Active X issues


33 replies to this topic

#16 CAPTAIN

Authentic Member • 41 posts

Posted 15 June 2005 - 12:27 PM

Norton Internet Security 2005. I don't have the info on the McAfee as it came on the computer that I got this year. Can't locate the file to pull the info up. I would say it's the 2005 version.


#17 rand1038

Take over your PC or someone else will.
Authentic Member • 1,100 posts

Posted 15 June 2005 - 09:56 PM

Follow the instructions here to remove Norton Internet Security 2005. If you have already run the uninstaller (which it looks like you have done according to your HJT log) then skip down to "Section 2: Using SymNRT".

Next, follow the instructions here to uninstall McAfee. You should be able to skip down to "Download the registry cleanup file" as it appears you have already used Add/Remove programs.

Once both of those steps are done, reboot and see if things work properly. If not, post a fresh HJT log and we'll go from there.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.


#18 CAPTAIN

Posted 16 June 2005 - 07:23 AM

Still not working. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:20:28 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - http://jpedownload.j....com/wi/p2p.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....sa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Unknown owner - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

#19 rand1038

Posted 17 June 2005 - 04:40 PM

First, run HijackThis and place a checkmark in the boxes next to the O23 lines that have "Symantec" or "McAfee" in them then click "fix checked". I'm writing a script so you will be able to see my computer in Internet Options and will also be able to allow activex to run in the local machine zone. I'll post it in a bit. I think the script will most likely take care of your problem.
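The O23 cleanup step in post #19, as an added example that is not part of the original thread: a small Python parser that picks out the O23 service entries naming Symantec or McAfee and records which are marked "(file missing)". The sample lines are copied from the log in post #18; the function names are this example's own.

```python
# Added example (not from the thread): list leftover O23 service entries.

# Sample lines copied from the HijackThis log in post #18.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Unknown owner - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
"""

MISSING = "(file missing)"


def parse_o23(line):
    """Parse 'O23 - Service: <name> - <owner> - <path>'; None if not O23."""
    prefix = "O23 - Service: "
    line = line.strip()
    if not line.startswith(prefix):
        return None
    # Split from the right: the service name itself may contain " - ".
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return {"name": name, "owner": owner, "path": path, "file_missing": missing}


def leftover_services(log_text, vendors=("symantec", "mcafee")):
    """Return O23 entries whose name or path mentions one of the vendors."""
    hits = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        haystack = (svc["name"] + " " + svc["path"]).lower()
        if any(v in haystack for v in vendors):
            hits.append(svc)
    return hits


if __name__ == "__main__":
    for svc in leftover_services(SAMPLE_LOG):
        state = "orphaned" if svc["file_missing"] else "binary present"
        print(f"{svc['name']}: {state} -> {svc['path']}")
```
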

#20 rand1038

Posted 17 June 2005 - 06:49 PM

Ok CAPTAIN, I think your problem is being caused by SP2 which changes ActiveX settings for the local zone. I've written a script that can toggle these settings. It is included as an attachment to this post. Click the link to download it then unzip it (right click and choose Extract).

Once you have extracted it then double click to run it. Say yes to the two prompts, which will then give you a dialog telling you the action was performed. Once that is done go to Start > Control Panel > Internet Options and click the security tab. You should see a My Computer icon there now, click to highlight it and then click the custom level button. In the dialog that comes up click the dropdown box and choose medium then click the reset button next to the box. Close all the dialogs with the ok buttons and see if things work now (you will most likely get a prompt asking to allow the activex control to run).

The script toggles the settings only for the current user. Each user on the machine will need to run it if they have to use ActiveX in the local zone.
The script can also turn the protection back on. If you share your computer I recommend you run the script again and choose to hide My Computer in IE's Security but decline to lock Internet Explorer.

Let us know how things work out.

File removed, updated file link in next post.

Edited by rand1038, 18 June 2005 - 12:46 PM.


#21 CAPTAIN

Posted 18 June 2005 - 09:22 AM

Ran the program and I can't get the "my computer" icon to come up once I hit the security tab.

#22 rand1038

Posted 18 June 2005 - 12:36 PM

When you run the script do you get dialog boxes (yes/no buttons) and message boxes (just an ok button) asking you what to do and letting you know it was done? If not, you may be running a program that blocks scripts. Check your monitoring programs (antivirus, malware scanners, registry monitors) and make sure they are set to prompt or allow (preferably prompt) scripts to run.

If you are running any registry monitoring programs shut them down before you run the script, it makes changes to the registry which they may silently block.

Go to Start > Control Panel > User Accounts. Click the name of the account you are using then click "Change my account type" and in the window that comes up make sure "Administrator" is selected. If it is not you can try changing it but that will probably not work. You will need to sign on with the Administrator account and then change the settings for the account you normally use.

I wrote some checks into the script that should shed some light into what is happening. Download the copy I have attached to this post, unzip it and run it again. It will let you know if you do not have administrator privileges and if it was successful in changing the registry settings.

Attachment removed. See below for revised version.

Edited by rand1038, 21 June 2005 - 09:50 PM.


#23 CAPTAIN

Posted 18 June 2005 - 05:20 PM

I'm getting the dialog boxes and everything is unlocked. I don't get the my computer icon when I click on the securities tab. I unzipped the new link you gave me and now I'm getting a runtime error when I try to open the control panel.

#24 rand1038

Posted 18 June 2005 - 06:21 PM

What does the error say?

#25 CAPTAIN

Posted 18 June 2005 - 06:26 PM

Runtime error Program:C:/windows/explorer.exe abnormal program termination This won't let me open the control panel.

Edited by CAPTAIN, 18 June 2005 - 06:26 PM.


#26 rand1038

Posted 19 June 2005 - 08:38 AM

That is interesting. The script should not affect explorer at all. I've run it multiple times on my system (XP) during testing and it does as expected with no side effects.

If you haven't done so yet, reboot the computer and see if the explorer problem still occurs, if it does then do the following.

First make sure the script has IE Unlocked and Local Zone visible. When you run the script the titles of the Yes/No dialog boxes show the current state of these items.

Go to Start > Run and in the run box type CMD and click ok.
In the command window that opens type CONTROL INETCPL.CPL and press enter. There is one space between the L and the I. This should open up the Internet Options dialog box.

Proceed with resetting the local zone settings to medium as I explained in the earlier post.

#27 CAPTAIN

Posted 19 June 2005 - 06:39 PM

I got the runtime error issue resolved and followed the rest of your instructions. I'm still having the active x issue. I just ran the Norton Program again and the active x issue comes up when I try to register the product. The program can not continue at that point.

#28 rand1038

Posted 21 June 2005 - 12:02 PM

I'd be interested to know what you had to do to solve the runtime error. I assume that you ran the second version of the script that I posted and ended up with message boxes saying "Internet Explorer Unlocked" and "My Computer is now visible in IE Security Tab". How about the scanner, does that work now?

#29 CAPTAIN

Posted 21 June 2005 - 04:37 PM

I solved the problem with the runtime error by running an adware scan and then deleting them. Then I was able to open the control panel. I ended up with the boxes saying "Internet Explorer Unlocked" and "My Computer is now visible in IE Security Tab". But "My Computer" still isn't visible in the IE Security tab. The boxes say it is, but it's not. At this time, I still have a problem with Norton and my scanner. The box comes up that my current security setting prohibits running active x controls on this page, therefore the page can not be displayed correctly.

Edited by CAPTAIN, 21 June 2005 - 04:37 PM.


#30 rand1038

Posted 21 June 2005 - 08:36 PM

> I solved the problem with the runtime error by running an adware scan and then deleting them. Then I was able to open the control panel.

My guess would be you had a bogus copy of rundll32 in your path, probably in the Windows folder.

> At This time, I still have a problem with Norton and my scanner. The box comes up that My current security setting prohibits running active x controls on this page, therefore the page can not be displayed correctly.

These problems will continue until we get ActiveX going in the Local Zone. I am doing some checking right now, I'll get back to you in a little bit.
