big problems

Discussion in 'Home Networking' started by Jim W, Mar 10, 2005.

  1. NBT (Guest)

    Since you know nothing about the registry we will tempt fate and hope HJT has
    fixed most of the errors.
    We still need to fix your "System Restore" problem but I need to know what
    your settings are as mine are slightly different from what Symantec expects.

    Go to start-->Run type

    regedit

    and press enter.

    Registry Editor should appear. In the left-hand column you will see a number
    of HKEY listings.

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
    NT\SystemRestore

    In the Right Hand Column you may have listings for
    "DisableConfig" = "0"
    "DisableSR" = "0"

    I just have DisableSR = 0

    For the present I just want to know whether you have one or both of these and
    what the value is after the = sign.

    We will be going out shortly so will have to continue tomorrow, but if you
    could post your entries.
    First thing tomorrow could you run HJT in normal mode and make sure none of
    the entries we deleted have returned, and let me know. (Fingers crossed we
    only need to do System Restore.)

    NBT
     
    NBT, Mar 12, 2005
    #41

  2. Jim W (Guest)

    NBT

    Can't thank you enough, everything seems to be running normally; like you say,
    System Restore is still not turned on.

    I will go through what you have suggested and post.

    Hope you have a GREAT night out, wish I was there, you wouldn't have to buy
    a drink all night

    Once again thank you

    Jim
     
    Jim W, Mar 12, 2005
    #42

  3. Jim W (Guest)

    NBT

    This is what comes up under Windows NT\SystemRestore:

    (Default) REG-SZ (value not set)
    DisableConfig REG-SZ 0
    DisableSR REG-SZ 0

    Will run HJT in the morning

    Jim
     
    Jim W, Mar 12, 2005
    #43
  4. mikeFNB (Guest)

    Hats off to NBT

    Well done
    Sorry, I've been busy

    mike
     
    mikeFNB, Mar 13, 2005
    #44
  5. Jim W (Guest)

    He is my new hero Mike

    Jim

     
    Jim W, Mar 13, 2005
    #45
  6. Jim W (Guest)

    NBT

    Hope you had a good night, I slept a little easier last night thanks to you
    :)

    Ran HJT this morning, everything seems OK, although my daughter has yet to go
    on to Messenger. How can I protect my computer from nasties in Messenger,
    apart from Mike's suggestion of cutting her fingers off?

    HJT readout:

    Logfile of HijackThis v1.99.1
    Scan saved at 08:18:54, on 13/03/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Jim\Desktop\HijackThis.exe
    C:\WINDOWS\System32\imapi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
    Internet Explorer provided by Freeserve
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program
    Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} -
    C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
    Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
    Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program
    Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common
    Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program
    Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program
    Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O8 - Extra context menu item: Search with Freeserve -
    res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
    C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Medion-UK - {E2FE0687-6D9A-4136-8B83-591878BF4C0E} -
    http://www.medion.co.uk (file missing) (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: Yahoo! Bingo -
    http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Dominoes -
    http://download.games.yahoo.com/games/clients/y/dot4_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire -
    http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe -
    http://download.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wu
    web_site.cab?1101155435965
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd -
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON
    CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
    C:\WINDOWS\System32\nvsvc32.exe
     
    Jim W, Mar 13, 2005
    #46
  7. Jim W (Guest)

    I have Service Pack 2 sitting in the system tray ready to be installed. I have
    heard it can cause all sorts of problems; would I be better off with or
    without it?

    Jim

     
    Jim W, Mar 13, 2005
    #47
  8. NBT (Guest)

    The entries in your registry indicate that System Restore is not disabled;
    if they had been, you would have seen the value (1) somewhere. Do you
    normally access System Restore via the "Help and Support" menu or some other
    method?

    Your HJT entries look clear, so you should be OK.

    I don't know the settings for AVG, but in most you can set your AV
    scanner to check all messages on IMs (Messenger, AIM, ...). Make sure all
    your software patches are up to date and you are using the latest
    versions. AVG7 is at Ver 7.308 and the last definition update was on
    11/03/05. Always scan any file you receive, and if you didn't ask for it,
    delete it and DO NOT OPEN. I suggest you get your daughter to check with her
    friends to see if they have had any problems, or you could end up circulating
    this worm amongst yourselves for quite a while.

    We are not interested in playing games, so we had no problems with the
    upgrade to SP2; in fact it cleared some niggling problems which we had
    with SP1.
     
    NBT, Mar 13, 2005
    #48
  9. NBT (Guest)

    While I am having several coffees, will you confirm the above
    and check to see if it is not something like

    (Default) REG-SZ (value not set)
    DisableConfig REG-DWORD 0x00000001(1)
    DisableSR REG-DWORD 0x00000001(1)

    This is what I was expecting to see if System Restore had been
    disabled by the worm.

    NBT
     
    NBT, Mar 13, 2005
    #49
  10. Jim W (Guest)

    Thanks NBT, sorry for the wait.
    Wife at work, kids needed feeding, bacon sandwiches all round.

    To use Restore I always go into Accessories, System Tools; never used Help.

    Jim
     
    Jim W, Mar 13, 2005
    #50
  11. Jim W (Guest)

    Have checked again and it is as I posted.

    Jim

     
    Jim W, Mar 13, 2005
    #51
  12. NBT (Guest)

    I want you to try this. In that location of regedit, at the bottom of the
    list for SystemRestore, right-click (in free space) and add a new DWORD.

    Rename this DisableConfig.

    Right-click (in free space) and add a new DWORD.

    Rename this DisableSR.

    Right-click on DisableConfig REG-SZ and delete.
    Right-click on DisableSR REG-SZ and delete.

    This should give you this:

    (Default) REG-SZ (value not set)
    DisableConfig REG-DWORD 0x00000000(0)
    DisableSR REG-DWORD 0x00000000(0)


    Now try System Restore.

    NBT
     
    NBT, Mar 13, 2005
    #52
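    The check and repair NBT describes above (look at the DisableConfig and
    DisableSR values, and replace string-typed ones with REG_DWORD 0), written
    as a script. This is an added example, not code from the thread or from
    Symantec. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows
    host, the same key path the thread uses, and an elevated prompt for the
    repair step; the function and variable names are my own.

```powershell
# Added example: audit and repair the System Restore policy values from the thread.
# Assumptions: Windows PowerShell 5.1+ / PowerShell 7 on Windows; repair needs elevation.

$SystemRestorePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$PolicyValueNames       = @('DisableConfig', 'DisableSR')

function Get-SystemRestorePolicyState {
    # Report each policy value with its registry type, so REG_SZ "0" is not mistaken for REG_DWORD 0.
    [CmdletBinding()]
    param([string]$Path = $SystemRestorePolicyKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        # No policy key at all: nothing under Policies is overriding System Restore.
        return [pscustomobject]@{ KeyPresent = $false; Values = @() }
    }

    $key    = Get-Item -LiteralPath $Path
    $values = foreach ($name in $PolicyValueNames) {
        if ($key.GetValueNames() -notcontains $name) { continue }
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name)
        [pscustomobject]@{
            Name        = $name
            Kind        = $kind.ToString()   # 'String' is REG_SZ, 'DWord' is REG_DWORD
            Data        = $data
            # The end state the thread aims for: REG_DWORD holding 0.
            IsExpected  = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0)
            # What NBT expected a worm that switches System Restore off to leave behind.
            IsDisabling = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1)
            # The case Jim actually hit: right name, wrong type (REG_SZ instead of REG_DWORD).
            IsWrongType = ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
    [pscustomobject]@{ KeyPresent = $true; Values = @($values) }
}

function Repair-SystemRestorePolicy {
    # Mirrors the thread's fix: delete the string-typed values and recreate them as REG_DWORD 0.
    # A REG_DWORD 1 may be deliberate (for example set by Group Policy), so it is reported, not changed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $SystemRestorePolicyKey)

    $state = Get-SystemRestorePolicyState -Path $Path
    if (-not $state.KeyPresent) { Write-Verbose 'Policy key absent; nothing to repair.'; return }

    foreach ($v in $state.Values) {
        if ($v.IsDisabling) {
            Write-Warning "$($v.Name) is REG_DWORD 1 (System Restore disabled by policy); review before changing."
            continue
        }
        if ($v.IsWrongType -and $PSCmdlet.ShouldProcess("$Path\$($v.Name)", "replace $($v.Kind) with REG_DWORD 0")) {
            Remove-ItemProperty -LiteralPath $Path -Name $v.Name
            New-ItemProperty -LiteralPath $Path -Name $v.Name -PropertyType DWord -Value 0 | Out-Null
        }
    }
    Get-SystemRestorePolicyState -Path $Path   # return the post-repair state
}

# Read-only report. Run "Repair-SystemRestorePolicy -WhatIf" first to preview the change.
(Get-SystemRestorePolicyState).Values | Format-Table Name, Kind, Data, IsExpected, IsDisabling, IsWrongType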
  13. Jim W (Guest)

    NBT

    I honestly cannot thank you enough, I now have Restore back.

    When I cleared the HKLM entries last night, AVG was ready to update. I
    updated and ran it; it picked up the Sumom.B worm straight away and dealt
    with it. I did not install KAV. Will I be OK sticking with AVG or should I
    get myself another virus scanner?

    Once again thank you so much, really appreciate your time, trouble and above
    all, patience with a non-techie.

    Jim
     
    Jim W, Mar 13, 2005
    #53
  14. Jim W (Guest)

    By the way, will the restore points created before all the trouble be any
    good, or am I best not touching them?

    Cheers

    jim
     
    Jim W, Mar 13, 2005
    #54
  15. NBT (Guest)

    Best not to touch them as we do not know if the worm has been included.

    Stick with your AVG if you are comfortable with it; just remember others
    are available should you have any problems. AVs are very subjective, and
    extremely long and very boring debates are held on which is the best.

    NBT
     
    NBT, Mar 13, 2005
    #55
  16. Jim W (Guest)

    Once again, Thank you
    Jim
     
    Jim W, Mar 13, 2005
    #56
  17. Jim W (Guest)

    NBT

    Hope you can help with this one, hope you're still there.

    Everything seems to be working apart from the CD writer. On the same night
    we got the virus my daughter received a "song" from her pal and tried to
    burn it to CD.

    Now every time we start up, a bubble pops up informing us that we have files
    to write to CD. When I click on the bubble the box pops up, but there seem to
    be no files ready to be written. When I click on "delete temp files" and then
    look in the recycle bin, there is a file which says "autorun.inf"; when I
    right-click and go into Properties it says "Type: Setup Information, Origin:
    CD Burning".

    When I restore "autorun.inf", the bubble with "files to be written" starts to
    pop up again.

    I have tried to burn files to CD in both Nero and Windows; neither works.

    Hope you can help with this one

    Thanks Jim
     
    Jim W, Mar 13, 2005
    #57
  18. NBT (Guest)

    I want you to do a search for autorun.inf and in the advanced search
    mode make sure the boxes for
    Search system folders
    Search hidden files.....
    Search subfolders
    are all ticked.

    When the search is completed, look to see if any are associated with CD Burning.
    Put your cursor over the file and it should show the complete path to the
    file.
    It may be something like

    Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

    If one is, I want you to open it using Notepad and see if there is a line

    OPEN=autorun.exe

    If this line is there, delete it and save the file.
    Try to burn another CD.

    NBT
     
    NBT, Mar 13, 2005
    #58
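    The manual search NBT describes above (find every autorun.inf under the CD
    Burning staging folder and look for a line that launches a program) as a
    script. This is an added example, not code from the thread. It assumes
    Windows PowerShell 5.1 or PowerShell 7, and resolves the staging folder from
    the shell rather than hard-coding the XP path (on XP the shell folder is the
    Local Settings\Application Data\Microsoft\CD Burning path NBT quotes). The
    function names and the sample file at the end are my own; the sample is
    constructed so the parser can be exercised on a clean machine.

```powershell
# Added example: report autorun.inf launch directives staged for CD burning.
# Assumptions: Windows PowerShell 5.1+ / PowerShell 7; nothing here is from the thread.

function Get-AutorunDirectives {
    # Parse one autorun.inf and return each key=value entry, flagging the ones that run a program.
    param([Parameter(Mandatory)][string]$Path)

    $section  = ''
    $findings = foreach ($raw in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }  # e.g. [autorun]
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].ToLowerInvariant()
            # open= and shellexecute= run something when the disc is inserted; shell\<verb>\command
            # entries do so from the disc's context menu. These are the lines the thread removes.
            $launches = ($key -in @('open', 'shellexecute')) -or ($key -like 'shell\*\command')
            [pscustomobject]@{
                File     = $Path
                Section  = $section
                Key      = $key
                Value    = $Matches[2]
                Launches = $launches
            }
        }
    }
    return @($findings)
}

function Find-StagedAutorunFiles {
    # Every autorun.inf under the shell's CD-burning staging folder, hidden files included.
    param([string]$StagingRoot = [Environment]::GetFolderPath([Environment+SpecialFolder]::CDBurning))
    if (-not $StagingRoot -or -not (Test-Path -LiteralPath $StagingRoot)) { return @() }
    @(Get-ChildItem -LiteralPath $StagingRoot -Filter 'autorun.inf' -File -Recurse -Force -ErrorAction SilentlyContinue)
}

# Report what is staged for burning on this machine right now.
foreach ($inf in Find-StagedAutorunFiles) {
    Get-AutorunDirectives -Path $inf.FullName | Where-Object Launches | Format-Table File, Section, Key, Value
}

# Constructed sample (not from the thread's machine) so the parser can be tried offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'autorun-sample.inf'
@(
    '[autorun]'
    '; constructed test data'
    'open=autorun.exe'
    'icon=song.ico'
) | Set-Content -LiteralPath $sample
Get-AutorunDirectives -Path $sample | Format-Table Section, Key, Value, Launches
Remove-Item -LiteralPath $sample
```

    The report only reads the files; the entry to remove by hand is the one
    flagged Launches, as in NBT's instruction, and a launch directive sitting in
    the staging folder for an unsolicited "song" is the thing worth keeping a
    copy of for the AV vendor before it is deleted.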
  19. Jim W (Guest)

    Once again, I don't know how to thank you enough. I can honestly say you
    have made not only my weekend, but the weekend of two teenage girls who are
    desperate to get onto the computer and chat to their friends on Messenger.

    Thing is, I don't want them to, but what's a Dad to do? Please keep yourself
    handy.............................I may be back.

    Thank you again

    Jim
    Nicola and Hollie.....they told me to thank you also
     
    Jim W, Mar 13, 2005
    #59
  20. NBT (Guest)

    If you are having problems with my instructions, can you tell me the
    following.

    You said you had deleted an autorun.inf file; did you then try to burn a CD
    while this file was still in the recycle bin? If not, try it.

    NBT
     
    NBT, Mar 13, 2005
    #60