TechSpot

Oriental Characters in Autoplay List and Elsewhere

By VvWolverinevV
Nov 18, 2006
Topic Status:
Not open for further replies.
  1. Hi, for a while now I have been seeing occasional oriental characters - usually when shutting down and all of the running processes are ending automatically one of the "process ending" windows will come up with a title in all oriental characters.

    Then today I saw this when plugging my USB drive into my PC:
    [​IMG]

    Does anyone know what that character means, why this is happening, or how to fix it? Any help or advice is much appreciated. Thanks :)
     
  2. Rik

    Rik Banned Posts: 4,985

    It may be a good idea to error check your hard drive!!!!
     
  3. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    I assume you're talking about scandisk...
    Done with no anomalies.

    Any other ideas?
     
  4. Rik

    Rik Banned Posts: 4,985

    Yup, that's exactly what I meant!! I usually do say scandisk but I've had some people say "do you mean error check"!!! lol

    The only other thing I can think could be a possible cause is malware!!!!

    Read this - http://www.techspot.com/vb/topic50981.html - then post your HJT log as an ATTACHMENT!!!!
     
  5. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    *crosses fingers*
    not another virus
     
  6. Rik

    Rik Banned Posts: 4,985

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://tritonlink.ucsd.edu/portal/site/tritonlink-preview/

    F2 - REG:system.ini: Shell=

    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx

    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O16 - DPF: {C58009C0-5321-11D4-99E0-204C4F4F5020} (PhotoUploader Control (www.fotki.com)) - http://images.fotki.com/activex/PhotoUploader(www.fotki.com).cab

    O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab

    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

    Click on the fix checked button.

    Close HJT.

    Then reboot your system and see if there is any improvement!!!
     
  7. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    So... I was reluctant to just click fix on so many entries since I'm not exactly sure why they all need to be fixed. I did, however, manage to get rid of that entry in the AutoPlay list. The problem was an orphaned registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayVideoFilesOnArrival

    The value GrouperAutoPlay="" was most likely left there after uninstalling the software for grouper.com.

    This seems to be, however, a temporary fix, since none of that explains why the empty AutoPlay handler came up with random oriental characters...

    Or are those just random ASCII characters I wonder? Does anyone recognize them? Better yet, has anyone ever experienced this problem and can you offer any wisdom?
     
  8. Rik

    Rik Banned Posts: 4,985

    Every single one I listed is a problem on your PC and they should all be removed!!!!
     
  9. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    If you don't mind, how do you identify which items are bad?
     
  10. Rik

    Rik Banned Posts: 4,985

    With automated software and by doing many hours of research!!!!
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I have moved your thread to our security and the web forum.

    You should uninstall Download manager from add remove programmes. This is because it carries adware.

    The O23 matlabserver.exe entry is not bad and can be left alone.

    The rest of the entries should be fixed as per rik's instructions.

    Due to your suspicious problems, I strongly suggest you do the following.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh renamed HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


    This thread is for the use of VvWolverinevV only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
     
  12. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    Okay, so yesterday, I started getting some more weird symptoms:
    Whenever I did anything with Symantec Client Security or SpywareBlaster, an installation window would pop up without any action from me, saying something to the effect of "installing Symantec/SpywareBlaster: gathering required data" with a progress bar (which I would immediately cancel).

    I have since uninstalled everything Symantec on my PC as well as SpywareBlaster and have followed the instructions in the above thread except for one thing - I forgot to unhide hidden and OS files in windows explorer :eek: I hope that's not that important. (*EDIT* - It seems this should not have affected my malware removal: http://www.techspot.com/vb/topic63723.html)

    Anyway, only minutes after installing AVG Free, it found one instance each of Dropper.Generic.FWV and Collected.Z in the C:\ directory.

    I have attached the logs for subsequent scans which found risks.

    At present, the only symptoms I am aware of are that when I try to view Windows Firewall through Windows Security Center, I receive an error message: Due to an unidentified problem, Windows cannot display Windows Firewall settings.

    What do you guys think? Am I clean? If so, how do I fix that Windows Firewall settings issue?

    Also, AVG Anti-Spyware and Spybot-SD Resident autorun on system start. Do you recommend keeping this setting?
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Delete all files in AVG Antispyware quarantine.

    If you don't use this programme, I suggest you uninstall it as it's not really needed.

    THEWEA~2\DESKTO~1


    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [DW4] "C:\PROGRA~1\THEWEA~2\DESKTO~1\DESKTO~1.exe"

    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

    O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab

    O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://wwss1pro.compaq.com/support/sndetect/CSND_AX.CAB

    O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab

    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    Click on the fix checked button.

    Close HJT and reboot your system.

    Other than the above, your HJT log is clean.

    Because you have Zonealarm firewall installed, you should not try and start the Windows firewall. It's complete crap anyway. So, I wouldn't worry too much about the Windows firewall problem.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  14. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    Done and done. Thanks for your help! :grinthumb

    By the way, I found a fix for that Windows Firewall settings issue here, and then here. (Stuff like that bugs me until I fix it :stickout: )

    Also, any thoughts on my question:
    :confused: :confused: :confused:
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Sorry about that. No, I don't recommend having them auto run on startup. They just use system resources.

    Regards Howard :)

     
  16. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    I agree. I got rid of them, and startup is now noticeably quicker.

    On another note, every time I run Microsoft Excel 2003, an "Installing..." window (similar to the one I described for Symantec and SpywareBlaster above) pops up. When the installation preload is complete, it asks for my installation discs which I no longer have. When I click "cancel", the installation unloads and I am allowed to use Excel.

    My guess is that this has something to do with the 5GB of crap that CCleaner removed from my system. Does anyone have any experience with this issue?

    *EDIT*
    For a relevant discussion on the CCleaner issue, see http://www.techspot.com/vb/post367124-4.html
     
  17. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    Zlob.CY Infection

    10 months later, I'm not sure if I'm posting this in the right place, but recently an Ad-Aware scan came up with an instance of Zlob.CY. I followed all of the instructions in the Viruses/Spyware/Malware, preliminary removal instructions thread.

    Attached are the three logs requested. Some other observations:
    - SmitFraudFix fixed some hosts.
    - AVG Anti-Rootkit Free found no problems.
    - When running ComboFix, I denied nircmd.cfexe access to the internet many times with ZoneAlarm.

    Can someone please tell me if I'm clean? :D
     
  18. Rik

    Rik Banned Posts: 4,985

    The only minor thing that shows up is this line.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Put a tick next to it and have HJT fix it.



     
  19. VvWolverinevV

    VvWolverinevV TS Enthusiast Topic Starter Posts: 120

    Done. Thanks, rik :)
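
A first-pass triage of the HijackThis entry lines quoted in this thread, as an added example that is not part of any post: it parses each entry, labels its section code, and flags entries that point at nothing ("(no file)" or an empty value). The function names and flag labels are assumptions; a flag marks a leftover worth reviewing, not a malware verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: entry lines copied from the posts in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://tritonlink.ucsd.edu/portal/site/tritonlink-preview/
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
"""

SECTIONS = {  # meaning of the HJT section codes seen in this thread
    "R0": "IE start/search page", "F2": "ini-file autostart mapped to registry",
    "O2": "Browser Helper Object", "O4": "Run-key / Startup autostart",
    "O9": "IE extra button or Tools menu item", "O16": "ActiveX control (DPF)",
    "O20": "AppInit_DLLs / Winlogon Notify", "O23": "Windows service",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")

def parse_log(text):
    """Return one dict per HJT entry line; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # log header, process list, blank lines
        code, body = m.groups()
        clsid, url = CLSID.search(body), URL.search(body)
        flags = []
        if body.endswith("(no file)"):
            flags.append("no-file")      # registered component, file missing
        if body.endswith("="):
            flags.append("empty-value")  # setting present but blank
        entries.append({"code": code, "section": SECTIONS.get(code, "unknown"),
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "host": urlparse(url.group(0)).hostname if url else None,
                        "flags": flags, "body": body})
    return entries

def structural_orphans(entries):
    """Entries that reference nothing on disk or carry a blank value."""
    return [e for e in entries if e["flags"]]

if __name__ == "__main__":
    for e in structural_orphans(parse_log(SAMPLE_LOG)):
        print(e["code"], e["section"], e["flags"], e["clsid"])
```

Unflagged entries (O4, O16, O23 here) still need the manual lookup the helpers describe; the `host` and `clsid` fields are what you would search on.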
     