# pc running very slow, malware found



## 1wozk (May 6, 2008)

Hi, my PC is still running very slow after running Malwarebytes, which found some malware which was put in the virus vault, so I thought, but I'm still experiencing problems. I also ran AVG, which didn't pick anything up. I then used HijackThis, and the logs for all these are below.
thanks
warren
*LOGS*

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:07:08, on 08/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Disk Monitor] "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: http://www.worldwinner.com
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://uk.midas.games.yahoo.net/midasa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/bt/wbiw/bin/wizard.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48/brickout/brickout.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166606521953
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c9b3aee63047d8) (gupdate1c9b3aee63047d8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

--
End of file - 10370 bytes

avg log

"Scan ""Scan whole computer"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"04 April 2009, 21:41:25"
"Scan finished:";"04 April 2009, 22:59:54 (1 hour(s) 18 minute(s) 29 second(s))"
"Total object scanned:";"500255"
"User who launched the scan:";"warren keen"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat";"Found Tracking cookie.Mediaplex";"Healed"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\angela keen\Application Data\Opera\Opera\profile\cookies4.dat:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\mediaplex.com.323e9a10";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite";"Found Tracking cookie.Yieldmanager";"Healed"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\revsci.net.b8d48360";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Application Data\Mozilla\Firefox\Profiles\va529s2u.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt:\2o7.net.87f47d84";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"

malwarebytes log 1st scan

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 2

04/04/2009 20:43:06
mbam-log-2009-04-04 (20-43-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182175
Time elapsed: 57 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76f30661-76c7-48cd-b18e-64f388ae030b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014235.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014236.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014241.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014243.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014245.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014250.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014251.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014252.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014253.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014254.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014255.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014257.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014258.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014259.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014260.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014261.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014262.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014263.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014264.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014265.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014266.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014267.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP113\A0014268.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\f49f4daa.dat (Trojan.Koobface) -> Quarantined and deleted successfully.

malwarebytes 2nd scan

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

06/04/2009 05:56:13
mbam-log-2009-04-06 (05-56-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192822
Time elapsed: 1 hour(s), 19 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP125\A0016858.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7B0895D1-BDF9-4A3B-98CD-84F9D76DD6E5}\RP125\A0016859.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.


----------



## 1wozk (May 6, 2008)

*Hi, just to add to this: when I try to do a Windows update it fails every time.*


----------



## blitzkreig (Mar 6, 2009)

Ok,
Have you tried using SUPERAntiSpyware free edition?
If not, download this, run a scan and do a removal, i.e. if the program detects anything, duh..
You seem to have been infected with common adware and trojans


----------



## 1wozk (May 6, 2008)

Hi, I used SUPERAntiSpyware and the log is below; it found some spyware but nothing too serious. I also did a scan with FreeFixer and that log is below too.
thanks warren

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2009 at 08:47 AM

Application Version : 4.26.1000

Core Rules Database Version : 3834
Trace Rules Database Version: 1790

Scan type : Complete Scan
Total Scan Time : 02:05:49

Memory items scanned : 430
Memory threats detected : 0
Registry items scanned : 5597
Registry threats detected : 0
File items scanned : 114465
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][2].txt
C:\Documents and Settings\warren keen\Cookies\[email protected][1].txt

FreeFixer v0.37 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-04-08 08:07

BootExecute (1 whitelisted)
C:\WINDOWS\system32\stera.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)
C:\WINDOWS\system32\SsiEfr.exe (file is missing)

Winlogon Notify (9 whitelisted)
!SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
avgrsstarter - C:\WINDOWS\system32\avgrsstx.dll
dimsntfy - (no file specified)
WgaLogon - C:\WINDOWS\system32\WgaLogon.dll

Browser Helper Objects
{02478D38-C3F9-4EFB-9B51-7695ECA05670}, &Yahoo! Toolbar Helper, C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}, Adobe PDF Link Helper, C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{3049C3E9-B461-4BC5-8870-4C09146192CA}, RealPlayer Download and Record Plugin for Internet Explorer, C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}, AVG Safe Search, C:\Program Files\AVG\AVG8\avgssie.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}, UberButton Class, C:\Program Files\Yahoo!\Common\yiesrvc.dll
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}, YahooTaggedBM Class, C:\Program Files\Yahoo!\Common\YIeTagBm.dll
{A057A204-BACC-4D26-9990-79A187E2698E}, AVG Security Toolbar, C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
{AA58ED58-01DD-4d91-8333-CF10577473F7}, Google Toolbar Helper, C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}, Google Toolbar Notifier BHO, C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}, Google Dictionary Compression sdch, C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}, , No file specified
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program Files\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}, SidebarAutoLaunch Class, C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}, SingleInstance Class, C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll

Internet Explorer toolbars (2 whitelisted)
HKLM\..\Toolbar\Locked - - No file specified
HKLM\..\Toolbar\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
HKCU\..\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
HKCU\..\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049} - &Links - C:\WINDOWS\system32\ieframe.dll
HKCU\..\Toolbar\WebBrowser\{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
HKCU\..\Toolbar\WebBrowser\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - - No file specified
HKCU\..\Toolbar\WebBrowser\{71576546-354D-41C9-AAE8-31F2EC22BF0D} - - No file specified
HKCU\..\Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A} - - No file specified
HKCU\..\Toolbar\WebBrowser\ITBar7Height - - No file specified

Basic Internet Explorer settings
HKCU\..\Main, Start Page = http://www.yahoo.com/
HKLM\..\Main, Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
HKLM\..\Search, SearchAssistant = http://www.google.com/ie

Registry Startups (1 whitelisted)
HKLM\..\Run, LXCECATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
HKLM\..\Run, EzPrint = "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
HKLM\..\Run, Disk Monitor = "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe"
HKLM\..\Run, AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
HKLM\..\Run, Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKLM\..\Run, SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
HKLM\..\Run, SoundMan = SOUNDMAN.EXE
HKLM\..\Run, Logitech Utility = Logi_MwX.Exe
HKLM\..\Run, VTTimer = VTTimer.exe
HKCU\..\Run, DriverMax = "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent

Processes (16 whitelisted)
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\FreeFixer\freefixer.exe

Application modules (67 whitelisted)
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\iertutil.dll
C:\WINDOWS\system32\Normaliz.dll

Services (34 whitelisted)
avg8emc, AVG8 E-mail Scanner, c:\progra~1\avg\avg8\avgemc.exe
avg8wd, AVG8 WatchDog, c:\progra~1\avg\avg8\avgwdsvc.exe
Brother XP spl Service, BrSplService, c:\windows\system32\brsvc01a.exe
gupdate1c9b3aee63047d8, Google Update Service (gupdate1c9b3aee63047d8), c:\program files\google\update\googleupdate.exe
JavaQuickStarterService, Java Quick Starter, c:\program files\java\jre6\bin\jqs.exe

Shell services (4 whitelisted)
WPDShServiceObj, {AAA288BA-9A4C-45B0-95D7-94D524869DB5}, C:\WINDOWS\system32\WPDShServiceObj.dll

Drivers (27 whitelisted)
AvgLdx86, AVG AVI Loader Driver x86, C:\WINDOWS\system32\drivers\avgldx86.sys
AvgTdiX, AVG8 Network Redirector, C:\WINDOWS\system32\drivers\avgtdix.sys
PxHelp20, PxHelp20, C:\WINDOWS\system32\drivers\pxhelp20.sys
SASDIFSV, SASDIFSV, c:\program files\superantispyware\sasdifsv.sys
SASKUTIL, SASKUTIL, c:\program files\superantispyware\saskutil.sys
tmcomm, tmcomm, c:\windows\system32\drivers\tmcomm.sys
ubsbm, Unibrain 1394 SBM Driver, C:\WINDOWS\system32\drivers\ubsbm.sys
ubumapi, Unibrain 1394 FireAPI Driver, C:\WINDOWS\system32\drivers\ubumapi.sys
viaagp1, VIA AGP Filter, C:\WINDOWS\system32\drivers\viaagp1.sys
videX32, , C:\WINDOWS\system32\drivers\videx32.sys
WudfPf, Windows Driver Foundation - User-mode Driver Framework Platform Driver, C:\WINDOWS\system32\drivers\wudfpf.sys
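When a helper reads a listing like the one above, the first pass is mechanical: which autostart entries point at files that no longer exist (leftovers of a partial cleanup, or of something that was removed but left its registration behind), which BHOs have no name, and which Run values are a bare file name that Windows resolves through the search path instead of a full path. The script below is an added example of that triage pass; it is not code from the original post or from FreeFixer. `SAMPLE_LOG` is constructed from lines copied off this page, and the function and class names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FreeFixer-style listing in the post above.
SAMPLE_LOG = r"""
Winlogon Notify (9 whitelisted)
dimsntfy - (no file specified)
WgaLogon - C:\WINDOWS\system32\WgaLogon.dll

Browser Helper Objects
{02478D38-C3F9-4EFB-9B51-7695ECA05670}, &Yahoo! Toolbar Helper, C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}, , No file specified

Internet Explorer toolbars (2 whitelisted)
HKLM\..\Toolbar\Locked - - No file specified
HKLM\..\Toolbar\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
HKCU\..\Toolbar\WebBrowser\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - - No file specified
HKCU\..\Toolbar\WebBrowser\ITBar7Height - - No file specified

Registry Startups (1 whitelisted)
HKLM\..\Run, EzPrint = "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
HKLM\..\Run, AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
HKLM\..\Run, SoundMan = SOUNDMAN.EXE
HKCU\..\Run, DriverMax = "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
"""

SECTION_RE = re.compile(r"^(Winlogon Notify|Browser Helper Objects|Internet Explorer toolbars|Registry Startups)")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
MISSING_MARKERS = ("no file specified", "file is missing", "file not found")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def is_missing(path: str) -> bool:
    """True when the listing says the referenced file does not exist."""
    p = path.strip().lower()
    return p == "" or any(m in p for m in MISSING_MARKERS)


def executable_of(command: str) -> str:
    """Program path of a Run value: the quoted part if quoted, otherwise the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Winlogon Notify":
            name, path = (line.split(" - ", 1) + [""])[:2]
            if is_missing(path):
                findings.append(Finding(section, name, "points to a missing file"))
        elif section == "Browser Helper Objects":
            clsid, name, path = ([p.strip() for p in line.split(", ", 2)] + ["", ""])[:3]
            if is_missing(path):
                findings.append(Finding(section, clsid, "points to a missing file"))
            elif not name:
                findings.append(Finding(section, clsid, "unnamed BHO"))
        elif section == "Internet Explorer toolbars":
            key, name, path = ([p.strip() for p in line.split(" - ", 2)] + ["", ""])[:3]
            value = key.rsplit("\\", 1)[-1]
            if not GUID_RE.match(value):
                continue  # Locked / ITBar7Height are IE layout values, not toolbar CLSIDs
            if is_missing(path):
                findings.append(Finding(section, value, "points to a missing file"))
        elif section == "Registry Startups":
            _key, _, rest = line.partition(", ")
            name, _, command = rest.partition(" = ")
            if not command:
                continue
            exe = executable_of(command)
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding(section, name, f"bare file name {exe!r} is resolved via the search path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}: {f.reason}")
```

On the sample this reports the `dimsntfy` Winlogon entry, the unnamed BHO `{C920E44A-...}` (which the Bazooka log further down resolves to WOT.dll, so it is a different snapshot rather than malware), the orphaned toolbar `{4B3803EA-...}`, and `SoundMan`, whose value is just `SOUNDMAN.EXE`. A bare name is not evidence of infection on its own, which is why the output gives the reason rather than a verdict; it is a list of places to look, in the order a helper would look at them.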


----------



## WhitPhil (Oct 4, 2000)

I have asked that a Gold Shield step in and complete the disinfection exercise.


----------



## 1wozk (May 6, 2008)

Ok, thanks for your quick response, and I look forward to hopefully sorting this problem out.
warren


----------



## 1wozk (May 6, 2008)

Just to add more info on this matter, I am listing a log file from Bazooka below too. I have also highlighted in that log what Bazooka warns me about, which is the terror site.

****************************************
Bazooka Scanner v1.13.03
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
[email protected]
Log created 20:05:32.
OS: Windows NT 5.1
Database version: 3.300000
Database format version: 1.020000
Database date: 20071118
Current date: 2009-04-08 20:05

****************************************
Result when scanning:

*Exploit searchterror.com 344.777.002 c:\tmp.txt
c:\tmp.txt
http://www.kephyr.com/spywarescanner/library/exploit-searchterror.com/index.phtml*

****************************************
Auto start entries:

****************************************
Run entries:
LXCECATS rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LXCECATS

EzPrint "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\EzPrint

Disk Monitor "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Disk Monitor

AVG8_TRAY C:\PROGRA~1\AVG\AVG8\avgtray.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVG8_TRAY

Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher

SunJavaUpdateSched "C:\Program Files\Java\jre6\bin\jusched.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

SoundMan SOUNDMAN.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan

Logitech Utility Logi_MwX.Exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility

VTTimer VTTimer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VTTimer

DriverMax "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DriverMax

Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Browser helper objects:

{02478D38-C3F9-4EFB-9B51-7695ECA05670}	not set	C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	AcroIEHelperStub	C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}

{3049C3E9-B461-4BC5-8870-4C09146192CA}	not set	C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}	WormRadar.com IESiteBlocker.NavFilter	C:\Program Files\AVG\AVG8\avgssie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}	not set	C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}	not set	C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}

{A057A204-BACC-4D26-9990-79A187E2698E}	not set	C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}

{AA58ED58-01DD-4d91-8333-CF10577473F7}	not set	C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}	not set	C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}	Google Dictionary Compression sdch	C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}

{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}	not set	C:\Program Files\WOT\WOT.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}

{DBC80044-A445-435b-BC74-9C25C1C588A9}	not set	C:\Program Files\Java\jre6\bin\jp2ssv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}	JQSIEStartDetectorImpl	C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}

{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}	not set	C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}	not set	C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}

****************************************
Toolbars:

Locked	Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\Locked\InprocServer32

System error message: The system cannot find the file specified.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked

{EF99BD32-C1FB-11D2-892F-0090271D4F88}	C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

{01E04581-4EEE-11D0-BFE9-00AA005B4383}	C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383}	C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{EF99BD32-C1FB-11D2-892F-0090271D4F88}	C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

{2318C2B1-4965-11D4-9B18-009027A5CD4F}	C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

ITBar7Layout	Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\ITBar7Layout\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout

{F2CF5485-4E02-4F68-819C-B92DE9277049}	C:\WINDOWS\system32\ieframe.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049}

{A057A204-BACC-4D26-9990-79A187E2698E}	C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{A057A204-BACC-4D26-9990-79A187E2698E}

{C107F7A0-B489-11d2-B2FE-005004055BFB}	Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{C107F7A0-B489-11d2-B2FE-005004055BFB}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C107F7A0-B489-11d2-B2FE-005004055BFB}

{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}	C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

{EFA24E62-B078-11D0-89E4-00C04FC9E26E}	C:\WINDOWS\system32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

{EFA24E64-B078-11D0-89E4-00C04FC9E26E}	C:\WINDOWS\system32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}

****************************************
All processes:

[System Process]
System
SMSS.EXE
CSRSS.EXE
WINLOGON.EXE
SERVICES.EXE
LSASS.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
BRSVC01A.EXE
BRSS01A.EXE
SPOOLSV.EXE
AVGWDSVC.EXE
JQS.EXE
GoogleUpdate.exe
SVCHOST.EXE
AVGEMC.EXE
AVGRSX.EXE
AVGNSX.EXE
AVGCSRVX.EXE
EXPLORER.EXE
ALG.EXE
EZPRINT.EXE
Disk_Monitor.exe
AVGTRAY.EXE
JUSCHED.EXE
SOUNDMAN.EXE
VTTimer.exe
DEVICES.EXE
LXCECOMS.EXE
wuauclt.exe
FIREFOX.EXE
spywarescanner.exe

Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php

****************************************
Internet Explorer Settings:

Default_Page_URL http://uk.yahoo.com/?fr=fp-yie8
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Search Bar http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Search Page http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

Default_Search_URL http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\Default_Search_URL

SearchAssistant http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\

Default_Page_URL http://uk.yahoo.com/?fr=fp-yie8
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.yahoo.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Use Search Asst no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst

SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

****************************************


----------



## JSntgRvr (Jul 1, 2003)

Hi, *1wozk* 

Welcome.

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
Install the *Recovery Console* upon request.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## blitzkreig (Mar 6, 2009)

Hello 1wozk,
You know what, my PC was infected with malware too, but I decided to back up my important data onto another drive and I formatted my C partition. The speed is breathtaking, trust me.


----------



## 1wozk (May 6, 2008)

Hi, thanks for your response. I already have Malwarebytes and the log is above, as well as HijackThis. I am having a problem with ComboFix: my Windows cannot open it. It keeps saying it can't open it and asks if I want to search online to find something which will open it, so, if possible, do you know why it's not opening for me, please?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *1wozk* 

Download *OTScanit2.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanit2* on your desktop. *OTScanit2* can be detected as malware by your firewall and antivirus. Choose *Ignore* on any warning alert.

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
Leave all settings as they appear as default, except for the following:
Under *Drivers*, select *"All"*.
Under *Rootkit Search*, select *Yes*
Under *Additional Scan*, select the following:
Reg - ControlSets
Reg - Disabled MS Config Items
Reg - File Associations
Reg - Security Center Settings
Reg - Tcpip Persistent Routes


Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file.
Use the *Reply* button and attach the Notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## 1wozk (May 6, 2008)

Hi, I have followed your instructions, but when I try to post you the log it says it is too long.


----------



## 1wozk (May 6, 2008)

I am going to send you bits of the log so you get it.


----------



## 1wozk (May 6, 2008)

```
OTScanIt2 logfile created on: 09/04/2009 07:41:54 - Run 1
OTScanIt2 by OldTimer - Version 1.0.12.2     Folder = C:\Documents and Settings\warren keen\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.97 Gb Total Physical Memory | 1.60 Gb Available Physical Memory | 81.39% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3700 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.51 Gb Total Space | 44.09 Gb Free Space | 59.17% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OEM-V9ZGBAT0XF7
Current User Name: warren keen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
agentsvr.exe -> %SystemRoot%\msagent\AgentSvr.exe -> [2006/10/12 11:09:54 | 00,256,512 | ---- | M] (Microsoft Corporation)
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/04 21:38:26 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/04 21:38:26 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/04 21:38:18 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> %ProgramFiles%\AVG\AVG8\avgnsx.exe -> [2009/04/04 21:38:26 | 00,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/04/04 21:38:26 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/04 21:38:16 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
brss01a.exe -> %SystemRoot%\System32\brss01a.exe -> [2001/12/12 16:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd)
brsvc01a.exe -> %SystemRoot%\System32\brsvc01a.exe -> [2002/04/11 16:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
disk_monitor.exe -> %ProgramFiles%\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe -> [2003/06/18 10:57:40 | 00,466,944 | ---- | M] (Neodio Corp.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 11:23:08 | 01,033,216 | ---- | M] (Microsoft Corporation)
ezprint.exe -> %ProgramFiles%\Lexmark 4300 Series\ezprint.exe -> [2005/07/26 13:17:18 | 00,094,208 | ---- | M] (Lexmark International Inc.)
googleupdate.exe -> %ProgramFiles%\Google\Update\GoogleUpdate.exe -> [2009/04/02 17:19:42 | 00,133,104 | ---- | M] (Google Inc.)
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/07 10:51:56 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> %ProgramFiles%\Java\jre6\bin\jusched.exe -> [2009/04/07 10:51:56 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.)
lxcecoms.exe -> %SystemRoot%\system32\lxcecoms.exe -> [2005/07/06 11:14:12 | 00,471,040 | ---- | M] (Lexmark International, Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/08 13:39:08 | 00,493,568 | ---- | M] (OldTimer Tools)
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> [2007/04/16 15:28:22 | 00,577,536 | ---- | M] (Realtek Semiconductor Corp.)
vttimer.exe -> %SystemRoot%\system32\VTTimer.exe -> [2005/03/08 03:33:28 | 00,053,248 | ---- | M] (S3 Graphics, Inc.)
winword.exe -> %ProgramFiles%\Microsoft Office\Office\WINWORD.EXE -> [1999/03/17 22:38:10 | 08,798,260 | R--- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG8 E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/04 21:38:18 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/04 21:38:16 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running] -> %SystemRoot%\System32\brsvc01a.exe -> [2002/04/11 16:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(gupdate1c9b3aee63047d8) Google Update Service (gupdate1c9b3aee63047d8) [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Google\Update\GoogleUpdate.exe -> [2009/04/02 17:19:42 | 00,133,104 | ---- | M] (Google Inc.)
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/02/20 17:08:34 | 00,137,200 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 07:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/07 10:51:56 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(lxce_device) lxce_device [Win32_Own | On_Demand | Running] -> %SystemRoot%\system32\lxcecoms.exe -> [2005/07/06 11:14:12 | 00,471,040 | ---- | M] (Lexmark International, Inc.)
(uploadmgr) Upload Manager [Win32_Shared | Auto | Stopped] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 07:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation)
(WLSetupSvc) Windows Live Setup Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Live\installer\WLSetupSvc.exe -> [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
```


----------



## JSntgRvr (Jul 1, 2003)

Click on *Reply* then scroll down to *Manage Attachments*. *Browse* and *Upload* the report. Submit the reply.


----------



## 1wozk (May 6, 2008)

```
[Driver Services - All]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(ACPI) Microsoft ACPI Driver [Kernel | Boot | Running] -> %SystemRoot%\System32\DRIVERS\ACPI.sys -> [2004/08/04 06:07:38 | 00,187,776 | ---- | M] (Microsoft Corporation)
(ACPIEC) ACPIEC [Kernel | Disabled | Stopped] -> %SystemRoot%\System32\drivers\acpiec.sys -> [2001/08/18 20:00:00 | 00,011,648 | ---- | M] (Microsoft Corporation)
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(aec) Microsoft Kernel Acoustic Echo Canceller [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\aec.sys -> [2006/02/15 01:22:26 | 00,142,464 | ---- | M] (Microsoft Corporation)
(AFD) AFD Networking Support Environment [Kernel | System | Running] -> %SystemRoot%\System32\drivers\afd.sys -> [2008/08/14 10:51:44 | 00,138,368 | ---- | M] (Microsoft Corporation)
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(ALCXSENS) Service for WDM 3D Audio Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ALCXSENS.SYS -> [2003/09/23 09:03:00 | 00,404,736 | ---- | M] (Sensaura Ltd)
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ALCXWDM.SYS -> [2008/09/24 10:40:22 | 04,122,368 | R--- | M] (Realtek Semiconductor Corp.)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(AmdK7) AMD K7 Processor Driver [Kernel | System | Running] -> %SystemRoot%\System32\DRIVERS\amdk7.sys -> [2004/08/04 05:59:20 | 00,037,376 | ---- | M] (Microsoft Corporation)
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(Arp1394) 1394 ARP Client Protocol [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\arp1394.sys -> [2004/08/04 05:58:30 | 00,060,800 | ---- | M] (Microsoft Corporation)
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(AsyncMac) RAS Asynchronous Media Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\asyncmac.sys -> [2004/08/04 06:05:04 | 00,014,336 | ---- | M] (Microsoft Corporation)
(atapi) Standard IDE/ESDI Hard Disk Controller [Kernel | Boot | Running] -> %SystemRoot%\System32\DRIVERS\atapi.sys -> [2004/08/04 05:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation)
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(Atmarpc) ATM ARP Client Protocol [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\atmarpc.sys -> [2004/08/04 05:58:30 | 00,059,904 | ---- | M] (Microsoft Corporation)
(audstub) Audio Stub Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\audstub.sys -> [2001/08/17 13:59:44 | 00,003,072 | ---- | M] (Microsoft Corporation)
(AvgLdx86) AVG AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/04/04 21:38:26 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.)
```


----------



## 1wozk (May 6, 2008)

Hi, I think I have added the attachment for you.


----------



## 1wozk (May 6, 2008)

What do I do now, please? It's been a while since I posted the attachment for you.


----------



## 1wozk (May 6, 2008)

OK, thanks. I will keep a check on things to see if this matter has been updated.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *1wozk* 

It was past my bedtime last night.

There seem to be no issues in that report.

Please remove all copies of Combofix from your desktop, then follow these steps

Right click the *AVG* icon and click *Open*.

In the *Overview* panel click on *Resident Shield* > *Uncheck* the *Resident Shield Active* box > *Save Changes*. Run *Combofix* and post its report.

Please download the latest version of ComboFix from *Here* or *Here* to your Desktop.

Please, never rename Combofix unless instructed.
Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
Install the *Recovery Console* upon request.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***

Download *This file*. Note its name and save it to your root folder, such as C:\.


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on *this link* to see a list of programs that should be disabled.
Double-click on *the downloaded file* to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "*Yes*" to begin the scan.
If not prompted, click the "*Rootkit/Malware*" tab.
On the right-side, all items to be scanned should be checked by default _except_ for "Show All". Leave that box *unchecked*.
Select all drives that are connected to your system to be scanned.
Click the *Scan* button to begin. _(Please be patient as it can take some time to complete)_
When the scan is finished, click *Save* to save the scan results to your Desktop.
Save the file as *Results.log* and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.


----------



## 1wozk (May 6, 2008)

Hi, thanks for your help so far on this problem, and sorry if I did keep you up from sleeping last night.

I have followed all you quoted in your last reply and I am still having the same problem in trying to download ComboFix. Every time I try to download it, it opens lots of boxes saying Windows cannot open this file n.com. I have tried to download it many times but still no joy. I was successful in downloading the other program you wanted me to, which was called jbijxd35.exe. I have put the log for this below as well as the latest HijackThis log.
Hope this is of some use to you now. Also I'm still having the problem where I cannot do a Windows update, which is trying to download pack 3 for Windows and stops halfway through.

Thanks again
warren

*jbijxd35.exe log*

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-09 19:16:25
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\ubohci \Device\UBOHCI0 UB1394.SYS (ubCore® 1394 Class Driver (x86 XP/2003/Vista Rel)/Unibrain S.A.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\ubohci \Device\C1394 UB1394.SYS (ubCore® 1394 Class Driver (x86 XP/2003/Vista Rel)/Unibrain S.A.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] midimap.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] imaadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msg711.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msgsm32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] tssoft32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] iccvid.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] iyuv_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msrle32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msvidc32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] tsbyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msg723.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msh261.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] msaud32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_anet sl_anet.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] C:\WINDOWS\system32\l3codeca.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] ir41_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] iac25_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] ir50_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] jpegCode.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] jpegCode.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] VfWWDM32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] mpg4c32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] mpg4c32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] VfwECamC.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] lhacm.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\[email protected] rdpsnd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\[email protected] 22201
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\[email protected] msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\[email protected] 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\[email protected] midimap.dll

---- EOF - GMER 1.0.15 ----

*HijackThis log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:17, on 09/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Disk Monitor] "C:\Program Files\Generic\USB Card Reader Driver v1.9e3\Disk_Monitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: http://www.worldwinner.com
O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://uk.midas.games.yahoo.net/midasa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/bt/wbiw/bin/wizard.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166606521953
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c9b3aee63047d8) (gupdate1c9b3aee63047d8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9234 bytes


----------



## JSntgRvr (Jul 1, 2003)

Very strange.

Follow these steps:

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename *Combofix* to *Combo-Fix* as follows:

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *Combo-Fix.exe* & follow the prompts.
When finished, it will produce a report for you.
Please post the *"C:\Combo-Fix.txt"* along with a *new HijackThis log* for further review.
***Note: Do not mouseclick Combo-Fix's window while it's running. That may cause it to stall***

If it fails again, download GMER's *MBR.exe* to your desktop from the following link:

Double click on the *MBR.exe* file to run it. A log will be produced, *MBR.log*. Please open this log in *Notepad* and post its contents in your next reply.


----------



## 1wozk (May 6, 2008)

Hi, sorry about this, but I still can't open Combo-Fix. I did all you said and turned off all that needed turning off, and all that happens when I try to open it is lots of small windows opening saying it can't open it.
I did get the log for the other one you wanted, which is below.

*MBR.EXE LOG*

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


----------



## 1wozk (May 6, 2008)

Hello again. I have been checking around the search engine to see if I could find any useful info to add to this problem and came across this site http://www.techspot.com/vb/topic76647.html and saw something similar with ComboFix. Some of the problems listed in there are on the process svchost.exe, which I have on mine too, and it states on that other site that it is bad malware, so do you think this might be the cause of some of my problems? What I saw on that site I have also listed below.

HJT logs, of HJT, AVG anti spyware, combo fix logs as Mr Howards


#1 05-05-2007 
hacsan 
Newcomer, in training Member since: May 2007, 5 posts

HJT,AVG anti spyware, combo fix logs as Mr Howards said, explorer error help required

--------------------------------------------------------------------------------

Dear Howard,

Thanks for such a detailed help guide; indeed it is an effort which needs to be appreciated. I thank you a lot.

I have taken all the steps as you mentioned and am now waiting for the response so I can put things on the normal track.

There are three attachments, of HJT, AVG Anti-Spyware, and ComboFix. I have not yet fixed the HijackThis log files; waiting for any response.

The second problem I am facing is that my Internet Options does not allow me to change the default settings of Internet Explorer. Whenever I open Internet Explorer it takes me to the same web page and then I receive a message from AVG antivirus that the VB.asd virus has been healed, and I cannot change the settings, as I told you, because the Internet Options settings are disabled.

And lastly, my hard disk D: partition does not open with Windows Explorer. Whenever I double click it, Windows opens a dialogue box asking me to choose a program to open it with, but that disk is accessible with folder options, or through right clicking the Start button and Explore.
Attached Files Report-Scan-20070505-191757.txt (3.4 KB, 6 views) 
ComboFix.txt (37.0 KB, 11 views) 
hijackths.txt (5.7 KB, 7 views)

--------------------------------------------------------------------------------
Last edited by hacsan; 05-05-2007 at 04:54 PM.. Reason: windows erroe, vb.asd virus reason


#2 05-05-2007 
howard_hopkinso 
Banned Member since: Aug 2004, 25,946 posts

Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

svchost32.exe<Not to be confused with svchost.exe
dap74.exe
toolbar.exe
rebates.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe

O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system\svchost.exe<this is nasty and is added by malware, it's also running from the wrong location.
C:\WINDOWS\system\svchost32.exe<As above.
D:\EasyDrive\DAP<Delete the entire folder as it's infected with adware and a downloader.

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.
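
The check the quoted reply applies by hand (a core Windows binary name such as svchost.exe is only legitimate from %SystemRoot%\System32; C:\WINDOWS\system\svchost.exe and svchost32.exe are impostors) can be run mechanically over a HijackThis log. The script below is an added example for this thread, not part of HijackThis and not code posted by anyone here; it also flags O15 Trusted Zone entries like the worldwinner.com one in the log above, since a Trusted-zone site gets relaxed ActiveX and scripting restrictions in Internet Explorer. The list of core binaries, the assumed C:\WINDOWS install root, and the sample log are all constructed for the example.

```python
"""Triage a HijackThis log for core-binary look-alikes and trust-zone changes.

Added example for this thread; not part of HijackThis and not code posted
in the thread. A process named like a Windows core binary is only
legitimate from its home directory, so a copy in C:\WINDOWS\system (no
"32") or a near-miss name such as svchost32.exe is reported, as are O15
Trusted Zone additions.
"""
import re
from collections import namedtuple

# Core Windows binaries whose names malware borrows. Constructed list.
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}
CORE_STEMS = {name[:-4] for name in CORE_BINARIES}

# Where the genuine copy lives (lower-case). explorer.exe sits in
# %SystemRoot% itself, the rest in System32. Assumes the C:\WINDOWS
# install root used throughout this thread.
DEFAULT_DIRS = {r"c:\windows\system32"}
EXPECTED_DIRS = {"explorer.exe": {r"c:\windows"}}

Finding = namedtuple("Finding", "kind path line")

_O4_RE = re.compile(r'^O4 - .*?: \[[^\]]*\]\s*"?([A-Za-z]:\\[^"]*?\.exe)"?', re.I)
_O15_RE = re.compile(r"^O15 - Trusted Zone:\s*(\S+)", re.I)
_PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)


def split_path(path):
    """Return (directory, basename), both lower-case, for a Windows path."""
    path = path.strip().strip('"')
    directory, _, base = path.rpartition("\\")
    return directory.lower(), base.lower()


def check_path(path, line=""):
    """Return a Finding for a suspicious executable path, else None."""
    directory, base = split_path(path)
    if base in CORE_BINARIES:
        if directory in EXPECTED_DIRS.get(base, DEFAULT_DIRS):
            return None
        return Finding("wrong_location", path, line)
    stem = base[:-4] if base.endswith(".exe") else base
    if any(core in stem for core in CORE_STEMS):  # svchost32.exe, lsass1.exe, ...
        return Finding("lookalike_name", path, line)
    return None


def triage(log_text):
    """Scan a HijackThis log; return findings in the order encountered."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if _PROC_RE.match(line):
                hit = check_path(line, line)
                if hit:
                    findings.append(hit)
                continue
            in_processes = False  # the process list ends at the first non-path line
        m = _O4_RE.match(line)
        if m:
            hit = check_path(m.group(1), line)
            if hit:
                findings.append(hit)
            continue
        m = _O15_RE.match(line)
        if m:
            findings.append(Finding("trusted_zone", m.group(1), line))
    return findings


# Constructed sample: benign lines from this thread's log plus the two
# malicious Run entries quoted from the TechSpot thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\svchost.exe

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe
O15 - Trusted Zone: http://www.worldwinner.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-15s %s" % (f.kind, f.path))
```

Run it against a saved hijackthis.txt by passing the file contents to triage(). The name-stem heuristic deliberately over-reports (any filename containing "svchost" or "lsass" is listed) because the point is to hand a short list to a human, who then confirms the file with its digital signature and hash; it is not a verdict.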


----------



## JSntgRvr (Jul 1, 2003)

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous. As a precaution, we will make a backup of the registry first.

_Modification of the registry can be *EXTREMELY* dangerous if you do not know exactly what you are doing. Please follow the steps that are listed below *EXACTLY*. If you cannot perform some of these steps, or if you have *ANY* questions please ask *BEFORE* proceeding._

*Backing Up Your Registry*
Go *Here* and download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts 
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT* 
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup 
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked 
Press *OK*
Press *YES* to create the folder.
*Registry Modifications*

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Associationfix.reg* . Once extracted, open the folder and double click on the *Associationfix.reg* file and select *Yes* when prompted to merge it into the registry.

Restart the computer and attempt to run Combofix.
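
The reason an association fix is being tried here is that the "Windows cannot open this file" symptom for every .exe usually means HKEY_CLASSES_ROOT\exefile\shell\open\command has been rewritten so that something else runs before (or instead of) the program; the stock value is "%1" %*, which simply runs the file with its arguments. The following added script is not from this thread, from ComboFix, or from the author of Associationfix.reg; it parses a .reg file in the "Windows Registry Editor Version 5.00" format (quoted strings, hex(2) REG_EXPAND_SZ values as UTF-16LE bytes, backslash-continued lines) and reports whether the exefile/batfile/comfile open commands are the stock value. The list of watched keys, the hijack.exe path and the sample .reg are constructed for the example.

```python
"""Audit the .exe/.bat shell handlers in a Windows .reg export.

Added example for this thread; not code from the thread, from ComboFix,
or from the author of Associationfix.reg. Parses the "Windows Registry
Editor Version 5.00" format and reports any watched shell command whose
default value is not the stock "%1" %*.
"""
import re

STOCK_COMMAND = '"%1" %*'

# Keys whose default value must be the stock command (lower-case, because
# registry key names are case-insensitive). comfile is included as a
# common companion target even though the thread's .reg only covers
# batfile and exefile. Constructed list.
WATCHED = (
    r"hkey_classes_root\exefile\shell\open\command",
    r"hkey_classes_root\exefile\shell\runas\command",
    r"hkey_classes_root\batfile\shell\open\command",
    r"hkey_classes_root\comfile\shell\open\command",
)


def unescape(s):
    """Undo .reg string escaping (a backslash quotes the next character)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_value(raw):
    """Decode a value literal: "text" -> str; hex(1|2|7):.. -> str (UTF-16LE);
    hex:.. and other hex(N):.. -> bytes; anything else is returned verbatim."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1)) if m.group(1) else 3  # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2, 7):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {key_lowercase: {value_name: value}}; the default value is named "@"."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        while line.rstrip().endswith("\\"):  # value continues on the next line
            line = line.rstrip()[:-1] + next(lines, "").strip()
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else unescape(name.strip().strip('"'))
        keys[current][name] = decode_value(raw.strip())
    return keys


def audit(text):
    """Map each watched key present in the file to 'ok' or 'HIJACKED: <command>'."""
    keys = parse_reg(text)
    report = {}
    for key in WATCHED:
        if key in keys:
            cmd = keys[key].get("@")
            report[key] = "ok" if cmd == STOCK_COMMAND else "HIJACKED: %r" % (cmd,)
    return report


# Constructed sample: exefile points at a made-up interceptor path,
# batfile is stock, and the edit command uses the hex(2) form seen in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
"EditFlags"=hex:00,00,00,00
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
  00
'''

if __name__ == "__main__":
    for key, status in audit(SAMPLE_REG).items():
        print(key, "->", status)
```

To audit a live machine rather than a file, export the keys first (regedit's File > Export, or `reg export HKCR\exefile exefile.reg`) and feed the result to audit(); a fix file such as Associationfix.reg should come back all "ok" when run through the same check, which is a quick way to confirm that what you are about to merge is the stock value and nothing more.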


----------



## 1wozk (May 6, 2008)

Hi, having a problem at the moment in opening the zip file. It's doing the same as the ComboFix and saying it can't open the reg file. I have managed to do everything else.


----------



## 1wozk (May 6, 2008)

I managed to open that zip file in Notepad and it has just come up with a log, which I have put below. If you know of a file to open it then I might be able to complete your instructions.
thanks 
warren

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\.bat\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\batfile]
@="MS-DOS Batch File"
"EditFlags"=hex:30,04,00,00

[HKEY_CLASSES_ROOT\batfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
00,33,00,00,00

[HKEY_CLASSES_ROOT\batfile\shell]

[HKEY_CLASSES_ROOT\batfile\shell\edit]

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\batfile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\print]

[HKEY_CLASSES_ROOT\batfile\shell\print\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\batfile\shellex]

[HKEY_CLASSES_ROOT\batfile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\batfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\batfile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\.reg]
@="regfile"

[HKEY_CLASSES_ROOT\.reg\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\regfile]
@="Registration Entries"
"EditFlags"=dword:00100000

[HKEY_CLASSES_ROOT\regfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,\
2c,00,31,00,00,00

[HKEY_CLASSES_ROOT\regfile\shell]

[HKEY_CLASSES_ROOT\regfile\shell\edit]

[HKEY_CLASSES_ROOT\regfile\shell\edit\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\regfile\shell\open]
@="Mer&ge"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\print]

[HKEY_CLASSES_ROOT\regfile\shell\print\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
"PerceivedType"="text"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\.txt\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.txt\ShellNew]
"NullFile"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6e,00,6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,\
00,2c,00,2d,00,34,00,36,00,39,00,00,00
"EditFlags"=dword:00010000
"BrowserFlags"=dword:00000008

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
00,32,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell]
@="open"

[HKEY_CLASSES_ROOT\txtfile\shell\open]

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\txtfile\shell\print]

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell\printto]

[HKEY_CLASSES_ROOT\txtfile\shell\printto\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,6f,00,\
74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,70,00,74,\
00,20,00,22,00,25,00,31,00,22,00,20,00,22,00,25,00,32,00,22,00,20,00,22,00,\
25,00,33,00,22,00,20,00,22,00,25,00,34,00,22,00,00,00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\ProgID]
@="lnkfile"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]

[HKEY_CLASSES_ROOT\cmdfile]
@="Windows NT Command Script"
"EditFlags"=hex:30,04,00,00

[HKEY_CLASSES_ROOT\cmdfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
00,33,00,00,00

[HKEY_CLASSES_ROOT\cmdfile\shell]

[HKEY_CLASSES_ROOT\cmdfile\shell\edit]

[HKEY_CLASSES_ROOT\cmdfile\shell\edit\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\cmdfile\shell\EditWithVS]
@="&Edit with Visual Studio"

[HKEY_CLASSES_ROOT\cmdfile\shell\EditWithVS\command]
@="\"C:\\Program Files\\Microsoft Visual Studio\\Common\\IDE\\IDE98\\devenv.exe\" \"%1\""

[HKEY_CLASSES_ROOT\cmdfile\shell\EditWithVS\ddeexec]
@="Open(\"%1\")"

[HKEY_CLASSES_ROOT\cmdfile\shell\EditWithVS\ddeexec\application]
@="vstudio"

[HKEY_CLASSES_ROOT\cmdfile\shell\EditWithVS\ddeexec\topic]
@="system"

[HKEY_CLASSES_ROOT\cmdfile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\print]

[HKEY_CLASSES_ROOT\cmdfile\shell\print\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\cmdfile\shellex]

[HKEY_CLASSES_ROOT\cmdfile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\cmdfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\.jpeg]
"PerceivedType"="image"
@="OISjpegfile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.jpeg\OpenWithList]

[HKEY_CLASSES_ROOT\.jpeg\OpenWithList\ois.exe]
@=""

[HKEY_CLASSES_ROOT\.jpeg\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_CLASSES_ROOT\.jpeg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.jpg]
"PerceivedType"="image"
@="OISjpegfile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.jpg\OpenWithList]

[HKEY_CLASSES_ROOT\.jpg\OpenWithList\ois.exe]
@=""

[HKEY_CLASSES_ROOT\.jpg\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_CLASSES_ROOT\.jpg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.scr]
@="scrfile"

[HKEY_CLASSES_ROOT\jpegfile]
@="JPEG Image"
"EditFlags"=dword:00010000
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,73,00,68,00,69,00,6d,00,67,00,76,00,77,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,33,00,30,00,33,00,00,00
"ImageOptionFlags"=dword:00000003

[HKEY_CLASSES_ROOT\jpegfile\CLSID]
@="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\jpegfile\DefaultIcon]
@="shimgvw.dll,3"

[HKEY_CLASSES_ROOT\jpegfile\shell]

[HKEY_CLASSES_ROOT\jpegfile\shell\open]
"MuiVerb"="@shimgvw.dll,-550"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="rundll32.exe C:\\WINDOWS\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\DropTarget]
"Clsid"="{E84FDA7C-1D6A-45F6-B725-CB260C236066}"

[HKEY_CLASSES_ROOT\jpegfile\shell\printto]

[HKEY_CLASSES_ROOT\jpegfile\shell\printto\command]
@="rundll32.exe C:\\WINDOWS\\system32\\shimgvw.dll,ImageView_PrintTo /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_CLASSES_ROOT\JPEGFilter.CoJPEGFilter]
@="CoJPEGFilter Class"

[HKEY_CLASSES_ROOT\JPEGFilter.CoJPEGFilter\CLSID]
@="{607fd4e8-0a03-11d1-ab1d-00c04fc9b304}"

[HKEY_CLASSES_ROOT\JPEGFilter.CoJPEGFilter.1]
@="CoJPEGFilter Class"

[HKEY_CLASSES_ROOT\JPEGFilter.CoJPEGFilter.1\CLSID]
@="{607fd4e8-0a03-11d1-ab1d-00c04fc9b304}"

[HKEY_CLASSES_ROOT\scrfile]
@="Screen Saver"

[HKEY_CLASSES_ROOT\scrfile\shell]

[HKEY_CLASSES_ROOT\scrfile\shell\config]
@="C&onfigure"

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\install]
@="&Install"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\scrfile\shell\open]
@="T&est"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\scrfile\shellex]

[HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"


----------



## 1wozk (May 6, 2008)

Hi, I have managed to add all the info from that association file into the registry. What I did was type regedit in Start -> Execute, then File -> Open -> Import,
and that seemed to sort that problem out for reg files as I have now added the info into the registry.
I have restarted my PC and have tried to open combo-fix again but still keep getting the message "Windows cannot open this file n.com".


----------



## 1wozk (May 6, 2008)

Hi, I have been looking again in the registry at exe, which is the file type for ComboFix, and have noticed that exe is set to (Default) REG_SZ exefile and below that Content Type REG_SZ application/x-msdownload.
I was wondering if the exe should be set to the application as default, and as it's not, this may be the cause of ComboFix not opening. I might be wrong but thought you should know the info in the registry for the exe.


----------



## JSntgRvr (Jul 1, 2003)

Right-click Here and select Save as or Save link as to download unhookexec.inf. Save it to the desktop. Once downloaded, right-click on the unhookexec.inf file and select Install.

Retry Combofix


----------



## 1wozk (May 6, 2008)

Hi, I followed your instructions and installed that new software but still no joy with ComboFix.
Could it be because when I download ComboFix it will only let me use combofix.exe? I have tried to change it to combo-fix and when I do I lose the ComboFix logo and get a small square box.


----------



## 1wozk (May 6, 2008)

Also I checked to see what opens unhook and it's Notepad.


----------



## JSntgRvr (Jul 1, 2003)

I don't know if that file is part of ComboFix, but it has a .com association.

Edit the registry as follows:


*Copy the entire contents of the Quote Box* below to *Notepad*.
Leave an empty line at the end of the script.
Name the file as *fix.reg*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*
Once saved, double click on the *fix.reg* file and merge it into the Registry.



> Windows Registry Editor Version 5.00
> 
> [HKEY_CLASSES_ROOT\.com]
> @="comfile"
> ...


Restart and retry.
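Both the Associationfix.reg text pasted earlier in the thread and the .com fix above repair file associations the same way: merging `.reg` text that resets an extension's ProgID and the ProgID's shell\open\command handler. The Python script below is an added example; it is not part of the thread and not one of the helper's tools. It parses `.reg` text (including the hex(2) UTF-16LE values regedit writes for REG_EXPAND_SZ), maps each extension to its ProgID, and compares every open command with a baseline taken from the Associationfix.reg text above, so a handler that no longer reads `"%1" %*` stands out before a file is merged or in an export of a suspect machine's HKEY_CLASSES_ROOT. The sample input is constructed for the example, and the `C:\unknown\wrapper.exe` path in it is a made-up placeholder.

```python
"""Audit shell\\open\\command handlers in Windows .reg text (added example for this thread;
not one of the helper's tools, not Windows code). Parses .reg text such as Associationfix.reg,
decodes regedit's hex(2) UTF-16LE values, and compares each ProgID's open command with a baseline."""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
OPEN_CMD_RE = re.compile(r'^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$', re.IGNORECASE)
EXT_RE = re.compile(r'^HKEY_CLASSES_ROOT\\(\.[^\\]+)$', re.IGNORECASE)

# Known-good open commands, taken from the Associationfix.reg text in the thread.
BASELINE = {
    'exefile': '"%1" %*',
    'comfile': '"%1" %*',
    'batfile': '"%1" %*',
    'cmdfile': '"%1" %*',
    'regfile': 'regedit.exe "%1"',
    'txtfile': r'%SystemRoot%\system32\NOTEPAD.EXE %1',
}

# Constructed sample in the thread's format; the exefile handler deliberately points
# at a made-up placeholder path so the audit has something to flag.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\unknown\\wrapper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
  00
'''

def _logical_lines(text):
    """Join the backslash continuation lines regedit writes for long hex values."""
    buf = ''
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith('\\'):
            buf = buf[:-1]
        else:
            yield buf
            buf = ''

def _decode_value(raw):
    """Unescape quoted strings; decode hex(1)/(2)/(7) as UTF-16LE; leave dword/binary as written."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    m = re.match(r'^hex\(([127])\):(.*)$', raw)
    if m:
        return bytes.fromhex(m.group(2).replace(',', '')).decode('utf-16-le').rstrip('\x00')
    return raw

def parse_reg(text):
    """Return {key path: {value name: value}}; the default value is stored under '@'."""
    tree, current = {}, None
    for line in _logical_lines(text):
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            current = km.group(1)
            tree.setdefault(current, {})
        elif vm and current is not None:
            name = vm.group(1)
            name = '@' if name == '@' else re.sub(r'\\(.)', r'\1', name[1:-1])
            tree[current][name] = _decode_value(vm.group(2).strip())
    return tree

def extension_targets(tree):
    """Map each extension key (.exe, .com, ...) to the ProgID it points at."""
    return {m.group(1).lower(): v['@'] for k, v in tree.items()
            for m in [EXT_RE.match(k)] if m and v.get('@')}

def open_commands(tree):
    """Map each ProgID to the command registered under its shell\\open\\command key."""
    return {m.group(1).lower(): v['@'] for k, v in tree.items()
            for m in [OPEN_CMD_RE.match(k)] if m and '@' in v}

def audit(tree, baseline=BASELINE):
    """Return {progid: (found, expected)} where the open command differs from the baseline
    (compared case-insensitively, since the thread's export mixes System32 and system32)."""
    found = open_commands(tree)
    return {p: (found[p], exp) for p, exp in baseline.items()
            if p in found and found[p].casefold() != exp.casefold()}

if __name__ == '__main__':
    tree = parse_reg(SAMPLE_REG)
    print(extension_targets(tree))
    print(audit(tree))
```

Run as-is it reports the constructed exefile mismatch. To audit a real machine, export the keys in question with regedit (File > Export, or `regedit /e assoc.reg HKEY_CLASSES_ROOT\exefile`) and pass the file's text to `parse_reg`; version 5.00 exports are UTF-16 with a byte-order mark, so open them with `encoding='utf-16'`. The baseline is deliberately limited to the handlers the thread's fix covers; extend it from a known-clean export rather than from the machine being checked.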


----------



## 1wozk (May 6, 2008)

Hi, I followed your instructions and re-booted but still no luck with ComboFix. I looked to see the file type for ComboFix and it is n.com, but next to the ComboFix on the shortcut it has exe next to it. When I try to change the whole name to combo-fix it doesn't allow it, so maybe some malware has changed some of my registry values.


----------



## 1wozk (May 6, 2008)

Is it possible maybe you could log into my PC to check the problem? Would that help?


----------



## 1wozk (May 6, 2008)

I must also sleep now as it's 2.30 am here in the UK. I will log back in later today and follow your next instructions.
Thanks for all your time and effort, it's much appreciated.
Warren


----------



## JSntgRvr (Jul 1, 2003)

We can continue tomorrow. If I am not mistaken, there is a File association problem somewhere.


----------



## JSntgRvr (Jul 1, 2003)

Whenever you have the time, re-scan with OTScanit2 using the same settings:

Leave all settings as they appear as default, except for the following:
Under *Drivers*, select *"All"*.
Under *Rootkit Search*, select *Yes*.
Under *Additional Scan* select the following:
*Reg - ControlSets*
*Reg - Disabled MS Config Items*
*Reg - File Associations*
*Reg - Security Center Settings*
*Reg - Tcpip Persistent Routes*


Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so, depending on your system, it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that Notepad file.
Use the *Reply* button and attach the Notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## 1wozk (May 6, 2008)

Hi, just carried out your latest instructions. I was a bit surprised as it didn't take very long to complete.


----------



## JSntgRvr (Jul 1, 2003)

Download *SREng*

Extract it to Desktop and double click *SREngLdr.EXE* to run it.
Select *System Repair* from the left pane.
Click on *File Association*.
Select all entries that have an *Error status* and click *[Repair]*.
Refer to this image for an example:

Close SREng now.
Download the enclosed folder. Save and extract its contents to the desktop. Once extracted open the *Query* folder and click on the *Query.bat* file. Post its report and your experience with *SREng* above.


----------



## 1wozk (May 6, 2008)

Hi, thanks for your next instruction which I have completed. The only part which I could not complete was at the end of your last instruction you said

*Download the enclosed folder. Save and extract its contents to the desktop. Once extracted open the Query folder and click on the Query.bat file. Post its report and your experience with SREng above.*

I could not see a file to download for this, sorry.

What did happen though was when running that SREng it found about 5 errors. I ran the repair then closed the file like you asked, then I checked to see if the ComboFix would open and it did. I re-closed it straight away so I could await your next instruction, but all looks good with opening files of com now, thanks.


----------



## 1wozk (May 6, 2008)

Hi again, I thought while I am waiting I might as well run the ComboFix now following your instructions and will come back here to post all you need.


----------



## 1wozk (May 6, 2008)

Hi, here is an attachment with the SREng log which I carried out after the repair. The problem I am having now is I can open ComboFix and have exited from my AVG anti-virus and turned off the resident shield, but ComboFix still says AVG anti-virus is still running after I switched it off, which is weird. So I went to my security in the Start menu and clicked on that and it will not open; it comes up with a small box saying Windows cannot open this, which is strange as it opened yesterday. I will keep trying for a bit and if I can get it turned off I will carry out the ComboFix and a HijackThis and send you the results shortly.


----------



## 1wozk (May 6, 2008)

Hi, I have attached 2 logs for you. All went well with the ComboFix; it installed the console to my PC. I managed to turn off the processes for AVG in the Task Manager to get the ComboFix running.
I still have the problem where I can't open the security program for Windows in my Start menu. I noticed in the ComboFix log that something in Windows is disabled, so that could be the reason for me not being able to open the security program for Windows.

I await your next instruction.


----------



## 1wozk (May 6, 2008)

This is what I noticed to be disabled in the ComboFix log

```
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
```


----------



## JSntgRvr (Jul 1, 2003)

Those keys above mean nothing. There are programs I do not recommend you keep, especially Registry Cleaners. I would recommend you remove the following programs:

*OpenWith.org Desktop Tool
RegGenie
PC MightyMax 2009*


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*



> File::
> c:\windows\system32\drivers\_003695_.tmp.dll
> c:\windows\system32\drivers\_003668_.tmp.dll
> 
> ...

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report along with a HijackThis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java* to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
*Upgrading Java*:

Download the latest version of *Java SE Runtime Environment (JRE) 6 Update 13*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the *jre-6u13-windows-i586-p.exe* and select "Run as an Administrator.")


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Hi thanks for your next instruction which i have completed the only part which i could not complete was at the end of your last instruction you said
> 
> *Download the enclosed folder. Save and extract its contents to the desktop. Once extracted open the Query folder and click on the Query.bat file. Post its report and your experience with SREng above.*
> 
> ...


Never mind. Seems that all is in place now.


----------



## 1wozk (May 6, 2008)

Hi, I have attached 2 logs so far for you with 1 more to follow, which shouldn't be too much longer as the scan is in progress now.

One problem I had in the latest instructions you gave me was you asked me to delete these

*OpenWith.org Desktop Tool
RegGenie
PC MightyMax 2009*

I could not find anywhere to uninstall two of these. Only RegGenie I could find by doing a search through the Start menu and was able to uninstall that one; the other two I could find by doing a search but there was no uninstaller with the files I found, so I just deleted the ones I did find.


----------



## 1wozk (May 6, 2008)

It's 2.30 am here in the UK and the Kaspersky scan is taking a very long time, so I will leave it running and go to bed and post it to you later today. Thanks again for all your help so far.


----------



## JSntgRvr (Jul 1, 2003)

The fix didn't go through. Perhaps word wrap is enabled in Notepad. Open Notepad, select Format from the menu, and make sure Word Wrap is not selected.

*Copy the entire contents of the Code Box* below to *Notepad*.
Name the file as *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*


```
File::
c:\windows\system32\drivers\_003695_.tmp.dll
c:\windows\system32\drivers\_003668_.tmp.dll
c:\windows\system32\drivers\_003677_.tmp.dll
c:\windows\system32\SET2E9.tmp
c:\windows\system32\SET26A.tmp


Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
```

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report along with a HijackThis log.


----------



## 1wozk (May 6, 2008)

Hi, I have attached three logs for you. The scan log for bugs found two viruses.
I followed your other instructions too for the CFScript.txt and noticed that Word Wrap was in the Format menu but wasn't highlighted; there was also Font there too.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *1wozk* 

Findings are in quarantine, one backed up by Windows.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

Click *START* then *RUN*
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *x* and the */u*, it needs to be there.

*Create a Restore point* (If the above process fails to do so):

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

*How is the computer doing?*


----------



## 1wozk (May 6, 2008)

Hi, I have followed all your latest instructions and was able to complete all.
My PC does seem a lot better now; the load up is much faster. I still can't open the Security Centre in the System Tools from the Start menu; when I try to it says Windows cannot open this file wscui.cpl.
Other than that problem I haven't noticed any more, thanks to your hard work which I appreciate very much indeed.
If you could let me know if possible what I can do to resolve the problem with opening the Security Centre please.
Thanks again for all your time, I will donate to TechGuy for sure.
Thanks
Warren


----------



## JSntgRvr (Jul 1, 2003)

Let's query the registry.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, click on the *query.bat* and post its report.


----------



## 1wozk (May 6, 2008)

Hi, below is the info you asked for, thanks.

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\cplfile
<NO NAME>	REG_SZ	Control Panel extension

HKEY_CLASSES_ROOT\cplfile\shell

HKEY_CLASSES_ROOT\cplfile\shell\cplopen
<NO NAME>	REG_SZ	Open with Control Panel

HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLL "%1",%*

HKEY_CLASSES_ROOT\cplfile\shell\runas

HKEY_CLASSES_ROOT\cplfile\shell\runas\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

wscui.cpl exists


----------



## JSntgRvr (Jul 1, 2003)

Run ERUNT and backup your registry once again.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Regfix.reg* . Once extracted, open the folder and double click on the *Regfix.reg* file and select *Yes* when prompted to merge it into the registry.

Let me know if that makes a difference.


----------



## 1wozk (May 6, 2008)

Hi, I did what you have asked by using ERUNT and then downloaded and extracted that file, which asked if I was sure I wanted to add it to the registry, then clicked OK to add it. Was that right or should I have moved it into a different program, as my Security Centre still won't open?
Thanks
Warren


----------



## JSntgRvr (Jul 1, 2003)

Run the query once again.


----------



## 1wozk (May 6, 2008)

Hi, I followed what you have asked and when I clicked Yes on the file I extracted it asked if I wanted to add it to the registry, which I did, but the Windows Security still won't open, sorry about that. Did I do the right thing when it asked me if I wanted to add it to the registry or should I have added it somewhere else?


----------



## 1wozk (May 6, 2008)

I have right-clicked on the Security Centre and it says open unknown application.


----------



## JSntgRvr (Jul 1, 2003)

Run the query downloaded on post #54 and post its report.


----------



## 1wozk (May 6, 2008)

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\cplfile
<NO NAME>	REG_SZ	Control Panel extension
EditFlags	REG_DWORD	0x0

HKEY_CLASSES_ROOT\cplfile\shell

HKEY_CLASSES_ROOT\cplfile\shell\cplopen
<NO NAME>	REG_SZ	Open with Control Panel

HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLL "%1",%*

HKEY_CLASSES_ROOT\cplfile\shell\runas

HKEY_CLASSES_ROOT\cplfile\shell\runas\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

wscui.cpl exists


----------



## JSntgRvr (Jul 1, 2003)

Download the enclosed file. Save and extract its contents to the desktop. Once extracted, open the folder and click on the CPLFix.bat file.

Run the query once again and post its report.


----------



## 1wozk (May 6, 2008)

Hi, I downloaded that new file CPLFix but when I attempt to open it I have problems, as it only attempts to open then closes again.


----------



## JSntgRvr (Jul 1, 2003)

The zipped file?


----------



## 1wozk (May 6, 2008)

Yes, after extracting that file I try to open CPLFix and it attempts to by showing a black squared box, then closes it within 1 second, so it doesn't properly open for some reason.


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Yes, after extracting that file I try to open CPLFix and it attempts to by showing a black squared box, then closes it within 1 second, so it doesn't properly open for some reason.


I am sorry, that is normal. I forgot to mention it. Run the query and post the report.


----------



## 1wozk (May 6, 2008)

I wish I could send you the report but that black box which opens doesn't stay open; it closes within 1 second and I can't see any report left on the desktop after I attempted to run it, sorry about this.


----------



## JSntgRvr (Jul 1, 2003)

Run the query downloaded on post #54 and post its report.


----------



## 1wozk (May 6, 2008)

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\cplfile
<NO NAME>	REG_SZ	Control Panel extension
EditFlags	REG_DWORD	0x0

HKEY_CLASSES_ROOT\cplfile\shell

HKEY_CLASSES_ROOT\cplfile\shell\cplopen
<NO NAME>	REG_SZ	Open with Control Panel

HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLL "%1",%*

HKEY_CLASSES_ROOT\cplfile\shell\runas

HKEY_CLASSES_ROOT\cplfile\shell\runas\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

wscui.cpl exists


----------



## 1wozk (May 6, 2008)

This *wscui.cpl* which is in that report above is what comes up when I attempt to open the Security Centre.


----------



## JSntgRvr (Jul 1, 2003)

Run Regedit.exe. Right click on the *HKEY_CLASSES_ROOT* and select *Permissions*. Click on Administrators. Can you tell me what is indicated therein as the permissions for the Administrators?


----------



## JSntgRvr (Jul 1, 2003)

How about for *Everyone*?


----------



## 1wozk (May 6, 2008)

Hi, sorry about this, but I'm looking for Permissions in HKEY_CLASSES_ROOT and cannot see it in the list it displays.


----------



## JSntgRvr (Jul 1, 2003)

That Registry was really messed up by those registry cleaners.

Remove the CPLFix.zip and the CPLFix folder from your desktop.

Download the enclosed one. Save and extract its contents to the desktop. Once extracted, open the folder and click on the CPLFix.bat file. The MSDOS window will flash for a second. That is normal.

Run the query downloaded on post #54 and post its report.


----------



## 1wozk (May 6, 2008)

Found it, sorry, I missed where you said to right-click on the HKEY. For Administrators it says:
Full Control has a tick
Read has a tick
Special Permissions is blank


----------



## 1wozk (May 6, 2008)

Hi, I just followed your other instructions for the CPLFix and it's doing the same thing and not giving me a report.


----------



## JSntgRvr (Jul 1, 2003)

It should be to *Everyone*. Run the new CPLFix as submitted on the previous post.


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Hi, I just followed your other instructions for the CPLFix and it's doing the same thing and not giving me a report.


The fix won't give you a report. The Query on Post 54 will.


----------



## 1wozk (May 6, 2008)

This is the report from the query:

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\cplfile
<NO NAME>	REG_SZ	Control Panel extension
EditFlags	REG_DWORD	0x0

HKEY_CLASSES_ROOT\cplfile\shell

HKEY_CLASSES_ROOT\cplfile\shell\cplopen
<NO NAME>	REG_SZ	Open with Control Panel

HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLL "%1",%*

HKEY_CLASSES_ROOT\cplfile\shell\runas

HKEY_CLASSES_ROOT\cplfile\shell\runas\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

wscui.cpl exists


----------



## JSntgRvr (Jul 1, 2003)

There is a key missing and the registry is not allowing its creation.

Run Regedit.

Expand the HKEY_CLASSES_ROOT.

Scroll down to .cpl. Does it exist?


----------



## 1wozk (May 6, 2008)

Hi, I can't see .cpl there; the nearest I can find to that match is .clp.


----------



## 1wozk (May 6, 2008)

Found it, there is one which says cpl file.


----------



## 1wozk (May 6, 2008)

Do you think it was a registry cleaner which has stopped things opening on my PC then? I thought registry cleaners were safe to run. If they are not, I won't use them again unless you know of a safe one to use.


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Found it, there is one which says cpl file.


There must be two, one as *.cpl* and the other as *cplfile*. Is the .cpl present?


----------



## 1wozk (May 6, 2008)

There is only a .clp and I can't see a .cpl.


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> There is only a .clp and I can't see a .cpl.


Right-click on that key and select *Export*. Name it *Test* and save it on your desktop. That should create a file on your desktop named Test.reg. Right-click on that file and select *Send to*. Select Compressed (Zipped) file. That should create a zipped file named Test.zip.

Open a Reply and scroll down to Manage Attachments. Browse to your desktop and upload the zipped file. Submit the reply. (It is possible you need to write something in the main window.)

Let's see if this is the .cpl we need.


----------



## 1wozk (May 6, 2008)

Hi, when I right-click on that Test file there is no Compressed (Zipped) file to send it to.


----------



## 1wozk (May 6, 2008)

I do see Merge when I right-click on it, but not Compressed (Zipped) file.


----------



## 1wozk (May 6, 2008)

Don't know if this helps, but I also just noticed that the Test file opens with Registry Editor.


----------



## JSntgRvr (Jul 1, 2003)

Right-click on it and select Edit. Copy and paste its contents in a reply.


----------



## 1wozk (May 6, 2008)

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.clp]
@="clpfile"


----------



## JSntgRvr (Jul 1, 2003)

If you still have the Regfix previously downloaded, remove it from your computer.

Download the enclosed file. Save and extract its contents to the desktop. Once extracted, click on the *Regfix.reg* file and select Yes when prompted to merge it into your registry.

Once done, run the Query.bat previously downloaded on post 54.


----------



## 1wozk (May 6, 2008)

REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\.cpl
<NO NAME>	REG_SZ	cplfile
Generic	REG_SZ	system

HKEY_CLASSES_ROOT\.cpl\PersistentHandler
<NO NAME>	REG_SZ	{098f2470-bae0-11cd-b579-08002b30bfeb}

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\cplfile
<NO NAME>	REG_SZ	Control Panel extension
EditFlags	REG_DWORD	0x0

HKEY_CLASSES_ROOT\cplfile\shell

HKEY_CLASSES_ROOT\cplfile\shell\cplopen
<NO NAME>	REG_SZ	Open with Control Panel

HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLL "%1",%*

HKEY_CLASSES_ROOT\cplfile\shell\runas

HKEY_CLASSES_ROOT\cplfile\shell\runas\command
<NO NAME>	REG_SZ	rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

wscui.cpl exists


----------



## JSntgRvr (Jul 1, 2003)

Those are the right entries now. Try the Security Center.
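A read-only check for the entries this thread repaired, added here as an example and not part of the original posts or of JSntgRvr's fix. The expected values are taken from the Query.bat report above; the `Test-CplAssociation` and `Show-HkcrAccess` function names are my own, and the script assumes an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the thread: verify the .cpl association keys and the
# Security Center applet against the values the Query.bat report shows after
# the fix, and list the HKEY_CLASSES_ROOT permissions the thread inspected by
# hand in Regedit. Read-only; nothing is written to the registry.

$Expected = @(
    @{ Key = 'HKEY_CLASSES_ROOT\.cpl';                          Value = 'cplfile' },
    @{ Key = 'HKEY_CLASSES_ROOT\.cpl\PersistentHandler';        Value = '{098f2470-bae0-11cd-b579-08002b30bfeb}' },
    @{ Key = 'HKEY_CLASSES_ROOT\cplfile';                       Value = 'Control Panel extension' },
    @{ Key = 'HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command'; Value = 'rundll32.exe shell32.dll,Control_RunDLL "%1",%*' },
    @{ Key = 'HKEY_CLASSES_ROOT\cplfile\shell\runas\command';   Value = 'rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*' }
)

function Test-CplAssociation {
    param([array]$Checks)
    $problems = @()
    foreach ($c in $Checks) {
        $path = "Registry::$($c.Key)"
        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "missing key: $($c.Key)"
            continue
        }
        # The unnamed (default) value is exposed as the '(default)' property.
        $actual = (Get-ItemProperty -LiteralPath $path).'(default)'
        if ($actual -ne $c.Value) {
            $problems += "wrong default in $($c.Key): got '$actual', expected '$($c.Value)'"
        }
    }
    # The applet itself must also be on disk (the report's "wscui.cpl exists").
    $applet = Join-Path $env:SystemRoot 'system32\wscui.cpl'
    if (-not (Test-Path -LiteralPath $applet)) { $problems += "missing file: $applet" }
    return $problems
}

# A fix cannot recreate .cpl if the ACL on HKEY_CLASSES_ROOT denies key creation,
# which is why the thread asked about Administrators and Everyone permissions.
function Show-HkcrAccess {
    (Get-Acl -Path 'Registry::HKEY_CLASSES_ROOT').Access |
        Where-Object { $_.IdentityReference -match 'Everyone|Administrators' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

$found = Test-CplAssociation -Checks $Expected
if ($found.Count -eq 0) { 'OK: .cpl association matches the expected entries.' } else { $found }
Show-HkcrAccess
```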


----------



## 1wozk (May 6, 2008)

Hi, thank you for sorting that out. All is good with it now, and it has taken a lot of worry off my mind knowing that it is working now.
There was one last thing which I mentioned at the start of these problems, and that was that I could not do a Windows Update; it would start to update Windows Service Pack 3 then stop halfway through. Do you think this has been fixed also now? If you like, I can try it now and post to you what happens.

Lastly, shall I delete all the stuff I have downloaded with your help for these problems, or shall I keep them in a folder for future reference, and shall I delete all the registry cleaners I have?


----------



## JSntgRvr (Jul 1, 2003)

Please do and let me know.


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Lastly, shall I delete all the stuff I have downloaded with your help for these problems, or shall I keep them in a folder for future reference, and shall I delete all the registry cleaners I have?


Remove all those tools. There is no more need for them.

Create a Restore point and backup the registry with ERUNT.


----------



## 1wozk (May 6, 2008)

OK, I will remove them and create a restore point. I'm doing the Windows Update now, so will let you know what happens with that shortly.


----------



## 1wozk (May 6, 2008)

Hi, the Windows Update was successful and all seems to be back to normal now thanks to your expertise. You really have done a great job and taken a lot of worry off my mind, and I thank you very much for that.

Do you think I should not run any registry cleaners in the future? I was told Glary Registry Repair and RegCleaner might be good ones to keep, but will wait to see what you think before I go deleting anything.

Finally, I would like to make a donation with PayPal. Is that possible to do through TechGuy?

Thanks again,
warren


----------



## 1wozk (May 6, 2008)

Hi, just to let you know: after I rebooted my PC after the latest Windows Service Pack 3 update, I went into the Start menu to check the Windows Security Centre and it's not there any more. It seems to have disappeared after the update.
Thanks,
warren


----------



## JSntgRvr (Jul 1, 2003)

1wozk said:


> Hi, the Windows Update was successful and all seems to be back to normal now thanks to your expertise. You really have done a great job and taken a lot of worry off my mind, and I thank you very much for that.
> 
> Do you think I should not run any registry cleaners in the future? I was told Glary Registry Repair and RegCleaner might be good ones to keep, but will wait to see what you think before I go deleting anything.
> 
> ...


Never use Registry Tools, other than ERUNT.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*SpywareBlaster* - Great prevention tool to keep nasties from installing on your system.

*ZonedOut + IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*ATF*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*Windows Updates* - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

*Recovery Console* - Recent trends appear to indicate that future infections will include attacks on the boot sector of the computer. The installation of the *Recovery Console* in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see *This Article*. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read *this article* by *Miekiemoes*.

Best wishes!


----------



## 1wozk (May 6, 2008)

Hi, thank you for the info you left me; that will come in very useful for the future, and thanks again for all your help.
One last question: do you know what might have happened to my Windows Security Centre in the Start menu? It's not there any more; it vanished after completing the Windows Update.
Thanks, warren


----------



## JSntgRvr (Jul 1, 2003)

The Security Center, as far as I know, is in the Control Panel. See Picture enclosed. Is it present in your Computer?


----------



## 1wozk (May 6, 2008)

Hi, yes, it's in the Control Panel. Thanks for that, and thanks again for all your help. I will be making a donation to TechGuy for all your hard work and will mark this thread as closed now.
All the best,
warren


----------

