• XP Startup (SP1)

    #397887

    Looks like I screwed up. Went surfing without Internet security & now I have two programmes that try to access the internet and I get a warning from Norton. In addition, as soon as I switch on, IE tries to start and I get a connection request.

    The programmes are “bundle.exe” sitting in my temp folder and “msbb.exe” sitting in a folder called DDM in my Program Files folder. Not sure what they are – can anybody advise? I have tried to delete them but I get the message that they are in use.

    So, I think my options are a selective startup to try to isolate these from starting during boot. How do I do this? Help is not much use as it simply says to select selective startup, click on the general tab – where is this?

    Another option I think is to start in safe mode and delete the files, but my comp hangs during safe mode so that doesn’t work either.

    Are my approaches OK? Can anybody assist in getting rid of these files and stopping my problem?

    Thanks

    Simon

    • #756600

      Simon,
      Go get the two free spyware cleaners below. Before you run them check for updates.
      1. Spybot Search and Destroy
      http://www.safer-networking.org/index.php?…n&page=download

      2. Ad-aware
      http://www.lavasoft.de/support/download/

      Hope these find them.

      Elaine

    • #756610

      BUNDLE.EXE: it’s a parasite. Read here. MSBB.EXE: the same thing, more at this link.

      Elaine’s suggestion is a good start. I would also make sure your virus definitions are up to date and run a full system scan pronto. You should be able to stop them from starting with the computer by going to Start – Run – MSCONFIG. Clear any entries for these two programs and reboot.

      Post back if you continue to have problems, or if you get it fixed!

    • #756628

      Additional to Elaine’s good advice, you could try getting yourself a firewall.

      My personal recommendation would be Sygate – right at the bottom of the page.

      Other alternatives are Agnitum Outpost and ZoneAlarm. All these are the free versions of the products – and are intended for private use only.

      HTH

      • #756648

        Thanks all.

        Elaine, spybot found a bunch of red it didn’t like so that did the trick.
        Mark, msconfig was what I was thinking about to do selective startup, thanks also for the link for bundle & msbb.
        HTH, you are quite right. I do have NIS installed but it wasn’t active, I blame others for disabling it…

        OK, MSBB is taken care of, bundle is now deleted from my temp directory, however it is still checked and listed in startup in msconfig – how do I delete it?

        On startup I still get an internet connection request – this time from UOTPVH.exe – Norton tells me it’s a high risk and I should block it (so I do).

        Oh, I did check for updates with adaware & Spybot.

        Thanks again for all your help – the last few hours have been quite satisfying.

        Simon

        • #756670

          Simon, if you cannot remove the program that means that it is still running. Open Task Manager by pressing CTRL+SHIFT+ESC (or however you prefer to start it) and kill the program if it is listed on the Processes tab. Do not look at applications, many do not appear there. Also kill the UOTPVH.EXE if it is running. That sounds just like a trojan, creating a random name for its executable process to mask it from antivirus software.

          Once you have killed the processes, remove them from the startup tab in MSCONFIG. Use the Search function to search your hard drives and delete any instances of those two executables. And when you get done there, I have more work for you. (grin) Run your virus scanner, run the ad removal tools that have been mentioned, and install a firewall to block these programs from accessing the Internet.

          I think if you manage to kill the processes and remove them from startup, you will be well on your way to a clean bill of health.

          • #756688

            Thanks Mark

            OK, bundle.exe is nowhere to be found on my HDD. UOTPVH.exe is in the Windows folder with a date of 23/08/01 – similar to other Windows components – I have renamed it just in case.

            I cannot remove them from the startup tab in MSCONFIG – when I uncheck them it goes into selective startup, when I recheck normal startup it rechecks the entries on the startup tab. Hitting delete does nothing nor is right click available – how do I remove them? I am administrator.

            Once I clear this I will recheck Adaware / Spybot / virus – my Norton Internet Security firewall is what caught these ######s in the first place.

            Simon

            • #756699

              I’m not sure why they would be rechecked in the configuration if they are truly removed. Do you see them running in the task list after a reboot? If not, it may be a quirk of some kind with MSCONFIG. I know Microsoft products always work right (sarcasm) but it is possible. Doubtful – but possible.

              Do you see anything else untoward in the startup group that could be adding them back in? Perhaps these evil things have a launcher of some kind that reinstates them after removal. It could be a script attached to Internet Explorer triggering them, or perhaps a service was installed to keep them alive. Check the services panel in Administration Tools, or in MSCONFIG by hiding all Microsoft services. Also, try re-running your spyware scanners. Perhaps they will truly remove them this time.

            • #756714

              Simon,
              Just one small note. I don’t know anything about these programs you have problems with (Bundle.exe etc.). If Ad-aware and Spybot worked as they are supposed to, they would have removed entries from the registry etc. The “msconfig” is a troubleshooting tool, not primarily a startup manager, as you have noticed. You can de-select items and try a selective boot etc. BUT to permanently remove an item from the startup tab, which shows items both in registry and startup folder(s), you have to go there: to registry or startup folder and remove them. Look under Place (or what it’s called in English Windows) in Startup tab in “msconfig”, it shows where it’s located. I do know about Ad-aware / Spybot, but I have not had any use for them so I do not know how they remove different kinds of spyware/trojans etc. But a removal of a registry post must somehow be included, otherwise you will find it in the collection of startup entries in “msconfig” startup tab.

              Regards,

            • #756791

              Mark, Argus,

              I have run and rerun spybot & adaware a number of times, each coming up clean. There is nothing in the startup folder to cause this. However there are (were) two registry keys that kept them in the startup tab of msconfig. Argus was right, the location (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) still had the entries present. They were called “nphagsl” and “SAHBundle”. I exported the keys for backup and deleted the entries. Next boot both were gone from msconfig.

              Just did a quick check of daughter’s machine – UOTPVH.exe is not in the Windows directory – so must have been put there by something else.

              Looks like problem solved – about to rerun spybot/adaware/NAV for final check – will advise if anything found.

              Thanks for your help

              Simon
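
Added example, not part of any post in this thread: a check over a backup export of the Run key, like the one Simon made, that lists each entry with its location and target and marks the case described above where the value outlives a deleted file. The value names are from the thread; the paths, the `ExampleAV` entry and all function names are assumptions constructed for illustration.

```python
import os
import re

# Constructed sample of an exported Run key (.reg text). Value names are the
# ones from the thread; the paths and the ExampleAV entry are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nphagsl"="C:\\WINDOWS\\UOTPVH.exe"
"SAHBundle"="\"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\bundle.exe\" /quiet"
"ExampleAV"="C:\\Program Files\\ExampleAV\\agent.exe /tray"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.I)

def unescape(text):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', text)

def parse_run_values(reg_text):
    """Yield (key, name, command) for each string value in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif key and VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()
            yield key, unescape(name), unescape(data)

def target_of(command):
    """Executable path from a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(' ', 1)[0]

def audit(reg_text, exists=os.path.exists):
    """List every entry with its location, target and reasons to look closer."""
    report = []
    for key, name, command in parse_run_values(reg_text):
        target, reasons = target_of(command), []
        if not exists(target):
            reasons.append('target missing')  # entry outlived its file
        if re.search(r'\\te?mp\\', target, re.I):
            reasons.append('runs from temp folder')
        report.append((key, name, target, reasons))
    return report
```

A real export from regedit is UTF-16, so read the file with `encoding='utf-16'` before passing it in. An entry with no reasons listed, such as a file sitting in the Windows folder, still needs checking by hand.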

            • #756829

              You might try looking at the Tools|Startup page of SpyBot – as a future reference – see attachment. The page brings together some of the details in MSConfig. It is no better, but it is perhaps simpler to manage. You might also try looking at the other pages I have highlighted. “Browser Pages” refers to the Start-Up page in Internet Explorer – which various Loungers have reported as getting hijacked by unwanted programs.

              If you are able to manage these aspects through Norton Internet Security, then all well & good. I have only a vague familiarity with NIS – and hope that the above may be of help.

            • #756934

              Simon, glad you got it worked out. Spyware is no match for a determined mind. (smile)
