sweeneyj7th (Honorary Members) - 22 posts - Reputation: 0 Neutral
  1. Many thanks Kevin. Will do. Goodbye. Sweeneyj7th. Final post.
  2. Had to use Windows Search to dig up the repair logs:

     Tweaking.com - Windows Repair Change Log.

     v1.9.2
     Per user request the main repair window is now resizable.
     Added 11 new file association repairs. What makes these repairs different than just clicking a reg file is on Vista and newer some of the keys are locked. Since the program runs the repairs under the system account these repairs have access to those locked keys.
     Added a "Tips" button that loads a page on the site with some tips on which repairs to run and tricks you can do with the program.
     Changed the list in the program to a treeview.
     I have some repairs unchecked by default now instead of all repairs checked.
     Many code changes.

     v1.9.1
     Changes to the user interface.

     v1.9.0
     Minor interface changes.
     Program now pulls the information of each repair from a txt file instead of being directly in the program.
     Added the BITS service to the Repair Windows Updates.
     Added the wuauserv service to the Repair Windows Updates.
     Added a few more things to the Repair Windows Updates.
     Added more support for Windows 8 repairs.
     Added more dll files to the register system files repair.
     Added new repair - "Repair Windows Safe Mode". This will put the default reg keys in order to boot into safe mode. Some viruses remove these reg keys. This will simply put the defaults back and allow safe mode to boot again.
     Added more to the "Remove Policies Set By Infections" repair.
     Multiple code changes and improvements.

     v1.8.0
     Replaced Erunt registry backup with Tweaking.com - Registry Backup.
     Some new viruses have been adding programs to the Image File Execution Options in the registry, keeping those programs from running. I have added 773 more items to the Remove Policies Set By Infections.
     Added new repair "Repair Windows Snipping Tool". This will run on Vista or newer and replace the reg keys needed for the snipping tool.
     Added new repair "Repair .lnk (Shortcuts) File Association". This will run on Vista or newer.
     Updated the "Repair CD/DVD Missing/Not Working" to see if iTunes is running (looks for whether ituneshelper.exe is running). If it is, it puts the iTunes "UpperFilters" for the CD/DVD-ROM drive so iTunes won't give the error "Warning the registry setting used for importing CD are missing". More info here http://support.apple.com/kb/TS2372?viewlocale=en_US
     Multiple code improvements.

     v1.7.5
     Improved operating system detection code. What does this mean? Some repairs need to know what version of Windows it is running on to run the correct code. The program used WMI to pull this info. But if WMI was broken it didn't pull the info. I now have it use the Windows API to pull the Windows version, and if for any reason it fails it will fall back to using WMI to pull the info.

     v1.7.4
     The program is now Terminal Server aware. When you ran the program on a Windows server that had Terminal Services installed the Windows API returned the wrong path to the Windows dir. This is now fixed.

     v1.7.3
     Updated the Repair Windows Firewall. It now restores the reg keys for the BFE, MPSSVC and WSCSVC services. Before it only put back the shared access service, which in XP is all the firewall needed. But in Vista and 7 it required more services. They are now part of the repair :-)

     v1.7.2
     Small bug fixes to the log creation of the program.
     I have removed the 3 options "Basic", "Advanced" and "Custom" before you start the repairs. Nearly all users that I have talked to, and myself included, always choose custom anyway. No need for these other options and they have been removed. Should cut down on the confusion for new users on which to use.
     New interface changes to the repair window in the program.
     Added "Always On Top" option for the repair window.
     Added a minimize button to the repair window. With the always on top option, if something opens behind the window and the user needs to get to it they can now minimize the window.
     Added a minimize button to the main window in the program for the heck of it :-)
     Code improvements.

     v1.7.1
     Updated the Repair WMI to better handle the commands needed for the different versions of Windows. While the WMI repair works great on XP, Vista and 7 it didn't work correctly on 2003, thus breaking WMI. I have added the commands needed to have it run properly on 2003 :-)

     v1.7.0
     Small improvements to a few repairs.
     Better support when running the program through a script. I have a good amount of repair shops that use this repair tool. Some like to run the repair tool with the silent command and from a script in a bat file. The old version of the program would close any cmd.exe window before running the repairs. This of course defeated the purpose of running through a script. So I have changed the way the program waits for a repair to finish. Instead of waiting for cmd.exe to close, each repair will now make a file. When the repair is finished it will delete the file, then the program will know to move on to the next repair.
     I now have the cmd.exe windows change to a gray background with black text. This way when running the program through a script you will know which cmd.exe window belongs to the Windows repair :-)
     The program will now save any errors from the repairs into a txt file on the Windows drive in a folder. Example: "C:\Tweaking.com_Windows_Repair_Logs\" Multiple log files are made for the permission repairs. This is because the MS tool doesn't append to the log file, so a new file has to be made for each section. Since this could create a fair amount of log files I have the program clean up any empty log files after the repairs are run.

     v1.6.5
     Program detects if you are running in safe mode and warns that some repairs may not work in safe mode. I have also made a few changes for all repairs to run better in safe mode. No guarantees but should definitely run better in safe mode than it has before.
     Per user request you can now choose to restart or shutdown the computer after repairs.
     I have the repair window resized to 750 x 550 pixels (now bigger than before). This is the max size to fit on the screen in safe mode which is normally 800 x 600.

     v1.6.4
     Add ERUNT Registry backup tools. This is another option to backup the system registry before doing repairs. Also very helpful when a user's system restore isn't working properly.

     v1.6.3
     Major improvement for the Reset File Permissions repair. On Vista and newer the repair would allow access to folders Windows normally blocked, such as "C:\ProgramData\Application Data". Normally with this folder you would get an access denied. After you ran the reset file permissions repair you could access it. The side effect was that this folder points back to the C:\ProgramData folder. So it made an endless loop! The repair now checks if you're on anything newer than XP. If you are then it runs a batch of commands after the repair that puts back the deny permissions on all the folders that are supposed to be blocked. This stops that endless loop from happening. 46 folders total. :-)

     v1.6.2
     Per user request I have added a silent command option to the program. Set the options in the setting.ini file and run the program with /silent. The program will run in custom mode running the repairs set in the settings and then close itself. Will even reboot when done if set in the settings. (Perfect option for my fellow network admins) :-)
     Small code changes.

     v1.6.1
     Added new repair "Repair Missing Start Menu Icons Removed By Infections". This repair will put back the missing icons in the start menu, quick launch, and desktop that are moved by a rogue virus.

     v1.6.0
     Added new repair "Repair MSI (Windows Installer)".
     Added exe fix (when a virus hijacks the exe section in the registry) to the "Remove Policies Set By Infections" repair.
     Improved "Repair Windows Updates".
     Small interface changes.

     v1.5.8
     Bug Fix: I found a very odd bug where some of the repairs were not working right. All repairs run under the system account (because of the trusted installer in Vista and newer). For some reason the repairs that set registry keys by a .reg file and with regedit would run but the changes wouldn't take. The fix was to have those repairs run as the logged in account. Still scratching my head on that one, but at least now they work again :-D
     Bug Fix: The repair Windows firewall wasn't running all the repairs needed for it. This has now been fixed.
     The Reset File Permissions now skips the "Users" folder in Vista and newer and "Documents and Settings". The reason for this is in Vista and newer there is a bug where if the file permissions are changed in the user profile then Windows thinks the file is shared when it isn't and you get a shared icon on it. More information is here http://www.tweaking.com/forums/index.php/topic,69.0.html
     Small code improvements.

     v1.5.7
     Changed Windows Image Acquisition (WIA) from "stisvc start= demand" to "stisvc start= auto" in the Windows services repair.

     v1.5.6
     The "Remove Policies Set By Infections" repair wasn't working properly. The commands were deleting the reg file before it had been applied. I added the start /wait command to the regedit. "Remove Policies Set By Infections" now works correctly :-)

     v1.5.5
     Removed "WwanSvc start= demand" from the Windows services repair.
     The program no longer defaults to the C:\ for repairs. The program now looks at the location of the Windows dir and uses the drive that Windows is on.

     v1.5.4
     On users' machines whose "Path" variable was corrupt none of the repairs would work. To fix this I have added "set path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem" to all the repairs. Now on users' systems with a corrupt "path" variable the repairs will still work properly :-)

     v1.5.3
     Changed 4 service defaults from manual to auto in the set services to default startup repair: Media Center Receiver Service, Media Center Scheduler Service, Windows Media Center Service Launcher and Windows Media Player Network Sharing Service.
     Removed Panda Cloud Antivirus from the program and put Avast as a recommendation (Step 2 Window).
     Added ComboFix to the recommendation page (Step 2 Window).

     v1.5.2
     Interface changes.

     v1.5.1
     Black Viper's site listed the Windows 7 wireless service startup state as manual. But when it is set to manual it will not start and thus the user has no wireless. I have updated the services startup repair tool to put the wireless to auto instead of manual.

     v1.5.0
     Added a new repair "Set Windows Services To Default Startup". (Currently 194 services) This will set the Windows services to their default startup state. Special thanks to http://www.blackviper.com/ for having all the default information handy. This will set the services startup by the "sc config" command and not by the registry. The information on the repair in the program lists all the services that are set.

     1.4.3
     The new setup file for the program was missing some of the repair files it needed. The setup has been updated and I made this new version so people who downloaded the last version will update and get the rest of the files they need.

     1.4.2
     Removed moving arrow from the repair window. Since the list of repairs is growing and the list is scrollable the arrow didn't work well.
     In a past update I removed the custom buttons because they would cause the program to crash. The program then used the default old ugly buttons. I have made a new button control and updated the buttons so they look better, and it doesn't cause the program to crash like the old ones.
     Program now asks the user if they want to create a restore point before doing repairs if they didn't have the program create one.
     The program now comes in a setup program and the portable version. The new setup is larger because it contains the VB6 SP6 runtimes the program needs in case they are corrupt on the system that is being repaired.
     More code tweaks and changes.

     v1.4.1
     Added more files to the register system files repair that will fix "Class not registered" when trying to open a .mmc file. Such as Task Scheduler, Device Manager, Computer Management and more.
     Program now starts the Windows Sidebar after the Windows Sidebar repair.
     Removed the security zones in IE being reset with the sidebar repair.
     More code tweaks and improvements.

     v1.4.0
     Removed the custom buttons from the program. It was causing the program to crash on some systems. Program is meant to repair, not look pretty, so ugly standard safe buttons it is :-)
     Add new repair "Repair Windows Sidebar/Gadgets".
     Changed the window size of the repair window, making it smaller and easier to fit on screen for smaller resolutions.
     More code tweaks.

     v1.3.1
     Minor GUI and code tweaks.

     v1.3.0
     If you ran an older version of this repair program and it caused problems on your system, download and run this version and it will fix any problems it caused :-)
     Added new repair "Repair Volume Shadow Copy Service".
     Major update to the program making it safer and better at repairs. Make sure to use this new version and not the old versions.

     v1.2.0
     Per user request - Added a new repair "Repair CD/DVD Missing/Not Working".
     Fixed bug where when repairing WMI the WMI tester would open and the program wouldn't move forward till the WMI tester was closed. Most users didn't know to close this. I have made the program now look for and close the WMI tester if it pops up during the WMI repair.

     v1.1.1
     Removed some files from the Register System Files repair. While this repair worked great on a lot of systems, on a few it would create more problems. The repair now has a much smaller list of only known good files to register.
     Updated Repair IE section.
     Updated Repair MDAC section.

     v1.1.0
     Major changes to how the program launches the repairs. It now shows the command window doing the repair in the task bar. Also should work better with the UAC enabled and running the commands as administrator. This will also keep the program from not responding during repairs.
     Updated the file permissions repair to include Everyone and Users full rights. It used to do just Administrators & System. But on some machines they needed more to get things working right again. This should fix that.
     Replaced some of the controls in the program so the program & zip file is smaller in size.

     v1.0.2
     Fixed bug in Repair WMI (hopefully got it this time).
     Added link to help fix any problems someone might have with the file permissions repair.

     v1.0.1
     Fixed bug in Repair WMI.
     GUI changes.

     v1.0.0
     First Release

     End.

     You have brought me a long way, Kevin. Couldn't be happier. For all practical purposes, the error (1290) I referred to is now immaterial. Initial complaint re my Firewall is resolved. Very grateful.
  3. Suggestions done. Machine running smoothly. Just a little worry about that error: 1290:0x50a. I was reading it may be related to drivers and some kind of incompatibility. I yield to your expert judgment on this Kevin, as to whether we pursue this or not. Sweeneyj
  4. Presto Kevin, Security Centre is back. Start type: manual. Service status: stopped. When I pressed start to enable the service I got the following: "Could not start security centre on local computer. Error: 1290:0x50a." But the Firewall can be switched on & off now. As I said earlier, there are no other apparent issues with the machine apart from this serious one. Over to Kevin. Sweeneyj
  5. Re the windows security alert, it said, quote: "windows firewall has blocked certain features" of DSH, so I was hopeful problem solved, but attempts to restart the firewall were fruitless. Remote Procedure Call is started, type is automatic. Security Center is missing! Not there at all. RPC is started, type automatic (RPC Locator - manual, also started). WMI is started and set to automatic.
  6. Sorry for the delay Kevin. I just received a windows security alert asking for permission to 1. keep blocking, 2. unblock or 3. tell me later, for a site called DSH, Digital Stream Hub. The alert says windows firewall has blocked certain features of DSH. At first I opted for 3 (tell me later) but after Googling, I didn't think DSH was that essential so I gave permission to Block. But the initial error re the security center service being unavailable still stands, and I cannot start Firewall yet.
  7. Hi Kevin, Here is the 2nd FSS log:

     Farbar Service Scanner Version: 10-12-2012
     Ran by HP_Administrator (administrator) on 16-12-2012 at 17:27:20
     Running from "C:\Documents and Settings\HP_Administrator\Desktop"
     Microsoft Windows XP Service Pack 3 (X86)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Security Center:
     ============
     wscsvc Service is not running. Checking service configuration:
     The start type of wscsvc service is OK.
     The ImagePath of wscsvc service is OK.
     The ServiceDll of wscsvc service is OK.

     Windows Update:
     ============

     Windows Autoupdate Disabled Policy:
     ============================

     File Check:
     ========
     C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
     C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
     C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
     C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
     C:\WINDOWS\system32\netman.dll => MD5 is legit
     C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     C:\WINDOWS\system32\srsvc.dll => MD5 is legit
     C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
     C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
     C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
     C:\WINDOWS\system32\qmgr.dll => MD5 is legit
     C:\WINDOWS\system32\es.dll => MD5 is legit
     C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
     C:\WINDOWS\system32\svchost.exe => MD5 is legit
     C:\WINDOWS\system32\rpcss.dll => MD5 is legit
     C:\WINDOWS\system32\services.exe => MD5 is legit

     Extra List:
     =======
     Avgtdix(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 0x080000000400000001000000020000000300000008000000050000000600000007000000
     IpSec Tag value is correct.

     **** End of log ****
  8. Thanks for taking my case Kevin. Here is the Farbar report:

     Ran by HP_Administrator (administrator) on 16-12-2012 at 16:01:33
     Running from "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\4BW0YEZS"
     Microsoft Windows XP Service Pack 3 (X86)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     sharedaccess Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
     Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
     Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Security Center:
     ============
     wscsvc Service is not running. Checking service configuration:
     The start type of wscsvc service is OK.
     The ImagePath of wscsvc service is OK.
     The ServiceDll of wscsvc service is OK.

     Windows Update:
     ============
     wuauserv Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
     Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

     BITS Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
     Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

     Windows Autoupdate Disabled Policy:
     ============================

     File Check:
     ========
     C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
     C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
     C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
     C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
     C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
     C:\WINDOWS\system32\netman.dll => MD5 is legit
     C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     C:\WINDOWS\system32\srsvc.dll => MD5 is legit
     C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
     C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
     C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
     C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
     C:\WINDOWS\system32\qmgr.dll => MD5 is legit
     C:\WINDOWS\system32\es.dll => MD5 is legit
     C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
     C:\WINDOWS\system32\svchost.exe => MD5 is legit
     C:\WINDOWS\system32\rpcss.dll => MD5 is legit
     C:\WINDOWS\system32\services.exe => MD5 is legit

     Extra List:
     =======
     Avgtdix(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 0x080000000400000001000000020000000300000008000000050000000600000007000000
     IpSec Tag value is correct.

     **** End of log ****
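As an added illustration (not part of the thread and not Farbar's tooling): a small Python triage script for FSS output like the logs above. It separates a service that is merely stopped with its configuration intact (wscsvc) from services whose registration has been removed from the registry (sharedaccess, wuauserv, BITS), which is what the first log shows and why the keys had to be recreated rather than the services simply started. The embedded log is a constructed, abridged copy of those lines and the function names are my own.

```python
"""Triage a Farbar Service Scanner (FSS) log.

Separates services that are merely stopped from services whose registry
registration (start type, ImagePath, ServiceDll, LEGACY_* key) has been
removed, the damage pattern the thread's first FSS log shows for the
Windows Firewall (sharedaccess), Windows Update (wuauserv) and BITS.
"""
import re

# Constructed sample, abridged from the FSS output quoted in the thread.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
"""

# "<name> Service is not running." opens a service's block of checks.
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
# Two shapes FSS uses for a missing registration:
#   "Unable to retrieve ImagePath of sharedaccess. The value does not exist."
#   "Unable to open LEGACY_BITS\0000 registry key. The key does not exist."
MISSING = re.compile(r"Unable to (?:retrieve .+? of (\S+?)\.|open (\S+?) registry key)")
# "<path> => MD5 is legit" lines from the File Check section.
FILE_CHECK = re.compile(r"^(\S.*?) => MD5 is (.+)$")


def _service_from_finding(match):
    """Map a finding to its service name (LEGACY_ prefix and instance suffix stripped)."""
    name = match.group(1) or match.group(2)
    if name.startswith("LEGACY_"):
        name = name[len("LEGACY_"):]
    return name.split("\\")[0]


def triage_fss(log_text):
    """Return (services, files).

    services: {name: {"running": False|None, "findings": [...], "verdict": str}}
    files:    {"legit": [paths], "suspect": [paths]}
    """
    services = {}
    files = {"legit": [], "suspect": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            services.setdefault(m.group(1), {"running": False, "findings": []})
            continue
        m = MISSING.search(line)
        if m:
            name = _service_from_finding(m)
            # FSS writes "BITS" on one line and "LEGACY_BITS" on another;
            # fold case so both land on the same record.
            key = next((k for k in services if k.lower() == name.lower()), name)
            rec = services.setdefault(key, {"running": None, "findings": []})
            rec["findings"].append(m.group(0))
            continue
        m = FILE_CHECK.match(line)
        if m:
            bucket = "legit" if m.group(2).strip() == "legit" else "suspect"
            files[bucket].append(m.group(1))
    for rec in services.values():
        # A stopped service with intact keys can simply be started; one with
        # missing keys has to be re-registered, which is what the repair did.
        rec["verdict"] = "registration missing" if rec["findings"] else "stopped, config intact"
    return services, files


def broken_services(log_text):
    """Names of services whose registration FSS could not read."""
    services, _ = triage_fss(log_text)
    return sorted(n for n, r in services.items() if r["verdict"] == "registration missing")


if __name__ == "__main__":
    svcs, files = triage_fss(SAMPLE_FSS_LOG)
    for name, rec in svcs.items():
        print(f"{name:14} {rec['verdict']:22} findings={len(rec['findings'])}")
    print("files checked:", len(files["legit"]), "legit,", len(files["suspect"]), "suspect")
```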
  9. A routine scan using the free version of MBAM found and deleted trojan.agent one week ago. An immediate check on my firewall got the following response (error): "the security center is currently unavailable because the security center service has not started or was stopped". I didn't tamper with the firewall at all, and I have not been able to enable the firewall for a week now. Windows Update is OK. Have tried worthwhile suggestions offered by Microsoft MVPs related to wscfix and wscsvc, but to no avail. The computer functions normally otherwise, but I have to disconnect from the internet most of the time for obvious reasons. Would greatly appreciate some advice from this respected forum. Many thanks in advance. Sweeneyj7th
  11. ComboFix uninstall done. Preventive maintenance done and ongoing. My utmost gratitude to you. Sweeneyj7th.
  12. It's not MrC's expertise that amazes me. That's a given. It's his patience and calm demeanor. What can I say after the joy of recapturing my PC following 4 long months of frustration. God Bless.

      MrCharlie replied: Thank You Very Much...MrC
  13. PC is much faster, more responsive. Must re-activate my Paypal a/c. Very grateful. Sweeneyj7th.
  14. Please pardon the delay in getting back to you. ComboFix Report: ComboFix 12-05-14.03 - HP_Administrator 14/05/2012 22:54:48.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.231 [GMT -4:00]
2012-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 10:16] . 2011-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50] . 2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1010.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3647030426-3136926754-3856547561-1012.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-05-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2011-12-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1010.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-05-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3647030426-3136926754-3856547561-1012.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-05-15 c:\windows\Tasks\User_Feed_Synchronization-{14492628-A2DC-4C86-AA41-7E4CA304E837}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ------- Supplementary Scan ------- . 
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 Trusted Zone: mbamupdates.com\data-cdn Trusted Zone: msn.com\www.msnbc Trusted Zone: trymedia.com TCP: DhcpNameServer = 192.168.1.1 192.168.0.1 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file) Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file) HKLM-Run-PCDrProfiler - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-05-14 23:12 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\]*‘|€_t] "DisplayName"="?" "DeviceDesc"="?" "ProviderName"="" "MFG"="????ª" "ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\]???\\DriverFiles\\.INF" "DeviceInstanceIds"=multi:"\0c\00" . --------------------- DLLs Loaded Under Running Processes --------------------- . 
- - - - - - - > 'winlogon.exe'(988) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(4264) c:\windows\system32\WININET.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll c:\windows\system32\ieframe.dll c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\hnetcfg.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2012-05-14 23:19:14 ComboFix-quarantined-files.txt 2012-05-15 03:19 . Pre-Run: 46,121,172,992 bytes free Post-Run: 46,101,991,424 bytes free . - - End Of File - - 49CB49FBF9FF05B43CB53C8D2A978223 Sweeneyj7th.