Okay, I’m a little outta my element here. After the removal of the win32:ZBot virus on my system I had 2 new problems.

1. My folder options disappeared from my menu’s. So wasn’t able to display hidden folders etc. for a day or so.
   This I was able to repair using gpedit.msc and going to user configuration/administrative templates/windows components/windows explorer and disabling the “remove the folder options menu item from the tools menu” option. All good no punt no foul right?

2. Not as easy. I can no longer download files. When I go to do a download and hit save I get “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” If I hit the run button however it’ll run and open whatever download I go to. This wouldn’t be odd if I was logged under a guest account, but, I AM the administrator. I have tried resetting most of the switches I can find in the GP editor to no avail. so I am figuring either I’m missing the relevant one or I have lost my mind. Can anyone point me in a direction to fix this without completely blowing out this system. I have gotten rid of the virus finally. Hate to blow it out now.

Thankz for any assistance.

Hi LivinTarget,

Install EventLogExplorer through a USB stick from another comp from here:
http://www.eventlogxp.com/download/elex.zip
Check what happened there if you had any LSA negotations lately, check at virustotal.com these files:
kerberos.dll, msv1_0.dll (this one is in C:\WINDOWS\System32\

Give us a hjt logfile scan as an attached txt to your reply posting: http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe (recent version of HJT),

Download ATFCleaner from: http://www.atribune.org/ccount/click.php?id=1
Doubleclick ATF cleaner to start this program .
In tab page “Main”, placetag at Select All.
Then remove the tag at Prefetch.
Click button Empty Selected.

  When you use the Firefox browser:
  Click tab page "Firefox", placetag at Select All.
  Do you want to save the Firefox passwords, tag that window that appears for "No".
  (this will remove the tag at "Firefox saved passwords")
  Click button Empty Selected. 

  When you use Opera, the routine is similar as for Firefox Click tab page "Opera", 
  and repeat the procedure,

  Return to tab page "Main" and push button Exit to close the programme,

polonus

I appreciate the fast response especially on Christmas day.

Here’s where we sit …

Check what happened there if you had any LSA negotations lately

No LSA negotiations that I could find. (Should I generate a file from that also and from what area?)

check at virustotal.com these files: kerberos.dll, msv1_0.dll

Checked both files no virus in either. Log file from Hijack included.

Doubleclick ATF cleaner to start this program . In tab page "Main", placetag at Select All. Then remove the tag at Prefetch. Click button Empty Selected.

Done…

I normally use Avant as a browser so bookmarks/passwords aren’t a major concern I don’t even keep them on my system (except FTP pass’s). Hopefully you can find something on the log according to everything else I can see this POS should be functioning normally. Course now my secondary machine won’t boot today sooo… damn don’t it figure when it rains it pours… hehehe…

I am able to download using a download manager I found out today. Seems kind of odd. Wouldn’t it either allow downloads or not manager or not?

---

The only suspicious items that I can see in your HJT log are …

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

… and these belong to Punkbuster which may be needed to play some games.

---

Nothing strange or suspicious there, infact this is one of the best things to happen to the online gaming community. It’s a multiplayer anti-cheat system, let’s us serious players play it like it should be played. ;D

http://www.evenbalance.com/

@ LivinTarget:

Why don’t you fire up SuperAntispyware(since you already have it installed i see), go to settings - repairs and try the Internet Zone Security Reset. Did that help ?

@ LivinTarget: I’m sorry i haven’t checked out your log in detail before(just woke up), after reviewing it a bit more carefully i can see what the problem is here:

You will need to remove the following items in HijackThis:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Mikey I deeply appreciate it. I think things are fully back to normal. ;D ;D ;D

Hi Miha,

Thanks for handling this one for me, while I was away on Boxing Day, LivinTarget may have uttered a sigh of relief there, this is always the best reward for the malware fighter,

Damian

No problem at all guys …

;D ;D Dude, more than just a sigh of relief. I very DEEPLY appreciate the both of you. Redoing this computer is a bear at best. You’ve saved me HOURS of work literally. I am very grateful to the work and the time ya’ll put into this. That’s why I try not to bother ya’ll unless it’s something I have searched the forums for first. I know it gets redundant repeating a fix over and over so I figure the least I can do is try to figure it out before I bother ya’ll. This is a region of computers (not unlike the programming area) that I have never understood completely and without people like you guyz my life in repair would be VERY intolerable more daze than not. You seem to be the silent group that most people do not have ENOUGH appreciation for. But, only because they only look at their computers through the monitor and don’t realize what happens behind it.

Thankz again
Peace guyz and a Happy New Year to you all.

Target