Author Topic: Windows security settings problem  (Read 28469 times)

ncSkeet

  • Guest
Windows security settings problem
« on: May 14, 2005, 12:08:12 PM »
Whenever I try to run certain programs, a small message window pops up with the following - "Your current security settings do not allow this file to be downloaded." This has been happening for the last week or so. It happens not only when I'm online and using a browser (I generally don't have a problem with it when I'm online. My primary browser is Firefox 1.0.4), but also when I'm not online. For example, it'll happen when I try to open certain "Help" files. The message also appears when I attempt to run CWShredder. It also happens when I try to use my newsreader, SharpReader. The SharpReader program itself will run, and I can click on a news link, but it will not then download and display the news story in the message pane. Instead, the "security settings" message window will appear. I've gone into "Internet Options" in Internet Explorer and made sure the settings are on their default levels, and have even tried some other, less secure personal settings in case that was causing the problem, all to no avail. I've also done much the same with Firefox's settings. I've checked "Security settings" at MSN but have found nothing that helps. Does Windows have security settings that can be checked for problems? (I'm using XP Home SP2 with .NET Framework 1.1 on a Compaq Presario S4000NX with 2.4 GHz Intel Celeron CPU, 504mb RAM, 40Gb hard drive.) I've lost the ability to use some of my favorite programs, so any help would be greatly appreciated.

ncSkeet

merlin_2

  • Guest
Re: Windows security settings problem
« Reply #1 on: May 14, 2005, 02:43:02 PM »
Run.......spysweeper from webroot.com.......what happens if you use internet explorer......six.....

ncSkeet

  • Guest
Re: Windows security settings problem
« Reply #2 on: May 14, 2005, 04:30:42 PM »
I don't have spysweeper, but I did run AdAware, Microsoft Anti-Spyware, AVG Free, Spybot S&D, A Squared, and Spyware Blaster, none of which found anything. If I use IE6, it generally works fine, except for one thing - at one time I had IE set to open with no homepage (to open with a blank page), but after I started having this problem it would show the "about:blank" in the location bar, and I would get the "Your current security settings do not allow this file to be downloaded" message, and also a "What do you want to do with this HTML file?" message, to which I had to answer "save" to get it to go any farther, but then I would get the "security settings" message and be unable to use the browser. But after I changed it back to open/start with my previous homepage (Yahoo), IE would start up with no messages or problems and work just fine. Complicated? You bet...

Fed

  • Moderator


  • Sage
  • Thanked: 35
    • Experience: Experienced
    • OS: Windows XP
    Re: Windows security settings problem
    « Reply #3 on: May 14, 2005, 04:43:45 PM »
    Is all your anti virus/spyware stuff up to date?
    Some time ago Adaware was seeing 'about:blank' as a bug because there was a bug of that name in the wild.

    ncSkeet

    • Guest
    Re: Windows security settings problem
    « Reply #4 on: May 14, 2005, 06:50:39 PM »
    Yep...I manually update it all every day.

    Fed

      Re: Windows security settings problem
      « Reply #5 on: May 14, 2005, 07:53:50 PM »
      Here is a direct download link to Hijackthis, see if you can download & run it.
      Save the link to go back and get your log checked.
      Paste your log in here too and we may be able to see what's going on.
      http://www.hijackthis.de/index.php?langselect=english

      ncSkeet

      • Guest
      Re: Windows security settings problem
      « Reply #6 on: May 14, 2005, 09:16:40 PM »
      When I try to post the entire logfile, I'm told the "message is too long", so I'm going to try to post it in 2 separate posts -

      Part 1:

      Logfile of HijackThis v1.99.1
      Scan saved at 11:03:12 PM, on 5/14/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\taskswitch.exe
      C:\PROGRA~1\WINPAT~1\WinPatrol.exe
      C:\WINDOWS\LTMSG.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\Free Download Manager\fdm.exe
      C:\Program Files\Buzzsaw\Buzzsaw.exe
      C:\Program Files\Capio Utility Manager\CapioUtilityMgr.exe
      C:\Program Files\Rainlendar\Rainlendar.exe
      C:\Program Files\YPOPs\ypops.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\WINDOWS\System32\GEARSEC.EXE
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
      C:\Program Files\JGsoft\EditPadLite\EditPad.exe
      C:\Program Files\Capio Utility Manager\Programs\C_Cmdr.exe
      C:\Program Files\HiJackThis\HijackThis.exe

      ncSkeet

      • Guest
      Re: Windows security settings problem
      « Reply #7 on: May 14, 2005, 09:17:20 PM »
      Part 2:


      ncSkeet

      • Guest
      Re: Windows security settings problem
      « Reply #8 on: May 14, 2005, 09:20:40 PM »
      Well, it's gonna have to be 3 posts-

      Part 2:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
      O1 - Hosts: 64.246.62.201 http://www.bootlegzone.com
      O1 - Hosts: 207.171.175.35 http://www.amazon.com
      O1 - Hosts: 193.86.103.19 guru.grisoft.com
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
      O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\WINPAT~1\WinPatrol.exe"
      O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
      O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
      O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
      O4 - Global Startup: Buzzsaw.exe.lnk = C:\Program Files\Buzzsaw\Buzzsaw.exe
      O4 - Global Startup: Capio Utilities.lnk = C:\Program Files\Capio Utility Manager\CapioUtilityMgr.exe
      O4 - Global Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
      O4 - Global Startup: ypops.exe.lnk = C:\Program Files\YPOPs\ypops.exe
      O8 - Extra context menu item: &Acronym Finder lookup... - http://www.acronymfinder.com/iesearch/
      O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
      O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
      O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
      O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
      O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
      O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
      O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
      O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
      O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
      O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
      O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
      O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
      O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
      O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
      O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
      O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

      ncSkeet

      • Guest
      Re: Windows security settings problem
      « Reply #9 on: May 14, 2005, 09:25:25 PM »
      Part 3:

      O15 - Trusted Zone: http://*.conxion.com (HKLM)
      O15 - Trusted Zone: www.excite.com (HKLM)
      O15 - Trusted Zone: http://*.windowsupdate.com (HKLM)
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
      O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
      O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
      O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      Don't know how part 1 got reposted as part 2...must have hit a button without realizing it.

      Got this from the automatic scan:

      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
      Unnecessarily: The entry Messenger has been identified as safe. If the entry 'Messenger ' is not needed anymore, it should be fixed.
      Unnecessary (deactivated) entry that can be fixed.

      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
      Unnecessarily: The entry Windows Messenger has been identified as safe. If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
      Unnecessary (deactivated) entry that can be fixed.

      O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
      Possibly nasty: Only a few Hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.

      O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
      Possibly nasty: Only a few Hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.

      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      Unknown

      Fed

        Re: Windows security settings problem
        « Reply #10 on: May 14, 2005, 09:44:47 PM »
        I ran your logs & got quite a load of nasties, scan again & save the logfile, then go back to the site, browse your computer for the saved file & analyse it at the site.
        You then need to carefully read the results and remove the things you're sure are nasty.

        I was going to make some suggestions but it's your computer so you will have a better idea what should or shouldn't be there.

        « Last Edit: May 14, 2005, 09:48:39 PM by Fed »

        ncSkeet

        • Guest
        Re: Windows security settings problem
        « Reply #11 on: May 14, 2005, 09:54:40 PM »
        I've checked everything out that was listed as nasty or unknown, and none of them are anything to be concerned about. For example, the .dll's checked out as harmless, and the "msmsgs.exe (file missing)" is there probably because I have the messenger disabled. These:

        O1 - Hosts: 64.246.62.201 http://www.bootlegzone.com
        Nasty: This entry should be fixed immediately! Must be fixed!
        O1 - Hosts: 207.171.175.35 http://www.amazon.com
        Nasty: This entry should be fixed immediately! Must be fixed!
        O1 - Hosts: 193.86.103.19 guru.grisoft.com
        Nasty: This entry should be fixed immediately! Must be fixed!

        are changes I've deliberately made to my HOSTS file. The rest are explainable and not nasty.

        ncSkeet
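
The review done by hand in the posts above (hosts-file overrides flagged by the analyzer, "(file missing)" entries, and the owner confirming which ones are deliberate) can be scripted. This is an added example, not part of any post in the thread: the sample lines are copied from the log posted above, and the function names and the `deliberate` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
O1 - Hosts: 64.246.62.201 http://www.bootlegzone.com
O1 - Hosts: 207.171.175.35 http://www.amazon.com
O1 - Hosts: 193.86.103.19 guru.grisoft.com
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
"""

# "<code> - <detail>", where code is a section id such as R0, O1 or O23.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group entry lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def hosts_overrides(sections):
    """Return (ip, name, has_scheme) for each O1 hosts-file entry."""
    found = []
    for detail in sections.get("O1", []):
        m = HOSTS_RE.match(detail)
        if m:
            ip, name = m.groups()
            found.append((ip, name, "://" in name))
    return found


def triage(text, deliberate=()):
    """Report hosts overrides not yet explained, plus entries whose file is gone."""
    sections = parse_log(text)
    explained = set(deliberate)  # (ip, name) pairs the owner confirmed adding
    hosts = hosts_overrides(sections)
    return {
        "open_hosts": [h for h in hosts if (h[0], h[1]) not in explained],
        "scheme_in_name": [h[1] for h in hosts if h[2]],
        "file_missing": [(code, d) for code, items in sections.items()
                         for d in items if d.endswith("(file missing)")],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, deliberate=[("193.86.103.19", "guru.grisoft.com")]))
```

A hosts file maps bare hostnames, so the two names that carry `http://` are reported separately in `scheme_in_name` for a second look.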

        Fed

          Re: Windows security settings problem
          « Reply #12 on: May 14, 2005, 10:08:28 PM »
          You have good AV programs there but it's horses for courses, can you download, update & run 'ewido', I have had very good results with this when all else has failed.
          I still feel it's a virus. ???

          ncSkeet

          • Guest
          Re: Windows security settings problem
          « Reply #13 on: May 15, 2005, 12:28:02 AM »
          Thanks for the suggestion, but I would prefer not to have to download anymore anti-spyware software, particularly something that will disable itself after a few weeks. I'll keep looking around, though...

          Fed

            Re: Windows security settings problem
            « Reply #14 on: May 15, 2005, 12:48:34 AM »
            You could uninstall it after use.