[http://www.WindowsBBS.com/showthread.php?t=74408&mode=lin...]


Disappearing Files, Hijacked IE6 Browser, etc. etc - Windows BBS

The following was my original post in this forum:

Hi... My home page preference is a blank page. At least a week ago, while online, my home page suddenly jumped to msn.com. The problem is, in Internet Options, the address and the three choices are all grayed out. Therefore, I've lost control, and wonder if you folks would help me get back to "normal"? Many thanks.

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

Thanks for your quick response. I hope you’re sitting in a comfortable chair; this will take a while. What follows may be somewhat disjointed, but I tried to present what happened chronologically. Prior to coming here, I had been working with someone in a different forum. The problems I was experiencing preceded the appearance of the problem which brought me to your BBS. My original problems were that my computer was (is) taking an inordinate amount of time getting from the Welcome screen to a fully loaded desktop, beginning with an extended period of a plain blue screen, followed by the appearance of the full desktop.

However, at least one third of the icons were generic, and slowly—one or two at a time—they would appear correctly. Then there was at least one folder that loaded one file at a time, beginning with a blank screen.

It contained over 600 Mb.

Thinking that this might have been part of the problem, I transferred the files to a CD, but it didn’t help. I tried deleting files in Word, and discovered that many of them had text missing. For instance, one was a letter with the addressee and salutation intact, but the whole text was gone. In Outlook Express, sent messages wouldn’t appear in the Sent folder, so I installed Thunderbird, and sent items were saved in its Sent folder. However, incoming messages were missing a date stamp, and the next time I sent a message, the same was true in the Sent folder.

Since then, this condition has cleared up. I sent myself several test messages in OE, but some wouldn’t return.

They’d show up in Thunderbird, though. In one case I sent one to myself in OE, which appeared in Thunderbird, but not in OE until the next day.

The text was missing. (About the only thing the guy from the other forum helped me with, I’m sorry to say, was discovering why sent messages weren’t saved. It turned out that “something” had unclicked “Save Messages” in Options.) Secunia PSI opened a balloon that said one of my programs had been deleted, but I hadn’t done it. It turned up in the Recycle bin. About a week ago, I updated Trojan Hunter, but the beginning date was 2006, so “something” had deleted the contents of the Trojan vault. Recently, an AVG upgrade included a warning tab, and when I ran the program the first time, the warning tab was loaded with ActiveX entries, and marked as potentially dangerous, so I deleted them.

They kept coming back, and while searching Microsoft’s site for something else, I found out that these entries belong there, so I won’t mess with them again. I mention this, because I ran the Registry scan in CCleaner, and there were other ActiveX items, which I also deleted.

They were replaced by 22 other ActiveX entries, all of which began with “gcasdtserv.agent”.

I wasn’t sure that that was a good idea, but when I examined the backup, the entries didn’t make sense, so I didn’t merge.

I wanted to give you an example of the backup file contents, but it’s among the missing. The other forum required me to run ActiveScan, (among others) and while I was involved in the process is when my home page was “hijacked” to msn.com. When I clicked on the Scan button in ActiveScan, there was a slight pause, and then a second page appeared telling me my machine was clean.

So the program was (and is) useless. Except for Microsoft Update and Online scanning, I usually use Firefox. Twice in Firefox, I received a message that they required Java, and I couldn’t access the programs I was trying to access.

But Java IS activated.

Both programs worked OK in IE. In IE, some sites take a long time to load, and links don’t load at all. As if that weren’t enough, “something” switched my default browser from Firefox to IE.

That one I was able to “fix” myself. I wanted to delete a particular document in My Documents, and it had the “doc” extension missing.

It wouldn’t delete, nor could I rename it.

Also, it had the attributes H and S, besides A.

“Something” added the H and S. So I went to a command prompt, hoping to get rid of the 2 unnecessary attributes, but the document wasn’t listed when I used DIR.

Also, I tried DIR on one of the documents, but it didn’t work.

I got a “File not found” message instead. Sometimes, a program would freeze, and I had to hit the Reset button on my computer. Sometimes, a program wouldn’t open, but the hour glass was present. Once again, I’d have to hit the Reset button. In either case, Task Manager wouldn’t open. I don’t know if these instances still happen. Coming to the present, I followed your sequence, but when I accessed eTrust Web Scanner and tried to download the requisite files, the download window was preselected to “No”, so I couldn’t do it. In its place, I ran BitDefender, which I already have on my machine. I have to confess, though, that I never turn off my resident AV program while using an online scanner.

Despite that, on some occasions they find something my resident anti-malware programs miss. If it’s absolutely necessary to disable AVG, I’ll clench my teeth and do it. Should that be the case, please let me know if it’s OK to do so once the online scan starts, rather than beforehand. I ran both Spybot and Ad-Aware, and Ad-Aware found a piece of malware labeled “Extended engine” which I deleted. Incidentally, the “Last update” for Ad-Aware hasn’t changed since 6/9, even though I’ve updated it many times since. (I think I just found out why this is true.

Recently, after the updates take place, a window appears which looks as though it’s part of Ad-Aware, stating that there are software updates available, and inviting me to go to the download location, which I’ve always done.

However, today I decided to say No, and when the window closed, the last update was today’s date). Is there “something” else bugging my machine? That’s all I can think of. I’m sorry this is more like a short story than a post, and I hope you’ve gotten through it OK. Here’s my HJT and DSS main.txt logs: (The extra.txt log was missing.

The last time I used dss.exe, both logs were present.

When I was done working with the last fellow, he told me to delete Deckard.

I don’t understand why the fresh download doesn’t work properly.

I downloaded it again from a different site, but the result was the same.)

Deckard's System Scanner v20071014.68
Run by Norman on 2008-06-18 14:10:51
Computer is in Normal Mode.

-- HijackThis (run as Norman.exe)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:11 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\program files\siteadvisor\6253\siteadv.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\Documents and Settings\Norman\Desktop\dss.exe
C:\UTILIT~1\HJT\Norman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.bitdefender.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: usa.kaspersky.com
O15 - Trusted Zone: www.pandasecurity.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.vanguard.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707- 521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120085952027
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143236299578
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

-- End of file - 9470 bytes

-- Files created between 2008-05-18 and 2008-06-18

2008-06-16 23:47:49 0 dr-h C:\Documents and Settings\Norman\Recent
2008-06-15 22:38:28 0 d C:\my documents
2008-06-13 13:26:27 0 d C:\Program Files\SpywareBlaster
2008-06-06 21:06:10 0 d C:\Program Files\Panda Security
2008-06-04 21:23:55 0 d C:\Documents and Settings\Norman\Application Data\Malwarebytes
2008-06-04 21:23:26 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 17:48:04 0 d C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-04 17:47:52 0 d C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
2008-06-04 16:39:47 0 d C:\VundoFix Backups
2008-05-20 21:23:15 0 d C:\Documents and Settings\Norman\Application Data\Macromedia

-- Find3M Report

2008-06-15 19:24:32 0 d C:\Program Files\MICROSOFT MONEY BACKUPS
2008-06-15 15:54:25 0 d C:\Program Files\Mozilla Thunderbird
2008-06-09 17:25:56 4212 ---h C:\WINDOWS\system32\zllictbl.dat
2008-06-05 19:53:31 0 d C:\Program Files\Lavasoft
2008-06-05 19:52:11 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 21:15:13 36888 --a C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
2008-05-22 17:11:37 0 d C:\Program Files\SiteAdvisor
2008-05-20 21:23:14 0 d C:\Documents and Settings\Norman\Application Data\Adobe
2008-05-17 15:11:51 0 d C:\Documents and Settings\Norman\Application Data\Uniblue
2008-05-10 18:15:15 0 d C:\Documents and Settings\Norman\Application Data\Thunderbird
2008-04-30 17:20:39 0 d C:\Program Files\AVG

-- Registry Dump

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [04/27/2008 03:48 PM]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"HTpatch"="C:\WINDOWS\htpatch.exe" [10/30/2002 05:40 AM]
"SiteAdvisor"="c:\program files\siteadvisor\6253\siteadv.exe" [07/31/2006 11:03 AM]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [05/12/2004 05:22 PM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [06/05/2008 07:58 PM]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [06/23/2007 12:19 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [09/14/2007 02:52 AM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [09/14/2007 03:02 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/30/2008 05:20 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [09/14/2007 02:55 AM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 06:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]

C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2/5/2008 6:36:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 11:16:38 PM]
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [3/3/2007 10:38:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb

-- End of Deckard's System Scanner: finished at 2008-06-18 14:12:45

Hi catswhisker

Thanks for the detailed explanation! Let's take things a step at a time. See if this causes a normal logon for you.

Open the Zone Alarm security center and on the Overview>Preferences tab deselect 'Load ZA when windows starts'. Reboot.

Hi, noahdfear--- Thanks for the rapid return. I did as you suggested, but deselecting “Load ZA when windows starts” (and rebooting) had no effect. Since reloading ZA from ‘Programs’ took so long, I tried re-selecting “Load ZA…..” through the System Tray icon, but encountered a problem. An Ad-Watch window opened, giving me a choice of whether or not to accept what I presumed was the requisite change.

Clicking OK resulted in a hang.

I couldn’t even ‘End Task’ in Task Manager. After what seemed about 5 minutes, the Ad-Watch window disappeared on its own, and ‘Load ZA…’ was selected. [I didn’t mention it last time, but ZA Pro has been opening with only half a window (vertically), and when the rest of it appears, it takes awhile before I can select anything on the left side.] It just never stops!

It sure sounds like ZA is corrupted.

My recommendation is to make sure you have your license key (for re-installing) safely stored away, then uninstall ZA and reboot.

Let me know if there's any change.

Deleting ZA caused the blue screen between the Welcome screen and the desktop to go away.

That’s all I can tell right now, but it’s something. I’d like to reinstall ZA, so let me know if that’s OK, or should we work on something beforehand?

It would be interesting to see if the reinstall causes the blue screen to return, and whether or not ZA opens properly. FYI My resident anti-malware programs (besides ZA) are: AVG (Free) A/V, Ad-Aware Plus, Spybot, and TrojanHunter.

(Plus CCleaner) Installed programs required by the other forum: MalwareBytes’ Anti-Malware and SuperAntiSpyware. There are some others that I keep in a Utilities folder, including ATF-Cleaner (which I don’t think compares to CCleaner.) (Another annoyance showed up yesterday….McAfee SiteAdvisor stopped working in Firefox.

Although it’s enabled in IE, it’s never even appeared there.

Leave ZA out for now.

Please update us with the current state of things.

(I’m writing this on June 21, but the following refers to yesterday, except for the parenthetical reference below, which happened while writing this.) To respond to your last post, after deleting ZA, the only change in the behavior of my machine was the absence of the blue screen between ‘Welcome’ and the desktop. Now for the good stuff… I felt undressed without ZA, so I attempted to reinstall it, but it wouldn’t work. I returned to the Restore Point I had chosen just before the deletion, but there apparently wasn’t enough of the program to be useful. So I tried downloading the program again, but I was about a day late.

(Recent subscription renewal) Then I tried downloading the trial version to a Zip drive, but I couldn’t download it without installing, which I did.

Surprisingly, my license key was OK without my having to change it. (At this point, I have to interrupt because I saw a blank balloon pointing toward the system tray, and closed Word to check it out.

When I accessed Task Manager, it showed that ZA was running, but I hadn’t started it.

It was minimized on the task bar, and nothing happened when I clicked on it.

The balloon wouldn’t go away, so I rebooted.

This time I got a balloon saying that ZA firewall was turned off, and that’s what Security Center said.

When I double-clicked ZA, the half-window I told you about showed up, but froze. Rebooting, ZA appeared on startup (?), and when I checked the Firewall, it looked OK, which was confirmed in Security Center. I’m going to leave ZA minimized, and hope it’ll remain operational). Getting back to where I was before…. ZA worked perfectly after installation. All the buttons and tabs worked with no delay; I opened and closed it several times, and rebooted a couple of times. It was still OK. BUT…. I turned the machine off for about 30 seconds, and when I turned it back on, ZA went berserk again. Sometimes it would open and work OK; or it would open with delays of buttons and tabs; or it might open halfway and freeze. Besides all this, when I’d access a website and click on Home, I couldn’t access any other sites without rebooting.

When I opened IE, it wouldn’t open its Home page. Later, this seemed to go away. I’ll check it again today, and edit this if necessary. If you want me to delete ZA again, I’ll do it, but I’ll cry a lot. In the meantime, is there anything else we can try? Thanks. P.S.

I should probably not have gone against your advice. I'm editing this much later than I posted, because I thought I owed you an explanation. The reason for my discomfort was the loss of the ZA firewall.

Even if I never opened the program, at least I'd have that. However, ZA isn't the only program with slow opening and performance.

For instance, Help and Support, Acronis and AVG are slow openers, and the contents are delayed.

They're not alone, but they're the only ones I can think of right now. No doubt, ZA is the worst offender, but I thought the results I had with the download might indicate another source (or sources) of the problems. From now on, you're the boss!

Just so you know, I'm not picking on Zone Alarm, and I did not randomly pick ZA as the first thing to remove from the equation.

It is known to cause quite a number of issues, hence my reason for the recommendation.

Please, using Add/Remove programs, uninstall ZA again.

It will (should) re-enable the Windows firewall when uninstalled, so don't feel like you're totally exposed. Now, another major culprit in my experience has been SuperAntispyware, and I recommend you uninstall it as well.

Once both apps are uninstalled, restart the computer and after a bit of use, bring us up to speed on its behavior.

June 22,23 I know you weren’t picking on ZA, but since it’s the only problem program I had mentioned, it was reasonable for you to assume it might be part of the problem. My reference to the firewall in ZA was misplaced.

What I was concerned about was the loss of the popup Alerts, and I assumed they were part of the firewall.

(I have a hardware firewall). Sorry about that. I’m certain I’ve made some bad choices using the ZA Alerts, as well as with Ad-Watch’s RegShield Alerts.

I probably have stuff in the Registry that doesn’t belong there, and I’ve probably disallowed things that do.

I have to wonder now what programs ZA allows to access the Internet, and which are allowed to access computer resources. At any rate, I uninstalled both ZA and SuperAntispyware. The only noticeable difference is that the blue screen between the Welcome screen and desktop is gone again. [Speaking of the Welcome screen---some time ago I installed a program (I forget what) which apparently caused the appearance of a logon screen at startup.

I’ve never used one, and my name is the only choice showing.

I uninstalled the program, but the logon screen remained.

Is there a way I can revert to a plain Welcome screen which will segue directly to the desktop without my having to click on my name?] Not affected are the generic icons when the desktop appears.

Nor is the one-at-a-time file loading in the folder I mentioned. (Breaking news---I just opened IE and tried changing my hijacked home page to ‘about: blank’, using the address bar, but the URL changed to ‘about:%20blank’, and I got a page saying the action was cancelled.) Before IE opened, I got 3 alerts from RegShield, asking if I wanted to allow a Registry change, each one using this key: HKCU\Software\Microsoft\Main.

They all referred to Internet Explorer. It did the same thing when I closed IE.

This seems to happen almost at random when opening programs.

The last one was CCleaner.

I think I saw one set the other day with about 15 alerts! That’s enough for now. Perhaps as we progress, I’ll get down to a three sentence post.

Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close HijackThis.

Open Spybot
On the toolbar, click Mode and select Advanced then Yes to the prompt
In the left pane click Tools
Select IE tweaks
Make sure the locks for IE Start Page and Control Panel are not checked then Exit Spybot

Close all IE browser windows then re-open and see if your homepage can be changed (try http://www.google.com). Make sure you click Allow to any prompts from Regshield. Close and re-open IE a couple of times to verify it sticks (if you're able to change it).

Right click the desktop and select Properties
Select the Appearance tab, then click Effects
If the Use large icons box is selected, clear it
If the Use large icons box is not selected, select it
Click OK, then Apply
Now click Effects again and undo the last action, then OK your way out of the Properties dialog
Restart the computer and see if there's any change in the loading of your icons.

You can find instructions to allow for booting straight to your desktop, without a login screen or prompt, here.

I would like to stress the importance of typing the correct password for the account, or just pressing Enter when prompted if the password is blank.
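An added example, not part of the original thread and not code from HijackThis: the log above was posted with its line breaks lost, so this sketch re-splits such text into entries, counts them per section, and reports the O6 policy entry that the fix above targets. The function names are hypothetical, the sample is a constructed excerpt of the posted log, and the section meanings are taken from HijackThis's documentation rather than from this thread.

```python
import re
from collections import Counter

# Section codes that occur in the log posted in this thread. The meanings are
# the ones HijackThis's documentation gives; the thread does not state them.
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry (Run key or Startup folder)",
    "O6": "IE options restricted by a policy key",
    "O9": "extra IE button or Tools menu item",
    "O10": "Winsock LSP",
    "O15": "site in the Trusted Zone",
    "O16": "downloaded ActiveX object",
    "O18": "extra protocol handler",
    "O20": "AppInit_DLLs value",
    "O23": "Windows service",
}

# Constructed sample: a few entries copied from the log above, flattened and
# hard-wrapped the way the forum preview shows them.
SAMPLE_LOG = r"""C:\UTILIT~1\HJT\Norman.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - 
HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O20 - AppInit_DLLs: avgrsstx.dll -- End of file - 9470 bytes"""

# An entry starts with a section code followed by " - ", either at the start
# of the text or right after whitespace.
ENTRY_START = re.compile(r"(?:^|(?<=\s))(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
END_MARKER = "-- End of file"
RUN_ENTRY = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


def split_entries(flat_log):
    """Recover (code, body) pairs from a log whose line breaks were lost."""
    text = flat_log.split(END_MARKER)[0]
    text = " ".join(text.split())  # undo hard wraps added by the forum
    marks = list(ENTRY_START.finditer(text))
    entries = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((mark.group(1), text[mark.end():end].strip()))
    return entries


def section_counts(entries):
    """Count entries per section code."""
    return Counter(code for code, _ in entries)


def ie_options_locked(entries):
    """True when an O6 line reports an IE policy key, as in this thread."""
    return any(
        code == "O6" and "\\Policies\\Microsoft\\Internet Explorer\\" in body
        for code, body in entries
    )


def run_key_autostarts(entries):
    """Return (hive, key, value name, command) for O4 registry entries."""
    found = []
    for code, body in entries:
        match = RUN_ENTRY.match(body) if code == "O4" else None
        if match:
            found.append(match.groups())
    return found


if __name__ == "__main__":
    parsed = split_entries(SAMPLE_LOG)
    for code, count in section_counts(parsed).items():
        print(f"{code:>3}  {count}  {SECTIONS.get(code, 'unknown section')}")
    if ie_options_locked(parsed):
        print("O6 present: IE settings are restricted by a policy key")
    for hive, key, name, command in run_key_autostarts(parsed):
        print(f"autostart {hive}\\{key} [{name}] -> {command}")
```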

You’re a genius!! Following each of your instructions resulted in a positive outcome. Thanks. In no particular order, here are some questions and comments on what we’ve (?) accomplished so far. When accessing or leaving IE, there are so many RegShield alerts (I counted one with 18 alerts, and another with 20, for instance.

I wonder if it would be OK to disable the RegShield feature?) In the Advanced tab in Internet Options, I seem to recall that there was a section related to ActiveX.

If that’s true, it’s missing. I also think there is a “Lock Homepage” selection somewhere, but I don’t recall if it’s in IE or elsewhere. IE Tools/Internet Options/Temporary Files/Settings/View Objects/(“Downloaded Program Files”), containing a list of items, which were marked as Installed, Unknown, or Damaged. Is this something to be concerned about? With ZA gone, I tried running dss.exe again, but extra.txt was still missing. Ditto with ActiveScan, but the result was the same as before. The first time I tried getting to the scan page, the site froze, but when I clicked on Home and back again, it was OK. Last evening, I ran CCleaner before shutting down.

There were more files than I’m used to seeing—in the Windows Temp and Local Settings Temp folders--some of which appeared to be sites I hadn’t (knowingly) visited.

I wonder if the absence of ZA might have caused this? Assuming that—for the time being, at least—I’m not to reinstall ZA Pro, would it make any sense to try ZA’s freebie for awhile? (On the assumption that it might not contain whatever is causing my problems with the full version) [I don’t want to expand this thread, but (FYI) Firefox stopped saving cookies. I’ve unclicked cookie deletion in all the places I know of]. One of my complaints was the partial erasure of the contents of some of my Word documents. I did a random check, and can’t find any other examples. The disappearing files in TrojanHunter hasn’t been duplicated. But something caused each of these to occur. Is it likely that I still have some bad guys on my machine? (For instance, whatever’s causing the appearance of the so-called software download window in Ad-Aware. Since the update date wasn’t changing when I accepted the offer, my paranoid suspicion is that it was really erasing the latest update. The window appears even when there aren’t any updates). The logon screen activates when I bring my machine out of Standby. Oh, well, I guess I can’t have everything. There’s probably more, but that’ll do for now.

RegShield - I'm not at all familiar with it.

What are the alerts you're getting? Nothing RE: ActiveX on the Advanced tab.

Those are on the Security tab under each zone's custom properties. View Objects - remove anything Damaged or Not Installed. dss will only produce the extra.txt log on its first run, unless a custom scan is performed. ZA is ZA, whether free edition or Pro, in regards to the issues.

I wouldn't recommend re-installing it at this point.

Go again to Desktop Properties, Screen Saver tab.
Verify the On resume, password protect checkbox is cleared.
Click the Power button.
Select the Advanced tab.
Verify the Prompt for password when computer resumes from standby check box is cleared.
Click OK then OK again to exit.
Let me know if the standby issue is resolved.

Recommend you reset the amount of space allocated to store Temporary Internet Files.
Open Internet Options, then click Settings on the General tab (Temporary Internet Files section)
Reduce the allocated space to 50MB
At the top of that properties dialog, select Every visit to the page
OK out

I think the Lock Homepage setting is in the IE Tweaks section of Spybot>Tools. It's labeled Lock IE start page setting against user changes (current user)

Let me know how things are after applying the above and a bit of use.

Thanks, again, Dave… I’ll respond first to your instructions. In the ‘Properties’ Screen Saver tab, the line “On resume….” reads “On resume, display welcome screen.” It was grayed out because I don’t use a screen saver.

Perhaps the line you presented me with is true in Vista (I’m using XP Home). In the ‘Advanced’ tab, “Prompt for password….” was already cleared. The space allocated to Temporary Internet Files was 4 digits.

Your change was quite a difference. You were, of course, correct about the location of the Lock Homepage setting.

If I understand “Lock IE start page….” correctly, it wouldn’t have prevented my homepage from being hijacked anyhow, because it refers only to the ‘current user.’ Regarding RegShield, it’s a feature of Ad-Watch in Ad-Aware. Here are some of the popups I get.

The number in parentheses is the same in each series, but changes for each session: Upon opening IE: “AdWatch.1 notification in queue.” Then, [“The process iexplorer.exe (364) is trying to modify RegKeyChangeOrCreate the Registry. Path:HKCU\Software\Microsoft\Internet Explorer\Main”]…Block or Allow? Since there was only 1 notification, in this case, the next popup= “Ad-Watch---RegShield ValueChangeOrAdd.”…(Same as notification above)…Block or Allow? On closing IE: “Ad-Watch. 3 notifications in queue.” Then, “…..modify (ValueChangeOrAdd) the Registry.” (Path=same as above). The next two notifications are pretty much the same, but the last popup’s title is: “RegShield…RegistryChangeOrCreate”. There are two other programs I’ve noticed this with so far---Spybot and CCleaner.

The differences appear to be the required changes and the paths. I realize these examples are truncated, but I hope they give you an idea of what they do. It’s pretty annoying to have to deal with these popups all the time; particularly when there have been up to 20. Besides, I really don’t have the smarts to know which choice to make. View Objects: The ones marked ‘Damaged’ deleted OK, but those marked ‘Unknown’ are problematic, and apparently all ActiveX. The first one I tried to delete gave me a message saying that there wasn’t enough information for it to be completely deleted.

I clicked on the close button instead of OK, because I wanted to consult you first.

But the darned thing deleted anyway. I checked Properties for the 2 that were left, and found these:

“ActiveX Control Code Base: http://fpdownload.macromedia.com/get/flashplay(er)” “Dependency = c:\windows\download…\ERMA/INF” and the version number is v.1,0,0,25

“ActiveX Control Base: http://fpdownload02.macromedia.com/get/flashplay(er)” “Dependency = c:\windows\downl…\swflash.inf” and the version number is v.9,0,124,0

The version number of the deleted file is 0,0,0,1. I’ll certainly get the same incomplete removal message for the remaining 2, so is it OK to delete them, anyhow?

dss: Interesting info.

Technically, since I reinstalled it at your request, I ran the program for the first time.

I wonder if there’s an entry in the Registry that ‘remembered’ the program had run before, even though I had deleted it (previous forum). If you feel it’s necessary to see the extra.txt, log, would it be worthwhile to correct the Registry?

If not, is the program worth keeping? Once a month, I run 2 online scans.

One is ewido antispyware, plus an anti-virus program. I tried running BitDefender, but got a message that the update had failed.

I was given the option of running it anyway, which I declined. That makes two online anti-virus programs I can’t use; the other being ActiveScan. I ran Kaspersky instead.

That program says that it might not run properly unless I disable my anti-virus program.

This is the program I had in mind when I asked if it was necessary to do so.

I didn’t. Next-to-last observation---One of the programs that takes a long time to open, is Ad-Aware.

It takes about a minute and a half to open, or before it starts updating. Last time I ran it, it seemingly wouldn’t close, so I clicked the ‘close’ button again, and got a “The program is not responding” message, so I clicked on ‘End Task’, and it finally closed. This hasn’t happened when the program updates; only when it runs. After finishing work on my computer, I ran it a second time, and once again it wouldn’t close. But it did close after about 15 seconds.

Doesn’t sound right. (I think I’ll publish my posts as a book. I don’t seem to know how to make a short one)

Last observation---I mentioned that Firefox has stopped saving cookies. I’m not sure that it really isn’t part of my problems, because it’s not too dissimilar from the disappearing files in TrojanHunter or the deleted parts in some of My Documents. Following are two messages in Firefox/Tools/Error Console/Warnings:

Warning: Warning: Unrecognized chrome registration modifier 'contentaccessible=yes'. Source File: file:///C:/Program%20Files/AVG/AVG8/Firefox/chrome.manifest Line: 2

(The one above wasn’t present at the time I pasted the next one, but they appeared together today).

Warning: Warning: Unrecognized chrome registration modifier 'contentaccessible=yes'. Source File: file:///C:/Documents%20and%20Settings/Norman/Application%20Data/Mozilla/Firefox/Profiles/cpi4wa1g.default/extensions/%7B3d7eb24f-2740-49df-8937-200b1cc08f8a%7D/chrome.manifest Line: 6

Any connection? In general, I’d say there’s been a vast improvement in my machine’s behavior.

P.S. I notice that this post makes use of the horizontal scroll bar. Did I do something wrong?

Oftentimes a setting needs to be toggled off and on for Windows to take note of it, so let's try that with the standby issue. Go back to the Screensaver tab>Power>Advanced tab, then check the box labeled Prompt for Password and click Apply. Now uncheck the box and click Apply, then OK your way out. Let me know if it continues to activate the logon screen when coming out of standby. Let's just see what it is that IE wants to change.

First we'll take a snapshot/create a backup. Highlight and copy the following bolded command.

regedit /e "%userprofile%\desktop\main1.txt" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

Click Start>Run and paste the command in the Run dialog, then hit Enter. It should create the file main1.txt on your desktop. Open it to verify it has contents.

Now open IE and when RegShield prompts you to allow the change, allow it. Now, Click Start>Run and change main1.txt in the command you just pasted there to main2.txt, then hit Enter.

Either study the contents of both main.txt files to find the difference and act accordingly, or post both files here for review and recommendation. Windows, by default, allocates 10% of the available hard disk space for the storage of Temporary Internet Files.

Much like System Restore points, when the maximum is reached, older files will be pushed out and replaced with newer ones.

50mb is enough to load a good number of pages all at once, and low enough to cut down on the clutter. The Lock IE Start Page setting will effectively prevent your page from being hijacked.

Current user settings override Local Machine settings in this area. Any and all downloaded program files (ActiveX) can be safely deleted.

They are only required/used by an application when needed, and from within IE.

If you pull up something requiring ActiveX, you will be prompted to install it, or it will automatically be installed, or it will be blocked, depending on the settings you have applied for ActiveX content. dss can be run using a configuration switch that will allow for creating a custom scan, including the creation of a new extra.txt log.

I don't see that it's necessary at this point, so don't worry about it.

Hang onto dss for the time being.

It's not hurting anything and we may need it yet again. Resident antivirus and realtime protection programs can indeed be problematic with online scanners, and may well be behind the failure of those 2 scanners.

I wouldn't sweat it though.

Kaspersky's online scanner is as good as any. I have to admit, I haven't been too impressed with Ad-aware 2007.

I've seen quite a number of people having the same sort of behavior you have reported.

I suggest that if it continues, you uninstall it, then re-install it and see if there's any change. RE: the error message in Firefox, see if there's any help in the following links. http://chrispederick.com/blog/2008/0...developer-116/ http://www.google.com/search?num=30&...er&btnG=Search RE: Firefox not saving cookies, did you install the Torbutton add-on?

Did the behavior begin after installing some other add-on? Since you feel the machine's performance has improved, in your words, vastly, try re-installing Zone Alarm and see how it is after a day or so of use.

Quote: P.S. I notice that this post makes use of the horizontal scroll bar. Did I do something wrong?

No, it was caused by the consecutive character length of the firefox warning you posted. PS.

Let me know when you start on the book
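
The before/after export comparison described in the reply above, as an added example that is not part of the original thread: a Python sketch that parses two regedit /e exports and lists the values that were added, removed or changed, so long wrapped hex values do not have to be compared by eye. The function names are hypothetical, and the two sample exports (including the Search Page value) are constructed.

```python
import codecs, sys

def load_reg(path):
    """Read a regedit /e export: v5 files are UTF-16LE with a BOM, REGEDIT4 is ANSI."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16" if raw.startswith(codecs.BOM_UTF16_LE) else "cp1252")

def split_value(line):
    """Split '"name"=data' (or '@=data' for the default value) into (name, data)."""
    if line.startswith("@="):
        return "@", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':      # skip \" and \\ escapes in the name
        i += 2 if line[i] == "\\" else 1
    return line[1:i], line[i + 2:]

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from the text of a .reg export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                  # long hex data wraps with a trailing backslash
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith(('"', "@=")):
            name, data = split_value(line)
            current[name] = data
    return keys

def diff_reg(before, after):
    """List (kind, key, value_name, old, new) for every value that differs."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                kind = "added" if name not in old else "removed" if name not in new else "changed"
                changes.append((kind, key, name, old.get(name), new.get(name)))
    return changes

# Constructed sample exports (not taken from the machine discussed in the thread).
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Window_Placement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,\
  ff,ff,ff,ff
'''
AFTER = BEFORE.replace("about:blank", "http://www.msn.com/").replace(
    "01,00,00,00", "03,00,00,00") + '"Search Page"="http://example.invalid/search"\n'

if __name__ == "__main__":
    texts = [load_reg(p) for p in sys.argv[1:3]] if len(sys.argv) > 2 else [BEFORE, AFTER]
    for kind, key, name, old, new in diff_reg(*map(parse_reg, texts)):
        print(f"{kind:8} [{key}] {name}: {old} -> {new}")
```

Run with the two export files as arguments (main1.txt main2.txt) to compare real snapshots; with no arguments it compares the constructed samples.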

Firstly, I checked my last post, and noticed that while I referred to the process for getting rid of the logon screen coming out of standby, I neglected to say that the procedure was successful. I tried uninstalling Ad-Aware, but it didn’t completely work. I found 2 partial Ad-Aware programs in the Lavasoft folder, one called ‘Ad-Aware,’ and the other called ‘Ad-Aware 2007’. Was able to delete the one named Ad-Aware, but the other one wouldn’t delete, so I ran a program called RegSupreme, which got rid of what was left in the folder very nicely. (I thought it would just get rid of stuff in the Registry which might be causing the uninstall problem. I was pleasantly surprised at the result.) When I reinstalled Ad-Aware, it seemed to initialize faster, and for awhile I didn’t get that pesky ‘software update’ window (until today, July 5), and it appears that the initialization now lasts as long as it did before.

Whether there’s a connection, I don’t know. Serendipitously, I went through all of Ad-Watch’s features, and came across one that clears items in IE, Firefox, and Opera, on closing.

I deselected Cookies in Firefox, and my cookies are being saved again. (I don’t recall whether the previous version contained the above selections—or if it had RegShield---but if it did, I had the one set to save cookies, and the other to disable RegShield) Then I reinstalled ZoneAlarm.

Not a good idea. Same problems, but worse, after several attempts. For one thing, it wouldn’t recognize my license key. For another, the blue screen between Welcome screen and desktop was back. The last install resulted in the program appearing on startup.

I don’t know if I messed up during installation, or if the program did it on its own. (During one of my installations, RegShield hung. I hoped that that might have caused the program to not install properly, so I disabled RegShield and did another install, but it didn’t make any difference.) At any rate, the machine hung, and Task Manager couldn’t ‘end task.’ This happened each time I rebooted using the reset button. After being frustrated several times, I managed to get to the program’s uninstaller from the Start button before ZA loaded, and was able to uninstall it. (I guess I shouldn’t have used the word ‘vastly’ in describing the improvement) This is the first time I’ve had any problems with ZA upgrades.

Ditto Ad-Aware. (Actually, they’re both subscription renewals, each of which resulted in an upgrade, so that Ad-Aware 2007 is now Ad-Aware 2008) I performed your Regedit procedure, and as far as I can tell, there is no difference between the two files. If you want to see them anyhow, let me know. (It’s not just IE that RegShield targets. Apparently, anything that wants to change the Registry—whether it’s new program installs, or programs other than IE---so I would guess that most requested changes are necessary. As I said before, I wouldn’t know the difference.) View Objects in Temporary Internet Files---One ‘Unknown’ object deleted OK, but the other gave an error message labeled “Advanced INF Installer”, and said “Error unregistering the OCX C:\Windows\system32\macromed\download\Download.dll”, but it did delete. I mentioned these messages because I wasn’t sure it was a good idea to delete the files with pieces floating around somewhere.

The files are gone now, so I guess I’ll find out the hard way. I just thought there might be another way to get rid of them. Re: Firefox Error Console---Thanks for the links.

I discovered that ‘Warnings’ can be ignored; they’re apparently caused by Web sites.

So I cleared them. However, items in the ‘Errors’ and ‘Messages’ tabs should be addressed. I’m still bothered by the one-at-a-time file loading in a couple of folders in PowerDesk, which I use instead of Windows Explorer. Also, as I mentioned, ‘Help and Support’ seems to behave similarly, with the arrows appearing one at a time from top to bottom, and a delay in loading the final item. In addition, the icons in Control Panel also start out generic.

It takes over 5 seconds, but they eventually appear OK. I was hoping I could repeat the Large Icons/ Small Icons routine we used on the desktop, but there wasn’t any option to do that. Interestingly, the slow file loading, and the slow icons in Control Panel hold only if I restart the machine.

They open OK if I change folders or close the programs and reopen them. Lucky you!

That’s all I can think of right now.

P.S. When I write my book, you’ll get the first autographed copy!