Is this on your own personal machine, someone else's or a public computer??? Also, what OS?
it is my home computer...and OS is XP...I have never had this problem before until recently...with task manager and system restore..don't know what other problems I may have...could it be that nanny thing I dl? if so I can't find it anywhere. I have looked and looked and can't find it
Mt_GoatHead Cheezy Knob | Pflugerville (north of Austin) | Icrontian
edited February 2005
I would start by rebooting in "Safe Mode" and logging on as "Administrator" then look for anything that doesn't look right. Did you ever install the nanny thing you DL'd?
Do what Raptor (the ol' goat) suggests - it's good advice.
You might also try hitting Ctrl+Alt+Del and then click on Task Manager. This will provide you with a list of all processes running on your computer. From what you describe, I think the "Nanny" thing is running and is being a little too aggressive. Maybe Freddy Mercury was right...
No matter. If you can find the program, there may well be a setting to give you a choice about the course of action it takes when confronted with a decision. See if there is an option to "ask first". You might be able to train the program to work the way you want it to.
I installed one that I did delete that added all kinds of spyware like bargain buddy and I have another one that I downloaded that I can't find to delete..it is nowhere on pc. I have searched and searched ..even in safe mode. and I am most of the time in administrator..
also in order for the nanny program to stop running cause it wouldn't take my password or user name for some reason..therefore it wouldn't start up pc..I had to go in safe mode and go to run msconfig startup and then stop it from running that way...cause I can't find it on my system
here is exactly what it says.........task manager has been disabled by your administrator...no matter which way I try and do it through run or ctrl+alt+del or through run...also for system restore it says system restore has been turned off by group policy. to turn on system restore, contact your domain administrator
You have all of the symptoms of a Spyware infestation. Go to the Short-Media Download page and get the latest version of HijackThis. Post your log here and we'll give it a look-see.
1. Log in as admin in safe mode.
2. Set permissions for all your regular logins to have admin rights.
3. Go to admin tools and open policy editor and remove any policies that may be in place.
4. Go to Run and to services.msc and stop any non-necessary services. You can make a list of them and post it or screenshot the running services and we can help you shut off what you don't need.
5. Reboot to normal and log in and test things out.
Sounds like the nanny software put some kind of group policy in place.
Hang in there - help is on the way!
Logfile of HijackThis v1.99.0
Scan saved at 1:52:19 PM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
as far as step 2 not sure how to do that..step 3 went to admin tools and did not find a policy editor and then as far as step 4 here is the info...it overwhelmed me..how do I take a snapshot? lots of info to write down...I tried to save it so I could ccp it here and it didn't work
help!!!!!!!!!!!!! did everyone forget about me?????????? i'm going nuts here :bawling:
Take note -
To clear the log file without needing the admin password:
Go to C:\Netnanny (or whatever directory it's been installed into)
Delete the file "Wnn3.log"
NOTE: This file can't be edited, as it seems to be encrypted, but this will successfully clear the entire log without any passwords necessary.
Not sure if you can do this though with the file permission thing.
As for your HJT log:
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) - Outright remove these entries
C:\Program Files\Internet Explorer\iexplore.exe - This entry is fishy, someone else may want to clarify before deleting. Never seen IE listed in HJT.
Is http://us4.hpwis.com known to you? If it's not, delete these entries. HJT restores normal settings.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 - Nice space in policies, I don't trust this entry, again, would like someone else to clarify this one first.
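An added example (not written by any poster in this thread and not part of HijackThis): a Python triage of HijackThis entry lines like those in the log posted in this thread. It groups the Internet Explorer start/search page hosts from the R0/R1 entries, lists O7 policy restrictions and O4 autoruns, and compares a quoted entry with the raw log while ignoring whitespace. The function names and regular expressions are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlparse

# Entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Hypothetical patterns for this example: "<section> - <body>", then two body shapes.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
URL_VALUE = re.compile(r"^(HK\w+)\\(.+?),\s*(.+?) = (\S+)$")   # R0/R1: key,value = URL
POLICY = re.compile(r"^(HK\w+)\\(.+?),\s*(\w+)=(\d+)$")        # O7: key, name=number

def parse(log):
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Group what a reviewer checks first: IE page hosts, policies, autoruns."""
    report = {"ie_hosts": {}, "policies": [], "autoruns": []}
    for section, body in parse(log):
        if section in ("R0", "R1"):          # IE start page / search page values
            m = URL_VALUE.match(body)
            if m:
                host = urlparse(m.group(4)).hostname
                report["ie_hosts"].setdefault(host, []).append(m.group(3))
        elif section == "O7":                # registry-editor policy restriction
            m = POLICY.match(body)
            if m:
                report["policies"].append((m.group(1), m.group(3), int(m.group(4))))
        elif section == "O4":                # programs started from Run keys
            report["autoruns"].append(body)
    return report

def same_entry(quoted, raw):
    """True when two entries differ only in whitespace (quoted copy vs. raw log)."""
    return re.sub(r"\s+", "", quoted) == re.sub(r"\s+", "", raw)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Running `same_entry` on the O7 line as quoted in the reply and as it appears in the posted log shows the two are the same entry apart from the space.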
if i remove incredimail files and weatherbug will it remove it from my system? and if so are they dangerous programs? i have been told incredimail is ok...
oops also I don't know where it loaded my nanny program into...it is called will nanny I think...can't find it anywhere..and I also can't run task manager as I have said...
ok don't know if this will help anyone but here goes..somehow I got my task manager to work and here is the processes running.
ypager.exe
taskmgr.exe
IMApp.exe
weather.exe
CCAPP.EXE
CCEVTMGR.EXE
SPBBCSvc.exe
SNDSrvc.exe
CCSETMGR.EXE
CCPROXY.EXE
nvsvc32.exe
NPROTECT.EXE
svchost.exe
NPFMNTOR.EXE
svchost.exe
explorer.exe
msnmsgr.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
navapsvc.exe
smss.exe
notepad.exe
lexpps.exe
spoolsv.exe
lexbces.exe
navw32.exe
wdfmgr.exe
symlcsvc.exe
svchost.exe
NOPDB.EXE
system
system idle process..
don't know if this is gonna help but here it is...
Scan saved at 1:52:19 PM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.fastaccess.com/launch.asp
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1133930494187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
here it is