[sonicshadow]

The scanner's result:

Result: 2 malware found
AdTool.Win32.MyWebSearch (spyware)

* System

Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 47051
* System: 4691
* Not scanned: 20

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{1FE5EC0D-3062-4501-8098-49F698047035}.BIN
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6C08B5BBBEB3FEAC27EA5B6CD0F1DCC8_66A38FD2-D1E3-4212-B66C-5995690844E9
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6C08B5BBBEB3FEAC27EA5B6CD0F1DCC8_66A38FD2-D1E3-4212-B66C-5995690844E9
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL


The new HJT Log:
 HJTLog.txt   12.72KB   155 downloads

[Advertisements]

The log looks clear. Still having problems?

[JSntgRvr]

The log looks clear. Still having problems?

[sonicshadow]

Unfortunately, yes. Windows Live Messenger is the program I use to test, and it still closes once i click on "Sign In"

In fact, all of the problems are like that. I can open them, but once I click on anything, THEN it closes. Maybe that helps a little?

[JSntgRvr]

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
Policies

[Exclude]

[Options]
Filter=KLU

2. Download Registry Search to your desktop.

• Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
• Open the new folder, and double click on regsearch.exe
• Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
• Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
• Please reply here with the entire contents of the Notepad file from RegSearch.

[sonicshadow]

Just my luck. Notepad has JUST joined the list of essentially unusable programs. I made the new options.txt on a separate CPU to send to myself for use. I can't copy and paste it, so here it is, attached:

 RegSearch.txt   51.84KB   1206 downloads

[JSntgRvr]

Lets check for a Rootkit:

Please download gmer rootkit detector from the following link:

Link 1

• Unzip it and double click the gmer.exe file
• Select rootkit tab.
• Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
• Press scan
• When it has finished press save & post back the log it makes
• Repeat the proces with the Autostarts tab and do the same there

[sonicshadow]

Here are the results for the gmer scan:

 gmerresults.txt   3.72KB   125 downloads

one thing I noticed though: There is a certain program that was installed. It was a really old Chinese-english dictionary, probably programmed before Vista was invented. It opens on startup, along with Windows live. I tried to click "sign on" but it closed, as usual with the error message. I noticed the quicklaunch logo for the dictionary program, and closed it. I tried windows live again, and it worked. But I'm not sure under what conditions this works or not. sometimes the quicklaunch for the program isn't where it's supposed to be, and yet it still fails to work.

What should I do with it?

[JSntgRvr]

Hi, sonicshadow

Perform a clean boot to trouble shoot Windows:

How to perform a clean boot procedure on a Windows Vista-based computer

Note: You may experience a temporary loss of some services functionality when you follow these steps. When you restore the settings, the functionality will be restored. However, the original error message or behavior may return.

• Click StartStart button, type msconfig in the Start Search box, and then press ENTER.
  

  User Account Control permission:
  If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.
  

• On the General tab, click Selective Startup.
• Under Selective Startup, click to clear the Load Startup Items check box.
• Click the Services tab, click to select the Hide All Microsoft Services check box, and then click Disable All.
• Click OK, and then click Restart.
• After the computer starts, test the computer and see whether the problems occur. If the problem does not occur, continue to with the following to determine what is causing the problem.

Determine what is causing the problem

Step 1: Start the System Configuration Utility Windows Vista

To start the System Configuration Utility in Windows Vista, click StartStart button in the Start Search box, type msconfig, and then press ENTER.

User Account Control permission:
If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.

Step 2: Enable half the Services items

• Click the Services tab, click to select the Hide All Microsoft Services check box.
• Click to select half of the check boxes in the Services list.
• Click OK, and then click Restart.

Step 3: Determine whether the problem returns

• Test the computer.
• If this problem occurs, repeat step 1 and step 2. In step 2.b. click to clear half of the check boxes that you originally selected in the Services list.
• If this problem does not occur, repeat step 1 and step 2. In step 2.b. select only half of the remaining check boxes that are cleared in the Services list. Keep doing this until you have selected all the check boxes.
• If only one service is selected in the Services list, and you experience this problem, the service that is selected in the list is the service that is causing the problem. Go to step 6.
• If you find that the items in the Services list are not causing this problem, go to step 4.

Step 4: Enable half of the Startup items:

• Repeat step 1.
• Click the Startup tab, and then click to select half of the check boxes in the Startup list.
• Click OK, and then click Restart

.
Step 5: Determine whether the problem returns

• Test the computer:
• If this problem occurs, repeat step 1 and step 4. In step 4.b., click to clear half of the check boxes that you originally selected in the Startup list.
• If this problem does not occur, repeat step 1 and step 4. In step 4.b., select only half of the remaining check boxes that are cleared in the Startup list. Keep doing this until you have selected all the check boxes.
• If only one service is set in the Startup list, and this problem occurs, the service that is set in the list is the service that is causing the problem. Go to step 6.

Step 6: Resolve the problem

After you determine the specific program or service that causes the behavior, contact the program manufacturer to determine whether the issue can be resolved. Or, you can run the System Configuration Utility with the offending program or service unchecked on the list.

[sonicshadow]

Hi,

It looks like disabling the program in question works, and consistently too. The program was called Kingsoft Powerword. Since it's old, and I don't really need it anymore. Would uninstalling the program work just as well as keeping it disabled?

[JSntgRvr]

Great. Keep me posted on any development. Does the issue with Notepad resolves when this program is disabled?

[sonicshadow]

It looks like everything has been fixed. It's been roughly 2 days since I disabled the program, and I have yet to encounter the same problem.

Thank you for your help

[JSntgRvr]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.