and my Antivirus, Firewall (PC Security Shield Pro 2006), and Antispyware (MS Defender) are not listed. So, I sent them an email just to check the compatibility. Does that sound okay to you?

On your previous email you said to "download and install ewido anti-spyware tool", and then said to "close all other Applications".

By "all other applications", you would mean the Antivirus, Firewall, Spyware, and all other incidental programmes that appear on the "taskbar", bottom-right of screen, near the "clock".

I notice that the Ewido programme is free for a 30 day trial. Do you use this programme yourself, and any other programmes in tandem with it?

Do you think I need to wait for a reply back from them on whether my programmes are compatible? I guess they would be, but they were not listed on their list.

Sorry if I am being cautious, but I just want to get all things right before I start playing around with things that I am not fully conversant with.

Thanks for your time.

Regards
George
Australia

By all other applications it means any open windows and any firewalls you have running. Just re-enable the firewalls after the ewido installation is complete.

Yes, I use Ewido myself and it is a great spyware scanning program. It finds a lot more than other scanners.

As for the compatibility, that is for other Anti-Virus programs and Firewalls. Since Ewido is not an AV program but a Malware Scanner and has no firewall, it should be safe to run with your other AV programs. You can always uninstall it after we fix the problems with your computer.

Feel free to post those logs anytime.

Hi Kyle,

Thanks for that info, it's just that I have this warning pasted on my "Reminder List”:

"uninstall any antivirus software you are currently using before installing a new product; having two different programs might cause problems on your computer".

I’ve printed off the other information you suggested.

Therefore, I’ll close down all icons that I have on my taskbar.

It’s just that I was thinking that if I closed down the antivirus, firewall, and spyware to download the Ewido programme, wouldn’t my connection be vulnerable?

It’s my old Army security mind ticking over, I spent a long time in the communications field.

Regards
George

Not if you are only downloading Ewido while your firewall and AV programs are down. In other words, don't go to any other sites besides this one and the Ewido sites while your firewall and AV program are disabled. As soon as Ewido is finished downloading, turn them back on and you should be fine.

Roger that, I'll try to see what I can do tonight. What country are you located?

Regards
George

United States of America, in the Central time zone.

Hi Kyle,

Yep, central time, that means it’s 8:30am, Monday, our time and it will be about 3:30pm, Sunday your time.

I've been preparing my computer and myself to do this test. I haven’t downloaded the Ewido programme at the moment. I have copied all those notes on SAFE MODE and HIJACK THIS and have been studying them, plus your instructions. I sent a query on the compatibility list to Ewido. But, you said that it should be okay.

Are you able to answer another question? A strange incident comes up a lot. When I open up each morning I go to CONTROL PANEL, INTERNET OPTIONS, and delete all temp files and cookies. But, when I do, a small “FLASHLIGHT” icon comes up and sweeps the screen, and then disappears.

In the preparation of playing around with SAFE MODE, and wanting to clean down the computer, I’ve been copying all my files onto two CDs, deleting those files of MY DOCUS. Now, when I copy the files to my second CD, this “FLASHLIGHT” icon comes up again, but it’s labelled “AUTOPLAY – YAHOO CENSOR”.

Now this is strange, because I have no idea where this came from. I’ve been working on a YAHOO site. Have they hacked into my computer? Any idea what this “FLASHLIGHT” is?

I checked GOOGLE and from what I see about YAHOO, it appears that they are intercepting traffic going in and out. Is this correct?

Take care.
Regards
George

I highly doubt that a company like Yahoo would even dare to try and hack into people's computers because of the legal issues that would arise.
However, I am curious what this icon looks like and when it pops up.
If you could get a screen shot of it, that would be great. To get a screen shot, press Ctrl + Prt Scrn at the same time, then go to an image editing program like Paint and go to Edit > Paste. Then save it, upload it and post the link to the uploaded picture here.

Also, there is a very common icon that does that when you open My Computer. It is a flashlight that points one way, then turns and points the other way, and is a normal icon.

Is this the icon possibly?

Number 17 17th July 2006 Outgoing

Hi Kyle,

Now is Kyle your name?

I’ll try to print the screen, but it happens so quickly, that my trigger finger is so slow.

Well Kyle, I can go along with what you said, but, could you tell me why YAHOO has an intercept programme on cyberspace? This programme is called “Home Security” and it intercepts anything that has certain words in the text of the mail, such as conspiracy sorts of things. I punched in YAHOO Censor on GOOGLE and I was amazed at some of the postings that I eventually found through other links.

Yep, the same “flashlight” that you speak about, which I am wondering is an “AUTOPLAY” icon. But on my CDs the words “YAHOO CENSOR” appears, which to me, means that my computer and records have been “MARKED” by something else, by some other means.

All my problems began when I joined a YAHOO GROUP site. My emails from the States weren’t getting to me, and through other sources I found out that they were not receiving my mail, and their mail to me was being returned as non-delivered, claiming that my email address was invalid. I did complain to Yahoo, and my mail is now getting through.

Anyway, I’ll try to get a “Print Screen” of what comes up on my CDs.

Thanks for your time and patience.

Regards
George

Hi Kyle,

I was able to copy the AUTOPLAY - YAHOO CENSORING. Now I have clicked the "icon" above near the smiley face, but I don't know if I uploaded it okay.

I'll send this then check the reply to see if it worked.

Regards
George

Hi Kyle,

I checked the reply and the attachment was posted as a THUMBNAIL, but when I opened it the printing on the attachment wasn't clear. So if your download is the same, then the words below the flashlight are YAHOO CENSORING.

regards
George

After doing some research, I found that Yahoo has idiotically tried to censor everything that involves them. They went so far as to star out Dick Cheney's first name. I believe that the email you weren't receiving has something to do with that. Also, some Yahoo groups have even been deleted without reason given to the members.

As for the CD issue, The program looks harmless enough and I can't find any evidence to the contrary, so if the file writing process still finishes then I would say not to worry about it.

Also, I suggest you run Ewido soon, so I can see what's going on with your computer, and don't forget to post a new HJT log after you run the Ewido program.


PS:Yes my name is Kyle.

Hi Kyle,

Sorry for any delay in answering, but I was waiting for your reply, and normally it's forwarded onto my Hotmail server as an email. This one I didn't receive.

On going to site, I found your reply, re Yahoo.

Sorry for the delay, but I'll try and do it later on today when the computer is quiet. My wife plays Scrabble with a number of people around the Globe.

Yes, I was having a lot of problems with Yahoo, but I believe that this Yahoo Homeland Security Programme does go a bit deeper than that. I won't go down that track.

Thanks again, will be in touch tonight.

Regards
George

Hi Kyle,

I finally raised up the courage to have a go at it. Ewido found 5 objects. Can you tell me if this programme has also Antivirus and Firewall?

I hope it all looks good. I followed your instructions to the Tee of the 14th July.

Thanks again Kyle.

Regards
George
************************************************
The HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:41 PM, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearchFilter.exe
C:\DOCUME~1\GEORGE~1.OEM\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ninemsn Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB002" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [MyRegistryCleaner] C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-au\bin\WindowsSearch.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?99e7170269b746369ab1976b111b516f
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093322491312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125710115078
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.globalhauri.com/Eng/online_up/vrupdate.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

****************************************
Ewido log follows:

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:27:06 PM 23/07/2006
+ Scan result:

C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\Documents and Settings\George.OEM-VSW4ECXI8FT\Cookies\george@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\George.OEM-VSW4ECXI8FT\Local Settings\Temp\Cookies\george@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\George.OEM-VSW4ECXI8FT\Cookies\george@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\George.OEM-VSW4ECXI8FT\Cookies\george@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).

::Report end

Unfortunately Ewido is neither an AV program nor a firewall. It has similar features, such as live scanning, which scans processes that start up and alerts you if they are bad. When you scan with it, it might find some viruses, but that is not its main purpose.

Also I see a harmful folder on your computer.

First go to Control Panel>>Add or Remove Programs then look for one of the following entries and remove it.
Mywebsearch, Myway, Myway Websearch bar, or something similar.

If it's not there, use My Computer to delete the following folder.
C:\Program Files\MyWebSearch\


The log was clean and now mywebsearch is gone so your computer looks fine.

HI Kyle,

I found MY SEARCH file in the "Program FILES", and it has been deleted.

I've also REMOVED MS Defender.

After doing a bit more research, I've now got a little bit more knowledge. Still confusing to me at the moment, and still very wary when you have to rely on these programmes to do their job.

I've had one problem with Ewido: the Shield has turned itself "OFF" to inactive a couple of times. The red icon goes GREY, and I have to manually turn it back on again. Any idea what could be causing this to happen?

I do appreciate your help and advice.

Thanks again.
Regards
George

It may be a conflict with your firewall so I suggest just turning ewido's live protection off and using your original firewall.

I'm assuming that you're not having any more problems with your computer. If that is the case then you can mark this thread as solved.

Hi Kyle,

Thanks again. It all appears to be running reasonably well.

I'll wait and see what happens, because after I deleted that other programme, things seemed to have improved.

I don't quite understand "turning ewido's live protection off", because I assumed that "The Resident Shield" is the "live protector"?

"The Resident Shield" is what I am talking about. The Resident Shield is being turned off, from "active" to "inactive". Isn't that the main workings of the programme?

I'm still learning!!!!

Regards
George

I'm pretty sure that the resident shield is conflicting with your firewall, so I would just leave the resident shield off and use your regular firewall.

Hi Kyle,

Thanks for that information. I'm keen to learn, but always wary of things that I do that I am not sure of. Actually, it seems to be working okay, and I did a "memory scan" this morning, which was short and sweet. How often should I do a complete scan, once a week, or daily?

Also, last night I had a strange incident on the computer. It was about 10:20PM, when I noticed that my computer was humming and it seemed to be going through a computer check. The drive was humming away like anything, and the light was "full on", which indicates that something was going on in the computer.

It was like when you run an automatic scan, but I have uninstalled MS Defender, and there is no other security programme running on an "AUTOMATIC" function, except for "automatic updates". Normally, when there is an automatic update coming in, a balloon appears for Microsoft, but I don't know about the Antivirus and Firewall.

I guess that's what it might be. Is there any way that you are able to check the computer when it's doing this to see what is happening?

I'm sorry to be a nuisance to you. But, I do appreciate your help.

Regards
George

Ewido does have an automatic update feature, and most firewalls and AV programs have them too. There is also Windows Update, so I doubt that it is anything. We can check what's going on though. Run HJT and save a log when the computer is NOT humming. Then when the computer starts humming, run HJT and save another log with a different name (so that it doesn't overwrite the other one). Now look at the running processes in both logs. Find the one that's in one log and not in the other and post the name of it here.
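
The two-log comparison suggested above, plus a pass over the numbered HJT entries like the ones posted earlier in the thread, as an added example (not code from the thread, and not a HiJackThis feature). It assumes the HJT layout shown in this thread: a "Running processes:" section that ends at a blank line, and entries of the form `O23 - Service: ...`. The two log excerpts, the "ExampleAV" paths and the "Example Poller" service are constructed samples, not files from George's machine.

```python
"""Diff the "Running processes" section of two HiJackThis logs, and list
O23 services with no company name for manual review.  Added example, not
code from the thread; the log excerpts below are constructed samples."""
import re
from typing import List, Tuple

# Constructed excerpts standing in for two HJT logs: one saved while the
# machine is idle, one saved while the drive is busy.  Paths are examples.
IDLE_LOG = """\
Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\ExampleAV\\monitor.exe

O4 - HKLM\\..\\Run: [ExampleAV] C:\\Program Files\\ExampleAV\\monitor.exe
O23 - Service: Example Poller - Unknown owner - C:\\WINDOWS\\System32\\poller.exe
O23 - Service: Example Guard (exguard) - Example Vendor Ltd - C:\\Program Files\\ExampleAV\\guard.exe
"""

BUSY_LOG = """\
Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\explorer.exe
C:\\Program Files\\ExampleAV\\monitor.exe
C:\\Program Files\\ExampleAV\\updater.exe

O4 - HKLM\\..\\Run: [ExampleAV] C:\\Program Files\\ExampleAV\\monitor.exe
O23 - Service: Example Poller - Unknown owner - C:\\WINDOWS\\System32\\poller.exe
O23 - Service: Example Guard (exguard) - Example Vendor Ltd - C:\\Program Files\\ExampleAV\\guard.exe
"""

# HJT entries look like "O4 - ..." / "O23 - ..." / "R1 - ..." / "F2 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.+)$")


def parse_running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' in order.
    The section ends at the first blank line, as in HJT's own layout."""
    procs: List[str] = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def diff_processes(baseline: str, other: str) -> Tuple[List[str], List[str]]:
    """Processes present in `other` but not `baseline`, and vice versa.
    Windows paths are case-insensitive, so compare on the lower-cased path;
    otherwise Explorer.EXE and explorer.exe would show up as a change."""
    base = {p.lower(): p for p in parse_running_processes(baseline)}
    oth = {p.lower(): p for p in parse_running_processes(other)}
    added = [oth[k] for k in oth if k not in base]
    removed = [base[k] for k in base if k not in oth]
    return added, removed


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Split the numbered HJT entries (O4, O23, ...) into (section, body)."""
    entries: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def unknown_owner_services(log_text: str) -> List[str]:
    """Paths of O23 services whose file carries no company name.  That is
    a prompt to check the path by hand, not proof of anything: the ATI
    entries in the thread's log show 'Unknown owner' too."""
    hits: List[str] = []
    for section, body in parse_entries(log_text):
        if section == "O23" and " - Unknown owner - " in body:
            hits.append(body.split(" - Unknown owner - ", 1)[1])
    return hits


if __name__ == "__main__":
    started, stopped = diff_processes(IDLE_LOG, BUSY_LOG)
    print("started while busy:", started)
    print("gone while busy:", stopped)
    print("services to verify by hand:", unknown_owner_services(BUSY_LOG))
```

Run it against two real saved logs by reading each file into a string and passing them to `diff_processes`; a process that appears only in the busy log is the one to look up. A path in the "Unknown owner" list only means the file has no company name in its version information, so check where it lives and what installed it before drawing any conclusion.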

Hi Kyle,

Thanks for that.

I'll do a HJT later on tonight. But, I guess it's most probably an automatic update from one of the programme's sites. But, you would think, like Microsoft, they would let you know that there is an update being downloaded.

It's a strange sensation when you are sitting in front of your computer, then all of a sudden it begins humming and whirring with the green light blinking and the light remaining constant, as if it's doing a scan.

I haven't had any confliction with the Ewido at all over the past two days.

Thanks again, and take care.
Regards
George
