Computer acting weird after 'AC-Protect' or 'Qwik Fix'

Discussion in 'adware, spyware & hijack cleaning' started by vkidv, May 16, 2004.

Thread Status:
Not open for further replies.
  1. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Computer acting weird after 'AC-Protect' or 'Qwik Fix' [Solved]

    Well.. My computer is being very weird and I am sure it is not spyware.

    I was searching for a way to compress .exe files other than UPX on my programs. I found one called 'AC Protect', installed it, uninstalled it, found it was a load of 'crap'. Then I realized the sites were a scam:
    www.anticrack.us

    http://www.ultraprotect.com
    The only reason I believed it is because it was on Tucows and some other downloading places.

    It also caused Spybot S&D 1.3 to react when I tried to uninstall it [I did it manually, I remember =)]
    Code:
    15/05/2004 12:58:18 Encountered and terminated ActualNames.AdvSearch in C:\Program Files\ACProtect\unins000.exe!
    15/05/2004 12:58:18 Encountered and terminated ActualNames.AdvSearch in C:\DOCUME~1\IMPROF~1\LOCALS~1\Temp\_iu14D2N.tmp!
    
    I am annoyed for a few reasons - All my IE toolbars have gone, I liked these toolbars :(
    I posted this in a different topic btw; https://www.wilderssecurity.com/showthread.php?t=32414

    Here is my HijackThis logfile:
    Just so you know - Improfane is another of my aliases - Not spyware [I set a lot of that to that]

    And the GameFaqs and Habbocrazy - ugh, I forgot to remove them so I could log in.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:06:47, on 16/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
    C:\Program Files\Anti\SpywareGuard\sgmain.exe
    C:\Program Files\VisualZone\VisualZone.exe
    C:\Program Files\Proxomitron\Proxomitron.exe
    C:\Program Files\Anti\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wisptis.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Winamp 5\winamp.exe
    C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Star Downloader\stardown.exe
    C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Improfane\My Documents\Progs\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Improfane\Application Data\Mozilla\Profiles\default\ptxy0zaa.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Improfane\Application Data\Mozilla\Profiles\default\ptxy0zaa.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\ANTI\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {A09790E7-DD00-4A83-B632-5B563423CFBB} - C:\Program Files\SmartPopupKiller\PopupKillerIEDLL.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [] C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: BHODemon.lnk = C:\Documents and Settings\Improfane\My Documents\Progs\BHODemon\BHODemon.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk.disabled
    O4 - Startup: MsgPlus.lnk = C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    O4 - Startup: TaskManager.lnk = C:\I386\TASKMGR.EXE
    O4 - Startup: TextScan.lnk.disabled
    O4 - Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk.disabled
    O4 - Global Startup: MRU Blast Silent Clean.lnk = C:\Program Files\Anti\MRU-Blaster\mrublaster.exe
    O4 - Global Startup: Smart Popup Killer.REGIM.lnk.disabled
    O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\Anti\SpywareGuard\sgmain.exe
    O4 - Global Startup: VisualZone.lnk = C:\Program Files\VisualZone\VisualZone.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: AcuteSearch Settings... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
    O9 - Extra button: Offline (HKLM)
    O15 - Trusted Zone: *.gamefaqs.com
    O15 - Trusted Zone: *.habbocrazy.co.uk
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} (NSAuto Class) - http://us.i1.yimg.com/us.yimg.com/i/msgr/yauto_remove.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Improfane
    O17 - HKLM\Software\..\Telephony: DomainName = Improfane



    There! If you need any more info - Please ask.
     
    Last edited: May 19, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi vkidv,

    All your toolbars look to be present.
    Do you have them showing?
    In IE click View > Toolbars

    Regards,

    Pieter
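
The reading of the log behind the reply above, as an added example that is not part of the original thread: O3 lines show which toolbars are registered, O2 lines show which DLLs load as Browser Helper Objects, and a trailing note such as "(disabled by BHODemon)" marks an entry that is registered but not active. The sample lines are copied from the HijackThis log posted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# A few lines copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {A09790E7-DD00-4A83-B632-5B563423CFBB} - C:\Program Files\SmartPopupKiller\PopupKillerIEDLL.dll (disabled by BHODemon)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

SECTION = re.compile(r"^([A-Z]\d{1,2}) - ")
# O2/O3 lines look like: "<code> - <kind>: <name> - {CLSID} - <path> [(note)]"
COM_LINE = re.compile(
    r"^(?P<code>O2|O3) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?: \((?P<note>[^()]*)\))?$"
)

def parse_log(text):
    """Group log lines by section code; O2/O3 lines become dicts, others stay raw."""
    sections = defaultdict(list)
    for line in (raw.strip() for raw in text.splitlines()):
        code = SECTION.match(line)
        if not code:
            continue  # header lines, process list, blanks
        com = COM_LINE.match(line)
        sections[code.group(1)].append(com.groupdict() if com else line)
    return sections

def toolbar_report(sections):
    """For each registered toolbar (O3), say whether the same DLL is also a BHO (O2)."""
    bho_by_dll = {e["path"].lower(): e for e in sections["O2"] if isinstance(e, dict)}
    report = []
    for tb in sections["O3"]:
        if not isinstance(tb, dict):
            continue
        bho = bho_by_dll.get(tb["path"].lower())
        report.append({"toolbar": tb["name"].replace("&", ""),  # "&" marks the menu hotkey
                       "clsid": tb["clsid"],
                       "has_bho": bho is not None,
                       "bho_note": bho["note"] if bho else None})
    return report

def disabled_entries(sections):
    """O2/O3 entries carrying a trailing note, e.g. "(disabled by BHODemon)"."""
    return [e for code in ("O2", "O3") for e in sections[code]
            if isinstance(e, dict) and e["note"]]

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for row in toolbar_report(parsed):
        print(row)
    print(disabled_entries(parsed))
```

An O3 entry only proves the toolbar is registered; whether Internet Explorer displays it is decided elsewhere, which is why the log alone could not settle the question.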
     
  3. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Thanks much for the reply :D

    They are not in that menu.. Absolutely nothing there... Even in Windows Explorer I right click a blank toolbar-space or View -> Toolbars, nothing else in there apart from the general things.

    Any ideas how I can enable them?

    And as one may try to re-install them - I tried. No success =(
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi vkidv,

    Click Start > Run > copy&paste regedit /e C:\toolbar.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" >OK

    Then find C:\toolbar.reg and post the content.

    Regards,

    Pieter
     
  5. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Ok. Do you notice anything weird there? At first glance I can't.
     
  6. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Can you help then?

    I'm upset about my poor toolbars :(
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi vkidv,

    Sorry you had to wait so long. Sometimes I just can't find all the time. :oops:

    Save the bold below in notepad, then save the file as mybars.reg

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "SpecifyDefaultButtons"=dword:00000000
    "NoToolbarCustomize"=dword:00000000


    Doubleclick the file and confirm you want to merge it with the registry.

    If that does not work repeat the procedure in my previous post for:

    regedit /e C:\toolbar2.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars"

    Then find C:\toolbar2.reg and post the content.

    Regards,

    Pieter
     
  8. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    I have not restarted/logged off for an effect yet, but I'll post this:

    Thanks for the help so far - I'm sorry about rushing you.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hang on to the regfiles we made. You may need them as backup in case I'm on the wrong track here.

    Download the file I attached and save it as barsbegone.reg
    Doubleclick that file and confirm you want to merge it with the registry.

    Then open IE and check if you can set the toolbars to show.

    Regards,

    Pieter
     

  10. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    I've restarted and they still don't show up:


    http://www.improfane.pwp.blueyonder.co.uk/pics/dontshowup.PNG

    Any more ideas ? :doubt: :'(

    I fear that it could be a simple button somewhere like 'Display/Disable toolbars' :(

    Please note that I have tried re-installing these bars and they still don't come back.

    I am going to see if this affects the other users on this computer; I'll post if I see them there or not.

    Well Thanks so far =D
     
  11. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Ahuh!

    I think it may have been solved. I tried to re-install Google Toolbar and this message came up:

    http://www.improfane.pwp.blueyonder.co.uk/pics/bhodisabled.PNG

    I don't know how they were disabled - It was either the reg-files you told me to try to find the problem or one of my apps disabled them.

    I'm going to press YES now and I hope my toolbars will come back up.
    I'll let you know how it goes..



    EDIT: YAY! THEY're BACK!! My Toolbars are back! :p :p :D :D
    Thanks so much for the help Pieter :D :D And thank you, Google. :cool:

    Thanks again! :-* :-* :D :D :oops:
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The idea was good, but I was barking up the wrong tree.

    Thank YOU for finding that out. I learned some things in this thread. :cool:

    Regards,

    Pieter
     