-----Original Message-----
Bob,
No suspicious items found. (But there may be a browser extension/malware
causing this). Anyways, trt setting a registry audit for this key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
Setting a registry audit:
http://groups.google.com/groups?hl=en&lr=&ie=UTF- 8&selm=eOLMZy9YEHA.1692%40TK2MSFTNGP10.phx.gbl
FYI, ITBarLayout stores the toolbar layout values in REG_BINARY. Clear all
events, then open your browser and customize the toolbars. Then close
Internet Explorer. Reboot and view the Event Log. Post the contents here.
You could also try disabling 3rd party browser extensions in the Advanced
Tab of Internet Explorer Options. This rules out any browser extension
causing this.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Win XP Pro, all updates applied.
Here's the autoruns log:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon
Application Microsoft Corporation
c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft
Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 000StTHK c:\windows\system32
\000stthk.exe
+ 00THotkey THotkey (Not verified) TOSHIBA Corp.
c:\windows\system32\00thotkey.exe
+ Advanced Tools Check Norton AntiVirus Advanced Tools
Integrity Checker Symantec Corporation
c:\program files\norton
antivirus\advtools\advchk.exe
+ ccApp Common Client User Session Symantec
Corporation c:\program files\common files\symantec
shared\ccapp.exe
+ EXSHOW95.EXE Kensington MouseWorks Win32 Support
(Not verified) Kensington Technology Group
c:\windows\system32\exshow95.exe
+ NvCplDaemon NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
+ nwiz NVIDIA nView Wizard, Version 45.91 (Not
verified) NVIDIA Corporation c:\windows\system32
\nwiz.exe
+ Pinger Toshiba Pinger (Not verified) Toshiba
Corporation c:\toshiba\ivp\ism\pinger.exe
+ RemoteControl PowerDVD RC Service (Not verified)
Cyberlink Corp. c:\program
files\cyberlink\powerdvd\pdvdserv.exe
+ SSC_UserPrompt Norton Security Center Helper
Symantec Corporation c:\program files\common
files\symantec shared\security center\usrprmpt.exe
+ SxgTkBar Taskbar application (Not verified)
YAMAHA COROPRATION c:\windows\system32\sxgtkbar.exe
+ TFNF5 TFnF5 (Not verified) Toshiba Corp.
c:\windows\system32\tfnf5.exe
+ TMEEJME.EXE TMEEJME (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmeejme.exe
+ TMERzCtl.EXE TMERzCtl (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmerzctl.exe
+ TMESBS.EXE tmesbs32 (Not verified) TOSHIBA
Corporation c:\program files\toshiba\tme3\tmesbs32.exe
+ TMESRV.EXE TOSHIBA MobileExtension Service (Not
verified) TOSHIBA c:\program files\toshiba\tme3
\tmesrv31.exe
+ TosHKCW.exe Wireless Hotkey (Not verified) TOSHIBA
CORPORATION c:\program files\toshiba\wireless
hotkey\toshkcw.exe
+ Tpwrtray TOSHIBA Power Saver (Not verified)
TOSHIBA Corporation c:\windows\system32\tpwrtray.exe
+ TweakMASTER TweakMASTER main module (Not verified)
Hagel Technologies c:\program
files\tweakmaster\twmaster.exe
+ USB SECURITY DEVICE CoInstaller PROLIFIC USB
SECURITY DEVICE AP (Not verified) Prolific
Technology Inc. c:\windows\system32\jupitco.exe
+ Zone Labs Client Zone Labs Client Zone
Labs, Inc c:\program files\zone
labs\zonealarm\zlclient.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup
+ D-Link AirPlus Xtreme G Configuration Utility.lnk
WLAN Adapter Utility (Not verified) D-Link
c:\program files\d-link airplus xtreme
g\airplus.exe
+ D-Link REG Utility.lnk Reg MFC Application
c:\program files\d-link airplus xtreme g\reg.exe
+ PopupDummy! 3.16.EXE.lnk PopupDummy!
http://www.popupdummy.com c:\program
files\popupdummy!\popupdummy! 3.16.exe
C:\Documents and Settings\Kemp\Start Menu\Programs\Startup
+ KaVoom!.lnk (Not verified) KaVoom Software
c:\program files\kavoom!\kavoomc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ NVIEW NVIDIA nView Desktop and Window Manager 45.91
(Not verified) NVIDIA Corporation
c:\windows\system32\nview.dll
Task Scheduler
+ Symantec NetDetect.job Symantec NetDetect
Symantec Corporation c:\program
files\symantec\liveupdate\ndetect.exe
-----Original Message-----
Bob,
Please mention the Operating System you're using. In addition, get Autoruns
from Sysinternals.com and post the log here.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Thanks. Unfortunately, the following are true:
No fash.exe exists on the PC.
Latest version of Adaware reports no problem.
PC is not HP or Compaq (It's a Toshiba)
Applied IEToolbar.reg after closing all browsers.
Toolbar still goes back to the arrangement it chooses,
even though I unlocked, rearranged, locked & then quit
the browser.
HP/Compaq
unit)
.
.
-----Original Message-----
Bob,
No suspicious items found. (But there may be a browser extension/malware
causing this). Anyways, trt setting a registry audit for this key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
Setting a registry audit:
http://groups.google.com/groups?hl=en&lr=&ie=UTF- 8&selm=eOLMZy9YEHA.1692%40TK2MSFTNGP10.phx.gbl
FYI, ITBarLayout stores the toolbar layout values in REG_BINARY. Clear all
events, then open your browser and customize the toolbars. Then close
Internet Explorer. Reboot and view the Event Log. Post the contents here.
You could also try disabling 3rd party browser extensions in the Advanced
Tab of Internet Explorer Options. This rules out any browser extension
causing this.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Win XP Pro, all updates applied.
Here's the autoruns log:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon
Application Microsoft Corporation
c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft
Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 000StTHK c:\windows\system32
\000stthk.exe
+ 00THotkey THotkey (Not verified) TOSHIBA Corp.
c:\windows\system32\00thotkey.exe
+ Advanced Tools Check Norton AntiVirus Advanced Tools
Integrity Checker Symantec Corporation
c:\program files\norton
antivirus\advtools\advchk.exe
+ ccApp Common Client User Session Symantec
Corporation c:\program files\common files\symantec
shared\ccapp.exe
+ EXSHOW95.EXE Kensington MouseWorks Win32 Support
(Not verified) Kensington Technology Group
c:\windows\system32\exshow95.exe
+ NvCplDaemon NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
+ nwiz NVIDIA nView Wizard, Version 45.91 (Not
verified) NVIDIA Corporation c:\windows\system32
\nwiz.exe
+ Pinger Toshiba Pinger (Not verified) Toshiba
Corporation c:\toshiba\ivp\ism\pinger.exe
+ RemoteControl PowerDVD RC Service (Not verified)
Cyberlink Corp. c:\program
files\cyberlink\powerdvd\pdvdserv.exe
+ SSC_UserPrompt Norton Security Center Helper
Symantec Corporation c:\program files\common
files\symantec shared\security center\usrprmpt.exe
+ SxgTkBar Taskbar application (Not verified)
YAMAHA COROPRATION c:\windows\system32\sxgtkbar.exe
+ TFNF5 TFnF5 (Not verified) Toshiba Corp.
c:\windows\system32\tfnf5.exe
+ TMEEJME.EXE TMEEJME (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmeejme.exe
+ TMERzCtl.EXE TMERzCtl (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmerzctl.exe
+ TMESBS.EXE tmesbs32 (Not verified) TOSHIBA
Corporation c:\program files\toshiba\tme3\tmesbs32.exe
+ TMESRV.EXE TOSHIBA MobileExtension Service (Not
verified) TOSHIBA c:\program files\toshiba\tme3
\tmesrv31.exe
+ TosHKCW.exe Wireless Hotkey (Not verified) TOSHIBA
CORPORATION c:\program files\toshiba\wireless
hotkey\toshkcw.exe
+ Tpwrtray TOSHIBA Power Saver (Not verified)
TOSHIBA Corporation c:\windows\system32\tpwrtray.exe
+ TweakMASTER TweakMASTER main module (Not verified)
Hagel Technologies c:\program
files\tweakmaster\twmaster.exe
+ USB SECURITY DEVICE CoInstaller PROLIFIC USB
SECURITY DEVICE AP (Not verified) Prolific
Technology Inc. c:\windows\system32\jupitco.exe
+ Zone Labs Client Zone Labs Client Zone
Labs, Inc c:\program files\zone
labs\zonealarm\zlclient.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup
+ D-Link AirPlus Xtreme G Configuration Utility.lnk
WLAN Adapter Utility (Not verified) D-Link
c:\program files\d-link airplus xtreme
g\airplus.exe
+ D-Link REG Utility.lnk Reg MFC Application
c:\program files\d-link airplus xtreme g\reg.exe
+ PopupDummy! 3.16.EXE.lnk PopupDummy!
http://www.popupdummy.com c:\program
files\popupdummy!\popupdummy! 3.16.exe
C:\Documents and Settings\Kemp\Start Menu\Programs\Startup
+ KaVoom!.lnk (Not verified) KaVoom Software
c:\program files\kavoom!\kavoomc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ NVIEW NVIDIA nView Desktop and Window Manager 45.91
(Not verified) NVIDIA Corporation
c:\windows\system32\nview.dll
Task Scheduler
+ Symantec NetDetect.job Symantec NetDetect
Symantec Corporation c:\program
files\symantec\liveupdate\ndetect.exe
-----Original Message-----
Bob,
Please mention the Operating System you're using. In addition, get Autoruns
from Sysinternals.com and post the log here.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Thanks. Unfortunately, the following are true:
No fash.exe exists on the PC.
Latest version of Adaware reports no problem.
PC is not HP or Compaq (It's a Toshiba)
Applied IEToolbar.reg after closing all browsers.
Toolbar still goes back to the arrangement it chooses,
even though I unlocked, rearranged, locked & then quit
the browser.
HP/Compaq
unit)
.
.
-----Original Message-----
Bob,
Look for events which involve the WebBrowser key.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Disabling 3rd party extensions didn't help.
I set up the registry audit, but didn't know what to
select to audit so I selected everything under WebBrowser.
I cleared the event log,started a browser, rearranged the
toolbars, locked them, closed the browser & then rebooted.
Unfortunately, the event log is quite lengthly & I don't
see how to get any useful info in a form that I can post
to you.-----Original Message-----
Bob,
No suspicious items found. (But there may be a browser extension/malware
causing this). Anyways, trt setting a registry audit for this key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
Setting a registry audit:
http://groups.google.com/groups?hl=en&lr=&ie=UTF- 8&selm=eOLMZy9YEHA.1692%40TK2MSFTNGP10.phx.gbl
FYI, ITBarLayout stores the toolbar layout values in REG_BINARY. Clear all
events, then open your browser and customize the toolbars. Then close
Internet Explorer. Reboot and view the Event Log. Post the contents here.
You could also try disabling 3rd party browser extensions in the Advanced
Tab of Internet Explorer Options. This rules out any browser extension
causing this.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Win XP Pro, all updates applied.
Here's the autoruns log:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon
Application Microsoft Corporation
c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft
Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 000StTHK c:\windows\system32
\000stthk.exe
+ 00THotkey THotkey (Not verified) TOSHIBA Corp.
c:\windows\system32\00thotkey.exe
+ Advanced Tools Check Norton AntiVirus Advanced Tools
Integrity Checker Symantec Corporation
c:\program files\norton
antivirus\advtools\advchk.exe
+ ccApp Common Client User Session Symantec
Corporation c:\program files\common files\symantec
shared\ccapp.exe
+ EXSHOW95.EXE Kensington MouseWorks Win32 Support
(Not verified) Kensington Technology Group
c:\windows\system32\exshow95.exe
+ NvCplDaemon NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
+ nwiz NVIDIA nView Wizard, Version 45.91 (Not
verified) NVIDIA Corporation c:\windows\system32
\nwiz.exe
+ Pinger Toshiba Pinger (Not verified) Toshiba
Corporation c:\toshiba\ivp\ism\pinger.exe
+ RemoteControl PowerDVD RC Service (Not verified)
Cyberlink Corp. c:\program
files\cyberlink\powerdvd\pdvdserv.exe
+ SSC_UserPrompt Norton Security Center Helper
Symantec Corporation c:\program files\common
files\symantec shared\security center\usrprmpt.exe
+ SxgTkBar Taskbar application (Not verified)
YAMAHA COROPRATION c:\windows\system32\sxgtkbar.exe
+ TFNF5 TFnF5 (Not verified) Toshiba Corp.
c:\windows\system32\tfnf5.exe
+ TMEEJME.EXE TMEEJME (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmeejme.exe
+ TMERzCtl.EXE TMERzCtl (Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmerzctl.exe
+ TMESBS.EXE tmesbs32 (Not verified) TOSHIBA
Corporation c:\program files\toshiba\tme3\tmesbs32.exe
+ TMESRV.EXE TOSHIBA MobileExtension Service (Not
verified) TOSHIBA c:\program files\toshiba\tme3
\tmesrv31.exe
+ TosHKCW.exe Wireless Hotkey (Not verified) TOSHIBA
CORPORATION c:\program files\toshiba\wireless
hotkey\toshkcw.exe
+ Tpwrtray TOSHIBA Power Saver (Not verified)
TOSHIBA Corporation c:\windows\system32\tpwrtray.exe
+ TweakMASTER TweakMASTER main module (Not verified)
Hagel Technologies c:\program
files\tweakmaster\twmaster.exe
+ USB SECURITY DEVICE CoInstaller PROLIFIC USB
SECURITY DEVICE AP (Not verified) Prolific
Technology Inc. c:\windows\system32\jupitco.exe
+ Zone Labs Client Zone Labs Client Zone
Labs, Inc c:\program files\zone
labs\zonealarm\zlclient.exe
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup
+ D-Link AirPlus Xtreme G Configuration Utility.lnk
WLAN Adapter Utility (Not verified) D-Link
c:\program files\d-link airplus xtreme
g\airplus.exe
+ D-Link REG Utility.lnk Reg MFC Application
c:\program files\d-link airplus xtreme g\reg.exe
+ PopupDummy! 3.16.EXE.lnk PopupDummy!
http://www.popupdummy.com c:\program
files\popupdummy!\popupdummy! 3.16.exe
C:\Documents and Settings\Kemp\Start Menu\Programs\Startup
+ KaVoom!.lnk (Not verified) KaVoom Software
c:\program files\kavoom!\kavoomc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ NVIEW NVIDIA nView Desktop and Window Manager 45.91
(Not verified) NVIDIA Corporation
c:\windows\system32\nview.dll
Task Scheduler
+ Symantec NetDetect.job Symantec NetDetect
Symantec Corporation c:\program
files\symantec\liveupdate\ndetect.exe
-----Original Message-----
Bob,
Please mention the Operating System you're using. In addition, get Autoruns
from Sysinternals.com and post the log here.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
Thanks. Unfortunately, the following are true:
No fash.exe exists on the PC.
Latest version of Adaware reports no problem.
PC is not HP or Compaq (It's a Toshiba)
Applied IEToolbar.reg after closing all browsers.
Toolbar still goes back to the arrangement it chooses,
even though I unlocked, rearranged, locked & then quit
the browser.
-----Original Message-----
Three possibilities:
1. Corrupt Toolbar layout
2. AutoTKit program causing this (in case of a HP/Compaq
unit)
3. A malware, fash.exe or something causing this
Internet Explorer Toolbar settings are not saved
http://www.mvps.org/sramesh2k/IEFAQ.htm
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k
message
My favorite toolbar arrangement will no longer "stick".
I've tried unlocking, rearranging, locking & quitting the
browser. But the next browser always comes up with the
unwanted arrangement. Is there a registry fix?
.
.
.
.
http://forums.spywareinfo.com |-----Original Message-----
Only IExplore.exe is modifying the value, not any other process. Perhaps a
hijackthis log might help. Download HijackThis from
http://www.majorgeeks.com/download3155.html Generate a log using HijackThis
and visit any of these forums below to post your HijackThis log. The experts
there will guide you identify and remove the spyware (if present in your
system) http://forums.aumha.org |
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.