# Solved: Desktop Icon Problem



## Roe727 (Mar 9, 2004)

My desktop icons have changed and I don't know why. I have done a hijackthis and attached it below. Before that I had installed updates which I have uninstalled and it didn't solve the problem and I ran adaware which came up with 7 entries which I let it take care of. Spybot came up clean.

Here is the hijackthis. Please let me know what to do.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:05 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thanks...
Roe


----------



## Roe727 (Mar 9, 2004)

Ok....Ran a Housecall Scan on my computer and came up with a trojan I believe....
BKDR_DR.A. Asked Housecall to clean it, but I'm not sure that it did. It looked like it was, but then it just sat idle and never came up with the screen saying that it was taken care of. I'm running Kaspersky now and then I guess I'll run Housecall again to see if it detects it again. But how do I get my icons back to normal?? And is there anything else that I need to reset??


----------



## Roe727 (Mar 9, 2004)

Huh??


----------



## Cookiegal (Aug 27, 2003)

In what way have the desktop icons changed?

I see you have Ewido but it's been replaced by AVG Anti-Spyware so please remove Ewido and then do the following:

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, then *Save Report* and save it to a convenient location. Post the contents of the ActiveScan report.

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## Cookiegal (Aug 27, 2003)

coolvision said:


> I think Roe727 suggestion will help you a lot.


Hi coolvision and welcome to TSG,

Actually, Roe727 is the poster with the problem but, in any event, I've modified your signature as there was no need for it to be so bold and dark as it completely overpowers your post.


----------



## Roe727 (Mar 9, 2004)

The folder icons stayed the same. The ones that changed are, Internet Explorer, My Computer, Microsoft Office, AIM, Itunes, Outlook Express, Share to Web Upload Folder, Create and Print...They are now the white boxes with the blue on top or the box with the inside that looks like a webpage. (sorry, not sure exactly what to call them). Strange thing happened....I was running AVG up until I believe yesterday, today it was gone, completely gone....I reinstalled it from download now and then you posted saying to download it in place of Ewido. I downloaded AVG 7.5.432 Free Edition. Is this the same one that you were telling me to download? Also...it would not put an icon on my desktop and it is not listed in my programs, only showing up on the taskbar.

THANK YOU for helping me.


----------



## Roe727 (Mar 9, 2004)

I uninstalled the AVG that I had installed prior to your post and installed the one that you gave me the link to. After following your instructions I will post back.

Thanks.


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine and your description of the icons was good. I understand what you mean.


----------



## Roe727 (Mar 9, 2004)

Ok, here we go.

---------------------------------------------------------
*AVG Anti-Spyware - Scan Report*
---------------------------------------------------------

+ Created at:	4:50:48 PM 1/14/2007

+ Scan result:

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

*The Panda Report*

| Incident | Status | Location |
|---|---|---|
| Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Owner\Cookies\[email protected][1].txt |
| Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\Owner\Cookies\[email protected][1].txt |

*And another Hijackthis Log:*

Logfile of HijackThis v1.99.1
Scan saved at 5:56:52 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Let me know what the next step should be.

Thanks..
Roe

Wow....I just looked and my icons are back to normal....


----------



## Roe727 (Mar 9, 2004)

Cookiegal....
In my taskbar it shows the AVG Anti-Spyware but it also shows a Windows Security Alert shield, when I click on it it says that Firewall and Automatic Updates are found, but that Virus protection isn't found. Any idea why or how I can make sure it is recognizing it?


----------



## Cookiegal (Aug 27, 2003)

Glad the icons are back. 

Download *WinPFind.exe* to your desktop and double click on it to open it and then select extract to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here along with a new HijackThis log.


----------



## Roe727 (Mar 9, 2004)

*Ok, Here is the Hijackthis Scan...I had to attach the WinPFind Scan*

Logfile of HijackThis v1.99.1
Scan saved at 8:50:10 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Let me know......


----------



## Cookiegal (Aug 27, 2003)

The WinpFind log looks fine.

Try uninstalling and reinstalling AVG anti-virus. It doesn't look like all of its components are running properly.

Let me know if that solves the problem please.
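
Added example, not part of the original thread: a small Python parser for the HijackThis entry lines posted above. It picks out entries whose target is reported as `(file missing)` or `(no file)` and compares two logs, which is the by-eye check behind the remark that not all AVG components are running. The function names are hypothetical; the sample lines are excerpted from the 1/13/2007 and 1/14/2007 logs in this thread.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code kind detail orphaned")

# An entry line starts with a section code such as R3, O4 or O23, then " - ".
_ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
_ORPHAN = re.compile(r"\((?:file missing|no file)\)$")


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log, skipping the header
    and the 'Running processes' block."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        kind, sep, detail = rest.partition(": ")
        if not sep:  # R0/R1 registry lines carry no "Kind: " prefix
            kind, detail = "", rest
        entries.append(Entry(code, kind, detail, bool(_ORPHAN.search(rest))))
    return entries


def orphans(entries):
    """Entries that still exist in the registry but point at no file."""
    return [e for e in entries if e.orphaned]


def diff(before, after):
    """Entries added and removed between two scans."""
    b, a = set(before), set(after)
    return sorted(a - b), sorted(b - a)


def persistent_orphans(before, after):
    """Orphaned entries that survived from one scan to the next."""
    return sorted(set(orphans(before)) & set(orphans(after)))


# Excerpt of the log saved 1/13/2007 (lines copied from the thread).
LOG_JAN13 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Excerpt of the log saved 1/14/2007 (lines copied from the thread).
LOG_JAN14 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
"""

if __name__ == "__main__":
    first, second = parse_hjt(LOG_JAN13), parse_hjt(LOG_JAN14)
    added, removed = diff(first, second)
    for label, group in (("added", added), ("removed", removed),
                         ("still orphaned", persistent_orphans(first, second))):
        for e in group:
            print(f"{label:>14}: {e.code} {e.kind} {e.detail}")
```
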


----------



## Roe727 (Mar 9, 2004)

I uninstalled and reinstalled AVG and it DIDN'T solve the problem. The Windows Security Alert shield is still there and this time it didn't even put the AVG in the taskbar. 
Here's another Hijackthis log....do I need to fix anything in it? Also the Panda log...there were a couple things there that it didn't take care of, should I do anything with them?

Logfile of HijackThis v1.99.1
Scan saved at 2:57:11 AM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Roe727 (Mar 9, 2004)

Cookiegal,

Is this computer safe to have on the internet with this Windows Security Alert shield showing up in the taskbar and the AVG not?


----------



## Cookiegal (Aug 27, 2003)

Do you see any processes for AVG running in the Task Manager?


----------



## Roe727 (Mar 9, 2004)

I don't believe so...this is the list of what is running:

aim6.exe
taskmgr.exe
WINWORD.EXE
wscntfy.exe
IEXPLORE.EXE
IEXPLORE.EXE
alg.exe
ehrecvr.exe
dllhos.exe
ctfmon.exe.
IEXPLORE.EXE
explorer.exe
spoolsv.exe
wmpnetwk.exe
svchost.exe
svchost.exe
mcrdsvc.exe
svchost.exe
aolsoftware.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
svchost.exe
winlogon.exe
csrss.exe
smss.exe
Yahoomessenger.exe
svchost.exe
svchost.exe
ehSched.exe
System
System Idle Process


----------



## Cookiegal (Aug 27, 2003)

This one looks dodgy: *dllhos.exe*

Off hand, do you know what it is?

If not, let's see if you can find it but first, let's unhide files.

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now do a search and let me know where the file is located (the entire path) please.
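
Added example, not part of the original thread: a Python sketch of the check made by eye above, flagging a process name that is one edit away from a well-known Windows process name, or a well-known name running from an unexpected folder. The known-name table is built from the processes in this thread's logs and assumes Windows is installed in `C:\WINDOWS` as it is here; the function names are hypothetical, and the sample list is a subset of the Task Manager list as it was typed in the post above.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM32 = r"c:\windows\system32"
# Assumption: expected folders for an XP install rooted at C:\WINDOWS.
KNOWN = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "dllhost.exe",
    "wscntfy.exe", "wuauclt.exe", "alg.exe")}
KNOWN["explorer.exe"] = r"c:\windows"


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and a swap of
    two adjacent characters as one step each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(image):
    """Classify a process name or full image path.

    Returns (verdict, known_name) where verdict is one of
    'known', 'misplaced', 'lookalike', 'other'.
    """
    # Win32 drops trailing dots and spaces from file names, so a trailing
    # "." in a hand-typed list is a transcription artifact, not a new name.
    directory, name = ntpath.split(image.strip().rstrip(". "))
    name = name.lower()
    if name in KNOWN:
        if directory and directory.lower() != KNOWN[name]:
            return ("misplaced", name)
        return ("known", name)
    for known in sorted(KNOWN):
        # Threshold of one edit keeps short names such as alg.exe from
        # matching unrelated programs.
        if osa_distance(name, known) <= 1:
            return ("lookalike", known)
    return ("other", None)


def flagged(images):
    """Only the items that deserve a second look."""
    out = []
    for image in images:
        verdict, match = classify(image)
        if verdict in ("lookalike", "misplaced"):
            out.append((image, verdict, match))
    return out


# Subset of the Task Manager list exactly as typed in the thread.
TASK_LIST = [
    "aim6.exe", "taskmgr.exe", "WINWORD.EXE", "wscntfy.exe", "IEXPLORE.EXE",
    "alg.exe", "ehrecvr.exe", "dllhos.exe", "ctfmon.exe.", "explorer.exe",
    "spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "Yahoomessenger.exe",
    "System", "System Idle Process",
]

if __name__ == "__main__":
    for image, verdict, match in flagged(TASK_LIST):
        print(f"{image}: {verdict} of {match}")
```

A name-only hit still needs the file located on disk before drawing a conclusion, which is what the search steps above are for.
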


----------



## Roe727 (Mar 9, 2004)

Oops....I went to do a search and it wouldn't come up, so I went back to the task manager and I had typed it wrong. It's dllhost.exe...not dllhos.exe.. It is located in the C:\WINDOWS\system32 and the C:\WINDOWS\system32\dllcache. 

What's next?


----------



## Roe727 (Mar 9, 2004)

Why would AVG not be showing up?


----------



## blkwlnt64 (Mar 28, 2005)

Is AVG Free listed in your Add/Remove list ?


----------



## Cookiegal (Aug 27, 2003)

When you go into the Security center, does it say that virus protection is off there?


----------



## Roe727 (Mar 9, 2004)

> Is AVG Free listed in your Add/Remove list ?

Yes it is.

> When you go into the Security center, does it say that virus protection is off there?

Yes it says, "Not found".


----------



## Cookiegal (Aug 27, 2003)

In the Security Center you should see the recommendations button. Click on that and see if it's set as follows: "I'll monitor my anti virus software myself".


----------



## Roe727 (Mar 9, 2004)

I see that and it is unchecked.....this is strange.


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run - type in regedit and click OK to open the registry editor.

Please export the following key to your desktop. To do that, expand each of the following by clicking on the + that you see to their left:

*HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft*

Under *Microsoft*, right click on *Security Center* and select "export" and then save it as Security. By default, it will have the .reg file extension. Now, right click on that file and select "open with" and "Notepad" and then copy and paste the contents here please.


----------



## Roe727 (Mar 9, 2004)

*Ok, did that and here it is:*

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


----------



## Cookiegal (Aug 27, 2003)

I see a couple of Norton entries that are disabled in msconfig. It looks like it was uninstalled but not completely. It may be causing a conflict.

What Norton product and version was it?


----------



## Roe727 (Mar 9, 2004)

I never put Norton on it, the only thing I can think of is that the computer came with Norton installed originally. Anywhere I can look for that information?


----------



## Cookiegal (Aug 27, 2003)

Locate this folder and see what files are in it and if their properties can tell you the version.

C:\Program Files\Common Files\*Symantec Shared*


----------



## Roe727 (Mar 9, 2004)

The only Symantec Shared file I could find was located in

C:\Documents and Settings\Owner\Application Data\Symantec\Shared

There are two things listed under that one is 
Sessions...the only thing in that folder is this ...20040101045454906.liveReg

The other is something that says:
MyProfile.UserProfile


----------



## Roe727 (Mar 9, 2004)

FYI...The AVG showed up gray in my toolbar just now, so I did an update, it said update successful. I then looked in the toolbar and it is gone again. Windows Security Alert Shield is still there.


----------



## Roe727 (Mar 9, 2004)

Just out of curiosity I did a search for McAfee, since this is another one that a lot of machines come with already loaded. I found these folders. Not sure if this helps or not.

McAfee located in C:\Documents and settings\all users\application data
this one is empty

McAfee.com located in C:\Documents and settings\all users\application data
this one contains a folder labelled Agent

McAfee located in C:\Documents and settings\owner\application data
this one contains a folder marked McAfee Shared Componets and inside that is a folder labelled Centralv3 which contains CentENU.ini

McAfee Shared Componets located in C:\Documents and settings\owner\application data\McAfee
This folder also contains: McAfee Shared COmponets and inside that is a folder labelled Centralv3 which contains CentENU.ini


----------



## Cookiegal (Aug 27, 2003)

Let's do this then.

Go to *Start* - *Run* - type in *msconfig* and click OK and then click on the startup tab.

Put a check mark beside everything that's listed there and then post a new HijackThis log please.


----------



## Roe727 (Mar 9, 2004)

Ok, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:16 AM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

Run this Symantec removal tool:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*, if they still exist.

*O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"*

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\Common Files\Symantec Shared

C:\Documents and settings\all users\application data\McAfee.com

C:\Documents and Settings\Owner\Application Data\McAfee Shared Components

C:\Documents and settings\owner\application data\McAfee
*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Reboot and let me know if AVG is detected.


----------



## Roe727 (Mar 9, 2004)

Ok...
Ran the Symantec removal tool.

Did a rescan with HiJackThis, but the 2 entries that you listed were no longer there.

Downloaded Killbox and started in safe mode.

These 3 it said didn't exist:
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\Owner\Application Data\McAfee Shared Components

This one it found and deleted:
C:\Documents and settings\all users\application data\McAfee.com

This one it said it couldn't delete:
C:\Documents and settings\owner\application data\McAfee
(Can I manually delete it?)

Emptied the temp files in killbox.
Right before rebooting I got an ERROR message for KILLBOX...
ERROR 9

Rebooted and still no AVG in taskbar and Windows Security Alert Shield is still present.


----------



## Roe727 (Mar 9, 2004)

Here's another HijackThis also:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:35 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------
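
The before/after check done by eye in the posts above (were the two Symantec Run entries gone after the removal tool, and which entries point at missing files), as an added example that is not part of the original thread. The function and class names are hypothetical, and the sample lines are excerpted from the 11:34 AM and 4:05 PM scans posted above.

```python
import re
from dataclasses import dataclass

# Sample input: a few entry lines excerpted from the two scans in this thread.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
"""

SCAN_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
"""

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# O4 registry autoruns: "<location>: [<value name>] <command line>".
RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Suffixes HijackThis prints when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self):
        """Identity used for diffing: Run entries are keyed by location and
        value name, so a changed command line shows up as 'changed'."""
        m = RUN_RE.match(self.body) if self.section == "O4" else None
        if m:
            return (self.section, m["where"], m["name"])
        return (self.section, self.body)

    @property
    def orphaned(self):
        """True when the entry points at a file that no longer exists."""
        return self.body.rstrip().endswith(ORPHAN_MARKERS)


def parse_log(text):
    """Return the entry lines of a log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_scans(before, after):
    """Compare two scans and report removed, added and changed entries."""
    old = {e.key: e for e in parse_log(before)}
    new = {e.key: e for e in parse_log(after)}
    return {
        "removed": [old[k] for k in old if k not in new],
        "added": [new[k] for k in new if k not in old],
        "changed": [(old[k], new[k]) for k in old
                    if k in new and old[k].body != new[k].body],
    }


if __name__ == "__main__":
    result = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for e in result["removed"]:
        print("removed:", e.section, e.body)
    for e in result["added"]:
        print("added:  ", e.section, e.body)
    for old_e, new_e in result["changed"]:
        print("changed:", old_e.body, "->", new_e.body)
    for e in parse_log(SCAN_AFTER):
        if e.orphaned:
            print("orphan: ", e.section, e.body)
```
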



## Cookiegal (Aug 27, 2003)

Yes, delete that McAfee file manually.

Download *ComboFix* to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in *Safe Mode*.

Double click *combofix.exe* and follow the prompts.
When finished, it will produce a log for you. Post that log and a new *HijackThis* log in your next reply.
*Note: Do not mouseclick combofix's window while it's running as that may cause it to stall*


----------



## Roe727 (Mar 9, 2004)

Ok...I deleted that McAfee file manually.

I also ran adaware while I was waiting for your response and AVG Anti-spyware again. The adaware came up with realmedia.com, stat.dealtime.com and revsci.net and the AVG came up with Yieldmanager and liveperson. I believe these were all cookies and I had the programs take care of them.

Ran ComboFix and here is the log:

"Owner" - 07-01-16 18:53:45 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\INSTALL.LOG

((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))

2007-01-16 12:50 d--------	C:\!KillBox
2007-01-15 02:51	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-14 16:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-01-14 12:32 d--------	C:\DOCUME~1\Owner\Application Data\AVG7
2007-01-14 12:32 d--------	C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-14 12:12	76,560	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 17:20 d--------	C:\Program Files\Temp
2007-01-02 08:37 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-01-02 08:07 d--------	C:\DOCUME~1\Owner\Application Data\AVG7(2)
2007-01-02 07:59 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-01 18:21 d--------	C:\DOCUME~1\Owner\.housecall6.6
2006-12-29 19:08 d--------	C:\WINDOWS\system32\LogFiles
2006-12-29 19:08 d--------	C:\WINDOWS\system32\DRM
2006-12-29 19:00	36,352	---------	C:\WINDOWS\system32\tsgqec.dll
2006-12-29 19:00	288,768	---------	C:\WINDOWS\system32\rhttpaa.dll
2006-12-29 19:00	116,736	---------	C:\WINDOWS\system32\aaclient.dll
2006-12-29 18:47 d--------	C:\Program Files\Common Files\ODBC
2006-12-27 16:01 d----c---	C:\WINDOWS\ie7
2006-12-26 14:24 d--------	C:\DECCHECK
2006-12-19 13:56 d--------	C:\WINDOWS\system32\drivers\UMDF
2006-12-18 09:54 d--------	C:\DOCUME~1\Owner\Application Data\acccore
2006-12-18 09:54 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2006-12-18 09:53 d--------	C:\Program Files\Common Files\AOL
2006-12-18 09:53 d--------	C:\Program Files\AIM6
2006-12-18 09:51 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-16 18:49	--------	d--------	C:\DOCUME~1\Owner\Application Data\adobeum
2007-01-16 13:09	--------	d--------	C:\Program Files\java
2007-01-14 13:01	--------	d--------	C:\Program Files\grisoft
2007-01-07 18:17	--------	d--------	C:\Program Files\yahoo!
2007-01-07 18:17	--------	d--------	C:\Program Files\microsoft antispyware
2007-01-07 18:17	--------	d--------	C:\Program Files\google
2007-01-07 18:15	--------	d--------	C:\Program Files\aim
2006-12-29 19:10	--------	d--------	C:\Program Files\windows media connect 2
2006-12-21 08:20	--------	d---s----	C:\DOCUME~1\Owner\Application Data\microsoft
2006-12-19 11:05	--------	d--------	C:\Program Files\hp
2006-11-29 08:40	28672	--a------	C:\WINDOWS\system32\ssconfig.exe
2006-11-29 08:40	180224	--a------	C:\WINDOWS\uninstallwsst.exe
2006-11-29 08:14	72748	--a------	C:\WINDOWS\unins001.exe
2006-11-29 08:13	72748	--a------	C:\WINDOWS\unins000.exe
2006-11-29 08:13	--------	d--------	C:\Program Files\anark
2006-11-27 03:45	60416	---------	C:\WINDOWS\system32\tzchange.exe
2006-11-17 22:44	--------	d--------	C:\Program Files\msxml 4.0
2006-11-13 01:02	1866240	--a------	C:\WINDOWS\system32\mstscax.dll
2006-11-08 00:06	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-11-07 03:06	600576	--a------	C:\WINDOWS\system32\mstsc.exe
2006-11-06 11:35	531568	--a------	C:\WINDOWS\system32\rmactivate_isv.exe
2006-11-06 11:35	523376	--a------	C:\WINDOWS\system32\rmactivate.exe
2006-11-06 11:35	519280	--a------	C:\WINDOWS\system32\secproc_isv.dll
2006-11-06 11:35	518768	--a------	C:\WINDOWS\system32\secproc.dll
2006-11-06 11:35	358000	--a------	C:\WINDOWS\system32\rmactivate_ssp.exe
2006-11-06 11:35	354416	--a------	C:\WINDOWS\system32\rmactivate_ssp_isv.exe
2006-11-06 11:35	323696	--a------	C:\WINDOWS\system32\msdrm.dll
2006-11-06 11:35	192624	--a------	C:\WINDOWS\system32\secproc_ssp_isv.dll
2006-11-06 11:35	192624	--a------	C:\WINDOWS\system32\secproc_ssp.dll
2006-11-04 14:14	1245696	--a------	C:\WINDOWS\system32\msxml4.dll
2006-10-19 08:56	713216	--a------	C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58	8704	--a------	C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58	8704	--a------	C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47	99840	--a------	C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47	991744	--a------	C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47	937984	--a------	C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47	8231936	--a------	C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47	767488	---------	C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47	757248	--a------	C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47	7168	--a------	C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47	656896	---------	C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47	63488	--a------	C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47	629760	--a------	C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47	613376	---------	C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47	603648	--a------	C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47	542720	--a------	C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47	535040	--a------	C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47	429056	--a------	C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47	414208	--a------	C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47	38400	---------	C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47	37376	--a------	C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47	35840	--a------	C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47	356352	--a------	C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47	348672	--a------	C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47	33792	--a------	C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47	321536	--a------	C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47	317440	---------	C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47	314880	--a------	C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47	295936	---------	C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47	284160	---------	C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47	276992	--a------	C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47	27136	--a------	C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47	2603008	---------	C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47	259072	---------	C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47	259072	---------	C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47	2450944	--a------	C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47	242688	--a------	C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47	229376	--a------	C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47	227328	--a------	C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47	222208	--a------	C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47	212992	--a------	C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47	211456	--a------	C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47	204288	--a------	C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47	199168	---------	C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47	179712	--a------	C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47	175616	--a------	C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47	166912	---------	C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47	1661440	--a------	C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47	1574912	---------	C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47	157184	--a------	C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47	154624	--a------	C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47	1543680	---------	C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47	1382912	---------	C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47	133632	---------	C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47	1329152	--a------	C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47	132096	---------	C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47	130048	---------	C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47	11264	--a------	C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47	1117696	--a------	C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47	101888	---------	C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03	100864	--a------	C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00	249856	--a------	C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00	17408	---------	C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:33	818688	--a------	C:\WINDOWS\system32\wininet(6)(3).dll
2006-10-17 13:33	1162240	--a------	C:\WINDOWS\system32\urlmon(6)(3).dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Mixersel"="C:\\Program Files\\Realtek\\InstallShield\\mixersel.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"CHotkey"="zHotkey.exe"
"AlcWzrd"="ALCWZRD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0143afe1-c919-11d9-8c27-806d6172696f}]
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MDMXSDK

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HP Usg Daily FY04.job

Completion time: 07-01-16 18:56:37

And here is another HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:26 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

I see what looks like some corrupt files that are not being overwritten as they are supposed to be.

Do you have the XP CD? I'd like to run System File Checker but it will likely prompt you to insert the CD.


----------



## Roe727 (Mar 9, 2004)

When I got the computer I did not get a set of XP discs, but I did make the Driver and Application and recovery discs. Will that work?


----------



## Cookiegal (Aug 27, 2003)

It's possible it was copied to your HD as is often the case with preinstallations.


Go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"


Then see if you can locate a directory called "i386" without the quotes and let me know the path to it please.


----------



## Roe727 (Mar 9, 2004)

Ok...This is what came up when I did that search:

I386 C:\WINDOWS
I386 C:\CMPNENTS\MEDIACTR
I386 C:\CMPNENTS\NETFX
I386 C:\CMPNENTS\TABLETPC
i386 C:\WINDOWS\Driver Cache
IIS_i386.cab C:\WINDOWS\I386\IIS6.CAB
i386 C:\Program Files\Java\jre1.5.0_04\lib
i386 C:\Program Files\Java\jre1.5.0_06\lib
i386 C:\Program Files\Java\jre1.5.0_10\lib
i386 C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles
i386 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles
i386 lib
i386 D:\

Also running the comboFix yesterday, when mail shows up in my toolbar through yahoo, when I click on it, it gives me a 'The page cannot be displayed' page. I also had to change my homepage back when we did that so I'm not sure if this is connected.


----------



## Cookiegal (Aug 27, 2003)

It looks like you have a copy in C:\WINDOWS so we should be able to run the System File Checker but we have to change a setting in the registry to tell it to look there.

First, we'll back up the registry as a precaution.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Go to *Start* - *Run* - type in *regedit* and click OK to open the registry editor.

Expand the following keys/sub-keys by clicking on the + that you see to their left:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows
CurrentVersion

Click once on the Setup key and you will see information in the right-hand pane. Double-click on the entry that says "SourcePath".

In the box that pops up, type in *C:\WINDOWS* and click OK.

Then close regedit and reboot your computer.

Now, go to the Run box on the Start Menu and type in:

*sfc /scannow*

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

Let me know how it goes please.


----------



## Roe727 (Mar 9, 2004)

Ok...I'll wait to see what you want me to do next.

Thanks.


----------



## Cookiegal (Aug 27, 2003)

Well, since it still prompted for the CD even after changing the paths, the i386 folder may be corrupt as well.

Have you tried doing a system restore to before all this started?


----------



## Roe727 (Mar 9, 2004)

Yes originally that is what I did. This is the first thread I started,

http://forums.techguy.org/windows-nt-2000-xp/531118-solved-spectra-1-dat-error.html

but I got no one to help with it and then I had PM'd you and asked for help.

I'm sorry this is such a mess. Do you think running a Repair install is an option??


----------



## Cookiegal (Aug 27, 2003)

Let's try running Dial-A-Fix and select "all":

http://www.majorgeeks.com/download4899.html


----------



## Roe727 (Mar 9, 2004)

When I download the Dial-a fix, I get two compressed files. dial-a-fix.exe and secedit.exe. I extracted the files from the dial-a-fix and it gives me a file folder, which when clicked on gives me the dial-a-fix.exe program and the secedit.exe. I did nothing with this one since I don't know what it is. Should I extract those files as well?

Also...when I open the dial-a-fix, I get a screen that has lots of options on it.

Prep, with empty temp folders
MSI, with fix windows installer
Wu/WUAU, with fix windows update and a FLUSH SOFTWARE DISTRIBUTION
Fix SSL/HTTPS/Cryptsvc
and 
Registration Center which has activex controls/codecs, control panel applets, direct [X] draw, show media, programming cores/runtimes, explorer/IE/OE/shell/wmp and
object linking libraries.

There is no All button, so I wanted to make sure I was in the right place before doing anything.


----------



## Cookiegal (Aug 27, 2003)

There should be a "check all" option. If you can't find it, let's leave this for now.

Let's check for errors:

Go to *Start* - *Run* - type in *eventvwr.msc* and click OK.

Look under "application" and "system" and see if there are any recent errors shown there in red. If so, please double click on them to open them up and then click on the icon that looks like two pieces of paper. This will copy them to the clipboard. Then paste them here please.


----------



## aarhus2004 (Jan 10, 2004)

see GIF.


----------



## Roe727 (Mar 9, 2004)

Thank you. I'll run that and check for the errors and post back.


----------



## Roe727 (Mar 9, 2004)

Here are the application Errors:

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
Faulting application updatecdr4_53_71[1].exe, version 7.0.0.3, faulting module updatecdr4_53_71[1].exe, version 7.0.0.3, fault address 0x0000af71.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	11
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	11
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	11
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	11
Date: 9/23/2033
Time: 12:04:03 AM
User: N/A
Computer:	NORDEMAN
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
Faulting application updatecdr4_53_71[1].exe, version 7.0.0.3, faulting module updatecdr4_53_71[1].exe, version 7.0.0.3, fault address 0x0000af71.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Information
Event Source:	HHCTRL
Event Category:	None
Event ID:	1904
Date: 3/23/2006
Time: 4:04:55 PM
User: N/A
Computer:	NORDEMAN
Description:
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: http://office.microsoft.com/assista...C010227221033&QueryID=kW89YF74V&respos=1&rt=6, http://go.microsoft.com/fwlink?LinkID=45840.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/22/2006
Time: 6:17:04 PM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Information
Event Source:	EventLog
Event Category:	None
Event ID:	6006
Date: 3/22/2006
Time: 6:17:07 PM
User: N/A
Computer:	NORDEMAN
Description:
The Event log service was stopped.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ff 00 00 00 ÿ...

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 3/22/2006
Time: 4:50:20 PM
User: N/A
Computer:	NORDEMAN
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/22/2006
Time: 4:50:20 PM
User: N/A
Computer:	NORDEMAN
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/22/2006
Time: 4:50:20 PM
User: N/A
Computer:	NORDEMAN
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/22/2006
Time: 4:50:20 PM
User: N/A
Computer:	NORDEMAN
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/22/2006
Time: 4:50:20 PM
User: N/A
Computer:	NORDEMAN
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/22/2006
Time: 4:49:23 PM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/22/2006
Time: 4:49:14 PM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/19/2006
Time: 3:30:20 PM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/19/2006
Time: 3:30:05 PM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 3/19/2006
Time: 3:28:03 PM
User: N/A
Computer:	NORDEMAN
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/19/2006
Time: 3:28:03 PM
User: N/A
Computer:	NORDEMAN
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/19/2006
Time: 3:28:03 PM
User: N/A
Computer:	NORDEMAN
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/19/2006
Time: 3:28:03 PM
User: N/A
Computer:	NORDEMAN
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 3/19/2006
Time: 3:28:03 PM
User: N/A
Computer:	NORDEMAN
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Print
Event Category:	None
Event ID:	6161
Date: 2/23/2006
Time: 1:29:40 PM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
The document http://us.f527.mail.yahoo.com/ym/ShowLetter?MsgId=9823_13618293 owned by Owner failed to print on printer Canon PIXMA iP1500. Data type: NT EMF 1.008. Size of the spool file in bytes: 524288. Number of bytes printed: 283348. Total number of pages in the document: 2. Number of pages printed: 1. Client machine: \\NORDEMAN. Win32 error code returned by the print processor: 122 (0x7a).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 2/22/2006
Time: 1:10:23 PM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 2/22/2006
Time: 12:06:01 PM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/19/1970
Time: 3:15:24 AM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 12/31/1969
Time: 7:00:00 PM
User: N/A
Computer:	NORDEMAN
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 4/3/1970
Time: 7:20:44 AM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 12/31/1969
Time: 7:00:00 PM
User: NT AUTHORITY\SYSTEM
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 12/31/1969
Time: 7:00:00 PM
User: NORDEMAN\Owner
Computer:	NORDEMAN
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Roe727 (Mar 9, 2004)

Going to run the dial-a-fix and I'll let you know how I make out.


----------



## Roe727 (Mar 9, 2004)

Ran Dial-a-fix....no log or anything so I'm not sure what I am to report?


----------



## Cookiegal (Aug 27, 2003)

Thanks aarhus2004. :up:


----------



## Cookiegal (Aug 27, 2003)

I would think that clicking on the icon that looks like a piece of paper will give you a log or copy it to the clipboard but there should be a log.

Your dates seem to be all messed up in those errors. Did you not see any with current dates? 

How old is this computer?

How many user accounts are there?


----------



## aarhus2004 (Jan 10, 2004)

In my first ever use of Dial-a-fix today, and using its Check All feature, I saw no log. I ran it a second time after unchecking the Time and Temp elements in the Prep section (for no reason save curiosity) and a log was produced. It was of interest mainly because of the install of several .dll files.

HTH

And I ran it the third time with all the checks in place. The attached is that log.


----------



## Cookiegal (Aug 27, 2003)

Did you try clicking that icon that looks like Notepad to see if there's a log there?


----------



## Roe727 (Mar 9, 2004)

No, there are no recent entries and you are right, the dates are weird. I have no idea.

This computer I bought back in 2005 and I'm the only user. So it's Roe and Administrator when I go into safe mode...that's it.

And I'm sorry about the log problem. I didn't notice the notepad...I ran it again and here it is....

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
[email protected] and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 6.0.2900.2180
MPC: 76487-OEM
CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (~3000MHz)
CPU: CPU is 64-bit or has 64-bit extensions
CPU: 2 CPU cores present
BIOS: 2/14/2005
Memory (approx): 486MB
Uptime: 4 hour(s) 
Current directory: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7Y96CQ3B\Dial-a-fix-v0.60.0.24[1]\Dial-a-fix-v0.60.0.24
---

1/17/2007 5:11:44 PM -- Dial-a-fix : [v0.60.0.24] -- started
5:11:44 PM | Policy scan started
5:11:44 PM | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
5:11:53 PM | Deleting C:\Documents and Settings\Owner\Local Settings\Temp...
5:11:53 PM | C:\Documents and Settings\Owner\Local Settings\Temp could not be completely emptied, please reboot and try again
5:11:53 PM | Deleting C:\WINDOWS\temp...
5:11:53 PM | C:\WINDOWS\temp has been re-created
5:11:53 PM | Deleting C:\DOCUME~1\Owner\LOCALS~1\Temp...
5:11:53 PM | C:\DOCUME~1\Owner\LOCALS~1\Temp could not be completely emptied, please reboot and try again
--- MSI ---
5:12:00 PM | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
5:12:08 PM | Unregistered: C:\WINDOWS\system32\msxml.dll
5:12:08 PM | Registered: C:\WINDOWS\system32\msxml.dll
5:12:08 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll
5:12:08 PM | Registered: C:\WINDOWS\system32\msxml2.dll
5:12:10 PM | Unregistered: C:\WINDOWS\system32\msxml3.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\msxml3.dll
5:12:11 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\msxml4.dll
5:12:11 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\qmgr.dll
5:12:11 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
5:12:11 PM | Unregistered: C:\WINDOWS\system32\muweb.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\muweb.dll
5:12:11 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
5:12:11 PM | Registered: C:\WINDOWS\system32\winhttp.dll
5:12:12 PM | Registered: C:\WINDOWS\system32\wuapi.dll
5:12:12 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
5:12:12 PM | Registered: C:\WINDOWS\system32\wuaueng.dll
5:12:12 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
5:12:12 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll
5:12:12 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll
5:12:12 PM | Registered: C:\WINDOWS\system32\wucltui.dll
5:12:12 PM | Unregistered: C:\WINDOWS\system32\wups.dll
5:12:13 PM | Registered: C:\WINDOWS\system32\wups.dll
5:12:13 PM | Unregistered: C:\WINDOWS\system32\wups2.dll
5:12:13 PM | Registered: C:\WINDOWS\system32\wups2.dll
5:12:13 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll
5:12:13 PM | Registered: C:\WINDOWS\system32\wuweb.dll
5:12:13 PM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
5:12:25 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
5:12:29 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
5:12:29 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
5:12:29 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
5:12:29 PM | Registered: C:\WINDOWS\system32\cryptui.dll
5:12:29 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
5:12:29 PM | Registered: C:\WINDOWS\system32\cryptext.dll
5:12:29 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
5:12:29 PM | Registered: C:\WINDOWS\system32\dssenh.dll
5:12:30 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
5:12:30 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
5:12:30 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
5:13:49 PM | Registered: C:\WINDOWS\system32\initpki.dll
5:13:49 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
5:13:49 PM | Registered: C:\WINDOWS\system32\licdll.dll
5:13:49 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
5:13:49 PM | Registered: C:\WINDOWS\system32\mssign32.dll
5:13:50 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
5:13:50 PM | Registered: C:\WINDOWS\system32\mssip32.dll
5:13:51 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
5:13:51 PM | Registered: C:\WINDOWS\system32\scardssp.dll
5:13:51 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
5:13:51 PM | Registered: C:\WINDOWS\system32\sccbase.dll
5:13:51 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
5:13:51 PM | Registered: C:\WINDOWS\system32\scecli.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
5:13:52 PM | Registered: C:\WINDOWS\system32\softpub.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
5:13:52 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
5:13:52 PM | Registered: C:\WINDOWS\system32\regwizc.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
5:13:52 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
5:13:52 PM | Registered: C:\WINDOWS\system32\winhttp.dll
5:13:52 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
5:13:53 PM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
5:13:53 PM | Registered: C:\WINDOWS\system32\acelpdec.ax
5:13:53 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
5:13:53 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
5:13:54 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
5:13:54 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
5:13:54 PM | Registered: C:\WINDOWS\system32\l3codecx.ax
5:13:54 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
5:13:54 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
5:14:00 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
5:14:01 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
5:14:01 PM | Registered: C:\WINDOWS\system32\tdc.ocx
5:14:01 PM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
5:14:02 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
5:14:03 PM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
5:14:03 PM | Registered: C:\WINDOWS\system32\appwiz.cpl
5:14:03 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
5:14:03 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
5:14:03 PM | Registered: C:\WINDOWS\system32\quartz.dll
5:14:03 PM | Registered: C:\WINDOWS\system32\danim.dll
5:14:04 PM | Registered: C:\WINDOWS\system32\dmscript.dll
5:14:04 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
5:14:04 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
5:14:05 PM | Registered: C:\WINDOWS\system32\atl.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\corpol.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\jscript.dll
5:14:05 PM | Registered: C:\WINDOWS\system32\dispex.dll
5:14:06 PM | Registered: C:\WINDOWS\system32\scrrun.dll
5:14:06 PM | Registered: C:\WINDOWS\system32\scrobj.dll
5:14:06 PM | Registered: C:\WINDOWS\system32\vbscript.dll
5:14:06 PM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
5:14:06 PM | Registered: C:\WINDOWS\system32\activeds.dll
5:14:06 PM | Registered: C:\WINDOWS\system32\audiodev.dll
5:14:07 PM | DllInstalled: C:\WINDOWS\system32\browseui.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\browseui.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\browsewm.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\cabview.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\cdfview.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
5:14:07 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\comcat.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\cscui.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\credui.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\datime.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\devmgr.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dmloader.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dmocx.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dmview.ocx
5:14:08 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
5:14:08 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
5:14:09 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
5:14:09 PM | Registered: C:\WINDOWS\system32\dsquery.dll
5:14:09 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
5:14:09 PM | Registered: C:\WINDOWS\system32\els.dll
5:14:09 PM | Registered: C:\WINDOWS\system32\es.dll
5:14:09 PM | Registered: C:\WINDOWS\system32\fontext.dll
5:14:10 PM | Registered: C:\WINDOWS\system32\hlink.dll
5:14:10 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
5:14:10 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
5:14:10 PM | Registered: C:\WINDOWS\system32\iepeers.dll
5:14:11 PM | DllInstalled: C:\WINDOWS\system32\iesetup.dll
5:14:11 PM | Registered: C:\WINDOWS\system32\iesetup.dll
5:14:11 PM | Registered: C:\WINDOWS\system32\ils.dll
5:14:11 PM | Registered: C:\WINDOWS\system32\imgutil.dll
5:14:11 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
5:14:12 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
5:14:12 PM | DllInstalled: C:\WINDOWS\system32\inseng.dll
5:14:12 PM | Registered: C:\WINDOWS\system32\inseng.dll
5:14:12 PM | Registered: C:\WINDOWS\system32\laprxy.dll
5:14:12 PM | Registered: C:\WINDOWS\system32\lmrt.dll
5:14:12 PM | Registered: C:\WINDOWS\system32\mlang.dll
5:14:13 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
5:14:13 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
5:14:13 PM | Registered: C:\WINDOWS\system32\mscoree.dll
5:14:13 PM | DllInstalled: C:\WINDOWS\system32\mshtml.dll
5:14:14 PM | Registered: C:\WINDOWS\system32\mshtml.dll
5:14:14 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
5:14:14 PM | Registered: C:\WINDOWS\system32\msieftp.dll
5:14:14 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
5:14:14 PM | Registered: C:\WINDOWS\system32\msr2c.dll
5:14:15 PM | Registered: C:\WINDOWS\system32\msrating.dll
5:14:15 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
5:14:15 PM | Registered: C:\WINDOWS\system32\mydocs.dll
5:14:15 PM | Registered: C:\WINDOWS\system32\mstime.dll
5:14:15 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
5:14:15 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
5:14:15 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
5:14:16 PM | Registered: C:\WINDOWS\system32\netman.dll
5:14:16 PM | Registered: C:\WINDOWS\system32\netshell.dll
5:14:16 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
5:14:16 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
5:14:16 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
5:14:16 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
5:14:17 PM | DllInstalled: C:\WINDOWS\system32\occache.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\occache.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\ole32.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\oleacc.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\olepro32.dll
5:14:17 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\photowiz.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\pngfilt.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\remotepg.dll
5:14:17 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
5:14:18 PM | Registered: C:\WINDOWS\system32\rshx32.dll
5:14:18 PM | Registered: C:\WINDOWS\system32\sendmail.dll
5:14:18 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
5:14:19 PM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
5:14:19 PM | Registered: C:\WINDOWS\system32\shdocvw.dll
5:14:19 PM | Registered: C:\WINDOWS\system32\shell32.dll
5:14:22 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
5:14:22 PM | Registered: C:\WINDOWS\system32\shmedia.dll
5:14:22 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
5:14:22 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
5:14:22 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
5:14:22 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
5:14:22 PM | Registered: C:\WINDOWS\system32\srclient.dll
5:14:23 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
5:14:23 PM | Registered: C:\WINDOWS\system32\stobject.dll
5:14:23 PM | DllInstalled: C:\WINDOWS\system32\themeui.dll
5:14:23 PM | Registered: C:\WINDOWS\system32\themeui.dll
5:14:23 PM | Registered: C:\WINDOWS\system32\twext.dll
5:14:23 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\urlmon.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\userenv.dll
5:14:24 PM | DllInstalled: C:\WINDOWS\system32\webcheck.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\webcheck.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\webvw.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\winhttp.dll
5:14:24 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
5:14:24 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
5:14:24 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
5:14:24 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
5:14:25 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
5:14:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
5:14:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
5:14:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
5:14:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
5:14:26 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
5:14:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
5:14:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
5:14:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
5:14:27 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
5:14:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
5:14:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
5:14:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
5:14:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
5:14:28 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll


----------



## aarhus2004 (Jan 10, 2004)

Hi, Roe727,

Could you post a screen capture of your desktop?


----------



## Cookiegal (Aug 27, 2003)

Would you please run another ComboFix scan and post the log.

Also, did you buy the computer new?


----------



## Roe727 (Mar 9, 2004)

Yes I did a screen print of my desktop but for some reason I can't send it through here, it is not attaching. I saved it in paint with the extension of bmp and it won't attach. I get an upload error. How else can I send it?

I bought this computer new.

Going to run the combofix again now and I will post back shortly.


----------



## Roe727 (Mar 9, 2004)

*Ok...Here is another ComboFix log:*

"Owner" - 07-01-17 20:12:09 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))

2007-01-17 17:12 d--------	C:\WINDOWS\system32\CatRoot2
2007-01-17 16:06 d--h-----	C:\Program Files\WindowsUpdate
2007-01-17 12:42 d--------	C:\WINDOWS\LastGood
2007-01-17 12:27	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2007-01-17 12:27	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2007-01-17 11:38	80,037,650	--a------	C:\backup.reg
2007-01-16 12:50 d--------	C:\!KillBox
2007-01-15 02:51	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-14 16:57 d--------	C:\WINDOWS\system32\ActiveScan
2007-01-14 12:32 d--------	C:\DOCUME~1\Owner\Application Data\AVG7
2007-01-14 12:32 d--------	C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-14 12:12	76,560	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 17:20 d--------	C:\Program Files\Temp
2007-01-02 08:37 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-01-02 08:07 d--------	C:\DOCUME~1\Owner\Application Data\AVG7(2)
2007-01-02 07:59 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-01 18:21 d--------	C:\DOCUME~1\Owner\.housecall6.6
2006-12-29 19:08 d--------	C:\WINDOWS\system32\LogFiles
2006-12-29 19:08 d--------	C:\WINDOWS\system32\DRM
2006-12-29 19:00	36,352	---------	C:\WINDOWS\system32\tsgqec.dll
2006-12-29 19:00	288,768	---------	C:\WINDOWS\system32\rhttpaa.dll
2006-12-29 19:00	116,736	---------	C:\WINDOWS\system32\aaclient.dll
2006-12-29 18:47 d--------	C:\Program Files\Common Files\ODBC
2006-12-27 16:01 d----c---	C:\WINDOWS\ie7
2006-12-26 14:24 d--------	C:\DECCHECK
2006-12-19 13:56 d--------	C:\WINDOWS\system32\drivers\UMDF
2006-12-18 09:54 d--------	C:\DOCUME~1\Owner\Application Data\acccore
2006-12-18 09:54 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2006-12-18 09:53 d--------	C:\Program Files\Common Files\AOL
2006-12-18 09:53 d--------	C:\Program Files\AIM6
2006-12-18 09:51 d--------	C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-17 12:41	--------	d--------	C:\DOCUME~1\Owner\Application Data\adobeum
2007-01-16 13:09	--------	d--------	C:\Program Files\java
2007-01-14 13:01	--------	d--------	C:\Program Files\grisoft
2007-01-07 18:17	--------	d--------	C:\Program Files\yahoo!
2007-01-07 18:17	--------	d--------	C:\Program Files\microsoft antispyware
2007-01-07 18:17	--------	d--------	C:\Program Files\google
2007-01-07 18:15	--------	d--------	C:\Program Files\aim
2006-12-29 19:10	--------	d--------	C:\Program Files\windows media connect 2
2006-12-21 08:20	--------	d---s----	C:\DOCUME~1\Owner\Application Data\microsoft
2006-12-19 11:05	--------	d--------	C:\Program Files\hp
2006-11-29 08:40	28672	--a------	C:\WINDOWS\system32\ssconfig.exe
2006-11-29 08:40	180224	--a------	C:\WINDOWS\uninstallwsst.exe
2006-11-29 08:14	72748	--a------	C:\WINDOWS\unins001.exe
2006-11-29 08:13	72748	--a------	C:\WINDOWS\unins000.exe
2006-11-29 08:13	--------	d--------	C:\Program Files\anark
2006-11-27 03:45	60416	---------	C:\WINDOWS\system32\tzchange.exe
2006-11-17 22:44	--------	d--------	C:\Program Files\msxml 4.0
2006-11-13 01:02	1866240	--a------	C:\WINDOWS\system32\mstscax.dll
2006-11-08 00:06	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-11-07 03:06	600576	--a------	C:\WINDOWS\system32\mstsc.exe
2006-11-06 11:35	531568	--a------	C:\WINDOWS\system32\rmactivate_isv.exe
2006-11-06 11:35	523376	--a------	C:\WINDOWS\system32\rmactivate.exe
2006-11-06 11:35	519280	--a------	C:\WINDOWS\system32\secproc_isv.dll
2006-11-06 11:35	518768	--a------	C:\WINDOWS\system32\secproc.dll
2006-11-06 11:35	358000	--a------	C:\WINDOWS\system32\rmactivate_ssp.exe
2006-11-06 11:35	354416	--a------	C:\WINDOWS\system32\rmactivate_ssp_isv.exe
2006-11-06 11:35	323696	--a------	C:\WINDOWS\system32\msdrm.dll
2006-11-06 11:35	192624	--a------	C:\WINDOWS\system32\secproc_ssp_isv.dll
2006-11-06 11:35	192624	--a------	C:\WINDOWS\system32\secproc_ssp.dll
2006-11-04 14:14	1245696	--a------	C:\WINDOWS\system32\msxml4.dll
2006-10-19 08:56	713216	--a------	C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58	8704	--a------	C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58	8704	--a------	C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47	99840	--a------	C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47	991744	--a------	C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47	937984	--a------	C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47	8231936	--a------	C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47	767488	---------	C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47	757248	--a------	C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47	7168	--a------	C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47	656896	---------	C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47	63488	--a------	C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47	629760	--a------	C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47	613376	---------	C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47	603648	--a------	C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47	542720	--a------	C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47	535040	--a------	C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47	429056	--a------	C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47	414208	--a------	C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47	4096	--a------	C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47	38400	---------	C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47	37376	--a------	C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47	35840	--a------	C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47	356352	--a------	C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47	348672	--a------	C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47	33792	--a------	C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47	321536	--a------	C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47	317440	---------	C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47	314880	--a------	C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47	295936	---------	C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47	284160	---------	C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47	276992	--a------	C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47	27136	--a------	C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47	2603008	---------	C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47	259072	---------	C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47	259072	---------	C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47	2450944	--a------	C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47	242688	--a------	C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47	229376	--a------	C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47	227328	--a------	C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47	222208	--a------	C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47	212992	--a------	C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47	211456	--a------	C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47	204288	--a------	C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47	199168	---------	C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47	179712	--a------	C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47	175616	--a------	C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47	166912	---------	C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47	1661440	--a------	C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47	1574912	---------	C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47	157184	--a------	C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47	154624	--a------	C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47	1543680	---------	C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47	1382912	---------	C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47	133632	---------	C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47	1329152	--a------	C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47	132096	---------	C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47	130048	---------	C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47	11264	--a------	C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47	1117696	--a------	C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47	101888	---------	C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03	100864	--a------	C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00	249856	--a------	C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00	17408	---------	C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:33	818688	--a------	C:\WINDOWS\system32\wininet(6)(3).dll
2006-10-17 13:33	1162240	--a------	C:\WINDOWS\system32\urlmon(6)(3).dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Mixersel"="C:\\Program Files\\Realtek\\InstallShield\\mixersel.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"CHotkey"="zHotkey.exe"
"AlcWzrd"="ALCWZRD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0143afe1-c919-11d9-8c27-806d6172696f}]
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f76f255-1270-11da-90cc-806d6172696f}]
Shell\AutoRun\command	C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MDMXSDK

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HP Usg Daily FY04.job

Completion time: 07-01-17 20:14:55
C:\ComboFix2.txt ... 07-01-16 18:56

*And another HiJackThis Log:*

Logfile of HijackThis v1.99.1
Scan saved at 8:20:36 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

Please right click on the following folder and then select "properties" and let me know its size please. This may be the path to the i386 that we need to run scannow.

*D:\i386*


----------



## Roe727 (Mar 9, 2004)

Size on that file is ... 1.69 GB (1,822,223,090 bytes).


----------



## Cookiegal (Aug 27, 2003)

What else is on your D partition?


----------



## Roe727 (Mar 9, 2004)

Here is a picture of what is in my D Drive....


----------



## Cookiegal (Aug 27, 2003)

There is nothing there.


----------



## Roe727 (Mar 9, 2004)

Ok, that didn't work...Here is the list:

$Vault$.AVG
i386
MiniNT
PRELOAD
Recycled
System Restore
System Volume Information
updgoi
Autorun.inf
BATCH.LOG
BATCH.OLD
Desktop.ini
Folder.htt
FULL
graph
graph16
Info.exe
MassStorage.log
master.log
menund
move
NTDETECT.COM
ntfs
NTLDR
PROTECT.ED
STLDR
USER
warning.bmp
win51
win51.b2
win51.rc1
win51.rc2
win51ic
win51ic.b2
win51ic.rc1
win51ic.rc2
win51ip
win51iplb2
win51ip.rc2
win51ip.sp1
winbom.ini
xga


----------



## aarhus2004 (Jan 10, 2004)

Hello Roe727,

I thought you might find this link of interest - *here*. I do realise that for the moment your desktop is behaving itself again but it may not continue to do so. A small matter within the context of a larger problem, which I hope is finally resolved.

And I notice your *Sun Java needs an update*. You have, according to this entry on your last HJT log - *O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"*, the latest update is available *here*. And here is the link to the *Sticky post* in this forum telling of it together with installation instructions. (*Java Runtime Environment (JRE) 6*)

Ben.


----------



## Roe727 (Mar 9, 2004)

Actually it is funny that you just posted that. I received a message this morning that an update was ready to be installed and I let it run first thing this morning. So I think the Java should be ok for now. But thank you so much and I'll look at that other link you sent also.

Cookiegal, after we did the combofix is when I started not being able to go into my mail through my toolbar when it pops up, but the dial-a-fix had solved that problem, but now that we ran the combofix again I can't go into it through the toolbar when it pops up. Can I run the dial-a-fix again?

And the AVG, is still not showing up in the toolbar....


----------



## Cookiegal (Aug 27, 2003)

I assume this is an HP computer? It looks like you have a recovery partition on D which is common on HPs. We may need to do a non-destructive recovery but before going that route, let's try running sfc /scannow again but change the paths in those two registry keys, as you did before, but this time change them to:

D:\

See if it will see the i386 folder and run without the CD please.


----------



## Roe727 (Mar 9, 2004)

Here is my system Information. I will change the pathways and run sfc /scannow and post back and let you know how I made out.

OS Name	Microsoft Windows XP Professional
Version	5.1.2600 Service Pack 2 Build 2600
OS Manufacturer	Microsoft Corporation
System Name	NORDEMAN
System Manufacturer	GATEWAY
System Model	831GM
System Type	X86-based PC
Processor	x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3000 Mhz
Processor	x86 Family 15 Model 4 Stepping 3 GenuineIntel ~3000 Mhz
BIOS Version/Date	Intel Corp. AG91510J.15A.0816.2005.0214.1818, 2/14/2005
SMBIOS Version	2.3
Windows Directory	C:\WINDOWS
System Directory	C:\WINDOWS\system32
Boot Device	\Device\HarddiskVolume1
Locale	United States
Hardware Abstraction Layer	Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name	NORDEMAN\Owner
Time Zone	Eastern Standard Time
Total Physical Memory	512.00 MB
Available Physical Memory	130.48 MB
Total Virtual Memory	2.00 GB
Available Virtual Memory	1.96 GB
Page File Space	1.11 GB
Page File	C:\pagefile.sys


----------



## Roe727 (Mar 9, 2004)

Changed the path and it won't run at all with that path. When we had it at C:\WINDOWS it was getting 99% of the way through.


----------



## Cookiegal (Aug 27, 2003)

Roe727 said:


> Changed the path and it won't run at all with that path. When we had it at C:\WINDOWS it was getting 99% of the way through.


OK, I didn't know that. I thought it had asked for the CD right away before doing anything.

I'm going to ask others to take a look at this as I'm really getting out of my area here.


----------



## Roe727 (Mar 9, 2004)

Ok .... 

Something else that is new....When I boot the computer a dos window flashes, but doesn't stay up long enough for me to read what is at the top of it. Any idea? Or any way I can stop the computer to see it?


----------



## Cookiegal (Aug 27, 2003)

Let's try running chkdsk.

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.


----------



## Roe727 (Mar 9, 2004)

Ran Chkdsk on the C Drive. The dos box is still popping up and after restarting it several times I saw 'Realtek', but couldn't read anything else. The box is empty; there are just words at the top of the box.

Cookiegal .... you had said that you would be asking for help from someone else. I will wait till you get back to me about what I should do next. AVG is still not in the toolbar, I'm worried about the security on this computer. Too much has happened since the icons changed and the AVG disappeared.


----------



## Cookiegal (Aug 27, 2003)

Were you able to run chkdsk or did that interfere with it?


----------



## Roe727 (Mar 9, 2004)

Chkdsk ran fine.


----------



## Roe727 (Mar 9, 2004)

Is there a tool that makes sure that Internet Explorer was completely removed? That seems to be when all this happened. I had installed it and it made the computer all wacky and running slow. So I uninstalled it and the problems began or so I at least think.


----------



## Cookiegal (Aug 27, 2003)

Roe727 said:


> Is there a tool that makes sure that Internet Explorer was completely removed? That seems to be when all this happened. I had installed it and it made the computer all wacky and running slow. So I uninstalled it and the problems began or so I at least think.


I'm not sure I understand. You didn't have Internet Explorer before at all or do you mean you went to IE7 and then back to IE6?


----------



## Roe727 (Mar 9, 2004)

I went from IE6 and did the upgrade to IE7. The computer started running horrible immediately. So I looked in add/remove and there was no IE7, so I did a system restore to get back to where I was. Then within a day or so the icons and so forth.


----------



## Cookiegal (Aug 27, 2003)

Can you go back and undo your last system restore? It might be easier to deal with the problem if we could get it back to where it was.


----------



## Roe727 (Mar 9, 2004)

This is strange. I undid my last system restore and it did not bring me back to IE 7 (also when I've done restores in the past it literally would put the wallpaper back to what it was at that time, didn't do that this time), so I thought maybe it was the one before that, so I went back to that one and still no IE 7. Now I really don't know where to start. I have no AVG on this system now, it is not showing the AVG Free that I had on there before. Basically....I think we have to start from scratch and troubleshoot this machine. What should I do first?

I have included a HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:58 AM, on 1/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Roe727 (Mar 9, 2004)

Also, I'm getting security certificate alerts. Noticed first when I went to check my yahoo mail.


----------



## Roe727 (Mar 9, 2004)

While waiting I ran a few scans
Adaware, which only came up with 2 cookies, took care of them.
Spybot, which came up with TagASaurus, which I had it fixed and it seemed to do it successfully. 
Going to run Panda now and I'll post back if I don't hear from you.


----------



## Roe727 (Mar 9, 2004)

Here is the Panda Scan:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt


----------



## Cookiegal (Aug 27, 2003)

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Then, let me know if you see this folder please. 

C:\WINDOWS\ie7


----------



## Roe727 (Mar 9, 2004)

Yes there is a 

C:\WINDOWS\ie7 
C:\WINDOWS\ie7(2)


----------



## Cookiegal (Aug 27, 2003)

Well, I'm out of options so this is a last resort.

I have a suggestion if you want to try it but I don't know for sure what the outcome will be. I'm thinking if you run the IE7 uninstaller, that may release some files that were not removed properly.

If you want to proceed, make sure you set a new system restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I'm not sure how this will affect IE6 so it might be good to download Firefox so you're not left without a browser if something goes wrong and IE6 disappears, in addition to having created a restore point.

Run the uninstall file as outlined in method 2 in the article in this link:

http://support.microsoft.com/default.aspx/kb/927177


----------



## Roe727 (Mar 9, 2004)

Ok...I will do that tomorrow. I don't have time tonight. 
I am running the AVG that I reinstalled and have running in safe mode on that computer. 

So far it has found:
Tracking Cookie. YieldManager
TrackingCookie.com
TrackingCookie.Tacoda
TrackingCookie.Burstnet

Thanks.


----------



## Roe727 (Mar 9, 2004)

Also...what about a Repair Install? What are your thoughts on that?
And did you see anything in the log or the scans that I should fix?


----------



## Cookiegal (Aug 27, 2003)

You could try that too but I'm not sure it will have any effect on lingering IE7 files.


----------



## Roe727 (Mar 9, 2004)

Ok, I understand.


----------



## Roe727 (Mar 9, 2004)

I was thinking I don't know that I can do a repair installation since I don't have the CD, I only have the Drivers and Applications and Recovery CD's that I made when I got the computer?????


----------



## aarhus2004 (Jan 10, 2004)

Hello Roe727,

When this thread of yours goes quiet...

Based on the facts that I believe you to be an avid user of your PC, have a wealth of experience behind you and are quite competent I offer a Microsoft article *here*.

It was just mere chance that when I bought my present and first ever system all I would ever need to care for it came with it. Most significantly was an authentic MS CD. I say chance because I had no idea of what I needed for the future.

Why not invest in an authentic WinXP CD?

Best wishes.

Ben.


----------



## Cookiegal (Aug 27, 2003)

I thought you were referring to repairing IE not the OS. 

I believe you can restore the system from the recovery partition.

It would be a better idea for you to start a new thread about this in the XP forum and you will get assistance from those who know much more than I do about these things.


----------



## Roe727 (Mar 9, 2004)

Ben....you are right everyone should have a valid copy of their OS, but my Windows XP is a valid copy, what I failed to do was get the CD from them when ordering my computer. I did not make that mistake with my second order for a computer for my boys. I can buy a copy of Windows XP, but it bothers me that I should have to pay for another copy, when I own this one. So I was trying to take care of this problem and restore this one. Thank you for the link. Awesome article, with thorough instructions, I have read it before. I thank you from the bottom of my heart for your help and expertise and wisdom.

Cookiegal....Thank you for all your time with this problem or multiple problems. I appreciate your insight and expertise in this area. I haven't decided on whether I'm going to try to take the IE7 leftover files off or not. I am up and running and I was going to see how it runs over the next day or so to see if I feel it is necessary. I still think there are some things in my logs that need attention, maybe not critically, but still. So I'll continue to work out the kinks. I did get AVG up and running and in my toolbar after the last system restore and that I'm very happy about. The error messages, I think...., not sure, but I think ...are gone. One thing at a time....Thank you again for all your help. I do appreciate it greatly.

Good night all.
Roe


----------



## EAFiedler (Apr 25, 2000)

...and for those of us who only have recovery disks, there is this option:
http://www.easydesksoftware.com/recovery.htm#XP


----------



## Roe727 (Mar 9, 2004)

Well Thank You EAFiedler...That's awesome.....I sincerely appreciate that.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 



Roe727 said:


> I still think there are some things in my logs that need attention, maybe not critically, but still. So I'll continue to work out the kinks.


Would you tell me what they are so we can address them? I may have missed something along the way. 



> I did get AVG up and running and in my toolbar after the last system restore and that I'm very happy about.


It was my understanding that it only appeared in the toolbar briefly and then disappeared again. You are referring to the anti-virus program and not AVG-AS, right? Are you no longer getting security alerts?


----------



## Roe727 (Mar 9, 2004)

The log issues are as follows...as I said I don't THINK there is anything critical, but I'll let you tell me. I don't like to fool with things that I'm not sure of.

*Housecall* came up with BKDR_DR.A..when I had it try to fix it a screen never came up telling me it was done.

*Panda* came up with


----------



## Roe727 (Mar 9, 2004)

Oops...sorry...I will continue..

*Panda* found
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

*AVG* found
Tracking Cookie. YieldManager
TrackingCookie.com
TrackingCookie.Tacoda
TrackingCookie.Burstnet
yieldmanager
liveperson

*Spybot* found
TagASaurus, which I had it fixed and it seemed to do it successfully.

*adaware* found
realmedia.com
stat.dealtime.com
revsci.net

*Also:*
The dos 'Realtek' box is no longer popping up and I'm not getting the security warnings ... Both these stopped after I did the last 2 system restores trying to restore back to IE7.

After the system restores, I reinstalled AVG-AS, updated it, started the computer in safe mode and ran a scan and when I rebooted it now shows up in the toolbar.

The Windows Security Alert Shield is now gone, so it is detecting the AVG-AS.

*Here is another Hijackthis log*
_I think the only thing that probably has to be taken care of here is the two entries (O23's) with missing files, but I don't like to touch them unless I'm told by someone who has the knowledge._

Logfile of HijackThis v1.99.1
Scan saved at 9:18:45 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Roe727 (Mar 9, 2004)

Ran Spybot and Adaware in Safe Mode.

*Spybot* is still detecting *TagASaurus*

*Adaware* found liveperson :
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie[email protected]/
Expires : 1-20-2008 9:11:44 AM
LastSync : Hits:3
UseCount : 0
Hits : 3


----------



## Roe727 (Mar 9, 2004)

Panda...only came up with Atwola.

AVG-AS is still scanning, but hasn't come up with anything so far (usually does by now).


----------



## Cookiegal (Aug 27, 2003)

I think you are confusing AVG anti-virus and AVG Anti-Spyware (AVG-AS). The security center should not be detecting AVG-AS but it should detect your anti-virus program.

Run Housecall again and see if it still detects what it found before. 

Panda only found a few cookies.

Ad-Aware found cookies - have it fix anything it finds.

Where is Spybot finding Tagasaurus? That should only be a cookie as well.

Do not pay any attention to items in HijackThis that show "file missing" as there is a bug and most are not actually missing.


Here's what I suggest you do:

Clear out all of your cookies:

Clean your Cache and Cookies in IE: 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK


and then reset them as follows:


In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to. 

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "advanced" and remove it from the list of blocked cookies there or change its designation to "always allow".


----------



## Roe727 (Mar 9, 2004)

The security center is detecting AVG anti-virus. Sorry my mistake there.

Housecall came up clean. 
I'm not sure where Spybot found Tagasaurus, but I reran it and it came up clean also.
I'm going to just see how it runs the next few days and go from there. 

Hopefully all is well.
Thank you for your help.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------



## Mosaic1 (Aug 17, 2001)

Please excuse the interruption.

You say you are using AVG anti Virus?

Here are my HJT log entries for AVG:

Running processes:

D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Nothing is showing in your running processes for the Anti Virus. That's because the files are missing. You do have the registry entries, but no files.

I think you need to reinstall AVG Anti Virus.


----------
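The cross-check Mosaic1 describes above (O23 service entries compared against the running-process list), as an added example that is not part of the original thread: it parses a HijackThis log and reports whether each "(file missing)" flag is consistent with what is actually running. The sample log is constructed in the layout of the logs posted here, and the function names and verdict labels are this example's own.

```python
import ntpath
import re

# Constructed sample in the HijackThis v1.99.1 layout used in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O23_PREFIX = "O23 - Service: "
MISSING_TAG = "(file missing)"
EXE_RE = re.compile(r'([A-Za-z]:\\.*?\.exe)\b', re.IGNORECASE)


def exe_name(command):
    """Lower-cased executable file name from a path that may carry arguments.

    Comparing file names rather than full paths lets an 8.3 short path
    (C:\\PROGRA~1\\...) match the long form of the same directory. The cost is
    that a same-named file in another directory also matches, so treat a hit
    as a lead to confirm on disk, not as proof.
    """
    m = EXE_RE.search(command)
    return ntpath.basename(m.group(1) if m else command.strip('" ')).lower()


def parse_log(text):
    """Return (set of running executable names, list of O23 service dicts)."""
    running, services, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = not running  # a blank line ends the section once it has entries
                continue
            if re.match(r"[A-Za-z]:\\", line):
                running.add(exe_name(line))
                continue
            in_procs = False
        if line.startswith(O23_PREFIX):
            body = line[len(O23_PREFIX):]
            flagged = body.endswith(MISSING_TAG)
            if flagged:
                body = body[: -len(MISSING_TAG)].rstrip()
            parts = body.rsplit(" - ", 2)  # display name - owner - image path
            if len(parts) == 3:
                name, owner, path = parts
                services.append({"name": name, "owner": owner,
                                 "path": path, "flagged": flagged})
    return running, services


def triage(text):
    """Map each O23 service name to a verdict based on the process list."""
    running, services = parse_log(text)
    verdicts = {}
    for svc in services:
        is_running = exe_name(svc["path"]) in running
        if svc["flagged"] and is_running:
            verdicts[svc["name"]] = "flag-contradicted"    # a live process means the binary exists
        elif svc["flagged"]:
            verdicts[svc["name"]] = "missing-not-running"  # consistent with the files being gone
        elif is_running:
            verdicts[svc["name"]] = "running"
        else:
            verdicts[svc["name"]] = "not-running"          # not reported missing; may just be stopped
    return verdicts


if __name__ == "__main__":
    for service, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:20} {service}")
```

A "missing-not-running" verdict on a security product's service is the case worth following up by checking the file on disk; "flag-contradicted" is a flag that the process list itself disproves.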



## Roe727 (Mar 9, 2004)

Cookiegal...your thoughts on that?


----------



## Cookiegal (Aug 27, 2003)

Please follow Mosaic1's advice. She is a highly regarded and respected expert.


----------



## Roe727 (Mar 9, 2004)

I believe that and I *thank you* Mosaic1 for your input.

Cookiegal, I meant no disrespect, I was just trying to respect you since you have been helping me all along. I really try not to step on toes in here.

I am a little confused on the AVG...The link you gave me was for AVG Anti-spyware, which is what is showing up in my toolbar.

When I check my Windows Security Center it picks up AVG Anti-virus, which I don't see in my add/remove or anywhere else. Is this all one program? Or should I be adding AVG anti-virus?


----------



## Roe727 (Mar 9, 2004)

Looked into it and I see that they are 2 different programs. I downloaded the AVG Anti-virus again and it is showing up in the toolbar.

Do I need to keep both running?

Here is another Hijack this log. Thank you again Mosaic1 for catching that.

Logfile of HijackThis v1.99.1
Scan saved at 7:43:10 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

Yes, they are two separate programs.

I see all running now but the e-mail scanner. Is that by choice? Did you turn it off?


----------



## Roe727 (Mar 9, 2004)

No, that is not by choice. So, I went in to the AVG anti-virus and the security status says that the e-mail scanner is fully functional, so I'm not sure why it would show that it is not running. 

FYI: Not sure if this matters, but I use Yahoo mail and I believe there is one through there also.


----------



## Mosaic1 (Aug 17, 2001)

You're welcome.

I don't see the email scanner listed in your services, though.

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe


See if you can start the service. If not set to auto, see if that change will cause it to start on next reboot of Windows.

AVG has help forums. But if you have the free version, you can't ask questions. However you can search the forums.


----------



## Cookiegal (Aug 27, 2003)

Thanks Mosaic1.


----------



## Roe727 (Mar 9, 2004)

I uninstalled and reinstalled AVG Anti-virus. It still doesn't look like it is running. I don't see where to set it to auto?

Here's my current Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 6:22:20 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run - type in services.msc and click OK. Do you see a service listed there for AVG e-mail scanner? If so, what is the status and the startup type?


----------



## blkwlnt64 (Mar 28, 2005)

Hi Cookiegal, Most MS-MVP's recommend turning OFF email scanning in your av program since it provides little or no additional protection and may slow down your system if you receive and/or send a lot of email.

But then you should know because you are an MS-MVP.


----------



## Roe727 (Mar 9, 2004)

AVG e-mail scanner is not listed in services.msc.


----------



## Roe727 (Mar 9, 2004)

Another problem that I have come across today is that my Adobe Reader doesn't seem to be working. I take online courses and I use that to open up assignments. I went in to the Add/Remove thinking I would uninstall what I have, which is Adobe Reader 7.0.7 and reinstall it, and I'm getting this message.

'The patch package could not be opened. Verify that the patch package exists and that you can access it or contact the application vendor to verify that this is a valid Windows Installer patch package.'

Any suggestions? Should I just try to install it leaving the old one?

This is what I have listed in my add/remove programs that pertain to Adobe:
Adobe Download Manager 2.0 (remove only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.7


----------



## Cookiegal (Aug 27, 2003)

blkwlnt64 said:


> Hi Cookiegal, Most MS-MVP's recommend turning OFF email scanning in your av program since it provides little or no additional protection and may slow down your system if you receive and/or send a lot of email.
> 
> But then you should know because you are an MS-MVP.


Most MVPs....hmmmm there are 2,600+ so how many recommend disabling e-mail scanning? 2,500? Where are the poll results? Funny, I didn't receive the questionnaire.

Any scanning will slow down the system but it adds another layer of protection and I don't recommend disabling it. Modern day worms are more sophisticated and can penetrate easier than in the past and anti-virus e-mail scanning blocks them before they even get to your inbox.


----------



## Cookiegal (Aug 27, 2003)

Try running the Windows Installer cleanup and then see if you can uninstall and reinstall Adobe.

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301


Roe727 said:


> Another problem that I have come across today is that my Adobe Reader doesn't seem to be working. I take online courses and I use that to open up assignments. I went in to the Add/Remove thinking I would uninstall what I have, which is Adobe Reader 7.0.7 and reinstall it, and I'm getting this message.
> 
> 'The patch package could not be opened. Verify that the patch package exists and that you can access it or contact the application vendor to verify that this is a valid Windows Installer patch package.'
> 
> ...


----------



## aarhus2004 (Jan 10, 2004)

Hello Roe727,

These links *may* help with the reader difficulty:

http://www.happycomputing.com/index.php?topic=141.msg468

http://www.majorgeeks.com/download.php?det=4763

Cheers,

Ben.


----------



## Roe727 (Mar 9, 2004)

I ran the Windows Installer cleanup and now for some reason I can't reinstall Adobe Reader. Every time I click on a link to install it, it just sits and doesn't load.


----------



## Cookiegal (Aug 27, 2003)

Where are you trying to install it from?


----------



## Roe727 (Mar 9, 2004)

I tried download.com, majorgeeks.com and adobe.com.


----------



## Cookiegal (Aug 27, 2003)

Do you get an error message?


----------



## Roe727 (Mar 9, 2004)

No, after I click on download, it just sits with a blank page, doesn't load, and then I have to use the task manager to end task.


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night and will post back in the morning with further instructions but in the meantime I need you to locate this file and let me know the path to it please. We will probably have to re-register the Windows Installer.

*Msiexec.exe*

You may have to unhide files:

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".


----------



## Roe727 (Mar 9, 2004)

No problem, me too.

The file *Msiexec.exe* is located in C:\WINDOWS\system32

and there is a

*Msiexec.exe*-2F8A8CAE.pf located in C:\WINDOWS\Prefetch


----------



## Cookiegal (Aug 27, 2003)

OK, that's what I expected but needed to be sure.

Go to *Start* - *Run* - type in *regedit* and click OK to open the registry editor.

We are just looking so please do not change or delete anything.

Expand the following keys/sub-keys by clicking on the + to the left.

*HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services*

Under Services (still in the left-hand pane), click on *MSIServer* and you will see various entries appear in the right-hand pane.

Double-click on ImagePath and another box will open up called "Edit String". Copy and paste what appears in the "value data" line back here please.


----------



## Roe727 (Mar 9, 2004)

This value line reads:

C:\WINDOWS\system32\msiexec.exe /V


----------



## Cookiegal (Aug 27, 2003)

That is the correct entry so on to re-registering.

Boot to safe mode.

Go to *Start* - *Run* - type the following line exactly as it appears (note the space between the c and the /), and then click OK:

*msiexec /regserver*

Reboot and try downloading Adobe Reader again please.


----------



## Roe727 (Mar 9, 2004)

Ran msiexec /regserver in safe mode and reinstalled Adobe Reader successfully.

AVG E-mail scanner I believe is still not showing up.

That post #123 from blkwlnt64 was uncalled for.....

Here is a current HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:14:19 AM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .ggi: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Cookiegal (Aug 27, 2003)

As you said you're using Yahoo for your e-mail client, that could be the problem with AVG's e-mail scanner not showing up as it has to be configured. See this link that may be helpful.

http://forum.grisoft.cz/freeforum/read.php?3,31984,backpage=,sv=

Is everything else fine now?


----------



## Roe727 (Mar 9, 2004)

I looked at that link and I understand where you are coming from. Yahoo does have a scanner, so hopefully with that I'll be fine. It has in the past. 

It isn't running all that bad. It has been a bit slow loading websites, but I know that a lot of times can be the internet. I'll see what happens.

Thank you so much for your help. I do appreciate it.


----------



## Cookiegal (Aug 27, 2003)

Do you defrag regularly? Removing any unused programs and deleting temporary files will help as well.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------



## Roe727 (Mar 9, 2004)

Yes I do defrag regularly, but I checked last week and it said it didn't need it, but I'm going to do it anyway....can't hurt. 

Thank you so much for all your help. I'm going to close this thread and if anything else creeps up, I'll PM you to have it reopened or start a new one.

Thanks again and have a wonderful day.
Rosemary


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## JohnWill (Oct 19, 2002)

Cookiegal said:


> Most MVPs....hmmmm there are 2,600+ so how many recommend disabling e-mail scanning? 2,500? Where are the poll results? Funny, I didn't receive the questionnaire.
> 
> Any scanning will slow down the system but it adds another layer of protection and I don't recommend disabling it. Modern day worms are more sophisticated and can penetrate easier than in the past and anti-virus e-mail scanning blocks them before they even get to your inbox.


I didn't see that poll either, and I have email scanning enabled.


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

