Runtime Errors and Registry Pop ups driving me crazy



mad hungarian
2007-01-03, 02:11
Hello,
My computer has pop ups saying that my registry needs to be repaired. These occur very frequently and are from different addresses such as www.msreg.com, www.key32.com etc.
I am also getting a lot of runtime error warnings such as line 3 error object doesn't support this property or method.
Not sure if I am in the right forum but I have posted the Panda scan and HJT Logs as requested. There were a few times today that the spybot scan would stop on its own - I saw a message saying scan aborted by user but I had not stopped the scan.

Logfile of HijackThis v1.99.1
Scan saved at 5:58:00 PM, on 1/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Hi-jack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Repair Registry Pro] C:\WINDOWS\TEMP\New Folder\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161576281155
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe



Incident Status Location

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\user\Cookies\user@trafficmp[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user\Cookies\user@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Cookies\user@hitbox[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Cookies\user@atdmt[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\user\Cookies\user@clickbank[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user\Cookies\user@realmedia[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[3].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\user\Cookies\user@zedo[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\user\Cookies\user@citi.bridgetrack[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Cookies\user@fastclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user\Cookies\user@statcounter[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Cookies\user@hitbox[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Cookies\user@atwola[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Cookies\user@2o7[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user\Cookies\user@overture[1].txt



Thanks for taking a look,
Mad Hungarian

pskelley
2007-01-05, 00:25
Welcome to the forum, do you still need help? If so, tell me about this item, did you install it?

O4 - HKLM\..\Run: [Repair Registry Pro] C:\WINDOWS\TEMP\New Folder\Repair Registry Pro\RepairRegistryPro.exe -s

If not, it could be the source of your problems. Let's do this:

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Start > Control Panel > Add Remove programs and uninstall Repair Registry Pro if there. Uninstall any other program you know does not belong there.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [Repair Registry Pro] C:\WINDOWS\TEMP\New Folder\Repair Registry Pro\RepairRegistryPro.exe -s
(next two are resource wasters, unless you use the Alexa toolbar, get rid of them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\TEMP\ <<< delete the contents of that Temp folder (not the folder)

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, let me know if that takes care of the problem.

Thanks

Would you post the error messages you are receiving "word for word". It is the only way I can help research the cause.

I know you are aware Microsoft is no longer supporting your Operating System, but I see you are running an out of date version of Internet Explorer and even it has none of the Critical Updates it should have. If you continue to take this computer online, sooner or later this unsecure browser is going to get badly infected.
Internet Explorer v5.00 SP4 (5.00.2920.0000)
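
Added example, not part of the original posts and not HijackThis code: a small Python triage of the log format shown in this thread. It flags O4 registry autoruns that launch from a TEMP directory, like the Repair Registry Pro entry above, and lists entries that disappear between two scans. The sample lines are copied from the thread's logs; the function names and the TEMP heuristic are assumptions made for the illustration.

```python
import re

# Sample input: a few lines copied from the HijackThis logs in this thread.
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\WINDOWS\TEMP\New Folder\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""
AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")               # "O4 - <detail>"
RUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")    # key: [name] command
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)           # assumed heuristic

def parse(log):
    """Return the (section code, detail) pairs of a HijackThis log."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def temp_autoruns(log):
    """O4 registry autoruns whose command runs from a TEMP/TMP directory."""
    hits = []
    for code, detail in parse(log):
        m = RUN.match(detail) if code == "O4" else None
        if m and TEMP_DIR.search(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def removed(before, after):
    """Entries present in the first log but gone from the second."""
    return sorted(set(parse(before)) - set(parse(after)))

if __name__ == "__main__":
    for key, name, cmd in temp_autoruns(BEFORE):
        print(f"review: {key} [{name}] -> {cmd}")
    for code, detail in removed(BEFORE, AFTER):
        print(f"removed: {code} - {detail}")
```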

mad hungarian
2007-01-08, 03:44
Hello PSKelly,
Happy New Year. Sorry for the late reply. It has been a busy week(end) in my household. I ran the programs you suggested and updated Internet Explorer. It appears that the two lines O9 Extra Tool etc. etc. are showing up again even though I am removing them with the HJT scan.


Logfile of HijackThis v1.99.1
Scan saved at 7:39:54 PM, on 1/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hi-jack This\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161576281155
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168136004114
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

I upgraded internet explorer to version 6.
As far as the runtime errors are concerned I have not seen them anymore since taking the steps you have suggested.

pskelley
2007-01-08, 04:14
Thanks for returning your information. The Alexa toolbar gets installed along with IE so when you updated the resource waster was returned thanks to Microsoft. Try removing them again with HJT and they should stay gone this time. They are not malware, just a waste of your resources unless you actively use the Alexa toolbar.
http://www.spywareguide.com/product_show.php?id=418
http://www.imilly.com/alexa.htm

Besides that, your HJT log looks fine :bigthumb: and I would say you are good to go.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

mad hungarian
2007-01-11, 03:52
Pskelly,
I'm still getting popups suggesting I download programs to repair my computer's registry. These popups are coming from Microsoft Messenger service and have web addresses like www.msreg.com, www.key32.com.
These still keep showing up. The runtime errors have ceased to appear anymore.
Thank you for taking the time to check out my thread.
MH

pskelley
2007-01-11, 04:59
These popups are coming from microsoft messenger service http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;330904

Thanks...Phil