
Solved Annoying pop ups

Discussion in 'Malware and Virus Removal Archive' started by jamon08, 2007/09/08.

  1. 2007/09/15
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Geri,

    That was easy!

    Did I have to be in my kids account?

    When I get a new java update is it ok to delete the old update?

    I deleted limewire, my daughter will be gutted :rolleyes:

    and Noadware which I purchased when those annoying windows started popping up, sucker aye

    C:\WINDOWS\system32\gnc.exe moved successfully.
    C:\WINDOWS\popcreg.dat moved successfully.
    C:\WINDOWS\popcinfot.dat moved successfully.
    C:\WINDOWS\popcinfo.dat moved successfully.

    Created on 09/25/2007 08:02:45

    Cheers

    Jae
     
  2. 2007/09/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Jae
    No, OT moved them.

    Most definitely, old versions are exploitable and are targets for malware.

    Good that you removed it, sorry about your daughter but it is cheaper to buy whatever she wants to have, than to buy a new computer because one was toasted from infections.

    I did not know you bought it, hate to see you losing money that way :(
    There are free ones, SpyBot Search and Destroy works well, enable Tea Timer.
    If you go to buy any more programs come by here first and get opinions from the people here, everyone here is more than happy to give their two cents worth.
    Post security programs in the "General Security" forum, other programs in the "Other Software" forum.

    OK, go to SpyBot's web site again and see what happens. Let me know, and let me know of any more problems.
    Run dss again and post the main log only.
    If OK, then we will go ahead and remove tools and such.

    Thanks
    Geri
     


  4. 2007/09/16
    jamon08

    jamon08 Inactive Thread Starter

    Hi Geri,

    I have downloaded Spybots successfully, but did not enable tea timer as you suggested, can I go back and do this?

    The scan found 4 items

    1 from Crazy girls (shame) which is a dialer that I used the "fix problems button" to remove, is this Ok?

    The other 3 were telling me that windows Firewall, updates and antivirus were disabled, which I asked to "ignore in future scans", only because it said that other antivirus programmes automatically do this to avoid multiple warning messages for the same things, Ok??

    While we are on antivirus programmes I seem to have a few, what do I do with all of them?

    Is it time to do "set new system restore point"

    I hope you are still enjoying my bumbling because I feel like a pain up the butt!

    Deckard's System Scanner v20070905.67
    Run by DAD on 2007-09-25 20:01:30
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 224 MiB (512 MiB recommended).


    -- HijackThis (run as DAD.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:01:52 p.m., on 25/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
    C:\WINDOWS\Explorer.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Tamariki\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\DAD.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.kol.co.nz
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140056860937
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4004673-4AD4-44AB-89BC-FCCC626FD816}: NameServer = 210.55.12.1 210.55.12.2
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8840 bytes

    -- Files created between 2007-08-25 and 2007-09-25 -----------------------------

    2007-09-25 18:35:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-25 11:23:51 64 ---h----- C:\WINDOWS\popcreg.dat
    2007-09-25 11:23:50 16 --a------ C:\WINDOWS\popcinfot.dat
    2007-09-22 18:35:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-09-22 18:35:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-20 18:11:46 0 d-------- C:\Program Files\Navilog1
    2007-09-19 23:22:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-09-19 06:50:04 0 d-------- C:\Program Files\Trend Micro
    2007-09-17 09:53:20 0 d-------- C:\WINDOWS\pss
    2007-09-14 21:57:25 0 d-------- C:\Program Files\NoAdware5.0
    2007-09-02 17:57:44 0 d--hs---- C:\FOUND.004
    2007-08-26 09:28:11 0 dr------- C:\Documents and Settings\Tamariki\Favorites
    2007-08-25 12:44:00 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-25 12:43:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


    -- Find3M Report ---------------------------------------------------------------

    2007-08-15 19:02:30 0 d-------- C:\Program Files\MSXML 6.0


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp "= "Alaunch" []
    "SiSPower "= "SiSPower.dll" [13/07/2005 02:55 a.m. C:\WINDOWS\system32\SiSPower.dll]
    "eRecoveryService "= "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [16/11/2005 05:00 p.m.]
    "SoundMan "= "SOUNDMAN.EXE" [14/12/2005 06:06 p.m. C:\WINDOWS\soundman.exe]
    "SMSERIAL "= "sm56hlpr.exe" [06/06/2005 07:40 a.m. C:\WINDOWS\sm56hlpr.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [22/01/2007 10:19 p.m.]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 06:30 p.m.]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [19/09/2007 10:36 p.m.]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43 a.m.]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 09:24 a.m.]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [30/06/2007 09:16 a.m.]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 a.m.]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 04:45 p.m.]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 04:46 p.m.]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [15/02/2006 5:52:26 p.m.]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [18/02/1999 8:05:56 a.m.]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 p.m.]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    *Newly Created Service* - INT15.SYS



    -- End of Deckard's System Scanner: finished at 2007-09-25 20:03:37 ------------

    Cheers

    Jae
     
  5. 2007/09/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Jae

    You can if you want it to monitor your system in real time, (your choice.)

    Yes and Yes

    I see only 1 anti-virus, > Norton.
    The others are Spyware Programs. You need to update them and then run a scan at least once a week and fix whatever they find.

    Almost. If you feel things are running OK then we will proceed. I have a couple questions first.

    I see these came back,
    popcreg.dat
    popcinfot.dat


    They could be related to popcap games, which is no threat, just wanted to make sure your kids or you went there and played some games.

    Also, your date seems to be off, you seem to be a number of days ahead of the rest of us.
    "Scan saved at 8:01:52 p.m., on 25/09/2007"
    Double-click your clock in your tool bar and adjust the date by clicking on the correct day, then click Apply > OK.

    If you feel things are running OK then let's proceed.

    You can delete any tools you were asked to download and the files/folders or logs they created. There will be newer versions if ever needed again anyway.

    These tools.
    Navilog1, OTMoveIt, dss.exe

    These files/Folders
    C:\fixnavi.txt <<This file
    C:\cleannavi.txt <<This file
    C:\_OTMoveIt\MovedFiles <<This folder
    C:\Deckard <<This folder

    Empty your recycle bin

    Turn System Restore off and on

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    Make a new restore point. And name it.

    Let me know if you feel this is resolved, then I will mark this thread accordingly.

    Surf Safely
    Geri
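
    The two checks made by eye in the post above (files that came back after OTMoveIt moved them, and a scan date ahead of the real date), as an added example that is not part of the original thread. The function names are hypothetical, the log text is a constructed sample abridged from the logs quoted here, and the reference date is taken to be the date of this post.

```python
import re
from datetime import date, datetime

# Constructed sample: abridged from the OTMoveIt and DSS logs quoted in this thread.
OTMOVEIT_LOG = r"""
C:\WINDOWS\system32\gnc.exe moved successfully.
C:\WINDOWS\popcreg.dat moved successfully.
C:\WINDOWS\popcinfot.dat moved successfully.
C:\WINDOWS\popcinfo.dat moved successfully.

Created on 09/25/2007 08:02:45
"""

DSS_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:52 p.m., on 25/09/2007

-- Files created between 2007-08-25 and 2007-09-25 -----------------------------

2007-09-25 18:35:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 11:23:51 64 ---h----- C:\WINDOWS\popcreg.dat
2007-09-25 11:23:50 16 --a------ C:\WINDOWS\popcinfot.dat
2007-09-14 21:57:25 0 d-------- C:\Program Files\NoAdware5.0

-- Find3M Report ---------------------------------------------------------------

2007-08-15 19:02:30 0 d-------- C:\Program Files\MSXML 6.0
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
MOVED_AT_RE = re.compile(r"^Created on (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[a-z-]+)\s+(?P<path>.+)$"
)
ISO_SCAN_RE = re.compile(r"Scan saved at (\d{4})-(\d{2})-(\d{2})")
DMY_SCAN_RE = re.compile(r"Scan saved at .*?on (\d{1,2})/(\d{1,2})/(\d{4})")


def parse_otmoveit(text):
    """Return (paths moved, time the OTMoveIt log was written or None)."""
    paths, moved_at = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = MOVED_RE.match(line)
        if m:
            paths.append(m.group("path"))
            continue
        m = MOVED_AT_RE.match(line)
        if m:
            # Month-first, as in the quoted log (09/25/2007).
            moved_at = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return paths, moved_at


def created_files(dss_text):
    """Map lower-cased path -> (path, created) for the 'Files created' section only."""
    found, in_section = {}, False
    for line in (raw.strip() for raw in dss_text.splitlines()):
        if line.startswith("-- "):
            # Every DSS section starts with a '-- Title ---' banner.
            in_section = line.startswith("-- Files created between")
            continue
        m = CREATED_RE.match(line) if in_section else None
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            found[m.group("path").lower()] = (m.group("path"), ts)
    return found


def reappeared(otmoveit_text, dss_text):
    """Moved files that the later scan lists as created again after the move."""
    moved, moved_at = parse_otmoveit(otmoveit_text)
    created = created_files(dss_text)
    hits = []
    for path in moved:
        entry = created.get(path.lower())  # Windows paths are case-insensitive
        if entry and (moved_at is None or entry[1] > moved_at):
            hits.append(entry)
    return hits


def scan_date(log_text):
    """Date from 'Scan saved at', in HijackThis (day-first here) or DSS clone (ISO) form."""
    m = ISO_SCAN_RE.search(log_text)
    if m:
        y, mo, d = map(int, m.groups())
        return date(y, mo, d)
    m = DMY_SCAN_RE.search(log_text)
    if m:
        d, mo, y = map(int, m.groups())
        return date(y, mo, d)
    return None


def clock_skew_days(log_text, reference):
    """Days the machine clock is ahead (+) or behind (-) of a trusted reference date."""
    return (scan_date(log_text) - reference).days


if __name__ == "__main__":
    for path, ts in reappeared(OTMOVEIT_LOG, DSS_LOG):
        print(f"came back after removal: {path} (created {ts})")
    print("clock skew (days):", clock_skew_days(DSS_LOG, date(2007, 9, 16)))
```

    A file that reappears is only a prompt to ask where it came from, as the post does; the timestamps in the scan come from the same clock that is running ahead, so they are compared with each other and not with the real date.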
     
  6. 2007/09/17
    jamon08

    jamon08 Inactive Thread Starter

    Kiaora Geri, :)

    Yes my kids have been playing popcap games.

    I fixed the time, I am not in the future anymore

    Everything is well, computer feels like new.

    Thanks again for all your help it was much appreciated.

    Help us surf safely.;)

    Jae
     
  7. 2007/09/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Jae
    Glad to help out.

    Geri
     
  8. 2007/09/22
    jamon08

    jamon08 Inactive Thread Starter

    Hi Geri,
    Ever since we killed my malware I have been unable to add a desktop to my kids account, yet my account is fine. Also on my account when I'm on the internet, up in the address bar and on the page tabs they do not have the correct company logos next to the addresses. Even though it's not affecting my surfing, just thought I will mention it.
    Can you help or do you want me to use a different forum?
    Cheers
    Jae
     
  9. 2007/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi jamon08
    Click on Start > Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" check to see if there is an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button.
    Also, there should be nothing with a box checked, if there is uncheck it, and if the "Lock desktop items" box is checked, uncheck it.
    Click OK then Apply and OK.

    Let me know if this helps.

    Not sure about this?
    Is it just one certain logo? If so can you tell me what the logo is?
    If you point your cursor at it does it display a text of what it is or from whom?

    Thanks
    Geri
     
  10. 2007/09/23
    jamon08

    jamon08 Inactive Thread Starter

    Hi Geri,

    There were no entries in the web pages box, nothing had been checked.
    After I posted my reply for help on the desktop issue, I tried to delete that account and created a new one but it still has the same problem, it also came up with a "cannot load user profile error switching to default user". I know what you're thinking, "why didn't I wait for help", instead I had to try and be clever, I think I might have made the problem worse, little things like the desktop, unable to switch to classic view in control panel, any more tips mate?

    I sorted out the logo problem, I just deleted all of my temporary internet files and cookies and it seems to have come right. It was not the same logo, instead of the windows bbs logo I had the logo of the local radio station that I had been surfing and only one other had the wrong logo of a different website again.

    The "new programs installed" balloon keeps appearing on the start menu as well, referring to spybot only, usually this goes away after you use the programme for the first time.

    I'm back, the fula between the seat and keyboard :eek:

    Jae
     
    Last edited: 2007/09/23
  11. 2007/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Jae
    Let's try this.
    Give the kids account administrative privileges from your account, then log onto the kids and see if you can make the changes you want to. Then just change it back to limited when done.

    Let me know if that works.

    Geri
     
  12. 2007/09/23
    jamon08

    jamon08 Inactive Thread Starter

    Hi Geri,

    I tried that, still no good

    Cheers

    Jae
     
  13. 2007/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Jae
    OK, let's see if we can see anything in a dss scan. Please do this from your kids account.

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Thanks
    Geri
     
  14. 2007/09/24
    jamon08

    jamon08 Inactive Thread Starter

    Hi Geri,

    That account is sick, it did not give me the EXTRA TXT

    DSS asked me if I wanted to install HJT but because I took too long to decide, it decided for me and I think used a clone, whatever that means

    hope this helps

    Deckard's System Scanner v20070905.67
    Run by 1 on 2007-09-24 22:27:32
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 224 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-09-24 22:28:02
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\DAD\Desktop\dss.exe

    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar5.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [LaunchApp] Alaunch
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKEY_LOCAL_MACHINE\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
    O4 - Startup: i386
    O4 - Startup: VALUEADD
    O4 - Startup: dotnetfx
    O4 - Startup: FOUND.000
    O4 - Startup: FOUND.001
    O4 - Startup: Sysinfo
    O4 - Startup: Guide
    O4 - Startup: drv
    O4 - Startup: WINDOWS
    O4 - Startup: Documents and Settings
    O4 - Startup: Program Files
    O4 - Startup: Acer
    O4 - Startup: ntldr
    O4 - Startup: NTDETECT.COM
    O4 - Startup: boot.ini
    O4 - Startup: CONFIG.SYS
    O4 - Startup: AUTOEXEC.BAT
    O4 - Startup: IO.SYS
    O4 - Startup: MSDOS.SYS
    O4 - Startup: Preload.aaa
    O4 - Startup: Recycled
    O4 - Startup: XPH.TAG
    O4 - Startup: FOUND.002
    O4 - Startup: System Volume Information
    O4 - Startup: FOUND.003
    O4 - Startup: FOUND.004
    O4 - Startup: pagefile.sys
    O4 - Startup: nwathome
    O4 - Startup: output
    O4 - Startup: hiberfil.sys
    O4 - Startup: Deckard
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\mswsock.dll
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\winrnr.dll
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\mswsock.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140056860937
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{A4004673-4AD4-44AB-89BC-FCCC626FD816}: NameServer = 210.55.12.1 210.55.12.2
    O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
    O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
    O20 - Winlogon Notify: cryptnet - C:\WINDOWS\system32\cryptnet.dll
    O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
    O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: sclgntfy - C:\WINDOWS\system32\sclgntfy.dll
    O20 - Winlogon Notify: SensLogn - C:\WINDOWS\system32\WlNotify.dll
    O20 - Winlogon Notify: termsrv - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
    O20 - Winlogon Notify: wlballoon - C:\WINDOWS\system32\wlnotify.dll
    O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll
    O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
    O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - "C:\Program Files\Norton AntiVirus\SAVScan.exe"
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
    O23 - Service: SPBBCSvc - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
    O23 - Service: Symantec Core LC - Symantec Corporation - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"


    -- Files created between 2007-08-24 and 2007-09-24 -----------------------------

    2007-09-25 11:23:51 64 ---h----- C:\WINDOWS\popcreg.dat
    2007-09-25 11:23:50 16 --a------ C:\WINDOWS\popcinfot.dat
    2007-09-20 18:11:46 0 d-------- C:\Program Files\Navilog1
    2007-09-19 06:50:04 0 d-------- C:\Program Files\Trend Micro
    2007-09-17 09:53:20 0 d-------- C:\WINDOWS\pss
    2007-09-14 21:57:25 0 d-------- C:\Program Files\NoAdware5.0
    2007-09-02 17:57:44 0 d--hs---- C:\FOUND.004
    2007-08-27 17:13:42 537992 --a------ C:\WINDOWS\system32\SymNeti.dll <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:40 161160 --a------ C:\WINDOWS\system32\SymRedir.dll <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:36 189320 --a------ C:\WINDOWS\system32\drivers\symtdi.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:32 23944 --a------ C:\WINDOWS\system32\drivers\symredrv.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:28 31624 --a------ C:\WINDOWS\system32\drivers\symids.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:24 28040 --a------ C:\WINDOWS\system32\drivers\symndis.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:20 97672 --a------ C:\WINDOWS\system32\drivers\symfw.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-27 17:13:16 12680 --a------ C:\WINDOWS\system32\drivers\symdns.sys <Not Verified; Symantec Corporation; Symantec Security Drivers>
    2007-08-25 12:44:00 0 d-------- C:\Program Files\Common Files\Adobe


    -- Find3M Report ---------------------------------------------------------------

    2007-09-24 22:25:06 0 d-------- \Deckard
    2007-09-24 06:28:08 397410304 --ahs---- \pagefile.sys
    2007-09-24 06:28:08 234409984 --ahs---- \hiberfil.sys
    2007-09-18 19:22:04 60800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
    2007-09-17 09:54:54 211 -rahs---- \boot.ini
    2007-09-02 17:57:44 0 d--hs---- \FOUND.004
    2007-08-15 19:02:30 0 d-------- C:\Program Files\MSXML 6.0
    2007-07-30 19:19:42 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:36 549720 --a------ C:\WINDOWS\system32\wuapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:32 325976 --a------ C:\WINDOWS\system32\wucltui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:28 203096 --a------ C:\WINDOWS\system32\wuweb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:20 92504 --a------ C:\WINDOWS\system32\cdm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:16 53080 --a------ C:\WINDOWS\system32\wuauclt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:19:12 43352 --a------ C:\WINDOWS\system32\wups2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-30 19:18:40 33624 --a------ C:\WINDOWS\system32\wups.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-07-29 10:53:08 0 d-------- \output
    2007-07-29 10:53:02 0 d-------- \nwathome
    2007-06-26 18:08:16 1104896 --a------ C:\WINDOWS\system32\msxml3.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 3.0 SP9>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "SiSPower"="SiSPower.dll" [07/13/2005 02:55 AM C:\WINDOWS\system32\SiSPower.dll]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [11/16/2005 05:00 PM]
    "SoundMan"="SOUNDMAN.EXE" [12/14/2005 06:06 PM C:\WINDOWS\soundman.exe]
    "SMSERIAL"="sm56hlpr.exe" [06/06/2005 07:40 AM C:\WINDOWS\sm56hlpr.exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/22/2007 10:19 PM]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
    "LexPPS.exe"="C:\WINDOWS\system32\lexpps.exe" [02/25/2003 05:50 PM]




    -- End of Deckard's System Scanner: finished at 2007-09-24 22:36:11 ------------
    Cheers

    Jae
     
  15. 2007/09/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Jae

    OK about the wall paper.
    How comfortable are you with the registry?
    I would like to check something, there are a couple ways to do this, one is you checking manually the other is a command line.

    If you can check it, then here is what I want you to do.
    Click on Start > Run > type in regedit click OK
    Click on this Key and all the subkeys until you get to ActiveDesktop

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Click on ActiveDesktop and tell me if this is listed in the right pane, and what the DWord value is....be it 0 or 1

    Look in the right pane for a value called NoChangingWallPaper.

    Or we can do it this way.

    Click on Start > Run type in cmd click OK, a command box will open
    Then copy and paste this in the command box and hit enter.

    regedit.exe /e c:\wallpaper.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Copy and paste the contents of c:\wallpaper.txt here.

    Thanks
    Geri
     
  16. 2007/09/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Jae
    Also,
    The HJT log in the dss log is somewhat weird so I would like you to run a regular HJT scan from your kids account and post the log.

    Thanks
    Geri
     
  17. 2007/09/25
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Geri

    I tried the second way with no joy, as that account will not connect to the internet, I typed the command, no luck.

    The first way, I followed all of the sub keys to policies, to find there was no "active desktop". Instead there was an explorer folder. In the right hand pane was "REG DWORD No drive type auto" and "REGsz 0x00000095(149) if this means anything

    Cheers

    Jae
     
  18. 2007/09/25
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Geri,

    I just about missed your second reply

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:23:15 PM, on 9/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKUS\S-1-5-21-2696166679-282274220-1199131496-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'DAD')
    O4 - HKUS\S-1-5-21-2696166679-282274220-1199131496-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'DAD')
    O4 - HKUS\S-1-5-21-2696166679-282274220-1199131496-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'DAD')
    O4 - HKUS\S-1-5-21-2696166679-282274220-1199131496-1006\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User 'DAD')
    O4 - HKUS\S-1-5-21-2696166679-282274220-1199131496-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'DAD')
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.kol.co.nz
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140056860937
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4004673-4AD4-44AB-89BC-FCCC626FD816}: NameServer = 210.55.12.1 210.55.12.2
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8529 bytes

    Cheers

    Jae
     
  19. 2007/09/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Jae
    Ok please do this for me.

    While logged into your kids account

    Click on this.

    dsspaths

    Save it to C:\ drive and double click it. A log will open in just a few seconds. Post the contents of that log.

    Thanks
    Geri
     
  20. 2007/09/26
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Geri,


    AppDataCommonDir = C:\Documents and Settings\All Users\Application Data
    DesktopCommonDir = C:\Documents and Settings\All Users\Desktop
    DocumentsCommonDir = C:\Documents and Settings\All Users\Documents
    FavoritesCommonDir = C:\Documents and Settings\All Users\Favorites
    ProgramsCommonDir = C:\Documents and Settings\All Users\Start Menu\Programs
    StartMenuCommonDir = C:\Documents and Settings\All Users\Start Menu
    StartupCommonDir = C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    AppDataDir =
    DesktopDir =
    MyDocumentsDir =
    FavoritesDir =
    ProgramsDir =
    StartMenuDir =
    StartupDir =
    UserProfileDir = C:\Documents and Settings\1

    HomeDrive = C:
    HomePath = \Documents and Settings\1
    HomeShare =
    LogonDNSDomain =
    LogonDomain = MARINO
    LogonServer = \\MARINO
    ProgramFilesDir = C:\Program Files
    CommonFilesDir = C:\Program Files\Common Files
    WindowsDir = C:\WINDOWS
    SystemDir = C:\WINDOWS\system32
    TempDir = C:\WINDOWS\TEMP
    ComSpec = C:\WINDOWS\system32\cmd.exe

    Cheers

    Geri
     
  21. 2007/09/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Jae
    Ok Please do this.

    Click on Start > Run type in cmd click OK, a command box will open
    Then copy and paste this in the command box and hit enter.


    regedit.exe /e c:\ShellFolders.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"


    Copy and paste the contents of c:\shellfolders.txt here.

    Can you tell me the username on the kids account, what the folder name is for it in Docs & Settings.
    Appears to be 1 ? I need to make sure.

    Thanks
    Geri
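
An added example, not part of the original thread or of any tool named in it: a small Python reader for the text files that the two `regedit.exe /e` commands above produce, reporting whether `NoChangingWallPaper` is set and which per-user `Shell Folders` values are empty. The sample export, the user name in it and all function names are constructed for illustration; a real export is UTF-16 and should be read with `encoding="utf-16"`.

```python
import re

# Constructed sample in the "Version 5.00" layout that regedit.exe /e writes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\Documents and Settings\\user\\Desktop"
"AppData"=""
'''

POLICY_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
SHELL_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    # Strip the surrounding quotes and undo the \\ and \" escapes.
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # hex: data continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:     # header, blank line, or stray text
            continue
        name = '' if m.group(1) == '@' else _unquote(m.group(1))
        data = m.group(2)
        if data.startswith('dword:'):
            current[name] = int(data[6:], 16)
        elif data.startswith('"'):
            current[name] = _unquote(data)
        else:
            current[name] = data         # hex:, hex(2): etc. kept as raw text
    return keys


def lookup(keys, path, name):
    """Case-insensitive lookup; None when the key or the value is absent."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def wallpaper_locked(keys):
    # The policy is in force only when the DWORD exists and equals 1.
    return lookup(keys, POLICY_KEY, 'NoChangingWallPaper') == 1


def empty_shell_folders(keys):
    # Names of per-user folder values that are present but blank.
    for k, values in keys.items():
        if k.lower() == SHELL_KEY.lower():
            return sorted(n for n, v in values.items() if v == '')
    return []
```

An export in which the `ActiveDesktop` key does not appear at all parses to a dictionary without that key, so `wallpaper_locked` returns `False` rather than raising.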
     
