
"€" - What is this?

Discussion in 'Malware and Virus Removal Archive' started by virginia, 2003/06/08.

Thread Status:
Not open for further replies.
  1. 2003/06/08
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    I am using Norton Internet Security 3.0. Occasionally, I will get an alert that ... Process name is "€" ... is attempting to access the internet. Since it looks somewhat ominous to me, I have always blocked the access. Since it didn't have a name, I couldn't figure out how to search for information on it. Can anyone help me? Thanks.
     
  2. 2003/06/08
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    That is a Beetle Robert, see the claws in front of the body. Smile!

    These are characters from the High Character set. The fact that a program using these symbols is trying to execute could mean a program written in a foreign language exists on your computer.

    Do you have any other language installed on your computer, like maybe Ukrainian? Those are part of the Ukrainian alphabet.

    I have seen you on the BBS often before so surely you are running SpyBot. If not do it now.

    I suggest a thorough cleanup of the startups/bhos.

    Get these 3 programs to begin:

    HiJackThis: http://www.tomcoyote.org/hjt/

    Script Trap STRAP http://keir.net/scriptrap.html

    Spider: http://www.fsm.nl/ward/

    Then these:

    NSClean cleanups and exploit fixes
    http://www.nsclean.com/freebies.html
    http://nsclean.com/dsostop.html
    http://nsclean.com/htastop.html
    http://nsclean.com/0click.html
    http://nsclean.com/socklock.html
    http://nsclean.com/sclean.html

    When you run HiJackThis look for these characters and remove them if you see them. Then go to config-misc-generate startup list. Copy this list and paste it back so we can advise you here.

    Mike
     


  4. 2003/06/09
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Hi Mike,

    Thanks for the response. Yes, I have been on the board a while but no, I'm not running Spybot. Will do so shortly. I'm in the process of selling my house right now but will turn to all the stuff you suggested as soon as I can and then report back my results.
     
  5. 2003/06/09
    doubleu

    doubleu Inactive

    Joined:
    2002/09/19
    Messages:
    155
    Likes Received:
    0
    Before you all run off half-****ed looking for a foreign language or something even more sinister, have you ever heard of the Euro? That's the currency that's used in many European countries and whose symbol is....are you ready?....€.

    Often, if you send an email to someone whose system doesn't recognize that symbol, it appears as a square. I've never seen both a square and the Euro symbol appear in tandem, but perhaps it's possible. Chances are that when I post this, my attempt to portray the Euro symbol will show only as an empty square also.

    Might be a weapon of mass destruction set to explode your system, but it just might be something very innocent.
     
  6. 2003/06/09
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Euro or not it should not be executing and trying to sneak by the firewall, maybe on its way out to buy some warm German beer!?

    It gets out, gets drunk, comes back, vomits inside Robert's CPU! Yuck!

    Lol!

    Mike
     
  7. 2003/06/10
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I'll take a pint of whatever Flynn is drinking please, barman.
     
  8. 2003/06/12
    KenKeith

    KenKeith Inactive

    Joined:
    2002/01/09
    Messages:
    305
    Likes Received:
    0
    Brett, you are our best customer, but we are out of beano and other customers may complain.
     
  9. 2003/06/12
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Mike & All,

    I have run SpyBot but I think I may have gotten rid of too many identified items. Since then I have clicked on a couple of website hyperlinks in some posts in this board and I get a message that I am not authorized to access that site with current permissions or something like that. One of them was a link to MSN help site. So far not a big problem though. At least I haven't had the ugly creature try to access the internet lately.

    I haven't gotten into the other references you gave me yet but I'm not clear on the instruction regarding "config-misc-generate startup list". Is that the Start Up List you get from Start-Run-MSConfig, and then select the Startup Tab at the top? If so, I couldn't figure out how to copy and paste that list. Right click didn't let me copy. By the way, I have pasted in a couple of entries from Norton Internet Security.

    Sample Entries From Norton Internet Security Event Log

    Date: 6/8/2003 Time: 19:27:00
    This one time, the user has chosen to "block" communications. Details:
    Outbound TCP connection
    Remote address,service is (217.115.153.73,http)
    Process name is "€ "

    Date: 5/29/2003 Time: 9:16:12
    This one time, the user has chosen to "block" communications. Details:
    Outbound TCP connection
    Remote address,service is (us.i1.yimg.com,http)
    Process name is "€ "
     
  10. 2003/06/12
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Good! I have yet to have anyone delete too much in SpyBot. I always delete everything.

    It may have uncovered something else.

    My reference to start up list, was while in HiJackthis click config in bottom rt corner then misc tools then generate startup list log.

    While this log is on screen copy it then paste it back in a message to us.

    Your problem on access to specific sites is in 1 of three places.
    The Firewall, the hosts file or restrictions in IE.

    Don't tinker with it till we see the startup list.

    mike
     
  11. 2003/06/12
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Mike,

    Glad to hear you say it's difficult to get rid of too much in Spybot. I always get a bit queasy when I start messing around with and deleting things such as Registry items that I'm not real confident about. Anyway, here is the Startup List:

    StartupList report, 6/12/2003, 7:21:23 PM
    StartupList version: 1.52
    Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\WSLOADER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MAILWASHER\MAILWASHER.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\DOWNLOAD\HIJACKTHIS.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
    Tau Monitor = C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.6\TAUMON.EXE
    a-winpoet-service = "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe "
    NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [DSS]
    = C:\WINDOWS\\BBStore\DSS\dssagent.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll ctpnpscn.drv power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 1/6/2003, 9:12:58)

    [rename]
    NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
    SET CTCM=C:\WINDOWS
    SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
    SET MIDI=SYNTH:1 MAP:E MODE:0
    SET BLASTER=A220 I5 D1 H5 P330 E620 T6
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WIN98;C:\

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {004A5840-FF59-11d2-B50D-0090271D3FD4}
    Citi Virtual Account Numbers Browser Helper Object - C:\WINDOWS\SYSTEM\BHOCITI.DLL - {E8C0F153-B768-4e68-B14F-40F0E8531675}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Robert Bonner.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Symantec NetDetect.job
    Windows Critical Update Notification.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
    CODEBASE = http://active.macromedia.com/flash/cabs/swflash.cab

    [sys Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [Pinger Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PING.OCX
    CODEBASE = http://www.pcpitstop.com/Ping.cab

    [ScanCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\UZDETECT.OCX
    CODEBASE = http://outpost.zdnet.com/updates/resources/updates.cab

    [Yahoo! Voicemail Engine]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YUMSCOM31.DLL
    CODEBASE = http://phone.yahoo.com/plugin/yumscom.cab

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
    CODEBASE = http://www.ipix.com/viewers/ipixx.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
    CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R880/V31Controls/x86/w98/en/actsetup.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

    [MrSIDI Control]
    InProcServer32 = C:\WINDOWS\MRSIDI.OCX
    CODEBASE = http://images.myfamily.net/isfiles/downloads/MrSIDI.cab

    [ImageControl Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\MFIMGVWR.OCX
    CODEBASE = http://images.ancestry.com/asfiles/files/install/MFImgVwr.cab

    [PreQualifier Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\MOTIVEPREQUAL.DLL
    CODEBASE = http://www.verizon.net/getdsl/system_check/images/MotivePreQual.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37684.7284837963

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 6,603 bytes
    Report generated in 0.357 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  12. 2003/06/12
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Robert

    Just got home from work but saw your reply from work.

    For now, to test, disable/turn off your Firewall for long enough to see if it has any effect on the site you have problems with.

    I don't see a real problem with your startups but am going to look into a couple of things.

    Post back the results of the test with the firewall off.

    For now it is bean time!

    Mike
     
  13. 2003/06/12
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Ok Robert I didn’t notice this before.

    DSSAgent is installed with some spy/adware and some Trojans and worms. Although it was designed and used as a legit program it is misused. It could be a door into your system.

    c:\windows\\bbstore\dss\dssagent.exe

    To get rid of it d/l wormfree: http://www1.distributed.net/~bovine/wormfree.zip

    For performance you might try using msconfig and uncheck all that relate to Verizon. I think these are from your ISP (Verizon). Probably not needed.

    So we are down to knowing if everything is OK with firewall off. If it is we look into the firewall settings. If it is not caused by the firewall we look into IE restrictions and hosts file.

    Matter of fact let us look at the hosts file now, browse to the windows folder find the hosts file rt click choose openwith and open it in wordpad copy and paste it back to us.

    Mike
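
An added example, not part of the original thread and not code from HijackThis or StartupList: a small Python parser for the "Autorun entries" sections of a StartupList report like the one posted above, listing each Run value and marking the ones that deserve a second look. The sample is an excerpt of that report; the function names, the structural heuristics and the `watchlist` parameter are assumptions of this example, with `dssagent.exe` taken from Mike's reply.

```python
import re

# Excerpt of the StartupList 1.52 report posted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
a-winpoet-service = "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe "

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[DSS]
= C:\WINDOWS\\BBStore\DSS\dssagent.exe

--------------------------------------------------
"""

SEPARATOR = re.compile(r"^\s*-{10,}\s*$", re.M)            # line of dashes between sections
ENTRY = re.compile(r"^(?P<name>[^=]*?)\s*=\s*(?P<cmd>.+)$")  # "name = command", name may be empty
IMAGE = re.compile(r'[^\\/"]+\.(?:exe|dll|com|bat|scr)\b', re.I)


def parse_autoruns(report):
    """Return one dict per value found in the report's 'Autorun entries' sections."""
    entries = []
    for section in SEPARATOR.split(report):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if len(lines) < 2 or not lines[0].startswith("Autorun entries"):
            continue
        key, subkey = lines[1], None          # second line names the registry key
        for line in lines[2:]:
            if line.startswith("[") and line.endswith("]"):
                subkey = line[1:-1]           # "[DSS]" style subkey header
                continue
            m = ENTRY.match(line)
            if m:
                image = IMAGE.search(m["cmd"])
                entries.append({"key": key, "subkey": subkey, "name": m["name"],
                                "command": m["cmd"],
                                "image": image.group(0).lower() if image else None})
    return entries


def triage(entries, watchlist=frozenset()):
    """Attach review reasons to entries; these are prompts for a human, not verdicts."""
    findings = []
    for e in entries:
        reasons = []
        if e["subkey"] is not None:
            reasons.append("subkey-of-Run")       # not a plain value of the Run key
        if e["name"] == "":
            reasons.append("unnamed-value")       # value with no name
        if "\\\\" in e["command"].lstrip('"')[2:]:
            reasons.append("doubled-backslash")   # malformed path (leading UNC prefix skipped)
        if e["image"] in watchlist:
            reasons.append("watchlist")           # file name supplied by the reviewer
        if reasons:
            findings.append((e["command"], reasons))
    return findings
```

Calling `triage(parse_autoruns(SAMPLE_REPORT), {"dssagent.exe"})` returns only the `[DSS]` entry, with all four reasons attached.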
     
  14. 2003/06/13
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Mike,

    Will do the performance stuff later. Here is what I found in the Hosts file:

    August 27,2001

    127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
    127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning



    May 11, 1998

    # Copyright (c) 1998 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
     
  15. 2003/06/13
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    No problem here with hosts file!

    But what happens when Firewall is turned off, this should now pin it down.

    Mike
     
  16. 2003/06/13
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    Spybot's "Immunize" feature will block certain sites so you could open Spybot in Advanced mode and check under "Immunize". To reverse changes, from what I've gathered (I don't use Immunize myself) you click the UNDO button and "uninstall".

    This is from the Spybot help file:
    ============copy/paste===========
    Beginning from version 1.2, Spybot-S&D allows you to immunize your computer against some spyware. It currently offers three different immunities:

    Permanent Internet Explorer immunity

    Similar to JavaCools SpywareBlaster, this allows you to tweak some internal Internet Explorer settings to block the installation of known spyware (and similar threats) installers. Spybot-S&D is able to set all entries for those that are in its database to be blocked. If you want to distinguish, you should install SpywareBlaster.

    Permanently running bad download blocker for Internet Explorer

    This is a second layer of protection for IE. While the Permanent Immunity blocks installers by their ActiveX ID, this one blocks anything that should come through by different aspects.
    You can view a log of blocked installers in the Tools / Resident section.

    Recommended miscellaneous protections

    These are very small changes recommended to make your system a bit safer and more secure. Locking the hosts file will prevent most hosts hijackers (even unknown) from doing harm; locking the IE settings will prevent other users of your computer to change your preferences.
     
  17. 2003/06/13
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Hi Mike and Others,

    Here is the link I tried to access - and I just tried it again, without success, after disabling Norton Internet Security. It is from a Windows 98 Forum post: Subj: Microsoft Grants Stay of Execution Win 98.

    http://www.informationweek.com/stor...ticleID=8700301

    This is the text on the denial page:

    You are not authorized to view this page
    You might not have permission to view this directory or page using the credentials you supplied.

    --------------------------------------------------------------------------------

    If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the www.informationweek.com home page.

    You can click Search to look for information on the Internet.




    HTTP Error 403 - Forbidden
    Internet Explorer
     
  18. 2003/06/13
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
    The link is bad!

    I also get a 403 Forbidden page using Mozilla that says:

    Cannot serve URLs with ..'s in them
     
  19. 2003/06/13
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Same here dead link!

    You are OK Robert, let's get on with it! You have a house to sell!

    Mike
     
  20. 2003/06/14
    virginia Lifetime Subscription

    virginia Geek Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    Mike and all the others - Thanks so much. Looks like I'm good to go so I guess this may end this saga. However, I will continue on with the Spybot and other suggestions to try to keep my system as clean as reasonably possible. Haven't seen a recurrence of the little "beetle" that started all this.
     