Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycler

Discussion in 'adware, spyware & hijack cleaning' started by Bill Baynton, Jul 20, 2004.

Thread Status:
Not open for further replies.
  1. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Hi, I'm new to this or any forum. I'm registered and hope this is the correct procedure. I just saw your following, which sounds much like my experience.

    https://www.wilderssecurity.com/showthread.php?goto=lastpost&t=39754

    I've been at this since July 14, getting to bed at 10:00 am one time and going 48 hours this weekend. I'm not a computer whiz, but have learned from the web , advice from known geeks and experience.

    I use Netscape from XP Pro, but am forced to use IE on some pages for download or other compatability not satisfied by Netscape. My reboots were taking increasingly longer, and then I began to get popups on IE only.

    I could use any assistance in removing what appears to be a linked bug, resident in c: and d:\recycler that resists removal, I'm assuming because it's linked to a system file that's always running?

    I have had this CWS bug - HSA=Home Search Assistant + SE=Search Assistant + SW=Shopping Wizard. At the least, I've had both the Db variant FC327B3F-377B-4CB7-8B61-27CD69816BC3 and the WUInst variant E2F2BDO-96B9-4B25-B90C-636ECB207D18 (since I removed them from the register). The way this thing works is to combat removal of its exe, dll or dat files with the production of a next set (even when removed from safe mode). The exe (and I think dll) appear in both c:\windows and c:\windows\system32. The dat are only in one of these.

    All of the following applications have been installed since this fight began. For a day or so, I've had Ad-Aware 6.0 running clean, after using Ad-Aware, HijackThis, CWShredder, HSRemove and Advanced Uninstaller Pro (to force out the 3 programs from "remove programs"). In its last scan before reporting clear, Ad-Aware reported "Coolwebsearch object recognized: 00000970.dll in c:\recycler\nprotect, but one of the forums said it can't remove the object. The HSA, SE and SW kept reappearing in the register (don't know if still), and were reported at the same time. I'm assuming the dll is still there and the register clear, so Ad-Aware is clear.

    Sunday, it became more clear what this thing does. I have it to the point, I think, where there is exactly the same object in each of c:\recycler and d:\recycler - S-1-5-21-1078081533-1682526488-842925246-1003 (but it's linked to something somewhere else, I think). The 1003 is my profile ID. The one in d: remains a contant size. The one in c: accumulates by a few k every time I try to remove either with Advanced Uninstaller Pro (responds being used by something else). When I disable every program, I can only see the file in d: (suggesting that the one in c: is driven by some program). When I also disable every process except system and svchost in task manager, I still can't delete from Advanced Uninstaller Pro (suggesting it's somehow tied to something in one of the O/S objects). In safe mode, from command for each of c:\recycler and d:\recycler, I did del *.* after attrib -s,-h and -r and response was no files there. Having reviewed my post, I now see that Ad-Aware had the dll in c:\recycler\nprotect (now suspect I tried to remove from recycler only).

    When an attempt is made to delete these recycler objects, it produces exactly the same object entries in c:\docs & selections for every profile and local service for temp and. I believe one of the folders that it keeps reproducing is named Content-IE5. In the 1st instance, it also produced a dll in c:\windows or c:\windows\system32. I suspect the absence of a subsequent dll is because this thing works in stages, and I'm now using AVA Find to monitor S-1-5-21-....I only found this and easy removal with AVA Find. The 1003 suffix in docs & setting changes to correspond to the number assigned each profile. If the user at time of removal is different, the object in recycler has that corresponding suffix.

    I'm just drowing in all the twists and turns that this removal has taken, but would appreciate any final assistance to eradicate this beast. The folks that designed this thing should be keel-hauled. Many thanks. Bill
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It's important to disable the Norton Protected Recycle bin in order to be able to get rid of those files; if they resist removal, it's a good idea to simply delete the Recycler folders (you need to end task on Explorer.exe in order to be able to do that from a Command prompt). On reboot new Recycler folders will be created automatically.

    But let's have a closer look:

    Go to https://www.wilderssecurity.com/showthread.php?t=12516, and download Hijack This.

    Unzip to a folder other than your Desktop or the Temp folder, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    Thanks so much Tony for the nice surprise of your reply after some beauty sleep.

    At the bottom is the log of HijackThis, which I had with current update.

    I'm reasonably sure I tried tried deleting these files after disabling Norton Proteceted Recycle bin, but combination of being battle weary and "monkey see/do" makes it confusing. I've had some difficulty knowing if I'm properly identifying these hidden directories and their files from command prompt.

    FYI, upon start a few minutes ago, I rechecked my S-1-5-21... with AVA Find. I had previously renamed this object for each on c: and d:\recycler as same with an additional x at the end of its name, thinking it might defeat a reference to it. They were still there, the one in d: of 2k size and the one on c: of 34k. There was a new one, back to suffix 1003 and of 2k size on d: (which I deleted from AVA Find.

    Logfile of HijackThis v1.98.0
    Scan saved at 9:15:13 AM, on 20/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AvaFind\AvaFind.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\PROGRA~1\Netscape\Netscape\Netscp.exe
    C:\Hijack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\Bill\Application Data\Mozilla\Profiles\default\ipzxuxse.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Bill\Application Data\Mozilla\Profiles\default\ipzxuxse.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-ca\msntb.dll
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01...builds/MMD/MMRADIO/DNL/999993077/MMLRadio.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    Thanks so much, Tony. Bill
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    Well, your log looks clean.

    First make sure the Norton Protected Recycle bin is disabled on both drives.

    Now Open a Command Prompt window (Start > Run > Cmd) and leave it open. Close all open programs.

    Click Start, Run, enter taskmgr and press OK in order to bring up Task Manager.
    Go to the Processes tab and End Process on Explorer.exe.

    Leave Task Manager open. Go back to the Command Prompt window , and type: rd /s c:\recycler in order to delete your Recycle Bin.
    Answer Yes when prompted to confirm deletion.

    Do the same with D:\Recycler

    NOTE: that command reads "rd (space)/s (space) c:\recycled"

    Go back to Task Manager, click File > New Task and enter EXPLORER.EXE to restart the GUI shell. Close Task Manager.

    Restart your computer. New Recycle Bins will automatically be created.

    Tell us how that goes...
     
  5. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    Boy, you're faster than I imagined, Tony. Thks. I'll check back every 1/2 hr.

    Welll, when you asked me to disable, I guess I never have or it's lost in the mists. I did a websearch to see direction to right click the bin for the disable option, but none apparent. Then did another search, suggesting, in that event, there might be corruption with suggested fix (which I haven't digested): http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20839435.html

    If not correct, I don't want to do anything before you direct, so I don't screw it up? Thks. Bill
     
  6. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    Sorry, in now digesting the forum referenced above (5th printed pg, 01/02/2004 04:10PM, I see that you rt click the Norton Protected Recycle, go to properties and then Norton protection tab, then uncheck the box to enable protection for each drive. Mine were checked, so I'll now proceed as you suggested. Bill
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  8. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    You're the bomb, Tony. I just rebooted and checked my famous S-1 5-21..., and there is only a single reference under C:\Documents and Settings\Bill\Application Data\Microsoft\Protect\S-1-5-21-1078081533-1682526488-842925246-1003
    which I'll delete, empty the recycle bin, run but not scan CWShredder, reboot.

    Incidentally, I meant to mention that, from your https://www.wilderssecurity.com/showthread.php?t=28658&page=2
    I also had the famous bug redirect to res://usufr.dll/index.html#96676 on IE.

    Thks for giving me back a life. If I knew you folks existed at the start and asked you then, I might have saved myself something I estimate to be 125 hours fighting this thing (but then I wouldn't have learned about regedit, msconfig, Norton unprotect, delete from command..., task mgr and all the related tools, including autoruns and APM, which I haven't previously mentioned).

    If there's anything else you suggest, I'm certainly receptive. I assume that I should reset the Norton protection on the drives and reenable the system restore? Thks again. I'll be away for a little bit on my new life, but will check upon return. Bill
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    The first is your choice entirely, but the second is certainly to be recommended!

    Glad to hear that did the trick! :)
     
  10. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    Tony, I don't know if I'm supposed to be asking possibly unrelated questions, but here goes. I have 2 problems that have happened during the process:

    1. Although I usually hibernate on shutdown, I can no longer go to full shutdown. If I choose that option, it simply reboots. The only way I can do it is to into safe mode and, once it's booted, close down from safe. This happened some time ago, perhaps when I think the bug 1st introduced ~June 16, although it could be unrelated to it.

    2. The bigger problem is that my Netscape 7.1 no longer downloads. This has happened only in the last few days and requires me to default to using the dreaded IE. It goes through the motions, including showing "done" at the bottom, but the download manager doesn't show and the file doesn't end up anywhere on my system? Bill
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  12. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    You're pretty sharp, Tony. Expert, you are. I'm very grateful for your assistance. I'm going to research the Firefox browser, as I heard that MS is no longer supporting IE, and I can't imagine Netscape longer term (Incidentally, my webpage message to Netscape support just hung twice!). Out of curiousity, you don't use IE with all its problems, do you (or are you swift enough to fix all its holes)? Bill
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re: Need final removal of CWS (HSA+SE+SW) using object protected in c: and d:\recycle

    In fact I'm still using IE; I guess I like living dangerously... LOL!

    But I hear great things about FireFox, so I may well try it as well in the near future.
    BTW, MS certainly hasn't stopped supporting IE; It's just that they're having a hard time plugging all those holes....
     
  14. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Hi, Tony. I don't know how you know if I'm sending a message, but here goes.

    Unfortunately, I'm back again. Until now, system's been behaving itself, my time having been directed toward returning to the apps and files I had before having to deal with this. In that regard, I was installing an auto zip file (with winzip) this evening and got a message: "can't find shell.dll". After a websearch, I saw a suggestion to copy this dll into the same folder as there were reportedly several shell.dlls in XP. I originally thought this worked, but got the same message, then tried with a known zip I had opened, and got the same, even after reboot. I wasn't terribly concerned until I did another search and saw the following linkage to my CWS:
    http://www.google.ca/search?q=cache...&part=all "cannot find shell.dll" "CWS"&hl=en

    I saw another reference, and installed and ran PC Doctor OnCall v1, producing the following report:

    1. The Applications Paths section of your registry refers to one or more invalid files. This will cause applications not to run.
    2. The Microsoft shared section of your registry refers to one or more invalid files. This will often cause applications to crash or not run.
    Details:
    3. The following file was not found on your hard drive during the scan: C;|program Files\ Kazaa\D:\InstallShield\Kazaa\Kazaa
    (It was actually just the 1st 2, if I recall properly, but I since restored the prior register status after I had run System Mechanic and Advanced Uninstaller Pro without any effect.)

    I've since run Ad-Aware, and it's clean. HJT looks same as well.
    Logfile of HijackThis v1.98.0
    Scan saved at 2:53:06 AM, on 24/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\realtime.exe
    C:\Program Files\AvaFind\AvaFind.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Hijack This\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\Bill\Application Data\Mozilla\Profiles\default\ipzxuxse.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Bill\Application Data\Mozilla\Profiles\default\ipzxuxse.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-ca\msntb.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01...builds/MMD/MMRADIO/DNL/999993077/MMLRadio.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    Incidentally, I've installed Opera instead of my norm Netscape in the last day or so, and it's been working like a charm. I'm at the point of throwing it in and reformatting and reinstalling the million programs and associated passwords, etc., so any alternative thought you have to fix this would be welcome. As always, many thanks. Bill
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    The registry inconsistencies PC Doctor mentions are totally immaterial, and should be ignored. Any registry will contain orphaned registry entries left behind after a program's uninstall, and these usually don't create any problems.

    As for the Shell.dll error, find the Shell.dll file in your C:\WINDOWS\system32\dllcache fokder, and copy that to both the C:\Windows\System and the C:\Windows\System32 folder, allowing it to overwrite the ones in there.

    That ought to fix that.

    There's really nothing to worry about; your problems should be over! :)
     
  16. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    So relieved to hear that, Tony, particularly about ignoring the message, and that I'm indeed likely out of the woods wrt this pest. Since I wrote this post, I lost about 3/4 of the icons on my screen, so reverted to last known registry, which seemed to restore that issue upon reboot (so I have no idea where I am know). You are a scholar AND a gentleman, sir. Bill
     
  17. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    I should have checked 1st before replying. The cache has a shell32.dll but not a shell.dll. There is a shell.dll in c:\windows\system only. There are numerous ?shell.exe. Bill
     
  18. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    OK, Tony, I fixed it. I did some browsing, and one suggestion was to copy shell.dll from my XP disk - nothing there. The following suggested copying the shell.dll from c:\windows\system to c:\windows\system32, which is what I did - installed the program that executed winzip and which had been producing the error message, and I'm right as rain again.
    http://forums.civfanatics.com/archive/index.php/t-92745.html
    The wonderful world of computing! Thank you, again, for your wonderful and prompt support throughout this ordeal. Bill
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're welcome; glad to help. :)
     
  20. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Hi, Tony. I'll try to make this my last post on this subject (otherwise, we may have to start shopping together for crystal and china patterns).

    In the course of removing the unremovable in the recyler, the one thing that came to my attention was the inability to remove Content.IE5 (viewed easilt with Ava Find, mentioned earlier, which I recommend) in:
    C:\Documents and Settings\user name\Local Settings\Temporary Internet Files\Content.IE5 and
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

    I don't know if the following article sees sinister aspects in the innocent, but I found it quite disturbing if true i.e. the retention of a file of browsing history at ALL times, including after clearing IE history/cache; and deleted emails:
    http://www.****microsoft.com/content/ms-hidden-files.shtml (just tried it - server wouldn't connect). I highly recommend the read if news to you.

    Anyway, it turns out that the DOS commands for removal in the article do not apply to XP Pro. Long story short, I used IE Purge as the authgor recommended, but also, after some more research, located and used CyberScrub Pro, which did the job.

    This exercise has resulted in half my desktop icons being for related tools. Happily, I can now retire most of them until a possible new infection, although I'll do what I can to protect against, having migrated to Opera (slick), and looking to put in place pop-up blockers and protect against uninvited intrusion via activeX, java etc. of other pests.

    I just wanted to pass along this business wrt the article in case it's news to you, and my way of trying to thank you for your help. Bill
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It's only your temporary internet files; FYI, you do not really need a third party application to remove the index.dat, or indeet the entire folder.

    Simply log in as Administrator (just having administrative priviledges does NOT suffice), and you'll be able to simply delete the Temp. Internet Files folder in your profile.

    Windows will automatically create a brand new one on reboot.
     
  22. Bill Baynton

    Bill Baynton Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    13
    Gotcha. Thks. Bill
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're very welcome. :)
     
Thread Status:
Not open for further replies.