
Disappearing Files, Hijacked IE6 Browser, etc. etc

Discussion in 'Malware and Virus Removal Archive' started by catswhisker, 2008/06/18.

  1. 2008/06/18
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    The following was my original post in this forum:

    Hi...

    My home page preference is a blank page.

    At least a week ago, while online, my home page suddenly jumped to msn.com.

    The problem is, in Internet Options, the address and the three choices are all grayed out.

    Therefore, I've lost control, and wonder if you folks would help me get back to "normal"?

    Many thanks.

    -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

    Thanks for your quick response.

    I hope you’re sitting in a comfortable chair; this will take a while. :)

    What follows may be somewhat disjointed, but I tried to present what happened chronologically.

    Prior to coming here, I had been working with someone in a different forum.

    The problems I was experiencing preceded the appearance of the problem which brought me to your BBS.

    My original problems were that my computer was (is) taking an inordinate amount of time getting from the Welcome screen to a fully loaded desktop, beginning with an extended period of a plain blue screen, followed by the appearance of the full desktop. However, at least one third of the icons were generic, and slowly—one or two at a time—they would appear correctly.

    Then there was at least one folder that loaded one file at a time, beginning with a blank screen. It contained over 600 Mb. Thinking that this might have been part of the problem, I transferred the files to a CD, but it didn’t help.

    I tried deleting files in Word, and discovered that many of them had text missing.

    For instance, one was a letter with the addressee and salutation intact, but the whole text was gone.

    In Outlook Express, sent messages wouldn’t appear in the Sent folder, so I installed Thunderbird, and sent items were saved in its Sent folder.

    However, incoming messages were missing a date stamp, and the next time I sent a message, the same was true in the Sent folder. Since then, this condition has cleared up.

    I sent myself several test messages in OE, but some wouldn’t return. They’d show up in Thunderbird, though.

    In one case I sent one to myself in OE, which appeared in Thunderbird, but not in OE until the next day. The text was missing.

    (About the only thing the guy from the other forum helped me with, I’m sorry to say, was discovering why sent messages weren’t saved. It turned out that "something" had unclicked "Save Messages" in Options.)

    Secunia PSI opened a balloon that said one of my programs had been deleted, but I hadn’t done it. It turned up in the Recycle bin.

    About a week ago, I updated Trojan Hunter, but the beginning date was 2006, so "something" had deleted the contents of the Trojan vault.

    Recently, an AVG upgrade included a warning tab, and when I ran the program the first time, the warning tab was loaded with ActiveX entries, and marked as potentially dangerous, so I deleted them. They kept coming back, and while searching Microsoft’s site for something else, I found out that these entries belong there, so I won’t mess with them again. :)

    I mention this, because I ran the Registry scan in CCleaner, and there were other ActiveX items, which I also deleted. They were replaced by 22 other ActiveX entries, all of which began with "gcasdtserv.agent". I wasn’t sure that that was a good idea, but when I examined the backup, the entries didn’t make sense, so I didn’t merge. I wanted to give you an example of the backup file contents, but it’s among the missing.

    The other forum required me to run ActiveScan, (among others) and while I was involved in the process is when my home page was "hijacked" to msn.com.

    When I clicked on the Scan button in ActiveScan, there was a slight pause, and then a second page appeared telling me my machine was clean. So the program was (and is) useless.

    Except for Microsoft Update and Online scanning, I usually use Firefox.

    Twice in Firefox, I received a message that they required Java, and I couldn’t access the programs I was trying to access. But Java IS activated. Both programs worked OK in IE.

    In IE, some sites take a long time to load, and links don’t load at all.

    As if that weren’t enough, "something" switched my default browser from Firefox to IE. That one I was able to "fix" myself.

    I wanted to delete a particular document in My Documents, and it had the "doc" extension missing. It wouldn’t delete, nor could I rename it. Also, it had the attributes H and S, besides A. "Something" added the H and S.

    So I went to a command prompt, hoping to get rid of the 2 unnecessary attributes, but the document wasn’t listed when I used DIR. Also, I tried DIR on one of the documents, but it didn’t work. I got a "File not found" message instead.

    Sometimes, a program would freeze, and I had to hit the Reset button on my computer.

    Sometimes, a program wouldn’t open, but the hour glass was present.

    Once again, I’d have to hit the Reset button.

    In either case, Task Manager wouldn’t open. I don’t know if these instances still happen.

    Coming to the present, I followed your sequence, but when I accessed eTrust Web Scanner and tried to download the requisite files, the download window was preselected to "No", so I couldn’t do it.

    In its place, I ran BitDefender, which I already have on my machine.

    I have to confess, though, that I never turn off my resident AV program while using an online scanner. Despite that, on some occasions they find something my resident anti-malware programs miss.

    If it’s absolutely necessary to disable AVG, I’ll clench my teeth and do it.

    Should that be the case, please let me know if it’s OK to do so once the online scan starts, rather than beforehand.

    I ran both Spybot and Ad-Aware, and Ad-Aware found a piece of malware labeled "Extended engine" which I deleted.

    Incidentally, the "Last update" for Ad-Aware hasn’t changed since 6/9, even though I’ve updated it many times since.

    (I think I just found out why this is true. Recently, after the updates take place, a window appears which looks as though it’s part of Ad-Aware, stating that there are software updates available, and inviting me to go to the download location, which I’ve always done. However, today I decided to say No, and when the window closed, the last update was today’s date).

    Is there "something" else bugging my machine?

    That’s all I can think of.

    I’m sorry this is more like a short story than a post, and I hope you’ve gotten through it OK.

    Here’s my HJT and DSS main.txt logs:

    (The extra.txt log was missing. The last time I used dss.exe, both logs were present. When I was done working with the last fellow, he told me to delete Deckard. I don’t understand why the fresh download doesn’t work properly. I downloaded it again from a different site, but the result was the same.)

    Deckard's System Scanner v20071014.68
    Run by Norman on 2008-06-18 14:10:51
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Norman.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:12:11 PM, on 6/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\program files\siteadvisor\6253\siteadv.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MagicTune Premium\GammaTray.exe
    C:\Program Files\Secunia\PSI (RC1)\psi.exe
    C:\Documents and Settings\Norman\Desktop\dss.exe
    C:\UTILIT~1\HJT\Norman.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe "
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: GammaTray.lnk = ?
    O4 - Global Startup: MagicTune 3.6.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.bitdefender.com
    O15 - Trusted Zone: http://www.ewido.net
    O15 - Trusted Zone: usa.kaspersky.com
    O15 - Trusted Zone: www.pandasecurity.com
    O15 - Trusted Zone: http://housecall.trendmicro.com
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - Trusted Zone: *.vanguard.com
    O15 - Trusted Zone: *.verizon.net
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120085952027
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143236299578
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --
    End of file - 9470 bytes

    -- Files created between 2008-05-18 and 2008-06-18 -----------------------------

    2008-06-16 23:47:49 0 dr-h----- C:\Documents and Settings\Norman\Recent
    2008-06-15 22:38:28 0 d-------- C:\my documents
    2008-06-13 13:26:27 0 d-------- C:\Program Files\SpywareBlaster
    2008-06-06 21:06:10 0 d-------- C:\Program Files\Panda Security
    2008-06-04 21:23:55 0 d-------- C:\Documents and Settings\Norman\Application Data\Malwarebytes
    2008-06-04 21:23:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-04 17:48:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-04 17:47:52 0 d-------- C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
    2008-06-04 16:39:47 0 d-------- C:\VundoFix Backups
    2008-05-20 21:23:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Macromedia


    -- Find3M Report ---------------------------------------------------------------

    2008-06-15 19:24:32 0 d-------- C:\Program Files\MICROSOFT MONEY BACKUPS
    2008-06-15 15:54:25 0 d-------- C:\Program Files\Mozilla Thunderbird
    2008-06-09 17:25:56 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-06-05 19:53:31 0 d-------- C:\Program Files\Lavasoft
    2008-06-05 19:52:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-26 21:15:13 36888 --a------ C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-22 17:11:37 0 d-------- C:\Program Files\SiteAdvisor
    2008-05-20 21:23:14 0 d-------- C:\Documents and Settings\Norman\Application Data\Adobe
    2008-05-17 15:11:51 0 d-------- C:\Documents and Settings\Norman\Application Data\Uniblue
    2008-05-10 18:15:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Thunderbird
    2008-04-30 17:20:39 0 d-------- C:\Program Files\AVG


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ADUserMon "= "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [04/27/2008 03:48 PM]
    "Logitech Utility "= "Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
    "HTpatch "= "C:\WINDOWS\htpatch.exe" [10/30/2002 05:40 AM]
    "SiteAdvisor "= "c:\program files\siteadvisor\6253\siteadv.exe" [07/31/2006 11:03 AM]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [05/12/2004 05:22 PM]
    "Ad-Watch "= "C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [06/05/2008 07:58 PM]
    "THGuard "= "C:\Program Files\TrojanHunter 4.7\THGuard.exe" [06/23/2007 12:19 AM]
    "TrueImageMonitor.exe "= "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [09/14/2007 02:52 AM]
    "AcronisTimounterMonitor "= "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [09/14/2007 03:02 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/30/2008 05:20 PM]
    "Acronis Scheduler2 Service "= "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [09/14/2007 02:55 AM]
    "NeroCheck "= "C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 06:50 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
    "ZoneAlarm Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]

    C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
    Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2/5/2008 6:36:24 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 11:16:38 PM]
    GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [3/3/2007 10:38:28 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    *Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
    *Newly Created Service* - AD-WATCH_REGISTRY_FILTER

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



    -- End of Deckard's System Scanner: finished at 2008-06-18 14:12:45 ------------



    Thanks a lot. I look forward to hearing from you.
     
  2. 2008/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi catswhisker :)

    Thanks for the detailed explanation! Let's take things a step at a time. See if this causes a normal logon for you. Open the Zone Alarm security center and on the Overview>Preferences tab deselect 'Load ZA when windows starts'. Reboot.
     


  4. 2008/06/19
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Hi, noahdfear---

    Thanks for the rapid return.

    I did as you suggested, but deselecting "Load ZA when windows starts" (and rebooting) had no effect.

    Since reloading ZA from ‘Programs’ took so long, I tried re-selecting "Load ZA….." through the System Tray icon, but encountered a problem.

    An Ad-Watch window opened, giving me a choice of whether or not to accept what I presumed was the requisite change. Clicking OK resulted in a hang. I couldn’t even ‘End Task’ in Task Manager.

    After what seemed about 5 minutes, the Ad-Watch window disappeared on its own, and ‘Load ZA…’ was selected.

    [I didn’t mention it last time, but ZA Pro has been opening with only half a window (vertically), and when the rest of it appears, it takes awhile before I can select anything on the left side.]

    It just never stops! :)
     
    Last edited: 2008/06/19
  5. 2008/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It sure sounds like ZA is corrupted. My recommendation is to make sure you have your license key (for re-installing) safely stored away, then uninstall ZA and reboot. Let me know if there's any change.
     
  6. 2008/06/20
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Deleting ZA caused the blue screen between the Welcome screen and the desktop to go away. That’s all I can tell right now, but it’s something. :)

    I’d like to reinstall ZA, so let me know if that’s OK, or should we work on something beforehand? It would be interesting to see if the reinstall causes the blue screen to return, and whether or not ZA opens properly.

    FYI My resident anti-malware programs (besides ZA) are:

    AVG (Free) A/V, Ad-Aware Plus, Spybot, and TrojanHunter. (Plus CCleaner)

    Installed programs required by the other forum:

    MalwareBytes’ Anti-Malware and SuperAntiSpyware.

    There are some others that I keep in a Utilities folder, including ATF-Cleaner (which I don’t think compares to CCleaner.)

    (Another annoyance showed up yesterday….McAfee SiteAdvisor stopped working in Firefox. Although it’s enabled in IE, it’s never even appeared there.
     
  7. 2008/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Leave ZA out for now. Please update us with the current state of things.
     
  8. 2008/06/21
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    (I’m writing this on June 21, but the following refers to yesterday, except for the parenthetical reference below, which happened while writing this.).

    To respond to your last post, after deleting ZA, the only change in the behavior of my machine, was the absence of the blue screen between ‘Welcome’ and the desktop.

    Now for the good stuff…

    I felt undressed without ZA, so I attempted to reinstall it, but it wouldn’t work.

    I returned to the Restore Point I had chosen just before the deletion, but there apparently wasn’t enough of the program to be useful.

    So I tried downloading the program again, but I was about a day late. (Recent subscription renewal)

    Then I tried downloading the trial version to a Zip drive, but I couldn’t download it without installing, which I did. Surprisingly, my license key was OK without my having to change it.

    (At this point, I have to interrupt because I saw a blank balloon pointing toward the system tray, and closed Word to check it out. When I accessed Task Manager, it showed that ZA was running, but I hadn’t started it. It was minimized on the task bar, and nothing happened when I clicked on it. The balloon wouldn’t go away, so I rebooted. This time I got a balloon saying that ZA firewall was turned off, and that’s what Security Center said. When I double-clicked ZA, the half-window I told you about showed up, but froze.

    Rebooting, ZA appeared on startup (?), and when I checked the Firewall, it looked OK, which was confirmed in Security Center. I’m going to leave ZA minimized, and hope it’ll remain operational).

    Getting back to where I was before….

    ZA worked perfectly after installation. All the buttons and tabs worked with no delay; I opened and closed it several times, and rebooted a couple of times. It was still OK. BUT….

    I turned the machine off for about 30 seconds, and when I turned it back on, ZA went berserk again. Sometimes it would open and work OK; or it would open with delays of buttons and tabs; or it might open halfway and freeze.

    Besides all this, when I’d access a website and click on Home, I couldn’t access any other sites without rebooting. When I opened IE, it wouldn’t open its Home page.

    Later, this seemed to go away.

    I’ll check it again today, and edit this if necessary.

    If you want me to delete ZA again, I’ll do it, but I’ll cry a lot. :)

    In the meantime, is there anything else we can try?

    Thanks.

    P.S. I should probably not have gone against your advice.:(

    I'm editing this much later than I posted, because I thought I owed you an explanation.

    The reason for my discomfort was the loss of the ZA firewall. Even if I never opened the program, at least I'd have that.

    However, ZA isn't the only program with slow opening and performance. For instance, Help and Support, Acronis and AVG are slow openers, and the contents are delayed. They're not alone, but they're the only ones I can think of right now.

    No doubt, ZA is the worst offender, but I thought the results I had with the download might indicate another source (or sources) of the problems.

    From now on, you're the boss! :)
     
    Last edited: 2008/06/21
  9. 2008/06/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just so you know, I'm not picking on Zone Alarm, and I did not randomly pick ZA as the first thing to remove from the equation. It is known to cause quite a number of issues, hence my reason for the recommendation. Please, using Add/Remove programs, uninstall ZA again. It will (should) re-enable the Windows firewall when uninstalled, so don't feel like you're totally exposed.

    Now, another major culprit in my experience has been SuperAntispyware, and I recommend you uninstall it as well. Once both apps are uninstalled, restart the computer and after a bit of use, bring us up to speed on its behavior.
     
  10. 2008/06/23
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    June 22,23

    I know you weren’t picking on ZA, but since it’s the only problem program I had mentioned, it was reasonable for you to assume it might be part of the problem.

    My reference to the firewall in ZA was misplaced. What I was concerned about was the loss of the popup Alerts, and I assumed they were part of the firewall. (I have a hardware firewall).

    Sorry about that.

    I’m certain I’ve made some bad choices using the ZA Alerts, as well as with Ad-Watch’s RegShield Alerts. I probably have stuff in the Registry that don’t belong there, and I’ve probably disallowed things that do. I have to wonder now what programs ZA allows to access the Internet, and which are allowed to access computer resources.

    At any rate, I uninstalled both ZA and SuperAntispyware.

    The only noticeable difference is that the blue screen between the Welcome screen and desktop is gone again.

    [Speaking of the Welcome screen---some time ago I installed a program (I forget what) which apparently caused the appearance of a logon screen at startup. I’ve never used one, and my name is the only choice showing. I uninstalled the program, but the logon screen remained. Is there a way I can revert to a plain Welcome screen which will segue directly to the desktop without my having to click on my name?]

    Not affected are the generic icons when the desktop appears. Nor is the one-at-a-time file loading in the folder I mentioned.

    (Breaking news---I just opened IE and tried changing my hijacked home page to ‘about: blank’, using the address bar, but the URL changed to ‘about:%20blank’, and I got a page saying the action was cancelled.)

    Before IE opened, I got 3 alerts from RegShield, asking if I wanted to allow a Registry change, each one using this key: HKCU\Software\Microsoft\Main. They all referred to Internet Explorer.

    It did the same thing when I closed IE. This seems to happen almost at random when opening programs. The last one was CCleaner. I think I saw one set the other day with about 15 alerts!

    That’s enough for now.

    Perhaps as we progress, I’ll get down to a three sentence post. :)
     
  11. 2008/06/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Close HijackThis.

    • Open Spybot
    • On the toolbar, click Mode and select Advanced then Yes to the prompt
    • In the left pane click Tools
    • Select IE tweaks
    • Make sure the locks for IE Start Page and Control Panel are not checked then Exit Spybot

    Close all IE browser windows then re-open and see if your homepage can be changed (try http://www.google.com). Make sure you click Allow to any prompts from Regshield. Close and re-open IE a couple of times to verify it sticks (if you're able to change it).

    • Right click the desktop and select Properties
    • Select the Appearance tab, then click Effects
      • If the Use large icons box is selected, clear it
      • If the Use large icons box is not selected, select it
    • Click OK, then Apply
    • Now click Effects again and undo the last action, then OK your way out of the Properties dialog

    Restart the computer and see if there's any change in the loading of your icons.

    You can find instructions to allow for booting straight to your desktop, without a login screen or prompt, here. I would like to stress the importance of typing the correct password for the account, or just pressing Enter when prompted if the password is blank.
     
  12. 2008/06/25
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    You’re a genius!!

    Following each of your instructions resulted in a positive outcome.

    Thanks.

    In no particular order, here are some questions and comments on what we’ve (?) accomplished so far.

    When accessing or leaving IE, there are so many RegShield alerts (I counted one with 18 alerts, and another with 20, for instance). I wonder if it would be OK to disable the RegShield feature?

    In the Advanced tab in Internet Options, I seem to recall that there was a section related to ActiveX. If that’s true, it’s missing.

    I also think there is a “Lock Homepage” selection somewhere, but I don’t recall if it’s in IE or elsewhere.

    IE Tools/Internet Options/Temporary Files/Settings/View Objects/(“Downloaded Program Files”), containing a list of items, which were marked as Installed, Unknown, or Damaged.

    Is this something to be concerned about?

    With ZA gone, I tried running dss.exe again, but extra.txt was still missing.

    Ditto with ActiveScan, but the result was the same as before.

    The first time I tried getting to the scan page, the site froze, but when I clicked on Home and back again, it was OK.

    Last evening, I ran CCleaner before shutting down. There were more files than I’m used to seeing—in the Windows Temp and Local Settings Temp folders--some of which appeared to be sites I hadn’t (knowingly) visited. I wonder if the absence of ZA might have caused this?

    Assuming that—for the time being, at least—I’m not to reinstall ZA Pro, would it make any sense to try ZA’s freebie for awhile? (On the assumption that it might not contain whatever is causing my problems with the full version)

    [I don’t want to expand this thread, but (FYI) Firefox stopped saving cookies. I’ve unclicked cookie deletion in all the places I know of].

    One of my complaints was the partial erasure of the contents of some of my Word documents.

    I did a random check, and can’t find any other examples.

    The disappearing files in TrojanHunter hasn’t been duplicated.

    But something caused each of these to occur.

    Is it likely that I still have some bad guys on my machine?

    (For instance, whatever’s causing the appearance of the so-called software download window in Ad-Aware. Since the update date wasn’t changing when I accepted the offer, my paranoid suspicion is that it was really erasing the latest update. The window appears even when there aren’t any updates).

    The logon screen activates when I bring my machine out of Standby.

    Oh, well, I guess I can’t have everything. :)

    There’s probably more, but that’ll do for now.
     
    Last edited: 2008/06/25
  13. 2008/06/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    RegShield - I'm not at all familiar with it. What are the alerts you're getting?

    Nothing RE: ActiveX on the Advanced tab. Those are on the Security tab under each zone's custom properties.

    View Objects - remove anything Damaged or Not Installed

    dss will only produce the extra.txt log on its first run, unless a custom scan is performed.

    ZA is ZA, whether free edition or Pro, in regards to the issues. I wouldn't recommend re-installing it at this point.

    Go again to Desktop Properties, Screen Saver tab.
    Verify the On resume, password protect checkbox is cleared.
    Click the Power button.
    Select the Advanced tab.
    Verify the Prompt for password when computer resumes from standby check box is cleared.
    Click OK then OK again to exit.
    Let me know if the standby issue is resolved.


    Recommend you reset the amount of space allocated to store Temporary Internet Files.
    Open Internet Options, then click Settings on the General tab (Temporary Internet Files section)
    Reduce the allocated space to 50MB
    At the top of that properties dialog, select Every visit to the page
    OK out


    I think the Lock Homepage setting is in the IE Tweaks section of Spybot>Tools. It's labeled Lock IE start page setting against user changes (current user)


    Let me know how things are after applying the above and a bit of use.
     
  14. 2008/07/02
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Thanks, again, Dave…

    I’ll respond first to your instructions.

    In the ‘Properties’ Screen Saver tab, the line “On resume….” reads “On resume, display welcome screen.” It was grayed out because I don’t use a screen saver. Perhaps the line you presented me with is true in Vista (I’m using XP Home).

    In the ‘Advanced’ tab, “Prompt for password….” was already cleared.

    The space allocated to Temporary Internet Files was 4 digits. Your change was quite a difference.

    You were, of course, correct about the location of the Lock Homepage setting. If I understand “Lock IE start page….” correctly, it wouldn’t have prevented my homepage from being hijacked anyhow, because it refers only to the ‘current user.’

    Regarding RegShield, it’s a feature of Ad-Watch in Ad-Aware.

    Here are some of the popups I get. The number in parentheses is the same in each series, but change for each session:

    Upon opening IE: “AdWatch.1 notification in queue.”

    Then, [“The process iexplorer.exe (364) is trying to modify RegKeyChangeOrCreate the Registry. Path:HKCU\Software\Microsoft\Internet Explorer\Main”]…Block or Allow?

    Since there was only 1 notification, in this case, the next popup=

    “Ad-Watch---RegShield ValueChangeOrAdd.”…(Same as notification above)…Block or Allow?

    On closing IE: “Ad-Watch. 3 notifications in queue.”

    Then, “…..modify (ValueChangeOrAdd) the Registry.” (Path=same as above).

    The next two notifications are pretty much the same, but the last popup’s title is:

    “RegShield…RegistryChangeOrCreate”.

    There are two other programs I’ve noticed this with so far---Spybot and CCleaner. The differences appear to be the required changes and the paths.

    I realize these examples are truncated, but I hope they give you an idea of what they do.

    It’s pretty annoying to have to deal with these popups all the time; particularly when there have been up to 20.

    Besides, I really don’t have the smarts to know which choice to make.

    View Objects: The ones marked ‘Damaged’ deleted OK, but those marked ‘Unknown’ are problematic, and apparently all ActiveX .

    The first one I tried to delete gave me a message saying that there wasn’t enough information for it to be completely deleted. I clicked on the close button instead of OK, because I wanted to consult you first. But the darned thing deleted anyway.

    I checked Properties for the 2 that were left, and found these:

    “ActiveX Control Code Base: http://fpdownload.macromedia.com/get/flashplay(er)”
    “Dependency = c:\windows\download…\ERMA/INF” and the version number is v.1,0,0,25

    “ActiveX Control Base: http://fpdownload02.macromedia.com/get/flashplay(er)”
    “Dependency = c:\windows\downl…\swflash.inf” and the version number is v.9,0,124,0

    The version number of the deleted file is 0,0,0,1

    I’ll certainly get the same incomplete removal message for the remaining 2, so is it OK to delete them, anyhow?


    dss: Interesting info. Technically, since I reinstalled it at your request, I ran the program for the first time. I wonder if there’s an entry in the Registry that ‘remembered’ the program had run before, even though I had deleted it (previous forum).

    If you feel it’s necessary to see the extra.txt, log, would it be worthwhile to correct the Registry? If not, is the program worth keeping?


    Once a month, I run 2 online scans. One is ewido antispyware, plus an anti-virus program.

    I tried running BitDefender, but got a message that the update had failed. I was given the option of running it anyway, which I declined.

    That makes two online anti-virus programs I can’t use; the other being ActiveScan.

    I ran Kaspersky instead. That program says that it might not run properly unless I disable my anti-virus program. This is the program I had in mind when I asked if it was necessary to do so. I didn’t.


    Next-to-last observation---One of the programs that takes a long time to open, is Ad-Aware. It takes about a minute and a half to open, or before it starts updating.

    Last time I ran it, it seemingly wouldn’t close, so I clicked the ‘close’ button again, and got a “The program is not responding” message, so I clicked on ‘End Task’, and it finally closed.

    This hasn’t happened when the program updates; only when it runs.

    After finishing work on my computer, I ran it a second time, and once again it wouldn’t close.

    But it did close after about 15 seconds. Doesn’t sound right.

    (I think I’ll publish my posts as a book. I don’t seem to know how to make a short one):)


    Last observation---I mentioned that Firefox has stopped saving cookies.

    I’m not sure that it really isn’t part of my problems, because it’s not too dissimilar from the disappearing files in TrojanHunter or the deleted parts in some of My Documents.

    Following are two messages in Firefox/Tools/Error Console/Warnings:

    Warning: Warning: Unrecognized chrome registration modifier 'contentaccessible=yes'.
    Source File: file:///C:/Program%20Files/AVG/AVG8/Firefox/chrome.manifest
    Line: 2

    (The one above wasn’t present at the time I pasted the next one, but they appeared together today).

    Warning: Warning: Unrecognized chrome registration modifier 'contentaccessible=yes'.
    Source File: file:///C:/Documents%20and%20Settings/Norman/Application%20Data/Mozilla/Firefox/Profiles/cpi4wa1g.default/extensions/%7B3d7eb24f-2740-49df-8937-200b1cc08f8a%7D/chrome.manifest
    Line: 6

    Any connection?

    In general, I’d say there’s been a vast improvement in my machine’s behavior.

    P.S. I notice that this post makes use of the horizontal scroll bar.

    Did I do something wrong?
     
    Last edited: 2008/07/02
  15. 2008/07/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Oftentimes a setting needs to be toggled off and on for Windows to take note of it, so let's try that with the standby issue.
    Go back to the Screensaver tab>Power>Advanced tab, then check the box labeled Prompt for Password and click Apply.
    Now uncheck the box and click Apply, then OK your way out.
    Let me know if it continues to activate the logon screen when coming out of standby.

    Let's just see what it is that IE wants to change. First we'll take a snapshot/create a backup. Highlight and copy the following bolded command.


    regedit /e "%userprofile%\desktop\main1.txt" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"


    Click Start>Run and paste the command in the Run dialog, then hit Enter. It should create the file main1.txt on your desktop. Open it to verify it has contents.
    Now open IE and when RegShield prompts you to allow the change, allow it.
    Now, Click Start>Run and change main1.txt in the command you just pasted there to main2.txt, then hit Enter. Either study the contents of both main.txt files to find the difference and act accordingly, or post both files here for review and recommendation.

    Windows, by default, allocates 10% of the available hard disk space for the storage of Temporary Internet Files. Much like System Restore points, when the maximum is reached, older files will be pushed out and replaced with newer ones. 50mb is enough to load a good number of pages all at once, and low enough to cut down on the clutter. ;)

    The Lock IE Start Page setting will effectively prevent your page from being hijacked. Current user settings override Local Machine settings in this area.

    Any and all downloaded program files (ActiveX) can be safely deleted. They are only required/used by an application when needed, and from within IE. If you pull up something requiring ActiveX, you will be prompted to install it, or it will automatically be installed, or it will be blocked, depending on the settings you have applied for ActiveX content.

    dss can be run using a configuration switch that will allow for creating a custom scan, including the creation of a new extra.txt log. I don't see that it's necessary at this point, so don't worry about it. Hang onto dss for the time being. It's not hurting anything and we may need it yet again.

    Resident antivirus and realtime protection programs can indeed be problematic with online scanners, and may well be behind the failure of those 2 scanners. I wouldn't sweat it though. Kaspersky's online scanner is as good as any.

    I have to admit, I haven't been too impressed with Ad-aware 2007. I've seen quite a number of people having the same sort of behavior you have reported. I suggest that if it continues, you uninstall it, then re-install it and see if there's any change.


    RE: the error message in Firefox, see if there's any help in the following links.

    http://chrispederick.com/blog/2008/05/web-developer-116/

    http://www.google.com/search?num=30...ized+chrome+registration+modifier&btnG=Search


    RE: Firefox not saving cookies, did you install the Torbutton add-on? Did the behavior begin after installing some other add-on?


    Since you feel the machine's performance has improved, in your words, vastly, try re-installing Zone Alarm and see how it is after a day or so of use.

    No, it was caused by the consecutive character length of the firefox warning you posted.

    PS. Let me know when you start on the book ..... :p
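The before/after snapshot comparison described in the post above can be done mechanically rather than by eye. The following is an added example, not part of the original thread: it parses two `regedit /e` exports and lists every value that was added, removed or changed. The function names and the sample exports are constructed for illustration; non-Unicode exports are assumed to be cp1252.

```python
import re
import sys

# "name"=data lines; names may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_export(raw):
    """Decode the bytes of a regedit export.

    "Windows Registry Editor Version 5.00" exports are UTF-16LE with a
    byte-order mark; anything else is treated as ANSI (cp1252 assumed).
    """
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def parse_export(text):
    """Return {(key_path, value_name): raw_data_text} for every value."""
    values = {}
    key = None
    pending = ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):
            # Long hex values are wrapped; a trailing backslash continues them.
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith("@="):
            values[(key, "(Default)")] = line[2:]
        elif key:
            m = VALUE_RE.match(line)
            if m:
                name = re.sub(r"\\(.)", r"\1", m.group(1))
                values[(key, name)] = m.group(2)
    return values


def diff_exports(before, after):
    """List (kind, key, name, old, new) for every value that differs."""
    changes = []
    for ident in sorted(before.keys() | after.keys()):
        old, new = before.get(ident), after.get(ident)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        changes.append((kind, ident[0], ident[1], old, new))
    return changes


def as_regedit_bytes(text):
    """Encode sample text the way regedit writes it: BOM, UTF-16LE, CRLF."""
    return b"\xff\xfe" + text.replace("\n", "\r\n").encode("utf-16-le")


# Constructed sample snapshots (not taken from the thread's machine).
SAMPLE_BEFORE_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"FullScreen"="no"
"Window_Placement"=hex:2c,00,00,00,02,00,00,00,\
  03,00,00,00
'''
SAMPLE_AFTER_TEXT = (SAMPLE_BEFORE_TEXT
                     .replace("about:blank", "http://www.msn.com/")
                     .replace("03,00,00,00", "01,00,00,00"))
SAMPLE_BEFORE = as_regedit_bytes(SAMPLE_BEFORE_TEXT)
SAMPLE_AFTER = as_regedit_bytes(SAMPLE_AFTER_TEXT)


if __name__ == "__main__":
    # Usage: python regdiff.py main1.txt main2.txt (falls back to the samples)
    if len(sys.argv) == 3:
        raws = []
        for path in sys.argv[1:3]:
            with open(path, "rb") as fh:
                raws.append(fh.read())
    else:
        raws = [SAMPLE_BEFORE, SAMPLE_AFTER]
    before, after = (parse_export(decode_export(r)) for r in raws)
    for kind, key, name, old, new in diff_exports(before, after):
        print(f"{kind:8} [{key}] {name!r}: {old} -> {new}")
```

A change to `Start Page` is the one to look at when chasing a home page hijack; churn in values such as `Window_Placement` is ordinary browser housekeeping.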
     
  16. 2008/07/06
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Firstly, I checked my last post, and noticed that while I referred to the process for getting rid of the logon screen coming out of standby, I neglected to say that the procedure was successful.

    ===============================================================

    I tried uninstalling Ad-Aware, but it didn’t completely work.

    I found 2 partial Ad-Aware programs in the Lavasoft folder, one called ‘Ad-Aware,’ and the other called ‘Ad-Aware 2007’.

    Was able to delete the one named Ad-Aware, but the other one wouldn’t delete, so I ran a program called RegSupreme, which got rid of what was left in the folder very nicely.

    (I thought it would just get rid of stuff in the Registry which might be causing the uninstall problem. I was pleasantly surprised at the result.)

    When I reinstalled Ad-Aware, it seemed to initialize faster, and for awhile I didn’t get that pesky ‘software update’ window (until today, July 5), and it appears that the initialization now lasts as long as it did before. Whether there’s a connection, I don’t know.

    Serendipitously, I went through all of Ad-Watch’s features, and came across one that clears items in IE, Firefox, and Opera, on closing. I deselected Cookies in Firefox, and my cookies are being saved again.

    (I don’t recall whether the previous version contained the above selections—or if it had RegShield---but if it did, I had the one set to save cookies, and the other to disable RegShield)


    Then I reinstalled ZoneAlarm. Not a good idea. Same problems, but worse, after several attempts.

    For one thing, it wouldn’t recognize my license key.

    For another, the blue screen between Welcome screen and desktop was back.

    The last install resulted in the program appearing on startup. I don’t know if I messed up during installation, or if the program did it on its own.

    (During one of my installations, RegShield hung. I hoped that that might have caused the program to not install properly, so I disabled RegShield and did another install, but it didn’t make any difference.)

    At any rate, the machine hung, and Task Manager couldn’t ‘end task.’ This happened each time I rebooted using the reset button.

    After being frustrated several times, I managed to get to the program’s uninstaller from the Start button before ZA loaded, and was able to uninstall it.

    (I guess I shouldn’t have used the word ‘vastly’ in describing the improvement)

    This is the first time I’ve had any problems with ZA upgrades. Ditto Ad-Aware.

    (Actually, they’re both subscription renewals, each of which resulted in an upgrade, so that Ad-Aware 2007 is now Ad-Aware 2008)


    I performed your Regedit procedure, and as far as I can tell, there is no difference between the two files.

    If you want to see them anyhow, let me know.

    (It’s not just IE that RegShield targets. Apparently, anything that wants to change the Registry—whether it’s new program installs, or programs other than IE---so I would guess that most requested changes are necessary. As I said before, I wouldn’t know the difference.)


    View Objects in Temporary Internet Files---One ‘Unknown’ object deleted OK, but the other gave an error message labeled "Advanced INF Installer", and said "Error unregistering the OCX C:\Windows\system32\macromed\download\Download.dll", but it did delete.

    I mentioned these messages because I wasn’t sure it was a good idea to delete the files with pieces floating around somewhere. The files are gone now, so I guess I’ll find out the hard way. :)

    I just thought there might be another way to get rid of them.


    Re: Firefox Error Console---Thanks for the links. I discovered that ‘Warnings’ can be ignored; they’re apparently caused by Web sites. So I cleared them.

    However, items in the ‘Errors’ and ‘Messages’ tabs should be addressed.

    I’m still bothered by the one-at-a-time file loading in a couple of folders in PowerDesk, which I use instead of Windows Explorer.

    Also, as I mentioned, ‘Help and Support’ seems to behave similarly, with the arrows appearing one at a time from top to bottom, and a delay in loading the final item.

    In addition, the icons in Control Panel also start out generic. It takes over 5 seconds, but they eventually appear OK.

    I was hoping I could repeat the Large Icons/ Small Icons routine we used on the desktop, but there wasn’t any option to do that.

    Interestingly, the slow file loading, and the slow icons in Control Panel hold only if I restart the machine. They open OK if I change folders or close the programs and reopen them.


    Lucky you! That’s all I can think of right now. :)

    P.S. When I write my book, you’ll get the first autographed copy! :) :)
     
  17. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, let's see if I can sum things up.

    1. You need a replacement for Zone Alarm, unless you'd rather turn to ZA support for help (good luck with that :p )
    2. You need a replacement for Ad-aware, unless you'd rather turn to Lavasoft for support with that. You may do some good posting the issues at their forums. ;)
    3. Control Panel icons and Help and Support are loading slow

    Let's do a bit of cleanup. Click Start>Run and type the following line (or copy/paste it) then hit Enter

    cleanmgr /sageset:1

    A disk cleanup dialog will open. Select all boxes (you can skip Compress old files if there's a large number of them, as it might take up to a couple of hours to complete) then click OK.
    Now click Start>Run and type this command then hit Enter

    cleanmgr /sagerun:1

    Be patient and don't try to multitask while disk cleanup runs.
    Once disk cleanup has finished, download ATF Cleaner by Atribune and save it to your Desktop. (I realize this might seem redundant, but it's not)
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot

    Now open My Computer and right click Local Disk C: then select Properties.
    Select the Tools tab then click Check Now in the Error Checking section
    Select both boxes on the popup, then click Start
    You should receive a message that disk check cannot be performed and offered to run it at the next restart. Click Yes.
    Now reboot.

    A disk Check will run after restart, before you ever get to the logon screen.
    Once finished and again logged on, go back to the Tools tab and run Defragmentation
    I recommend you not run any other applications while defragmenting, and disabling the screen saver and Power Saving options is recommended as well. Other disk activity during defrag slows the process considerably.
    Figure on a 2 or 3 beer wait for defrag :D

    Now, have you opened the case of this computer and blown the dust out of the fans and CPU heatsink? A decrease in airflow can cause temperatures to rise, which causes a decrease in performance. If you need any specifics for that task, don't hesitate to ask.

    Let me know how things are once all of the above is complete. There are some other things to check if no change.
     
  18. 2008/07/10
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    I performed all the house cleaning chores you asked me to.

    As far as I can tell, they didn’t help.

    Before I get to that….Yesterday was my weekly anti-malware day, before backing up.

    Malwarebyte found and deleted 3 Trojans and 2 Rogue.Installers.

    AVG found 3 instances of a "potentially harmful program Logger,BGA," but when I clicked on "Remove all unhealed infections," a window popped up saying "Moved object is bigger than the archive size limit." Therefore, no deletions.

    I was given the option to "Go to file," or "Ignore."

    When I went to the file, it was marked ‘Read only’ and ‘Hidden,’ and I wasn’t sure how to proceed.

    I tried deleting the other 2. Got the same message, and the named file was always the first one, instead of each file’s name, individually.

    All paths were the same. Only each file’s contents were different.

    Path = C:\Program files\Softwin\Setup Information\

    The files: (All the same, except additions after ‘msi’)

    {A4E55645-B82F-44DD-90D8-6B2B9BEA7F85}bdantispy.msi

    \bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F788FE365

    \bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F788FE365:\regspy.sys

    As you might know, these files are associated with BitDefender, and might be false positives.

    I hope to delete BitDefender and ActiveScan, since I can’t use them, but it’ll probably have to be done one file at a time, since neither is in Add/Remove Programs.

    Is there a better way to do this?

    --------------------

    As I mentioned before, there’s one file in My Documents which I can neither open nor delete (it has 0 bytes). It has no extension, and has attributes hsa---not something I would do. It’s not the kind of document that needs the first two attributes, anyhow.

    I don’t know that its presence is a problem, but when I copy the file to a zip drive—if I forget to unselect this document—the file transfers until it reaches this document (it begins with ‘W’), then the transfer stops with an error message, and I have to start over again, after first deselecting the document.

    ---------------------

    Getting back to the problems at hand, I notice that the time between Welcome screen and desktop has gone from zero, to upwards of 3 seconds of blue screen in between.

    Sometimes, when I exit a program, all the desktop icons go generic momentarily, then reappear OK.

    And, sometimes when the startup routine is in progress, some or all of the desktop icons disappear momentarily.

    Nothing has changed regarding the one-at-a-time loading. I mentioned the Help and Support, and Control Panel delays only because I assumed they occur for the same reason as the file loading problem.

    I seldom use either Help and Support, or Control Panel, so their delays are tolerable, even if not normal.

    --------------------

    I will take your advice and try the Ad-Aware and ZoneAlarm websites.

    Regarding Ad-Aware, despite the very slow initialization, the program is probably a keeper, because it seems to be otherwise performing OK.

    But ZoneAlarm is an entirely different story. If this thread is still open, I’ll let you know how I make out.

    -----------------------

    A day later, July 10:

    While I was updating my anti-malware programs, msconfig popped up, and I clicked OK, forgetting that by doing so, the machine required a restart.

    Maybe not necessary, but I went back to a Restore Point, hoping to bypass any possible changes to msconfig.

    When I checked it after the Restore, the only thing that looked suspicious to me was this:

    In Win.ini, there’s an item called [Internal], which contained the following:

    VirtualASPY=1139436411
    VirtualASPY2=1139436061
    Network2=vsfLz728y8vIur7HucnPzMfPzLo=

    Anything to worry about? Is there any likelihood that msconfig could have been compromised from the Internet?

    Thanks, again.
     
  19. 2008/07/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    MBAM creates a log file of each scan. Please open MBAM and get the last scan results, then post the log here.

    If you give me the exact name of the problem file in My Documents, I can instruct you on how to remove it.

    BitDefender and ActiveScan ....... both online scans? I seem to remember BitDefender (online scanner) creating an uninstall option on one of the Internet Explorer menu items ....... hmmm, Tools maybe?
    Let's go ahead and get a full dss output. Copy the command below, click Start>Run and paste it in, then hit enter.

    "%userprofile%\Desktop\dss.exe" /config

    The dss interface should open. Click Uncheck All, then click Select All.
    Now click Scan and post the resulting logs. You will likely need to put them in separate posts due to character count limitations.


    Generally, win.ini is not used by XP. Instead, entries in the following registry key are used.

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    That said, it probably wouldn't hurt anything to remove the entire [Internal] section and the accompanying entries.
     
  20. 2008/07/16
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Firstly, I installed the trial version of Sunbelt Personal Firewall to replace ZoneAlarm.

    I don’t know why I waited so long….I just hope it wasn’t too long.

    I’ve gotten no response from either Ad-Aware or ZoneAlarm.

    -----------------

    I’m including the MBAM you asked for, plus the one I ran today (July 15).

    My homepage had been hijacked again, but since it was grayed out on my preferred home page, I intended to ask you if it would be OK to leave it alone.

    Today’s scan answered that question very nicely, as you’ll see.

    ---------------

    Malwarebytes' Anti-Malware 1.19
    Database version: 930
    Windows 5.1.2600 Service Pack 2

    11:28:37 PM 7/7/2008
    mbam-log-7-7-2008 (23-28-37).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 93837
    Time elapsed: 24 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    \SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\revo uninstaller (Rogue.Installer) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Hewlett-Packard\hpis\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Verizon Online\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Verizon Online\bin\UpdateSC.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\UTILITIES\Revo Uninstaller\uninst.exe (Rogue.Installer) -> Quarantined and deleted successfully.

    ----------------

    Malwarebytes' Anti-Malware 1.20
    Database version: 957
    Windows 5.1.2600 Service Pack 2

    6:26:06 PM 7/15/2008
    mbam-log-7-15-2008 (18-26-06).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 94352
    Time elapsed: 25 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ---------------

    The name of the My Documents file I want to delete is: WCAU Old Timers. (with the period).

    -------------------

    You were right about the BitDefender uninstaller in IE Tools.

    It referred to a previous version, so when I did the uninstall, I don’t know if it did anything.

    However, I did a Search and found and deleted the remnants in Common Files\Softwin. The next time I run AVG, I’ll know if I got rid of the questionable files.

    I’ll terminate this post here. With any luck, I’ll get the dss logs posted OK.
     
  21. 2008/07/16
    catswhisker

    Deckard's System Scanner v20071014.68
    Run by Norman on 2008-07-16 15:10:53
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 3 Restore Point(s) --
    3: 2008-07-16 03:21:57 UTC - RP14 - Deckard's System Scanner Restore Point
    2: 2008-07-15 20:04:45 UTC - RP13 - Before anti-malware scan
    1: 2008-07-15 20:03:36 UTC - RP12 - System Checkpoint


    Performed disk cleanup.



    -- HijackThis (run as Norman.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:12:04 PM, on 7/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    C:\Program Files\Secunia\PSI (RC1)\psi.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Norman\Desktop\dss.exe
    C:\UTILIT~1\HJT\Norman.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: MagicTune 3.6.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: Antivirus software - BitDefender - The future of security now!
    O15 - Trusted Zone: ewido is AVG - anti-spyware, anti-malware and anti-virus software
    O15 - Trusted Zone: usa.kaspersky.com
    O15 - Trusted Zone: Antivirus, anti-spyware, anti-spam, firewall. Protect yourself with Panda Security
    O15 - Trusted Zone: Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - Trusted Zone: *.vanguard.com
    O15 - Trusted Zone: *.verizon.net
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120085952027
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143236299578
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --
    End of file - 8427 bytes
     
