[rhemerick]

I'm racking my brain here! I have a friend's HP Pavilion a320n and I just removed about 89 spyware and trojan related objects from it. I got his IE homepage back, but I can't open any progams related to antispyware, adaware, or antivirus (Norton). I double click, there's an hour glass for a second...and then...nothing. If I use the "Run As" feature and switch the user to myself (I hope that makes sense), I can open them right away. HOwever, as you can imagine, this is not ideal.

I've googled the living snot out of this and found nothing but "Format your drive" for advice. Can anyone suggest an alternative?

For what it's worth, here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:49:16 AM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\Parasite Defense\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\pentpi32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116606959875
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O21 - SSODL: Remote Component - {40B83A72-B7D1-490C-AC38-2A90E3D4E1E9} - C:\WINDOWS\System32\regsldpc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thank you,

King of Nothing

[gerryf]

http://www.dougknox..../file_assoc.htm

Batch File Association Fix (Restore the default associations for BAT files)
CPL File Association Fix (Restore the default associations for CPL files)
COM File Association Fix (Restore the default associations for COM files)
EXE File Association Fix (Restore default association for EXE files)
Folder Association Fix (Restore default associations for File Folders)
LNK (Shortcut) File Association Fix (Restores Default Shortcut Behavior)

download all the above

[rhemerick]

I downloaded them all.

Nothing seems to have changed--still can't open anything with antispyware, or antivirus in the filename.

[gerryf]

Here's an old trick that sometimes works

Log out, log back in as yourself (other account) that works.

Start > run
regedit
enter

select HKEY CURRENT USER > EXPORT

save it as FIX.REG in root (c:\)

reboot

log in as friend's bad account

navigate to c:\, double click fix.reg

say yes...it will complain about some things being in use...don't worry, just say ok

reboot again, log in as friend again...fix?

[rhemerick]

I need to clarify first. No matter what account I use, I cannot run the programs by double clicking, enter, etc. As an example, if I am logged in as "Owner," I cannot open the programs normally. If I right-click, choose "Run As," the current user button is selected and the current user is YOUR-XHTR8HVC4p\Owner. The "Protect my computer..." box is checked. I select the "The Following User" radio button, and then choose to run it as "Owner" (the same account that I am logged on as), and the program runs.

Should I still try the Fix.Reg thing?

[gerryf]

no

are you trying to run a shortcut, or the file directly (in c:\program files\name of program).

what specific apps are you trying

[rhemerick]

I was using the shortcuts. However, I just tried the programs themselves (via c:\Programs Files...) and it stil doesn't work.

So far, it only seems to affetc Microsoft AntiSpyware, Adaware, and Norton. I haven't tried everything, but normal apps and programs seem to run find (IE, Media Player, Adobe, etc.).

Also, and this might possibly be unrelated, Windows freezes during shutdown frequently (but not always).

[rhemerick]

UPDATE!

I tried to uninstall Norton, and I can't. In the Add/Remove Programs screen, clicking "Remove" on the Norton programs does nothing. So I used the CD to uninstall, and it failed.

[stitchuno]

I have been having the same exact problem and my hijackthis log about the same as that. Only counterspy has been successful in completing a virus scan (though it finds nothing). I am very unsure about how to deal with this problem since I have such a hard time opening programs. IE doesn't really work that much, but there are zero signs of pop ups.

If you have any updates...I need to know!!!

[Wishspell]

Do you have Malwarebytes? Go to www.malwarebytes.org and install it. it's free. If you can't install from the site, save it to a thumb drive and install it that way. It must be updated to a certain point to work. There is a folder called Chameleon, in there you will find svchost.exe Double-click the svchost.exe and it will open a dos box. Then it will turn off any malware running on the computer and update itself. It will automatically clean the infections. There are other files in that folder for other malware as well. Give it time, it takes a while. When done, reboot and run malwarebytes one more time to be sure everything is gone. Then you should be able to open up ad-aware.

Another thing happening could be your firewall or another anti-spyware/virus program. You may have to disable them and stop them from running. You can do this with a simple ctrl-alt and tap the delete key and a box will come up. Look under the applications tab and disable anything that has to do with any spyware or virus programs. You will have to check processes for it as well. Disable that firewall too. I must tell you this is for windows xp but can be used for windows 7. There may be variations.

There is a fake antivirus program called Live Platinum, I helped a friend remove it with chameleon. There are different files in there to get rid of different problems but try that svchost.exe first. This sounds like that program since it doesn't allow you to double-click on anything if I understand right. My friends keyboard was disabled by this thing.

Look in add/remove programs and get rid of ALL TOOLBARS. They are worthless. Also google chrome is a culprit for many problems. BTW, GC sends information to the government, it's a big spy browser.

Mircosoft's version of anti-spyware and virus protection is garbage. By the time it pops up with a warning, you are already infected.

I hope this helps. I still run XP and like Ad-aware but normally use an older version of Zone Alarm security suite. It has full features. I installed this new ad-aware to test it and also use it as a 2nd program to check my computer along with malwarebytes.

[happyrock]

Hi Wishspell ... ..

this topic was Posted 20 May 2005 - 09:56 AM
posting to threads 7 years old isn't helpful...try something more recent

and do not give any malware removal advice in any topic...only those people certified can give malware advice and only in the malware removal forum