I ran my weekly scan with the HouseCall & Kaspersky online A/V scanners, Avast A/V scan, Ewido online, and Spyware Terminator and Spyware Doctor full scans, and HouseCall is the only one that came up with this. As suggested by davidr in PMs, be a detective and investigate it in HijackThis and see if I can find it. I couldn't find it. I'm not that knowledgeable about HijackThis and was wondering, since this is a low-risk adware threat, what to do, and/or is it a false positive?
Click on pic to supersize.
I can’t read the file name and path…
Did you upload it to Jotti and/or VirusTotal?
You don’t need to read the path or file names as they are Browser Helper Objects for McAfee and Pest Patrol.
All that is required is confirming that these Browser Helper Objects were installed by you for a legitimate purpose, e.g. do you have a McAfee browser tool, like SiteAdvisor and one PestPatrol ?
If yes then no problem, but you have to confirm this.
HJT analysis will show the 02 BHO entries, detailing what these entries are for.
No, I don’t have SiteAdvisor as of yet.
I have Firefox but haven’t got the SiteAdvisor extension yet.
"HJT analysis will show the 02 BHO entries, detailing what these entries are for."
I have the HijackThis from the a-squared free website http://www.hijackfree.com/en/ and where would I find those 2 entries? Do an analysis of my laptop?
I have Opera, Firefox, Avant & polonus new browser on here,
but what extensions like SiteAdvisor? None as of yet.
So what would it be?
Could it be something like a password manager type thing on one of the browsers?
Dan - why not post the HJT log and we can all walk through it …
Hello Dan,
Can you post a HJT logfile for us to check up on? This seems to be a browser helper object adware. Did you lose memory because of it? Or did your IE browser have altered settings? Did you find questionable cookies?
We had a specific problem to-day at work, someone downloaded a nasty toolbar infested Mirc, hope yours is easier to tackle.
Damian
P.S. Keith, you must have read my mind. We do this one together, won’t we?
How can I post it? It exceeds the character limit.
Keith, I will send it to your email address.
Split it in two, say first part up to 04, then the rest.
Hi drhayden1,
After we get this cleansed, you are going to get www.scandoo.com as your search engine page. There you have the same features as SiteAdvisor. NoScript is a must on Mozilla browsers because you can ban JavaScript etc. from being executed on pages you do not trust, and allow it temporarily for pages you have been to before. I’d also advise using the Netcraft toolbar to keep you out of the phishing Bermuda. And now we wait for you to come up with your HJT log; if it does not fit in one posting, use two, whatever is convenient.
polonus
I spotted essexboy is around also, not much that can go wrong then, Dan.
Explorer And Browser Addons: Good
Name: AcroIEHlprObj Class
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
ClsID: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Unknown - may be bad
Name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
ClsID: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Unknown - may be bad
Name: URL Exec Hook
Path: shell32.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
ClsID: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
Is this them?
It could just be a false positive detection by Trend Micro- their spyware scanner always seems to pick up on a few registry entries that it thinks are spyware.
As Kaspersky, Ewido, etc. find nothing, I suspect it will turn out to be a false alarm.
In order
Adobe
Java
Active desktop
All legit
Keith and Bob, gonna send to your email addresses. It's way toooooooo long to post; it's a block long.
Hi Dan, can you check this one: http://www.spywareremove.com/remove3721.html
Found it under shellexecutehooks removal.
Remove CnsMin Manually
Note: This manual removal process is difficult and you run the risk of destroying your computer.
Remove CnsMin registry values:
Software\Microsoft\Internet Explorer\AdvancedOptions!CNS\connect2party.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\B83FC273-3522-4CC6-92EC-75CC86678DA4\connect2party.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\B83FC273-3522-4CC6-92EC-75CC86678DA4
Software\Microsoft\Internet Explorer\AdvancedOptions!CNS
Detect and Delete these CnsMin files:
cnsmin
Our Recommendation:
To avoid the unnecessary risk of damaging your computer, we highly recommend you use a good spyware cleaner/remover to track CnsMin and automatically find and remove other spyware, adware, trojans, and viruses in your PC.
But like to see the HJT logfile.
polonus
Never seen that A2 thing before. I might take a mosey through it.
Program & Tutorial - Download HiJackThis.zip HJT has now been sold to Trend Micro Inc. but the 1.99.1 version should still be available here or at one of the download sites. - HJT Information HiJackThis Tutorial
This is the proper HiJackThis that produces the logs that you will have seen in the forums, it has them categorised and will show all 02 BHO entries, etc.
Nothing in my in-box yet, Dan.
If you want to send it I’ll post it for you.
Hi drhayden1,
shell32.dll: was that in its normal place in the sys folder or somewhere else? If in another place, e.g. Program Files etc., it is fishy. Normally shell32.dll is legit, no adware, no virus, and should be on your comp.
polonus
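The location check polonus describes, applied to entries in the format Dan posted; this is an added example, not part of the original thread. The function names, the `SYSTEM_DIR` value (a default Windows install is assumed) and the third sample entry are constructed for illustration.

```python
import ntpath
import re

# Assumption: default install, so system DLLs live in C:\Windows\System32.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_DLLS = {"shell32.dll"}  # names that should only load from SYSTEM_DIR

# First two entries are copied from the log in this thread; the third is
# constructed to show what a misplaced copy would look like.
SAMPLE = r"""
Name: AcroIEHlprObj Class
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
ClsID: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Unknown - may be bad
Name: URL Exec Hook
Path: shell32.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
ClsID: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
Name: Constructed Hook
Path: C:\Program Files\Updater\shell32.dll
Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
ClsID: {00000000-0000-0000-0000-000000000000}
"""

def parse_entries(text):
    # Group Name/Path/Location/ClsID lines into one dict per entry.
    entries = []
    for line in text.splitlines():
        m = re.match(r"(Name|Path|Location|ClsID):\s*(.*)", line.strip())
        if not m:
            continue  # rating lines such as "Unknown - may be bad"
        if m.group(1) == "Name":
            entries.append({})
        if entries:
            entries[-1][m.group(1)] = m.group(2)
    return entries

def triage(entry):
    # Return (name, hook type, verdict) based on where the DLL loads from.
    directory, filename = ntpath.split(entry["Path"])
    hook = entry["Location"].rsplit("\\", 1)[-1]
    if not directory:
        verdict = "bare name: confirm on disk that it resolves to System32"
    elif filename.lower() in SYSTEM_DLLS and directory.lower() != SYSTEM_DIR:
        verdict = "suspicious: system DLL name outside System32"
    else:
        verdict = "third-party path: confirm you installed this product"
    return entry["Name"], hook, verdict

for e in parse_entries(SAMPLE):
    print(triage(e))
```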
Hey Dan - I got your a-squared HijackFree log but a Hijackthis log would be better. Here’s a link and directions
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

EDIT: Tried to post the HijackFree analysis but it's not formatted well for this. Lots of comments to research files on Google, etc.