Window appears on startup 2

[Evil6]

Hello.

Wonder if someone knows about this: since I installed Norton Internet Security Professional 2004, I have this explorer window of the Norton program group appearing on the desktop each time I do a reboot.

Any ideas how to make the damned thing go away?

Thanx

 

[Evil6]

Hi all.

So, I've gone over your faq and did exactly those steps, in that order and though adaware and spybot found some threats that I removed, the window still appears. I think it's starting to be too much trouble...

 

[gpalmer711]

Evil6,
There are a couple of entries above that concern me a little.

msmsgs.exe "E:\Program Files\Messenger\msmsgs.exe" -Embedding

I've never seen MSN started with the -Embedding switch, nor could I find any reference to it.

CiDial.exe "E:\Program Files\CiDial\CiDial.exe"

Do you know what this is? If so don't worry about it.

Finally I think it would be a good idea to download "Hijack This" from

http://www.tomcoyote.com/hjt

Create a log file and post it here, this software is very similar to the software the bcaster recommended to you. This software looks at the old win.ini files and a few other places as well.

Greg Palmer
Free Software for Adminstrators

http://www.palmersoft.co.uk

 

[Evil6]

Hi gpalmer711.

About your questions, 1st of all, let me say I don't even use messenger, so I don't know how that came up in the log. I believe it's messenger installed by default, but I can uninstall it, if you think it's needed. About cidial, it's little program I've picked ip from download.com to resume broken internet connections.

I've done as you told and here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 15:17:48, on 09-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Trust\Keyboard\Ikeymain.exe
E:\PROGRA~1\Trust\Mouse\Amoumain.exe
E:\WINDOWS\System32\RunDll32.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\WindUpdates\WinUpdt.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\LiveUpdate\LiveUpdate.exe
E:\Program Files\WindUpdates\WinKA.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Program Files\emule\emule.exe
E:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe
E:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - E:\PROGRA~1\WIACA5~1\WinSB1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - E:\PROGRA~1\WIACA5~1\WinSB1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\Trust\\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] E:\PROGRA~1\Trust\\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BootWarn] E:\Program Files\Norton Internet Security Professional\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [CloneCDTray] "E:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindUpdates] E:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Ad-aware] "E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [BTCLiveUpdate] "E:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\RunOnce: [ICQ Lite] E:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_f...cd67c18f4e9f:5b624d5af8ad6bd64417002f5b97a1db

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -

http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -

http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -

https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38057.6212384259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -

http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D71D95-749D-4952-9ECC-357A120DF1DA}: NameServer = 194.65.100.117 194.65.5.2

Thank you.

Cheers

 

[gpalmer711]

If you don't want messenger you can remove it using the instructions in faq779-4299

The entry below is Listed as parasite on

http://www.spywaredata.com/bho.php?limit=show_all&PHPSESSID=71a88860718229a70fe86717a2da3018

R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - E:\PROGRA~1\WIACA5~1\WinSB1.dll


Download BHOCop listed in faq779-5240 to remove.

However your log does not show where this explorer window could be appearing from.

Next step I think would be to copy the path from the address bar next time it appears. Then Click on Start > Then Run > Type regedit click ok > Press F3 and paste the path click ok.

If it makes a match then let us know what the Key is.

Greg Palmer
Free Software for Adminstrators

http://www.palmersoft.co.uk

 

[Evil6]

Well guys, I think adaware did the trick, because the after I intalled and run it, in the reboot, the window ceased to appear.

Thank you very much for your patiente and your help.

Cheers!