Oriental Characters in Autoplay List and Elsewhere

Status
Not open for further replies.

VvWolverinevV

Hi, for a while now I have been seeing occasional oriental characters. Usually, when shutting down and all of the running processes are ending automatically, one of the "process ending" windows will come up with a title in all oriental characters.

Then today I saw this when plugging my USB drive into my PC:
[Attached image: 374052796_e6d06bb312_o.jpg]


Does anyone know what that character means, why this is happening, or how to fix it? Any help or advice is much appreciated. Thanks :)
 
Yup, that's exactly what I meant!! I usually do say scandisk but I've had some people say "do you mean error check"!!! lol

The only other thing I can think could be a possible cause is malware!!!!

Read this - https://www.techspot.com/vb/topic50981.html - then post your HJT log as an ATTACHMENT!!!!
 
Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following by placing a tick in the little box next to each (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://tritonlink.ucsd.edu/portal/site/tritonlink-preview/

F2 - REG:system.ini: Shell=

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {C58009C0-5321-11D4-99E0-204C4F4F5020} (PhotoUploader Control (www.fotki.com) - http://images.fotki.com/activex/PhotoUploader(www.fotki.com).cab

O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab

O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

Click on the fix checked button.

Close HJT.

Then reboot your system and see if there is any improvement!!!
 
So... I was reluctant to just click fix on so many entries since I'm not exactly sure why they all need to be fixed. I did, however, manage to get rid of that entry in the AutoPlay list. The problem was an orphaned registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayVideoFilesOnArrival

The value GrouperAutoPlay="" was most likely left there after uninstalling the software for grouper.com.

This seems to be, however, a temporary fix, since none of that explains why the empty AutoPlay handler came up with random oriental characters...

Or are those just random ASCII characters I wonder? Does anyone recognize them? Better yet, has anyone ever experienced this problem and can you offer any wisdom?
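
An added example, not part of any post in this thread and not HijackThis's own code: a small triage script that labels each log line with the area of the system its section code refers to and flags entries that are orphaned ("(no file)"), unnamed, fetched over plain HTTP, or logged with an empty or cut-off target. The function names `parse_line` and `triage` are hypothetical, and the sample input consists of lines copied from the posts in this thread.

```python
import re

# What each section code seen in this thread's HijackThis lines refers to.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "F2": "system.ini/win.ini autostart mapped to the registry",
    "O2": "Browser Helper Object (BHO)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "extra Internet Explorer button or menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Return a dict for one HijackThis entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    notes = []
    if "(no file)" in body:
        notes.append("orphaned: no file on disk")
    if "(no name)" in body:
        notes.append("unnamed component")
    if code == "O16" and " - http://" in body:
        notes.append("installed from a plain-HTTP URL")
    if body.endswith(("=", "\\")):
        notes.append("empty or truncated target")
    return {"code": code, "section": SECTIONS.get(code, "unknown section"),
            "clsid": clsid.group(0) if clsid else None, "notes": notes}

def triage(log_text):
    """Parse every recognisable entry in a pasted HijackThis log."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

# Sample input: six lines copied from the posts in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
F2 - REG:system.ini: Shell=
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], "|", e["section"], "|", "; ".join(e["notes"]) or "no flags")
```

An entry with no flags is not thereby known to be safe; the flags only point out lines whose registration is visibly incomplete or stale.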
 
Every single one I listed is a problem on your PC and they should all be removed!!!!
 
I have moved your thread to our security and the web forum.

You should uninstall Download Manager from Add/Remove Programs. This is because it carries adware.

The O23 matlabserver.exe entry is not bad and can be left alone.

The rest of the entries should be fixed as per rik's instructions.

Due to your suspicious problems, I strongly suggest you do the following.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh renamed HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :)


This thread is for the use of VvWolverinevV only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Okay, so yesterday, I started getting some more weird symptoms:
Whenever I did anything with Symantec Client Security or SpywareBlaster, an installation window would popup without any action from me, saying something to the effect of "installing Symantec/SpywareBlaster: gathering required data" with a progress bar (which I would immediately cancel).

I have since uninstalled everything Symantec on my PC as well as SpywareBlaster and have followed the instructions in the above thread except for one thing - I forgot to unhide hidden and OS files in Windows Explorer :eek: I hope that's not that important. (*EDIT* - It seems this should not have affected my malware removal: https://www.techspot.com/vb/topic63723.html)

Anyway, only minutes after installing AVG Free, it found one instance each of Dropper.Generic.FWV and Collected.Z in the C:\ directory.

I have attached the logs for subsequent scans which found risks.

At present, the only symptoms I am aware of are that when I try to view Windows Firewall through Windows Security Center, I receive an error message: Due to an unidentified problem, Windows cannot display Windows Firewall settings.

What do you guys think? Am I clean? If so, how do I fix that Windows Firewall settings issue?

Also, AVG Anti-Spyware and Spybot-SD Resident autorun on system start. Do you recommend keeping this setting?
 
Delete all files in AVG Antispyware quarantine.

If you don't use this programme, I suggest you uninstall it as it's not really needed.

THEWEA~2\DESKTO~1


Run HJT with no other programmes open. Click the scan button. Have HJT fix the following by placing a tick in the little box next to each (if there).

O4 - HKCU\..\Run: [DW4] "C:\PROGRA~1\THEWEA~2\DESKTO~1\DESKTO~1.exe"

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab

O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://wwss1pro.compaq.com/support/sndetect/CSND_AX.CAB

O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCXs/CtORWebClientNoMFC.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

Click on the fix checked button.

Close HJT and reboot your system.

Other than the above, your HJT log is clean.

Because you have the ZoneAlarm firewall installed, you should not try to start the Windows firewall. It's complete crap anyway. So, I wouldn't worry too much about the Windows firewall problem.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Done and done. Thanks for your help! :grinthumb

By the way, I found a fix for that Windows Firewall settings issue here, and then here. (Stuff like that bugs me until I fix it :stickout: )

Also, any thoughts on my question:
VvWolverinevV said:
Also, AVG Anti-Spyware and Spybot-SD Resident autorun on system start. Do you recommend keeping this setting?

:confused: :confused: :confused:
 
Sorry about that. No, I don't recommend having them auto run on startup. They just use system resources.

Regards Howard :)

 
I agree. I got rid of them, and startup is now noticeably quicker.

On another note, every time I run Microsoft Excel 2003, an "Installing..." window (similar to the one I described for Symantec and SpywareBlaster above) pops up. When the installation preload is complete, it asks for my installation discs which I no longer have. When I click "cancel", the installation unloads and I am allowed to use Excel.

My guess is that this has something to do with the 5GB of crap that CCleaner removed from my system. Does anyone have any experience with this issue?

*EDIT*
For a relevant discussion on the CCleaner issue, see https://www.techspot.com/vb/post367124-4.html
 
Zlob.CY Infection

10 months later, I'm not sure if I'm posting this in the right place, but recently an Ad-Aware scan came up with an instance of Zlob.CY. I followed all of the instructions in the Viruses/Spyware/Malware, preliminary removal instructions thread.

Attached are the three logs requested. Some other observations:
- SmitFraudFix fixed some hosts.
- AVG Anti-Rootkit Free found no problems.
- When running ComboFix, I denied nircmd.cfexe access to the internet many times with ZoneAlarm.

Can someone please tell me if I'm clean? :D
 
The only minor thing that shows up is this line.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Put a tick next to it and have HJT fix it.


