Author |
Topic: Defender fails |
Anders Brundell
From: Falun, Sweden
|
Posted 24 Mar 2006 12:17 am
|
|
Windows Defender fails to remove UCMore and WhenU.saveNow and doesn't suggest any other action. What should I do? |
|
|
|
Jack Stoner
From: Kansas City, MO
|
Posted 24 Mar 2006 2:57 am
|
|
Use a different spyware program to try and remove it.
One thing to keep in mind, Defender is "Beta" software so it can (and will) have problems or may not remove everything.
But, I also find that other spyware programs are the same way - one will detect some spyware items that another will not.
I have AdAware and Pest Patrol and run scans with both of them. |
|
|
|
Anders Brundell
From: Falun, Sweden
|
Posted 27 Mar 2006 10:48 pm
|
|
Thanks for your advice! Now I've used a combination of clean-up programs and manual erasing of suspect files, but one little program remains - CTHELPER.EXE is impossible to get rid of. Anyone who knows what that program is for and how to get rid of it? "Access denied" is the only result when I try to delete it from the Windows System 32 map. [This message was edited by Anders Brundell on 27 March 2006 at 10:49 PM.] |
|
|
|
Jack Stoner
From: Kansas City, MO
|
|
|
|
Anders Brundell
From: Falun, Sweden
|
Posted 28 Mar 2006 6:27 am
|
|
Very interesting!
One of the anti spyware programs that scan the pc for free listed CThelper as a spyware and demanded a purchase to remove it.
|
|
|
|
Ole Dantoft
From: Copenhagen, Denmark
|
Posted 28 Mar 2006 8:04 am
|
|
Hej Anders (and Hi Jack !)
It's very common for SpyWare-programs to try and pretend that they are harmless utility programs by naming themselves as e.g. cthelper.exe !
I have a SoundBlaster Live! card in my PC and I have a cthelper.exe, 24 kb in size in my system32-folder, but I can rename and move it as I wish, so that tells me you could be the victim of just that !
Try to go to a command prompt, change to the system32-folder and enter :
rem clear all three flags in one command: attrib will not clear -h or -s alone while the other is still set
attrib -h -s -r cthelper.exe
That will set it as not-hidden, not-system and not-readonly - you should then be able to delete it and you can then re-install your drivers for your SoundBlaster-card (if you have one in the first place !)
Hope that helps !
And many greetings !
Ole
|
|
|
|
Ole Dantoft
From: Copenhagen, Denmark
|
Posted 28 Mar 2006 8:58 am
|
|
Anders,
On second thought this could also be because your SoundBlaster driver is configured differently than mine !
If you have some sort of SoundBlaster-like icon in your SystemTray try and Exit that one (or go to the Task Manager and do an "End Process" to it !) and THEN try to just rename the cthelper.exe in your system32-folder ! If you succeed doing that, the cthelper.exe is NOT a SpyWare-program, but a genuine part of your SoundBlaster driver-suite !
Ole |
|
|
|
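Added example, not part of any post in this thread: a read-only PowerShell check of the points raised in the two posts above (file attributes, whether a running process has the file locked, and who signed it). The function name `Get-SuspectFileReport` is made up for this illustration, and the default path is an assumption taken from the file name discussed in the thread.

```powershell
# Added example: read-only triage of a suspect file. Nothing is deleted or changed.
param(
    # Assumed default: the file discussed in the thread.
    [string]$Path = (Join-Path $env:SystemRoot 'System32\cthelper.exe')
)

function Get-SuspectFileReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $file = Get-Item -LiteralPath $Path -Force      # -Force also returns hidden/system files
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # A running image is locked by Windows, which is an ordinary reason for
    # "Access denied" on delete or rename, whether the file is genuine or not.
    $running = Get-Process | Where-Object { $_.Path -eq $file.FullName }

    [pscustomobject]@{
        Path        = $file.FullName
        Exists      = $true
        SizeBytes   = $file.Length
        Attributes  = $file.Attributes                 # the Hidden/System/ReadOnly flags attrib changes
        CompanyName = $file.VersionInfo.CompanyName    # self-declared, so only a hint
        Description = $file.VersionInfo.FileDescription
        SigStatus   = $sig.Status                      # e.g. Valid, NotSigned, HashMismatch
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = $hash.Hash
        RunningPids = @($running | ForEach-Object { $_.Id })
    }
}

Get-SuspectFileReport -Path $Path | Format-List
```

A valid signature from the sound card vendor is strong evidence the file is genuine; a missing signature is not proof of spyware by itself, so compare the size and hash against a copy from the vendor's own driver package before deleting anything.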
Anders Brundell
From: Falun, Sweden
|
Posted 28 Mar 2006 10:32 am
|
|
Hello Ole!
& thanks for all the advice! My pc has a Creative SB Audigy 2 ZS (WDM) sound card as far as I can understand - and that's not much when it comes to the data world! I don't dare to do anything at the command prompt, but I think I need to ask someone who knows this better to take a look. Right now the only strange thing I notice is that this pc seems a little slow, and it shouldn't, because it's new, big and strong - and bloody expensive! |
|
|
|
Ole Dantoft
From: Copenhagen, Denmark
|
Posted 28 Mar 2006 11:06 am
|
|
Hello again Anders,
That's fair enough of course ! I fully understand.
If your soundcard is working as it should and you can use all of its configuration utilities, you probably don't have any problems with spyware and you can disregard the message from that spyware-scanner. What scanner was it that gave you the message ?? I could try running it on my PC and see if I get that same message !
Please feel free to contact me anytime if I can be of any assistance !
Ole |
|
|
|
Jack Stoner
From: Kansas City, MO
|
Posted 28 Mar 2006 2:58 pm
|
|
The popular SpyBot, about 6 months ago had several issues of marking system files (real files not spyware that was renamed as system files) and deleting them. I fixed one customer's PC because SpyBot deleted a needed file. I've also assisted two people on the Dell user's forum with file problems related to SpyBot. I haven't seen that in later versions so I assume it's been fixed. |
|
|
|
Anders Brundell
From: Falun, Sweden
|
Posted 1 Apr 2006 3:45 am
|
|
Ole: I think I used ScanSpyware's scanner http://www.scanspyware.net/download.htm but I'm not quite sure. Anyhow I used one of the first listed sites when I had googled UCMore and WhenU.saveNow and I think it was ScanSpyware.
It listed CTHELPER.EXE, xmlparse.dll and xmltok.dll as malware and I've removed the two .dll files manually from the System 32 map without any following problems as far as I can see.
I have no other problems than a sometimes slow reacting pc, but that might as well depend on a slow line - a quarter mega, so it's actually 1/8 of a real broadband (2 mega). But sometimes the pc is slow also when I'm not surfing, but it's OK again after a restart.
I use F-Secure anti-virus, Windows Defender, Ad-Aware SE plus, Spyware blaster and Spybot, and update every day so I ought to be fairly safe, especially since I follow Wiz's advice here at the Forum too, in case I'm able to understand and implement it. However, I'm data stupid and that limits my actions severely. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 1 Apr 2006 8:50 am
|
|
Anders wrote: quote:
However, I'm data stupid and that limits my actions severely.
Anders;
The purpose of this peer-to-peer computers section of the SGF is to educate our members in matters related to computers and their safe and efficient operation. There are no stupid questions here, and usually everybody will learn something new from the experiences and answers in posts and replies. If you keep asking technical questions and remember the answers and solutions in replies, your level of data understanding is bound to increase.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
|
|
|
|
Anders Brundell
From: Falun, Sweden
|
Posted 2 Apr 2006 2:41 am
|
|
Thanks a lot, Wiz!
You do a really great job and must have the patience of two or three angels. Do you do yoga or dope or what?
|
|
|
|