# Solved: Need Help



## flyrs (Sep 21, 2007)

Hello,

I am having problems with my computer that I think have been caused by a virus. Whenever I plug anything into a USB port or insert a blank CD in the CD ROM drive the computer does not recognize it. My internet connection has been deleted, and when I try to reinstall from the ISP CD I get the message undefined is null or not an object. I cannot open IE. My device manager is empty. And when I click add new hardware it does not open. I have tried system restore but always get a Restoration Incomplete error. The PNP and system restore services are running. When I check the event log for when I click on services I get the message "Unable to complete the operation on 'system". The interface is unknown". I am running XP SP2, AVG, Ad-ware, and Spybot. All are up to date but don't detect anything.

Sorry I can't post a log but I can't connect to the internet.

Any help would be greatly appreciated.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Welcome.

How do you connect to the internet? Dial-up? DSL? Router?

Who is your ISP?

Boot in Safe Mode with Networking. Are you able to connect while in this state?

What antivirus program is running?

Remove any firewall installed.

Go to *Start*->*Run*->Type *CMD* and click *Ok*. The *MSDOS* Window will be displayed. At the command prompt, type the following and press *Enter* after each line:

*ipconfig /flushdns* (The space between g and / is needed)
*netsh int ip reset C:\Resetlog.txt*
*netsh winsock reset catalog*
*Exit*

Restart the computer and attempt to connect.


----------



## flyrs (Sep 21, 2007)

Thanks for the reply JSntgRvr. 

I connect with a cable modem, my ISP is Comcast. I am running AVG.

I am not at my computer right now, but I will try what you suggested when I get home tonight.

Again, thanks for your help, I really appreciate it.


----------



## JSntgRvr (Jul 1, 2003)

:up: :up: 

Also run the enclosed batch file and post its report.


----------



## flyrs (Sep 21, 2007)

My internet connection is back, thanks JSntgRvr. Here is the log you requested.

Windows IP Configuration

Host Name . . . . . . . . . . . . : FINNEGAN

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Marvell Yukon 88E8050 PCI-E ASF Gigabit Ethernet Controller

Physical Address. . . . . . . . . : 00-13-20-3C-97-51

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Friday, September 21, 2007 10:24:30 PM

Lease Expires . . . . . . . . . . : Saturday, September 22, 2007 10:24:30 PM

Pinging Yahoo.com [66.94.234.13] with 32 bytes of data:

Reply from 66.94.234.13: bytes=32 time=30ms TTL=51

Reply from 66.94.234.13: bytes=32 time=30ms TTL=50

Reply from 66.94.234.13: bytes=32 time=31ms TTL=50

Reply from 66.94.234.13: bytes=32 time=31ms TTL=50

Ping statistics for 66.94.234.13:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 30ms, Maximum = 31ms, Average = 30ms

Pinging Google.com [64.233.187.99] with 32 bytes of data:

Reply from 64.233.187.99: bytes=32 time=71ms TTL=236

Reply from 64.233.187.99: bytes=32 time=71ms TTL=236

Reply from 64.233.187.99: bytes=32 time=71ms TTL=236

Reply from 64.233.187.99: bytes=32 time=70ms TTL=236

Ping statistics for 64.233.187.99:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 70ms, Maximum = 71ms, Average = 70ms


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*.

Glad to learn you are back in business.








*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Double-click on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## flyrs (Sep 21, 2007)

OK here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:37 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/toolbar/?cm.src=SelfInstallPg
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=1a1840d6-ccc2-4113-aa55-c3fe7e026441
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188018387875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188018378218
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://finntim.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8130 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

The log looks clear. *How is the computer doing?*


----------



## flyrs (Sep 21, 2007)

IE and Windows update still won't open, and I am still getting the "Unable to complete the operation on 'system". The interface is unknown" message when I look at the event log. Everything else seems to be working fine.

Thanks,

Doug


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*








Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt* <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the *main.txt* and the *extra.txt*, in your next reply.
If the files are too long, attach them to a reply:

Scroll down and click the [*Manage Attachments*] button
Browse to the following folder:
*C:\Deckard\System Scanner*

Click *Upload* to upload these files one by one
*Submit* your reply


----------



## flyrs (Sep 21, 2007)

OK, I ran the scanner, the logs are attached.

Thanks,

Doug


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*

Seems that you cleared the Event Viewer as no entries are shown in the reports.

Run Msconfig. Select the Startup tab. Deselect all lines therein, except for *AVG7_CC*. Click on Apply, then on Close. Restart the computer when prompted.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "*Don't show me this message or launch the System Configuration Utility when Windows starts*" and click "OK". You will not be bothered by the message again.

Test Internet Explorer and let me know the outcome.

Download the enclosed folder. It contains a batch file to check for the contents of the *System.ini, Win.ini and Boot.ini* files. Save and extract its contents to the desktop. Once extracted, double click on the batch files and post the report it will produce.


----------



## flyrs (Sep 21, 2007)

JSntgRvr,

I don't see the enclosed folder.


----------



## JSntgRvr (Jul 1, 2003)

Mmmmm!

Here we go.


----------



## flyrs (Sep 21, 2007)

I did what you told me, but IE did not open, the screen flashes but nothing happens.

Here is the log

[Boot.ini] file
. 
. 
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
. 
. 
[System.ini] file
. 
. 
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
. 
. 
[Win.ini] file 
. 
. 
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[Status]
State=Running


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Right click on the *Start* button and select *Explore*. In the *Address bar* type *www.aol.com* and hit the *Go* button. Does IE launch?


----------



## flyrs (Sep 21, 2007)

It did not launch, the same thing happened.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Let's check one more item.

Right click on the Start button and select Explore. Navigate to the Windows folder. Scroll down to the *WindowsUpdates.log* file and open this document in Notepad. The log is a huge document. Please select the last 20 to 30 lines of the log and post it in a reply.


----------



## flyrs (Sep 21, 2007)

Here you go JSntgRvr. Thanks.

2007-09-21	21:44:17:375 704 fc	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	21:44:17:390 704 fc	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	21:44:17:390 704 fc	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	21:44:17:375 704 fc	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21	21:47:30:906 704	a74	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	21:47:30:906 704	a74	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	21:47:30:906 704	a74	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	21:47:30:906 704	a74	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21	21:50:49:250 704	aac	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	21:50:49:281 704	aac	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	21:50:49:281 704	aac	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	21:50:49:250 704	aac	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21	22:03:44:953 704	208	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	22:03:44:968 704	208	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	22:03:44:968 704	208	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	22:03:44:953 704	208	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21	22:11:04:734 704	ac4	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	22:11:04:734 704	ac4	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	22:11:04:734 704	ac4	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	22:11:04:734 704	ac4	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21	22:23:32:156	1576	660	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	22:23:32:171	1576	660	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-21	22:23:32:171	1576	660	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	22:23:32:156	1576	660	Shutdwn	Install at shutdown: no updates to install
2007-09-21	22:23:32:171	1576	660	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-21	22:23:38:171 704	538	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-21	22:23:38:171 704	538	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21	22:23:38:171 704	538	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-21	22:23:38:171 704	538	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	02:08:49:062 484	344	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	02:08:49:078 484	344	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-22	02:08:49:078 484	344	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	02:08:49:062 484	344	Shutdwn	Install at shutdown: no updates to install
2007-09-22	02:08:49:078 484	344	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22	02:09:02:859 504	a0c	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	02:09:02:859 504	a0c	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	02:09:02:859 504	a0c	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	02:09:02:859 504	a0c	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	11:24:45:015	3012	378	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:24:45:031	3012	378	Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-22	11:24:45:031	3012	378	Misc = Module: C:\WINDOWS\system32\CDM.DLL
2007-09-22	11:24:45:015	3012	378	CDM	OpenCDMContextEx: Connect if not connected = No
2007-09-22	11:24:45:281	3012	378	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:24:45:281	3012	378	Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-22	11:24:45:281	3012	378	Misc = Module: C:\WINDOWS\system32\wuapi.dll
2007-09-22	11:24:45:281	3012	378	COMAPI	-------------
2007-09-22	11:24:45:281	3012	378	COMAPI	-- START -- COMAPI: Search [ClientId = CDM]
2007-09-22	11:24:45:281	3012	378	COMAPI	---------
2007-09-22	11:24:45:281	3012	378	COMAPI	FATAL: Unable to connect to the service (hr=80070424)
2007-09-22	11:24:45:281	3012	378	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070424)
2007-09-22	11:24:45:281	3012	378	COMAPI - WARNING: Exit code = 0x80070424
2007-09-22	11:24:45:281	3012	378	COMAPI	---------
2007-09-22	11:24:45:281	3012	378	COMAPI	-- END -- COMAPI: Search [ClientId = <NULL>]
2007-09-22	11:24:45:281	3012	378	COMAPI	-------------
2007-09-22	11:24:45:281	3012	378	COMAPI	FATAL: Unable to initiate asynchronous search, hr=80070424
2007-09-22	11:24:45:281	3012	378	CDM	WARNING: CCdm::ExecuteSearch failed, error = 0x80070424
2007-09-22	11:24:45:281	3012	378	CDM	WARNING: CCdm::ExecuteSearchForOneDriverUpdate failed, error = 0x80070424
2007-09-22	11:24:45:281	3012	378	CDM	WARNING: CCdm::FindMatchingDriver failed, error = 0x80070424
2007-09-22	11:24:45:281	3012	378	CDM	WARNING: FindMatchingDriver failed, error = 0x80070424
2007-09-22	11:27:25:125	3012	fd0	CDM	CancelCDMOperation
2007-09-22	11:30:04:937	2636	d0c	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:30:04:937	2636	d0c	Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-22	11:30:04:937	2636	d0c	Misc = Module: C:\WINDOWS\system32\wuapi.dll
2007-09-22	11:30:04:937	2636	d0c	ARP	Connected to update session.
2007-09-22	11:30:04:937	2636	d0c	ARP	User is allowed to install published content.
2007-09-22	11:30:04:953	2636	d0c	COMAPI	FATAL: Unable to connect to the service (hr=80070424)
2007-09-22	11:30:04:953	2636	d0c	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070424)
2007-09-22	11:30:24:796 444	2d4	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:30:24:796 444	2d4	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-22	11:30:24:796 444	2d4	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	11:30:24:796 444	2d4	Shutdwn	Install at shutdown: no updates to install
2007-09-22	11:30:24:796 444	2d4	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22	11:30:33:078 504	ab0	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:30:33:078 504	ab0	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	11:30:33:078 504	ab0	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	11:30:33:078 504	ab0	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	11:59:34:640	3804	264	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:59:34:656	3804	264	Misc = Process: C:\WINDOWS\system32\mmc.exe
2007-09-22	11:59:34:656	3804	264	Misc = Module: C:\WINDOWS\system32\CDM.DLL
2007-09-22	11:59:34:640	3804	264	CDM	OpenCDMContextEx: Connect if not connected = No
2007-09-22	11:59:34:921	3804	264	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	11:59:34:921	3804	264	Misc = Process: C:\WINDOWS\system32\mmc.exe
2007-09-22	11:59:34:921	3804	264	Misc = Module: C:\WINDOWS\system32\wuapi.dll
2007-09-22	11:59:34:921	3804	264	COMAPI	-------------
2007-09-22	11:59:34:921	3804	264	COMAPI	-- START -- COMAPI: Search [ClientId = CDM]
2007-09-22	11:59:34:921	3804	264	COMAPI	---------
2007-09-22	11:59:34:937	3804	264	COMAPI	FATAL: Unable to connect to the service (hr=80070424)
2007-09-22	11:59:34:937	3804	264	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070424)
2007-09-22	11:59:34:937	3804	264	COMAPI - WARNING: Exit code = 0x80070424
2007-09-22	11:59:34:937	3804	264	COMAPI	---------
2007-09-22	11:59:34:937	3804	264	COMAPI	-- END -- COMAPI: Search [ClientId = <NULL>]
2007-09-22	11:59:34:937	3804	264	COMAPI	-------------
2007-09-22	11:59:34:937	3804	264	COMAPI	FATAL: Unable to initiate asynchronous search, hr=80070424
2007-09-22	11:59:34:937	3804	264	CDM	WARNING: CCdm::ExecuteSearch failed, error = 0x80070424
2007-09-22	11:59:34:937	3804	264	CDM	WARNING: CCdm::ExecuteSearchForOneDriverUpdate failed, error = 0x80070424
2007-09-22	11:59:34:937	3804	264	CDM	WARNING: CCdm::FindMatchingDriver failed, error = 0x80070424
2007-09-22	11:59:34:953	3804	264	CDM	WARNING: FindMatchingDriver failed, error = 0x80070424
2007-09-22	11:59:38:218	3804 c8	CDM	CancelCDMOperation
2007-09-22	12:17:02:234 504	a04	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:17:02:234 504	a04	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	12:17:02:234 504	a04	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:17:02:234 504	a04	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	12:20:16:828 468	268	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:20:16:843 468	268	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-22	12:20:16:843 468	268	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:20:16:828 468	268	Shutdwn	Install at shutdown: no updates to install
2007-09-22	12:20:16:843 468	268	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22	12:20:19:343 504	f80	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:20:19:343 504	f80	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	12:20:19:343 504	f80	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:20:19:343 504	f80	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	12:26:53:921 476	2d0	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:26:53:937 476	2d0	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-22	12:26:53:937 476	2d0	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:26:53:921 476	2d0	Shutdwn	Install at shutdown: no updates to install
2007-09-22	12:26:53:937 476	2d0	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22	12:27:00:234 504	ecc	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:27:00:234 504	ecc	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	12:27:00:234 504	ecc	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:27:00:234 504	ecc	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	12:30:31:125 452	23c	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:30:31:140 452	23c	Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-22	12:30:31:140 452	23c	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:30:31:125 452	23c	Shutdwn	Install at shutdown: no updates to install
2007-09-22	12:30:31:140 452	23c	Shutdwn	FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22	12:30:33:796 512	f90	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	12:30:33:796 512	f90	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	12:30:33:796 512	f90	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	12:30:33:796 512	f90	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-22	14:06:47:421	3804	f00	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	14:06:47:421	3804	f00	Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-22	14:06:47:421	3804	f00	Misc = Module: C:\WINDOWS\system32\wuapi.dll
2007-09-22	14:06:47:421	3804	f00	ARP	Connected to update session.
2007-09-22	14:06:47:421	3804	f00	ARP	User is allowed to install published content.
2007-09-22	14:06:47:437	3804	f00	COMAPI	FATAL: Unable to connect to the service (hr=80070424)
2007-09-22	14:06:47:437	3804	f00	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070424)
2007-09-22	14:06:49:546	3804	124	ARP	Connected to update session.
2007-09-22	14:06:49:546	3804	124	ARP	User is allowed to install published content.
2007-09-22	14:06:49:546	3804	124	COMAPI	FATAL: Unable to connect to the service (hr=80070424)
2007-09-22	14:06:49:546	3804	124	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070424)
2007-09-22	15:44:25:593 504	a60	Misc	=========== Logging initialized (build: 7.0.6000.381, tz: -0700) ===========
2007-09-22	15:44:25:593 504	a60	Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-22	15:44:25:593 504	a60	Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2007-09-22	15:44:25:593 504	a60	Shutdwn	FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
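
The two `hr=` values that repeat through the log above can be decoded mechanically. The following is an added example, not part of the original post: it parses WindowsUpdate.log lines, attributes each failure to the process that logged it, and splits every HRESULT into facility and code. `summarize`, `describe` and `report` are hypothetical helper names, the name table covers only the two codes seen in this thread, and the sample lines are copied from the excerpt above with whitespace normalised.

```python
import re
from collections import Counter

# Lines copied from the WindowsUpdate.log excerpt in this thread
# (whitespace normalised to single spaces).
SAMPLE_LOG = r"""
2007-09-21 21:44:17:390 704 fc Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2007-09-21 21:44:17:375 704 fc Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF
2007-09-21 22:23:32:171 1576 660 Misc = Process: C:\WINDOWS\Explorer.EXE
2007-09-21 22:23:32:171 1576 660 Shutdwn FATAL: WUCheckForUpdatesAtShutdown failed, hr=80240FFF
2007-09-22 11:24:45:281 3012 378 Misc = Process: C:\WINDOWS\system32\rundll32.exe
2007-09-22 11:24:45:281 3012 378 COMAPI FATAL: Unable to connect to the service (hr=80070424)
2007-09-22 11:24:45:281 3012 378 COMAPI - WARNING: Exit code = 0x80070424
2007-09-22 11:24:45:281 3012 378 CDM WARNING: CCdm::ExecuteSearch failed, error = 0x80070424
2007-09-22 11:59:34:921 3804 264 Misc = Process: C:\WINDOWS\system32\mmc.exe
2007-09-22 11:59:34:937 3804 264 COMAPI FATAL: Unable to connect to the service (hr=80070424)
"""

# Small lookup tables limited to what appears in this thread.
FACILITY_NAMES = {7: "FACILITY_WIN32", 36: "FACILITY_WINDOWSUPDATE"}
KNOWN_CODES = {
    (7, 1060): "ERROR_SERVICE_DOES_NOT_EXIST (service is not installed)",
    (36, 0x0FFF): "WU_E_UNEXPECTED (failure not covered by another code)",
}

# The log writes the value as hr=XXXXXXXX, error = 0xXXXXXXXX or Exit code = 0x...
HR_RE = re.compile(r"\b(?:hr|error|Exit code)\s*=\s*(?:0x)?([0-9A-Fa-f]{8})\b")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    return {
        "failed": bool(value >> 31),
        "facility": (value >> 16) & 0x1FFF,
        "code": value & 0xFFFF,
    }


def summarize(log_text):
    """Count failures per (HRESULT, process image name)."""
    image_by_pid = {}
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not DATE_RE.fullmatch(parts[0]):
            continue  # blank line or not a log record
        _date, _time, pid, _tid, _component, message = parts
        if message.startswith("= Process:"):
            # Each logging session names its host process; remember it per PID.
            path = message.split(":", 1)[1].strip()
            image_by_pid[pid] = path.rsplit("\\", 1)[-1].lower()
            continue
        match = HR_RE.search(message)
        if match:
            hits[(int(match.group(1), 16), image_by_pid.get(pid, "?"))] += 1
    return hits


def describe(value):
    """Render one HRESULT with its facility, code and known meaning."""
    parts = decode_hresult(value)
    facility = FACILITY_NAMES.get(parts["facility"], "facility %d" % parts["facility"])
    meaning = KNOWN_CODES.get((parts["facility"], parts["code"]), "not in this table")
    return "0x%08X %s code %d: %s" % (value, facility, parts["code"], meaning)


def report(log_text):
    """One line per (HRESULT, process) pair, most severe grouping left to the reader."""
    return ["%-13s x%d  %s" % (image, count, describe(hr))
            for (hr, image), count in sorted(summarize(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Win32 error 1060 means a service the caller asked for is not installed, so the `NET START` listing requested in the next reply is the natural follow-up: it shows which services are actually running.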


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*

This is an unusual error:



> Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF


Navigate to C:\Program Files\Trend Micro\HijackThis and rename Hijackthis.exe to Mypoppy.exe. Double click on Mypoppy.exe to run the program. Scan and post the resulting post. Certain Malware hides when running Hijackthis with its original name.

Also copy and paste the following in Notepad:



> @ECHO OFF
> NET START >>LOGIT.TXT
> Start LOGIT.TXT


Save the document on your desktop as *ActiveServices.bat*, change the File Type to All Files. Click on Save.

You should now have a batch file on your desktop. Double-click on the batch file and post the resulting report.
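
The rename step above only tells you something once the renamed scan is compared with the earlier one. One way to make that comparison, as an added example (not part of the original post and not HijackThis's own code): `parse_hjt` and `diff_scans` are hypothetical helper names, and the two excerpts are shortened from the scans posted in this thread. Anything listed as new in the second scan is what was not visible under the original file name; anything listed as gone reflects changes made in between, such as the Msconfig startup changes.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Shortened excerpt of the first scan in this thread (run as HijackThis.exe).
SCAN_ORIGINAL_NAME = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:37 PM, on 9/21/2007

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shortened excerpt of the second scan in this thread (run as Mypoppy.exe).
SCAN_RENAMED = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:39 PM, on 9/22/2007

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\Mypoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_hjt(log_text):
    """Return (running process paths, (section code, entry text) pairs)."""
    processes, entries = set(), set()
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_process_list = False
            entries.add((match.group(1), match.group(2)))
        elif in_process_list:
            # Paths differ only in case between scans (System32 / system32).
            processes.add(line.lower())
        # Header lines (version, scan time) change on every run and are skipped.
    return processes, entries


def diff_scans(before_text, after_text, ignore_images=()):
    """Compare two scans; ignore_images lists the scanner's own file names."""
    ignore = {name.lower() for name in ignore_images}

    def keep(path):
        return path.rsplit("\\", 1)[-1] not in ignore

    before_proc, before_entries = parse_hjt(before_text)
    after_proc, after_entries = parse_hjt(after_text)
    before_proc = {p for p in before_proc if keep(p)}
    after_proc = {p for p in after_proc if keep(p)}
    return {
        "new_processes": sorted(after_proc - before_proc),
        "gone_processes": sorted(before_proc - after_proc),
        "new_entries": sorted(after_entries - before_entries),
        "gone_entries": sorted(before_entries - after_entries),
    }


if __name__ == "__main__":
    result = diff_scans(SCAN_ORIGINAL_NAME, SCAN_RENAMED,
                        ignore_images=("HijackThis.exe", "Mypoppy.exe"))
    for key, values in result.items():
        print(key, values)
```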


----------



## flyrs (Sep 21, 2007)

All right JSntgRvr, here are the two logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:39 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Mypoppy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/toolbar/?cm.src=SelfInstallPg
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=1a1840d6-ccc2-4113-aa55-c3fe7e026441
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188018387875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188018378218
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://finntim.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7591 bytes

[Boot.ini] file
. 
. 
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
. 
. 
[System.ini] file
. 
. 
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
. 
. 
[Win.ini] file 
. 
. 
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[Status]
State=Running
These Windows services are started:

Application Layer Gateway Service
AVG E-mail Scanner
AVG7 Alert Manager Server
AVG7 Update Service
Computer Browser
Creative Service for CDROM Access
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Fast User Switching Compatibility
Help and Support
HID Input Service
HTTP SSL
IPSEC Services
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
PrismXL
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery Service
System Restore Service
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Windows User Mode Driver Framework
Wireless Zero Configuration
WMDM PMSP Service
Workstation

The command completed successfully.

These Windows services are started:

Application Layer Gateway Service
AVG E-mail Scanner
AVG7 Alert Manager Server
AVG7 Update Service
Computer Browser
Creative Service for CDROM Access
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Fast User Switching Compatibility
Help and Support
HID Input Service
HTTP SSL
IPSEC Services
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
PrismXL
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery Service
System Restore Service
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Windows User Mode Driver Framework
Wireless Zero Configuration
WMDM PMSP Service
Workstation

The command completed successfully.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Please run *Services.msc*.

Check if the following services exist and if they are set to either automatic or manual as it may be the case below (To obtain the information double click on the service):

Alerter - Started- Automatic
Automatic Updates - Started- Automatic
COM+ Event System - Started- Manual
Event Log - Started- Automatic
Human Interface Device Access - Started- Automatic
Internet Connection Sharing - Started- Automatic
IPv6 Helper Service - Started- Automatic
Remote Procedure Call (RPC) - Started- Automatic
Remote Procedure Call (RPC) Locator - Started- Automatic
Security Center - Started- Automatic
System Event Notification - Started- Automatic
Task Scheduler - Started- Automatic
Windows Audio - Started- Automatic

Please note that there are two Remote Procedure Call services. They appear as (RPCSS) and the other as RPCLocator. These services are important for Windows Updates to work. If Automatic Updates refuses to Start, enable the Remote Procedure Call services first.

BTW: Are there services disabled on the list?


----------



## flyrs (Sep 21, 2007)

Here is the list of services and how they are set or if they exist.

Alerter - Started- Automatic	*Disabled*
Automatic Updates - Started- * Automatic Missing*
COM+ Event System - Started- Manual* Stopped- Manual*
Event Log - Started- Automatic *Missing*
Human Interface Device Access - Started- Automatic *OK*
Internet Connection Sharing - Started- Automatic *Missing*
IPv6 Helper Service - Started- Automatic *Missing*
Remote Procedure Call (RPC) - Started- Automatic *OK*
Remote Procedure Call (RPC) Locator - Started- Automatic * Stopped- Manual*
Security Center - Started- Automatic *Missing*
System Event Notification - Started- Automatic *Stopped Automatic*
Task Scheduler - Started- Automatic *Stopped Automatic*
Windows Audio - Started- Automatic *Missing*


----------



## flyrs (Sep 21, 2007)

JSntgRvr

These are the error messages I received when I tried to start these services:

COM+ Event System - Started- Manual Stopped- Manual *Error 1067: The Process terminated unexpectedly*

System Event Notification - Started- Automatic Stopped Automatic *Error 1075: The dependency service does not exist or is marked for deletion*

Task Scheduler - Started- Automatic Stopped Automatic *Error 1717: The interface is unknown*


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Seems that the registry is corrupted. I don't know if it is fixable. Services that are a dependency of most services in your system are missing.

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## flyrs (Sep 21, 2007)

Here is the log JSngtRvr:

StartupList report, 9/23/2007, 9:53:18 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\Mypoppy.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Mypoppy.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

CheckNetworkConnection = "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=1a1840d6-ccc2-4113-aa55-c3fe7e026441

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?LinkID=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://www.costcophotocenter.com/CostcoActivia.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188018387875

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188018378218

[Windows Live Photo Upload Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://finntim.spaces.live.com/PhotoUpload/MsnPUpld.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 5,765 bytes
Report generated in 0.110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## JSntgRvr (Jul 1, 2003)

That is too short. Follow the instructions above:

* List all minor sections(Full)
* List Empty Sections(Complete)


----------



## flyrs (Sep 21, 2007)

Hi JSngtRvr,

Both of those boxes were checked, I did it again, here is the new log:

StartupList report, 9/23/2007, 11:09:45 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\Mypoppy.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Mypoppy.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

CheckNetworkConnection = "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=1a1840d6-ccc2-4113-aa55-c3fe7e026441

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?LinkID=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://www.costcophotocenter.com/CostcoActivia.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188018387875

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188018378218

[Windows Live Photo Upload Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://finntim.spaces.live.com/PhotoUpload/MsnPUpld.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 5,799 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Is not enumerating the Services. Wonder Why.

I need to see what's in your registry.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *All*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *All*
In the *Registry* group click *All*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the Files *Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* sections please press select *All* and *uncheck* non-microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*

If the report is too long, split it in two and attach both parts.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*

Any problems producing the above report?


----------



## flyrs (Sep 21, 2007)

Hi JSntgRvr,

I did have problems. I received an error message 'The interface is unknown' either during or just after Scanning open/command keys. I closed the message and it looked like it was Scanning EventViewer logs. I let it run overnight but it was still showing Scanning EventViewer logs this morning. No report was generated.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

This is a long shot, but based on the last *Net Start* command, I have prepared a fix to activate the services missing. This will require a registry modification, so let's back up the registry first.

_Modification of the registry can be *EXTREMELY* dangerous if you do not know exactly what you are doing. Please follow the steps that are listed below *EXACTLY*. If you cannot perform some of these steps, or if you have *ANY* questions please ask *BEFORE* proceeding._

*Backing Up Your Registry*
Go *Here* and download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts 
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT* 
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup 
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked 
Press *OK*
Press *YES* to create the folder.
*Registry Modifications*

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a bunch of Registry Entries files and a batch file, *RunMe.bat*. Once extracted, open the folder and double click on the *RunMe.bat*. The MSDOS Window will display for a second, that is normal, and a report will be displayed.

Please restart the computer and test. Post the *Logit.txt* report that was created in the *FixServices* folder.


----------



## flyrs (Sep 21, 2007)

Thanks JSngtRvr. I will do this when I get home tonight and let you know when I am finished.


----------



## JSntgRvr (Jul 1, 2003)

:up: :up:


----------



## flyrs (Sep 21, 2007)

Hi JSngtRvr

Ok here is the log I ran after I restarted. I didn't think you needed the one I ran before the restart, if you do let me know and I will post it.

I haven't checked them all but I noticed some of the missing services are back. Thank You.

These Windows services are started:

Alerter
Application Layer Gateway Service
Automatic Updates
AVG E-mail Scanner
AVG7 Alert Manager Server
AVG7 Update Service
COM+ Event System
COM+ System Application
Computer Browser
Creative Service for CDROM Access
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
HID Input Service
HTTP SSL
Internet Connection Sharing
IPSEC Services
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
PrismXL
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Windows User Mode Driver Framework
Wireless Zero Configuration
WMDM PMSP Service
Workstation

The command completed successfully.

These Windows services are started:

Alerter
Application Layer Gateway Service
Automatic Updates
AVG E-mail Scanner
AVG7 Alert Manager Server
AVG7 Update Service
COM+ Event System
COM+ System Application
Computer Browser
Creative Service for CDROM Access
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
HID Input Service
HTTP SSL
Internet Connection Sharing
IPSEC Services
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
PrismXL
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Secondary Logon
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
WebClient
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Windows User Mode Driver Framework
Wireless Zero Configuration
WMDM PMSP Service
Workstation

The command completed successfully.


----------
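Comparing the *Net Start* report posted before the registry fix with the one posted after it, as an added example (not written by either poster): the Python below parses LOGIT.TXT text, uses the last run when the file holds several (ActiveServices.bat appends with `>>`), and lists which services appeared or disappeared. The sample logs are abridged from the two reports in this thread, and all function names are this example's own.

```python
HEADER = "These Windows services are started:"
FOOTER = "The command completed successfully."


def parse_runs(text):
    """Return one set of service display names per complete NET START run."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            current = set()          # new run; an unterminated earlier one is dropped
        elif line == FOOTER:
            if current is not None:
                runs.append(current)
            current = None
        elif line and current is not None:
            current.add(line)
    return runs


def latest_run(text):
    """Pick the newest run; a log appended with >> can contain several."""
    runs = parse_runs(text)
    if not runs:
        raise ValueError("no complete NET START run in log")
    return runs[-1]


def compare(before_text, after_text):
    """Return (names only in the later log, names only in the earlier log)."""
    before, after = latest_run(before_text), latest_run(after_text)
    return sorted(after - before), sorted(before - after)


def not_started(text, checklist):
    """Checklist names that do not appear in the newest run, in checklist order."""
    started = latest_run(text)
    return [name for name in checklist if name not in started]


def make_run(names_block):
    """Wrap a block of names in the header and footer NET START prints."""
    return f"{HEADER}\n\n{names_block}\n{FOOTER}\n\n"


# Abridged from the thread's two reports: every name that differs between them
# is kept, plus a few unchanged ones for context.
UNCHANGED = """\
   DHCP Client
   DNS Client
   HID Input Service
   Plug and Play
   Remote Procedure Call (RPC)
   System Restore Service
   Workstation
"""
BEFORE_RUN = make_run(
    UNCHANGED + "   Windows Firewall/Internet Connection Sharing (ICS)\n")
AFTER_RUN = make_run(UNCHANGED + """\
   Alerter
   Automatic Updates
   COM+ Event System
   COM+ System Application
   Event Log
   Internet Connection Sharing
   Remote Procedure Call (RPC) Locator
   Security Center
   System Event Notification
   Task Scheduler
""")
BEFORE_LOG = BEFORE_RUN * 2   # both posted files hold the same run twice
AFTER_LOG = AFTER_RUN * 2

# The services the helper asked to have checked in Services.msc.
CHECKLIST = [
    "Alerter", "Automatic Updates", "COM+ Event System", "Event Log",
    "Human Interface Device Access", "Internet Connection Sharing",
    "IPv6 Helper Service", "Remote Procedure Call (RPC)",
    "Remote Procedure Call (RPC) Locator", "Security Center",
    "System Event Notification", "Task Scheduler", "Windows Audio",
]

if __name__ == "__main__":
    appeared, disappeared = compare(BEFORE_LOG, AFTER_LOG)
    print("Started after the fix:", *appeared, sep="\n  ")
    print("No longer listed:", *disappeared, sep="\n  ")
    print("Checklist names not in the started list:",
          *not_started(AFTER_LOG, CHECKLIST), sep="\n  ")
```

Display names vary between Windows builds, so a checklist name that is absent from the started list calls for a look in Services.msc rather than a conclusion that the service is gone.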



## JSntgRvr (Jul 1, 2003)

Any changes?


----------



## JSntgRvr (Jul 1, 2003)

Meant, improvements?


----------



## flyrs (Sep 21, 2007)

IE is still not working, and Microsoft Update doesn't work when I select it from the All Programs menu. But I was able to get updates to work from the Help and Support Center and I was able to turn on automatic updates. And Event viewer is working. As far as I can tell everything else is working fine.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs* 

Let's try removing IE7.0. That should revert IE to 6.0. If it works, you can reload IE7.0 from Windows Updates.

Go to the Add/Remove Programs option in the Control Panel and Remove Windows Internet Explorer 7. If after the removal you are able to open Internet Explorer, go to Windows Updates and reload and reinstall Internet Explorer 7.0.

If after the removal you still cannot open Internet Explorer, Copy and paste the following in Notepad:



> @ECHO OFF
> If exist Report.txt Del Report.txt
> Echo %date% %time% >>report.txt
> Echo.>>report.txt
> ...


Save the document on your desktop as *Findit.bat*, change the File Type to All Files. Click on Save.

Double click on the *Findit.bat* and post the report.

Do the same with this one:



> @ECHO OFF
> IF Exist LOGIT.TXT Del LOGIT.TXT
> NET START >>LOGIT.TXT
> Start LOGIT.TXT


Save the document on your desktop as *ActiveServices.bat* (Overwrite the existing one), change the File Type to All Files. Click on Save.

Double click on the *ActiveServices.bat* and post also this report.


----------



## flyrs (Sep 21, 2007)

That did it, I did the uninstall and IE worked.


----------



## JSntgRvr (Jul 1, 2003)

Congratulations, *flyrs*

This is your original complaint:



> I am having problems with my computer that I think have been caused by a virus. Whenever I plug anything into a USB port or insert a blank CD in the in the CD ROM drive the computer does not recognize it. My internet connection has been deleted, and when I try to reinstall from the ISP CD I get the message undefined is null or not an object. I can not open IE. My device manager is empty. And when I click add new hardware it does not open. I have tried system restore but always get a Restoration Incomplete error. The PNP and system restore services are running. When I check the event log for when I click on services I get the message "Unable to complete the operation on 'system". The interface is unknown" I am running XP SP2, AVG, Ad-ware, and Spybot. All are up to date but dont detect anything.


What do we still have pending to do?


----------



## flyrs (Sep 21, 2007)

I think that is it, everything seems to be working ok.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *flyrs*. 

Congratulations once again.









*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!
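
The System Restore reset steps in the post above, scripted as an added example that is not part of the original post. It assumes Windows PowerShell 2.0 or later is installed (it is not on a default XP SP2 system) and that only the system drive is protected; the `-Phase` parameter is hypothetical and exists only to split the work around the reboot.

```powershell
# Added example, not from the thread. Run from an account with full administrator access.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Off', 'On')]
    [string]$Phase,                          # hypothetical switch: Off = step 1, On = step 3
    [string]$Drive = "$env:SystemDrive\"     # assumption: only the system drive is protected
)

# The post notes that administrator access is required; check it up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an account with full administrator access.'
}

function Get-RestorePointCount {
    # Returns 0 when System Restore is off or no restore points exist.
    @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

if ($Phase -eq 'Off') {
    # Step 1: turn off System Restore. Reboot (step 2) before running -Phase On.
    Write-Output ("Restore points before: {0}" -f (Get-RestorePointCount))
    Disable-ComputerRestore -Drive $Drive
    Write-Output 'System Restore turned off. Reboot, then run again with -Phase On.'
}
else {
    # Step 3: confirm the old restore points are gone before re-enabling,
    # rather than assuming the disable step removed them.
    $left = Get-RestorePointCount
    if ($left -gt 0) {
        Write-Warning "$left old restore point(s) still present; turn System Restore off from the System Restore tab first."
        return
    }
    Enable-ComputerRestore -Drive $Drive
    # Create the clean baseline, using the description suggested in the post.
    Checkpoint-Computer -Description 'After Cleanup' -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
}
```

The final listing should show only restore points created after the cleanup; any older entry means the reset did not take effect.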


----------



## flyrs (Sep 21, 2007)

JSntgRvr,

Thank you for all of your help, I really appreciate the amount of time and effort that you put in to fix the problems I had. It is amazing the lengths you guys go to to help out complete strangers. Again, thank you so much, I would have been lost without your help.


----------

