Solved: Ad/remove Won't Open

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

xico

Thread Starter
Joined
Jun 29, 2002
Messages
29,787
I'm on my son's XP. He's been dealing with a hacker. Don't know if we got rid of him yet, but now the Ad/Remove program won't open. I've tried using the Control Pane; from the Start button and from the Computer button. Every other button in the Control Panel Works. And yes we've rebooted many times.

Any suggestions would be greatly appreciated.:D
 

awalker0878

Removed by request
Joined
Dec 16, 2005
Messages
407
bet he used a reg hack to prevent you from ADD/Remove programs from opening

start\run: regedit
navagate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
delete every entry under

also check
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
delete every entry under
 

xico

Thread Starter
Joined
Jun 29, 2002
Messages
29,787
Just checked in. Didn't get a notifying email. Thanks. I'll post a HJT log, and check out the eregedit. Thanks again! (y)
 

xico

Thread Starter
Joined
Jun 29, 2002
Messages
29,787
Here's the HJT log--but I went into the registry and did as I was told, and we got the Ad/Remove panel back up like a charm. Thanks! Could you give me a brief explanation of what the hacker did, and if he coul put this on another program, would I be going to the same "policies" to uninstall there too?

I'm thrilled! Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:10:41 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\valve\steam\steam.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\VisualZone\VisualZone.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Anti-BO\Anti-bo.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AvltMain.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\Apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Luke1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TimeSync.lnk = C:\Program Files\J River\Netbox3\NetBox.exe
O4 - Global Startup: VisualZone.lnk = C:\Program Files\VisualZone\VisualZone.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://zone.msn.com/bingame/trbo/default/ActiveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4650/mcfscan.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
 

awalker0878

Removed by request
Joined
Dec 16, 2005
Messages
407
Yes you could do the same steps if he did this on another pc. Though he probably did not edit the registry he might of used poledit an *old* utility designed to lockdown corporate pcs from tinkering users. I *do not* suggest using to remove restrictions as it can unexpected results on xp.

use Panda AntiveScan to check for hacker tools or trojans he might of put on your system:

http://www.pandasoftware.com/products/activescan.htm

and post the log
 

awalker0878

Removed by request
Joined
Dec 16, 2005
Messages
407
We could trim the start-up so that your computer runs faster.

MFDnSC was nice enough look at your HJT log (thanks MFDnSC!)

MFDnSC's Avatar
MFDnSC MFDnSC is online now
Distinguished Member

Posts: 19,419
Join Date: Sep 2004
Location: Low Country SC
Experience: Ret. Director IT
Quote:
Originally Posted by awalker0878
http://forums.techguy.org/windows-nt...l-missing.html

http://forums.techguy.org/windows-nt...wont-open.html
Both are fine
__________________
"Nothing could be finer than to be in South Carolina......"

Member ASAP

If my posts have helped you please make a donation

Give credit where credit is do thanks MFDnSC
 

xico

Thread Starter
Joined
Jun 29, 2002
Messages
29,787
I'd appreciate it if you 'd trim the start menu. And thanks MFDnSC! (y) :D
 

awalker0878

Removed by request
Joined
Dec 16, 2005
Messages
407
You could safely remove these entries:

O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: TimeSync.lnk = C:\Program Files\J River\Netbox3\NetBox.exe
O4 - Global Startup: VisualZone.lnk = C:\Program Files\VisualZone\VisualZone.exe

though some programs you would now have to open yourself but they would not always be in memory eating up ram
 

xico

Thread Starter
Joined
Jun 29, 2002
Messages
29,787
(y) Thank you AWalker! Much obliged! My son thanks you too. (y) :D
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top