
MSupdater.exe??

Discussion in 'Malware and Virus Removal Archive' started by Sussex138, 2003/11/25.

Thread Status:
Not open for further replies.
  1. 2003/11/27
    Lonny Jones (Inactive Alumni)
    Hi Sussex,

    Even the professionals ask before fixing things with HijackThis;
    it's always good to get second opinions.
    Please post its log; you can copy and paste it here if you'd like.
    I would first use the backups HijackThis created and put back anything you have fixed.
    Simple :)
    To do that, hit the Config button, then Backups, and restore anything you have removed, please.
    Then restart the PC.
    Scan again and post a HijackThis log.

    Happy T day
    ================
    Charles, something's up if CWShredder didn't already do that.
    Both kill the process and delete the file (but I'm not sure), will have to recheck my info.
    Lonny
     
  2. 2003/11/27
    charlesvar (Inactive Alumni)
    Hi Sussex,

    By now I'm really curious to see a log. From the get-go, this has been an odd variation on this problem.

    Lonny,

    Happy Thanksgiving to you.

    If I'm not mistaken, Sussex is a Brit?

    Regards - Charles
     
    Last edited: 2003/11/27


  4. 2003/11/27
    Sussex138 (Inactive, Thread Starter)
    Lonnie: HijackThis did not show any backups. Can I delete the file the way Charles said? I have never used Safe Mode and don't understand it, but will check it out.
     
  5. 2003/11/27
    Lonny Jones (Inactive Alumni)
    Yes, but please do post a log first; then I'll post a URL to explain exactly how to get into Safe Mode the easy way.
    We don't know yet even what operating system you use.
    Don't be apprehensive if the log includes lots of nasty web sites; they get put there sometimes against our will.

    Lonny
     
  6. 2003/11/27
    Sussex138 (Inactive, Thread Starter)
    I have a log from HijackThis and a start-up list from ?, both in Notepad, but don't know how to post them. This is where I get lost. They are both dated today.

    Since my computer runs fine (never did have any problems before or after this discovery) why can't I just delete the back-up file and call it a day?

    And again, thanks guys for your outstanding patience and support.

    BTW, I am not a Brit. I live in Sussex, Wisconsin. 70 yr. young retiree, who is dangerous with a computer.
     
  7. 2003/11/27
    Lonny Jones (Inactive Alumni)
    Because there are other things we need to check,
    to be thorough. We have to ensure a complete cleanup.
    I would hate to have caused further problems.

    Open the HijackThis log, in Notepad or WordPad, it doesn't matter,
    then go Edit > Select All, Edit again and Copy, then close that text file.
    Come here, start a reply, right click and choose Paste.

    PS: don't post that startup log, no need to. Just the aforementioned
    HijackThis log...

    I'm only 43, had to retire also.
    Lonny
     
  8. 2003/11/27
    Sussex138 (Inactive, Thread Starter)
    Logfile of HijackThis v1.97.7
    Scan saved at 8:51:44 AM, on 11/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\PROGRA~1\INTERN~2\IDMan.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jerome Cobus\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.surfbest.net/home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe "
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire45.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo.com - http://hspoker01.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo.com - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272d1be81590972a1817/netzip/RdxIE6.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.5618287037
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security1.norton.com/us/sa/common/common/bin/cabsa.cab
    O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} - http://download.microsoft.com/download/win2000platform/Utility/MPSA415/NT45XP/EN-US/mssecuredll.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12AF6D7A-522A-4B31-8DE5-629E75264FDE}: NameServer = 207.250.248.10 207.250.248.9
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12AF6D7A-522A-4B31-8DE5-629E75264FDE}: NameServer = 207.250.248.10 207.250.248.9

    Cool, looks like it worked. Thanks. Lonnie
     
  9. 2003/11/27
    Lonny Jones (Inactive Alumni)
    Hello again.
    Charles would be better at this one since it's an XP system, so wait and see what he has to say before fixing anything.
    Log looks great except for some very minor things.
    =======
    Place a check next to these items,
    close all Internet Explorers and other windows, then hit Fix:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
    ========
    Completely optional:
    START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    Reboot, restart PC.
    ==========
    I usually recommend fixing all the O16 items if there's lots & lots;
    they get put back when needed.
    Why? Because things get put there without our knowledge;
    then when you get a prompt to once again install one, it only takes seconds.
    Always check it out, search the web for info, never just trust them.
    Never tick the box to always trust.
    Then go on the toolbar: Tools > Internet Options > Content >
    Publishers (stay away from the Certificates button).
    Anyway, [Publishers], then proceed to remove all except if some exist from Microsoft.
    This is explained here better than I could:
    Dealing with Unwanted Spyware and Parasites: http://www.mvps.org/winhelp2002/unwanted.htm
    ===
    To prevent this happening again, go get the latest Sun Java VM.
    Might have to turn off your popup blocker temporarily.
    Here's how I would do it: go here and manually download
    the Sun Java VM
    http://java.com/en/download/manual.jsp
    Get the "Windows (Offline Installation)"
    (delete later after installed).
    Read the instructions first, i.e. you'll need to disable your download manager first, maybe other things as well.

    Anywho, after it's downloaded, close all open programs/windows
    and go Control Panel > Add/Remove Programs, find and uninstall the Sun Java VM,
    reboot if prompted,
    then install again. Reboot even if not prompted.

    One more thing to do at this point:
    go here to test it.
    http://java.com/en/download/help/testvm.jsp
    ======
    Finally but not least, Safe Mode and delete that darn MSupdater.exe if it's still hanging around.
    How to start the computer in Safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


    Don't forget, when you have time, to install and clean up with both Ad-Aware and SpyBot. You should stick with Ad-Aware for now.
    Let us know if you have any questions.
    Regards
    Lonny
     
    Last edited: 2003/11/27
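The checks Lonny applies above (an empty R0 value, an O16 ActiveX control pulled from a bare IP address, a toolbar whose DLL is gone, and the O17 DNS entries he leaves alone because they belong to the ISP) can be scripted. The following is an added example written for this page; it is not code from WindowsBBS, from HijackThis or from any poster in the thread. The sample log is an excerpt of the log posted in post 8, except for the final O17 line, whose GUID and 198.51.100.53 resolver are constructed to show an unexpected DNS server; the `expected_dns` list is an assumption supplied by whoever runs the script.

```python
"""Triage a HijackThis 1.9x log: parse the R/O item lines and flag the
patterns the thread's helpers looked for (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Excerpt of the log posted in the thread (HijackThis 1.97.7, Windows XP SP1).
# The final O17 line is CONSTRUCTED for this example: its GUID and the
# 198.51.100.53 resolver do not appear in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.surfbest.net/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272d1be81590972a1817/netzip/RdxIE6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12AF6D7A-522A-4B31-8DE5-629E75264FDE}: NameServer = 207.250.248.10 207.250.248.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 198.51.100.53
"""

# HijackThis item lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O2x).
ITEM_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Return (section, body) pairs for every item line; header lines are skipped."""
    items = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((m.group(1), m.group(2).strip()))
    return items


def triage(items, expected_dns=()):
    """Apply the thread's checks. Returns (severity, section, reason, detail) tuples.

    expected_dns is an ASSUMPTION supplied by the operator: the resolver
    addresses the ISP is known to hand out. Any O17 NameServer not in that
    list is reported for manual review rather than marked for fixing.
    """
    findings = []
    for section, body in items:
        if section == "R0" and body.endswith("="):
            # Registry value present but empty; HijackThis can clear it.
            findings.append(("fix", section, "empty Local Page value", body))
        elif section == "O3" and body.endswith("(no file)"):
            # Toolbar CLSID still registered but its DLL is gone from disk.
            findings.append(("fix", section, "toolbar registration with no file on disk", body))
        elif section == "O16":
            # DPF items are ActiveX controls IE downloaded; the trailing field is
            # the source URL (empty for locally installed controls such as the JRE).
            url = body.rsplit(" - ", 1)[1] if " - " in body else ""
            host = urlparse(url).hostname if url else None
            if host and IPV4_RE.match(host):
                findings.append(("fix", section, "ActiveX control fetched from a bare IP address", url))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(("review", section, "DNS server not in the expected list", " ".join(unexpected)))
    return findings


if __name__ == "__main__":
    known = ("207.250.248.10", "207.250.248.9")  # the resolvers shown in the posted log
    for severity, section, reason, detail in triage(parse_log(SAMPLE_LOG), known):
        print(f"[{severity}] {section}: {reason}\n    {detail}")
```

Run against the excerpt it reports the two items Lonny ticked (R0 and the RdxIE O16), the orphaned O3 toolbar, and the constructed O17 resolver; the JRE and Macromedia O16 entries pass because they have no URL or a proper hostname. The O17 check deliberately never says "fix": a changed resolver is worth a look, but whether it is wrong depends on knowing the ISP's addresses, which is why that list is an input rather than hard-coded.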
  10. 2003/11/27
    charlesvar (Inactive Alumni)
    Hi Sussex,

    *BTW, I am not a Brit.*

    Happy Thanksgiving! :)

    FYI: Safe Mode - boots the system up w/o any user applications running and minimal XP services.

    Use the Help & Support applet on the Control Panel and type in "safe mode"; you will get a good explanation of what it is and some of the troubleshooting circumstances it's used for.

    Your log looks OK as far as I can see, but maybe Lonny will spot a problem.

    Since you're experiencing no problems, you can take your time with this.

    Regards - Charles
     
    Last edited: 2003/11/27
  11. 2003/11/27
    Sussex138 (Inactive, Thread Starter)
    Thanks, Charles.

    For some unknown reason the icons for Help and Support on my Start menu and Control Panel do not work. And I'll be darned if I can find a way to access it.

    Will be gone the remainder of the day. You and Lonnie have a great Thanksgiving.
     
  12. 2003/11/28
    charlesvar (Inactive Alumni)
    Hello Sussex,

    I re-read the thread and you write that the exe file is on your desktop. I really think it's OK to remove it; it's simply not functional there. To make sure, copy it out to a 3.5.

    The Help & Support not working: when did this start? And what is the response of the system?

    Regards - Charles
     
    Last edited: 2003/11/28
  13. 2003/11/28
    Sussex138 (Inactive, Thread Starter)
    I deleted the exe file in safe mode.

    Don't know what you mean by "copy to 3.5".

    The start menu shortcut for Help and Support and in the Control Panel do not work. I click on them and nothing happens. Have not been able to find a way to access help and support for Windows XP Home Edition (the two tone blue screen). This occurred several months ago.
     
  14. 2003/11/28
    Newt (Inactive)
    "Copy it out to a 3.5" refers to the size of the more recent, and now mainstream, floppy disks.
     
  15. 2003/11/28
    charlesvar (Inactive Alumni)
    Hello Sussex,

    Sorry, a 3.5 is a floppy.

    helpctr.exe is in \WINDOWS\PCHEALTH\HELPCTR\Binaries

    Double clicking on the helpctr.exe (Help and Support) will bring it up. Create a shortcut to it - right click on helpctr.exe - and place on the desktop or wherever you want.

    I don't know why the link broke - if this works - not worth trying to fix.

    Regards - Charles
     
    Last edited: 2003/11/28
  16. 2003/11/28
    Sussex138 (Inactive, Thread Starter)
    Thanks, but it doesn't work there or anywhere else. It is a real mystery.
     