Subject: I can only start in the safe mode, Hijackthis log need help
Category: Computers > Security
Asked by: drsam2007-ga
List Price: $40.00
Posted: 06 Nov 2004 05:54 PST
Expires: 06 Dec 2004 05:54 PST
Question ID: 425256
I was running my Adaware spyware removal program as usual, but when it removed some spy programs it left my computer partially disabled. Now I can only start in the safe mode; however, most programs run, other than my desktop, sound, and I can't remove or uninstall some programs like Panda. I usually run Panda anti virus and I noticed this uninstall bug when I wanted to upgrade to a different version.

I am pretty savvy but I am not a tech. I manage a network for a company where I maintain a network of about 15 computers. I deal a lot with viruses and spyware but this one has me stumped. I am apprehensive about going into the registry to start deleting things I am not really sure about. This computer is on a smaller network of 5 computers, and I have to get it back to full function.

I don't mind running different diagnostic tools or buying/downloading maybe a better diagnostic tool, but I need help. I am tired of fighting this thing alone. Here is a HijackThis log for starters.

Sam

Log file of HijackThis v1.97.7
Scan saved at 10:39:02 PM, on 10/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\SYSTEM32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\ctfmon.exe
H:\My Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securitycameraworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - H:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - H:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] H:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] H:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "H:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] H:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "H:\Documents and Settings\sam Pascucci\My Documents\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SCANINICIO] "H:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "H:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [UpgConfVer] "H:\Program Files\Panda Software\Panda Platinum Internet Security\UpgConf.exe" /v:8.03.00
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://h:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: h:\program files\panda software\panda platinum internet security\pavlsp.dll
O10 - Unknown file in Winsock LSP: h:\program files\panda software\panda platinum internet security\pavlsp.dll
O10 - Unknown file in Winsock LSP: h:\program files\panda software\panda platinum internet security\pavlsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2D00CB73-BF43-4AC1-9535-11E281A91BA3} (Hikvision Card_Activex Control) - http://www.hikvision.com/images/program/BoardOCX.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://ticketpro.viewnetcam.com:2000/kxhcm10.ocx
O16 - DPF: {392A4878-26D4-4CE1-80D2-B6AF2F99A5A9} (IPDom Control) - http://www.multipixcctv.net/ActiveX/ipdome.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26981e10873588eceb03/netzip/RdxIE2.cab
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.6.170.102/ActiveView.cab
O16 - DPF: {7326059D-0357-4239-8537-69EA428A232D} (Hikvision MPEG4_Activex Control) - http://www.hikvision.com/images/program/HikMP4NetVideo.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://208.57.226.46/cab/Live.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E265649-6E0E-4EEA-9F49-DAE0801440CF} (WebDigiNet Control) - http://68.157.101.6/WebDiginet.CAB
O16 - DPF: {AAD32D2E-02C8-11D7-81B3-0050FC352236} (Softwell_DVR_Monitor.monitor) - http://211.23.141.3/activeX/DvrActiveXSetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EAE11EB6-E1C6-43B7-AF23-1DBC52C80FD6} (My3DCtrl Control) - http://www.exform.com/dev/ActiveX/3DCtrl.cab
O16 - DPF: {F255050F-988C-4683-AAEB-2523A2CE885D} (DVSView Control) - http://68.209.102.224/DvsView.cab
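
An added example (not part of the original question, and not code from HijackThis itself): a small Python parser for the log format posted above. It groups entries by section code and lists where each O16 (ActiveX) control was downloaded from, marking hosts that are bare IP addresses so they stand out during review. The function names are hypothetical; the sample lines are copied from the log above.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Entry lines look like "<section code> - <body>"; O16 = ActiveX control installed from a URL.
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
DPF = re.compile(r"DPF: \{[0-9A-Fa-f-]+\}(?: \((.*)\))? - (\S+)$")

# Sample input: entries copied from the log in the question above.
SAMPLE = r"""Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securitycameraworld.com/
O4 - HKLM\..\Run: [SM1BG] H:\WINDOWS\SM1BG.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://216.6.170.102/ActiveView.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26981e10873588eceb03/netzip/RdxIE2.cab
"""

def parse_log(text):
    """Group entries by section code; header and process lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dpf_sources(groups):
    """(control name, download host, host is a bare IP) for each O16 entry."""
    out = []
    for body in groups.get("O16", []):
        m = DPF.match(body)
        if m:
            host = urlsplit(m.group(2)).hostname or ""
            out.append((m.group(1) or "(no name)", host, is_ip(host)))
    return out

if __name__ == "__main__":
    groups = parse_log(SAMPLE)
    print({code: len(items) for code, items in groups.items()})
    for name, host, ip in dpf_sources(groups):
        print(f"O16 {name} <- {host}" + ("  [bare IP]" if ip else ""))
```

A bare-IP source only marks an entry worth identifying; it says nothing by itself about whether the control is unwanted.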

There is no answer at this time.

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: techie94-ga on 08 Nov 2004 02:39 PST

Dr,

Required disclaimer: If I were sitting in front of your computer, I would have no problem taking responsibility for its repair... in this forum, however, I can't be responsible for how you use the info I'm going to give here.

Without knowing exactly what happens or what messages are displayed at boot-time, these suggestions assume that there is no other info to base a recovery strategy upon.

I am guessing that you do not have any backed up system files, a working drive image or system backups for the affected computer that you could restore (after backing up any critical files.)

I assume that you have tried to do a system restore (Start | All Programs | Accessories | System Tools | System Restore | Select 'Restore My Computer To An Earlier Time' | click the 'Next' button | then choose a date on the calendar before the problem happened | click the 'Next' button.)

I also assume that you have also tried the "Last Known Good Configuration" option from the boot option menu where you can also find the "Safe Mode" option.

That said: My first guess would be that the spyware that was removed by Ad Aware initially overwrote, substituted or linked itself to a critical system file or driver or library or registry key when it was installed. I think that Ad Aware creates a log file when it cleans that you can consult to find out what files &/or keys were deleted. If you see that a sys or dll or some other system dependent file or registry key was deleted then you will have a clue as to what went wrong. You can probably find the Ad Aware logfile in your root directory or in the Ad Aware directory of the affected computer.

Another thing you could try is the Windows System File Checker. This will find and restore (assuming you have your WinXP CD) any critical system files that have become corrupt or missing.

ANOTHER DISCLAIMER: I notice that you have installed Service Pack 2 for WinXP... I am not familiar enough yet with SP2 to know if there could be conflicts arising by restoring files from a pre-SP2 source (like your WinXP CD). Perhaps someone else can comment on this issue. It is possible that the File Checker might see a SP2 file and think that it is a corrupted or changed file and replace it.

To run Windows System File Checker, open a command window (Start | Run | type 'Command' [without quotes] | click 'OK'.) At the prompt, type [again with no quotes] 'sfc' and then press 'Enter' on your keyboard to see the parameters available with the command. When (if) you are ready to do the scan, type 'sfc/scanonce' at the prompt and then press 'Enter' on your keyboard. After you have done this (and followed any instructions according to your judgement that might come up,) then to leave the command window, at the prompt type 'Exit'. Finally, close all running programs and then do a re-boot.

Of course you always have the option if all else fails, [groan] to back up any critical data on the affected computer while you are in Safe Mode, and then do a clean install (not just a re-install) of Windows XP. Naturally, you will also have to re-install all of your software applications afterwards. As a network manager, you would know how to do this and to get it re-connected back to your net.

For what they are worth, these are the ideas I would have if faced with your situation.

techie

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: drsam2007-ga on 09 Nov 2004 18:18 PST

Thanks for your comment. I was not aware of Windows System File Checker, nor have I ever used it. Your assumptions were correct. I have tried all the system restore things that you mentioned. I did not go back and look at the Adaware log file.

What I am going to do from here is wait to see if someone adds more comments or answers the questions. In the meantime I am going to back up my data. I understand how things go; sometimes the attempted fix could be worse than the first crash. So I am prepared to live with that. Also I realize this probably will be a back and forth process because the real tech is not at the controls.

Thanks for your time and suggestions.

Sam

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: drsam2007-ga on 09 Nov 2004 18:19 PST

I tried to run the SFC and it returned this error message. Also no luck on the Adaware log. After the crash I deleted Adaware and now I can't find a log of what was removed. I do remember what triggered the whole event: I deleted the files in the quarantine folder.

Oh, here is the error on the SFC:

The specific error code is 0x000006ab
The RP server is unavailable

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: reboot-ga on 09 Nov 2004 18:47 PST

Most likely, Adaware has removed some system file or registry key that is required for a normal boot up. I would suggest:

1) Back up your data.
2) Pop in the Windows install CD, and restore system files off the CD. It's too hard to tell which file is missing or corrupted.

Then you should be able to log back on normal mode. To fix registry keys, type msconfig at start->run.., and on the rightmost tab, uncheck all of the apps you don't know.

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: 12345a-ga on 10 Nov 2004 22:53 PST

I sort of think the reinstall would be best as suggested already. However if you could access web in your current state you might look at online virus scan, and online spyware scanners. I guess you could put the hdrive in another machine and scan it.

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: drsam2007-ga on 11 Nov 2004 05:40 PST

Actually I have run all the virus and spyware programs and I am not dealing with a virus or spyware any more; I am now dealing with the damage that was done by the removal of a spyware.

Now the complication is my local drive is "H", and when I put the XP CD in the drive it wants to default to do the repair or reinstallation in "C". Maybe I have to do this through a prompt command, but I don't know the commands to force the CD to do the repair or installation in the H drive. That's what I am working on now.

Thanks for your comment.

Sam

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: usahman-ga on 04 Dec 2004 20:29 PST

The advice below should give you a quick fix to your problem. First of all, get your winXP CD out, and boot it. After a few splash screens, you should get an option to press 'R' to Repair Installation. Press 'R'. What this will do is patch up your install path (eg. /WINNT).

If that doesn't work, I suggest plugging the hard drive (assuming it is not a raid setup) into one of your other PCs to back up and reimage your hdd.

Good luck.

Subject: Re: I can only start in the safe mode, Hijackthis log need help
From: drsam2007-ga on 05 Dec 2004 02:42 PST

Now the complication is my local drive is "H", and when I put the XP CD in the drive it wants to default to do the repair or reinstallation in "C". Maybe I have to do this through a prompt command, but I don't know the commands to force the CD to do the repair or installation in the H drive. That's what I am working on now.

Thanks for your comment.

Sam