bestfriends.scr has altered IE security settings

edited November 2004 in Spyware & Virus Removal
My friends use my computer and somehow I got the bestfriends.scr virus. I downloaded AIMFix and that got rid of it from affecting AIM. However, now Internet Explorer displays that blinking yellow Information Bar (just under the address bar) every time I load a website saying, "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..." This is something new from Microsoft for Windows XP users. It is part of the new Security Center from Windows Update.

Anyway, I have tried EVERYTHING that I can possibly think of to stop Internet Explorer from showing me the Information Bar at every website. I have tried to change the Pop-Up ad settings, I ran McAfee Virus Scan (which picked up a couple random trojans and got rid of them), I did a complete system scan with Ad-Aware AND Spybot. I have checked and re-checked the programs running on my computer and followed the step-by-step instructions in this forum to get rid of the virus. I have reset the Security Settings in IE to their default levels, ran HiJackThis (log below), I have even deleted the virus entries in the Run folders in the registry and from msconfig.

==================Begin HiJackThis Log==================

Logfile of HijackThis v1.98.2
Scan saved at 4:33:14 PM, on 10/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (Project1.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx

==================End HiJackThis Log==================

All I want is to have IE back to its normal working self (I can't even log into eBay anymore!). IE thinks that every website is trying to load ActiveX script content and it prompts me with that yellow Information Bar and I have to click "Yes allow this website to display active content" at every site.

Please help, any tips, thoughts, advice, prior experiences are greatly greatly appreciated! Thank you.

Matt

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2004
    You should download LSPfix from our security downloads page (link in my sig). Then have it fix CONNWSP.DLL

    After you do that, reboot, and post a new log :)
  • edited October 2004
    primesuspect,

    I have downloaded and ran LSPfix and fixed the CONNWSP.DLL file (which was already under the Remove column, I just highlighted it and clicked the Finish button), I also restarted the computer and ran HJT. However, LSPfix did not make that annoying yellow Information Bar go away. This is my new HJT log:


    ==============Begin HiJackThis Log===============

    Logfile of HijackThis v1.98.2
    Scan saved at 1:46:53 AM, on 10/13/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Matt\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (Project1.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx

    ==============End HiJackThis Log==============

    I am guessing that the file AOLacsd.exe could be part of the virus? I don't know, but I cannot begin to explain how grateful I am that you are helping me. I appreciate your help very much and if anyone else reading this has a clue to fix this annoyance please pitch in! Thanks again primesuspect!

    -Matt
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited October 2004
    Alright, now that your LSP stack has been fixed, we can go ahead and fix the rest of it :)

    See this process?

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    What I need you to do is end it - hit ctrl alt del to get to task manager, go to the processes tab, and then END that process.

    Now, go to C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\ and rename VS7DEBUG to VS7DEBUG.OLD

    After you rename that folder, reboot and post a new log :mullet:
  • edited October 2004
    Sorry I haven't replied in a while. I am very busy with my new business. Anyway, I changed the name of the folder like you said, rebooted and here is my new log. Thanks so much for your help!!! I appreciate it!!!!

    ==============Begin HiJackThis Log==============

    Logfile of HijackThis v1.98.2
    Scan saved at 8:01:32 PM, on 10/18/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Matt\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (Project1.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx


    ==============End HiJackThis Log==============

    Thanks again!

    -Matt
  • Dexter Vancouver, BC Canada
    edited October 2004
    Is the problem solved now, or do you still have trouble?

    If you still have trouble, try going into IE, click Tools -> Internet Options -> Security -> Custom Level, then Reset Custom Settings to Medium and click the RESET button. Click Yes, then OK and OK. Close IE, re-open it, and try some pages.

    Let us know if that helps.

    Dexter...
  • edited October 2004
    I screwed around with the advanced settings and got the bar to go away, but that's only a temporary fix. I'd like to find this file on my computer that keeps trying to run some active content and get rid of it. My concern is getting rid of it altogether.
  • edited October 2004
    I have been having this same problem. I downloaded and ran that LSPfix thing and it didn't find that file you listed above. That mdm.exe process is running though, so I guess that is a start. Should I just follow your instructions from there to remove this?

    Also, what is causing this problem? I guess I just don't understand why it keeps sending that information bar down. Does this fix solve the problem or just prevent that bar from coming down?

    And does renaming that folder prevent any program from working? If not, can't we just delete that folder?

    Anyway, after my last issue was resolved here, I decided to download Firefox, and I have been using it for about 2 weeks now and I really like it. Thanks for the suggestions and help.
  • edited October 2004
    Alright, here's the deal... I used to get the whole away message deal and stuff with AIM, but I downloaded AIMFix and it cleaned it out so it doesn't do that anymore. But the other thing that started happening at the same time as the AIM away message problem, and that didn't get removed, is that whenever I go to ANY WEBSITE, under the address bar I get that yellow bar that says, "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..." I'm sick of it and I want to get rid of it!!! I have no clue where to start! Here is my first HijackThis log... (P.S. I don't know if I even did this right, lol... let me know if I didn't...)



    StartupList report, 10/31/2004, 10:36:43 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Owner\Desktop\StartupList.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Unable to get Internet Explorer version!
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\StartupList.exe


    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
    WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    96b7885J = c:\documents and settings\owner\local settings\temp\96b7885J.exe
    PX = c:\documents and settings\owner\local settings\temp\PX.exe
    WinPatrol = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NSAgent = C:\Documents and Settings\Owner\Desktop\SaveKobeGameSetup03.exe
    Yahoo! Pager = 1
    Tvknzjei = C:\WINDOWS\system32\l?ass.exe
    AIM = "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
    eZWO = C:\PROGRA~1\Web Offer\wo.exe


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*



    Enumerating Browser Helper Objects:

    (no name) - (no file) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}


    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job


    Enumerating Download Program Files:

    [SBITAX7Ctrl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\tl7000.dll
    CODEBASE = http://www.ultimateplugin.com/tl7000.dll

    [{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Web P2P Installer]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [YInstStarter Class]
    InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinstc.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [{5F426A93-0821-47D2-A126-5A48A874B289}]
    CODEBASE = http://212.145.159.194/251065/dialercab/WebRecomendada.cab

    [{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [{65E7DB1D-0101-4100-BD66-C5C78C917F93}]
    CODEBASE = http://install.wildtangent.com/bgn/partners/aolim/install.cab

    [GSDACtl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
    CODEBASE = https://www.gamespyid.com/alaunch.cab

    [Cubis Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\cubis.ocx
    CODEBASE = http://mirror.worldwinner.com/games/v55/cubis/cubis.cab

    [{B9191F79-5613-4C76-AA2A-398534BB8999}]
    CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab

    [PhotosCtrl Class]
    InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
    CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [iTunesDetector Class]
    InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
    CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

    [BTDownloadCtrl Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BTDOWN~1.OCX
    CODEBASE = http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab

    [McFreeScan Class]
    InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
    CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4397/mcfscan.cab


    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe



    Enumerating ShellServiceObjectDelayLoad items:

    0aMCPClient: *Registry key not found*
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    End of report, 8,081 bytes
    Report generated in 0.203 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  • edited November 2004
    Not an expert here but I had the same problem and simply did a system restore. Everything seems to have gotten back to normal...hope that helps.
  • edited November 2004
    Thanks, but I have a lot of important stuff on this computer, and it would take forever to make backups of all of it, so sorry, but I don't think I'm up to doing a full system restore... Any other ideas?
  • BlackHawk Bible music connoisseur There's no place like 127.0.0.1 Icrontian
    edited November 2004
    System restore doesn't delete anything.
  • edited November 2004
    I checked and I have no system restore points to go to from before the virus was on. System restore had been turned off and I turned it on just when I found out I had the virus... any other ideas??
  • edited November 2004
    Found where the problem is... The following key was altered

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    change the key (http) from 0 to 3
  • edited November 2004
    wanggen wrote:
    Found where the problem is... The following key was altered

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    change the key (http) from 0 to 3


    I don't know where that directory is, or how to get to it... can I get like a step by step or something? Thanks a lot. :):thumbsup:
  • SpywareShooter 127.0.0.1
    edited November 2004
    Okay, this is VERY risky. If you do one thing wrong here, your whole computer, or parts of it, may not function correctly, or at all. To get to the registry, click "Start" then "run" and type in "Regedit" (without the quotes). Now click the + signs next to HKey_Current_User then Software, etc until you get down to "http". Then in the right pane, right click the entry that is set to 0, and click "Modify". Change the 0 to a 3. Now close Regedit, and you should be all set.
  • edited November 2004
    Okay, this is VERY risky. If you do one thing wrong here, your whole computer, or parts of it, may not function correctly, or at all. To get to the registry, click "Start" then "run" and type in "Regedit" (without the quotes). Now click the + signs next to HKey_Current_User then Software, etc until you get down to "http". Then in the right pane, right click the entry that is set to 0, and click "Modify". Change the 0 to a 3. Now close Regedit, and you should be all set.

    I got as far as clicking the software plus mark, and then there is no "http" thing that I'm supposed to click on. Triple checked and it's not there! :eek:
  • SpywareShooter 127.0.0.1
    edited November 2004
    Did you also look in the right pane for http? I haven't been through my registry for a while so I'm not exactly sure where the key is located.
  • edited November 2004
    Did you also look in the right pane for http? I haven't been through my registry for a while so I'm not exactly sure where the key is located.


    Checking the right pane... do you mean clicking on each program under the program tab and checking everything that comes up on the right? (After clicking the plus sign by programs, all my programs come up and when I click on one, what the folder contains is displayed in the right pane.)
  • edited November 2004
    That seems to have fixed it for me... oh well, it doesn't matter anymore anyway, because I have gotten used to using Firefox... any clue what would have changed that setting?

    Thanks for the help
  • SpywareShooter 127.0.0.1
    edited November 2004
    bestfriends.scr changes that setting.
  • edited November 2004
    Hey OLSON2K I finally got the info bar to stop popping up on me. Just follow the directions in folder order that is posted by wanggen on 11-04 :

    HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> CurrentVersion --> Internet Settings--> ZoneMap --> ProtocolDefaults

    change the key (http) from 0 to 3
    How to change the key: Right-Click on http in the right pane, Click on Modify, Change value data from 0 to 3.

    The Information Bar has finally been defeated! Oh yeah, you will find that you can now access Hotmail, Ebay, or any other site that uses Java or runs active content.
  • Spinner Birmingham, UK
    edited November 2004
    jimmy2in1 wrote:
    Hey OLSON2K I finally got the info bar to stop popping up on me. Just follow the directions in folder order that is posted by wanggen on 11-04 :

    HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> CurrentVersion --> Internet Settings--> ZoneMap --> ProtocolDefaults

    change the key (http) from 0 to 3
    How to change the key: Right-Click on http in the right pane, Click on Modify, Change value data from 0 to 3.

    The Information Bar has finally been defeated! Oh yeah, you will find that you can now access Hotmail, Ebay, or any other site that uses Java or runs active content.
    Like I said in the other thread, I tried to try it out, but that (http) value is already set to '3' on all my rigs. :confused: I tried changing it from '3' to '0' and it had no effect.
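
The check behind the `ProtocolDefaults` fix described in the posts above, as an added example that is not part of the original thread: it reads a regedit export, reports any web protocol mapped away from zone 3 (Internet; zone 0 is IE's My Computer zone), and builds a `.reg` fragment that restores it. The export text below is constructed, the function names are hypothetical, treating `https` and `ftp` like `http` is an assumption, and a real export (which regedit writes as UTF-16) must be decoded to text first.

```python
import re

# IE URL security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Key from the thread, lower-cased and without the hive name.
PROTOCOL_DEFAULTS = (r"software\microsoft\windows\currentversion"
                     r"\internet settings\zonemap\protocoldefaults")

# http -> 3 is the value given in the thread; https and ftp -> 3 are assumed.
EXPECTED = {"http": 3, "https": 3, "ftp": 3}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

# Constructed sample export (not taken from any machine in the thread).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example]
"http"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"ftp"=dword:00000003
"http"=dword:00000000
"https"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"""


def parse_protocol_defaults(reg_text):
    """Return {hive: {protocol: zone}} for each ProtocolDefaults key found."""
    result, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            hive, _, subkey = section.group("key").partition("\\")
            # Only collect values that sit under the ProtocolDefaults key.
            wanted = subkey.lower() == PROTOCOL_DEFAULTS
            current = result.setdefault(hive, {}) if wanted else None
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group("name").lower()] = int(value.group("val"), 16)
    return result


def audit(reg_text):
    """List (hive, protocol, actual_zone, expected_zone) for remapped protocols."""
    findings = []
    for hive, values in parse_protocol_defaults(reg_text).items():
        for proto, expected in EXPECTED.items():
            actual = values.get(proto)
            if actual is not None and actual != expected:
                findings.append((hive, proto, actual, expected))
    return findings


def remediation_reg(findings):
    """Build a .reg fragment that restores the expected zone for each finding."""
    lines = ["Windows Registry Editor Version 5.00"]
    for hive in sorted({f[0] for f in findings}):
        lines += ["", "[%s\\Software\\Microsoft\\Windows\\CurrentVersion"
                      "\\Internet Settings\\ZoneMap\\ProtocolDefaults]" % hive]
        lines += ['"%s"=dword:%08x' % (proto, expected)
                  for h, proto, _, expected in findings if h == hive]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for hive, proto, actual, expected in audit(SAMPLE_EXPORT):
        print("%s: %s maps to zone %d (%s), expected %d (%s)" % (
            hive, proto, actual, ZONES.get(actual, "unknown"),
            expected, ZONES[expected]))
```
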