My security has been doing so well that this is my first major problem. I had ZA request a connection using R_server.exe. I did a Google search and saw that I should disable R_server.exe in Task Manager. I did so, and ran an avast scan which showed a VBS:Malware in the install.htm file. I sent it to the virus chest and ran a boot scan which showed I was again clean. I went in again and disabled R_server.exe in TM after restart.
Now, how do I remove R_server.exe and keep it from reinstalling itself? I found a TrendMicro page which sent me to HKEY:Local_Machine.......Run, but the line they said to delete, "updatexp=wscript.exe........vbs", was not there. The only questionable one was "(default) REG_SZ (value not set)". How do I cure my problem? I appreciate the assistance.
Ok, Artras…er, Eddy. TrendMicro House Call and Rav Anti-virus both come up clean. All service packs are to date. In Event Properties: Sign of "VBS:Malware
Disable system restore, reboot, run HJT, fix the items I list here, reboot and run HJT again. Also run the spy-/adware removers I mention on my page (click my signature).
\program files\support.com\bin\tgcmd.exe
o2 - bho: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
o4 - hklm..\run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe
The log looks ok, but I don't see the R_server.exe?
If you have disabled anything via msconfig, please enable it again, reboot, and post a new log,
so we'll see everything listed...
also update to HJT 1.98.1
Some issues:
C:\program files\support.com\bin\tgcmd.exe
This part ensures the software is installed correctly (similar to an installation wizard) as reported by Cox. Regarded as spyware by some as it has the ability to retrieve user information. Whether it does so depends upon the provider. “tgcmdprovidersbc” is for SBC Yahoo DSL. One Toshiba user reports problems with hibernate on his laptop if disabled - hence the “U” recommendation
→ “U” = User decision
tgcmd.exe http://www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/
Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.
http://www.winpatrol.com/db/freesample/tgcmd.html
TGCMD.EXE is spyware originally created by Tioga/Support.com. If you’re an @Home subscriber, this was probably installed with your Comcast @home software. If you own a Sony Vaio system, it was probably factory installed along with the Sony Support software.
This program collects data on the programs that you use and websites you browse. It is unclear if anything is being done with the data. This program and the companion file TGKILL.EXE can be safely uninstalled from the Start menu > Settings > Control Panel > Add/remove programs. Remove either “Comcast Support Software” or “Sony Vaio Support” depending upon which appears.
cfd.exe http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/
Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit.
Eddy and Whocares: R_server has been successfully deleted. Everest Home Edition showed it under Services, so I went into regedit and found it in "HKEY_LOCAL_MACHINE\SYSTEM…\services\r_services" and deleted it. It did not show up after reboot. I fixed all the files in HijackThis you suggested, Eddy.
Note: the lifescapes (O16) is for Picasa, which I no longer use.
Logfile of HijackThis v1.98.1
Scan saved at 10:42:33 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Since I have had no comment on the latest HijackThis I posted, I assume all is OK. Thank you Eddy and Whocares for your help. I learned several things in doing this removal.
Yup, everything looks ok, except for a few very small things. Fix:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) (just to clean up the registry)
And check out:
O17 - HKLM\System\CCS\Services\Tcpip..{54CD1443-E820-4F24-A7FE-9DFACF4B656A}: NameServer = 206.141.192.60 206.141.193.55
If that domain is not from your ISP or LAN, fix it.
That is all. Everything else is fine.
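The review Eddy is doing by hand above (an orphaned O2 BHO, an O4 autostart for a program flagged as adware, and an O17 NameServer that should belong to the ISP or LAN) can be expressed as a small checker. This is an added Python example, not part of the thread or of HijackThis; the sample entries are constructed from the lines quoted in this thread, and the list of trusted nameservers is assumed to be supplied by the user after confirming it with their ISP.

```python
import ntpath
import re
from ipaddress import ip_address

# Sample HijackThis entries, constructed from the lines quoted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O4 - HKLM\..\Run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{54CD1443-E820-4F24-A7FE-9DFACF4B656A}: "
    r"NameServer = 206.141.192.60 206.141.193.55",
]

# Executables called out as spyware/adware earlier in this thread (illustrative, not exhaustive).
FLAGGED_EXES = {"tgcmd.exe", "cfd.exe"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body shape: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(lines):
    """Return (code, body) pairs for HijackThis 'Onn - ...' lines; other lines are ignored."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(lines, trusted_nameservers):
    """Flag orphaned BHOs, autostarts of flagged executables and unconfirmed DNS servers.

    trusted_nameservers: resolver IPs the user has confirmed belong to their ISP or LAN.
    """
    trusted = {ip_address(ip) for ip in trusted_nameservers}
    findings = []
    for code, body in parse_entries(lines):
        if code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but its DLL is missing; harmless, clean up"))
        elif code == "O4":
            m = O4_RE.match(body)
            exe = ntpath.basename(m.group("cmd")).lower() if m else ""
            if exe in FLAGGED_EXES:
                findings.append((code, f"autostart runs {exe}, listed as spyware/adware above"))
        elif code == "O17":
            _, _, servers = body.partition("NameServer = ")
            for server in servers.split():
                if ip_address(server) not in trusted:
                    findings.append((code, f"nameserver {server} not confirmed as ISP/LAN"))
    return findings
```

Run with an empty trusted list and both O17 addresses are reported; once the user confirms them with the ISP (as happened later in this thread) and passes them in, only the O2 and O4 findings remain.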
I thought I already posted this, but apparently not. Perhaps I forgot to press the "send" button or there was another glitch. Anyway, nothing to worry about. The log is almost as clean as can be.
Oops, the O17 line you suggested deleting is for Yahoo! and IE browser (dsl). I got the line back by turning off dsl and reconnecting. Live and learn. No harm done.
O2 - BHO: (no name) - {02478D38-C359-4efb-9B51-7695ECA05670} - (no file) apparently is used by SBC to hook up to my dsl. This registry item shows up each time after Restart. If I delete it prior to hooking up to dsl, I can't log on. If I open Yahoo! I can log on to dsl OK, but get a message that says I am not logged on. I guess it is a good registry item.