PC cleared of malware: still ain't workin' right!


  • This topic is locked
73 replies to this topic

#1 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 30 December 2007 - 04:37 PM

Rorschach112 sent me here for my problem and has confirmed my PC is now clean from all malware.

I use Windows XP Media Center Edition (SP2)

I now log on to the net using the My Connection Wizard as opposed to my ISP dialer as per suebaby41's suggestion. My problem is that if I log onto the net, use it for a time, log off, and then try to log back on it will not log back on (I get a "All devices connected. Error 50: The request is not supported." dialog box). I have to reboot in order to log back on. Also when I boot up Windows Installer pops up trying to install something in (or from) my ChromaPix SSTV Workstation folder, failing, and then shutting down. Rorschach112 suggested I delete all registry entries pertaining to this program, but it still tries to install to or from this folder (I now get a "Internal Error 2718 (67C950A9-8361-11D4-892B-00E018908519)" dialog box; when I click the "OK" button it closes). If I use Internet Explorer it pops up every time I change web pages or sites. The machine seems a bit slow also. Also when I try to use a flash drive while I'm on the net it's as if the PC will not recognize it; I have to plug it in before I log on or plug it in when I log off; Windows Media Player and all system sounds seem to stop too. All work fine as soon as I'm offline. :scratchhead: The problems started after I got a virus. :weep: I just found another problem, very minor (more like a quirk). I had made Opera my default browser; I changed it back to Internet Explorer and in IE under Favorites the icons have the usual "e" icon, but they change to the "O" icon (as if they're still linked to Opera). But they work fine! :wtf: I don't know if you need a HiJackThis log or something else, so I will wait for instructions. Thanks for any help! ;D


Addendum:

I just upgraded Comodo Firewall Professional to a newer version. I had to reboot to completely remove the old version (I had no firewall installed at all or active after that). The Windows Installer didn't pop up at bootup; when I installed the new version and rebooted it reappeared.

Edited by ZuluMan, 05 January 2008 - 11:18 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 02 January 2008 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 15 January 2008 - 10:49 AM

Hi,

Sorry for this long delay.

You have a number of problems that may or may not be related to an infection.

I will try to help you as much as I can.

For a start make sure you have the latest version of HijackThis.


Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.
*/*

Familiarize yourself with this combofix tool.
http://www.bleepingc...to-use-combofix

It's IMPORTANT to carry out the instructions in the sequence listed below.
***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Let me see the logs.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 ZuluMan

Posted 15 January 2008 - 10:23 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:23 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isp.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\advancedsearchbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Echoirlp - {74966D20-B75C-43A0-98C7-DA4A60767175} - C:\Program Files\Echoirlp Toolbar\Echoirlp.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Přečti to! - C:\WINDOWS\Speech\gbs\Precti_to.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Toggle Echoirlp toolbar - {FDED5795-690D-4609-AF10-3441BE9A2AAD} - C:\Program Files\Echoirlp Toolbar\Echoirlp.dll
O9 - Extra 'Tools' menuitem: &Echoirlp toolbar - {FDED5795-690D-4609-AF10-3441BE9A2AAD} - C:\Program Files\Echoirlp Toolbar\Echoirlp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172980391203
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.kscasino....liner/setup.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EB19D52-7836-4896-ACC6-87AE6E128231}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EB19D52-7836-4896-ACC6-87AE6E128231}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EB19D52-7836-4896-ACC6-87AE6E128231}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 9143 bytes




ComboFix 08-01-16.3 - Owner 2008-01-15 20:56:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.45 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 20:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 20:31 . 2008-01-15 20:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 17:53 . 2008-01-14 18:05 <DIR> d-------- C:\Program Files\USASS
2008-01-10 15:07 . 2008-01-10 15:11 <DIR> d-------- C:\Program Files\ZonedOut
2008-01-05 22:55 . 2008-01-05 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-01-05 22:55 . 2008-01-05 22:55 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-05 22:55 . 2008-01-05 22:55 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 15:35 . 2007-12-26 15:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-12-26 15:35 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-26 15:31 . 2008-01-11 08:37 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-26 15:15 . 2007-12-26 15:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-26 15:15 . 2007-12-26 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 15:14 . 2007-12-26 15:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-26 09:35 . 2007-12-26 09:35 <DIR> d-------- C:\Program Files\RegSearch
2007-12-16 13:54 . 2007-12-16 13:54 <DIR> d-------- C:\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 00:12 --------- d-----w C:\Program Files\Speak & Roil
2008-01-14 23:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-14 22:55 139,008 ----a-w C:\WINDOWS\system32\guard32.dll
2008-01-13 15:11 --------- d-----w C:\Program Files\ian's iBeat v.1.4 engine
2008-01-13 15:07 --------- d-----w C:\Program Files\ian's iBeat 2.0 Beta1
2008-01-13 15:04 --------- d-----w C:\Program Files\Defractor
2008-01-11 14:37 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-10 20:25 --------- d-----w C:\Program Files\AdvancedSearchbar
2008-01-10 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-09 16:06 --------- d-----w C:\Program Files\eMule
2008-01-06 05:38 --------- d-----w C:\Program Files\sfArk
2008-01-06 05:32 --------- d-----w C:\Program Files\WaveGen
2008-01-06 04:55 --------- d-----w C:\Program Files\COMODO
2008-01-06 04:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Comodo
2008-01-05 18:55 --------- d-----w C:\Program Files\YukonGold
2007-12-28 16:28 --------- d-----w C:\Program Files\Delta SP
2007-12-27 16:18 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-14 14:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-12-13 21:50 --------- d-----w C:\Program Files\MatroskaProp
2007-12-13 21:41 --------- d-----w C:\Program Files\Echoirlp Toolbar
2007-12-13 21:40 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-13 21:19 --------- d-----w C:\Program Files\BigFix
2007-12-11 16:39 --------- d-----w C:\Program Files\AV Music Morpher Gold
2007-12-03 02:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-12-02 16:46 --------- d-----w C:\Program Files\BW
2007-12-02 16:41 --------- d-----w C:\Program Files\Draw The Sound
2007-12-02 16:22 --------- d-----w C:\Program Files\Coagula
2007-12-02 16:21 --------- d-----w C:\Program Files\Audioblast
2007-12-02 15:37 --------- d-----w C:\Program Files\Auto Recorder v3.0
2007-11-29 22:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-29 17:27 --------- d-----w C:\Program Files\Java
2007-11-28 14:38 --------- d-----w C:\Program Files\Common Files\Agnitum Shared
2007-11-27 15:23 --------- d-----w C:\Program Files\Agnitum
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-19 02:25 191,172 ------w C:\Program Files\Simmolatorstf.tmp
2007-01-01 19:13 0 ------w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-09-09 06:10 2,441 ------w C:\Program Files\DOSBox-0.jpg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{74966D20-B75C-43A0-98C7-DA4A60767175}
{57F02779-3D88-4958-8AD3-83C12D86ADC7}

[HKEY_CLASSES_ROOT\clsid\{74966d20-b75c-43a0-98c7-da4a60767175}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp.1]
[HKEY_CLASSES_ROOT\TypeLib\{FDED5795-690D-4609-AF10-3441BE9A2AAD}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{74966D20-B75C-43A0-98C7-DA4A60767175}"= C:\Program Files\Echoirlp Toolbar\Echoirlp.dll [2003-06-26 07:57 274432]

[HKEY_CLASSES_ROOT\clsid\{74966d20-b75c-43a0-98c7-da4a60767175}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp.1]
[HKEY_CLASSES_ROOT\TypeLib\{FDED5795-690D-4609-AF10-3441BE9A2AAD}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 19:44 139264]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-26 17:25 16120832 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 14:03 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 13:24 36904]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-01-05 22:55 1481472]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 0
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ultra Hal Text-to-Speech Reader Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ultra Hal Text-to-Speech Reader Startup.lnk
backup=C:\WINDOWS\pss\Ultra Hal Text-to-Speech Reader Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\AOL 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1149931830\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149931830\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--------- 2006-11-07 14:49 1121280 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2005-05-19 22:18 1646691 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-02-18 10:48 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1149931830\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerboseRun]
--------- 2006-09-08 13:31 344068 C:\Program Files\NCH Swift Sound\Verbose\verbose.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McrdSvc"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"McAfee HackerWatch Service"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-05 22:55]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-05 22:55]
R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2007-04-17 15:51]
R2 DXSOFTIO;DXSOFTIO;C:\WINDOWS\system32\drivers\DXSOFTIO.sys [2000-11-22 21:05]
R2 musm3gld;musm3gld;C:\WINDOWS\system32\drivers\musm3gld.sys [2006-02-24 08:37]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2006-07-16 00:15]
R3 reaudio;REAUDIO - RigExpert Virtual Sound Card;C:\WINDOWS\system32\drivers\reaudio.sys [2005-04-16 21:26]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\screamingbdriver.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-02-11 16:31:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 07:00:36 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 21:12:14
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\syncpipe.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\syncpipe.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\syncpipe.dll
.
Completion time: 2008-01-15 21:18:30
ComboFix-quarantined-files.txt 2008-01-16 03:18:13
.
2008-01-09 12:18:17 --- E O F ---

Edited by ZuluMan, 15 January 2008 - 10:36 PM.
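
A small triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread or of HijackThis itself: it groups entries by section code and marks the kinds of lines a reviewer usually checks by hand. The sample lines are copied from the log above; the hint names and rules are assumptions of this example and are review prompts, not verdicts.

```python
import re
from collections import defaultdict

# A HijackThis entry line starts with a section code (R0, O2, O23, ...) and " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Review hints: assumptions of this example. Each one only says "look at this
# line by hand"; most flagged entries turn out to be legitimate software.
HINTS = [
    ("file missing", lambda code, body: body.endswith("(file missing)")),
    ("unknown owner", lambda code, body: code == "O23" and " - Unknown owner - " in body),
    ("unnamed BHO", lambda code, body: code == "O2" and body.startswith("BHO: (no name)")),
    ("AppInit_DLLs set", lambda code, body: code == "O20" and body.startswith("AppInit_DLLs:")),
    ("static DNS server", lambda code, body: code == "O17" and "NameServer" in body),
]

# Sample input assembled from lines of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\lsass.exe
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EB19D52-7836-4896-ACC6-87AE6E128231}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


def parse_entries(log_text):
    """Return (section_code, body) for every entry line, in log order."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text):
    """Group entries by section and collect the ones that match a review hint."""
    by_section = defaultdict(list)
    flagged = []
    for code, body in parse_entries(log_text):
        by_section[code].append(body)
        hints = [name for name, test in HINTS if test(code, body)]
        if hints:
            flagged.append((code, body, hints))
    return dict(by_section), flagged


if __name__ == "__main__":
    sections, flagged = triage(SAMPLE_LOG)
    for code in sorted(sections):
        print(f"{code}: {len(sections[code])} entries")
    print()
    for code, body, hints in flagged:
        print(f"[{', '.join(hints)}] {code} - {body}")
```
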


#5 nasdaq

Posted 17 January 2008 - 10:18 AM

Your logs are clean.

I googled this string all devices connected error 50

Found a few interesting articles that may help you solve this problem.

http://forums.pcpits...hp/t114409.html
http://www.modemsite.../56k/duns50.asp

Continue with this search if you still have this problem.
*/*

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
Posted Image
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

#6 ZuluMan

Posted 18 January 2008 - 11:07 AM

I installed CCleaner and ran it; also checked out the links on the Error 50 problem. I deleted my Netscape Dialer, web accelerator and PC Booster memory manager as per the Error 50 links' instructions; no change, problems still there. :weep:

Edited by ZuluMan, 18 January 2008 - 11:11 AM.


#7 ZuluMan

Posted 18 January 2008 - 11:09 AM

deleted

Edited by ZuluMan, 18 January 2008 - 11:11 AM.


#8 nasdaq

Posted 19 January 2008 - 10:57 AM

Any luck with the two links I gave you?

Did you try to google the string and see if you can find some common denominator?

#9 ZuluMan

Posted 21 January 2008 - 05:37 PM

Had no luck with the 2 links you gave me. :weep: Will keep trying Google.

#10 ZuluMan

Posted 23 January 2008 - 04:26 PM

I went to the following site:

http://forums.practi...read.php?t=6781

It has a possible solution. It requires Microsoft's RARepair program, which I have downloaded. Before I run RARepair it says I must delete my present modem driver. I would rather remove it temporarily since I don't have a install program to reinstall it, so how do I do that so that I can run this program and then reinstall my driver? Or should I just search the web for a possible updated modem driver?:scratchhead:

Edited by ZuluMan, 23 January 2008 - 04:28 PM.


#11 nasdaq

Posted 24 January 2008 - 08:35 AM

I would rather remove it temporarily since I don't have a install program to reinstall it.


Removing the hardware modem from the Add/Remove Hardware tool will require you to reinstall the modem via the same route.

If you do not have the Modem driver installation disk you may be out of luck.
Unless the driver is available on the Windows XP installation disk.

Look around on the net for a copy of the modem driver for your type of Modem.
If found, then copy it to a floppy disk or CD. When you reinstall, your best bet would be to use the XP CD first, and if it contains the modem driver then select it. If it is not on the XP CD, then use the copy of the modem driver you downloaded.

On the other hand why not try first to add a new DUN (Dial up networking) and see if the new setup works, that may be all you need to do. Check with your ISP to make sure that you have the correct settings.

#12 nasdaq

Posted 04 February 2008 - 10:49 AM

Glad we could help. :)

[Reopened]

Everyone else please begin a New Topic.

#13 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 06 February 2008 - 08:07 PM

Reopened at request of topic owner.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 06 February 2008 - 09:03 PM

ZuluMan

I'm listening.

#15 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 06 February 2008 - 11:08 PM

Hello and thanks for reopening! :thumbsup:

I ran RArepair and it's solved my "Error 50" problem. :thumbup: But the Windows Installer pop-up problem is still there. Also I have discovered another problem: any System Restore points are either not actually being created or are being deleted. I created one yesterday as an experiment and today it's not there. :weep: The IE favorites problem as described above is still there too. The virus I had apparently did quite a number on this machine!

Edited by ZuluMan, 06 February 2008 - 11:10 PM.


#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 07 February 2008 - 07:39 AM

On the System restore problem. Try this fix.

How to reinstall System Restore.
http://bertk.mvps.or.../reinstall.html
*/*

Favorites - Icon.

If you open a favorite link and save the link again do you get the IE icon back?

Read post no. 5 in this topic.
http://forums.cnet.c...ssageID=2383289

Download FavOrg 1.4 from this site.
http://www.softpedia...rs/favorg.shtml

It will help you manage the Favorites icons. It may even give you some options to manage your icons in accordance with the subject at hand.
*/*

Windows Installer pop-up problem.

Run this cleaning tool. Let me know if the problem persists.

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
Posted Image
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit
*/*

#17 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 07 February 2008 - 01:50 PM

Reinstalling System Restore did not help, FavOrg didn't help, ran CCleaner, Installer still pops up. :weep:

#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 07 February 2008 - 03:29 PM

Delete the combofix.exe file.

Download the new version, see post no 3.

Submit the logs.

#19 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 07 February 2008 - 09:45 PM

I followed the instructions for using ComboFix to install the Recovery Console the last time I downloaded and used ComboFix. Apparently it did not get installed for some reason. :scratchhead:



ComboFix 08-02.05.3 - Owner 2008-02-07 21:15:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.97 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 21:09 . 2008-02-07 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 12:30 . 2008-02-07 13:10 <DIR> d-------- C:\Program Files\FavOrg
2008-02-05 11:39 . 2002-01-26 13:53 74,304 --a------ C:\WINDOWS\system32\rarepair.exe
2008-01-18 09:12 . 2008-01-18 09:12 2,608 --a------ C:\WINDOWS\system32\settings.aaw
2008-01-18 09:12 . 2008-01-18 09:12 960 --a------ C:\WINDOWS\system32\history.aaw
2008-01-16 09:27 . 2008-01-16 09:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 09:27 . 2008-01-16 09:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-15 23:35 . 2008-02-06 10:05 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-01-15 23:10 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-14 17:53 . 2008-01-14 18:05 <DIR> d-------- C:\Program Files\USASS
2008-01-10 15:07 . 2008-01-10 15:11 <DIR> d-------- C:\Program Files\ZonedOut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 18:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-07 16:47 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-06 23:55 --------- d-----w C:\Program Files\AV Music Morpher Gold
2008-02-06 16:08 --------- d-----w C:\Program Files\SpywareGuard
2008-02-06 16:05 83,064 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-06 16:05 23,800 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-06 04:23 --------- d-----w C:\Program Files\eMule
2008-02-06 03:14 --------- d-----w C:\Program Files\AdvancedSearchbar
2008-01-18 14:50 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-01-15 00:12 --------- d-----w C:\Program Files\Speak & Roil
2008-01-13 15:11 --------- d-----w C:\Program Files\ian's iBeat v.1.4 engine
2008-01-13 15:07 --------- d-----w C:\Program Files\ian's iBeat 2.0 Beta1
2008-01-13 15:04 --------- d-----w C:\Program Files\Defractor
2008-01-09 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-06 05:38 --------- d-----w C:\Program Files\sfArk
2008-01-06 05:32 --------- d-----w C:\Program Files\WaveGen
2008-01-06 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-01-06 04:55 --------- d-----w C:\Program Files\COMODO
2008-01-06 04:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Comodo
2008-01-05 18:55 --------- d-----w C:\Program Files\YukonGold
2007-12-28 16:28 --------- d-----w C:\Program Files\Delta SP
2007-12-27 16:18 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-27 15:15 --------- d-----w C:\Program Files\ERUNT
2007-12-26 21:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Grisoft
2007-12-26 21:15 --------- d-----w C:\Program Files\Lavasoft
2007-12-26 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 21:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-26 15:35 --------- d-----w C:\Program Files\RegSearch
2007-12-14 14:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-12-13 22:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-13 21:50 --------- d-----w C:\Program Files\MatroskaProp
2007-12-13 21:41 --------- d-----w C:\Program Files\Echoirlp Toolbar
2007-12-13 21:40 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-13 21:19 --------- d-----w C:\Program Files\BigFix
2007-07-19 02:25 191,172 ------w C:\Program Files\Simmolatorstf.tmp
2007-01-01 19:13 0 ------w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-09-09 06:10 2,441 ------w C:\Program Files\DOSBox-0.jpg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{74966D20-B75C-43A0-98C7-DA4A60767175}
{57F02779-3D88-4958-8AD3-83C12D86ADC7}

[HKEY_CLASSES_ROOT\clsid\{74966d20-b75c-43a0-98c7-da4a60767175}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp.1]
[HKEY_CLASSES_ROOT\TypeLib\{FDED5795-690D-4609-AF10-3441BE9A2AAD}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{74966D20-B75C-43A0-98C7-DA4A60767175}"= C:\Program Files\Echoirlp Toolbar\Echoirlp.dll [2003-06-26 07:57 274432]

[HKEY_CLASSES_ROOT\clsid\{74966d20-b75c-43a0-98c7-da4a60767175}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp.1]
[HKEY_CLASSES_ROOT\TypeLib\{FDED5795-690D-4609-AF10-3441BE9A2AAD}]
[HKEY_CLASSES_ROOT\TBW.Echoirlp]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 19:44 139264]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-26 17:25 16120832 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 14:03 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 13:24 36904]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-02-06 09:20 5046016]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 0
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ultra Hal Text-to-Speech Reader Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ultra Hal Text-to-Speech Reader Startup.lnk
backup=C:\WINDOWS\pss\Ultra Hal Text-to-Speech Reader Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\AOL 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1149931830\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149931830\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--------- 2006-11-07 14:49 1121280 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--------- 2005-05-19 22:18 1646691 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-02-18 10:48 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
C:\Program Files\Common Files\AOL\1149931830\ee\SSCRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerboseRun]
--------- 2006-09-08 13:31 344068 C:\Program Files\NCH Swift Sound\Verbose\verbose.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--------- 2007-08-30 16:43 4670704 C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MPS9"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McrdSvc"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=3 (0x3)
"McAfee HackerWatch Service"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-06 10:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-06 10:05]
R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2007-04-17 15:51]
R2 DXSOFTIO;DXSOFTIO;C:\WINDOWS\system32\drivers\DXSOFTIO.sys [2000-11-22 21:05]
R2 musm3gld;musm3gld;C:\WINDOWS\system32\drivers\musm3gld.sys [2006-02-24 08:37]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2006-07-16 00:15]
R3 reaudio;REAUDIO - RigExpert Virtual Sound Card;C:\WINDOWS\system32\drivers\reaudio.sys [2005-04-16 21:26]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\screamingbdriver.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b20aa1-f860-11da-b187-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-02-11 16:31:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 07:00:36 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 21:23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\syncpipe.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
-> C:\WINDOWS\system32\syncpipe.dll
.
Completion time: 2008-02-07 21:29:38
ComboFix-quarantined-files.txt 2008-02-08 03:29:32
ComboFix2.txt 2008-01-16 03:18:47
.
2008-01-09 12:18:17 --- E O F ---

#20 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 08 February 2008 - 09:21 AM

Do not run it just now but when you boot your computer are you given a choice to run the Recovery console?


Open this file in bold c:\boot.ini and post the contents.

Let me know what problem persists.

#21 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 09 February 2008 - 10:35 PM

When I boot up there is no choice to run the Recovery Console. It boots straight into Windows. Also, 3 thorough searches of my hard drive including all hidden folders using the Windows Explorer Search function did not find a "boot.ini" file. :huh: The closest thing to it was a "boot.ini.backup" file in C:\WINDOWS\pss. I did press F11 on bootup just to see what system recovery choices could be available. When I did a dialog box came up saying something to the effect that there was some problem with System Restore and stated that I must use the system reinstallation disk to reinstall System Restore before I could continue. I thought I needed to give you this info and get feedback from you before I did anything. I just hope I don't have to reinstall Windows in its entirety to get this fool thing back to proper working order, but it's sure looking in that direction. :weep:

Edited by ZuluMan, 09 February 2008 - 10:36 PM.


#22 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 14 February 2008 - 08:29 AM

I just found a way to possibly let you know what I need to do about the Windows Installer pop-up problem. I have Comodo Firewall Pro installed and it lets you know exactly what is trying to change what and where. When it pops up here is what is going on:

msi.exe tried to change the following files under C:\WINDOWS\system32\ :

Lfpng12n.dll
Lfwmf12n.dll
LFPNM12n.dll
THREED20.OCX
GRID32.OCX
lffax12n.dll
SPUBCLS.OCX
SPDSP230.dll
SPRX230.OCX
COMCT232.OCX
COMCTL32.OCX
CDMDLG32.OCX
MSCOMCTL.OCX
MSWINSCK.OCX

and the following files under C:\Program Files\Silicon Pixels\CPIX\ :

CCAP.exe
CPIX.exe
cscan.exe

Hope this helps ;D

#23 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 14 February 2008 - 10:42 AM

What did you install last?

Find this file msi.exe and check the properties. It should be from Microsoft.
Tell me also where it's located.


http://www.bleepingc....dll-38089.html
Filename: lfpng12n.dll
Directory: C:\Program Files\Panasonic\MotionDV STUDIO LE for DV\
Company Name: LEAD Technologies, Inc.
*/*

http://www.fbmsoftwa...mf12n_dll/1360/
Description of Lfwmf12n.dll
This is a component of SnagIt

lffax12n.dll also part of SnagIt.
*/*

LFPNM12n.dll
Related to:
Company Name: LEAD Technologies, Inc.
*/*

SPRX230.OCX
http://www.siteadvis...nloads/2822210/
ChromaPIX SSTV Workstation 1.6.0
*/*

http://www.siteadvis...nloads/2822210/
and the following files under C:\Program Files\Silicon Pixels\CPIX\ :
Also related to ChromaPIX SSTV Workstation 1.6.0
CCAP.exe
CPIX.exe
cscan.exe


Nothing found on these files.
SPUBCLS.OCX
SPDSP230.dll
*/*

Keep me posted.

#24 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 14 February 2008 - 05:20 PM

deleted

Edited by ZuluMan, 14 February 2008 - 05:39 PM.


#25 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 14 February 2008 - 05:38 PM

I made a mistake: it's not msi.exe, it's msiexec. Sorry!! :blush:

I did a search on msiexec and this is what I found:


MsiExec.exe.8cb23528.ini.inuse was found in C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory. Properties stated "Unknown application".

MSIEXEC.EX_ was found in C:\WINDOWS\I386. Properties stated "Unknown application".

MSIEXEC.EXE-2F8A8CAE.pf was found in C:\WINDOWS\Prefetch. Properties stated "StuffIt encoded file". StuffIt is a file compressor\decompressor much like WinRAR and WinZip.

msiexec.exe was found in C:\WINDOWS\system32. Properties stated "Windows installer. Copyright Microsoft Corporation." I'll bet this is the only legitimate one of the bunch ;) .


I think the top one is the problem. I remember a program I have (can't remember which one) that had to access the C:\Documents and Settings area and the Installer popped up. Also when I access this forum (and other forums as well) it pops up, and on every page change if I use Internet Explorer. Other browsers don't have the problem. The problem is not quite as bad since I reinstalled my DUN with RArepair.

I can't tell you what I installed last. This has been going on since the last of August last year (when I got the virus :ugh: ) and I honestly can't remember. :scratchhead: All my problems have been going on ever since then, not before.

Thanks for your help!! :thumbup:

Edited by ZuluMan, 14 February 2008 - 06:13 PM.
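
Added example (not part of the original thread): the four search hits listed in this post, triaged by file name and location, the two things asked about in post #23. The `classify_hit` and `triage` helpers, the verdict labels and the last sample path are constructed for illustration, and the check also flags same-named or double-extension executables outside system32, which goes a little beyond the hits found here.

```python
import ntpath
import re

# Assumption for this example: the genuine binary lives here on this XP install.
EXPECTED_DIR = r"c:\windows\system32"
PREFETCH_DIR = r"c:\windows\prefetch"
# Prefetch traces are named <EXE NAME>-<8 hex digits>.pf
PREFETCH_RE = re.compile(r"^(?P<exe>.+\.exe)-[0-9a-f]{8}\.pf$")
# Extensions that Windows runs directly when opened.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def classify_hit(path, binary="msiexec.exe"):
    """Return (verdict, reason) for one search hit on a system binary name."""
    directory, name = ntpath.split(ntpath.normpath(path))
    directory, name, binary = directory.lower(), name.lower(), binary.lower()

    # Exact name: only the expected directory is normal.
    if name == binary:
        if directory == EXPECTED_DIR:
            return ("expected", "normal location; still check the publisher in Properties")
        return ("suspicious", "system binary name outside " + EXPECTED_DIR)

    # Prefetch trace for the binary.
    match = PREFETCH_RE.match(name)
    if match and match.group("exe") == binary:
        if directory == PREFETCH_DIR:
            return ("artifact", "prefetch trace written by Windows, not a program")
        return ("review", "prefetch-style name outside the Prefetch folder")

    # Compressed setup source: last character of the extension becomes "_".
    if name == binary[:-1] + "_":
        if ntpath.basename(directory) == "i386":
            return ("artifact", "compressed setup source file")
        return ("review", "compressed-file name outside an I386 folder")

    # Binary name followed by further extensions.
    if name.startswith(binary + "."):
        if ntpath.splitext(name)[1] in EXEC_EXTS:
            return ("suspicious", "executable hiding behind a double extension")
        return ("review", "data file that only embeds the binary's name")

    return ("unrelated", "name does not match " + binary)


def triage(paths, binary="msiexec.exe"):
    """Classify every hit and return (path, verdict, reason) tuples."""
    return [(p,) + classify_hit(p, binary) for p in paths]


# The first four paths are the hits reported in the post above;
# the last one is constructed to show what a masquerading copy looks like.
SAMPLE_HITS = [
    r"C:\Documents and Settings\Owner\Local Settings\Application Data"
    r"\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse",
    r"C:\WINDOWS\I386\MSIEXEC.EX_",
    r"C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf",
    r"C:\WINDOWS\system32\msiexec.exe",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\msiexec.exe",
]

if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_HITS):
        print(f"{verdict:<10} {path}\n           {reason}")
```

The "expected" verdict only says the location is right; the publisher shown in the file's Properties is still the check that post #23 asks for.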


#26 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 15 February 2008 - 07:20 AM

Delete this one, just in case keep it in your recycle bin for a while.

MsiExec.exe.8cb23528.ini.inuse was found in C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory. Properties stated "Unknown application".

The I386 folder is your Operating backup files. It's ok.
MSIEXEC.EX_ was found in C:\WINDOWS\I386. Properties stated "Unknown application".

Correct.
msiexec.exe was found in C:\WINDOWS\system32. Properties stated "Windows installer. Copyright Microsoft Corporation." I'll bet this is the only legitimate one of the bunch .

Use the tool below to clean your prefetch folder.
MSIEXEC.EXE-2F8A8CAE.pf was found in C:\WINDOWS\Prefetch. Properties stated "StuffIt encoded file". StuffIt is a file compressor\decompressor much like WinRAR and WinZip.

Download ATF Cleaner by Atribune from here http://www.atribune....tent/view/25/1/ and save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.
*/*

Let me know if the problem persists.

#27 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 15 February 2008 - 08:19 AM

Installer still pops up. :weep:

#28 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 16 February 2008 - 09:41 AM

Search your computer for all .ini files.

Use the Search for and in the file search box enter *.ini

Click the modified date button and post the last recent filenames you have.

#29 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 17 February 2008 - 09:45 PM

I have found 121 .ini files that have been created since August of last year (when I got the virus). I am a lousy typist :blush: and it would take forever for me to manually type every file name. Is there a way to take the list of what I have found and convert it to a text file so I can post it? I tried to find a way myself but couldn't. :scratchhead:

Edited by ZuluMan, 17 February 2008 - 09:47 PM.


#30 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 18 February 2008 - 08:03 AM

Have the Installer popups been happening since last August?

#31 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 19 February 2008 - 08:12 AM

Yes, ever since I got a virus. :weep:

#32 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 19 February 2008 - 08:46 AM

I do not need to see all the .ini files.

Use the Search for and in the file search box enter *.ini

Click the modified date button and post the filenames dated last August.
*/*

Also, let me see the results of this scan.

Download Silent Runners - http://www.silentrun....org/index.html
Place it in its own folder.
Double-click "Silent Runners.vbs", it will create a text file.
Note: if you get a pop-up warning about a "script" file, ignore and allow it to run completely.
Post the content of the text file back to this thread.

#33 ZuluMan

ZuluMan

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 19 February 2008 - 06:10 PM

August '07 .ini files:

override_downloaded.ini
plugin-ignore.ini
profiles.ini
log.ini
54694_291920.ini
WAVECRFT.INI
ymsgipdl.ini
ymsgr.ini

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"readericon" = "C:\Program Files\Digital Media Reader\readericon45G.exe" ["Alcor Micro, Corp."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SiteAdvisor" = "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" ["McAfee, Inc."]
"COMODO Firewall Pro" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" ["COMODO"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}\(Default) = "PosHelp"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL" ["Advanced Search Technologies, Inc"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}" = "Record ISO Image to CD"
-> {HKLM...CLSID} = "CISORecorderContextMenu Object"
\InProcServer32\(Default) = "C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
"{AC80D361-5961-11d3-802D-9229DCC61331}" = "Sampled SPC Files Shell Extension"
-> {HKLM...CLSID} = "Sampled SPC Files Shell Extension by Neurodancer"
\InProcServer32\(Default) = "C:\Program Files\Neurodancer\Sampled\spcshellextension.dll" ["Neurodancer"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{780BCB64-0CAF-473c-A9FC-E08C03D75515}" = "Matroska Shell Extension, Properties Page CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Prop Page CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
"{78DC191E-EFC1-4532-9A71-224577A86A7D}" = "Matroska Shell Extension, Thumbnail Handler CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Thumbnail Handler CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
"{794D04CA-70AC-4020-80EB-FFD59DEF8027}" = "Matroska Shell Extension, Tooltip Provider CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Tooltip Provider CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
"{789111D8-68A3-46a3-9663-145A3FF4C9C9}" = "Matroska Shell Extension, ContextMenu CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Context Menu CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
"{781395AF-A127-469f-A06F-59B482AF4F3F}" = "Matroska Shell Extension, Column Provider CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Column Provider CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{57F02779-3D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]
"{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}" = "Advanced Searchbar"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL" ["Advanced Search Technologies, Inc"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = " C:\WINDOWS\system32\guard32.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{781395AF-A127-469f-A06F-59B482AF4F3F}\(Default) = "The Matroska Shell Extension, Column Provider CLSID"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Column Provider CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
MatroskaContextMenu\(Default) = "{789111D8-68A3-46a3-9663-145A3FF4C9C9}"
-> {HKLM...CLSID} = "The Matroska Shell Extension, Context Menu CLSID"
\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Create ISO Image from directory\(Default) = "{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}"
-> {HKLM...CLSID} = "CISORecorderContextMenu Object"
\InProcServer32\(Default) = "C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
StuffIt Compress Menu\(Default) = "{3FBFD0B0-EB46-4797-9101-615610E87DA6}"
-> {HKLM...CLSID} = "StuffIt Compress Menu"
\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_SZ) 0
{unrecognized setting}

"NoInstrumentation" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

"VerboseStatus" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\emachines.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\web\wallpaper\emachines.bmp"


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{57F02779-3D88-4958-8AD3-83C12D86ADC7}"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{57F02779-3D88-4958-8AD3-83C12D86ADC7}"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{74966D20-B75C-43A0-98C7-DA4A60767175}"
-> {HKLM...CLSID} = "Echoirlp"
\InProcServer32\(Default) = "C:\Program Files\Echoirlp Toolbar\Echoirlp.dll" ["HamBar"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
"{74966D20-B75C-43A0-98C7-DA4A60767175}" = (no title provided)
-> {HKLM...CLSID} = "Echoirlp"
\InProcServer32\(Default) = "C:\Program Files\Echoirlp Toolbar\Echoirlp.dll" ["HamBar"]
"{57F02779-3D88-4958-8AD3-83C12D86ADC7}" = (no title provided)
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{74966D20-B75C-43A0-98C7-DA4A60767175}\(Default) = "Echoirlp"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Echoirlp Toolbar\Echoirlp.dll" ["HamBar"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"

{57F02779-3D88-4958-8AD3-83C12D86ADC7}\
"ButtonText" = "Advanced Searchbar"
"MenuText" = "Advanced Searchbar"
"CLSIDExtension" = "{57F02779-3D88-4958-8AD3-83C12D86ADC7}"
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FDED5795-690D-4609-AF10-3441BE9A2AAD}\
"ButtonText" = "Toggle Echoirlp toolbar"
"MenuText" = "&Echoirlp toolbar"


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
<<H>> "{57F02779-3D88-4958-8AD3-83C12D86ADC7}" = (no title provided)
-> {HKLM...CLSID} = "Advanced Searchbar"
\InProcServer32\(Default) = "C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll" ["Advanced Search Technologies, Inc"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
COMODO Firewall Pro Helper Service, cmdAgent, ""C:\Program Files\COMODO\Firewall\cmdagent.exe"" ["COMODO"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6253\SAService.exe" ["McAfee, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-02-19 18:06:50)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 72 seconds, including 9 seconds for message boxes)

#34 nasdaq

Posted 19 February 2008 - 08:50 PM

Open these files with NotePad and let me see the contents.

54694_291920.ini
log.ini

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#35 ZuluMan

Posted 20 February 2008 - 10:20 PM

54694_291920.ini

[Roll1]
IMG000.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG001.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG002.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG003.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG004.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG005.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG006.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG007.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG008.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG009.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG010.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG011.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG012.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG013.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG014.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG015.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG016.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG017.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG018.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG019.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG020.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG021.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG022.JPG=0,0,0,0,0,0,90,0;100;0,0;0
IMG023.JPG=0,0,0,0,0,0,90,0;100;0,0;0
IMG024.JPG=0,0,0,0,0,0,0,0;100;0,0;0
IMG025.JPG=0,0,0,0,0,0,0,0;100;0,0;0


log.ini

[Config]
_LastLogIdx=4D43524701000000040000000400000001000000575B66A28371438B6AADFB79A673
A7322C
LastLogIdx=CA28C2B064

#36 nasdaq

Posted 21 February 2008 - 09:46 AM

Nothing interesting found.

I can only see one option to stop the prompt to install ChromaPix SSTV Workstation: that is to remove it and reinstall.

I googled ChromaPix SSTV and found this interesting site.

http://72.14.205.104...lang_en|lang_fr

Good instructions on how to reinstall, contact, even order the installation CD if you need it.

Sorry I was not able to help you in your endeavour.
nasdaq


#37 ZuluMan

Posted 22 February 2008 - 10:29 AM

Well nasdaq, thanks for everything!! :thumbup:

Since I'm not going to use this machine in my radio pursuits anymore I just deleted ChromaPix; after using CCleaner to remove all traces of the program, the Installer still pops up. And the System Restore problem is still there as outlined in a previous post.

Looks like I'll have to reinstall Windows anyway to get this fool machine back to proper working order, so can you help me do that without having to reinstall all my applications? I can't reboot into Safe Mode (the virus took care of that :grrr: ), looks like I can't install the Recovery Console (as described in a previous post) and my reinstallation disk unfortunately doesn't have a Repair Install option but does have 2 other options:

  • Full System Restore (Destructive) - reformats the hard drive and restores the system software (will delete all data files).

  • Full system Restore with Backup - moves the contents of the hard drive to the C:\My Backup folder and installs a new copy of Windows XP (saves existing data files, but all applications must be reinstalled and the program settings reconfigured).

Is there a program I can download that will let me save all my applications and settings and then after I reinstall Windows use it to reinstall them as well without having to manually reinstall them ( I don't have all the installation files for my programs :weep: )?

If you'd rather me start another topic for this let me know.

Edited by ZuluMan, 22 February 2008 - 10:33 AM.


#38 nasdaq

Posted 22 February 2008 - 12:56 PM

"I can't reboot into Safe Mode"


See if Combofix can restore your Safe Boot.

Delete your current copy of Combofix.exe

Download the latest version.

When installed on your Desktop.

Download & run this tool > SafeBootKeyRepair-CF
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply
*/*

"Full system Restore with Backup - moves the contents of the hard drive to the C:\My Backup folder and installs a new copy of Windows XP (saves existing data files, but all applications must be reinstalled and the program settings reconfigured).

"Is there a program I can download that will let me save all my applications and settings and then after I reinstall Windows use it to reinstall them as well without having to manually reinstall them ( I don't have all the installation files for my programs )?"


Unfortunately No!

These programs are embedded in the Registry and must be reinstalled.
nasdaq


#39 ZuluMan

Posted 22 February 2008 - 07:19 PM

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC

#40 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,276 posts

Posted 23 February 2008 - 09:16 AM

That looks good.

Do you have your Safe Boot back?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#41 ZuluMan

ZuluMan

    Member

  • Full Member
  • 65 posts

Posted 23 February 2008 - 06:48 PM

I have the Safe Boot option now, but only in Safe Boot with networking. Safe Boot and Safe Boot with command prompt will only go so far and then the machine hangs up (I have to turn the machine off and then back on after a time by using the switch on my power strip :gah: ). I ran AVG Anti Virus, AVG Anti Spyware, Ad-Aware 2007 and Spybot Search And Destroy yesterday as I now will start doing once a week for maintenance purposes. Spybot S&D found 2 registry entries that were bogus (something about systemlockdown and Win32.Bagel if I remember correctly :scratchhead: ). Wish I had made a note of exactly what they were and where so I could have told you exactly. :grrr: The System Restore problem is still there. As I told you in a previous post about my reinstallation disk saying it had to reinstall System Restore before it could reinstall Windows. Could I just let the reinstall disk install System Restore and then stop it after it has finished? :unsure:

About the Internet Explorer favorites icon thing: is there a way to maybe delete IE and then download and install it again?
Would that fix it? :unsure: I just deleted Opera completely and tried FavOrg again, but it did no good. :weep: It did stop the Opera icons from being displayed, but they're like a generic icon instead of the ones it should have.

Edited by ZuluMan, 24 February 2008 - 07:52 AM.


#42 nasdaq

Posted 24 February 2008 - 08:38 AM

> Spybot S&D found 2 registry entries that were bogus (something about systemlockdown and Win32.Bagel if I remember correctly ). Wish I had made a note of exactly what they were and where so I could have told you exactly.


Make a note next time you run S&D and let me know.


> The System Restore problem is still there.
> As I told you in a previous post about my reinstallation disk saying it had to reinstall System Restore before it could reinstall Windows. Could I just let the reinstall disk install System Restore and then stop it after it has finished?


I think going that route is playing with fire.

Found these two additional links. They may help you get this running.

Solutions to system restore problems.
http://bertk.mvps.org/html/srfail.html
http://bertk.mvps.org/html/tips.html

*/*

Repair Internet Explorer 7.

How to perform a repair installation of Windows XP if Internet Explorer 7 is installed
http://support.microsoft.com/kb/917964

Keep me posted.
nasdaq


#43 ZuluMan

Posted 26 February 2008 - 07:43 PM

I reinstalled System Restore, I created a restore point called "test" as discussed on one of the sites you suggested I visit and System Restore restored to that point, but I'm not convinced that something is not deleting all restore points :unsure: . If the restore point is still there tomorrow only then will I believe it's OK. I will run Spybot S&D again to see if those 2 bogus registry entries come back; I now remember on a previous run Spybot found the same entries and I thought they were deleted then.

I can't seem to delete IE 7. I used a method described in a Windows XP reference mag I got a few years back showing how you can delete IE and Messenger by opening Explorer, navigating to Windows\INF and editing this line in sysoc.inf:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

After removing "hide" and the trailing comma, and saving the file, IE and Messenger will show up in the Windows portion of Add/Remove Programs, allowing you to delete them. IE did show up but did not get deleted.

#44 nasdaq

Posted 27 February 2008 - 07:28 AM

> I will run Spybot S&D again to see if those 2 bogus registry entries come back; I now remember on a previous run Spybot found the same entries and I thought they were deleted then.


You may have to remove S&D with the Add/Remove programs tools. Fix the items and reinstall S&D.
nasdaq


#45 ZuluMan

Posted 27 February 2008 - 12:00 PM

I deleted Spybot S&D and still can't delete IE. The System Restore point I created yesterday is not there now. I reinstalled a newer version of Spybot S&D, ran it and found no problems.

#46 nasdaq

Posted 27 February 2008 - 01:26 PM

Can this be the issue?

System Restore "restore points" are missing or deleted

http://support.microsoft.com/kb/301224
nasdaq


#47 ZuluMan

Posted 28 February 2008 - 08:39 PM

I looked at that link you gave me: my D:\RECOVERY partition had a system backup on it that I did about 2 months ago. It was 2.38Gb and it filled all the available space on the partition. I have deleted it and think that will solve the System Restore problem! :thumbup:

Now the only problems are the Installer popup and the IE favorites icon problem; these seem to be rather stubborn. I still can't delete IE as you suggested so I can reinstall it. :(

Edited by ZuluMan, 28 February 2008 - 08:48 PM.


#48 nasdaq

Posted 29 February 2008 - 09:43 AM

IE favorites icon problem

If you go to one of your favorites and open the link.

Then save it. Is the IE Icon now the default?
That may be the only way to get them all back if I.E. cannot be reinstalled.

Not being able to remove IE 7 may be the cause that you are prompted with the installation popups.
The installation was not completed normally and until it is you will get prompted.
nasdaq


#49 ZuluMan

Posted 29 February 2008 - 02:50 PM

Clicking on a favorite and then saving it doesn't work. At least after deleting and then reinstalling Opera stopped all the icons from displaying the Opera icon; now they're all just the "E" icon. Could I download and then reinstall IE over what I have?

#50 nasdaq

Posted 01 March 2008 - 09:20 AM

Make a restore point first.

Then try to reinstall...
nasdaq




